Smart Contract Bugs: One of the Most Pressing Risks in DeFi

One of the most pressing risks in DeFi is that smart contracts may contain bugs that bad actors can exploit or that produce unexpected outcomes. This article brings smart contract bugs into the limelight.

What are the Risks of DeFi in Finance?

Finance is the art of managing risk. Assets and operations are both subject to risk. An asset’s price reflects its intrinsic value and synthesized risk. We cannot appraise an asset without considering its risk. 

Humans are the primary source of operational hazards and are prone to errors and corruption. 

Assessing asset and operational risk is essential, whether in traditional finance built on traditional assets or in sparkling new decentralized finance (aka DeFi) running on native crypto assets.

Crypto-asset risks include external risks, such as regulatory changes, and internal risks, such as design faults and implementation issues. 

On Ethereum, the native asset is ETH; non-native assets are known as ERC tokens and adhere to token standards such as ERC20 and its companions, including ERC721 and ERC777, among others.

A native asset carries less risk than a non-native asset, because the latter can be affected by both Ethereum client bugs and smart contract bugs.

Smart contract bugs constitute a significant problem for ERC tokens and DeFi since DeFi is a complex network knitted together by countless smart contracts produced by developers from different regions. 

Smart contract bugs create dangers, which we refer to as smart contract risks.

Many research efforts have focused on smart contract weaknesses, and we have discovered numerous defenses. 

However, it is well understood that eradicating defects in any non-trivial smart contract (or any program) is impossible. 

We live in a world full of communication problems and randomness, which produce “distortion” at every stage: 

We can’t turn a concept in our heads into a precise specification, and we can’t turn a specification into a faultless implementation.

Now, let’s get down to it and see what smart contract bugs are.

What are Smart Contract Bugs?

Smart contract bugs can be seen as errors or flaws in the code of a smart contract that make the smart contract behave in a way the developer didn’t intend for it to act. 

The presence of smart contract bugs can lead to many unexpected occurrences, including loss of funds.

I have some examples of these smart contract bugs, so let’s delve right in without wasting more time!

Types of Smart Contract Bugs

Some notable types of smart contract bugs are:

  1. Oracle/price manipulation
  2. Improper input validation
  3. Weak access control
  4. Incorrect calculations
  5. Rounding error
  6. Replay attacks/signature malleability

Oracle/Price Manipulation

On our list of smart contract bugs, we will first discuss oracle/price manipulation.

Smart contracts frequently rely on external data sources, known as oracles, to make informed judgments. 

If these oracles are corrupted or abused, it may result in erroneous swap pricing, wrong reward computation, borrowing more assets than a collateralization ratio allows, or other general financial transaction difficulties. 

One of the most common causes of on-chain DeFi vulnerabilities is the manipulation of these external data sources. 

Choosing trustworthy oracles and establishing safe data verification processes are critical for reducing the dangers associated with oracle/price manipulation.

Because many protocols are designed to update asset prices in response to user activity, this might be a straightforward but quickly noticed vulnerability, as prices are expected to change with user engagement.

However, when protocols rely on pricing systems, whether internal or external, care must be taken to guarantee that spot prices cannot be misused.

The effectiveness of price manipulation is also heavily influenced by current on-chain conditions. Pools with shallow liquidity are more susceptible to manipulation than those with substantial liquidity. 

Careful selection of reliable oracles and the deployment of safe data verification techniques are critical. 

Staleness checks, average pricing methods, and read-only reentrancy protections may be essential for effectively integrating external pricing systems. 

Diversification of data sources can help keep attacks in a single protocol from wreaking havoc across the entire blockchain ecosystem.
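As an added illustration (not code from the original article), the contrast below shows a collateral valuation that reads a spot price straight from a pool's reserves beside one that reads an external feed with staleness and sanity checks. The pool and aggregator interfaces are assumptions: the aggregator mirrors the Chainlink AggregatorV3Interface signature, the pair mirrors a Uniswap V2-style getReserves, and MAX_STALENESS is a tuning choice.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal pool interface (assumed, modelled on Uniswap V2-style reserves).
interface IPairLike {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

// Chainlink-style aggregator interface (signature of AggregatorV3Interface).
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData() external view returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

contract CollateralPricing {
    IPairLike public immutable pair;      // token0 = collateral, token1 = quote asset (assumed layout)
    IAggregatorV3 public immutable feed;
    uint256 public constant MAX_STALENESS = 1 hours; // tolerated feed age, a tuning assumption

    constructor(IPairLike _pair, IAggregatorV3 _feed) { pair = _pair; feed = _feed; }

    // VULNERABLE: a spot price derived from pool reserves can be moved by a large trade
    // within the same transaction, so collateral can be made to look worth more than it is.
    function spotValue(uint256 collateralAmount) external view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return collateralAmount * uint256(r1) / uint256(r0);
    }

    // HARDENED: read an external feed and reject non-positive answers, answers carried
    // over from an earlier round, and answers older than MAX_STALENESS.
    function oracleValue(uint256 collateralAmount) external view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
        require(answer > 0, "bad price");
        require(answeredInRound >= roundId, "stale round");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "stale price");
        return collateralAmount * uint256(answer) / (10 ** feed.decimals());
    }
}
```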

Improper Input Validation

Improper input validation is another of the smart contract bugs. It is the primary cause of many confirmed vulnerability reports at Immunefi and of exploits seen in the field.

Input validation is a critical security practice that ensures the integrity, accuracy, and safety of data entered into a system. Failure to adequately check inputs allows attackers to exploit and control the system’s behavior.

Improper input validation happens when smart contracts fail to validate and sanitize user inputs, making them open to various attacks. 

This vulnerability can be used to modify contract logic, introduce malicious data, or trigger unexpected behavior. 

Proper input validation guarantees that the contract processes only valid and expected data, which reduces the risk of abuse.

Weak Access Control

The next among the smart contract bugs is weak access control. Weak access control methods can allow unauthorized users or bad actors to obtain access to a smart contract’s critical functions or data. 

Access control ensures only authorized entities connect with specified functionalities or change critical parameters.

Effective access control methods, such as role-based permissions and robust authentication systems, must be established to prevent unwanted access. 

Documenting the restrictions and capabilities of each system actor can help identify which actions, if exposed, would lead to significant vulnerabilities.

This type of documentation can help improve unit testing and identify conflicts, ensuring that the system works as intended and reducing the chance of critical vulnerabilities caused by a single missing check. 

Projects should also keep each role's allowable actions as limited as feasible, so that threats from the web2 world cannot inflict irreversible damage on the system.

A compromised private key can be highly damaging if roles are not granular enough or the protocol depends significantly on centralization as a security model.
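The following added example (not the article's own code) combines the two points above, improper input validation and weak access control: every privileged function is gated by a narrow role rather than one all-powerful owner, and the user-facing functions validate the token address, recipient and amount before acting. The contract, its roles and the minimal IERC20 interface are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function transfer(address to, uint256 amount) external returns (bool);
}

// Deposit vault with two narrow roles: admin manages the allowlist, pauser can only pause.
contract GuardedVault {
    address public immutable admin;
    address public immutable pauser;
    bool public paused;
    mapping(address => bool) public allowedToken;
    mapping(address => mapping(address => uint256)) public balanceOf; // token => user => amount

    constructor(address _admin, address _pauser) {
        require(_admin != address(0) && _pauser != address(0), "zero role");
        admin = _admin; pauser = _pauser;
    }

    modifier onlyAdmin()  { require(msg.sender == admin,  "not admin");  _; }
    modifier onlyPauser() { require(msg.sender == pauser, "not pauser"); _; }
    modifier whenNotPaused() { require(!paused, "paused"); _; }

    // Access control: without onlyAdmin, anyone could allowlist an arbitrary contract.
    function setAllowedToken(address token, bool allowed) external onlyAdmin {
        require(token != address(0) && token.code.length > 0, "not a contract");
        allowedToken[token] = allowed;
    }

    function setPaused(bool p) external onlyPauser { paused = p; }

    // Input validation: the vault calls into `token`, so it must be allowlisted rather than
    // caller-chosen; a zero amount is rejected so no-op deposits cannot pollute accounting.
    function deposit(address token, uint256 amount) external whenNotPaused {
        require(allowedToken[token], "token not allowed");
        require(amount > 0, "zero amount");
        balanceOf[token][msg.sender] += amount;
        require(IERC20(token).transferFrom(msg.sender, address(this), amount), "transfer failed");
    }

    function withdraw(address token, address to, uint256 amount) external whenNotPaused {
        require(to != address(0), "zero recipient");
        require(amount > 0 && amount <= balanceOf[token][msg.sender], "bad amount");
        balanceOf[token][msg.sender] -= amount;   // update state before the external call
        require(IERC20(token).transfer(to, amount), "transfer failed");
    }
}
```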

Incorrect Calculations

Incorrect computations are common in confirmed reports on smart contract bugs.

Incorrect or inconsistent computations within a smart contract can have unanticipated implications, such as wrong token balances, incorrect reward distribution, or unexpected contract execution outcomes. 

Incorrect calculations are frequently associated with unexplored code paths and are closely tied to improper input validation errors. 

The difference is that incorrect-calculation bugs cover cases in which the user was intended to be allowed to take the action, but obtains significantly more value in return than expected because of the miscalculation.

In smart contracts, improper calculations happen when mathematical operations are done incorrectly, resulting in unexpected or inaccurate outcomes. 

These vulnerabilities can develop for various reasons, including faulty assumptions about precision, range of values, or inconsistent calculations throughout the contract. Incorrect calculations can occur when contracts fail to account for edge circumstances or appropriately handle corner cases. 

In some cases, contracts may fail to account for extreme values or handle overflows or underflows, resulting in unexpected behavior or security problems. 

Attackers can use these weaknesses to modify calculations or acquire unlawful advantages under the contract. Proper mathematical precision and careful study of corner cases are required to avoid such vulnerabilities.

Rounding Error

Rounding error is also one of the notable smart contract bugs. Improper handling of floating-point arithmetic and rounding errors might result in financial imbalances or the exploitation of contract logic. 

Avoiding such vulnerabilities requires precise management of numerical operations, including using fixed-point arithmetic when applicable. 

These vulnerabilities are commonly seen in permissionless exchange protocols, where non-standard decimal numbers might have unexpected repercussions.

Rounding errors occur when smart contracts do calculations that use floating-point arithmetic but do not account for precision or rounding. 

These inaccuracies might result in financial inconsistencies, loss of funds, or incorrectly calculated benefits under the contract. 

Smart contracts should use fixed-point arithmetic or other means of handling decimal computations that reliably reduce or eliminate rounding mistakes.
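As an added example covering both the incorrect-calculation and rounding-error sections (not code from the article), the library below shows vault share arithmetic done in integers, which is all the EVM offers: the order of multiply and divide, the rounding direction on deposit versus withdrawal, and normalisation of tokens with non-standard decimals. The library name and the 1:1 first-deposit rule are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Share accounting for a vault, written as pure functions so the arithmetic can be
// inspected in isolation. Solidity >=0.8 reverts on overflow, so a product that exceeds
// 2**256-1 fails loudly instead of wrapping; truncation from division does not.
library ShareMath {
    // WRONG: dividing first truncates to zero for any amount below totalAssets, and
    // multiplying afterwards cannot recover the lost precision.
    function sharesDivideFirst(uint256 amount, uint256 totalAssets, uint256 totalShares) internal pure returns (uint256) {
        return amount / totalAssets * totalShares;
    }

    // Deposit: multiply before dividing, and round DOWN so the depositor never
    // receives a fraction of a share that the vault did not receive assets for.
    function sharesForDeposit(uint256 amount, uint256 totalAssets, uint256 totalShares) internal pure returns (uint256) {
        if (totalShares == 0 || totalAssets == 0) return amount; // first depositor: 1:1 (assumption)
        return amount * totalShares / totalAssets;
    }

    // Withdrawal: burn the shares needed to pay out `amount`, rounding UP so a user
    // cannot withdraw repeatedly while burning slightly too few shares each time.
    function sharesForWithdraw(uint256 amount, uint256 totalAssets, uint256 totalShares) internal pure returns (uint256) {
        require(totalAssets > 0, "empty vault");
        uint256 numerator = amount * totalShares;
        return numerator / totalAssets + (numerator % totalAssets == 0 ? 0 : 1);
    }

    // Normalise an amount of a token with `decimals` decimals to 18 decimals before
    // comparing or combining it with other tokens (e.g. a 6-decimal stablecoin).
    function to18(uint256 amount, uint8 decimals) internal pure returns (uint256) {
        require(decimals <= 18, "unsupported decimals");
        return amount * 10 ** (18 - decimals);
    }
}
```

With amount 5, totalAssets 10 and totalShares 10, sharesDivideFirst returns 0 while sharesForDeposit returns 5.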

Replay Attacks/Signature Malleability

Cryptography is fundamental to the operation of all smart contracts. Protocols frequently use the same cryptographic primitives the chain uses to operate without permission. 

However, these primitives can sometimes be misused, resulting in actions being executed more than once, financial loss, or an incorrect contract state.

Replay attacks occur when an attacker reuses a legitimate transaction or message to trick the smart contract into acting more than once. 

EVM-based chains have access to a rudimentary native function that enables a smart contract to confirm that some data was signed by the address recovered from the signature. 

This native function, however, does not provide any form of replay protection by itself.

Typically, replay protection is done by introducing a nonce (a single-use integer) that is incremented when a signature is used, preventing the original signature from being used again once the nonce is changed. 

Signature malleability is the ability to alter a signature without invalidating it, allowing the altered copy to be used a second time. 

This can occur when encoding data or casting between types, where some bits of a value are ignored when the signature is checked but the full value is relied on to prevent replay attacks. 
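As an added example (not code from the article), the contract below verifies signed withdrawal approvals with the native ecrecover precompile the text refers to, and adds what it lacks: a per-user nonce, a digest bound to the chain id and contract address so a signature cannot be replayed elsewhere, and rejection of the malleable high-s form of a signature. The signer role and payload layout are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Signed withdrawal authorisations checked with ecrecover, with nonce-based replay
// protection and malleability checks on the (v, r, s) encoding.
contract SignedWithdrawals {
    address public immutable signer;             // off-chain authoriser (assumption)
    mapping(address => uint256) public nonces;   // per-user single-use counter
    mapping(address => uint256) public balances;

    // secp256k1 group order / 2: any s above this is the malleable twin of a low-s signature.
    uint256 private constant HALF_N = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    constructor(address _signer) { signer = _signer; }

    // The digest binds chain id and contract address, so a signature for one deployment or
    // chain is useless on another; the nonce binds it to exactly one use by this user.
    function digest(address user, uint256 amount, uint256 nonce) public view returns (bytes32) {
        bytes32 payload = keccak256(abi.encode(block.chainid, address(this), user, amount, nonce));
        return keccak256(abi.encodePacked("\x19Ethereum Signed Message:\n32", payload));
    }

    function withdraw(uint256 amount, uint8 v, bytes32 r, bytes32 s) external {
        // Reject high-s and out-of-range v: ecrecover alone would also accept a second,
        // distinct (r, s') encoding of the same approval, defeating "one signature, one use".
        require(uint256(s) <= HALF_N, "malleable s");
        require(v == 27 || v == 28, "bad v");

        uint256 nonce = nonces[msg.sender];
        address recovered = ecrecover(digest(msg.sender, amount, nonce), v, r, s);
        require(recovered != address(0) && recovered == signer, "bad signature");

        nonces[msg.sender] = nonce + 1;          // consume the nonce before crediting
        balances[msg.sender] += amount;
    }
}
```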

Final Thoughts

As smart contracts expand and gain wider acceptance, developers and auditors must keep up with the latest smart contract bugs and security best practices. 

Addressing these smart contract bugs allows stakeholders to improve the security posture of their smart contracts while also contributing to the overall confidence and reliability of blockchain-based systems.