Smart contracts are immutable programs. A single flaw can lead to catastrophic financial loss. This module dissects the logic errors that attackers exploit to drain protocols.
Traditional software security relies on patches. In Web3, once code is deployed, it cannot be changed. This "Code is Law" philosophy means security audits must happen before deployment, not after.
Bugs are permanent. Attackers can keep exploiting them until the contract is drained or paused (if pausing logic exists).
Bytecode is visible to everyone on the blockchain. Attackers can reverse-engineer logic to find flaws without ever interacting with the UI.
Contracts often hold millions in assets directly. There is no bank vault; the code is the vault.
An attacker's contract calls back into the victim contract before the first execution is finished, draining funds in a recursive loop.
Missing `onlyOwner` modifiers on sensitive functions like `setFee()` or `withdrawTreasury()` allow anyone to take control.
Attackers use massive borrowed capital to manipulate price oracles in a single transaction, causing the protocol to misprice assets.
Smart contracts are state machines. Attackers look for ways to put the contract into an invalid state. They ask: "Can I make the contract think I have deposited funds when I haven't? Can I overflow a number so it wraps around to zero?"
Real World Pattern: In the DAO hack (2016), attackers used reentrancy to withdraw ETH repeatedly before their balance was updated, draining $60 million.
There is no WAF (Web Application Firewall) for a smart contract. You cannot block IPs or filter malicious packets.
Attackers can bundle exploits into a single transaction. If the exploit fails, the entire transaction reverts, costing them nothing but gas.