1. Admin Key Compromise
Such functions are typically privileged functions used to modify the contract configuration or manage funds held in the smart contract. If an attacker compromises an admin key, they can have complete control over the smart contract and steal user funds.
2. Multisig hacking
3. Coding Mistakes
1. Repetitive Code
2. Bad Variable Names
3. Not Using Comments
4. Language Overload
5. Not Backing Up Code
6. Complicated Code
7. Not Asking Questions
8. Not Planning in Advance
9. Not Taking Breaks
10. Not Having Fun
4. flash loans and price manipulations
A flash loan attack is an abuse of the smart contract security of a particular platform in which an attacker usually borrows a lot of funds that don’t require collateral. They then manipulate the price of a crypto asset on one exchange and quickly resell it on another one.
5. misuse of third party protocols and business
Any attack begins primarily with analysis of the victim. Blockchain technology provides many opportunities for the automatic tuning and the simulation of hacking scenarios. For an attack to be fast and invisible, the attacker must have the necessary programming skills and knowledge of how smart contracts work. The typical toolkit of a hacker allows them to download their own full copy of a blockchain from the main version of the network, and then fully tune the process of an attack as if the transaction was taking place in a real network.
The developers of smart contracts often require more data relevant at the time of a transaction than they may possess at any given moment. They are therefore forced to use external services — for example, oracles. These services are not designed to operate in a trustless environment, so their use implies additional risks. According to statistics for a calendar year (since the summer of 2020), the given type of risk accounted for the smallest percentage of losses — only 10 hacks, resulting in losses totaling approximately $50 million.
Use and Misuse Cases diagram. Use cases on the left and Misuse Cases on the right.
6. Logic Error
A logic error is an error in a program’s source code that gives way to unanticipated and erroneous behavior. A logic error is classified as a type of runtime error that can result in a program producing an incorrect output. It can also cause the program to crash when running.
Logic errors are not always easy to recognize immediately. This is due to the fact that such errors, unlike that of syntax errors, are valid when considered in the language, but do not produce the intended behavior. These can occur in both interpreted and compiled languages.
A logic error is also known as a logical error.
Architecture of Logic Error Detectionjoumal.
7. phishing attacks
Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message.
8. fake apps
Fake apps are apps created by cybercriminals to cause harm to users and their devices. They are designed to resemble legitimate apps but instead carry out malicious activities. These activities include monitoring your activity, installing malware, showing annoying ads, or stealing your personal information.
9. DNS hijacking
Domain Name Server (DNS) hijacking, also named DNS redirection, is a type of DNS attack in which DNS queries are incorrectly resolved in order to unexpectedly redirect users to malicious sites. To perform the attack, perpetrators either install malware on user computers, take over routers, or intercept or hack DNS communication.
DNS hijacking can be used for pharming (in this context, attackers typically display unwanted ads to generate revenue) or for phishing (displaying fake versions of sites users access and stealing data or credentials).
Many Internet Service Providers (ISPs) also use a type of DNS hijacking, to take over a user’s DNS requests, collect statistics and return ads when users access an unknown domain. Some governments use DNS hijacking for censorship, redirecting users to government-authorized sites.
10 . D DOS distributed denial of service
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic.
DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices.
From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.
11. TCP connection attacks
Syn Spoofing or TCP Reset Attack is a type of attack in which attackers send forged TCP RST (Reset) packets to the host. This is the most common attack on the Internet which is causing a lot of problems. These attacks are mainly performed to shut down the websites which are not working with them.
12. Volumetric attacks
Volumetric DDoS attacks are designed to overwhelm internal network capacity and even centralized DDoS mitigation scrubbing facilities with significantly high volumes of malicious traffic. These DDoS attacks attempt to consume the bandwidth either within the target network/service, or between the target network/service and the rest of the Internet.
13. Rugpull
A rug pull is a malicious maneuver in the cryptocurrency industry where crypto developers abandon a project and run away with investors’ funds. … Rug pulls thrive on DEXs because these types of exchanges allow users to list tokens for free and without audit, unlike in centralized cryptocurrency exchanges.
researcher : Franak Askari
contact : bersipa@gmail.com
