A comprehensive collection of smart contract vulnerabilities and attack vectors, designed to educate developers about common security pitfalls in Ethereum smart contracts .
- Educational resource for blockchain developers and security researchers
- Practical examples of common smart contract vulnerabilities
- Detailed explanations of each vulnerability and its potential impact
- Foundry test suite demonstrating exploit scenarios
- On-Chain Data Exposure
- Signature Replay Attacks
- Denial of Service (DoS)
tx.origin
Phishing- Reentrancy
- Force-feeding Ether
- WETH Permit Vulnerability
-
Clone the repository:
git clone https://github.com/zeroaddresss/smart-contract-vulnerabilities.git cd smart-contract-vulnerabilities
-
Install dependencies:
forge install
-
Build the project:
forge build
-
Run tests:
forge test
Each vulnerability comes with a corresponding Foundry test that demonstrates the exploit. You can run individual tests using:
forge test --mt testFunctionName
For example, to run the test for the Reentrancy vulnerability:
forge test --mt testAttackerCanDrainEther
To run all tests:
forge test
Demonstrates how private data stored on-chain can be accessed by anyone.
Vulnerability: src/OnChainData.sol
Test: test/OnChainDataTest.t.sol
Shows how signatures can be reused in multiple transactions if not properly handled.
Vulnerability: src/SignatureReplay.sol
Test: test/SignatureReplay.t.sol
Illustrates how a contract can be rendered unusable by exploiting its logic.
Vulnerability: src/DoS.sol
Test: test/DosTest.t.sol
Demonstrates the dangers of using tx.origin
for authorization.
Vulnerability: src/TxOrigin.sol
Test: test/TxOrigin.t.sol
Shows how a contract can be drained of funds through recursive calls.
Vulnerability: src/Reentrancy.sol
Test: test/ReentrancyTest.t.sol
Illustrates how a contract can be forced to receive Ether, potentially disrupting its logic.
Vulnerability: src/ForceEther.sol
Test: test/ForceEtherTest.t.sol
Demonstrates a vulnerability specific to WETH contracts lacking a permit
function.
Vulnerability: src/WETHPermit.sol
Test: test/WETHPermitTest.t.sol
smart-contract-vulnerabilities/
βββ src/
β βββ OnChainData.sol
β βββ SignatureReplay.sol
β βββ DoS.sol
β βββ TxOrigin.sol
β βββ Reentrancy.sol
β βββ ForceEther.sol
β βββ WETHPermit.sol
βββ test/
β βββ OnChainDataTest.t.sol
β βββ SignatureReplay.t.sol
β βββ DosTest.t.sol
β βββ TxOrigin.t.sol
β βββ ReentrancyTest.t.sol
β βββ ForceEtherTest.t.sol
β βββ WETHPermitTest.t.sol
βββ README.md
- Solidity ^0.8.26
- Foundry
- OpenZeppelin Contracts
Contributions are welcome! Please feel free to submit a Pull Request.
- Fork the repository
- Create your feature branch (
git checkout -b feature/AmazingFeature
) - Commit your changes (
git commit -m 'Add some AmazingFeature'
) - Push to the branch (
git push origin feature/AmazingFeature
) - Open a Pull Request
Run the test suite using Foundry:
forge test
For verbose output:
forge test -vvvvv
- Add more vulnerability examples
- Implement mitigation strategies for each vulnerability
This project is licensed under the MIT License - see the LICENSE file for details.
- OpenZeppelin for their secure contract implementations
- Ethereum community for ongoing research in smart contract security
[email protected] - zeroaddresss - zeroaddresss
Project Link: https://github.com/zeroaddresss/smart-contract-vulnerabilities