All Posts
4
min read

Reentrancy and Denial of Service Attack attacks

Published on
April 22, 2024
Share
COPY LINK

Blockchain technology has revolutionized various industries by offering decentralized and transparent solutions. However, the security of blockchain systems heavily relies on the integrity of smart contracts. In this article, we delve into three of the most common smart contract vulnerabilities, shedding light on their impact and mitigation strategies to bolster blockchain security.

Reentrancy attack

In a nutshell, reentrancy occurs when a contract calls back into the same or another contract before its initial execution. Attackers find a way to exploit this loophole by manipulating the contract’s functionality and state, leading to syphoning funds for example.

How to mitigate Reentrancy attacks

There are some recommended best practices to mitigate this risk including Checks, Effects, Interactions (CEI) pattern. Checks pertain to the evaluation of the condition's truth value. Effects denote alterations in state caused by interactions, while interactions involve transactions among functions or contracts.

Another solution deployed in the industry is Reentrancy Guard or Mutex. Whether constructed as a function or function modifier, the logic is quite simple: a boolean lock is placed around the function call that is vulnerable to reentrancy.

Denial of Service Attack

A smart contract denial-of-service (DoS) attack is a security concern that can lead to code logic errors, compatibility issues, or excessive call depth, causing smart contracts malfunctions. There are three main types:

1. Code Logic-Based DoS Attack occurs due to coding errors, often in loops without length limits, allowing attackers to overflow gas and render the contract unusable.
2. External Call-Based DoS Attack exploits mishandling of external calls, causing transaction failures and rendering the contract ineffective.
3. Last but not least, Operation Management-Based DoS Attack, which targets contracts with Owner privileges, disrupting operations if the Owner role fails or loses the private key.

How to mitigate DoS attacks

Some of the best practices to mitigate this risk include Implementing a gas limit, which limits the maximum gas units a transaction can utilize. Thus, even if a malicious function attempts to deplete the gas from the invoked call, it cannot exceed the predefined gas units set by the caller.

Another way of addressing DoS attacks often involves implementing measures that increase the expense for attackers. Proven methods include imposing higher gas fees and utilizing time-lock puzzles. Additionally, mitigation strategies emphasize restricting calls solely to trusted contracts, thereby enhancing overall security.

Other common security threats

While this article dives into two of the most common, there are more attack types which a smart contract can be vulnerable to, for example:

1. Timestamp dependence: Smart contracts often rely on timestamps to put executional order and logic behind the activation of different tasks. Unfortunately attackers have found different ways to manipulate the timestamps, causing irregular execution, leading to unexpected and undesired outcomes.
2. Integer Overflow and Underflow: provoked by surpassing the fixed range for the values. As a result, the state variables and logic of the contract could malfunction and undergo invalid operations. There are solutions including the Solidity Complier version 0.8.0 or above, which would automatically not allow code susceptible to under or overflowing.

In Conclusion

The web3 sector continues to develop. To ensure future proofing its success and integrity, securing its weak points is crucial. The rapid developments in the sector call for even quicker adaptation and allies projects can rely on. Shieldify strives to build long-lasting relationships and be a partner in one march to achieving these goals. By ensuring the proficiency and continuous improvement of our portfolio, we can guarantee a security partner that will look for your best interest. Because your safety and sustainable growth are our priority, and it should be yours too.

Related posts

Read more from our blog

View all
5
min read

Oracle Manipulation

It is one of the most common attack vectors in DeFi, so both auditors and protocols need to learn what it is and how to deal with it, so get your notepads out and dive into our thread.
Read more
2
min read

DAO, Governance and Attacks

DAO is Decentralised Autonomous Organisation. Essentially, it’s a set of smart contracts the determine how its participants/members make decisions. Let’s look at a small graph to easier understand it.
Read more
3
min read

Merkle Tree

Merkle tree is a generalisation of a hash list or a hash chain. It has “leaf” nodes, each of them have a cryptographic hash of a data black they’re accossiated with. Every node that is not a “leaf” (they’re called branch or inner node) is labelled with the cryptographic hash of its child node’s hash. Merkle tree (or hash tree) allows more secure and efficient verification of large data structures. It was created in 1979 by Ralph Merkle (hence, Merkle tree).
Read more
3
min read

MEV Attacks

MEV is the abbreviation of Miner or Maximum Extractable Value. Miners/validators can order, prioritize and censor transactions in blocks, moreover, they can insert their transactions. Therefore, they always seek opportunities to manipulate transactions and gain additional value besides the fees for creating blocks.
Read more
View all