Close-up view of a mouse cursor over digital security text on display.

Question: What are smart contract security vulnerabilities? Give an example of a common smart contract vulnerability and explain how to avoid it.

Interview Prep, Smart Contract, Web3 / Leave a Comment

Blockchain Interview Prep Smart Contract Web3

A smart contract security vulnerability refers to a defect or error in the contract’s code that can be exploited by attackers. Such vulnerabilities may lead to the loss of funds or malicious exploitation of the contract’s logic. Since smart contracts are programs that automatically enforce agreement terms, their security is critical—especially in a blockchain environment where modifying a deployed contract is very difficult.

In Solidity, one of the most common vulnerabilities is Reentrancy. This usually occurs when a contract function changes state while also making an external call. Attackers can exploit this flaw by repeatedly calling specific functions (e.g., the withdrawal function) before the state is updated.

Example:

contract VulnerableWallet {
    mapping(address => uint256) public balances;

    function deposit() public payable {
        require(msg.value > 0);
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 _amount) public {
        require(balances[msg.sender] >= _amount);
        (bool sent, ) = msg.sender.call{value: _amount}("");
        require(sent, "Failed to send Ether");
        balances[msg.sender] -= _amount;
    }
}

In this example, the withdraw function sends Ether to the caller before updating the balance. If the caller is a malicious contract with a fallback function, control will be handed back to the attacker during the transfer. The attacker can then repeatedly call withdraw before the balance is reduced, eventually draining all funds from the contract.

How to avoid reentrancy vulnerabilities:

  1. Checks-Effects-Interactions Pattern: Update state variables first, and only then interact with external contracts. This ensures that even if a reentrancy attack occurs, the state has already been updated.
  2. Use a Reentrancy Guard: OpenZeppelin provides a ReentrancyGuard contract with the nonReentrant modifier to block nested calls.
  3. Restrict Function Calls: Ensure withdrawal functions can only be called by externally owned accounts (EOAs), not other contracts.
  4. Use Safer Transfer Methods: For example, transfer, which includes a built-in failure check and forwards only 2,300 gas—insufficient to trigger most contract fallback functions.
  5. Professional Security Audits: Before deployment, have the contract reviewed by professional security teams to detect and fix potential risks. This is critical, as developers often overlook vulnerabilities in their own code.

Subscribe for New Articles!

Must Read

Leave a Comment

Your email address will not be published. Required fields are marked *