Skip to content

Latest commit

 

History

History
 
 

(Not So) Smart Contracts

This repository contains examples of common Algorand smart contract vulnerabilities, including code from real smart contracts. Use Not So Smart Contracts to learn about Algorand vulnerabilities, as a reference when performing security reviews, and as a benchmark for security and analysis tools.

Features

Each Not So Smart Contract includes a standard set of information:

  • Description of the vulnerability type
  • Attack scenarios to exploit the vulnerability
  • Recommendations to eliminate or mitigate the vulnerability
  • Real-world contracts that exhibit the flaw
  • References to third-party resources with more information

Vulnerabilities

Not So Smart Contract Description Applicable to smart signatures Applicable to smart contracts
Rekeying Attacker rekeys an account yes yes
Unchecked Transaction Fees Attacker sets excessive fees for smart signature transactions yes no
Closing Account Attacker closes smart signature accounts yes no
Closing Asset Attacker transfers entire asset balance of a smart signature yes no
Group Size Check Contract does not check transaction group size yes yes
Time-based Replay Attack Contract does not use lease for periodic payments yes no
Access Controls Contract does not enfore access controls for updating and deleting application no yes
Asset Id Check Contract does not check asset id for asset transfer operations yes yes
Denial of Service Attacker stalls contract execution by opting out of a asset yes yes

Credits

These examples are developed and maintained by Trail of Bits.

If you have questions, problems, or just want to learn more, then join the #ethereum channel on the Empire Hacking Slack or contact us directly.