(Not So) Smart Contracts

This repository contains examples of common Algorand smart contract vulnerabilities, including code from real smart contracts. Use Not So Smart Contracts to learn about Algorand vulnerabilities, as a reference when performing security reviews, and as a benchmark for security and analysis tools.

Features

Each Not So Smart Contract includes a standard set of information:

  • Description of the vulnerability type
  • Attack scenarios to exploit the vulnerability
  • Recommendations to eliminate or mitigate the vulnerability
  • Real-world contracts that exhibit the flaw
  • References to third-party resources with more information

Vulnerabilities

| Not So Smart Contract | Description |
|---|---|
| Rekeying | Smart signatures are rekeyable |
| Unchecked Transaction Fees | Attacker sets excessive fees for smart signature transactions |
| Closing Account | Attacker closes smart signature accounts |
| Closing Asset | Attacker transfers the entire asset balance of a smart signature |
| Group Size Check | Contract does not check the transaction group size |
| Time-based Replay Attack | Contract does not use a lease for periodic payments |
| Access Controls | Contract does not enforce access controls for updating and deleting the application |
| Asset ID Check | Contract does not check the asset ID for asset transfer operations |
| Denial of Service | Attacker stalls contract execution by opting out of an asset |
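The table lists what each flaw lets an attacker choose in a transaction that a smart signature approves. The example below is added here and is not code from this repository: it models, in plain Python rather than TEAL/PyTeal, the naive "check receiver and amount only" signature beside one that pins every attacker-controlled field, and runs both against constructed transactions that reproduce the first eight attacks in the table (the asset opt-out denial of service is an application-side issue and is not modelled). The `Transaction` and `Policy` classes, the addresses, asset ID 1234, and the lease and round values are all constructed for the example; the comments name the PyTeal expressions (`Txn.rekey_to()`, `Txn.fee()`, `Txn.close_remainder_to()`, `Txn.asset_close_to()`, `Txn.xfer_asset()`, `Global.group_size()`, `Txn.lease()`, `Txn.on_completion()`) a real smart signature or application would read for the same check.

```python
from dataclasses import dataclass

# Constructed constants standing in for Global.zero_address() and Global.min_txn_fee().
ZERO_ADDRESS = "ZERO"
MIN_FEE = 1_000          # microAlgos
PERIOD = 1_000           # rounds between permitted periodic payments
WINDOW = 100             # rounds a single periodic payment stays valid


@dataclass
class Transaction:
    """Simplified model of the transaction fields a TEAL program can inspect."""
    sender: str
    receiver: str
    amount: int
    fee: int = MIN_FEE
    type: str = "pay"                    # "pay" or "axfer"
    rekey_to: str = ZERO_ADDRESS
    close_remainder_to: str = ZERO_ADDRESS
    asset_close_to: str = ZERO_ADDRESS
    xfer_asset: int = 0
    group_size: int = 1
    lease: bytes = b""
    first_valid: int = 0
    last_valid: int = 0


@dataclass(frozen=True)
class Policy:
    """What the signature is meant to authorise: one fixed payment per PERIOD."""
    receiver: str
    amount: int
    asset_id: int
    lease: bytes
    max_fee: int = 2 * MIN_FEE


def vulnerable_check(t: Transaction, p: Policy) -> bool:
    """Flawed signature: only destination and amount are checked."""
    return t.receiver == p.receiver and t.amount == p.amount


def hardened_check(t: Transaction, p: Policy) -> bool:
    """Every field the attacker could otherwise choose is pinned."""
    if t.rekey_to != ZERO_ADDRESS:                         # Rekeying: Txn.rekey_to()
        return False
    if t.fee > p.max_fee:                                  # Unchecked fees: Txn.fee()
        return False
    if t.close_remainder_to != ZERO_ADDRESS:               # Closing account: Txn.close_remainder_to()
        return False
    if t.asset_close_to != ZERO_ADDRESS:                   # Closing asset: Txn.asset_close_to()
        return False
    if t.type == "axfer" and t.xfer_asset != p.asset_id:   # Asset ID check: Txn.xfer_asset()
        return False
    if t.group_size != 1:                                  # Group size: Global.group_size()
        return False
    # Replay: a fixed lease plus a validity window aligned to PERIOD means the
    # ledger rejects a second copy of this (sender, lease) until the window expires.
    if t.lease != p.lease or t.first_valid % PERIOD != 0 or t.last_valid != t.first_valid + WINDOW:
        return False
    return t.receiver == p.receiver and t.amount == p.amount


# Application-side access control: only the creator may update or delete
# (Txn.on_completion() compared against Global.creator_address()).
UPDATE, DELETE, NOOP = "UpdateApplication", "DeleteApplication", "NoOp"


def app_call_allowed(on_completion: str, sender: str, creator: str) -> bool:
    if on_completion in (UPDATE, DELETE):
        return sender == creator
    return True


# Constructed policy and transactions reproducing the attacks in the table.
POLICY = Policy(receiver="MERCHANT", amount=5_000, asset_id=1234, lease=b"periodic-rent")


def legit(**overrides) -> Transaction:
    base = dict(sender="ESCROW", receiver="MERCHANT", amount=5_000,
                lease=b"periodic-rent", first_valid=2_000, last_valid=2_100)
    base.update(overrides)
    return Transaction(**base)


ATTACKS = {
    "rekey": legit(rekey_to="ATTACKER"),
    "excessive_fee": legit(fee=10_000_000),
    "close_account": legit(close_remainder_to="ATTACKER"),
    "close_asset": legit(type="axfer", xfer_asset=1234, asset_close_to="ATTACKER"),
    "wrong_asset": legit(type="axfer", xfer_asset=99),
    "grouped": legit(group_size=2),
    "replay": legit(lease=b"", first_valid=2_001, last_valid=2_050),
}


def evaluate(check, policy: Policy = POLICY) -> dict:
    """Map each constructed attack to whether `check` would approve it."""
    return {name: check(t, policy) for name, t in ATTACKS.items()}


if __name__ == "__main__":
    for name, accepted in evaluate(vulnerable_check).items():
        print(f"vulnerable approves {name}: {accepted}")
    for name, accepted in evaluate(hardened_check).items():
        print(f"hardened approves {name}: {accepted}")
```

Running it shows the naive check approving all seven attack transactions while the hardened check approves only the legitimate periodic payment; the point is that a smart signature must constrain every field, not just the ones it cares about, because the signer of the transaction is the attacker.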

Credits

These examples are developed and maintained by Trail of Bits.

If you have questions, problems, or just want to learn more, then join the #ethereum channel on the Empire Hacking Slack or contact us directly.