Tags List and Descriptions
Title | Description |
---|---|
0x
0x Protocol is the trusted open source settlement layer for the permissionless global exchange of value.
1/64 Rule
According to this rule, when a contract function makes a call to another function or contract, only 63/64 of the remaining gas can be forwarded in a message call.
51% Attack
An attack on a cryptocurrency blockchain by a group of miners who control more than 50% of the network's mining hash rate. Owning 51% of the nodes on the network gives the controlling parties the power to alter the blockchain.
Aave
Aave is a decentralized cryptocurrency platform that allows users to borrow and lend crypto. Aave uses smart contracts to automate the process, with preset rules on how funds are distributed, how collateral is handled, and how fees are assessed.
ABI Encoding
Encoding functions can be used to craft data for external function calls without actually calling an external function. Furthermore, keccak256(abi.encodePacked(a, b)) is a way to compute the hash of structured data (although be aware that it is possible to craft a “hash collision” using different function parameter types).
Access Control
Access control vulnerabilities are cases where a smart contract does not properly restrict the use of certain operations to authorized users. These vulnerabilities can arise from excessively permissive or overly restrictive access controls. They are critical because they may allow unauthorized users to manipulate contract data or operations.
Account Abstraction
Account Abstraction in Ethereum aims to enhance user interactions by allowing greater flexibility in how transactions and smart contracts are initiated. It proposes upgrading externally owned accounts (EOAs) to be controlled by smart contracts or enabling smart contracts to initiate transactions.
Add/Subtract Match
Calculations involving addition and subtraction are not synchronized or consistent, leading to unexpected outcomes.
Admin
Admin vulnerabilities typically involve scenarios where an administrator, who holds special permissions, could potentially misuse their authority to manipulate settings, parameters, or functionalities in a way that could be detrimental to the system's integrity or fairness.
Airdrop
Airdrop vulnerabilities refer to a potential risk associated with the distribution of tokens or assets to multiple addresses. This vulnerability arises when the process lacks proper validation or authorization checks, potentially allowing unauthorized recipients to gain access to the airdropped tokens, leading to loss or misuse of resources.
Allowance
Allowance vulnerability arises when a user grants excessive spending permissions to a third-party address, potentially allowing unauthorized access to their tokens and enabling malicious actions. Allowances are necessary in Ethereum to enable certain functionalities like decentralized exchanges or lending platforms, where smart contracts need limited access to a user's tokens for specific operations, but if not properly managed, it can lead to security risks.
API Inconsistency
API inconsistency vulnerabilities are present when the functions within a smart contract have inconsistent calling patterns or semantics. Although the individual functions may be implemented correctly, the inconsistency in how they are used or interact with each other could confuse users or developers, potentially leading to mistakes or misuse of the contract.
Approve
Approve refers to a function in Ethereum smart contracts that allows a token holder to grant spending permissions to another address. This action can become a vulnerability if not carefully managed, potentially leading to unauthorized access and misuse of the approved tokens by the designated address.
Approve Max
Approve Max refers to a potential risk associated with setting the approval amount to the maximum possible value (often 2^256 - 1) when interacting with smart contracts.
Arbitrum
Arbitrum is a technology suite designed to scale Ethereum. You can use Arbitrum chains to do all things you do on Ethereum — use Web3 apps, deploy smart contracts, etc., but your transactions will be cheaper and faster.
Array
Array refers to a data structure that holds multiple elements under a single variable name. Vulnerabilities related to arrays can arise when developers do not properly handle array indices or fail to validate user inputs.
Array Bound
Array Bound refers to the potential risk of accessing or modifying elements in an array outside the specified range of indices. This vulnerability can occur if proper checks and validations are not implemented.
Array Reorder
Array Reorder refers to the risk associated with the manipulation of array elements' order, potentially leading to unintended consequences or exploitable conditions.
Assembly
Assembly refers to a low-level programming language feature in Solidity that allows developers to directly interact with the Ethereum Virtual Machine (EVM).
Auction
Auction refers to a system where goods or services are sold to the highest bidder. Vulnerabilities can arise in auctions when there are flaws in the bidding process, such as incorrect validation of bids, improper handling of time constraints, or lack of transparency, potentially leading to unfair practices or exploitation by malicious actors.
Auditing and Logging
Auditing and logging vulnerabilities are characterized by insufficient or incorrect logging mechanisms within a smart contract. These vulnerabilities make it difficult to monitor and audit contract activities.
Authentication
Authentication vulnerabilities are cases where the mechanism used to verify identity or authorization is flawed. This is different from access control issues; here, the logic regarding who can do what is correct, but the system fails in accurately determining the identity of participants.
AutoRoll
AutoRoll is an ERC4626 compliant vault that simplifies the process of managing liquidity pools by automatically migrating it from a matured series to a new one. It offers LPs a passive experience, where they can deposit their assets, receive LP shares, and have their holdings automatically transitioned to a new series with a starting market rate after a "cooldown" period following maturity.
Blacklisted
Blacklisted mostly refers to cryptocurrency wallets that have been flagged or identified as associated with illicit activities or known scams. These wallets are typically subject to restrictions to prevent their involvement in fraudulent transactions or criminal operations within the cryptocurrency ecosystem.
block.number vs block.timestamp
block.number refers to the unique identifier of a block within a blockchain, representing its position in the chain's chronological order. On the other hand, block.timestamp denotes the specific time at which a block is mined, recorded as a Unix timestamp, providing a reference point for time-based operations within a smart contract.
Block Period
Block Period usually refers to a specific period of time measured in blocks. This term is crucial in understanding time-related functions and vulnerabilities in smart contracts, as it helps determine when certain actions or conditions can occur based on the passage of blocks.
Bond
Bond Protocol is a permissionless product suite for optimizing DAO treasuries and token economics.
Brick
Brick is a term used to describe a type of malicious contract or code that is intentionally designed to disrupt or harm the Ethereum network. This can include contracts with excessive gas consumption, causing network congestion, or those designed to exploit vulnerabilities in other contracts, potentially leading to financial losses for users.
Bridge
Bridge refers to a smart contract or mechanism that facilitates the interoperability between different blockchain networks. While bridges are essential for cross-chain functionality, they can introduce security risks if not properly implemented, potentially allowing for exploits or vulnerabilities that could affect the integrity of assets transferred between blockchains.
Broken Loop
Broken Loop refers to a loop that lacks a proper exit condition, causing it to execute indefinitely. This can lead to excessive gas consumption, potentially resulting in a denial-of-service attack on the Ethereum network or causing a contract to become unresponsive.
Business Logic
Logic vulnerabilities involve flaws in the business logic or protocols of a smart contract, where the implementation matches the developer's intention, but the underlying logic is inherently flawed.
Bypass limit
Bypass limit refers to a scenario where a smart contract or function lacks proper checks and allows users to exceed predefined limits or constraints.
Calldata
Calldata refers to the area where function arguments and data are stored when a contract is called from an external source. It is a read-only area, meaning that the data stored here cannot be modified by the contract itself.
call vs transfer
Use 'call' instead of 'transfer' due to gas cost considerations, and make sure to implement the CEI pattern to prevent reentrancy vulnerabilities when utilizing 'call'.
Can't Remove Access Control
Refers to a situation where a smart contract lacks a mechanism to revoke or modify access permissions once they have been granted.
CEI
The Checks-Effects-Interactions pattern is an effective way to prevent reentrancy attacks in smart contract code. The first step in using this pattern is to perform some checks and verifications in the contract flow.
Chain ID
Chain ID refers to a unique identifier assigned to a specific blockchain network. It is a critical parameter for ensuring secure interactions between different chains, helping prevent attacks that attempt to manipulate transactions meant for a particular chain.
Chainlink
Chainlink is a decentralized blockchain oracle network. The network is intended to be used to facilitate the transfer of tamper-proof data from off-chain sources to on-chain smart contracts.
Chain Reorganization Attack
Chain Reorganization Attack occurs when a malicious actor gains control over a significant portion of a blockchain's mining power, allowing them to create an alternate version of the blockchain that replaces the existing one.
Change Validation
Change Validation refers to the process of verifying and validating modifications to critical parameters or functionalities within a smart contract. It is essential for ensuring that alterations are made securely and in compliance with the contract's intended behavior.
CheckPoint
CheckPoint is a specific point in a blockchain's history that is recorded and used as a reference for security and validation purposes. It serves as a snapshot of the blockchain's state at a particular moment.
Check Return Value
Check Return Value refers to the practice of validating and handling the result or return value of external function calls.
Code Quality
Code quality issues pertain to the readability and maintainability of the smart contract code. These are not directly related to the functionality of the contract but can have long-term impacts on the ability to understand, maintain, and securely update the code. Code quality is considered to be a non-functional requirement but is essential for the sustainability and reliability of a smart contract.
Coding-Bug
Coding-bug is a broad category that covers simple mistakes in the code, akin to typos, which can lead to unintended behavior. These are usually unintended errors rather than deliberate logic errors.
Collateral Factor
Collateral Factor pertains to the ratio determining the amount of collateral required to back a specific asset in decentralized finance (DeFi) protocols.
Configuration
Configuration vulnerabilities arise from improper configuration of a smart contract which, despite having correct code, leads to unintended behavior. This is common in cases where financial parameters or market settings are misconfigured.
Constructor
Constructor is a special function within a smart contract that is executed only once when the contract is deployed. It is responsible for initializing the contract's state variables and can play a crucial role in ensuring the secure and intended behavior of the contract upon deployment.
Cooldown
Cooldown refers to a mechanism implemented in smart contracts to introduce a delay or waiting period before certain actions can be performed.
CREATE2
CREATE2 is an opcode that allows for the creation of smart contracts with a deterministic address based on the contract's bytecode and initialization parameters.
Cross Chain
Cross Chain refers to interactions or transactions that occur between different blockchain networks. This introduces a unique set of security considerations, as smart contracts must implement measures to validate and handle cross-chain interactions securely.
Cross Chain Message
Cross Chain Message refers to a communication or transaction initiated on one blockchain network that is intended to interact with or trigger actions on a different blockchain.
Cryptography
Cryptography vulnerabilities occur when a smart contract employs flawed or insufficient cryptographic practices. In the context of blockchain and smart contracts, this often involves the use of weak or inappropriate algorithms for tasks such as generating random numbers. The use of improper cryptography can compromise the security and integrity of a smart contract.
CryptoPunks
CryptoPunks is a non-fungible token collection on the Ethereum blockchain, launched as a fixed set of 10,000 items in mid-2017, which became one of the inspirations for the ERC-721 standard.
Data Exposure
Data exposure vulnerabilities occur when sensitive data that should remain private is inadvertently made public by the smart contract, often through transactions or blockchain state.
Data Validation
Data validation vulnerabilities arise when a smart contract does not adequately verify or sanitize inputs, especially those from untrusted sources. This lack of validation can lead to unintended and potentially harmful consequences within the contract’s operations.
DAO
A decentralized autonomous organization (DAO) is an emerging form of legal structure that has no central governing body and whose members share a common goal to act in the best interest of the entity. Popularized through cryptocurrency enthusiasts and blockchain technology, DAOs are used to make decisions in a bottom-up management approach.
Deadline
Deadline refers to a specified timestamp or block number by which a certain action or transaction must be completed. It serves as a critical security measure to enforce time-sensitive operations within a smart contract.
Decimals
Decimals refers to the level of precision used to represent fractional values of tokens within a smart contract. Incorrectly setting or manipulating decimal values can lead to miscalculations in token amounts.
Delegate
Delegate typically refers to the practice of delegating or forwarding certain functions or permissions to another smart contract or external address.
Denial-Of-Service
Denial of Service (DoS) vulnerabilities occur when an attacker can exploit a contract in a way that makes it unresponsive or significantly less efficient. This category includes cases that are not well described by another class and where the primary consequence is contract shut-down or operational inefficiency.
Deposit/Reward tokens
Deposit/Reward tokens pertain to the process of placing assets into a smart contract, often as part of a staking or yield farming mechanism, in order to earn rewards or benefits.
Diamond
Diamond refers to a design pattern that allows for the efficient and upgradeable deployment of multiple functionalities within a smart contract system.
Documentation
Documentation vulnerabilities aren't issues in the smart contract code itself, but rather in the accompanying documentation. This category includes cases where the documentation is incorrect, unclear, or incomplete. While documentation issues generally don’t affect the execution of the contract, they can lead to misuse or misunderstanding of how the contract should be used, which can indirectly contribute to security issues.
Domain Separator
The domain separator, in the context of EIP-712, is a cryptographic value that uniquely identifies a specific domain or dapp. It is used to prevent replay attacks and ensure that structured data is signed within the correct context.
Don't update state
Don't update state refers to a guideline that advises against modifying the contract's state or storage within certain functions, as doing so may lead to unintended consequences for users and other contracts interacting with it.
DOS
DOS stands for Denial-of-Service, which refers to a malicious attack aimed at disrupting or preventing the normal functioning of a smart contract or blockchain network.
Dust
Dust refers to very small or negligible amounts of cryptocurrency, often below the precision threshold of a token's decimals. These tiny balances can accumulate in wallets or contracts and, if not managed properly, may lead to inefficiencies, increased gas costs, or even potential vulnerabilities in smart contracts.
ECDSA
ECDSA stands for Elliptic Curve Digital Signature Algorithm. It is a combination of the Digital Signature Algorithm (DSA) and Elliptic Curve Cryptography (ECC). The DSA uses the keys derived from the ECC and is a very efficient equation based on Public Key Cryptography (PKC).
ecrecover
ecrecover is a crucial Ethereum Solidity function that allows a smart contract to verify digital signatures. It takes a message, a signature, and the signer's public key, and returns the address that corresponds to the private key used for signing, providing a means to authenticate external messages in a smart contract.
EIP-1271
EIP-1271, also known as the "Standardized Contract Signatures," is an Ethereum Improvement Proposal that defines a standard way for smart contracts to validate the authenticity of a message or transaction. It allows contracts to implement a specific function, isValidSignature, which can be used to verify signatures.
EIP-150
EIP-150, also known as the "Gas cost changes for IO-heavy operations", aimed to make certain computational operations more expensive in terms of gas, discouraging potential attackers from exploiting vulnerabilities related to excessive gas consumption.
EIP-165
EIP-165, known as the "Standard Interface Detection", outlines a standardized way for smart contracts to declare which interfaces they support. This allows other contracts and applications to interact with them more securely by verifying their capabilities before attempting any transactions.
EIP-2981
EIP-2981, titled "NFT Royalty Standard", provides a standardized way for non-fungible tokens (NFTs) to handle royalty payments to creators when they are resold.
EIP-4337
EIP-4337 is an account abstraction proposal which completely avoids consensus-layer protocol changes, instead relying on higher-layer infrastructure.
EIP-4524
EIP-4524 "Safer ERC-20" standard extends ERC-20 tokens with EIP-165, and adds familiar functions from ERC-721 and ERC-1155 ensuring receiving contracts have implemented proper functionality.
EIP-4626
EIP-4626 "Tokenized Vaults" allows for the implementation of a standard API for tokenized Vaults representing shares of a single underlying EIP-20 token. This standard is an extension on the EIP-20 token that provides basic functionality for depositing and withdrawing tokens and reading balances.
EIP-4758
EIP-4758, titled "Deactivate SELFDESTRUCT", renames the SELFDESTRUCT opcode to SENDALL, and replaces its functionality. The new functionality will be only to send all Ether in the account to the caller.
EIP-712
EIP-712, also known as "Typed Structured Data," introduces a standardized way to create and validate messages that need to be signed by external accounts or contracts.
Emergency
Emergency refers to a situation within a smart contract that enables users to forcefully withdraw their funds in critical situations. This function is usually designed to bypass specific checks or restrictions, providing a fail-safe mechanism to ensure users can recover their assets even in abnormal circumstances.
EOA
An EOA refers to a standard Ethereum account controlled by a private key and is not associated with any smart contract code. It is primarily used for transactions on the Ethereum network and does not possess the ability to execute complex code logic like a smart contract account.
ERC1155
ERC1155 refers to a widely-used Ethereum token standard that allows for the creation of multi-fungible tokens. Unlike traditional ERC20 or ERC721 tokens, ERC1155 tokens can represent multiple types of assets within a single contract.
ERC20
ERC-20 is the technical standard for fungible tokens created using the Ethereum blockchain. A fungible token is interchangeable with another token—where the well-known non-fungible tokens (NFTs) are not interchangeable.
ERC2981
ERC2981 is known as the "NFT Royalty Standard." It introduces a standardized way to handle royalty payments for non-fungible tokens (NFTs) on the Ethereum blockchain, providing a mechanism to ensure creators receive a share of the proceeds when their NFTs are resold.
ERC4626
ERC-4626 "Tokenized Vaults" allows for the implementation of a standard API for tokenized Vaults representing shares of a single underlying EIP-20 token.
ERC721
"ERC721" refers to a widely adopted Ethereum token standard for non-fungible tokens (NFTs). Unlike fungible tokens, each ERC721 token is unique and indivisible, making it well-suited for representing ownership of distinct digital assets.
ERC721Checkpointable
ERC777
ERC777 enhances the functionality of tokens compared to the earlier ERC20 and ERC223 standards. It introduces features like "hooks" that allow token holders to receive notifications and interact with the contract during transfers.
Error Reporting
Error reporting vulnerabilities are cases where a contract fails to properly report or handle error conditions. This category involves contracts not providing sufficient information or feedback about internal errors or issues.
Event
Event refers to a crucial feature in smart contracts that enables the emission of notifications about specific occurrences on the blockchain.
External Call