(Not So) Smart Contracts

This repository contains examples of common Algorand smart contract vulnerabilities, including code from real smart contracts. Use Not So Smart Contracts to learn about Algorand vulnerabilities, as a reference when performing security reviews, and as a benchmark for security and analysis tools.

Features

Each Not So Smart Contract includes a standard set of information:

  • Description of the vulnerability type
  • Attack scenarios to exploit the vulnerability
  • Recommendations to eliminate or mitigate the vulnerability
  • Real-world contracts that exhibit the flaw
  • References to third-party resources with more information

Vulnerabilities

Not So Smart ContractDescriptionApplicable to smart signaturesApplicable to smart contracts
RekeyingAttacker rekeys an accountyesyes
Unchecked Transaction FeesAttacker sets excessive fees for smart signature transactionsyesno
Closing AccountAttacker closes smart signature accountsyesno
Closing AssetAttacker transfers entire asset balance of a smart signatureyesno
Group Size CheckContract does not check transaction group sizeyesyes
Time-based Replay AttackContract does not use lease for periodic paymentsyesno
Access ControlsContract does not enfore access controls for updating and deleting applicationnoyes
Asset Id CheckContract does not check asset id for asset transfer operationsyesyes
Denial of ServiceAttacker stalls contract execution by opting out of a assetyesyes
Inner Transaction FeeInner transaction fee should be set to zeronoyes
Clear State Transaction CheckContract does not check OnComplete field of an Application Callyesyes

Credits

These examples are developed and maintained by Trail of Bits.

If you have questions, problems, or just want to learn more, then join the #ethereum channel on the Empire Hacking Slack or contact us directly.