Smart contracts are transforming the way we transact and manage digital assets on the Ethereum blockchain. However, like any software, they can be vulnerable to security issues. A clear example of this was the 2016 DAO Hack, where an attacker exploited a vulnerability to steal 3.54 million ether, underscoring the importance of having robust security in these contracts.
In this article, we will explore some of the most common vulnerabilities affecting smart contracts. We will also introduce HACONTI, a free platform that provides cybersecurity challenges focused on smart contracts. HACONTI is designed to help developers improve the security of their contracts and allow security specialists to learn how to assess these critical systems.
Smart Contract Vulnerabilities
Smart contracts can be affected by multiple types of vulnerabilities. Some of the most critical are included in the list below.
(Free access, no subscription required)
Reentrancy: Allows an attacker to repeatedly call a function again before its previous execution is completed, manipulating the contract.
Integer Overflow: An integer overflow occurs when an arithmetic operation surpasses the fixed range of a type of data, causing unexpected behavior.
Denial of Service (DoS): A DoS attack can block access to critical functions or deplete the gas of the contract, preventing its proper operation.
Access Control Flaws: These flaws allow unauthorized users to access functions that should be restricted, compromising the system’s integrity.
Private Information on the Blockchain: As information stored on the blockchain is public, confidentiality can be compromised if it is not properly encrypted.
Insecure Calls to External Contracts: The use of delegatecall() with untrusted contracts may allow the manipulation of the internal state of the calling contract.
HACONTI (short for Hack The Not So Smart Contract in Spanish) is a web platform that offers cybersecurity challenges focusing on Solidity smart contracts. Each level or challenge presents a smart contract with a vulnerability which users must exploit.
The platform has a total of thirty levels, organized into three different categories, each with its own difficulty level. Two of the most notable features of HACONTI are the extensive contextual information it provides for the vulnerabilities in each level and its unique points system.
HACONTI Main Menu
Reentrancy: Allows an attacker to repeatedly call a function again before its previous execution is completed, manipulating the contract.
Integer Overflow: An integer overflow occurs when an arithmetic operation surpasses the fixed range of a type of data, causing unexpected behavior.
Denial of Service (DoS): A DoS attack can block access to critical functions or deplete the gas of the contract, preventing its proper operation.
Access Control Flaws: These flaws allow unauthorized users to access functions that should be restricted, compromising the system’s integrity.
Private Information on the Blockchain: As information stored on the blockchain is public, confidentiality can be compromised if it is not properly encrypted.
Insecure Calls to External Contracts: The use of delegatecall() with untrusted contracts may allow the manipulation of the internal state of the calling contract.
HACONTI (short for Hack The Not So Smart Contract in Spanish) is a web platform that offers cybersecurity challenges focusing on Solidity smart contracts. Each level or challenge presents a smart contract with a vulnerability which users must exploit.
The platform has a total of thirty levels, organized into three different categories, each with its own difficulty level. Two of the most notable features of HACONTI are the extensive contextual information it provides for the vulnerabilities in each level and its unique points system.
HACONTI Main Menu
Challenge Categories
Category 1 (Introductory): Levels designed so that players without prior experience can become familiar with Ethereum and smart contracts, and acquire basic skills to deploy and interact with Solidity contracts.
Category 3 (Complex and Chained Vulnerabilities): These more advanced levels combine multiple simple vulnerabilities that must be exploited in sequence to complete the challenge, testing the skills acquired by solving previous levels.
Contextual Information for the Challenges
Each level indicates its status (solved or unsolved), difficulty, and category. It also includes a list of objectives that must be overcome and the source code of the vulnerable contract with which one must interact to complete the level.
“Reentrance” Level
Levels in Category 1 also include a detailed tutorial for their resolution. Those in Categories 2 and 3 include:
Description: Challenge details.
Hints: Clues that can be unlocked with points.
Additional hints: Clues requiring more points.
SWC and SCSVS: Information about vulnerabilities and associated checklists; can be unlocked with additional points.
“Points” Level
Once a level is solved, the following is also unlocked:
Additional Information: Technical details about solving the level.
Real-Life Cases: Examples of real-world incidents where attackers exploited similar vulnerabilities to steal millions of ether.
Fixed Code: Source code that shows how to remediate the vulnerability. multiple versions of the remediation may exist.
Hints, Additional Hints, and SWC and SCSVS information associated with the completed level are automatically unlocked regardless of the player’s points.
“BuilderName” Level Unlockable Information
HACONTI Points System
Points are earned by solving levels. Points are awarded based on the difficulty of each level:
Very Easy: 50 points
Easy: 100 points
Normal: 150 points
Difficult: 200 points
Very Difficult: 300 points
These points allow players to climb the public ranking and are required to unlock hints, additional hints, and vulnerability details (SWC and SCSVS). They can also be used to customize the player’s profile, for example, to choose a nickname (200 points), choose a flag (500 points), or add contact information such as an email address, website, and social media profiles.
HACONTI Ranking
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of LACNIC.
