Blockchain Vulnerability Classes

Comprehensive coverage of smart contract vulnerability categories. Each class includes detection patterns, real-world exploits, and remediation.

Overview

| Class | Exploits | Total Loss | Notable |
|---|---|---|---|
| Reentrancy | 47 | $890M | The DAO ($60M) |
| Access Control | 89 | $1.2B | Ronin ($625M) |
| Oracle Manipulation | 34 | $420M | Mango ($114M) |
| Flash Loan | 62 | $380M | Cream ($130M) |
| Logic Errors | 156 | $950M | Wormhole ($326M) |

Reentrancy

Occurs when external calls allow attackers to re-enter the contract before state updates complete.

Vulnerable

Solidity
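function withdraw(uint256 amount) external {
    require(balances[msg.sender] >= amount, "Insufficient balance");
    // External call BEFORE state update: the recipient can re-enter
    // withdraw() while its recorded balance is still unchanged
    (bool ok, ) = msg.sender.call{value: amount}("");
    require(ok, "Transfer failed");
    balances[msg.sender] -= amount;
}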

Secure

Solidity
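function withdraw(uint256 amount) external {
    require(balances[msg.sender] >= amount, "Insufficient balance");
    // State update BEFORE external call: a re-entrant call now sees
    // the reduced balance and fails the check above
    balances[msg.sender] -= amount;
    (bool ok, ) = msg.sender.call{value: amount}("");
    require(ok, "Transfer failed");
}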
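
A detection pattern for the ordering bug above, as an added example (not Bloodhound's code and not part of the original page): a regex-based heuristic that reports any indexed state write following a low-level `.call` inside the same function. The function names, the patterns and the two sample strings are assumptions constructed for this illustration; it is not a Solidity parser and ignores cross-function reentrancy.

```python
import re

# Heuristic patterns: assumptions of this example, not a Solidity parser.
COMMENT = re.compile(r"//[^\n]*|/\*.*?\*/", re.S)
FUNC_HEADER = re.compile(r"\bfunction\s+(\w+)\s*\(")
EXTERNAL_CALL = re.compile(r"\.call\s*[({]")  # low-level call, as in the page's snippet
STATE_WRITE = re.compile(r"^\s*(\w+)(?:\s*\[[^\]]+\])+\s*[-+*/]?=(?!=)")  # e.g. balances[x] -= y

def function_bodies(src):
    """Yield (name, line_of_opening_brace, body_text) via brace matching."""
    for m in FUNC_HEADER.finditer(src):
        start, semi = src.find("{", m.end()), src.find(";", m.end())
        if start == -1 or (semi != -1 and semi < start):
            continue  # declaration without a body (interface or abstract)
        depth = 0
        for i in range(start, len(src)):
            depth += {"{": 1, "}": -1}.get(src[i], 0)
            if depth == 0:
                yield m.group(1), src.count("\n", 0, start) + 1, src[start + 1:i]
                break

def find_call_before_write(src):
    """Return (function, call_line, write_line, variable) for every indexed
    state write that follows a low-level call inside the same function."""
    # Blank out comments but keep their newlines so line numbers stay valid.
    src = COMMENT.sub(lambda m: "\n" * m.group().count("\n"), src)
    findings = []
    for name, first_line, body in function_bodies(src):
        call_line = None
        for offset, line in enumerate(body.split("\n")):
            write = STATE_WRITE.match(line)
            if call_line is None and EXTERNAL_CALL.search(line):
                call_line = first_line + offset
            elif call_line is not None and write:
                findings.append((name, call_line, first_line + offset, write.group(1)))
    return findings

# Constructed samples mirroring the two withdraw() variants above.
VULNERABLE = """function withdraw(uint256 amount) external {
    require(balances[msg.sender] >= amount);
    msg.sender.call{value: amount}("");   // external call first
    balances[msg.sender] -= amount;       // state write second
}"""
SECURE = """function withdraw(uint256 amount) external {
    require(balances[msg.sender] >= amount);
    balances[msg.sender] -= amount;
    msg.sender.call{value: amount}("");
}"""
```

Each finding is a lead for manual review: writes to local arrays are flagged too, and writes to plain (non-indexed) state variables are missed.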

Access Control

Missing or flawed permission checks allow unauthorized users to call privileged functions.

Most Common Category

Access control vulnerabilities account for over $1.2B in losses, making them the most costly vulnerability class.

Oracle Manipulation

Price oracles can be manipulated to drain funds from DeFi protocols that rely on them for valuations.

Solidity
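// Vulnerable: using the pool's spot price, derived from current reserves
(uint112 reserve0, uint112 reserve1, ) = uniswapPair.getReserves();
uint256 spotPrice = (uint256(reserve1) * 1e18) / reserve0;

// Secure: using a Chainlink price feed with a staleness check
(, int256 price, , uint256 updatedAt, ) = chainlinkFeed.latestRoundData();
require(price > 0, "Invalid price");
require(block.timestamp - updatedAt < 1 hours, "Stale price");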

Flash Loan Attacks

Flash loans enable attackers to borrow massive capital within a single transaction to manipulate markets and exploit protocols.

Attack Pattern

  1. Borrow millions via flash loan (no collateral needed)
  2. Manipulate on-chain price oracle
  3. Exploit protocol using manipulated price
  4. Repay flash loan + profit in same transaction

Business Logic Errors

Flaws in the intended business logic that allow unintended behavior. These are the hardest to detect automatically.

AI-Assisted Detection

Bloodhound's AI engine is specifically trained to identify logic errors by understanding the intended behavior of common DeFi patterns.