{"id":24429280,"url":"https://github.com/nzt48/exploiting-smart-contract-vulnerabilities","last_synced_at":"2026-04-21T08:36:24.533Z","repository":{"id":41540692,"uuid":"510038855","full_name":"NZT48/exploiting-smart-contract-vulnerabilities","owner":"NZT48","description":"Repository for \"Exploiting smart contract vulnerabilities\" bachelor thesis at School of Electrical Engineering, University of Belgrade. Paper (in Serbian) with 5 examples of vulnerable smart contracts and exploitation of them.","archived":false,"fork":false,"pushed_at":"2023-09-10T12:21:55.000Z","size":29283,"stargazers_count":9,"open_issues_count":0,"forks_count":2,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-01-20T13:35:51.425Z","etag":null,"topics":["ethereum","exploitation","hacking","security","smart-contracts","solidity"],"latest_commit_sha":null,"homepage":"","language":"TeX","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/NZT48.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-03T13:59:33.000Z","updated_at":"2024-08-12T20:24:42.000Z","dependencies_parsed_at":"2025-01-20T13:35:11.131Z","dependency_job_id":"945e6fff-e9ba-40f3-9be2-7a23f5f9ad64","html_url":"https://github.com/NZT48/exploiting-smart-contract-vulnerabilities","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NZT48%2Fexploiting-smart-contract-vulnerabilities","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NZT48%2
Fexploiting-smart-contract-vulnerabilities/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NZT48%2Fexploiting-smart-contract-vulnerabilities/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/NZT48%2Fexploiting-smart-contract-vulnerabilities/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/NZT48","download_url":"https://codeload.github.com/NZT48/exploiting-smart-contract-vulnerabilities/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243456564,"owners_count":20293905,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ethereum","exploitation","hacking","security","smart-contracts","solidity"],"created_at":"2025-01-20T13:35:00.392Z","updated_at":"2025-12-27T11:11:33.280Z","avatar_url":"https://github.com/NZT48.png","language":"TeX","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Exploiting Smart Contract Vulnerabilities\n\n![Ethereum](https://img.shields.io/badge/Ethereum-3C3C3D?style=for-the-badge\u0026logo=Ethereum\u0026logoColor=white)\n![Solidity](https://img.shields.io/badge/Solidity-%23363636.svg?style=for-the-badge\u0026logo=solidity\u0026logoColor=white)\n\nRepository for [\"Exploiting smart contract vulnerabilities\" bachelor thesis](https://zenodo.org/record/6792551) at [School of Electrical Engineering](https://www.etf.bg.ac.rs/en), [University of Belgrade](http://www.bg.ac.rs/en/index.php). 
\n\nThe paper is written in Serbian (Eksploatacija_propusta_u_pametnim_ugovorima.pdf); the repository contains 5 examples of vulnerable smart contracts and how to exploit them, with instructions in English. Everything is implemented in Solidity.\n\n## Examples\n\n1. NFT Auction\n\t* Implementation of an auction that has a reentrancy vulnerability\n\t* Inspired by [DAO hack](https://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/)\n\t\t\n2. Hyperinflation\n\t* Smart contract with a partial implementation of the ERC20 contract that has an overflow vulnerability\n\t* Exploitation of this vulnerability leads to hyperinflation of the token\n\t* Inspired by [BEC (BeautyChain) hack](https://medium.com/secbit-media/a-disastrous-vulnerability-found-in-smart-contracts-of-beautychain-bec-dbf24ddbc30e)\n\n3. Ether chest\n\t* Smart contract that enables users to lock their Eth for some time\n\t* To exploit this contract, an attacker needs to combine reentrancy, overflow and underflow vulnerabilities\n\n4. King of Ether\n\t* Famous [king of ether game](https://www.kingoftheether.com/thrones/kingoftheether/index.html) with additional protection (checks if the caller is a smart contract and, if it is, stops the function call)\n\t* Example of a Denial of Service (DoS) attack\n\n5. 
Giveaway\n\t* Contract that is giving away 10 Ethers, but you need to give 1 eth to enter the giveaway\n\t* The attack combines the unexpected ether vulnerability and bad usage of delegatecall\n\t\nInstructions for running each example are in the readme inside each example's directory in the src directory.\n\n\n## Recommendations for developing safe smart contracts\n\n* Use the Checks-Effects-Interactions pattern\n* Use the pull over push pattern\n* Implement circuit breakers\n* Use formal verification\n* Use modifiers only for checks\n* Do not use kill and selfdestruct\n* Keep the code small and modular\n* Use events to track activities in the smart contract\n* Use well-known libraries like the ones from [OpenZeppelin](https://github.com/OpenZeppelin)\n* Don't forget that all data is public on the blockchain\n\t* use commitment schemes with separate phases: first commit using the hash of the values, and in a later phase reveal the values\n* Limit the maximum amount of Eth that the contract can accept (if possible)\n\nMore useful recommendations [here](https://consensys.github.io/smart-contract-best-practices/)\n\n## Smart contract security tools\n\n* [Slither](https://github.com/crytic/slither) - Static Analyzer for Solidity \n\n* [Mythril](https://github.com/ConsenSys/mythril) - Security analysis tool for EVM bytecode\n\n* [Manticore](https://github.com/trailofbits/manticore) - Symbolic execution tool \n\n* [Oyente](https://github.com/enzymefinance/oyente) - An Analysis Tool for Smart Contracts \n\n* [Echidna](https://github.com/crytic/echidna) - Ethereum smart contract fuzzer \n\n## Contributing\n\nIf you see any mistake or have an improvement idea, feel free to open an issue and PR, or contact the author.\n\n## License\n\n[![License: GPL 
v3](https://img.shields.io/badge/License-GPLv3-blue.svg)](https://www.gnu.org/licenses/gpl-3.0)\n\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnzt48%2Fexploiting-smart-contract-vulnerabilities","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnzt48%2Fexploiting-smart-contract-vulnerabilities","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnzt48%2Fexploiting-smart-contract-vulnerabilities/lists"}