
🛡️ Security Best Practices: Prevent Exploits

Learn how to write secure smart contracts from day one

🛡️ Why Smart Contract Security Matters

Smart contracts hold billions in assets—and they're immutable. Once deployed, bugs become permanent vulnerabilities. The DAO hack ($60M), Parity wallet freeze ($150M), Poly Network exploit ($611M), Ronin bridge ($625M) weren't theoretical—they were production disasters. Unlike traditional software where you can patch bugs, blockchain code is final. A single reentrancy vulnerability, missing access control, or integer overflow can drain entire treasuries in seconds. Security isn't optional—it's existential. This module teaches you to think like an attacker, recognize common vulnerabilities, apply secure patterns, and build contracts that withstand adversarial conditions.

🎮 Interactive: Vulnerability Explorer

Select a vulnerability type to see vulnerable code, how the attack works, and the secure fix. Learn from real exploits.

🔁 Reentrancy Attack

Severity: Critical

Attacker recursively calls function before state update completes

Real Loss Example: DAO Hack ($60M)

❌ Vulnerable Code

function withdraw(uint amount) public {
  require(balances[msg.sender] >= amount);
  (bool success,) = msg.sender.call{value: amount}("");
  require(success);
  balances[msg.sender] -= amount; // ❌ Too late!
}

⚡ How the Attack Works

Attacker calls withdraw() → receives ETH → fallback triggers another withdraw() → loop drains contract before balance update.

✅ Secure Fix

function withdraw(uint amount) public {
  require(balances[msg.sender] >= amount);
  balances[msg.sender] -= amount; // ✅ Update first!
  (bool success,) = msg.sender.call{value: amount}("");
  require(success);
}
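
The call flow described above, as an added Python model (not code from the original page): it replays the same re-entering caller against both orderings of withdraw(). `Vault`, `Account`, `simulate` and the deposit amounts are constructed for illustration, and subtraction is assumed to wrap on underflow (unchecked uint256 arithmetic).

```python
# Toy model of the withdraw() call flow; not EVM code. All names are constructed.
class Revert(Exception): pass  # stands in for a failed require()

class Account:
    def __init__(self, addr, reenter):
        self.addr, self.reenter, self.received = addr, reenter, 0

    def on_receive(self, vault, amount):
        if self.reenter and vault.eth >= amount:  # fallback calls withdraw() again
            vault.withdraw(self, amount)

class Vault:
    def __init__(self, update_first):
        self.update_first = update_first  # True = ordering of the secure fix
        self.balances, self.eth = {}, 0   # ledger vs. ether actually held

    def deposit(self, addr, amount):
        self.balances[addr] = self.balances.get(addr, 0) + amount
        self.eth += amount

    def _debit(self, addr, amount):
        # Assumption: unchecked uint256 subtraction that wraps on underflow.
        self.balances[addr] = (self.balances[addr] - amount) % 2**256

    def withdraw(self, caller, amount):
        snap = (dict(self.balances), self.eth, caller.received)
        try:
            if self.balances.get(caller.addr, 0) < amount:
                raise Revert("insufficient balance")
            if self.update_first:
                self._debit(caller.addr, amount)
            self.eth -= amount                # the external call sends ether...
            caller.received += amount
            caller.on_receive(self, amount)   # ...and hands control to the callee
            if not self.update_first:
                self._debit(caller.addr, amount)  # too late: callee already ran
        except Revert:  # a revert undoes every state change made in this frame
            self.balances, self.eth, caller.received = snap
            raise

def simulate(update_first, reenter=True):
    vault = Vault(update_first)
    vault.deposit("victims", 9)           # constructed sample funds
    acct = Account("attacker", reenter)
    vault.deposit(acct.addr, 1)
    try:
        vault.withdraw(acct, 1)
    except Revert:
        pass                              # transaction rolled back
    return acct.received, vault.eth
```

With the vulnerable ordering the caller that deposited 1 leaves with all 10 and the vault holds 0. With the balance updated first, the nested withdraw() fails its require, the revert bubbles up, and the whole transaction is rolled back, while a caller that does not re-enter still receives its 1.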

💥 Historic Exploits

The DAO Hack (2016): $60M

Reentrancy exploit drained ETH before balance update. Led to Ethereum hard fork (ETH/ETC split).

Parity Wallet Freeze (2017): $150M

Missing access control allowed attacker to become owner, then self-destruct library contract freezing all wallets.

Poly Network (2021): $611M

Access control vulnerability in cross-chain keeper contract. Attacker returned funds (whitehat?).

Ronin Bridge (2022): $625M

Centralized multi-sig compromise. Not a code bug, but architecture vulnerability (only 9 validators).

🎯 Security Mindset

Assume Adversarial: Every external call is malicious until proven safe. Every user input is an attack vector.
Defense in Depth: Multiple security layers. If one fails, others prevent exploit (checks, effects, interactions pattern).
Fail Secure: When in doubt, revert. Better to block legitimate transactions than allow malicious ones.
Minimize Complexity: Simple code has fewer bugs. Avoid clever tricks—they hide vulnerabilities.
Never Trust, Always Verify: Check caller permissions, validate inputs, verify external contract behavior.

📊 Security Statistics

$3.8B+: Total value lost to smart contract exploits (2016-2022)
47%: Of attacks exploited reentrancy or access control bugs
$15M: Average bug bounty paid by top protocols (prevents larger losses)
100%: Major DeFi protocols require multiple security audits before launch