How Smart Contracts Get Hacked

Smart Contract SecurityLesson 1·12 min read

Lesson by Uvin Vindula

Smart contracts hold billions of dollars in value and execute automatically without human intervention. When they work, they are remarkably efficient. When they fail, the losses are instant, irreversible, and often catastrophic. Since the birth of DeFi, over $10 billion has been lost to smart contract exploits, hacks, and bugs. Understanding how these attacks happen is essential for anyone interacting with decentralized applications.

Why Smart Contracts Are Attractive Targets

Several characteristics make smart contracts uniquely vulnerable:

Immutability: Once deployed, most smart contracts cannot be changed. A bug at deployment is a permanent bug — unless the contract was specifically designed with upgrade mechanisms.
Public code: Smart contract bytecode is visible on the blockchain. While this enables trustless verification, it also means attackers can study the code and find vulnerabilities at their leisure.
High-value targets: DeFi protocols routinely hold hundreds of millions or billions in total value locked (TVL). This makes them extraordinarily lucrative targets.
Composability risk: Smart contracts interact with other smart contracts. An exploit in one protocol can cascade through the entire DeFi ecosystem. This interconnectedness amplifies risk.
Irreversible execution: There is no "undo" button. Once a transaction executes, it is final. Unlike traditional finance, there is no fraud department to call, no chargeback mechanism, and no court order that can reverse a blockchain transaction.

Major Historical Hacks

1. The DAO Hack (2016) — $60 million

The event that split Ethereum into two chains. The DAO (Decentralized Autonomous Organization) was an early investment fund on Ethereum. A reentrancy vulnerability allowed an attacker to drain funds by repeatedly calling the withdrawal function before the balance was updated. This hack was so significant that the Ethereum community controversially hard-forked the chain to reverse it — creating Ethereum (ETH) and Ethereum Classic (ETC).

2. Ronin Bridge Hack (2022) — $625 million

The largest DeFi hack in history. The Ronin bridge (connecting Axie Infinity's sidechain to Ethereum) was secured by 9 validator nodes, with 5 needed to approve transactions. The attacker compromised 5 of the 9 private keys — 4 belonging to Sky Mavis and 1 from the Axie DAO (which had given temporary access to Sky Mavis and never revoked it). This was not a smart contract code bug — it was a key management failure that reduced a supposedly decentralized bridge to a 5-of-9 multisig where one entity controlled 5 keys.

3. Wormhole Bridge Hack (2022) — $320 million

The attacker exploited a vulnerability in the Wormhole bridge's signature verification on Solana. They bypassed the guardian signature check, allowing them to mint 120,000 wETH (wrapped Ether) on Solana without depositing any actual ETH. This was a classic input validation failure — the contract did not properly verify that the signed message was authentic.

4. Euler Finance Hack (2023) — $197 million

A flash loan attack exploited a vulnerability in Euler Finance's donation mechanism. The attacker used flash-borrowed funds to manipulate the protocol's internal accounting, creating bad debt that allowed them to drain pools. Remarkably, the attacker eventually returned most of the funds after negotiation.

5. Curve Finance Exploit (2023) — $73 million

A compiler bug in Vyper (not Solidity) caused a reentrancy vulnerability in several Curve Finance pools. This was particularly alarming because the vulnerability was not in the smart contract code itself, but in the compiler that translated the code to bytecode. Even well-audited code can be vulnerable if the compiler is buggy.

Categories of Smart Contract Attacks

Smart contract hacks generally fall into several categories:

Category	Description	Example
Code vulnerabilities	Bugs in the smart contract logic	The DAO (reentrancy)
Economic exploits	Manipulating prices or incentives	Flash loan attacks on oracles
Access control failures	Unauthorized access to admin functions	Ronin bridge key compromise
Bridge vulnerabilities	Exploiting cross-chain messaging	Wormhole signature bypass
Oracle manipulation	Feeding false price data	Various DEX price manipulation
Infrastructure bugs	Compiler or toolchain flaws	Curve Finance (Vyper bug)

Key Lesson: Smart contract security is not just about writing bug-free code. It encompasses key management, economic design, oracle reliability, bridge architecture, compiler correctness, and operational security. A chain is only as strong as its weakest link, and attackers are patient, resourceful, and increasingly sophisticated.

Key Takeaways

•Over $10 billion has been lost to smart contract exploits — immutability, public code, high TVL, composability, and irreversibility make contracts uniquely vulnerable targets
•The DAO hack (2016) exploited a reentrancy bug and was so significant it caused Ethereum to hard fork, creating Ethereum and Ethereum Classic
•The Ronin bridge hack ($625M) was a key management failure, not a code bug — one entity controlled 5 of 9 validator keys in a supposedly decentralized system
•Attack categories include code vulnerabilities, economic exploits, access control failures, bridge vulnerabilities, oracle manipulation, and infrastructure bugs
•The Curve Finance exploit demonstrated that even well-audited smart contract code can be vulnerable if the compiler that processes it contains bugs
•Smart contract security encompasses far more than code quality — it includes key management, economic design, oracle reliability, and operational security

Quick Quiz

Question 1 of 3

0 correct so far

What made the Ronin bridge hack possible?