Developers and reviewers benefit from knowing recurring vulnerability classes. This explainer describes risk patterns and prevention strategies—without exploit instructions or live-target testing guidance.

Access control and privilege errors

Functions that change balances, upgrade logic, or pause systems must restrict callers to intended roles. Missing modifiers, incorrect role assignments, and orphaned admin keys are frequent audit findings. Prevention: explicit role matrices, timelocks on sensitive changes, and multi-party approval for production deployments.

Reentrancy and state ordering

When a contract makes an external call before updating its own state, the called code can re-enter and act on balances that have not yet been updated. Prevention: checks-effects-interactions ordering, reentrancy guards, and limiting external call surfaces in critical paths.

Oracle and price feed dependency

Protocols relying on a single oracle source can misprice assets when data is stale or manipulated. Prevention: freshness checks, multiple sources, circuit breakers, and documented fallback behavior.
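
The four preventions above can be combined into one price-acceptance routine. The following is an added example, not code from any protocol; it is an off-chain Python model of the logic, and the thresholds, feed names, and function names are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from statistics import median_low

# Policy thresholds: illustrative assumptions, not values from the page.
MAX_AGE_S = 300        # a report older than this is stale
MIN_FRESH = 2          # fresh sources required before any price is used
MAX_SPREAD_BPS = 200   # max disagreement between fresh sources (basis points)
MAX_JUMP_BPS = 1000    # circuit breaker: max move from the last accepted price


@dataclass(frozen=True)
class Report:
    source: str
    price: int        # fixed-point integer (8 decimals here), never a float
    updated_at: int   # unix seconds


def bps_diff(a: int, b: int) -> int:
    """Distance between two positive prices, in basis points of the smaller."""
    return abs(a - b) * 10_000 // min(a, b)


def evaluate(reports, now, last_good=None):
    """Return (price, "ok"), or (None, reason) so the caller can fail closed."""
    # Freshness check: drop stale, future-dated, and non-positive reports.
    fresh = [r.price for r in reports
             if r.price > 0 and 0 <= now - r.updated_at <= MAX_AGE_S]
    if len(fresh) < MIN_FRESH:
        return None, "insufficient fresh sources"
    if bps_diff(max(fresh), min(fresh)) > MAX_SPREAD_BPS:
        return None, "sources disagree"
    price = median_low(fresh)  # median limits the pull of one outlier source
    if last_good and bps_diff(price, last_good) > MAX_JUMP_BPS:
        return None, "circuit breaker"
    return price, "ok"


# Constructed sample data (not real feed values).
NOW = 1_700_000_000
E8 = 10**8
SAMPLE = [
    Report("feed-a", 2000 * E8, NOW - 30),
    Report("feed-b", 2001 * E8, NOW - 60),
    Report("feed-c", 1500 * E8, NOW - 4000),  # stale, must be ignored
]

if __name__ == "__main__":
    print(evaluate(SAMPLE, NOW, last_good=1990 * E8))
    print(evaluate(SAMPLE[:1], NOW))
    print(evaluate(SAMPLE, NOW, last_good=1500 * E8))
```

The fallback modeled here is to fail closed: any `(None, reason)` result means price-dependent actions pause until a valid price returns, and that behavior is what the protocol's documentation should state.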

Integer and precision issues

Rounding, truncation, and token decimal mismatches can drain value slowly or enable unfair minting. Prevention: fixed-point libraries, invariant tests, and fuzzing across decimal combinations.

Logic and economic design flaws

Even "secure" code can fail if incentive structures allow griefing, flash-loan amplification, or governance capture. Prevention: threat modeling, economic simulations, and independent review before mainnet deployment.

For users and investors

You cannot audit code from marketing alone. Review published audit reports, check whether known issues were remediated, and treat unaudited or recently upgraded contracts as higher residual risk.