
Smart Contract Attacks Every Crypto User Should Understand

A practical breakdown of the smart contract attacks behind the biggest DeFi losses: reentrancy, flash loans, oracle abuse, MEV, and how to spot red flags fast.

Smart contracts behave like rules carved in code, but attackers move like water and probe for the smallest crack. The most common smart contract attacks are reentrancy, flash-loan and oracle manipulation, access-control failures, MEV ordering tactics, business-logic flaws, and a handful of advanced edge cases such as delegatecall abuse and signature replay. Most of these exploits do not require a single dramatic bug. They chain small weaknesses across DeFi building blocks until the whole structure gives way. This guide explains each class, shows the losses they caused, and lists the red flags you can check before depositing a single token.

📷 a layered diagram showing how a single transaction chains a flash loan, an oracle read, and a privileged call into one combined exploit

Why Smart Contracts Stay Vulnerable

Three structural facts keep smart contracts exposed. First, immutability cuts both ways: code that cannot change cannot be quietly patched, while upgradeable proxy patterns shift the risk to whoever controls the upgrade key. Second, transactions sit in a public mempool before confirmation, so intent is visible to anyone watching. Third, high-value systems attract professional adversaries who treat protocols as financial machines to be reverse-engineered.

The money at stake is not theoretical. Across 2025, on-chain theft climbed past 3.4 billion dollars, and a single February 2025 incident drained nearly 1.5 billion dollars in Ethereum from one exchange's signing workflow. One event dominated the entire year, which tells you that operational security and key management now matter as much as clean Solidity.

COINOTAG perspective: attacks are composed, not isolated

The useful mental model in 2026 is composition. Modern DeFi protocols inherit risk from their dependencies, including cross-chain bridges, Layer 2 environments, and price feeds. A protocol can be flawless in isolation and still fail because an oracle it trusts can be moved with borrowed capital. When you evaluate a contract, evaluate the entire surface it touches, not just the lines it ships.

The Five Attacks That Cause The Most Damage

Before the deep dives, here is a comparison of the five highest-frequency, highest-impact patterns, each paired with a real loss and the core defense.

| Attack | Core weakness | Real loss | Primary defense |
|---|---|---|---|
| Reentrancy | Control handed out before state is updated | ~3.6M ETH diverted (The DAO) | Checks-effects-interactions + reentrancy guard |
| Flash loan + oracle abuse | Pricing trusts a movable spot value | ~45M USD (PancakeBunny) | Time-weighted pricing + deviation limits |
| Access-control failure | Privileged function left unguarded | 150,000+ ETH (Parity multisig) | Multisig + timelock + role separation |
| Oracle / data-feed failure | Single, stale, or thin-pool price source | ~116M USD (Mango Markets) | Multi-source feeds + staleness checks |
| MEV / sandwiching | Predictable transaction ordering | ~1.1B USD extracted on Ethereum (2022–2024) | Slippage discipline + private orderflow |

📷 a screenshot of a block explorer transaction trace showing repeated internal calls characteristic of a reentrancy drain

Reentrancy: Giving Away Control Too Early

A reentrancy attack happens when a contract sends value or calls an external address before it finishes updating its own records. Picture a cashier who hands you change first and updates the register afterward, leaving a window where you can interrupt and repeat the same checkout. The attacker's contract calls back into the victim during that window and drains funds before the balance is ever reduced.

The DAO and why it still matters

The original DAO exploit abused exactly this ordering. Funds were transferred before the internal balance was decremented, so a single withdrawal flow could be re-entered repeatedly inside one call sequence, diverting roughly 3.6 million ETH. The fallout reshaped the ecosystem, triggering a contentious hard fork. It still matters because the same mistake reappears during refactors, upgrades, and fresh integrations, often through token hooks like ERC-777 or cross-contract callbacks.

The fix in three steps

  1. Check the user's balance.
  2. Update the user's balance.
  3. Send the funds last.

This ordering is the checks-effects-interactions pattern. A reentrancy guard adds a one-at-a-time lock so the function cannot be re-entered mid-execution, and pull payments let users claim funds in a separate step rather than receiving them during a sensitive state change. Severity profile: exploitability high, impact high, detection medium.

Flash Loans And Oracle Manipulation

A flash loan lets an attacker borrow a large amount with no collateral, provided the loan is repaid inside the same transaction. Flash loans are not the vulnerability. They are an amplifier that exposes weak assumptions about pricing, collateral, and liquidity. The attack flow is consistent: borrow big, briefly push a price or balance, trigger a calculation that trusts that temporary state, extract value, repay the loan, and keep the difference.

A worked numeric example

Suppose a lending protocol values collateral using the spot price from a single thin liquidity pool holding 100,000 USDC and 100 TOKEN, implying a price of 1,000 USDC per TOKEN. An attacker flash-borrows 900,000 USDC and buys into that pool, pushing the on-chain price toward roughly 4,000 USDC per TOKEN for the duration of the transaction. They then deposit a small amount of TOKEN as collateral, which the protocol now values at four times reality, and borrow against the inflated figure. After withdrawing the loan secured by that overvalued collateral, they sell back, restore the pool, and repay the flash loan, walking away with the gap. PancakeBunny lost about 45 million dollars to this class of manipulation, and Harvest Finance lost roughly 24 million dollars to the same pricing fragility.

📷 a chart showing a temporary intra-transaction price spike in a thin pool versus a stable time-weighted average over the same window

Defenses that hold

  • Time-weighted average pricing instead of a single spot read.
  • Medianization across multiple sources.
  • Deviation checks that reject extreme intra-block moves.
  • Circuit breakers and pause conditions.
  • Depth requirements so a thin pool cannot define truth.

As a user, treat any protocol that relies on a single spot price from a shallow pool as higher risk, and be strict with slippage settings.
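How the staleness, median, and deviation checks from the list above look inside a consumer contract, as an added example that is not from the article or any named protocol. IPriceSource is a hypothetical minimal feed interface, referenceTwap is assumed to be a time-weighted price the protocol maintains elsewhere, and the thresholds are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example, not from the article. IPriceSource is a hypothetical
// minimal feed interface: price scaled to 1e18, plus the time it was last updated.
interface IPriceSource {
    function latestPrice() external view returns (uint256 price, uint256 updatedAt);
}

contract GuardedPriceReader {
    IPriceSource[3] public sources;                  // three independent feeds, medianized
    uint256 public constant MAX_AGE = 1 hours;       // staleness bound
    uint256 public constant MAX_DEVIATION_BPS = 500; // 5% allowed move vs reference

    constructor(IPriceSource[3] memory _sources) {
        sources = _sources;
    }

    // Returns a price only if all three feeds are fresh and their median stays
    // within MAX_DEVIATION_BPS of a reference TWAP maintained elsewhere (assumption).
    function safePrice(uint256 referenceTwap) external view returns (uint256) {
        uint256[3] memory p;
        for (uint256 i = 0; i < 3; i++) {
            (uint256 price, uint256 updatedAt) = sources[i].latestPrice();
            require(price > 0, "zero price");
            require(block.timestamp - updatedAt <= MAX_AGE, "stale feed");
            p[i] = price;
        }
        uint256 median = _median3(p[0], p[1], p[2]);
        uint256 diff = median > referenceTwap ? median - referenceTwap : referenceTwap - median;
        // Reject intra-block spikes: a spot value moved with borrowed capital fails here.
        require(diff * 10_000 <= referenceTwap * MAX_DEVIATION_BPS, "deviation too large");
        return median;
    }

    function _median3(uint256 a, uint256 b, uint256 c) internal pure returns (uint256) {
        if (a > b) (a, b) = (b, a);
        if (b > c) (b, c) = (c, b);
        if (a > b) (a, b) = (b, a);
        return b;
    }
}
```

A single manipulated feed is outvoted by the median, and even three feeds reading the same manipulated pool are rejected by the deviation bound against the slower reference.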

Oracle And Data-Feed Failures

An oracle attack makes a protocol act on bad inputs. If a contract trusts a price, rate, or timestamp that is wrong or cheap to move, it executes exactly as coded and still produces the wrong outcome. A blockchain oracle that pulls from a single venue is a single point of failure.

Manipulation usually begins in low-liquidity pools where prices move cheaply, then scales with flash-loan capital. Mango Markets is the textbook case: distorted collateral pricing enabled withdrawals of about 116 million dollars, while Vee Finance lost roughly 34 million dollars after relying on a single oracle. The defensive pattern is the inverse of these mistakes: combine sources, take a median, enforce freshness, and refuse outliers. Severity profile: impact high, exploitability medium, detection medium.

Access-Control Failures

Access control decides who can upgrade contracts, pause withdrawals, mint tokens, or move treasury funds. When that layer breaks, an attacker simply calls a privileged function and bypasses everything else. The most common mistakes are missing permission checks, incorrect function visibility, and role sprawl where too many addresses can perform sensitive actions.

A classic error is using `tx.origin` for authorization instead of `msg.sender`, which opens a phishing path through an intermediary contract. The Parity multisig hack drained over 150,000 ETH, worth roughly 30 million dollars at the time, and a separate Parity bug later froze around 280 million dollars in ETH. A robust blueprint combines a multisignature wallet for critical actions, a timelock that delays dangerous changes, role-based permissions with clear separation, and a division of duties so no single key can both propose and execute high-impact changes. As a user, look for multisig and timelock protections, and treat instant upgrades as a warning sign.

MEV, Front-Running, And Sandwich Attacks

Maximal extractable value is profit captured through transaction ordering. When a searcher can see pending trades and influence how they land in a block, they extract value at your expense, usually as worse execution and hidden slippage. Learning how maximal extractable value works is now part of basic on-chain literacy.

The variants are simple to name. Insertion places a transaction before yours. Displacement pushes yours back. Suppression delays inclusion. Sandwiching wraps your trade with a buy before and a sell after. On Ethereum, regulator-cited transparency data estimated 526,207 ETH of realized extractable value between September 2022 and early June 2024, roughly 1.1 billion dollars. Protocols mitigate with commit-reveal schemes, batch auctions, and MEV-aware oracle reads. Users mitigate with disciplined slippage, by avoiding thin pools, and by routing through MEV-protected transaction relays where available.

Business-Logic And Economic-Design Flaws

Logic flaws happen when the rules are wrong, not the syntax. A contract can run perfectly and still be exploitable if it makes unsafe assumptions about incentives, governance, or how prices behave. These are the bugs audits most often miss because the code does exactly what it was told to do.

Governance capture is the marquee example. In the Beanstalk incident, an attacker gained enough governance control to push through actions that drained about 182 million dollars, all while the contract worked as designed. The Audius treasury was cashed out for roughly 1.1 million dollars through a governance pathway, and Mango Markets again illustrates how distorted economic inputs let an attacker make a position look safer than it was. Prevention means testing assumptions as adversarial claims, enforcing invariants, running scenario and chaos-style simulations, and applying targeted formal verification when the value at risk justifies it. A DAO with instant, low-quorum governance changes deserves extra scrutiny.

Advanced Vulnerabilities Worth Knowing

Some flaws hide inside powerful features rather than obvious bugs.

  • Delegatecall danger. Delegatecall runs another contract's code against your own storage. It powers libraries and upgrades, but mismatched storage layouts or untrusted target code can overwrite critical state. Only delegatecall trusted code and lock storage layouts under review.
  • Signature replay. A valid signature reused in a different context lets an attacker repeat an authorized action. Around 15 million dollars in Optimism tokens were taken in a 2022 recovery-process attack. Bind every signature with nonces, expiry times, and domain separation via EIP-712. This is conceptually related to a chain-level replay attack, where a transaction valid on one chain is replayed on another.
  • Force-fed ether. A contract can receive ETH even without a payable function. Never treat `address(this).balance` as proof of internal state; track accounting explicitly.
  • Integer overflow and underflow. Rare since Solidity 0.8 added checked arithmetic, but still alive in legacy forks; one historic underflow drained 866 ETH.
  • Denial of service. A function looping over an unbounded list can exceed the block gas limit and become permanently unexecutable, locking funds. Use bounded work and the pull-over-push pattern.
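The signature-replay defense from the list above, as an added example constructed here (not from the Optimism incident or any project): every signed action is bound to this contract and chain through an EIP-712 domain separator, consumed once through a per-signer nonce, and rejected after its deadline.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example, not from the article: an action authorized by an
// off-chain signature, bound to this contract, this chain, one nonce, and an expiry.
contract ReplaySafeExecutor {
    bytes32 private constant EIP712_DOMAIN_TYPEHASH = keccak256(
        "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
    );
    bytes32 private constant ACTION_TYPEHASH = keccak256(
        "Action(address signer,address to,uint256 amount,uint256 nonce,uint256 deadline)"
    );

    mapping(address => uint256) public nonces;   // one-shot counter per signer
    mapping(address => uint256) public balances;

    function deposit() external payable { balances[msg.sender] += msg.value; }

    // The domain separator ties the signature to this chain id and this contract address,
    // so the same bytes are invalid on a fork, another chain, or a second deployment.
    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(
            EIP712_DOMAIN_TYPEHASH, keccak256("ReplaySafeExecutor"), keccak256("1"),
            block.chainid, address(this)
        ));
    }

    function executeWithSig(
        address signer, address payable to, uint256 amount, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        require(block.timestamp <= deadline, "signature expired");
        uint256 nonce = nonces[signer]++;            // consumed before any external call
        bytes32 structHash = keccak256(abi.encode(
            ACTION_TYPEHASH, signer, to, amount, nonce, deadline
        ));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
        address recovered = ecrecover(digest, v, r, s);
        // Production code should also reject high-s (malleable) signatures, e.g. via a vetted ECDSA library.
        require(recovered != address(0) && recovered == signer, "bad signature");

        balances[signer] -= amount;                  // effect before interaction
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Resubmitting the same signature fails because the nonce it was signed over has already been consumed; submitting it on another chain fails because block.chainid changes the domain separator.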

What 2025 Taught Us: Mega Exploits Dissected

The biggest 2025 incidents span the full spectrum from math bugs to key misuse, which is precisely the point: "smart contract risk" is broader than the contract.

| Incident | Approx. loss | Root mechanism |
|---|---|---|
| Exchange signing hack | ~1.5B USD | Compromised approval/key workflow |
| Cetus Protocol | ~223M USD | Concentrated-liquidity math abuse |
| Balancer V2 stable pools | ~95M USD | Precision/rounding accounting edge case |
| UPCX | ~70M USD | Privileged-key malicious upgrade via ProxyAdmin |
| GMX V1 | ~40M USD | Reentrancy-driven state transition |

The pattern is unmistakable. Concentrated-liquidity logic, rounding precision, and privileged-key control now sit alongside the classic reentrancy bug. Note how concentrated liquidity introduces new math that attackers study line by line.

A Practical Security Workflow For 2026

Security is no longer one event called an audit. It is a repeatable workflow that starts before deployment and continues after launch, because most losses happen once code meets real users and real liquidity.

Testing methodology that catches different failure modes

  1. Static analysis (Slither) flags common risky patterns fast.
  2. Symbolic execution (Mythril) explores many execution paths.
  3. Fuzzing (Echidna, Foundry) generates adversarial inputs automatically.
  4. Manual review validates governance and economic assumptions tools cannot understand.
  5. Targeted formal verification (Certora) proves a small set of must-be-true properties.

Risks and pitfalls to plan around

  • An audit reduces risk; it never deletes it. Treat it as one line in a security budget, not the whole budget.
  • Re-audit whenever you change core logic, add a dependency, expand permissions, or ship a new upgrade path.
  • Without post-deploy monitoring, pause mechanisms, and a disclosure or bug-bounty program, you are blind after launch.
  • A single unguarded upgrade key can undo every other control, as 2025 repeatedly demonstrated.

For teams that want to formalize this, our companion guides on how to audit a smart contract and blockchain security audits go deeper on process and tooling.

Red Flags You Can Check In Sixty Seconds

  • Collateral or liquidations depend on a spot price from a thin pool.
  • A single oracle with no fallback feed or sanity check.
  • Admin can upgrade instantly through a proxy with no timelock.
  • No multisig on treasury or upgrade permissions.
  • Tokenomics with infinite-mint paths or fragile pegs.

Most "surprise" hacks are only surprising in hindsight. Learn the patterns, respect the red flags, and treat every protocol as a machine made of many parts, because an attacker only needs one loose screw. If you want a broader checklist for protecting your holdings, see our overview on crypto safety. None of this is financial advice; it is security awareness for anyone holding Bitcoin or interacting with DeFi.

Frequently Asked Questions

What is the most common smart contract attack?

Reentrancy and oracle-related manipulation remain the most frequently exploited classes. Reentrancy abuses contracts that send funds before updating their balances, while oracle attacks feed a protocol a wrong or movable price. Both have caused some of the largest DeFi losses on record, including The DAO and Mango Markets.

Are flash loans themselves a vulnerability?

No. A flash loan is just uncollateralized borrowing that must be repaid in the same transaction. The vulnerability lives in protocols that trust a single spot price or thin-pool liquidity. Flash loans simply provide the cheap capital needed to push that price and exploit the weak assumption.

How can a regular user spot a risky smart contract?

Look for a few red flags: reliance on a single oracle, instant admin upgrades with no timelock, missing multisig on treasury functions, and pricing drawn from shallow liquidity pools. Generous borrow limits or infinite-mint tokenomics are also warning signs worth pausing on before depositing.

Does an audit guarantee a smart contract is safe?

An audit reduces risk but does not eliminate it. Many of the largest exploits, including governance and business-logic failures, occurred in audited code that behaved exactly as written. Treat an audit as one layer in a broader process that includes monitoring, pause controls, and bug bounties after launch.

What is MEV and why should users care?

Maximal extractable value is profit captured by reordering transactions in a block. For users it shows up as worse execution through front-running and sandwich attacks, especially in thin liquidity. Disciplined slippage settings and MEV-protected transaction routes meaningfully reduce that hidden cost.

Why did smart contract losses stay so high in 2025?

The mix shifted toward multi-vector exploits and key compromise rather than single code bugs. A single 2025 incident drained nearly 1.5 billion dollars through a compromised signing workflow, showing that operational and key-management security now weigh as heavily as clean contract code.

Last updated: 6/15/2026
