1. Reentrancy
One of the major dangers of calling external contracts is that they can take over the control flow and make changes to your data that the calling function wasn't expecting. The usual shape is an external call or value transfer made before the caller has updated its own state, so the callee can re-enter the same function while that state is still stale.
This class of bugs can take many forms, and both of the major bugs that led to the DAO's collapse were bugs of this sort.
2. Oracle Manipulation
Protocols sometimes require additional information from outside the realm of the blockchain to function correctly. Such off-chain information is provided by oracles, which often are smart contracts themselves.
A vulnerability arises when a protocol that relies on an oracle executes actions automatically even though the oracle-provided data feed is incorrect. An oracle serving stale or even malicious data can have disastrous effects on every process connected to that feed.
In practice, manipulated data feeds can cause significant damage, from unwarranted liquidations to malicious arbitrage trades.
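Two ways a lending contract might price collateral, as an added example that is not part of the original page: the first reads the spot reserves of a single pool, which a large trade in the same transaction can skew before the liquidation check runs; the second reads an aggregated feed and refuses stale or invalid answers. The IPair and IPriceFeed interfaces are assumptions modelled on Uniswap v2's getReserves() and Chainlink's AggregatorV3Interface; the lender contracts and the 150% ratio are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed interface, modelled on a Uniswap v2 pair.
interface IPair {
    function getReserves()
        external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

// Assumed interface, modelled on Chainlink's AggregatorV3Interface.
interface IPriceFeed {
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
    function decimals() external view returns (uint8);
}

// Vulnerable: prices collateral off one pool's spot reserves. A flash-loaned
// trade can move reserve1/reserve0 inside a single transaction, make a
// healthy position look undercollateralised, liquidate it, then trade back.
contract SpotPriceLender {
    IPair public immutable pair;

    constructor(IPair _pair) {
        pair = _pair;
    }

    // collateral is token0, debt is denominated in token1 (same decimals assumed)
    function collateralValue(uint256 collateral) public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return collateral * uint256(r1) / uint256(r0);
    }

    function isLiquidatable(uint256 collateral, uint256 debt) external view returns (bool) {
        return collateralValue(collateral) * 100 < debt * 150; // 150% collateral ratio
    }
}

// Hardened: reads a feed that aggregates off-chain sources and refuses to act
// on deprecated data (stale timestamp, non-positive price, or an answer
// carried over from an earlier round).
contract FeedPriceLender {
    IPriceFeed public immutable feed;
    uint256 public constant MAX_STALENESS = 1 hours;

    constructor(IPriceFeed _feed) {
        feed = _feed;
    }

    // Price of one unit of collateral in debt units, scaled to 1e18.
    function price() public view returns (uint256) {
        (uint80 roundId, int256 answer, , uint256 updatedAt, uint80 answeredInRound) =
            feed.latestRoundData();
        require(answer > 0, "bad price");
        require(answeredInRound >= roundId, "stale round");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "stale price");
        return uint256(answer) * 1e18 / (10 ** uint256(feed.decimals()));
    }

    function collateralValue(uint256 collateral) public view returns (uint256) {
        return collateral * price() / 1e18;
    }

    function isLiquidatable(uint256 collateral, uint256 debt) external view returns (bool) {
        return collateralValue(collateral) * 100 < debt * 150;
    }
}
```

The staleness window is a design choice per asset: too long and the contract acts on deprecated prices during an outage, too short and it reverts during normal quiet periods. A time-weighted average from the pool itself is the other common defence against single-transaction manipulation.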
3. Frontrunning
Since all transactions are visible in the mempool for a short while before being executed, observers of the network can see and react to an action before it is included in a block.
An example of how this can be exploited is a decentralised exchange where a buy order transaction can be seen, and a second order can be broadcast and executed before the first transaction is included.
Protecting against this is difficult, and the right mitigation depends on the specific contract. A swap can at least bound the damage by letting the sender state a minimum acceptable output and a deadline, so that a transaction filled at a manipulated price reverts instead of completing.
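A toy constant-product pool with an unprotected and a protected swap, as an added example that is not part of the original page. It keeps only reserve accounting (no token transfers) so the ordering problem is visible on its own; the contract and its numbers are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from the original page): x * y = k pool, no fee.
contract ToyPool {
    uint256 public reserveIn;
    uint256 public reserveOut;

    constructor(uint256 _reserveIn, uint256 _reserveOut) {
        reserveIn = _reserveIn;
        reserveOut = _reserveOut;
    }

    // Output for amountIn at the current reserves.
    function quote(uint256 amountIn) public view returns (uint256) {
        return amountIn * reserveOut / (reserveIn + amountIn);
    }

    // Vulnerable: accepts whatever price the pool has when the tx is mined.
    // A watcher who sees this in the mempool buys first (moving the price),
    // lets the victim fill at the worse price, then sells back at a profit.
    function swapUnprotected(uint256 amountIn) external returns (uint256 amountOut) {
        amountOut = quote(amountIn);
        reserveIn += amountIn;
        reserveOut -= amountOut;
    }

    // Hardened: the sender states the worst output they will accept and a
    // deadline. A sandwiched fill below minAmountOut reverts, so the
    // front-runner is left holding the first leg of the sandwich.
    function swapProtected(uint256 amountIn, uint256 minAmountOut, uint256 deadline)
        external returns (uint256 amountOut)
    {
        require(block.timestamp <= deadline, "expired");
        amountOut = quote(amountIn);
        require(amountOut >= minAmountOut, "slippage exceeded");
        reserveIn += amountIn;
        reserveOut -= amountOut;
    }
}
```

With reserves of 1000/1000 a swap of 100 quotes 90 out. If a front-runner swaps 100 first, reserves become 1100/910 and the same victim swap now quotes 75; a minAmountOut of, say, 88 makes the victim's transaction revert instead. The slippage bound limits the loss but does not remove ordering control from the block producer.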
4. Timestamp Dependence
Be aware that the block producer (a miner, or on other chains a validator) can skew the block timestamp within the limits the protocol enforces, so all direct and indirect uses of the timestamp should be reviewed. Using it as a source of randomness or testing it for exact equality is unsafe; using it as a coarse deadline that tolerates a few seconds of drift is generally acceptable.
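A lottery that lets the block producer pick the winner, beside one that uses the timestamp only as a coarse phase boundary and takes its randomness from a commit-reveal of player secrets, as an added example that is not part of the original page. Contract names, the 0.1 ether fee and the phase windows are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Vulnerable: the winner depends on a value the block producer chooses.
// Whoever builds the block can nudge block.timestamp by a few seconds and
// steer idx onto the entry they want.
contract TimestampLottery {
    address[] public players;

    function enter() external payable {
        require(msg.value == 0.1 ether, "fee");
        players.push(msg.sender);
    }

    function draw() external {
        require(players.length > 0, "no players");
        uint256 idx = block.timestamp % players.length; // producer-influenced
        address winner = players[idx];
        delete players;
        (bool ok, ) = winner.call{value: address(this).balance}("");
        require(ok, "payout failed");
    }
}

// Hardened: block.timestamp only gates phases (>= comparisons, seconds of
// drift do not matter); the seed is built from secrets committed in advance.
contract CommitRevealLottery {
    struct Entry { bytes32 commitment; bytes32 secret; bool revealed; }

    address[] public players;
    mapping(address => Entry) public entries;
    uint256 public immutable commitDeadline;
    uint256 public immutable revealDeadline;
    bool public drawn;

    constructor(uint256 commitWindow, uint256 revealWindow) {
        commitDeadline = block.timestamp + commitWindow;
        revealDeadline = commitDeadline + revealWindow;
    }

    // commitment = keccak256(abi.encodePacked(msg.sender, secret))
    function commit(bytes32 commitment) external payable {
        require(block.timestamp < commitDeadline, "commit phase over");
        require(msg.value == 0.1 ether, "fee");
        require(entries[msg.sender].commitment == bytes32(0), "already entered");
        entries[msg.sender] = Entry(commitment, bytes32(0), false);
        players.push(msg.sender);
    }

    function reveal(bytes32 secret) external {
        require(block.timestamp >= commitDeadline && block.timestamp < revealDeadline, "not reveal phase");
        Entry storage e = entries[msg.sender];
        require(!e.revealed, "already revealed");
        require(keccak256(abi.encodePacked(msg.sender, secret)) == e.commitment, "bad reveal");
        e.secret = secret;
        e.revealed = true;
    }

    function draw() external {
        require(block.timestamp >= revealDeadline, "reveal phase open"); // >=, never ==
        require(!drawn, "already drawn");
        drawn = true; // effect before the payout interaction

        // Fold every revealed secret into the seed and count the revealers.
        bytes32 seed;
        uint256 revealedCount;
        for (uint256 i = 0; i < players.length; i++) {
            Entry storage e = entries[players[i]];
            if (e.revealed) {
                seed = keccak256(abi.encodePacked(seed, e.secret));
                revealedCount++;
            }
        }
        require(revealedCount > 0, "no reveals");

        // Pick the target-th revealed player.
        uint256 target = uint256(seed) % revealedCount;
        address winner;
        uint256 seen;
        for (uint256 i = 0; i < players.length; i++) {
            if (!entries[players[i]].revealed) continue;
            if (seen == target) { winner = players[i]; break; }
            seen++;
        }
        (bool ok, ) = winner.call{value: address(this).balance}("");
        require(ok, "payout failed");
    }
}
```

The commit-reveal version still has the known last-revealer weakness: the final player to reveal can compute the outcome and withhold their reveal if it disfavours them, which is why production schemes forfeit the deposit of anyone who commits but does not reveal. What it does remove is the producer's ability to choose the winner by adjusting the timestamp.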
credit: metana.io