Smart contract vulnerabilities have cost over $4 billion in hacks. Most are preventable with automated scanning before deployment.
The Most Common Vulnerabilities
1. Reentrancy — The DAO hack, $60M lost
```solidity
// Vulnerable
function withdraw() public {
    uint amount = balances[msg.sender];
    (bool success,) = msg.sender.call{value: amount}(""); // External call BEFORE state update
    balances[msg.sender] = 0; // Too late: the receiver's fallback can re-enter withdraw() before this runs
}

// Fixed
function withdraw() public {
    uint amount = balances[msg.sender];
    balances[msg.sender] = 0; // Update state FIRST (checks-effects-interactions)
    (bool success,) = msg.sender.call{value: amount}("");
    require(success, "Transfer failed"); // Don't silently drop the call result either
}
```
2. Integer Overflow (pre-Solidity 0.8)
```solidity
// uint8 max is 255. 255 + 1 = 0. Attack vector.
uint8 public count = 255;

function increment() public {
    count++; // Wraps to 0 in Solidity < 0.8; 0.8+ reverts unless wrapped in unchecked { }
}
```
3. Unchecked Return Values
```solidity
// Dangerous
token.transfer(recipient, amount); // Returns bool, not checked

// Safe
require(token.transfer(recipient, amount), "Transfer failed");
```
Automated Scanning via API
```python
import requests

with open("MyContract.sol") as f:
    contract_code = f.read()

resp = requests.post("https://api.lazy-mac.com/smart-contract-scanner/scan", json={
    "code": contract_code,
    "language": "solidity"
})
resp.raise_for_status()  # fail loudly on HTTP errors instead of parsing an error body
results = resp.json()

for vuln in results['vulnerabilities']:
    print(f"[{vuln['severity']}] {vuln['type']}: {vuln['description']}")
    print(f"  Line {vuln['line']}: {vuln['code_snippet']}")
```
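To show what a scanner like the one behind that endpoint is looking for, here is a small local heuristic checker for the three patterns above, run over a constructed sample contract. This is an added example, not code from the original post or from the lazy-mac API; the regexes, severities and finding type names are assumptions loosely modelled on the JSON fields printed above.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity type line code_snippet")  # line is 1-based

FUNC_HEADER = re.compile(r"\bfunction\s+\w+\s*\(")
EXTERNAL_CALL = re.compile(r"\.call\s*\{\s*value\s*:")                # low-level ETH send; hands control to the callee
STATE_WRITE = re.compile(r"^\s*\w+\[[^\]]*\]\s*(=|\+=|-=)[^=]")       # mapping/array write, e.g. balances[msg.sender] = 0;
BARE_TRANSFER = re.compile(r"^\s*\w+\.(transfer|transferFrom)\s*\(")  # statement that drops the returned bool
OLD_PRAGMA = re.compile(r"pragma\s+solidity\s*[\^>=<]*\s*0\.([0-7])\b")  # compilers without checked arithmetic
SMALL_UINT = re.compile(r"\buint(8|16|32|64|128)\s+(?:public\s+|private\s+|internal\s+)?(\w+)")

def scan(source: str) -> list[Finding]:
    """Heuristic, line-based checks for the three bug classes described above."""
    findings = []
    pre_0_8 = OLD_PRAGMA.search(source) is not None
    small_uints = {name for _, name in SMALL_UINT.findall(source)}
    external_call_seen = False
    for no, line in enumerate(source.splitlines(), start=1):
        snippet = line.strip()
        if FUNC_HEADER.search(line):
            external_call_seen = False          # the ordering check is scoped to one function
        if EXTERNAL_CALL.search(line):
            external_call_seen = True
        elif external_call_seen and STATE_WRITE.match(line):
            findings.append(Finding("HIGH", "reentrancy", no, snippet))   # state updated after the call
        if BARE_TRANSFER.match(line):
            findings.append(Finding("MEDIUM", "unchecked-return-value", no, snippet))
        if pre_0_8 and any(re.search(rf"\b{n}\s*(\+\+|\+=|--|-=)", line) for n in small_uints):
            findings.append(Finding("MEDIUM", "integer-overflow", no, snippet))
    return findings

# Constructed sample contract (not from any real project) reproducing the post's three vulnerable patterns.
SAMPLE = """\
pragma solidity ^0.7.0;
contract Vault {
    mapping(address => uint256) public balances;
    uint8 public count = 255;
    function withdraw() public {
        uint256 amount = balances[msg.sender];
        (bool success,) = msg.sender.call{value: amount}("");
        balances[msg.sender] = 0;
    }
    function increment() public { count++; }
    function payout(IERC20 token, address to, uint256 amount) public {
        token.transfer(to, amount);
    }
}
"""
```

Running `scan(SAMPLE)` reports the state write on line 8, the `count++` on line 10 and the bare `token.transfer` on line 12; the fixed `withdraw()` ordering above produces no reentrancy finding.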
Integrate into Your CI/CD
```yaml
# .github/workflows/security.yml
- name: Scan Smart Contracts
  run: |
    for contract in contracts/*.sol; do
      # Build the JSON body with jq so the Solidity source is escaped correctly
      jq -Rs '{code: ., language: "solidity"}' "$contract" \
        | curl --fail -sS -X POST "https://api.lazy-mac.com/smart-contract-scanner/scan" \
            -H "Content-Type: application/json" \
            -d @- \
        | jq '.vulnerabilities[] | select(.severity == "HIGH" or .severity == "CRITICAL")'
    done
```