https://evmresearch.io/indexhttps://evmresearch.io/vulnerability-patterns/zkEVM+type+classification+determines+compatibility-performance+tradeoff+with+distinct+security+implications+at+each+levelhttps://evmresearch.io/vulnerability-patterns/upgradeable+proxy+tokens+allow+token+issuers+to+modify+transfer+semantics+post-deployment+silently+breaking+protocol+integrations+built+on+prior+behaviorhttps://evmresearch.io/vulnerability-patterns/unvalidated+user-supplied+calldata+passed+to+low-level+calls+in+router+contracts+enables+arbitrary+transferFrom+execution+against+tokens+users+have+approved+to+the+routerhttps://evmresearch.io/vulnerability-patterns/unrestricted+delegatecall+allowing+user-specified+target+addresses+enables+fund+drainage+and+state+manipulationhttps://evmresearch.io/vulnerability-patterns/uninitialized+proxy+contracts+are+vulnerable+to+re-initialization+attacks+that+hijack+ownershiphttps://evmresearch.io/vulnerability-patterns/unchecked+arithmetic+blocks+reintroduce+overflow+vulnerabilities+in+post-0.8+solidityhttps://evmresearch.io/vulnerability-patterns/unbounded+return+data+from+external+calls+forces+quadratic+memory+cost+gas+consumption+via+RETURNDATASIZEhttps://evmresearch.io/vulnerability-patterns/tx.origin+authentication+is+vulnerable+to+phishing+because+any+contract+in+the+call+chain+can+read+ithttps://evmresearch.io/vulnerability-patterns/tokens+with+per-transfer+maximum+caps+silently+revert+large+liquidations+allowing+undercollateralized+positions+to+persist+until+manually+split+into+smaller+transactionshttps://evmresearch.io/vulnerability-patterns/tokens+with+more+than+18+decimals+trigger+arithmetic+overflow+in+intermediate+calculations+causing+transaction+reversion+rather+than+precision+losshttps://evmresearch.io/vulnerability-patterns/tokens+with+missing+return+values+break+IERC20+interface+compatibility+and+revert+when+callers+ABI-decode+the+absent+booleanhttps://evmresearch.io/vulnerability-patterns/tokens+that+return+false+on+failure+instead+of+reverting+create+phantom+balances+when+protocols+omit+return+value+checks+on+transfer+callshttps://evmresearch.io/vulnerability-patterns/token+admin+blocklists+can+freeze+protocol+contracts+causing+liveness+failures+and+permanent+fund+inaccessibility+for+legitimate+usershttps://evmresearch.io/vulnerability-patterns/the+majority+of+deployed+ERC-20+token+contracts+exhibit+non-standard+behaviors+that+break+DeFi+protocol+assumptionshttps://evmresearch.io/vulnerability-patterns/supply+chain+attacks+on+signing+infrastructure+bypass+hardware+wallet+protection+by+compromising+the+display+layer+between+the+signer+and+the+transactionhttps://evmresearch.io/vulnerability-patterns/storage+layout+must+remain+consistent+across+proxy+implementation+versionshttps://evmresearch.io/vulnerability-patterns/static+analysis+tools+miss+novel+vulnerability+patterns+because+their+detectors+only+encode+vulnerability+classes+that+have+already+been+cataloguedhttps://evmresearch.io/vulnerability-patterns/signature+replay+attacks+succeed+when+contracts+verify+signatures+without+tracking+processed+message+hasheshttps://evmresearch.io/vulnerability-patterns/signature+malleability+allows+replay+by+computing+complementary+ECDSA+signatures+without+the+private+keyhttps://evmresearch.io/vulnerability-patterns/selfdestruct+in+implementation+contracts+can+permanently+brick+proxy+systemshttps://evmresearch.io/vulnerability-patterns/rebasing+token+supply+changes+create+free+arbitrage+in+AMMs+that+cache+reserves+because+cached+values+diverge+from+actual+token+balances+after+each+rebasehttps://evmresearch.io/vulnerability-patterns/property-based+fuzzers+systematically+miss+invariants+that+only+break+under+specific+economic+conditions+requiring+precise+multi-variable+alignmenthttps://evmresearch.io/vulnerability-patterns/owasp+smart+contract+top+10+2025+ranks+access+control+as+the+highest+risk+categoryhttps://evmresearch.io/vulnerability-patterns/optimistic+rollups+can+finalize+invalid+state+when+all+challengers+are+censored+or+offline+during+the+challenge+periodhttps://evmresearch.io/vulnerability-patterns/on-chain+randomness+from+block+attributes+is+deterministic+and+manipulable+by+validatorshttps://evmresearch.io/vulnerability-patterns/off-by-one+errors+in+loop+bounds+and+comparison+operators+cause+silent+boundary+failureshttps://evmresearch.io/vulnerability-patterns/non-standard+permit+implementations+that+do+not+revert+on+signature+failure+enable+silent+gasless+approval+bypass+when+callers+assume+permit+either+succeeds+or+revertshttps://evmresearch.io/vulnerability-patterns/non-atomic+proxy+deployment+creates+a+front-running+window+where+any+actor+can+write+to+the+ERC1967+implementation+storage+slot+before+the+legitimate+initialization+transaction+confirmshttps://evmresearch.io/vulnerability-patterns/newer+EVM+opcodes+introduced+in+recent+forks+are+disproportionately+buggy+across+implementations+because+implementations+lag+specification+maturityhttps://evmresearch.io/vulnerability-patterns/multisig+threshold+security+assumes+independent+uncompromised+signers+and+provides+no+protection+when+the+signer+environment+is+compromisedhttps://evmresearch.io/vulnerability-patterns/msg.value+remains+constant+throughout+a+transaction+enabling+double-spend+when+referenced+inside+loopshttps://evmresearch.io/vulnerability-patterns/metamorphic+contract+patterns+remain+exploitable+on+L2s+that+have+not+adopted+EIP-6780+Cancun+changeshttps://evmresearch.io/vulnerability-patterns/low-level+call+and+send+return+false+on+failure+without+reverting+so+unchecked+return+values+cause+silent+fund+losshttps://evmresearch.io/vulnerability-patterns/low-decimal+tokens+reduce+the+minimum+cost+of+ERC-4626+vault+inflation+attacks+because+precision+boundaries+are+coarser+and+easier+to+cross+with+smaller+donationshttps://evmresearch.io/vulnerability-patterns/logic+errors+climbed+from+seventh+to+third+in+owasp+2025+ranking+indicating+a+shift+toward+business+logic+as+primary+attack+surfacehttps://evmresearch.io/vulnerability-patterns/integer+overflow+dropped+from+second+to+eighth+risk+after+solidity+0.8+default+protectionshttps://evmresearch.io/vulnerability-patterns/insufficient+gas+griefing+in+relayer+patterns+allows+forwarders+to+starve+subcalls+while+outer+transactions+succeedhttps://evmresearch.io/vulnerability-patterns/insufficient+access+control+on+sensitive+functions+allows+any+caller+to+execute+privileged+operationshttps://evmresearch.io/vulnerability-patterns/inline+assembly+bypasses+solidity+safety+checks+including+type+enforcement+and+overflow+protectionhttps://evmresearch.io/vulnerability-patterns/globally+pausable+collateral+tokens+halt+liquidations+in+dependent+lending+protocols+creating+bad+debt+when+the+pause+coincides+with+collateral+price+declinehttps://evmresearch.io/vulnerability-patterns/function+selector+clashes+between+proxy+and+implementation+can+shadow+critical+admin+functionshttps://evmresearch.io/vulnerability-patterns/formal+verification+provides+stronger+theoretical+guarantees+than+fuzzing+but+requires+complete+specifications+that+are+almost+never+achieved+making+practical+coverage+equivalent+in+many+caseshttps://evmresearch.io/vulnerability-patterns/formal+verification+can+only+prove+properties+that+are+explicitly+specified+leaving+unspecified+behaviors+outside+its+guarantee+boundaryhttps://evmresearch.io/vulnerability-patterns/forced+inclusion+mechanisms+in+optimistic+rollups+are+insufficient+against+sequencer+state+manipulation+attackshttps://evmresearch.io/vulnerability-patterns/flash-mintable+tokens+expose+protocols+that+use+totalSupply+for+governance+weight+or+price+calculation+to+temporary+supply+inflation+attacks+within+a+single+transactionhttps://evmresearch.io/vulnerability-patterns/fee-on-transfer+tokens+enable+accounting+mismatch+exploits+in+any+protocol+that+equates+the+amount+parameter+of+transfer+to+the+amount+actually+receivedhttps://evmresearch.io/vulnerability-patterns/explicit+returns+from+solidity+modifiers+do+not+affect+function+return+values+allowing+silent+control+flow+bypasseshttps://evmresearch.io/vulnerability-patterns/ecrecover+returns+address+zero+on+invalid+signatures+which+matches+uninitialized+address+variables+creating+false+authorizationhttps://evmresearch.io/vulnerability-patterns/economic+invariant+violations+including+pricing+model+errors+oracle+manipulation+and+rounding+accumulation+over+sequences+are+not+caught+by+either+formal+verification+or+fuzzinghttps://evmresearch.io/vulnerability-patterns/double-delegation+chains+in+CPIMP+attacks+forward+all+calls+to+the+legitimate+implementation+preserving+normal+protocol+functionality+while+granting+hidden+attacker+controlhttps://evmresearch.io/vulnerability-patterns/double+entry+point+tokens+with+two+valid+contract+addresses+sharing+one+balance+storage+allow+attackers+to+bypass+protocol-level+blacklists+and+drain+pools+via+the+secondary+addresshttps://evmresearch.io/vulnerability-patterns/deployment-phase+vulnerabilities+are+structurally+invisible+to+standard+smart+contract+audits+because+auditors+examine+implementation+code+correctness+not+deployment+transaction+sequenceshttps://evmresearch.io/vulnerability-patterns/dangling+storage+references+from+array+pop+operations+allow+writes+to+unintended+storage+locationshttps://evmresearch.io/vulnerability-patterns/commit-reveal+schemes+without+msg.sender+binding+allow+front-runners+to+copy+commitments+and+claim+the+reveal+rewardhttps://evmresearch.io/vulnerability-patterns/bytecode-level+formal+verification+tools+detect+compiler-introduced+vulnerabilities+that+source-level+analysis+cannot+reachhttps://evmresearch.io/vulnerability-patterns/block+timestamp+manipulation+within+protocol+bounds+enables+exploitation+of+time-dependent+contract+logichttps://evmresearch.io/vulnerability-patterns/blind+signing+on+hardware+wallets+provides+no+protection+when+the+signing+UI+is+compromised+because+the+device+cannot+interpret+complex+multisig+transaction+semanticshttps://evmresearch.io/vulnerability-patterns/biased+ECDSA+nonces+enable+lattice-based+private+key+recovery+with+as+few+as+two+or+three+signatureshttps://evmresearch.io/vulnerability-patterns/beacon+proxy+patterns+share+upgrade+risk+across+all+dependent+proxieshttps://evmresearch.io/vulnerability-patterns/automated+security+tooling+reliably+detects+code-level+flaws+but+structurally+misses+design-level+economic+and+cross-system+vulnerabilities+that+dominate+high-value+exploitshttps://evmresearch.io/vulnerability-patterns/arbitrary+storage+writes+enable+attackers+to+overwrite+critical+variables+when+dynamic+array+slot+calculations+are+manipulablehttps://evmresearch.io/vulnerability-patterns/access+control+vulnerabilities+are+the+leading+cause+of+smart+contract+financial+losseshttps://evmresearch.io/vulnerability-patterns/abi.encodePacked+concatenates+types+shorter+than+32+bytes+without+padding+creating+collision+riskshttps://evmresearch.io/vulnerability-patterns/ZK+rollup+soundness+bugs+represent+the+primary+failure+mode+when+cryptographic+validity+proof+generation+can+be+manipulatedhttps://evmresearch.io/vulnerability-patterns/ZK+bridge+verifiers+are+vulnerable+to+proof+replay+when+public+inputs+are+not+bound+to+transaction-specific+parametershttps://evmresearch.io/vulnerability-patterns/USDT+zero-first+approval+requirement+breaks+protocols+that+directly+update+allowances+to+non-zero+values+without+first+resetting+to+zerohttps://evmresearch.io/vulnerability-patterns/SafeERC20+resolves+token+return+value+incompatibility+by+wrapping+calls+in+low-level+assembly+that+accepts+both+returning+and+non-returning+tokenshttps://evmresearch.io/vulnerability-patterns/Merkle+proof+second-preimage+attacks+exploit+missing+domain+separation+between+leaf+and+internal+node+hasheshttps://evmresearch.io/vulnerability-patterns/L2+sequencer+centralization+creates+systemic+liveness+censorship+and+regulatory+riskshttps://evmresearch.io/vulnerability-patterns/Foundry's+invariant+fuzzer+silently+reports+success+when+all+function+calls+revert+indicating+it+validates+harness+health+not+protocol+correctnesshttps://evmresearch.io/vulnerability-patterns/EVM-compatible+chain+precompile+implementations+diverge+from+mainnet+specifications+creating+silent+failures+for+contracts+that+are+safe+on+Ethereumhttps://evmresearch.io/vulnerability-patterns/EVM+precompiles+for+BN256+elliptic+curve+operations+never+revert+on+invalid+input+requiring+explicit+return+value+checks+to+detect+proof+verification+failureshttps://evmresearch.io/vulnerability-patterns/ERC-777+tokensToSend+hook+enables+pre-transfer+reentrancy+by+executing+attacker-controlled+code+before+the+sender+balance+is+debitedhttps://evmresearch.io/vulnerability-patterns/ERC-777+arbitrary+hook+assignment+via+ERC-1820+registry+enables+attacker-controlled+callbacks+on+victim+contractshttps://evmresearch.io/vulnerability-patterns/ERC-7579+modules+executing+via+delegatecall+in+account+storage+context+allow+malicious+or+buggy+modules+to+overwrite+arbitrary+storage+slots+and+brick+or+drain+the+accounthttps://evmresearch.io/vulnerability-patterns/ERC-7579+malicious+modules+can+permanently+lock+modular+smart+accounts+by+reverting+on+uninstallationhttps://evmresearch.io/vulnerability-patterns/ERC-5202+blueprint+contracts+without+preamble+prefix+are+callable+as+runtime+code+enabling+unauthorized+constructor+executionhttps://evmresearch.io/vulnerability-patterns/ERC-4626+fee-on-transfer+token+incompatibility+breaks+vault+accounting+because+received+amount+differs+from+specified+amounthttps://evmresearch.io/vulnerability-patterns/ERC-4337+signature+replay+across+wallets+exploits+isValidSignature+implementations+that+authenticate+a+bytes32+hash+without+binding+the+signature+to+a+specific+account+addresshttps://evmresearch.io/vulnerability-patterns/ERC-4337+paymasters+deferring+token+collection+to+postOp+are+vulnerable+to+systematic+deposit+drainage+because+EntryPoint+continues+execution+when+postOp+revertshttps://evmresearch.io/vulnerability-patterns/ERC-4337+gas+penalty+exploitation+drains+paymaster+EntryPoint+deposits+when+users+inflate+callGasLimit+beyond+actual+execution+costhttps://evmresearch.io/vulnerability-patterns/ERC-4337+counterfactual+wallet+takeover+occurs+when+factory+CREATE2+salt+does+not+depend+on+the+initial+owner+credentials+allowing+attacker+pre-deploymenthttps://evmresearch.io/vulnerability-patterns/ERC-4337+accounts+that+revert+on+signature+failure+instead+of+returning+SIG_VALIDATION_FAILED+break+bundler+simulation+and+prevent+graceful+rejectionhttps://evmresearch.io/vulnerability-patterns/ERC-3156+side+entrance+attack+allows+borrowers+to+deposit+flash-loaned+funds+back+into+the+lender+pool+to+steal+liquidityhttps://evmresearch.io/vulnerability-patterns/ERC-3156+flash+loan+standard+allows+arbitrary+initiators+to+drain+unsuspecting+contracts+that+have+pre-approved+lendershttps://evmresearch.io/vulnerability-patterns/ERC-2612+permit+signatures+enable+gasless+approvals+but+create+phishing+vectors+where+users+unknowingly+sign+malicious+allowanceshttps://evmresearch.io/vulnerability-patterns/ERC-20+tokens+sent+to+contracts+without+callback+support+are+permanently+lost+because+transfer+does+not+verify+recipient+capabilityhttps://evmresearch.io/vulnerability-patterns/ERC-20+approve+front-running+allows+a+racing+spender+to+withdraw+both+the+old+and+new+allowance+amountshttps://evmresearch.io/vulnerability-patterns/EIP-7702+storage+collision+attacks+occur+when+migrating+between+delegate+contracts+with+incompatible+layouts+because+existing+EOA+storage+is+not+cleared+on+re-delegationhttps://evmresearch.io/vulnerability-patterns/EIP-7702+delegation+phishing+enables+persistent+EOA+account+takeover+through+a+single+signed+authorization+tuple+with+effects+invisible+in+standard+transaction+inspectionhttps://evmresearch.io/vulnerability-patterns/EIP-7702+delegation+does+not+execute+the+delegate+contract's+constructor+leaving+EOA+storage+uninitialized+unless+initialization+is+explicitly+batched+with+delegationhttps://evmresearch.io/vulnerability-patterns/EIP-7702+delegation+combined+with+ERC-4337+infrastructure+allows+bundlers+and+paymasters+to+trigger+attacker-controlled+code+at+zero+cost+to+the+attackerhttps://evmresearch.io/vulnerability-patterns/EIP-712+domain+separator+computed+at+deployment+becomes+stale+after+chain+forks+enabling+cross-chain+replayhttps://evmresearch.io/vulnerability-patterns/EIP-2929+warm+and+cold+storage+access+costs+create+gas-limit+dependent+reentrancy+guard+failures+in+contracts+using+hardcoded+gas+amountshttps://evmresearch.io/vulnerability-patterns/EIP-2535+Diamond+proxy+facet+storage+collisions+occur+when+multiple+facets+write+to+non-namespaced+storage+slotshttps://evmresearch.io/vulnerability-patterns/EIP-1822+UUPS+upgrade+logic+in+implementation+enables+permanent+proxy+bricking+if+implementation+is+destroyed+or+uninitializedhttps://evmresearch.io/vulnerability-patterns/EIP-1271+contracts+without+isValidSignature+implementation+return+true+via+fallback+causing+false+signature+validationhttps://evmresearch.io/vulnerability-patterns/EIP-1153+transient+storage+persists+across+call+frames+within+a+transaction+enabling+cross-call+state+leakagehttps://evmresearch.io/vulnerability-patterns/EIP-1153+TSTORE+lacks+the+minimum+gas+requirement+of+SSTORE+enabling+reentrancy+at+lower+gas+thresholdshttps://evmresearch.io/vulnerability-patterns/ECDSA+nonce+reuse+directly+reveals+the+private+key+because+two+signatures+sharing+the+same+r+value+expose+k+algebraicallyhttps://evmresearch.io/vulnerability-patterns/DoS+via+unexpected+revert+exploits+fallback+functions+that+intentionally+revert+to+block+ETH+transfershttps://evmresearch.io/vulnerability-patterns/DoS+via+block+gas+limit+permanently+bricks+functions+that+iterate+over+unbounded+arrayshttps://evmresearch.io/vulnerability-patterns/CREATE2+enables+contract+recreation+at+the+same+address+with+different+bytecode+when+the+constructor+queries+external+statehttps://evmresearch.io/vulnerability-patterns/CPIMP+self-restoration+after+every+transaction+makes+standard+upgrade+procedures+ineffective+as+removal+mechanismshttps://evmresearch.io/vulnerability-patterns/CPIMP+attacks+exploit+the+gap+between+proxy+deployment+and+initialization+to+inject+a+persistent+malicious+intermediary+that+parasitizes+the+protocol+invisiblyhttps://evmresearch.io/vulnerability-patterns/BLS+signature+aggregation+enables+rogue-key+attacks+where+an+attacker+forges+multi-signatures+by+registering+a+cancellation+public+keyhttps://evmresearch.io/vulnerability-patterns/vulnerability-patternshttps://evmresearch.io/solidity-behaviors/solidity+lacks+floating-point+types+so+all+division+rounds+toward+zero+losing+precision+when+numerator+is+smaller+than+denominatorhttps://evmresearch.io/solidity-behaviors/solidity+0.8.31+deprecates+send+and+transfer+signaling+the+move+away+from+fixed+gas+stipend+patternshttps://evmresearch.io/solidity-behaviors/solidity+0.8.0+introduced+default+arithmetic+overflow+protection+making+unchecked+blocks+the+new+attack+surfacehttps://evmresearch.io/solidity-behaviors/selfdestruct+was+deprecated+in+solidity+0.8.18+via+eip-6049https://evmresearch.io/solidity-behaviors/private+visibility+in+solidity+only+restricts+contract-level+access+while+all+on-chain+data+remains+publicly+readablehttps://evmresearch.io/solidity-behaviors/gas+optimization+via+unchecked+blocks+creates+tension+with+arithmetic+safety+guaranteeshttps://evmresearch.io/solidity-behaviors/abi+types+are+not+self-describing+so+the+decoder+must+know+the+interface+to+interpret+valueshttps://evmresearch.io/solidity-behaviors/solidity-behaviorshttps://evmresearch.io/security-patterns/writing+correct+invariants+constitutes+80+percent+of+verification+work+making+the+choice+of+checking+tool+secondary+to+specification+qualityhttps://evmresearch.io/security-patterns/vyper+module+composition+uses+explicit+uses+initializes+and+exports+keywords+preventing+accidental+state+coupling+between+moduleshttps://evmresearch.io/security-patterns/timelocks+on+contract+ownership+transfers+provide+the+detection+window+to+identify+and+revert+malicious+multisig+upgrade+attacks+before+funds+are+drainedhttps://evmresearch.io/security-patterns/testing+smart+contracts+with+specification+languages+different+from+the+implementation+language+reveals+compiler-level+assumption+bugs+invisible+to+same-language+verificationhttps://evmresearch.io/security-patterns/snapshot-based+voting+power+measurement+at+proposal+creation+time+prevents+flash+loan+governance+attacks+by+decoupling+token+acquisition+from+voting+eligibilityhttps://evmresearch.io/security-patterns/restricting+delegatecall+to+pre-verified+logic+contracts+prevents+arbitrary+code+executionhttps://evmresearch.io/security-patterns/rage+quit+mechanisms+give+token+holders+a+credible+exit+threat+that+functions+as+a+veto+device+against+governance+capture+without+requiring+active+voting+participationhttps://evmresearch.io/security-patterns/proof+of+possession+prevents+BLS+rogue-key+attacks+only+when+the+PoP+hash+function+is+domain-separated+from+the+signature+hash+functionhttps://evmresearch.io/security-patterns/post-deployment+verification+by+directly+reading+ERC1967+implementation+storage+slots+detects+proxy+hijacking+that+block+explorer+displays+and+emitted+events+concealhttps://evmresearch.io/security-patterns/openzeppelin+initializable+with+initializer+modifier+prevents+re-initialization+attacks+on+proxy+contractshttps://evmresearch.io/security-patterns/locking+pragma+versions+prevents+deployment+with+untested+compiler+versionshttps://evmresearch.io/security-patterns/governance+systems+must+verify+proposal+code+integrity+at+execution+time+not+only+at+approval+time+because+contract+metamorphism+can+change+the+code+between+voteshttps://evmresearch.io/security-patterns/formally+rare+bugs+requiring+inputs+with+probability+below+1+in+2%5E80+are+unreachable+by+fuzzers+regardless+of+time+budget+making+formal+verification+uniquely+capable+for+that+classhttps://evmresearch.io/security-patterns/formal+verification+proves+code+matches+a+specification+but+cannot+prove+the+specification+itself+is+complete+or+correcthttps://evmresearch.io/security-patterns/formal+verification+completeness+paradox+FV+provides+mathematical+certainty+that+code+matches+spec+but+the+92%25+post-audit+exploit+rate+shows+that+mathematical+certainty+of+the+wrong+thing+provides+no+safety+guaranteehttps://evmresearch.io/security-patterns/formal+verification+and+fuzzing+find+systematically+different+bug+classes+with+minimal+overlap+making+them+complementary+tools+rather+than+substituteshttps://evmresearch.io/security-patterns/eip-7201+namespaced+storage+provides+structured+collision+avoidance+for+upgradeable+contractshttps://evmresearch.io/security-patterns/eip-1967+reserved+storage+slots+prevent+proxy+implementation+address+collisionshttps://evmresearch.io/security-patterns/double+hashing+Merkle+leaves+prevents+second-preimage+attacks+by+making+leaf+hashes+structurally+incompatible+with+internal+node+hasheshttps://evmresearch.io/security-patterns/combining+multiple+security+analysis+tools+detects+more+unique+vulnerabilities+than+any+single+tool+because+each+tool+has+distinct+blind+spots+and+corpus+management+strategieshttps://evmresearch.io/security-patterns/automated+security+tools+combined+catch+approximately+60+percent+of+exploitable+vulnerabilities+with+the+remaining+40+percent+requiring+human+expertise+in+economic+modeling+and+compositional+reasoninghttps://evmresearch.io/security-patterns/atomic+proxy+deployment+by+passing+initialization+data+to+the+ERC1967Proxy+constructor+eliminates+the+CPIMP+front-running+window+because+deployment+and+initialization+occur+within+a+single+transactionhttps://evmresearch.io/security-patterns/RFC+6979+deterministic+nonce+generation+eliminates+ECDSA+private+key+leakage+from+randomness+failures+by+deriving+nonces+from+message+and+private+keyhttps://evmresearch.io/security-patterns/KEVM+provides+complete+executable+formal+semantics+of+the+EVM+enabling+correct-by-construction+verification+but+requires+deep+K-framework+expertise+that+limits+practitioner+adoptionhttps://evmresearch.io/security-patterns/EIP-6780+restricts+SELFDESTRUCT+to+same-transaction+contracts+eliminating+metamorphic+contract+patternshttps://evmresearch.io/security-patterns/DeFi+protocols+on+L2+must+check+L2+sequencer+uptime+before+consuming+Chainlink+price+feeds+to+prevent+stale+data+exploitationhttps://evmresearch.io/security-patterns/CREATE2+deterministic+deployment+enables+atomic+initialization+of+circularly+dependent+proxy+contracts+by+allowing+all+required+addresses+to+be+precomputed+before+any+deployment+transactionhttps://evmresearch.io/security-patterns/92%25+of+smart+contracts+exploited+in+2025+had+passed+security+reviews+indicating+specification+completeness+rather+than+code+correctness+is+the+primary+audit+gaphttps://evmresearch.io/security-patterns/security-patternshttps://evmresearch.io/protocol-mechanics/token-level+transfer+cooldowns+break+sandwich+attack+atomicity+by+blocking+double-movement+within+a+block+windowhttps://evmresearch.io/protocol-mechanics/tick+boundary+edge+cases+in+concentrated+liquidity+AMMs+produce+double-counting+and+incorrect+fee+calculation+bugshttps://evmresearch.io/protocol-mechanics/the+stablecoin+trilemma+shows+no+design+simultaneously+achieves+decentralization+stability+and+capital+efficiencyhttps://evmresearch.io/protocol-mechanics/perpetual+DEX+oracle-based+models+expose+liquidity+providers+to+toxic+flow+from+informed+traders+draining+pool+capitalhttps://evmresearch.io/protocol-mechanics/concentrated+liquidity+AMMs+amplify+impermanent+loss+within+active+price+ranges+while+providing+zero+liquidity+outside+themhttps://evmresearch.io/protocol-mechanics/commit-reveal+schemes+prevent+frontrunning+by+concealing+transaction+details+until+after+ordering+is+fixedhttps://evmresearch.io/protocol-mechanics/bridge+upgrade+transactions+are+a+distinct+exploit+vector+when+upgrade+logic+introduces+verification+threshold+bugshttps://evmresearch.io/protocol-mechanics/Uniswap+V4+hooks+introduce+arbitrary+external+code+execution+into+pool+swap+paths+creating+new+reentrancy+attack+surfaceshttps://evmresearch.io/protocol-mechanics/RWA+tokenization+introduces+off-chain+legal+wrapper+failure+risk+that+smart+contract+security+cannot+addresshttps://evmresearch.io/protocol-mechanics/RWA+recovery+agent+functions+with+burn-and-remint+capability+must+be+protected+by+multisig+and+timelock+to+prevent+admin+key+exploitationhttps://evmresearch.io/protocol-mechanics/Lido's+concentration+at+29+percent+of+staked+ETH+approaches+the+threshold+that+would+enable+consensus-level+attackshttps://evmresearch.io/protocol-mechanics/L2+upgrade+authority+creates+a+security+council+governance+tradeoff+between+rapid+incident+response+and+centralized+fund+controlhttps://evmresearch.io/protocol-mechanics/ERC-7540+asynchronous+redemption+vaults+prevent+bank-run+failure+modes+in+RWA+protocols+with+illiquid+underlying+assetshttps://evmresearch.io/protocol-mechanics/ERC-4337+EntryPoint+singleton+concentrates+unconditional+trust+creating+a+single+point+of+failure+across+the+entire+account+abstraction+ecosystemhttps://evmresearch.io/protocol-mechanics/ERC-3643+T-REX+permissioned+token+standard+prevents+unauthorized+transfers+by+mapping+addresses+to+verified+identities+on-chainhttps://evmresearch.io/protocol-mechanics/DA-saturation+and+prover+killer+attacks+exploit+mismatches+between+EVM+gas+costs+and+ZK+proving+costs+to+create+L2-specific+DoShttps://evmresearch.io/protocol-mechanics/Chainlink+Proof+of+Reserve+oracle+feeds+provide+on-chain+verification+that+tokenized+asset+supply+matches+off-chain+reserveshttps://evmresearch.io/protocol-mechanics/protocol-mechanicshttps://evmresearch.io/exploit-analyses/the+Penpie+exploit+demonstrated+reentrancy+in+reward-harvesting+via+permissionless+Pendle+market+creation+enabling+flash-loan-amplified+extraction+of+%2427+millionhttps://evmresearch.io/exploit-analyses/bridge+validator+set+compromise+enables+unauthorized+message+relay+as+demonstrated+by+the+Ronin+%24625M+exploithttps://evmresearch.io/exploit-analyses/the+WazirX+exploit+demonstrated+that+harvesting+valid+multisig+signatures+via+a+compromised+custody+UI+enables+malicious+contract+upgrades+without+any+signer+awarenesshttps://evmresearch.io/exploit-analyses/the+USPD+exploit+demonstrated+that+publicly+disclosed+deployment+vulnerabilities+remain+exploitable+when+teams+apply+published+mitigations+to+new+code+without+auditing+their+own+deployment+procedureshttps://evmresearch.io/exploit-analyses/the+Radiant+Capital+exploit+demonstrated+that+malware+intercepting+Gnosis+Safe+signing+requests+bypasses+3-of-11+multisig+by+exploiting+hardware+wallet+blind+signinghttps://evmresearch.io/exploit-analyses/the+Orbit+Chain+exploit+demonstrated+that+insider+threat+via+deliberate+firewall+policy+degradation+before+departure+creates+bounded-time+exploit+windows+in+bridge+infrastructurehttps://evmresearch.io/exploit-analyses/the+Euler+Finance+donateToReserves+exploit+demonstrated+that+economic+logic+flaws+invisible+to+all+automated+tooling+require+protocol-specific+manual+review+to+detecthttps://evmresearch.io/exploit-analyses/the+Bybit+exploit+demonstrated+that+JavaScript+injection+into+web-based+signing+infrastructure+can+bypass+hardware+wallet+protection+and+drain+cold+wallet+assetshttps://evmresearch.io/exploit-analyses/supply+chain+injection+into+hardware+wallet+signing+interfaces+enables+theft+without+private+key+extraction+by+tricking+operators+into+signing+fraudulent+transactionshttps://evmresearch.io/exploit-analyses/social+engineering+and+key+management+failures+drove+65+percent+of+2025+crypto+losses+and+are+outside+the+scope+of+any+code-level+security+analysishttps://evmresearch.io/exploit-analyses/parity+wallet+hack+demonstrated+that+selfdestruct+in+implementation+contracts+permanently+bricks+proxy+systemshttps://evmresearch.io/exploit-analyses/furucombo+exploit+demonstrated+unrestricted+delegatecall+enabling+storage+approval+manipulationhttps://evmresearch.io/exploit-analyses/cross-chain+bridge+cryptographic+failures+account+for+40+percent+of+total+Web3+hack+losses+through+validator+key+compromise+and+signature+scheme+weaknesseshttps://evmresearch.io/exploit-analyses/Profanity+vanity+address+generator+used+a+32-bit+seed+keyspace+making+all+generated+private+keys+recoverable+from+any+observed+transaction+signaturehttps://evmresearch.io/exploit-analyses/ERC-4337+malformed+calldata+in+EntryPoint+pack()+functions+allows+post-signing+mutation+of+UserOperation+fields+undermining+paymaster+sponsorship+intenthttps://evmresearch.io/exploit-analyses/DPRK-affiliated+threat+actors+account+for+the+majority+of+crypto+theft+losses+by+shifting+from+smart+contract+exploitation+to+social+engineering+infrastructure+compromise+and+supply+chain+attackshttps://evmresearch.io/exploit-analyses/exploit-analyseshttps://evmresearch.io/evm-internals/yul+division+by+zero+returns+zero+rather+than+reverting+unlike+solidity+checked+arithmetichttps://evmresearch.io/evm-internals/writing+contract+logic+in+yul+or+assembly+can+bypass+access+control+mechanisms+only+implemented+in+solidityhttps://evmresearch.io/evm-internals/transient+storage+introduces+new+storage+semantics+with+novel+security+implicationshttps://evmresearch.io/evm-internals/storage+variable+ordering+affects+gas+costs+because+suboptimal+ordering+wastes+storage+slotshttps://evmresearch.io/evm-internals/solidity+pure+functions+use+STATICCALL+but+cannot+prevent+state+reads+at+the+EVM+level+creating+a+false+safety+guaranteehttps://evmresearch.io/evm-internals/solidity+delete+on+mappings+contained+within+arrays+leaves+orphaned+data+in+storage+because+mappings+cannot+track+their+keyshttps://evmresearch.io/evm-internals/solidity+compiler+packs+multiple+small+values+into+one+storage+slot+but+writing+requires+reading+the+full+slothttps://evmresearch.io/evm-internals/memory-to-memory+assignment+in+solidity+creates+references+not+copies+enabling+aliasing+bugs+when+both+variables+modify+the+same+datahttps://evmresearch.io/evm-internals/memory+and+calldata+values+are+not+packed+unlike+storagehttps://evmresearch.io/evm-internals/low-level+calls+to+non-existent+contracts+succeed+silently+because+the+EVM+treats+empty+addresses+as+successfulhttps://evmresearch.io/evm-internals/evm+memory+gas+costs+grow+quadratically+making+large+allocations+prohibitively+expensivehttps://evmresearch.io/evm-internals/delegatecall+executes+code+from+another+contract+using+the+callers+storage+contexthttps://evmresearch.io/evm-internals/custom+storage+layouts+enable+powerful+proxy+patterns+but+manual+slot+math+errors+can+corrupt+datahttps://evmresearch.io/evm-internals/EXTCODESIZE+returns+zero+during+constructor+execution+allowing+contracts+to+bypass+code-size-based+EOA+checkshttps://evmresearch.io/evm-internals/EVM+opcode+incompatibility+across+chains+causes+failures+when+contracts+assume+uniform+opcode+supporthttps://evmresearch.io/evm-internals/CREATE2+enables+metamorphic+contract+attacks+by+allowing+a+self-destructed+contract+to+be+redeployed+with+different+bytecode+at+the+same+trusted+addresshttps://evmresearch.io/evm-internals/evm-internalshttps://evmresearch.io/vulnerability-patterns/business+logic+vulnerabilities+are+the+highest-frequency+attack+category+yet+resist+systematic+defensive+patterns+because+economically+valid+code+can+break+under+adversarial+pressurehttps://evmresearch.io/vulnerability-patterns/on-chain+rate+limiting+is+undermined+by+Sybil+attacks+enabling+a+single+attacker+to+distribute+operations+across+multiple+accounts+to+evade+per-address+limitshttps://evmresearch.io/vulnerability-patterns/owasp+smart+contract+top+10+2026+confirms+business+logic+and+access+control+together+account+for+78+percent+of+all+2025+incidentshttps://evmresearch.io/security-patterns/defense-in-depth+combining+pre-deployment+and+post-deployment+security+layers+reduces+smart+contract+breach+probability+by+87+percenthttps://evmresearch.io/security-patterns/combined+runtime+invariant+guards+block+85+percent+of+exploits+with+less+than+1+percent+gas+overhead+making+them+practical+for+productionhttps://evmresearch.io/security-patterns/EOA+access+control+invariant+is+the+single+most+effective+runtime+exploit+guard+blocking+18+of+27+distinct+exploits+in+empirical+studyhttps://evmresearch.io/security-patterns/ERC-7265+on-chain+circuit+breakers+are+fundamentally+reactive+and+cannot+prevent+the+initial+attack+transaction+only+subsequent+outflowshttps://evmresearch.io/vulnerability-patterns/algorithmic+stablecoin+death+spirals+are+triggered+by+reflexive+depegging+where+falling+price+reduces+demand+accelerating+the+fallhttps://evmresearch.io/vulnerability-patterns/cross-chain+sandwich+attacks+exploit+bridge+event+visibility+to+gain+mempool-order+advantage+on+destination+chainshttps://evmresearch.io/vulnerability-patterns/permissionless+market+registration+in+yield+aggregators+creates+implicit+trust+of+attacker-controlled+contracts+enabling+reentrancy+via+reward+distribution+callbackshttps://evmresearch.io/vulnerability-patterns/lending+protocols+depend+on+utilization-based+interest+rate+curves+that+create+depositor-trapping+risk+at+100%25+utilizationhttps://evmresearch.io/vulnerability-patterns/borrower+front-running+of+liquidators+via+tiny+repayments+creates+denial+of+service+against+liquidation+mechanismshttps://evmresearch.io/vulnerability-patterns/OpenZeppelin+TimelockController+proposals+remain+executable+indefinitely+after+the+delay+expires+creating+persistent+unauthorized+execution+windowshttps://evmresearch.io/vulnerability-patterns/rebasing+token+balance+increases+cause+accounting+errors+in+protocols+that+cache+balances+without+accounting+for+daily+rebaseshttps://evmresearch.io/vulnerability-patterns/just-in-time+liquidity+extraction+captures+swap+fees+without+bearing+impermanent+loss+by+sandwiching+large+swapshttps://evmresearch.io/vulnerability-patterns/allowing+governance+voting+and+execution+in+the+same+transaction+makes+any+governance+system+unconditionally+vulnerable+to+flash+loan+attack+regardless+of+quorum+thresholdhttps://evmresearch.io/vulnerability-patterns/emergency+governance+functions+designed+for+protocol+protection+become+the+highest-value+attack+surface+when+they+bypass+timelock+delayshttps://evmresearch.io/vulnerability-patterns/bridge+finality+assumptions+create+reorganization+attack+risk+when+relays+occur+before+source+chain+confirmshttps://evmresearch.io/vulnerability-patterns/low-participation+governance+votes+enable+protocol+parameter+manipulation+through+flash+loan+voting+powerhttps://evmresearch.io/vulnerability-patterns/mint-burn+asymmetry+in+bridges+enables+unlimited+token+minting+when+destination+minting+occurs+without+verified+source-chain+lockinghttps://evmresearch.io/vulnerability-patterns/DeFi+composability+creates+systemic+exploit+propagation+risk+because+interconnected+protocols+transform+local+failures+into+cascadeshttps://evmresearch.io/vulnerability-patterns/slow+token+accumulation+attacks+on+governance+succeed+by+amassing+unilateral+control+below+detection+thresholds+when+snapshot+protections+block+flash+loanshttps://evmresearch.io/vulnerability-patterns/restaking+compounds+validator+slashing+risk+by+applying+multiple+independent+slashing+conditions+to+the+same+staked+capitalhttps://evmresearch.io/vulnerability-patterns/protocol+complexity+measured+in+composable+DeFi+primitives+drives+vulnerability+surface+area+nonlinearlyhttps://evmresearch.io/vulnerability-patterns/reentrancy+oracle+manipulation+vault+share+inflation+slippage+precision+loss+and+access+control+form+the+universal+vulnerability+kernel+across+all+DeFi+protocol+typeshttps://evmresearch.io/vulnerability-patterns/delta-neutral+stablecoins+face+funding+rate+inversion+risk+when+perpetual+markets+turn+negativehttps://evmresearch.io/vulnerability-patterns/flash+loan+oracle+manipulation+enables+price+feed+attacks+against+defi+protocolshttps://evmresearch.io/vulnerability-patterns/sandwich+attacks+exploit+AMM+deterministic+pricing+to+front-run+and+back-run+victim+trades+within+a+single+blockhttps://evmresearch.io/vulnerability-patterns/yield+aggregator+strategy+composition+inherits+vulnerabilities+from+every+underlying+protocol+in+the+stackhttps://evmresearch.io/vulnerability-patterns/funding+rate+manipulation+in+perpetual+DEXs+allows+large+positions+to+skew+economic+extraction+at+the+expense+of+counterpartieshttps://evmresearch.io/vulnerability-patterns/AVS-defined+slashing+conditions+can+slash+honest+operators+due+to+buggy+or+overly+punitive+slashing+logichttps://evmresearch.io/vulnerability-patterns/liquidation+cascades+in+lending+protocols+create+self-reinforcing+price+collapse+through+forced+selling+feedback+loopshttps://evmresearch.io/vulnerability-patterns/LST+depeg+risk+creates+liquidation+cascades+in+lending+protocols+that+accept+liquid+staking+tokens+as+collateralhttps://evmresearch.io/vulnerability-patterns/ERC-4626+vault+share+price+manipulation+via+direct+token+donation+exploits+the+share-to-asset+ratio+in+newly+deployed+vaultshttps://evmresearch.io/vulnerability-patterns/AMM+spot+prices+are+manipulable+within+a+single+transaction+making+them+unsafe+as+oracle+price+feeds+without+TWAP+smoothinghttps://evmresearch.io/vulnerability-patterns/malicious+governance+proposal+injection+via+CREATE2+and+SELFDESTRUCT+allows+attackers+to+swap+approved+code+with+malicious+code+between+proposal+approval+and+executionhttps://evmresearch.io/vulnerability-patterns/the+Mango+Markets+exploit+demonstrated+that+thin-liquidity+oracle+manipulation+combined+with+unrealized+PnL+as+collateral+enables+full+protocol+drain+through+controlled+spot+price+inflationhttps://evmresearch.io/vulnerability-patterns/bad+debt+accumulation+in+lending+protocols+occurs+when+liquidations+fail+to+clear+underwater+positions+during+extreme+market+eventshttps://evmresearch.io/vulnerability-patterns/frontrunning+exploits+public+mempool+visibility+to+insert+competing+transactions+before+profitable+pending+operationshttps://evmresearch.io/vulnerability-patterns/vyper+nonreentrant+decorator+uses+a+single+global+storage+lock+eliminating+cross-function+reentrancy+by+design+in+versions+0.4.0+and+laterhttps://evmresearch.io/vulnerability-patterns/vyper+empty+string+nonreentrant+key+silently+produces+no+reentrancy+checks+at+runtimehttps://evmresearch.io/vulnerability-patterns/vyper+eliminates+entire+solidity+vulnerability+classes+by+omitting+inheritance+operator+overloading+recursive+functions+and+inline+assemblyhttps://evmresearch.io/vulnerability-patterns/vyper+default+function+did+not+respect+nonreentrancy+decorator+prior+to+v0.3.0+allowing+reentrancy+through+the+fallback+pathhttps://evmresearch.io/vulnerability-patterns/vyper+compiler+reentrancy+lock+storage+slot+bug+broke+cross-function+reentrancy+protection+in+versions+0.2.15+through+0.3.0https://evmresearch.io/vulnerability-patterns/the+Fei+Protocol+Rari+Capital+exploit+demonstrated+that+incomplete+reentrancy+guard+coverage+enables+cross-function+reentrancy+through+unprotected+state-sharing+functionshttps://evmresearch.io/vulnerability-patterns/the+dForce+exploit+demonstrated+cross-contract+read-only+reentrancy+where+stale+Curve+get_virtual_price+values+enabled+artificial+liquidation+of+lending+positionshttps://evmresearch.io/vulnerability-patterns/the+Curve+Finance+Vyper+compiler+exploit+proved+that+source-level+reentrancy+guards+can+be+silently+broken+by+compiler+bugs+invisible+to+auditorshttps://evmresearch.io/vulnerability-patterns/reentrancy+variant+evolution+outpaces+defense+adoption+because+each+variant+exploits+a+different+assumption+about+where+external+calls+occurhttps://evmresearch.io/vulnerability-patterns/reentrancy+is+possible+whenever+external+calls+precede+state+updateshttps://evmresearch.io/vulnerability-patterns/reentrancy+attacks+have+caused+over+500+million+dollars+in+cumulative+losses+across+70+plus+incidents+from+2016+through+2025+despite+being+the+most+well-known+smart+contract+vulnerabilityhttps://evmresearch.io/vulnerability-patterns/read-only+reentrancy+exploits+view+functions+to+cause+other+protocols+to+read+inconsistent+statehttps://evmresearch.io/vulnerability-patterns/ERC-721+safeTransferFrom+and+ERC-777+tokensReceived+callbacks+create+reentrancy+entry+points+in+any+protocol+handling+these+token+standardshttps://evmresearch.io/vulnerability-patterns/ERC-4337+multi-UserOperation+bundles+require+manual+transient+storage+cleanup+because+transient+values+from+one+sender+persist+into+subsequent+sender+validationhttps://evmresearch.io/vulnerability-patterns/checks-effects-interactions+pattern+prevents+reentrancy+by+updating+state+before+external+callshttps://evmresearch.io/vulnerability-patterns/vyper+double+evaluation+bugs+form+the+largest+cluster+of+compiler+CVEs+causing+side+effects+to+execute+multiple+times+or+in+wrong+orderhttps://evmresearch.io/vulnerability-patterns/vyper+compiler+side+effect+elision+skips+state-changing+expressions+when+slice+or+concat+receives+zero-length+argumentshttps://evmresearch.io/vulnerability-patterns/vyper+builtin+function+argument+evaluation+order+is+undefined+causing+unpredictable+results+with+side-effecting+expressionshttps://evmresearch.io/vulnerability-patterns/vyper+augmented+assignment+evaluation+order+enables+out-of-bounds+writes+when+right-hand+side+modifies+the+target+arrayhttps://evmresearch.io/vulnerability-patterns/transient+storage+violates+composability+assumptions+in+multi-contract+interactions+because+values+persist+across+external+calls+within+a+transactionhttps://evmresearch.io/vulnerability-patterns/solidity+via-IR+transient+storage+clearing+helper+collision+emits+wrong+opcode+when+clearing+both+persistent+and+transient+variables+of+the+same+typehttps://evmresearch.io/vulnerability-patterns/silent+semantic+mismatch+is+a+cross-language+vulnerability+class+where+code+appears+to+enforce+constraints+but+silently+failshttps://evmresearch.io/vulnerability-patterns/majority+of+solidity+0.8.x+compiler+bugs+manifest+only+under+specific+pipeline+configurations+creating+hidden+behavioral+divergence+from+identical+source+codehttps://evmresearch.io/vulnerability-patterns/compiler+bugs+represent+a+distinct+threat+category+where+source-level+security+analysis+is+structurally+insufficienthttps://evmresearch.io/vulnerability-patterns/EIP-7702+authorization+tuples+encode+no+execution+scope%2C+expiry%2C+or+call+restrictions+making+them+semantically+equivalent+to+unconditional+persistent+capability+grantshttps://evmresearch.io/vulnerability-patterns/EIP-7702+tx.origin+equals+msg.sender+check+no+longer+prevents+flash+loan+attacks+because+delegated+EOAs+can+execute+arbitrary+contract+logic+while+satisfying+both+identity+checkshttps://evmresearch.io/security-patterns/detecting+EIP-7702+delegation+via+the+0xef0100+prefix+check+is+the+only+contract-level+defense+that+distinguishes+delegated+EOAs+from+both+regular+EOAs+and+deployed+contractshttps://evmresearch.io/vulnerability-patterns/EIP-7702+invalidates+pre-Pectra+assumptions+that+EOAs+have+no+code+cannot+revert+ETH+transfers+and+only+change+balances+through+signed+transactionshttps://evmresearch.io/vulnerability-patterns/CPIMP+defeats+detection+by+layering+fake+ERC1967+Upgraded+events+with+legacy+storage+slot+misdirection+so+each+standard+monitoring+method+sees+the+legitimate+implementationhttps://evmresearch.io/vulnerability-patterns/complex+multi-step+interaction+invariants+in+DeFi+protocols+are+the+vulnerability+class+that+both+human+auditors+and+automated+tools+most+commonly+misshttps://evmresearch.io/vulnerability-patterns/contract+upgrade+procedures+create+temporary+vulnerability+windows+when+initialization+must+occur+after+a+state+change+that+disables+reentrancy+protectionhttps://evmresearch.io/vulnerability-patterns/whether+CLM+TWAP+bypass+patterns+generalize+beyond+asymmetric+enforcement+to+other+conditional+check+architectureshttps://evmresearch.io/vulnerability-patterns/Chainlink+oracle+front-running+is+possible+because+price+feed+updates+are+public+transactions+that+allow+sandwiching+of+oracle+price+changeshttps://evmresearch.io/vulnerability-patterns/Chainlink+price+feed+heartbeats+vary+between+feeds+with+similar+names+requiring+per-feed+verification+rather+than+assuming+uniform+update+frequencyhttps://evmresearch.io/vulnerability-patterns/alternating+between+inline+assembly+and+Solidity+creates+implicit+state+dependencies+that+neither+compiler+warnings+nor+auditors+reliably+detecthttps://evmresearch.io/vulnerability-patterns/inline+assembly+free+memory+pointer+corruption+occurs+when+Solidity+code+modifies+the+free+memory+pointer+between+assembly+blocks+that+assume+it+has+not+changedhttps://evmresearch.io/vulnerability-patterns/fixed+liquidation+bonus+causes+revert+below+the+bonus+threshold+preventing+liquidation+of+positions+that+most+need+clearinghttps://evmresearch.io/vulnerability-patterns/lending+protocols+must+never+pause+repayments+while+leaving+liquidations+active+because+borrowers+cannot+repay+to+avoid+unfair+liquidationhttps://evmresearch.io/vulnerability-patterns/hard-coded+UniswapV3+fee+tiers+prevent+optimal+routing+and+cause+unnecessary+slippage+by+locking+swaps+to+potentially+non-ideal+fee+levelshttps://evmresearch.io/vulnerability-patterns/missing+deadline+parameters+allow+transactions+to+linger+in+the+mempool+and+execute+at+substantially+worse+prices+than+at+submission+timehttps://evmresearch.io/vulnerability-patterns/slippage+protection+with+zero+minTokensOut+exposes+users+to+unlimited+loss+and+must+always+be+flagged+as+critical+in+auditshttps://evmresearch.io/vulnerability-patterns/CLM+owner+retrospective+fee+changes+steal+pending+user+rewards+by+modifying+fee+parameters+after+accumulation+but+before+harvesthttps://evmresearch.io/vulnerability-patterns/TWAP+bypass+via+asymmetric+enforcement+allows+attackers+to+exploit+unprotected+owner+functions+when+calm-period+checks+guard+only+non-owner+pathshttps://evmresearch.io/vulnerability-patterns/precision+loss+in+DeFi+can+be+weaponized+to+drain+funds+rather+than+merely+disadvantaging+usershttps://evmresearch.io/vulnerability-patterns/modular+protocol+architectures+hide+precision+loss+by+separating+calculations+across+functions+contracts+and+libraries+that+obscure+rounding+accumulationhttps://evmresearch.io/vulnerability-patterns/empty+array+inputs+bypass+loop-based+verification+entirely+when+callers+omit+array+length+validationhttps://evmresearch.io/vulnerability-patterns/two-step+ownership+transfer+is+exploitable+when+step+two+does+not+verify+step+one+was+initiatedhttps://evmresearch.io/vulnerability-patterns/signature+expiration+deadlines+are+necessary+because+signatures+without+timestamps+function+as+irrevocable+lifetime+licenseshttps://evmresearch.io/vulnerability-patterns/cross-chain+signature+replay+succeeds+when+UserOperations+omit+chain_id+from+the+signed+messagehttps://evmresearch.io/vulnerability-patterns/hidden+ERC+standard+callbacks+create+reentrancy+surface+developers+do+not+recognize+as+hookablehttps://evmresearch.io/vulnerability-patterns/ERC-1155+mintBatch+callback+creates+reentrancy+before+valueLeft+storage+write+enabling+unlimited+token+fraction+splittinghttps://evmresearch.io/security-patterns/off-chain+transaction+monitoring+detects+holistic+attack+patterns+that+stay+within+individual+protocol+thresholds+complementing+per-protocol+on-chain+detectionhttps://evmresearch.io/security-patterns/circuit+breakers+provide+independent+security+guarantees+when+implemented+at+a+layer+separate+from+application+logic+because+attackers+must+then+defeat+two+unrelated+systemshttps://evmresearch.io/security-patterns/bug+heuristic+methodology+combines+code+patterns+easy+to+get+wrong+with+pre-defined+high-impact+targets+to+focus+offensive+research+on+the+most+likely+critical+vulnerabilitieshttps://evmresearch.io/security-patterns/formal+verification+finds+bugs+that+all+three+major+fuzzers+miss+because+SMT+solving+exhausts+state+spaces+that+random+sampling+cannot+reachhttps://evmresearch.io/security-patterns/handler+functions+in+invariant+fuzz+tests+must+satisfy+preconditions+to+prevent+trivial+reverts+that+give+fuzzers+false+confidencehttps://evmresearch.io/security-patterns/multiplication+before+division+is+required+in+Solidity+to+minimize+precision+loss+because+integer+division+truncates+remainders+permanentlyhttps://evmresearch.io/security-patterns/developer+subconscious+assumptions+about+prior+state+create+systematic+input+validation+gaps+auditors+must+explicitly+hunthttps://evmresearch.io/exploit-analyses/self-liquidation+via+flash+loan+is+profitable+when+borrowed+funds+trigger+and+profit+from+the+borrowers+own+liquidation+before+repaying+the+flash+loanhttps://evmresearch.io/vulnerability-patterns/solidity+0.8+default+checked+arithmetic+converts+overflow+from+a+value+manipulation+vulnerability+into+a+denial-of-service+vulnerabilityhttps://evmresearch.io/vulnerability-patterns/induction+variable+overflow+permanently+bricks+loop-dependent+functions+when+counter+types+are+too+small+for+the+iteration+rangehttps://evmresearch.io/vulnerability-patterns/empty+array+pop+triggers+Panic(0x31)+enabling+denial+of+service+when+attackers+drain+arrays+before+pop-dependent+operationshttps://evmresearch.io/vulnerability-patterns/division+by+zero+in+solidity+always+reverts+even+inside+unchecked+blocks+making+attacker-controlled+denominators+a+hard+DoS+vectorhttps://evmresearch.io/vulnerability-patterns/attacker-controlled+array+indices+or+lengths+trigger+out-of-bounds+panics+that+permanently+block+critical+contract+functionshttps://evmresearch.io/solidity-behaviors/Solidity's+error+hierarchy+treats+panics+as+unexpected+bugs+rather+than+expected+failure+modes+making+contracts+structurally+unprepared+to+handle+panic-triggering+inputshttps://evmresearch.io/solidity-behaviors/Panic(uint256)+error+codes+provide+a+formal+taxonomy+of+compiler-inserted+revert+conditions+in+solidity+0.8https://evmresearch.io/vulnerability-patterns/upgrade+and+deployment+procedures+constitute+a+process-layer+vulnerability+class+structurally+invisible+to+code-level+security+analysishttps://evmresearch.io/vulnerability-patterns/storage+gap+mismanagement+in+upgradeable+base+contracts+causes+child+contract+storage+collisionshttps://evmresearch.io/vulnerability-patterns/re-initialization+vulnerabilities+arise+when+upgrades+inadvertently+reset+initialization+statehttps://evmresearch.io/vulnerability-patterns/proxy+architecture+choice+determines+the+tradeoff+between+upgrade+authority+concentration+selector+routing+cost+and+blast+radius+scopehttps://evmresearch.io/vulnerability-patterns/access+control+failures+on+UUPS+_authorizeUpgrade+enable+unauthorized+proxy+upgrades+to+arbitrary+codehttps://evmresearch.io/vulnerability-patterns/lending+protocol+liquidation+transfer+failures+have+three+distinct+mechanisms+that+each+require+different+defensive+patternshttps://evmresearch.io/vulnerability-patterns/cUSDCv3+max-uint256+transfer+semantics+break+vault+accounting+by+silently+transferring+less+than+the+specified+amounthttps://evmresearch.io/vulnerability-patterns/code+injection+via+malicious+ERC-20+token+name+attributes+enables+frontend+exploitation+including+private+key+extractionhttps://evmresearch.io/vulnerability-patterns/ERC-20+representations+of+native+currency+on+L1+and+L2+chains+create+double-spending+vulnerabilities+when+protocols+handle+both+native+and+ERC-20+pathshttps://evmresearch.io/vulnerability-patterns/non-string+metadata+encoding+in+ERC-20+tokens+breaks+standard+ABI+decoding+of+name+and+symbol+fieldshttps://evmresearch.io/vulnerability-patterns/zero-value+transfer+and+approval+reverts+create+silent+integration+failures+in+protocols+that+use+boundary-amount+operationshttps://evmresearch.io/vulnerability-patterns/ERC-20+approval+behaviors+are+mutually+incompatible+across+major+tokens+making+universal+approval+handling+impossible+without+token-specific+branching+or+Permit2https://evmresearch.io/vulnerability-patterns/signed+integer+division+overflow+occurs+when+dividing+the+minimum+value+by+negative+one+because+the+positive+result+exceeds+the+type+maximumhttps://evmresearch.io/vulnerability-patterns/hand-written+EVM+function+dispatchers+that+lack+a+terminal+revert+allow+execution+to+fall+through+into+unrelated+bytecodehttps://evmresearch.io/vulnerability-patterns/Solidity+scratch+space+at+memory+addresses+0x00-0x3f+is+overwritten+by+mapping+and+array+storage+slot+calculations+between+assembly+blockshttps://evmresearch.io/vulnerability-patterns/low-level+EVM+code+must+explicitly+validate+calldata+input+bit+widths+because+the+EVM+performs+no+type-level+masking+on+function+parametershttps://evmresearch.io/vulnerability-patterns/swap-and-pop+list+deletion+may+invalidate+external+index+references+to+the+moved+last+elementhttps://evmresearch.io/vulnerability-patterns/rounding+errors+become+exploitable+when+amplifiable+through+repetition+or+value+scalehttps://evmresearch.io/vulnerability-patterns/memory+copies+of+storage+data+that+are+never+written+back+silently+lose+state+updateshttps://evmresearch.io/vulnerability-patterns/functions+with+source+and+destination+parameters+may+malfunction+when+the+two+addresses+are+equal+because+cached+balances+diverge+from+realityhttps://evmresearch.io/vulnerability-patterns/duplicate+entries+in+user-supplied+lists+may+bypass+implicit+uniqueness+assumptions+enabling+double-countinghttps://evmresearch.io/vulnerability-patterns/contracts+accepting+both+ETH+and+WETH+must+enforce+mutual+exclusivity+or+msg.value+can+be+double-counted+alongside+WETH+transfershttps://evmresearch.io/vulnerability-patterns/checking+default+values+to+detect+initialization+is+unreliable+because+default+values+can+be+legitimate+statehttps://evmresearch.io/vulnerability-patterns/assuming+contract+balance+equals+the+sum+of+tracked+deposits+is+unsafe+because+ETH+and+tokens+can+arrive+unsolicitedhttps://evmresearch.io/security-patterns/complementary+function+pairs+that+don't+mirror+all+state+mutations+may+have+an+asymmetry+bughttps://evmresearch.io/security-patterns/calling+a+function+X+times+with+value+Y+should+equal+calling+it+once+with+value+XY+as+a+fuzzing+invarianthttps://evmresearch.io/vulnerability-patterns/stale+cached+state+after+lifecycle+transitions+enables+exploitation+when+initialization+logic+conflates+fresh+deployment+with+drained+statehttps://evmresearch.io/vulnerability-patterns/lending+protocol+liquidation+mechanisms+fail+through+five+distinct+mechanisms+each+requiring+a+separate+defensive+patternhttps://evmresearch.io/vulnerability-patterns/individually+safe+rounding+directions+can+produce+exploitable+composite+errors+when+applied+across+multiple+operations+in+sequencehttps://evmresearch.io/vulnerability-patterns/hand-written+EVM+code+shares+a+specific+set+of+vulnerability+classes+that+are+structurally+impossible+in+compiler-generated+codehttps://evmresearch.io/vulnerability-patterns/bootstrap+and+initialization+logic+that+remains+reachable+after+launch+creates+a+permanent+re-initialization+attack+surfacehttps://evmresearch.io/vulnerability-patterns/Newton-Raphson+iterative+solvers+in+AMM+invariant+calculations+are+vulnerable+to+divergence+under+extreme+input+imbalance+producing+truncated+or+incorrect+state+valueshttps://evmresearch.io/exploit-analyses/the+yETH+exploit+demonstrated+that+stale+cached+state+after+pool+drainage+enables+infinite+token+minting+through+bootstrap+re-entryhttps://evmresearch.io/exploit-analyses/the+Bunni+exploit+demonstrated+that+individually+safe+rounding+directions+become+unsafe+under+multi-operation+compositionhttps://evmresearch.io/vulnerability-patterns/excessive+input+validation+can+lock+funds+permanently+by+making+withdrawal+or+critical+operations+unreachable+under+valid+conditionshttps://evmresearch.io/vulnerability-patterns/unvalidated+user-supplied+contract+addresses+enable+arbitrary+code+execution+when+protocols+call+interfaces+on+attacker-controlled+deploymentshttps://evmresearch.io/exploit-analyses/the+SushiSwap+RouteProcessor2+exploit+demonstrated+that+callback+mechanisms+on+unvalidated+user-supplied+addresses+grant+attackers+delegated+execution+context+within+the+calling+protocolhttps://evmresearch.io/vulnerability-patterns/unfair+liquidation+vulnerabilities+arise+when+protocol+design+creates+information+or+timing+asymmetry+between+borrowers+and+liquidatorshttps://evmresearch.io/vulnerability-patterns/temporal+gap+between+value+accumulation+and+distribution+creates+an+exploitable+window+for+parameter+manipulation+timing+attacks+and+dilutionhttps://evmresearch.io/vulnerability-patterns/stale+token+approvals+persisting+after+router+or+spender+contract+updates+create+unauthorized+spending+vectorshttps://evmresearch.io/vulnerability-patterns/slippage+invariant+requiring+outputAmount+%3E%3D+minOutputAmount+must+be+verified+at+the+final+operation+step+not+intermediate+stepshttps://evmresearch.io/vulnerability-patterns/on-chain+slippage+calculation+using+Quoter+contracts+is+subject+to+the+same+manipulation+as+the+spot+price+it+querieshttps://evmresearch.io/vulnerability-patterns/non-existent+ID+manipulation+returns+default+values+enabling+silent+state+corruptionhttps://evmresearch.io/vulnerability-patterns/no+grace+period+after+protocol+unpause+enables+unfair+immediate+liquidation+of+borrowers+who+could+not+repay+during+the+pausehttps://evmresearch.io/vulnerability-patterns/liquidation+denial+of+service+through+callback+reverts+collateral+hiding+and+data+structure+corruption+constitutes+a+distinct+vulnerability+sub-class+beyond+incentive+failureshttps://evmresearch.io/vulnerability-patterns/inconsistent+array+length+between+correlated+input+arrays+causes+out-of-bounds+errors+and+silent+state+corruptionhttps://evmresearch.io/vulnerability-patterns/cross-chain+replay+of+signatures+without+chain_id+binding+impacts+any+signature+scheme+used+across+multi-chain+deploymentshttps://evmresearch.io/vulnerability-patterns/block.timestamp+as+deadline+provides+no+protection+because+it+references+the+time+at+executionhttps://evmresearch.io/vulnerability-patterns/authorization+mechanisms+without+explicit+expiration+or+revocation+function+as+indefinite+capability+grants+that+persist+beyond+their+intended+contexthttps://evmresearch.io/vulnerability-patterns/Chainlink+minAnswer+and+maxAnswer+price+bounds+cause+oracles+to+report+incorrect+prices+during+flash+crashes+and+extreme+eventshttps://evmresearch.io/security-patterns/state+transition+invariants+preventing+invalid+progression+must+be+encoded+explicitly+because+implicit+ordering+assumptions+are+the+root+cause+of+multi-step+vulnerabilitieshttps://evmresearch.io/security-patterns/invariant+analysis+as+a+systematic+audit+methodology+discovers+vulnerabilities+that+pattern+matching+alone+misseshttps://evmresearch.io/security-patterns/balance+invariants+requiring+sum+of+user+balances+equals+total+supply+are+the+most+fundamental+DeFi+accounting+checkhttps://evmresearch.io/vulnerability-patterns/transfer+amount+fidelity+cannot+be+assumed+for+arbitrary+ERC-20+tokens+because+four+distinct+mechanisms+cause+actual+received+amounts+to+differ+from+specified+amountshttps://evmresearch.io/contributorshttps://evmresearch.io/vulnerability-patterns/non-atomic+on-chain+initialization+creates+a+universal+race+condition+between+structure+creation+and+configurationhttps://evmresearch.io/vulnerability-patterns/Uniswap+v3-v4+LiquidityAmounts+helper+functions+round+token+amounts+down+while+Pool.modifyLiquidity+rounds+up+creating+a+systematic+accounting+discrepancy+of+up+to+1+wei+per+token+per+positionhttps://evmresearch.io/protocol-mechanics/Uniswap+v4+modifyLiquidity+callerDelta+bundles+accrued+fees+with+principal+causing+logic+that+assumes+negative-only+deltas+to+revert+or+double-count+feeshttps://evmresearch.io/vulnerability-patterns/incorrect+inheritance+ordering+in+Solidity+multiple+inheritance+causes+unintended+function+dispatch+because+the+C3+linearization+algorithm+resolves+ambiguity+via+reverse+order+of+base+class+declarationhttps://evmresearch.io/vulnerability-patterns/single-step+ownership+transfer+without+confirmation+from+the+new+owner+risks+permanent+loss+of+contract+admin+control+if+the+target+address+is+wrong+or+cannot+accept+ownershiphttps://evmresearch.io/vulnerability-patterns/state+variables+without+an+explicit+visibility+modifier+default+to+internal+in+Solidity+making+incorrect+visibility+assumptions+invisible+during+code+reviewhttps://evmresearch.io/vulnerability-patterns/Solidity+allows+casting+any+address+to+any+contract+interface+type+enabling+contracts+to+initialize+external+dependencies+to+malicious+addresses+that+pass+type+checks+while+executing+attacker+codehttps://evmresearch.io/vulnerability-patterns/Solidity+functions+without+an+explicit+visibility+modifier+defaulted+to+public+before+version+0.5.0+allowing+anyone+to+call+intended-internal+functionshttps://evmresearch.io/vulnerability-patterns/the+Unicode+RTL+override+character+U%2B202E+embedded+in+Solidity+source+code+visually+reorders+identifiers+hiding+malicious+code+from+auditors+reading+the+filehttps://evmresearch.io/vulnerability-patterns/interface+type+signature+mismatches+produce+different+function+selectors+causing+calls+to+invoke+the+fallback+function+instead+of+the+intended+implementationhttps://evmresearch.io/vulnerability-patterns/Solidity+delete+on+an+array+element+zeroes+the+slot+without+reducing+array+length+leaving+a+zero-value+gap+that+breaks+length-based+iteration+assumptionshttps://evmresearch.io/vulnerability-patterns/assert()+misuse+for+input+validation+consumes+all+gas+and+halts+execution+instead+of+gracefully+reverting+like+require()https://evmresearch.io/vulnerability-patterns/vault+token+oracle+proxies+that+derive+price+from+on-chain+pricePerShare+are+manipulable+by+direct+token+donation+to+the+underlying+vaulthttps://evmresearch.io/vulnerability-patterns/user-granted+unlimited+token+approvals+extend+a+protocol+key+compromise+beyond+protocol+TVL+to+all+user+wallets+that+previously+approved+the+compromised+addresshttps://evmresearch.io/vulnerability-patterns/unvalidated+user-supplied+spender+addresses+in+token+approval+flows+allow+attackers+to+route+ERC-20+allowances+to+attacker-controlled+contractshttps://evmresearch.io/vulnerability-patterns/treating+LP+tokens+as+tradeable+pool+assets+in+composable+pool+architectures+enables+atomic+single-transaction+manipulation+of+the+invariant+used+to+price+those+same+LP+tokenshttps://evmresearch.io/vulnerability-patterns/safeTransferFrom+wrappers+using+raw+call+instead+of+code-existence-verified+dispatch+allow+silent+success+on+zero-address+and+non-contract+targetshttps://evmresearch.io/vulnerability-patterns/rounding+direction+inconsistency+between+parallel+computation+paths+that+resolve+the+same+price+creates+an+exploitable+state+divergence+when+conditional+logic+uses+one+path+while+state+reflects+the+otherhttps://evmresearch.io/vulnerability-patterns/publicly+disclosed+key+compromise+requires+immediate+admin+privilege+revocation+across+all+dependent+systems+not+just+fund+movement+from+the+compromised+addresshttps://evmresearch.io/vulnerability-patterns/permissionless+oracle+reporter+systems+with+low+minimum+staking+thresholds+allow+attackers+to+submit+manipulated+price+data+for+the+cost+of+the+stakehttps://evmresearch.io/vulnerability-patterns/oracle+spread+checks+fail+to+detect+manipulation+when+multiple+price+sources+derive+from+the+same+upstream+because+both+sources+move+together+preserving+the+spreadhttps://evmresearch.io/vulnerability-patterns/lending+protocols+that+allow+mint()-based+synthetic+leverage+create+precisely+controllable+health+score+degradation+enabling+self-liquidation+without+oracle+manipulationhttps://evmresearch.io/vulnerability-patterns/instant+oracle+price+consumption+without+dispute+period+validation+transforms+permissionless+oracle+reports+into+single-transaction+manipulation+vectorshttps://evmresearch.io/vulnerability-patterns/incomplete+cancellation+cleanup+that+revokes+claim+access+but+preserves+token+allowances+creates+a+dangling+approval+attackers+can+exploit+after+fund+withdrawalhttps://evmresearch.io/vulnerability-patterns/granting+cross-chain+relay+contracts+owner+privileges+over+administrative+contracts+creates+a+circular+exploit+path+where+arbitrary+message+execution+can+modify+the+execution+authorization+systemhttps://evmresearch.io/vulnerability-patterns/governance+timelocks+that+block+emergency+fixes+create+a+known-vulnerable+window+where+protocol+operators+can+observe+ongoing+exploitation+without+the+ability+to+respondhttps://evmresearch.io/vulnerability-patterns/functions+perceived+as+low-impact+become+critical+security+risks+when+called+with+large+values+because+smart+contract+code+is+amount-agnostichttps://evmresearch.io/vulnerability-patterns/front-end+infrastructure+compromise+is+a+distinct+attack+class+from+smart+contract+vulnerabilities+because+the+exploit+chain+never+touches+audited+on-chain+codehttps://evmresearch.io/vulnerability-patterns/cross-chain+relay+contracts+must+not+hold+administrative+privileges+over+the+contracts+that+govern+relay+authorizationhttps://evmresearch.io/vulnerability-patterns/compiler+bug+patches+without+coordinated+disclosure+to+deployed+protocols+create+vulnerability+windows+measured+in+months+to+yearshttps://evmresearch.io/vulnerability-patterns/co-locating+multiple+multisig+private+keys+on+the+same+infrastructure+reduces+a+threshold+scheme+to+the+access+security+of+that+single+systemhttps://evmresearch.io/vulnerability-patterns/browser+extension+binary+modification+on+endpoint+machines+is+a+reusable+targeted+attack+template+confirmed+across+at+least+two+separate+cryptocurrency+theft+incidentshttps://evmresearch.io/vulnerability-patterns/an+audited+and+disclosed+vulnerability+with+a+scheduled+migration+fix+creates+a+bounded+exploitation+window+where+the+bug+is+simultaneously+known%2C+unfixed%2C+and+the+timeline+is+predictablehttps://evmresearch.io/vulnerability-patterns/LP+token+valuation+formulas+using+raw+AMM+reserve+ratios+are+manipulable+within+a+single+transaction+when+reserves+can+be+distorted+by+a+large+swaphttps://evmresearch.io/vulnerability-patterns/ERC-20+self-transfer+with+identical+sender+and+recipient+duplicates+tokens+when+the+implementation+subtracts+then+adds+to+the+same+balance+without+checking+sender+!%3D+recipienthttps://evmresearch.io/security-patterns/yearn+vault+recovery+via+custom+strategy+deployment+demonstrates+that+attacker+donations+to+yield+vaults+are+recoverable+when+the+vault+owner+deploys+a+recovery+strategy+before+withdrawals+are+madehttps://evmresearch.io/security-patterns/stablecoin+issuer+asset+freezing+can+recover+a+fraction+of+exploit+proceeds+when+attackers+hold+freezable+tokens+but+requires+issuer+cooperation+and+leaves+non-freezable+assets+permanently+unrecoverablehttps://evmresearch.io/security-patterns/proving+invariant+enforcement+completeness+requires+verifying+that+every+code+path+modifying+collateral+or+debt+state+calls+the+appropriate+health+checkhttps://evmresearch.io/security-patterns/formally+verifying+aggregate+solvency+invariants+without+verifying+local+per-operation+rounding+safety+leaves+arithmetic+precision+attacks+outside+the+proof+boundaryhttps://evmresearch.io/security-patterns/forking+a+protocol+without+auditing+the+fork-specific+extensions+inherits+the+original+vulnerability+surface+while+adding+unreviewed+attack+surfacehttps://evmresearch.io/security-patterns/cross-function+reentrancy+guards+require+all+protected+functions+to+share+a+single+mutex+storage+slot+not+merely+each+hold+their+own+reentrancy+lockhttps://evmresearch.io/exploit-analyses/unrevoked+cross-validator+signing+allowlists+create+residual+bridge+compromise+paths+after+their+intended+use+expireshttps://evmresearch.io/exploit-analyses/the+bZx+February+2020+exploits+demonstrated+that+flash+loans+enabled+the+first+prominent+DeFi+oracle+manipulation+attacks+by+combining+spot+price+manipulation+with+undercollateralization+bypasshttps://evmresearch.io/exploit-analyses/the+Wintermute+exploit+demonstrated+that+retaining+compromised+admin+credentials+after+public+key+recovery+vulnerability+disclosure+converts+a+cryptographic+weakness+into+a+full+protocol+drainhttps://evmresearch.io/exploit-analyses/the+WOOFi+sPMM+exploit+demonstrated+that+arithmetic+boundary+conditions+in+dynamic+price+adjustment+formulas+combined+with+unconfigured+oracle+fallbacks+enable+flash-loan-amplified+pool+drainagehttps://evmresearch.io/exploit-analyses/the+Uranium+Finance+exploit+demonstrated+that+an+inconsistent+fee+constant+modification+in+a+Uniswap+V2+fork+swap+function+enabled+a+%2457.2M+pool+drain+by+trivially+satisfying+the+constant+product+invariant+checkhttps://evmresearch.io/exploit-analyses/the+Qubit+Finance+exploit+demonstrated+that+cross-chain+bridges+amplify+single-chain+input+validation+failures+by+enabling+collateral-free+borrowing+through+fabricated+deposit+eventshttps://evmresearch.io/exploit-analyses/the+PancakeBunny+exploit+demonstrated+that+AMM+reserve-based+LP+token+valuation+in+yield+aggregator+minters+enables+flash-loan-driven+unbounded+token+mintinghttps://evmresearch.io/exploit-analyses/the+Nomad+bridge+exploit+demonstrated+that+initializing+a+Merkle+root+verification+mapping+to+bytes32(0)+during+a+contract+upgrade+makes+every+unproven+message+automatically+valid%2C+enabling+permissionless+message+forgery+and+a+%24190M+copycat+cascadehttps://evmresearch.io/exploit-analyses/the+Munchables+exploit+demonstrated+that+storage+slot+writes+during+a+proxy+upgrade+can+fabricate+phantom+balances+that+survive+subsequent+implementation+swapshttps://evmresearch.io/exploit-analyses/the+KyberSwap+Elastic+exploit+demonstrated+that+rounding+direction+inversion+in+dual+swap+computation+paths+enables+tick-crossing+bypass+and+liquidity+double-countinghttps://evmresearch.io/exploit-analyses/the+Fuse+reentrancy+attack+used+flash-loan-funded+liquidity+supply+to+the+target+pool+enabling+the+exploit+without+requiring+attacker-owned+capitalhttps://evmresearch.io/exploit-analyses/the+EasyFi+exploit+demonstrated+that+a+single+unprotected+admin+key+on+a+software+wallet+can+drain+an+entire+DeFi+lending+protocolhttps://evmresearch.io/exploit-analyses/the+Cream+Finance+October+2021+exploit+demonstrated+that+oracle+proxies+for+wrapped+vault+tokens+in+Compound+v2+fork+lending+protocols+enable+%24130M+collateral+inflation+via+pricePerShare+manipulationhttps://evmresearch.io/exploit-analyses/the+Compound+Finance+COMP+distribution+exploit+demonstrated+that+a+single+comparison+operator+bug+in+reward+index+initialization+can+cause+%24147M+over-distribution+with+no+admin+recoursehttps://evmresearch.io/exploit-analyses/the+BonqDAO+exploit+demonstrated+that+consuming+the+latest+submitted+oracle+value+without+enforcing+the+dispute+window+converts+a+protocol's+safety+period+into+an+exploitable+race+conditionhttps://evmresearch.io/exploit-analyses/the+Balancer+V2+II+exploit+demonstrated+that+unidirectional+rounding+in+decimal+normalization+functions+compounds+catastrophically+when+adversaries+control+the+number+and+sequencing+of+operationshttps://evmresearch.io/exploit-analyses/the+Balancer+V2+II+exploit+demonstrated+that+pushing+token+balances+to+integer+boundary+thresholds+through+preliminary+swaps+maximizes+per-operation+rounding+error+in+fixed-point+scaling+functionshttps://evmresearch.io/exploit-analyses/the+BadgerDAO+exploit+demonstrated+that+Cloudflare+Workers+script+injection+can+drain+%24120M+by+phishing+ERC-20+approvals+from+500+users+over+12+days+without+any+smart+contract+vulnerabilityhttps://evmresearch.io/exploit-analyses/the+BNB+Bridge+exploit+demonstrated+that+IAVL+Merkle+proof+forgery+via+hash+computation+bugs+enables+arbitrary+cross-chain+message+injection+and+unbounded+token+mintinghttps://evmresearch.io/economic-security/token+emission+schedules+where+yield+is+funded+by+inflation+rather+than+protocol+revenue+are+economically+unsustainable+and+structurally+similar+to+Ponzi+schemeshttps://evmresearch.io/economic-security/sandwich+attack+profitability+is+bounded+by+victim+slippage+tolerance+and+inversely+proportional+to+pool+liquidity+depthhttps://evmresearch.io/economic-security/recursive+borrowing+creates+hidden+leverage+that+is+invisible+to+any+single+protocol+and+produces+nonlinear+liquidation+cascades+when+collateral+prices+drophttps://evmresearch.io/economic-security/protocol+fee+revenue+must+exceed+operational+and+security+costs+for+sustainability+otherwise+token+emissions+subsidize+operations+at+the+expense+of+holder+dilutionhttps://evmresearch.io/economic-security/proposer+timing+games+are+individually+rational+but+zero-sum+because+delayed+block+proposals+in+slot+N+reduce+the+MEV+auction+duration+for+slot+N%2B1https://evmresearch.io/economic-security/proof-of-stake+security+budget+equals+the+cost+of+acquiring+enough+stake+to+corrupt+consensus+which+scales+with+staked+value+and+acquisition+price+impacthttps://evmresearch.io/economic-security/oracle+economic+security+fails+when+the+profit+from+corruption+exceeds+the+cost+of+corruption+which+scales+with+protocol+TVL+but+not+with+oracle+provider+economicshttps://evmresearch.io/economic-security/agent-based+economic+simulation+fills+the+gap+between+formal+verification+and+real-world+security+by+modeling+protocol+behavior+under+adversarial+market+conditionshttps://evmresearch.io/economic-security/on-chain+transparency+creates+information+asymmetry+favoring+sophisticated+actors+who+can+process+mempool+and+state+data+faster+than+retail+participantshttps://evmresearch.io/economic-security/liquidity+mining+subsidizes+LP+adverse+selection+losses+with+token+emissions+creating+dependency+that+collapses+when+emissions+decreasehttps://evmresearch.io/economic-security/lending+protocol+insolvency+risk+increases+nonlinearly+with+TVL+growth+because+liquidation+throughput+and+correlated+collateral+risk+do+not+scale+proportionallyhttps://evmresearch.io/economic-security/governance+capture+cost+depends+on+acquisition+method+with+slow+accumulation+and+vote+buying+being+cheaper+than+direct+market+purchase+due+to+price+impact+avoidancehttps://evmresearch.io/economic-security/flash+loans+eliminate+capital+requirements+for+economic+attacks+making+exploitation+scale+bounded+only+by+total+DeFi+liquidity+not+attacker+wealthhttps://evmresearch.io/economic-security/economic-securityhttps://evmresearch.io/economic-security/cross-protocol+economic+contagion+propagates+through+four+channels+shared+collateral+shared+oracles+shared+liquidity+and+composability+dependencieshttps://evmresearch.io/economic-security/bonding+curve+token+launches+mathematically+guarantee+early+buyer+profit+at+late+buyer+expense+if+the+price+reverseshttps://evmresearch.io/economic-security/arbitrage+enforces+price+consistency+across+DeFi+venues+as+a+public+good+but+the+cost+is+borne+by+LPs+who+systematically+trade+at+stale+priceshttps://evmresearch.io/economic-security/a+protocol+is+economically+secure+only+when+the+cost+of+corruption+exceeds+the+profit+from+corruption+for+all+participants+and+attack+vectorshttps://evmresearch.io/economic-security/MEV+extraction+functions+as+a+continuous+multi-player+game+where+searcher+competition+compresses+margins+but+builder+centralization+concentrates+ordering+powerhttps://evmresearch.io/economic-security/Dutch+auctions+for+liquidation+provide+better+price+discovery+than+fixed-bonus+systems+but+fail+during+gas+spikes+when+no+bidders+can+participatehttps://evmresearch.io/economic-security/DeFi+insurance+pricing+is+unreliable+because+exploit+probability+cannot+be+estimated+actuarially+and+tail+risk+dominates+the+loss+distributionhttps://evmresearch.io/economic-security/AMM+liquidity+providers+face+systematic+adverse+selection+from+informed+traders+because+the+AMM+always+offers+stale+prices+that+arbitrageurs+exploit