How vulnerable are Ethereum smart contracts?

With the total value of assets locked in DeFi now worth over $13 billion, many expect this part of the crypto-space to grow at a rapid pace. In fact, in Q3 of 2020 alone, the DeFi ecosystem saw its transaction volume surpass $123 billion, with 96% of that total belonging to Ethereum. However, DeFi’s growth has in the past suffered at the hands of Ethereum’s scalability problems and high gas fees. It now appears that the network’s flaws don’t end there.

A recent investigation of Ethereum smart contracts found that nearly 3,800 deployed contracts had “severe weaknesses” that could allow cybercriminals to quickly steal close to a million dollars. The researchers in question scanned six months’ worth of blocks from Ethereum’s blockchain and found that 3,779 contracts exhibited 13 different types of vulnerabilities, 4 of them high-severity. The total value held by these vulnerable contracts was 2,088 ETH, worth $964,172 at the time, the team found.

The space in question is not new to such vulnerabilities and related faults, however. In fact, back in 2016, a flaw in an Ethereum smart contract that enabled what is known as a “reentrancy attack” allowed a cybercriminal to steal $50 million.

In that case, the reentrancy flaw was in The DAO, a decentralized venture capital fund whose tokens were traded through its smart contract. Because the contract sent funds to the caller before updating the caller’s recorded balance, the recipient’s code could call back into the withdrawal function while the old balance was still in place, letting an attacker withdraw the same funds repeatedly in a near-infinite loop. More recently, the Uniswap and Lendf.me protocols have also suffered reentrancy attacks, with each incident fueling more questions about DeFi’s safety and security.

While Ethereum remains one of the giants of the crypto-space with over 1,900 different tokens built on top of it, for DeFi to become mainstream, developers first need to secure its architecture. Steps might include more auditing, stricter verification of smart contracts before funds are committed to them, and the implementation of bug bounty programs to catch vulnerabilities before attackers do.

As far as users are concerned, the researchers in question recommended that they check whether the platforms they use rely on a smart contract with known vulnerabilities. For instance, users can look up a contract on Etherscan or a similar explorer to see whether its source code has been verified and whether audit reports are linked. Note that “verified” on an explorer only means the published source matches the deployed bytecode; it says nothing about whether that code has been audited or is free of flaws.