Ethereum Smart Contract Security

Ethereum is the most battle-tested smart contract platform and home to over $50 billion in TVL. It is also the most heavily targeted by attackers. Understanding Ethereum-specific security risks is essential before deploying any contract to mainnet.

Ethereum-specific attack vectors

MEV and frontrunning

Maximal Extractable Value (MEV) is a form of economic extraction unique to Ethereum's mempool. Validators and searchers monitor pending transactions and inject their own — ahead of yours — to profit from price impact. Common forms include:

  • Sandwich attacks: A bot buys an asset before your swap and sells immediately after, profiting from the slippage you caused.
  • Liquidation racing: Searchers compete to be first to liquidate undercollateralized positions on lending protocols.
  • NFT mint sniping: High gas bids to secure limited-supply mint slots.

Mitigate MEV with slippage limits, commit-reveal schemes, or submission through Flashbots' private mempool (flashbots.net).

Reentrancy

The most notorious Ethereum vulnerability — exploited in the 2016 DAO hack for 3.6 million ETH. Ethereum's low-level .call{value:} forwards all remaining gas to the recipient, so a contract that receives Ether can call back into the sender before the sender's state updates complete. See the full explanation in our reentrancy glossary entry.

Non-standard ERC20 tokens

Several high-value Ethereum tokens violate the ERC20 standard in ways that cause integration bugs. USDT does not return a boolean, WETH's permit is a no-op, and AMP uses ERC777 hooks that enable reentrancy. See our token risk profiles for the complete list with per-token remediation advice.

Gas griefing

Ethereum's gas model lets an attacker force expensive operations inside loops, causing transactions to revert (griefing the protocol) or burning the gas paid by multisig executors. Always cap iteration counts and use pull-over-push for Ether distributions.
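The following contract is an added example, not code from this page or from SmartContract.us, and the names PullPayments, credit, withdraw and MAX_BATCH are assumptions. It shows the pull-over-push pattern together with checks-effects-interactions, addressing both the reentrancy and the gas griefing sections above: recipients withdraw their own credit, so one reverting or gas-hungry receiver cannot block a batch payout, and the balance is zeroed before the external call.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not code from the page or from SmartContract.us).
// A push loop that sends Ether to every recipient would let a single
// reverting or gas-hungry receiver block payouts for everyone; here the
// contract only records credits, and each recipient pulls their own funds.
contract PullPayments {
    uint256 public constant MAX_BATCH = 100; // hard cap on loop iterations per call
    mapping(address => uint256) public credits;
    bool private locked;

    // Simple reentrancy guard, used as defense in depth alongside CEI ordering.
    modifier nonReentrant() {
        require(!locked, "reentrant");
        locked = true;
        _;
        locked = false;
    }

    // Record who is owed what. Only storage writes, no external calls, so a
    // malicious recipient has no code path to revert or burn gas here.
    function credit(address[] calldata to, uint256[] calldata amounts) external payable {
        require(to.length == amounts.length, "length mismatch");
        require(to.length <= MAX_BATCH, "batch too large");
        uint256 total;
        for (uint256 i = 0; i < to.length; i++) {
            credits[to[i]] += amounts[i];
            total += amounts[i];
        }
        require(total == msg.value, "value mismatch");
    }

    // Checks-effects-interactions: the credit is zeroed before the external
    // call, so a reentrant call from the recipient's fallback finds nothing
    // left to withdraw even without the guard.
    function withdraw() external nonReentrant {
        uint256 amount = credits[msg.sender];
        require(amount > 0, "nothing to withdraw");   // check
        credits[msg.sender] = 0;                       // effect
        (bool ok, ) = msg.sender.call{value: amount}(""); // interaction
        require(ok, "transfer failed");
    }
}
```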

Ethereum audit toolchain

  • Slither (Trail of Bits) — 80+ detectors for Solidity vulnerabilities
  • Foundry / Forge — Fuzz testing, invariant testing, and Ethereum fork simulations
  • Echidna — Property-based fuzzer for Ethereum smart contracts
  • Mythril — Symbolic execution for integer overflow and reentrancy
  • SmartContract.us — AI-powered audit with Claude, covering logic errors pattern matchers miss

Common Ethereum exploit patterns (2020–2025)

ERC standards commonly audited on Ethereum

Most Ethereum contracts implement one or more ERC standards. Each standard introduces a distinct vulnerability surface:

Audit your Ethereum contract

SmartContract.us supports full security analysis for any Ethereum contract by address or source code. The AI audit includes reentrancy detection, token risk scanning, and an executive summary in plain language.