0
0
Blockchain / Solidityprogramming~10 mins

Common vulnerability patterns in Blockchain / Solidity - Step-by-Step Execution

Choose your learning style9 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime
Concept Flow - Common vulnerability patterns
Start: Smart Contract Deployment
User Interaction with Contract
Check for Vulnerabilities
Reentrancy
Funds Drained
Security Patch
End
This flow shows how a smart contract is deployed, users interact, vulnerabilities may occur, and how they lead to problems before a patch fixes them.
Execution Sample
Blockchain / Solidity
contract Vulnerable {
  mapping(address => uint) public balances;
  function withdraw(uint amount) public {
    require(balances[msg.sender] >= amount);
    (bool success,) = msg.sender.call{value: amount}("");
    require(success);
    balances[msg.sender] -= amount;
  }
}
This contract allows users to withdraw funds but is vulnerable to reentrancy attacks because it sends funds before updating balances.
Execution Table
StepActionCondition/EvaluationState ChangeResult/Output
1User calls withdraw(10)balances[user] >= 10 is TrueNo change yetProceed to send funds
2Contract sends 10 ether to userCall to user succeedsFunds sent but balances not updatedUser receives 10 ether
3User's fallback calls withdraw again (reentrancy)balances[user] still >= 10 is TrueNo balance deducted yetFunds sent again
4Balances updated after callsbalances[user] -= 10Balance reduced by 10 only onceUser drained more funds than allowed
5Attack ends when balance < amountbalances[user] < 10No more withdrawals allowedContract drained
6Security patch: update balance before sendingbalances[user] -= amount before callBalance updated earlyReentrancy prevented
💡 Execution stops when user's balance is insufficient or attack is prevented by patch.
Variable Tracker
VariableStartAfter Step 1After Step 2After Step 3After Step 4Final
balances[user]1001001001009090
funds sent0010202020
call successN/AN/ATrueTrueTrueTrue
Key Moments - 3 Insights
Why does the contract send funds before updating the balance cause a problem?
Because in step 2 and 3 of the execution_table, the contract sends funds before reducing the balance, allowing the user to call withdraw multiple times and drain funds.
What stops the attack eventually?
In step 5, the user's balance becomes less than the withdrawal amount, so the require condition fails and no more funds are sent.
How does updating the balance before sending funds prevent reentrancy?
As shown in step 6, updating the balance early means the condition fails on reentrant calls, stopping multiple withdrawals.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution_table at step 3, what allows the user to withdraw funds again?
AThe balance is updated before sending funds
BThe balance is not updated before sending funds
CThe call to user fails
DThe require condition fails
💡 Hint
Check the 'State Change' column at step 3 showing balance not updated yet.
At which step does the contract finally reduce the user's balance?
AStep 2
BStep 3
CStep 4
DStep 6
💡 Hint
Look at the 'State Change' column where balances[user] -= 10 happens.
If the contract updated balance before sending funds, which step would change?
AStep 2 would update balance before sending
BStep 3 would allow reentrancy
CStep 5 would never be reached
DStep 4 would send more funds
💡 Hint
Refer to step 6 in execution_table describing the security patch.
Concept Snapshot
Common vulnerability patterns in blockchain contracts:
- Reentrancy: Sending funds before updating state allows repeated calls.
- Integer Overflow: Arithmetic errors cause wrong balances.
- Unchecked Calls: Ignoring call success leads to silent failures.
Always update state before external calls and check all conditions.
Full Transcript
This visual execution shows a common vulnerability pattern called reentrancy in blockchain smart contracts. The contract lets users withdraw funds but sends money before updating their balance. This allows a user to call withdraw repeatedly before the balance is reduced, draining more funds than allowed. The execution table traces each step: user calls withdraw, funds are sent, fallback triggers another withdraw, and balance updates happen too late. The variable tracker shows balances and funds sent at each step. Key moments explain why sending funds before updating balance is dangerous and how updating balance first stops the attack. The quiz tests understanding of these steps. The snapshot summarizes key vulnerability patterns and best practices to avoid them.