Solidity-Specific Attack Vector Catalog

This chapter is a reference appendix. The preceding chapters of Book 4 treat the high-impact, frequently encountered vulnerability classes in depth — reentrancy in §4.11.8, delegatecall in §4.11.9, oracle manipulation in §4.15.4, flash loans in §4.15.5, signature replay in §4.14.3, and so on. What follows below is a tighter survey of the longer tail: Solidity-specific bugs, encoding subtleties, source-text tricks, compiler-version pitfalls, and historic exploits that every auditor should recognize on sight.

The catalog is organized as a smart-contract attack-vector taxonomy. Where a vector already has dedicated coverage elsewhere in the book, this catalog includes a cross-reference rather than duplicating that content. Where it does not, the sub-pages below provide self-contained writeups with detection patterns and remediation guidance.

Coverage Map

Vector | Coverage
Reentrancy (general) | §4.11.8
Reentrancy variants (cross-function, cross-contract, read-only) | §4.18.2
Delegatecall (both subtypes) | §4.11.9
Flash loan attacks | §4.15.5
Oracle manipulation | §4.15.4
Signature replay | §4.14.3
Block values as proxy for time | §4.11.5
DoS (revert / gas-limit / external call) | §4.11.7
Transaction-order dependence | §4.13 (MEV)
Proxy storage collisions / uninitialized storage | §4.12.2
Unchecked call return values | §4.11.11
Calculation errors (precision, divide-before-multiply) | §4.11.10
Authorization through tx.origin, default visibility, unprotected ether withdrawal, unprotected SELFDESTRUCT, missed/incorrect modifiers, overpowered roles, unsafe ownership transfer | §4.18.1
Unencrypted private data on-chain, arbitrary storage writes, improper array deletion | §4.18.3
Unsafe typecast, dirty higher-order bits, floating-point arithmetic, hash collisions in abi.encodePacked, function selector abuse, short address / parameter attack, hardcoded gas, insufficient input validation | §4.18.4
Entropy illusion / insecure randomness | §4.18.5
Right-to-left override (U+202E), floating pragma, outdated compiler, deprecated functions, variable shadowing, complex modifiers, incorrect interface | §4.18.6
Historic attacks (constructor names, call-depth, ABI Encoder v2 bug, Constantinople reentrancy) | §4.18.7

How to Use This Catalog

Three suggested workflows:

  1. First-pass scan. Before opening a codebase, skim the section headers below. Many of these vectors are spotted by a few grep queries (tx.origin, selfdestruct, assembly, abi.encodePacked, transfer(, delete on arrays, block.timestamp near randomness) — running those queries up front saves time later.
  2. Drilldown reference. When something in the code looks off but you can't yet name the class, search this catalog by symptom. The remediation guidance is intentionally concrete so the writeup doubles as a reviewer's note.
  3. Checklist source. The auditor checklists at the end of each sub-page can be lifted directly into engagement working documents.
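The first-pass scan in workflow 1 can be scripted so it runs the same way on every engagement. The script below is an added example, not code from the book: it runs the grep queries named above over a directory of .sol files and tags each hit with the catalog section it points to. The pattern list, the label-to-section mapping (taken from the coverage map) and the Sample.sol contract it scans are all this example's own constructions; the contract is deliberately written so that every query fires exactly once.

```shell
#!/bin/sh
# Added example (not from the book): first-pass triage scan over Solidity
# sources. Pattern list and section mapping are this example's own choice.

# Print one line per hit: path:line:source  [label -> catalog section]
first_pass_scan() {
  dir="$1"
  # label|extended regex|catalog section  (a regex must not contain '|')
  patterns='tx.origin authorization|tx\.origin|§4.18.1
unprotected SELFDESTRUCT|selfdestruct\(|§4.18.1
inline assembly (storage writes)|assembly *\{|§4.18.3
abi.encodePacked hash collision|abi\.encodePacked\(|§4.18.4
hardcoded-gas transfer( call|\.transfer\(|§4.18.4
delete on array element|delete [A-Za-z_][A-Za-z0-9_]*\[|§4.18.3
block.timestamp as entropy|block\.timestamp|§4.18.5
floating pragma|pragma solidity *\^|§4.18.6'
  printf '%s\n' "$patterns" | while IFS='|' read -r label regex section; do
    # -r recurse, -n line numbers, -E extended regex, -I skip binary files
    grep -rnE -I --include='*.sol' -e "$regex" "$dir" 2>/dev/null |
      while IFS= read -r hit; do
        printf '%s  [%s -> %s]\n' "$hit" "$label" "$section"
      done
  done
}

# Number of hits, so a CI gate can flag a non-zero count for human review.
first_pass_count() {
  first_pass_scan "$1" | grep -c ''
}

# Constructed sample contract (not real code) that trips every query once.
make_sample_dir() {
  d=$(mktemp -d)
  cat > "$d/Sample.sol" <<'EOF'
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

contract Sample {
    address owner;
    uint256[] items;

    function withdraw(uint256 amount) external {
        require(tx.origin == owner);
        payable(msg.sender).transfer(amount);
    }

    function lottery() external view returns (uint256) {
        return uint256(keccak256(abi.encodePacked(block.timestamp, msg.sender))) % 10;
    }

    function clear() external {
        delete items[0];
    }

    function destroy() external {
        selfdestruct(payable(owner));
    }

    function lowLevel() external pure returns (uint256 x) {
        assembly { x := 42 }
    }
}
EOF
  printf '%s\n' "$d"
}

# Demo run: scan the constructed sample, report the count, clean up.
sample_dir=$(make_sample_dir)
first_pass_scan "$sample_dir"
echo "hits: $(first_pass_count "$sample_dir")"
rm -rf "$sample_dir"
```

Every hit is a candidate, not a finding: `.transfer(` on an ERC-20 interface and `block.timestamp` in a deadline check are ordinary, and the point of tagging each line with a section is to send the reviewer straight to the writeup that says how to tell the benign case from the vulnerable one.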

A Note on Relevance

Some vectors below (call-depth attack, constructor-name bug, ABI Encoder v2 bug, short-address attack) are historic — modern Solidity and modern tooling have closed them. They are included anyway because (a) legacy contracts are still deployed and still receive audits, (b) the underlying patterns recur in new forms, and (c) understanding why they were dangerous sharpens intuition for the next class of bug that nobody has written about yet.