Attack Vectors

Common DeFi Exploit Patterns

DeFi has lost over $3.8 billion to smart contract exploits. Most of it falls into five categories. Below is the complete taxonomy — how each attack works, real-world examples, and interactive simulations showing the mechanics.

🔄 Attack Flow Diagram — Reentrancy


💻 Vulnerable vs Secure Code Patterns


💰 $ Value at Risk by Vulnerability Type

Modelled impact of each attack type on a $1M position: potential loss, recovery probability, and average time to recover.

Attack Type           Loss %   Potential Loss   Recovery %   Avg Recovery Time   Risk Score
Reentrancy            95%      $950,000         12%          6–18 months         🔴 CRITICAL
Oracle Manipulation   85%      $850,000          8%          3–12 months         🔴 CRITICAL
Flash Loan Attack     80%      $800,000         22%          2–8 months          🟠 HIGH
Access Control       100%      $1,000,000        5%          12–36 months        🔴 CRITICAL
Logic Bug             70%      $700,000         15%          4–12 months         🟠 HIGH

📅 Notable Incidents by Attack Type

🔄 Reentrancy (~$1.35B total lost)
  2016  The DAO                 $60M
  2019  Ampleforth              $5M
  2021  CREAM Finance           $130M
  2023  Stargate                $6.4M
  2024  Vyper Vulnerability     $70M

Flash Loan (~$950M total lost)
  2020  dYdX                    $8M
  2020  Pancake Bunny           $200M
  2020  Harvest Finance         $33M
  2022  Mango Markets           $114M
  2023  BonqDAO                 $120M

📊 Oracle Manipulation (~$650M total lost)
  2020  bZx Fulcrum             $1M
  2020  Synthetix               $1B (attempted)
  2022  Mango Markets           $114M
  2023  Viction (Tomic)         $60M
  2024  Vyper/Curve pools       $70M

🔑 Access Control / Key (~$1.8B total lost)
  2022  Ronin Bridge            $625M
  2023  Euler Finance           $197M (white-hat)
  2022  Wormhole                $325M
  2025  Bybit                   $1.4B (CEX)

🛡️ Protection Checklist for Each Attack Type

Checklists cover four areas: 🔄 Reentrancy Defense, ⚡ Flash Loan Defense, 📊 Oracle Defense, and 🔑 Access Control Defense.

🔬 DeFi Security Prevention Framework

The industry standard for securing any DeFi protocol.

📐 Architecture Review

Map all external call paths. Identify cross-contract dependencies. Model attacker capabilities. Assume every external contract is malicious.

The Audits page has the full checklist.

CEI Pattern Enforcement

Enforce Checks-Effects-Interactions on every function: no external call before state updates. Use modifiers for reentrancy guards. Automate the check with static analysis tools such as Slither.

🔮 Fuzzing & Invariant Testing

Run invariant tests that enforce state constraints across thousands of random transactions. Echidna and Foundry's InvariantRunner are industry standard. Find edge cases your unit tests missed.

⏱️ Timelock & Escape Hatches

Every critical upgrade must have a timelock (48h–14d). Users need time to exit if a suspicious upgrade is announced. Emergency pause functions must be accessible but not easily abused.

🔗 Oracle Diversification

Never rely on a single price source. Use 3+ independent oracles with different data aggregation methods. TWAP windows should be long enough to prevent flash manipulation.

📊 Formal Verification

Mathematically prove contract correctness. Certora, Runtime Verification, and Trail of Bits all offer formal verification services. Expensive but critical for protocols holding >$100M.