Part 6 · Chapter 5

Common DeFi Exploits Overview

AT A GLANCE

Re-entrancy, flash loan abuse, oracle manipulation, and access control bugs are frequent attack vectors. You will learn what they are and how to avoid exposure.

Tags: Re-Entrancy · Flash Loans · Oracle Manipulation · Access Control · Price Attacks · Proxy Exploits

Who Is This For?

  • Non-devs who want to recognize risky protocols
  • Builders seeking a checklist of common pitfalls

Learning Objectives

  • Describe major exploit categories
  • Identify red flags in protocol design
  • Choose mitigations like audits and oracles

Section 1

Key Exploit Types

🔍 Exploit Encyclopedia

🔄
Re-Entrancy
Critical

An attacker repeatedly calls a function before it finishes updating, draining funds in a loop.

🧠 Plain English

Imagine a bank teller handing you cash from your account, but before they update your balance, you walk back to the window and withdraw again — and again. The teller keeps giving you money because their records still show the original balance. That's re-entrancy.

How It Works:
1. Attacker deploys a malicious contract
2. Calls "withdraw" on the target protocol
3. Protocol sends ETH BEFORE updating the balance
4. Attacker's contract auto-calls withdraw again
5. Loop continues until the protocol is drained

🛡️ Protocol Protection

Checks-Effects-Interactions pattern

Re-entrancy guards (mutex locks)

Pull-over-push payment patterns

👤 What You Can Do

Use protocols with audited code that follows checks-effects-interactions. Check if the audit report specifically tested for re-entrancy.

📚 Real Exploit Case Studies

🏛️ The DAO Hack (2016) · $60M
Tags: Re-Entrancy · Ethereum

The original DeFi exploit. Re-entrancy in the "splitDAO" function drained 3.6M ETH.

Lesson: Always update state before making external calls.

Section 2

How to Stay Safer

🔍 Protocol Risk Scanner

Evaluate a protocol before depositing:

Audit status
Oracle source
Admin control
Upgradeability
Bug bounty
Protocol maturity

🔮 Oracle Architecture Comparison

Chainlink / Pyth
Manipulation: Very Hard

Aggregates price data from multiple independent node operators.

✅ Pros

Decentralized

Flash loan resistant

Industry standard

⚠️ Cons

May lag during volatility

Limited pair coverage

Gold standard for price feeds.

Section 3

Due Diligence Steps

✅ Pre-Deposit Checklist

Watch Out

Common Mistakes

📋 "The protocol was audited, so I deposited everything"
Audits reduce risk but do not eliminate it. Euler was audited and still lost $197M.

🔄 "The contract is upgradeable but the team seems trustworthy"
An upgradeable contract with a single admin key means your funds are only as safe as that one key.

🔮 "The protocol uses its own DEX pool for price feeds"
A single DEX pool's price can be manipulated with a flash loan. Demand Chainlink or a TWAP.

🌾 "This farm offers 500% APY — must be real"
If you cannot explain WHERE the yield comes from, you are the yield.

🛡️ Golden Rule: DeFi is open-source finance built on code, and code has bugs. Ask: Who audited it? What oracle does it use? Who controls the admin keys? If you cannot answer these, you are gambling, not investing.

Test Yourself

Knowledge Check

1. What is a re-entrancy attack?
2. Why are flash loans useful for attackers?
3. How can oracle manipulation risk be reduced?
4. What makes upgradeable contracts risky?
5. What is the most important audit check?

Next Steps

Continue learning: Approvals and Permissions Safety, to secure wallet interactions
Hands-on: Scan a protocol's admin keys and oracle setup before depositing funds