Oracle & State
This section includes detectors that identify vulnerabilities related to external oracles, blockchain-specific state variables, and time-dependent logic.
Smart contracts that depend on off-chain data or on-chain environmental variables are particularly susceptible to manipulation, stale information, or subtle misuse. Attackers can exploit these issues to manipulate outcomes, replay signatures, or exploit stale or false data — often without violating contract invariants.
Detectors in This Category
This category covers several common and high-risk vulnerability patterns, including:
-
Oracle Misuse and Manipulation:
- Stale or unreliable price feeds
- Missing heartbeat checks
- Unchecked or improperly validated oracle inputs
- Risks from L2 sequencer status (e.g., downtime manipulation)
-
State Dependency Vulnerabilities:
- Overreliance on
block.timestamp,blockhash, ortx.origin - Replay attacks via incorrect nonce handling
- Invalid or unsafe state updates based on loosely defined assumptions
- Overreliance on
-
Randomness and Predictability:
- Use of pseudo-random sources like
blockhashorblock.timestampthat attackers can influence
- Use of pseudo-random sources like
These detectors are critical for ensuring that smart contracts interacting with external systems or relying on blockchain state maintain integrity and are resistant to manipulation and timing-based attacks.
Explore the list to learn more about each issue.