A07: Smart Contract Audit Challenge

Time Allocated: 60 minutes
Points: 50
Group Size: 2-3 students
Materials Needed: Contracts handout, Vulnerability reference, Attack worksheet
Submission: Completed worksheet + 5-minute group presentation

Overview

Smart contract vulnerabilities have led to billions of dollars in losses. In this hands-on audit challenge, you'll step into the role of a security researcher, analyzing real-world vulnerability patterns and developing attack scenarios. Your mission: identify critical security flaws before malicious actors do.

Learning Objectives

Identify common smart contract vulnerabilities (reentrancy, access control, integer overflow)
Understand attack vectors and exploitation mechanics
Apply game-theoretic reasoning to adversarial scenarios
Evaluate economic incentives for attacking vs. reporting vulnerabilities
Propose practical security fixes and mitigation strategies

Activity Structure

1 Contract Review (20 minutes)

Each group receives 3 vulnerable contract snippets. For each contract:

Read the pseudocode carefully
Use the vulnerability reference guide to identify potential issues
Consider: "If I were an attacker, how would I exploit this?"
Document your findings on the attack worksheet

2 Attack Development (15 minutes)

For each identified vulnerability:

Design a step-by-step attack scenario
Estimate potential loss impact (Low/Medium/High/Critical)
Calculate hypothetical bug bounty value (use provided formula)
Propose a fix or mitigation strategy

3 Analysis & Comparison (10 minutes)

Discuss within your group:

Which vulnerability is most severe? Why?
Are any vulnerabilities related or compound?
Would a rational attacker exploit or report? (Consider bounty vs. exploit profit)
What does this reveal about mechanism design in crypto systems?

4 Presentation (15 minutes total - 5 min/group)

Present your findings to the class:

Contract Selection: Choose your most interesting finding
Vulnerability Explanation: What's the flaw? (30 seconds)
Attack Demo: Walk through exploitation steps (2 minutes)
Fix Proposal: How to prevent it? (1 minute)
Economic Analysis: Attack vs. report decision (1 minute)
Q&A: Answer peer questions (30 seconds)

Bonus Challenge: After completing the 3 main contracts, attempt the 3 advanced contracts for extra credit (up to +10 points). These involve more sophisticated attack vectors like flash loan exploits and oracle manipulation.

Deliverables

Item	Points	Description
Completed Worksheet	30	All 3 contracts analyzed with vulnerability identification, attack scenarios, and fixes
Group Presentation	15	Clear explanation, technical accuracy, time management
Class Participation	5	Asking questions, engaging with peer presentations
Total	50
Bonus Contracts	+10	Optional advanced challenges

Tips for Success

Think like an attacker: Assume contracts have bugs. Your job is to find them.
Check execution order: Many vulnerabilities arise from unexpected function call sequences.
Follow the money: Trace how value flows through the contract. Where can it leak?
Read the reference guide: All main contracts contain vulnerabilities from the provided list.
Be specific: "There's a bug" isn't useful. Explain exactly what happens step-by-step.
Consider real costs: Auditors earn $100K-$500K/year. High-severity bugs can pay $1M+ bounties.

Real-World Context: The DAO hack (2016) exploited reentrancy for $60M. Poly Network (2021) had access control issues leading to $600M loss. Your skills in this exercise translate directly to protecting billions of dollars in real assets.