Smart Contract Vulnerabilities in DeFi Protocols
An analysis of the most prevalent vulnerability patterns in decentralised finance smart contracts, with a focus on emerging attack vectors that evade traditional audit methodologies.
Decentralised finance continues to represent the most targeted sector in the blockchain ecosystem, with smart contract vulnerabilities responsible for approximately $1.4 billion in losses during 2025. Despite significant advances in auditing tools and methodologies, the complexity and composability of DeFi protocols continue to outpace the security practices designed to protect them. This paper examines the vulnerability patterns that persist in production DeFi systems and proposes improvements to current audit methodologies.
The Composability Problem
The most distinctive feature of DeFi security — and its greatest challenge — is composability. DeFi protocols are designed to interact with each other, creating complex dependency chains that introduce emergent security properties. A protocol that is secure in isolation may become vulnerable when composed with other protocols in ways its developers did not anticipate.
We examined 156 DeFi exploits from 2025 and found that 43% involved inter-protocol interactions — the vulnerable behaviour emerged only when two or more protocols were combined in a specific sequence. Traditional security audits, which typically examine a single protocol in isolation, are fundamentally ill-equipped to identify these vulnerabilities.
Prevalent Vulnerability Patterns
Price Oracle Manipulation
Price oracle attacks remain the most common exploit category, accounting for 31% of DeFi losses in our dataset. These attacks exploit the dependency of DeFi protocols on external price data by manipulating the price source — typically through flash loan-funded trades on low-liquidity markets — to create artificial conditions that trigger profitable protocol behaviour.
The most sophisticated variants combine multiple oracle manipulation techniques: manipulating spot prices on one exchange while simultaneously exploiting time-weighted average price calculations on another to bypass oracle safety checks.
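The gap between a spot price and a time-weighted average is what a consumer-side sanity check relies on. The following is an added example, not part of the original paper: a simplified model in which `Observation`, `twap` and `price_is_acceptable` are hypothetical names, and the 5% threshold and 12-second block spacing are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    timestamp: int     # seconds; observations must be in ascending order
    spot_price: float  # price in effect from this timestamp until the next one

def twap(observations, now):
    """Time-weighted average price over [observations[0].timestamp, now]."""
    if not observations or now <= observations[0].timestamp:
        raise ValueError("need a non-empty time window")
    weighted = 0.0
    ends = observations[1:] + [Observation(now, 0.0)]  # end time of each interval
    for cur, nxt in zip(observations, ends):
        weighted += cur.spot_price * (nxt.timestamp - cur.timestamp)
    return weighted / (now - observations[0].timestamp)

def price_is_acceptable(spot, reference, max_deviation=0.05):
    """Refuse to act on a spot price that strays too far from the reference."""
    if reference <= 0:
        raise ValueError("reference price must be positive")
    return abs(spot - reference) / reference <= max_deviation

def sample_window():
    """Constructed data: 30 minutes at 100.0, then one block pushed to 180.0."""
    obs = [Observation(t, 100.0) for t in range(0, 1800, 12)]
    obs.append(Observation(1800, 180.0))
    return obs, 1812

if __name__ == "__main__":
    obs, now = sample_window()
    reference = twap(obs, now)
    print(round(reference, 2), price_is_acceptable(obs[-1].spot_price, reference))
```

The reference is only as robust as its window: a distorted price that persists over many blocks moves the average as well, so the window length and the liquidity of the source market both matter.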
Access Control Deficiencies
Approximately 22% of exploits in our dataset involved access control failures — functions that should have been restricted to privileged callers but were accessible to anyone. In several cases, access control was correctly implemented in the main protocol contract but missing from auxiliary contracts or proxy implementations, allowing attackers to bypass the intended restrictions.
Reentrancy Evolution
Classic reentrancy attacks — where a malicious contract re-enters the vulnerable contract during a state-changing operation — are well understood and increasingly rare in their basic form. However, we observed a significant increase in cross-function and cross-contract reentrancy, where the reentrant call targets a different function or a different contract within the same protocol. These variants evade the single-function reentrancy guards that most protocols implement.
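Why a per-function guard does not cover the cross-function case can be shown with a small invariant test. This is an added example, not code from the original paper or from any audited protocol: a Python model of a contract in which `Vault`, `check` and all other names are hypothetical and the balances are constructed.

```python
class ReentrancyError(Exception):
    """Raised when a guarded function is entered while its lock is held."""

class Vault:
    """Toy contract model. shared_lock=True uses one lock for every
    function; False gives each function its own lock."""
    def __init__(self, shared_lock, balances):
        self.shared_lock = shared_lock
        self.balances = dict(balances)
        self.deposits = sum(balances.values())
        self.paid_out = 0
        self.held = set()

    def _guarded(self, name, body):
        key = "contract" if self.shared_lock else name
        if key in self.held:
            raise ReentrancyError(name)
        self.held.add(key)
        try:
            return body()
        finally:
            self.held.discard(key)

    def withdraw(self, user, on_receive):
        def body():
            self.paid_out += self.balances[user]
            on_receive(self)          # external call before the state update
            self.balances[user] = 0
        self._guarded("withdraw", body)

    def transfer(self, src, dst, amount):
        def body():
            if self.balances.get(src, 0) < amount:
                raise ValueError("insufficient balance")
            self.balances[src] -= amount
            self.balances[dst] = self.balances.get(dst, 0) + amount
        self._guarded("transfer", body)

    def solvent(self):
        # Invariant: recorded balances never exceed the assets still held.
        return sum(self.balances.values()) <= self.deposits - self.paid_out

def check(shared_lock):
    """Return (reverted, invariant_holds) when the callback re-enters transfer()."""
    vault = Vault(shared_lock, {"a": 100})
    try:
        vault.withdraw("a", lambda v: v.transfer("a", "b", 100))
    except ReentrancyError:
        # Models a full transaction revert: state is as it was before the call.
        return True, Vault(shared_lock, {"a": 100}).solvent()
    return False, vault.solvent()
```

With per-function locks the call completes and the solvency invariant fails; with one shared lock the nested call is rejected and the invariant holds. Updating state before the external call removes the dependency on the guard altogether.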
Governance Attacks
As DeFi protocols mature and accumulate significant treasury holdings, governance mechanisms have become attractive targets. We documented 14 governance-related exploits in 2025, ranging from flash loan-funded vote manipulation to malicious proposal injection exploiting insufficient timelock durations.
Recommendations for Protocol Developers
Adopt compositional security analysis. Security audits should explicitly model inter-protocol interactions and test the protocol's behaviour when composed with common DeFi building blocks. Formal specification of protocol invariants should include properties that must hold across arbitrary external calls.
Implement comprehensive monitoring. On-chain monitoring that detects anomalous protocol behaviour — such as unexpected changes in total value locked, abnormal transaction patterns, or deviations from historical price ranges — provides a critical layer of defence that can limit losses even when a vulnerability is successfully exploited.
Use tiered access controls. Critical protocol functions should require multi-signature authorisation with time delays. Emergency pause functionality should be triggerable through a simpler governance process, but that process should not be susceptible to flash loan attacks.
Invest in formal verification. For protocols managing significant assets, formal verification of core invariants is no longer optional. The cost of verification is trivial compared to the potential losses from a critical vulnerability.
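For the monitoring recommendation above, the sketch below flags two of the signals it names, a sharp drop in total value locked and a price outside its recent range, and escalates only when they coincide in the same block. It is an added example, not part of the original paper; the function names, thresholds and sample data are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed per-block samples: (block, total value locked, oracle price).
SAMPLES = [
    (100, 1000.0, 2.00),
    (101, 1010.0, 2.01),
    (102, 1005.0, 1.99),
    (103, 1008.0, 2.00),
    (104, 1002.0, 2.02),
    (105, 640.0, 2.90),   # constructed incident block
    (106, 650.0, 2.05),
]

def detect_anomalies(samples, window=5, max_tvl_drop=0.20, max_price_dev=0.10):
    """Return (block, reason) alerts for block-over-block TVL drops and for
    prices far from the median of the previous `window` samples."""
    alerts = []
    for i in range(1, len(samples)):
        block, tvl, price = samples[i]
        prev_tvl = samples[i - 1][1]
        if prev_tvl > 0 and (prev_tvl - tvl) / prev_tvl > max_tvl_drop:
            alerts.append((block, "tvl_drop"))
        history = [p for _, _, p in samples[max(0, i - window):i]]
        reference = median(history)
        if reference > 0 and abs(price - reference) / reference > max_price_dev:
            alerts.append((block, "price_deviation"))
    return alerts

def blocks_to_escalate(alerts, min_signals=2):
    """Blocks where several independent signals fire together, which is a
    stronger basis for paging or an emergency pause than any single one."""
    reasons = defaultdict(set)
    for block, reason in alerts:
        reasons[block].add(reason)
    return sorted(b for b, r in reasons.items() if len(r) >= min_signals)

if __name__ == "__main__":
    found = detect_anomalies(SAMPLES)
    print(found, blocks_to_escalate(found))
```

Using the median of recent samples as the reference keeps a single outlier block from shifting the baseline that later blocks are compared against.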
Conclusion
The security challenges facing DeFi protocols are not primarily technical — the tools and techniques for building secure smart contracts exist. The challenge is one of practice: consistently applying rigorous security methodologies to increasingly complex and composable systems. Protocols that invest in compositional security analysis, comprehensive monitoring, and formal verification will be best positioned to earn the trust that decentralised finance requires to achieve mainstream adoption.