Glossary
Common terms in smart contract security and blockchain development.
A
Access Control
Mechanisms that restrict who can call certain functions in a smart contract. Common patterns include onlyOwner modifiers, role-based access (OpenZeppelin's AccessControl), and multi-signature requirements.
Audit
A systematic review of smart contract code to identify security vulnerabilities, logic errors, and best practice violations. Can be automated (like FirePan) or manual (boutique audits).
C
CEI Pattern
Checks-Effects-Interactions - A defensive programming pattern where you:
- Check all conditions and validate inputs first
- Apply all state changes (effects) next
- Interact with external contracts last
Because state is already updated before any external call is made, a caller that re-enters sees the final state, so following CEI prevents reentrancy vulnerabilities.
Composability
The ability for smart contracts to interact with and build upon each other. While powerful for DeFi, composability creates complex attack surfaces where vulnerabilities in one protocol can affect others.
D
Delegatecall
A low-level Solidity function that executes code from another contract in the context of the calling contract. Dangerous when the target is untrusted, as it can modify storage and drain funds.
DeFi
Decentralized Finance - Financial services built on blockchain networks using smart contracts. Includes lending, trading, derivatives, and more.
E
ERC-20
The standard interface for fungible tokens on Ethereum. Defines functions like transfer(), approve(), and transferFrom().
Exploit
A technique that takes advantage of a vulnerability to achieve unintended behavior, typically extracting funds or disrupting protocol operations.
F
False Positive
A security finding that is flagged but is not actually a vulnerability. Managing false positives is crucial for efficient security workflows.
Flash Loan
An uncollateralized loan that must be borrowed and repaid within a single transaction. While legitimate, flash loans are often used in exploits to amplify attack impact.
Frontrunning
Observing a pending transaction and submitting a competing transaction with a higher gas price so that it executes first. Common in DEX trading and one of the main forms of MEV (see MEV).
G
Gas
The unit measuring computational effort in Ethereum. Users pay gas fees to execute transactions. Inefficient code costs more to run.
Governance
On-chain mechanisms for making decisions about protocol changes. Includes voting, proposal systems, and timelocks.
I
Immutable
A variable that can only be set once (in the constructor) and cannot be changed afterward. More gas-efficient than regular storage but less flexible.
Invariant
A property that should always be true in a system. For example, "total supply equals sum of all balances" is an invariant for ERC-20 tokens. Automated tools can test invariants to find bugs.
L
Liquidation
The process of selling collateral when a position becomes undercollateralized. Critical for lending protocols but can be manipulated if not carefully implemented.
M
MEV
Maximal Extractable Value - Value that can be extracted by transaction ordering within a block. Includes frontrunning, sandwich attacks, and arbitrage.
Modifier
A Solidity keyword that adds preconditions to functions. Commonly used for access control (onlyOwner) and reentrancy guards (nonReentrant).
N
NatSpec
Ethereum Natural Language Specification - A documentation format for Solidity using /// or /** */ comments. Helps both humans and tools understand contract behavior.
O
Oracle
An external data feed that provides off-chain information to smart contracts. Price oracles are critical for DeFi but are common attack vectors if not properly secured.
Overflow/Underflow
When arithmetic operations exceed the maximum or go below the minimum value for a data type. Solidity 0.8.0+ reverts on overflow by default; older versions wrap around.
P
Proxy
A contract pattern where logic is separated from storage, allowing upgrades without changing the contract address. Common patterns include Transparent Proxy and UUPS.
R
Reentrancy
A vulnerability where an external call allows an attacker to re-enter the calling function before the first execution completes. The infamous DAO hack exploited reentrancy.
Risk Score
A numerical assessment (typically 0-100) of a contract's security posture based on detected vulnerabilities and code quality metrics.
S
Selfdestruct
A Solidity function that destroys a contract and sends its ETH balance to a specified address. Deprecated in recent Solidity and Ethereum versions, but still dangerous when left unprotected.
Slippage
The difference between expected and actual execution price in a trade. High slippage can indicate manipulation or poor liquidity.
Solidity
The primary programming language for Ethereum smart contracts. Statically typed, contract-oriented, and compiled to EVM bytecode.
Storage Collision
When two contracts in a proxy pattern try to use the same storage slot for different purposes. Causes data corruption and potential exploits.
T
Timelock
A delay mechanism requiring a waiting period between proposing and executing changes. Gives users time to react to potentially malicious governance actions.
tx.origin
The original sender of a transaction (EOA), regardless of contract calls in between. Using tx.origin for authorization is vulnerable to phishing attacks.
V
Vyper
An alternative smart contract language for Ethereum. Emphasizes simplicity and security over flexibility.
Vulnerability
A weakness in code that can be exploited to cause unintended behavior. Severities typically range from Critical to Low.
W
Wrapped Token
A token representing another asset, typically used to make non-ERC-20 assets compatible with DeFi protocols. WETH (Wrapped Ether) is the most common example.
Related Resources
- Platform Overview - How FirePan works
- Surface Scan - Vulnerability patterns we detect
- Quickstart - Get scanning in 5 minutes