Free Blockchain Security Training DeFi Security and Audits Questions and Answers

Question 1

A DeFi lending protocol uses the spot price from a single, low-liquidity decentralized exchange (DEX) to value collateral.
An attacker secures a large flash loan, uses it to artificially inflate an asset's price on that specific DEX, and then deposits the inflated asset as collateral to borrow a much larger sum of other assets.
What is the primary vulnerability exploited in this scenario?

Accepted Answer

C) Use of a single, easily manipulated spot-price oracle.

Answer

A) A denial-of-service vulnerability in the deposit function.

Answer

B) An integer overflow during the collateral calculation.

Answer

D) A reentrancy attack on the borrowing function.

Question 2

A smart contract contains a function to transfer ownership: `function changeOwner(address newOwner) public { require(tx.origin == owner); owner = newOwner; }`. Why is using `tx.origin` for authorization a critical security flaw?

Accepted Answer

A) A user can be phished into calling a malicious intermediary contract, which then successfully calls `changeOwner` on their behalf, as the `tx.origin` remains the user's address.

Answer

B) It is significantly more gas-intensive than using `msg.sender`, leading to potential out-of-gas errors.

Answer

C) It prevents other smart contracts from ever legitimately interacting with the function, breaking composability.

Answer

D) The `tx.origin` variable is deprecated in the latest versions of Solidity and will cause the contract to fail compilation.

Question 3

A DeFi protocol's governance mechanism allows token holders to vote on proposals. An attacker uses a flash loan to borrow a massive quantity of the protocol's governance tokens, uses them to vote for a malicious proposal to transfer treasury funds to themselves, and repays the loan, all within a single transaction. This exploit is best described as what type of attack?

Accepted Answer

A) Flash loan-assisted governance manipulation.

Answer

B) A time-lock reentrancy attack.

Answer

C) A front-running attack on the proposal submission.

Answer

D) A Sybil attack using multiple addresses.

Question 4

A development team deploys an upgradeable smart contract using the UUPS proxy pattern. They deploy the proxy and the implementation contract, but neglect to call the `initialize` function on the implementation contract itself. What is the most severe and immediate security risk of this oversight?

Accepted Answer

C) An attacker can call the public `initialize` function on the implementation contract directly, potentially seizing ownership and bricking the contract via `selfdestruct`.

Answer

A) The proxy contract will revert all user transactions due to being uninitialized.

Answer

B) Gas costs for all functions will be unpredictably high.

Answer

D) The contract's storage layout will become corrupted upon the first transaction.

Question 5

Which of the following BEST describes the role of a professional smart contract security audit?

Accepted Answer

D) To perform a time-boxed code review to identify vulnerabilities, assess risks, and provide mitigation advice.

Answer

A) To provide a formal guarantee that the smart contract is 100% secure and free of bugs.

Answer

B) To rewrite inefficient parts of the code to optimize for gas consumption.

Answer

C) To write a comprehensive suite of unit and integration tests for the protocol.

Question 6

In smart contract security analysis, what is the fundamental difference between static and dynamic analysis?

Accepted Answer

A) Static analysis examines the source code or bytecode without executing it to find known vulnerability patterns, while dynamic analysis executes the code with various inputs to observe its runtime behavior.

Answer

B) Static analysis is a fully automated process using tools, whereas dynamic analysis is a purely manual review by an auditor.

Answer

C) Static analysis is used to find business logic flaws, while dynamic analysis is used to find common vulnerabilities like reentrancy.

Answer

D) Static analysis is performed before deployment, and dynamic analysis is performed on the live, on-chain contract.