SoK: Root Cause of $1 Billion Loss in Smart Contract Real-World Attacks via a Systematic Literature Review of Vulnerabilities
Hadis Rezaei, Mojtaba Eshghie, Karl Andersson, Francesco Palmieri

TL;DR
This paper systematically reviews academic literature and analyzes recent high-impact Ethereum attacks to develop a four-tier root-cause framework, revealing that most incidents stem from design flaws and operational issues rather than just code bugs.
Contribution
It introduces a novel multi-tier root-cause framework for smart contract vulnerabilities, moving beyond code-level analysis to include design, governance, and external dependencies.
Findings
Most attacks are caused by combinations of design flaws and operational issues.
The four-tier framework includes protocol logic, governance, dependencies, and code vulnerabilities.
Real-world attacks often involve exploit chains linking multiple root causes.
Abstract
While catastrophic attacks on Ethereum persist, vulnerability research remains fixated on implementation-level smart contract bugs, creating a gap between academic understanding of vulnerabilities and the root causes of high-impact, real-world incidents. To address this, we employ a two-pronged methodology: first, a systematic literature review of 71 academic papers to build a catalog of 24 active and 5 deprecated vulnerabilities; second, an in-depth, empirical analysis of 50 of the most severe real-world attacks between 2022 and 2025, collectively incurring over $1.09B in losses, to identify their root causes. We introduce the concept of "exploit chains" by revealing that many incidents are not caused by isolated vulnerabilities but by combinations of human, operational, and economic design flaws that link with implementation bugs to enable an attack. Our analysis yields…
