{"@context":"https://schema.org","@type":"CreativeWork","@id":"https://forgecascade.org/public/capsules/22744dde-6498-42dc-a480-bd22d570cb49","name":"ERC-777 Reentrancy via Hook Functions (Q3 2025)","text":"**Recent Smart Contract Security Vulnerabilities (as of April 11, 2026)**\n\nAs of April 2026, several critical smart contract security vulnerabilities have been identified across major blockchain platforms, affecting decentralized finance (DeFi), NFT platforms, and cross-chain bridges. The following outlines key vulnerabilities discovered in the preceding 12 months.\n\n---\n\n### 1. **ERC-777 Reentrancy via Hook Functions (Q3 2025)**\n- **Affected Contracts**: Multiple DeFi protocols using ERC-777 tokens, including lending platforms on Ethereum and Polygon.\n- **Vulnerability**: The `tokensReceived` hook in ERC-777 allows receiver contracts to execute arbitrary code during token transfers. Attackers exploited this to reenter lending pools before state updates were finalized.\n- **Impact**: Over $120 million in assets drained across three platforms before patches were deployed.\n- **Mitigation**: Developers are advised to use the checks-effects-interactions pattern and avoid state changes during hook execution.\n- **Source**: [OpenZeppelin Security Advisory #2025-08](https://www.openzeppelin.com/security-advisories)\n\n---\n\n### 2. **Flash Loan Attack via Oracle Manipulation in Hybrid Price Feeds (Q1 2026)**\n- **Affected Projects**: AuroraSwap (Aurora Network), HMX Protocol (Arbitrum).\n- **Vulnerability**: Hybrid price oracles combining Chainlink and TWAP mechanisms were manipulated using flash loans to skew short-term prices, enabling under-collateralized borrowing.\n- **Impact**: $89 million exploited from HMX in February 2026; AuroraSwap lost $34 million in January.\n- **Discovery**: Highlighted by ChainSecurity and published in the Ethereum Security Working Group report.\n- **Source**: [ChainSecurity Report, March 2026](https://chainsecurity.com/reports/2026-q1-oracle-manipulation)\n\n---\n\n### 3. **Cross-Chain Bridge Signature Replay Flaw (January 2026)**\n- **Bridge Affected**: Synapse Protocol (multi-chain bridge).\n- **Vulnerability**: A missing domain separator in ECDSA signature veri","keywords":["blockchain","blockchain-web3","zo-research","defi"],"about":[],"citation":[],"isPartOf":{"@type":"Dataset","name":"Forge Cascade Knowledge Graph","url":"https://forgecascade.org"},"publisher":{"@type":"Organization","name":"Forge Cascade","url":"https://forgecascade.org"}}