Composability
high severity
Cross-Contract Interaction Bugs
Cross-contract interaction bugs emerge when contracts interact with other protocols in unexpected ways, including callback exploits, composability issues, and trust assumptions about external contracts.
How It Works
DeFi protocols are composable — they interact with each other. Bugs arise when a contract trusts external contract behavior, doesn't account for callback functions, or assumes specific execution ordering across multiple protocols.
Real-World Examples
Yearn Finance
2021
$11M
A complex interaction between multiple DeFi protocols was exploited through a series of flash loan and callback manipulations.
Code Examples
Vulnerable Code
// VULNERABLE: Trusts external contract callback
function swap(address tokenOut, uint256 amount) external {
    // External DEX might call back into this contract
    dex.swap(tokenOut, amount, address(this));
    // State might be inconsistent here due to callback
    _updateReserves();
}
Secure Code
// FIXED: Reentrancy guard + state update before external call
function swap(address tokenOut, uint256 amount) external nonReentrant {
    _updateReserves(); // Update state first
    dex.swap(tokenOut, amount, address(this));
    _validateReserves(); // Verify post-conditions
}
Prevention
- Use reentrancy guards on all external-facing functions
- Follow checks-effects-interactions pattern
- Validate post-conditions after external calls
- Document and test all external protocol integrations
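The prevention steps above combined in one contract, as an added example that is not code from the original page: a reentrancy guard, accounting debited before the external call, and a post-condition checked against the measured balance change. `GuardedSwapper`, `IDexLike`, `IERC20Like`, `sync`, `owner` and `minOut` are hypothetical names, and the DEX is assumed to pull the input token through an allowance granted beforehand.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Hypothetical interfaces: the page does not define `dex` or the token API.
interface IERC20Like { function balanceOf(address a) external view returns (uint256); }
interface IDexLike { function swap(address tokenOut, uint256 amountIn, address to) external; }

contract GuardedSwapper {
    IDexLike public immutable dex;
    address public immutable owner;
    mapping(address => uint256) public reserves; // internal accounting per token
    uint256 private _locked = 1;                 // 1 = free, 2 = inside a guarded call

    error Reentrancy();
    error NotOwner();
    error InsufficientOutput(uint256 received, uint256 minOut);

    constructor(IDexLike dex_) { dex = dex_; owner = msg.sender; }

    // Minimal reentrancy guard: a callback into any guarded function reverts.
    modifier nonReentrant() {
        if (_locked == 2) revert Reentrancy();
        _locked = 2;
        _;
        _locked = 1;
    }

    // Record tokens transferred to this contract; guarded so it cannot run mid-swap.
    function sync(address token) external nonReentrant {
        reserves[token] = IERC20Like(token).balanceOf(address(this));
    }

    // Assumes the DEX pulls tokenIn through an allowance granted beforehand.
    function swap(address tokenIn, address tokenOut, uint256 amountIn, uint256 minOut)
        external nonReentrant {
        if (msg.sender != owner) revert NotOwner();
        // Effects first: debit accounting (reverts on underflow in 0.8+).
        reserves[tokenIn] -= amountIn;
        uint256 balanceBefore = IERC20Like(tokenOut).balanceOf(address(this));

        // Interaction: the external DEX is untrusted and may attempt a callback.
        dex.swap(tokenOut, amountIn, address(this));

        // Post-condition: rely on the measured balance delta, not the DEX's report.
        uint256 received = IERC20Like(tokenOut).balanceOf(address(this)) - balanceBefore;
        if (received < minOut) revert InsufficientOutput(received, minOut);
        reserves[tokenOut] += received;
    }
}
```

Because `sync` shares the same guard, a callback from the DEX cannot rewrite `reserves` while `swap` is still between its debit and its post-condition check.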