Code vs. Economic Layer
Smart contract vulnerabilities generally fall into two categories. Understanding the distinction helps frame what Shepherd tests and why execution-based testing matters.
Code Layer
Code layer vulnerabilities are bugs in the contract logic itself: the code that defines how your protocol operates.
Examples:
Reentrancy: A contract calls an external address before updating its own state, allowing the external contract to re-enter and manipulate state mid-execution
Access control: Privileged functions that are missing authorization checks, or authorization logic that can be bypassed
Integer overflow/underflow: Arithmetic that wraps around, producing unexpected values
Storage collisions: Proxy patterns where the implementation and proxy share storage slots incorrectly
Uninitialized state: Contracts deployed without calling initialization functions, leaving them open to takeover
These bugs exist in the code regardless of market conditions. They can often (but not always) be caught through code review and static analysis.
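The reentrancy case above is the classic example of a code-layer bug: the ordering of state updates and external calls is wrong, independent of any market condition. The following is an added illustration written for this page, not Shepherd's code and not Solidity: a small Python model in which an external call is a Python method call on the recipient, so a recipient can call back into the vault before the first withdraw has finished. The `Vault`, depositor classes and `run_scenario` helper are constructed for the example; the two orderings model the vulnerable "update after call" pattern and the checks-effects-interactions fix.

```python
class Vault:
    """Toy vault: deposit credits a balance, withdraw pays it out through an
    external call. ordering='vulnerable' clears the balance only after the
    call returns; ordering='cei' (checks-effects-interactions) clears it
    before the call, so a re-entrant caller finds nothing left to withdraw."""

    def __init__(self, ordering: str):
        if ordering not in ("vulnerable", "cei"):
            raise ValueError(ordering)
        self.ordering = ordering
        self.balances = {}   # depositor object -> credited amount
        self.pool = 0        # funds the vault actually holds

    def deposit(self, who, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who) -> None:
        amount = self.balances.get(who, 0)           # check
        if amount == 0:
            return
        if amount > self.pool:                        # a transfer the vault cannot fund
            raise RuntimeError("transfer would fail: pool exhausted")
        if self.ordering == "cei":
            self.balances[who] = 0                    # effect before the interaction
        self.pool -= amount
        who.receive(self, amount)                     # interaction: external call, may re-enter
        if self.ordering == "vulnerable":
            self.balances[who] = 0                    # effect after the interaction: too late


class HonestDepositor:
    """A recipient that just records what it was paid."""
    def __init__(self):
        self.received = 0

    def receive(self, vault: Vault, amount: int) -> None:
        self.received += amount


class ReenteringDepositor:
    """Models a recipient whose receive hook calls withdraw again while the
    first withdraw is still executing: the pattern a review looks for."""
    def __init__(self):
        self.received = 0

    def receive(self, vault: Vault, amount: int) -> None:
        self.received += amount
        # Only re-enter while the vault still credits us and can fund the call;
        # with CEI ordering the credit is already zero here, so this never fires.
        if vault.balances.get(self, 0) > 0 and vault.pool >= amount:
            vault.withdraw(self)


def run_scenario(ordering: str) -> dict:
    """Constructed scenario: an honest depositor puts in 2, the re-entering
    depositor puts in 1, then the re-entering depositor withdraws once."""
    vault = Vault(ordering)
    honest, reenter = HonestDepositor(), ReenteringDepositor()
    vault.deposit(honest, 2)
    vault.deposit(reenter, 1)
    vault.withdraw(reenter)
    return {
        "reentrant_received": reenter.received,  # should equal its deposit of 1
        "pool_left": vault.pool,                 # should still cover the honest balance
        "honest_owed": vault.balances[honest],
        "solvent": vault.pool >= vault.balances[honest],
    }


if __name__ == "__main__":
    for ordering in ("vulnerable", "cei"):
        print(ordering, run_scenario(ordering))
```

With the vulnerable ordering the re-entering depositor is paid 3 against a credit of 1 and the vault is left unable to pay the honest depositor; with CEI ordering it is paid exactly 1. The `solvent` flag is the kind of invariant an execution-based test can assert after every call, regardless of how the call sequence was produced.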
Economic Layer
Economic layer vulnerabilities exploit how your contracts interact with the broader DeFi ecosystem under specific market conditions or transaction sequences.
Examples:
Oracle manipulation: Executing a large trade to move a DEX price, then using that inflated price in a lending protocol to borrow against overvalued collateral
Flash loan attacks: Borrowing a large amount without collateral, using it to manipulate state across multiple protocols, and repaying in the same transaction
Liquidation cascades: Triggering a chain of liquidations by manipulating one position, profiting from the cascade
MEV extraction: Front-running or sandwiching transactions to extract value from other users' trades
Sandwich attacks: Placing transactions before and after a victim's swap to profit from the price impact
Reward timing exploits: Depositing right before a reward distribution and withdrawing immediately after to capture disproportionate yield
These vulnerabilities depend on runtime state, market conditions, and transaction ordering. They're difficult to detect through code review alone because the code may be technically correct but the exploit emerges from how it behaves in context.
Why the Distinction Matters
Most security tools focus on one layer or the other:
Static analyzers are strong at the code layer — pattern matching for known vulnerability signatures
Economic simulations model token flows and incentive structures but may miss code-level bugs
Real-world exploits frequently combine both layers. A code-level reentrancy bug becomes a nine-figure exploit when combined with a flash loan and oracle manipulation. A technically correct vault contract becomes exploitable when someone manipulates the exchange rate through a donation attack.
Shepherd tests across both layers simultaneously because it executes attacks on a fork with real state. This means an agent can:
Take out a flash loan (economic layer)
Use it to manipulate an oracle (economic layer)
Exploit a missing check in a liquidation function (code layer)
Extract profit and repay the flash loan (economic layer)
All within a single episode, on a fork that mirrors production conditions.
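The oracle manipulation example from the economic-layer list and the combined flash-loan scenario just described share one root cause: a lending contract that reads a DEX spot price is technically correct code whose valuation can be moved by a single large trade in the same block. The following is an added illustration for this page, not Shepherd's code and not any real protocol's: a Python model of a constant-product pool, a lending rule that caps borrowing at a loan-to-value ratio, and two ways of valuing collateral (spot price versus a time-weighted average observed at block boundaries). The pool reserves, window size, LTV and trade size are constructed sample values, and `spot_within_tolerance` is a hypothetical sanity check a lender could apply before trusting a price.

```python
from collections import deque


class ConstantProductPool:
    """Constant-product (x*y=k) pool with the fee omitted so the arithmetic
    stays exact. Reserves are constructed sample values, not a live pool."""

    def __init__(self, reserve_token: float, reserve_usd: float):
        self.x = reserve_token
        self.y = reserve_usd

    def spot_price(self) -> float:
        """Instantaneous USD-per-token price implied by the reserves."""
        return self.y / self.x

    def swap_usd_for_token(self, usd_in: float) -> float:
        """Buy tokens with USD; returns tokens received. Moves the spot price."""
        k = self.x * self.y
        token_out = self.x - k / (self.y + usd_in)
        self.y += usd_in
        self.x -= token_out
        return token_out


class TwapOracle:
    """Average of spot prices observed at block boundaries. A price moved
    inside the current block is not yet part of the window."""

    def __init__(self, pool: ConstantProductPool, window: int):
        self.pool = pool
        self.samples = deque(maxlen=window)

    def observe(self) -> None:
        self.samples.append(self.pool.spot_price())

    def price(self) -> float:
        return sum(self.samples) / len(self.samples)


def max_borrow(collateral_tokens: float, price_usd: float, ltv: float = 0.75) -> float:
    """Lending rule: borrow up to LTV times the collateral's quoted value."""
    return collateral_tokens * price_usd * ltv


def spot_within_tolerance(spot: float, reference: float, max_deviation: float) -> bool:
    """Hypothetical guard: refuse to act on a spot price that strays more than
    max_deviation (a fraction) from the time-weighted reference."""
    return abs(spot - reference) / reference <= max_deviation


def simulate(oracle_kind: str, trade_usd: float) -> dict:
    """Value 100 tokens of collateral by spot or TWAP when a large buy lands
    in the same block as the price read (the flash-loan-funded case)."""
    pool = ConstantProductPool(reserve_token=1_000_000, reserve_usd=1_000_000)
    twap = TwapOracle(pool, window=10)
    for _ in range(10):                    # ten quiet blocks at 1 USD per token
        twap.observe()
    collateral = 100
    baseline = max_borrow(collateral, pool.spot_price())

    pool.swap_usd_for_token(trade_usd)     # large buy inside the current block
    if oracle_kind == "spot":
        price = pool.spot_price()
    elif oracle_kind == "twap":
        price = twap.price()
    else:
        raise ValueError(oracle_kind)
    return {
        "baseline_borrow": baseline,
        "borrow_allowed": max_borrow(collateral, price),
        "spot_after_trade": pool.spot_price(),
        "twap": twap.price(),
        "spot_vs_twap_ok": spot_within_tolerance(pool.spot_price(), twap.price(), 0.05),
    }


if __name__ == "__main__":
    for kind in ("spot", "twap"):
        print(kind, simulate(kind, trade_usd=1_000_000))
```

A 1,000,000 USD buy against this pool quadruples the spot price, so a spot-valued lender would allow 300 USD of borrowing against collateral that supported 75 USD a moment earlier; the TWAP-valued lender still allows 75. The deviation check flags the same block, which is the sort of condition worth asserting in a fork-based test: the contract code is unchanged in both cases, only the price source and the transaction sequence differ.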