RESEARCH
Structural findings from the ongoing analysis of 18,966 unique bytecodes across 44,121 deployed contracts, alongside case studies from historically exploited protocols.
AGGREGATE FINDINGS
Contracts above 10KB are 15 times more likely to contain structural vulnerabilities than contracts below 2KB. Among large contracts, 10.6% have elevated or critical findings — an order of magnitude above the baseline rate.
83% of all critical findings involve DELEGATECALL, making the proxy pattern that enables upgradeability the dominant structural risk vector across deployed contracts. Implementations vary dramatically in safety.
A single vulnerable bytecode pattern can propagate to 161 deployed contracts through code reuse and factory patterns. Bytecode-level analysis detects the flaw once and identifies every deployment that shares it.
85.5% of unique bytecodes receive a clean verdict with zero structural findings, which establishes the baseline against which deviations become statistically meaningful.
KEY OBSERVATIONS
The strongest signal in the data is the relationship between contract complexity and structural risk. Contracts managing the most value tend to be the most complex, and complex contracts are where findings concentrate. This is not surprising, but the magnitude of the correlation — 15x between the smallest and largest contracts — is worth understanding for anyone deploying or integrating with DeFi infrastructure.
Among critical findings, the proxy pattern dominates. DELEGATECALL enables upgradeability and composability, but the structural safety of its implementation varies widely. Some proxy contracts are clean. Others carry structural patterns that the engine flags as critical. The difference is in the implementation details, which are visible at the bytecode level regardless of whether source code is available.
Code reuse amplifies both quality and risk. When a clean bytecode pattern is deployed to hundreds of addresses through a factory, the entire fleet inherits its structural soundness. When a flawed pattern propagates the same way, a single vulnerability becomes 161 deployed contracts with the same exposure.
CASE STUDY
The DAO raised roughly $150M in ETH through a public crowdsale in May 2016. On June 17, 2016, an attacker exploited a reentrancy vulnerability in its withdrawal logic and drained about 3.6 million ETH, roughly a third of the funds it held. The function sent ETH to the caller before updating the caller's balance, so a malicious contract's fallback could re-enter and repeat the withdrawal, each pass running against a balance that had not yet been decremented.
The engine was given only The DAO's deployed bytecode — no source code, no exploit details, no prior knowledge of the vulnerability. It identified every structural condition that made the exploit possible: 4 reentrancy patterns across separate functions, 5 unchecked external calls, 12 unprotected storage writes, and zero access control checks across all 46 functions.
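The three observations above share one mechanism: a DELEGATECALL proxy, a factory-cloned flaw, and the call-before-state-update ordering behind The DAO exploit are all visible in raw bytecode without source. As an added illustration (this is not the engine's code and is not from the original page), the Python script below is a minimal EVM disassembler with three deliberately crude structural heuristics, run over hand-assembled sample bytecodes that are constructed here rather than produced by a compiler. The opcode subset, the `asm` helper, the sample sequences, the placeholder addresses, the finding names and the SHA-256 keying are all assumptions made for the example; the EIP-1967 implementation-slot constant is the published one.

```python
import hashlib

# Subset of the EVM opcode table, enough for the samples below (assumption: a real
# scanner carries the full table).
OPCODES = {
    0x00: "STOP", 0x15: "ISZERO", 0x33: "CALLER", 0x36: "CALLDATASIZE",
    0x37: "CALLDATACOPY", 0x3d: "RETURNDATASIZE", 0x3e: "RETURNDATACOPY", 0x50: "POP",
    0x54: "SLOAD", 0x55: "SSTORE", 0x56: "JUMP", 0x57: "JUMPI", 0x5a: "GAS",
    0x5b: "JUMPDEST", 0x5f: "PUSH0", 0xf1: "CALL", 0xf2: "CALLCODE", 0xf3: "RETURN",
    0xf4: "DELEGATECALL", 0xfa: "STATICCALL", 0xfd: "REVERT", 0xfe: "INVALID",
    0xff: "SELFDESTRUCT",
}
for n in range(1, 33):
    OPCODES[0x5f + n] = f"PUSH{n}"
for n in range(1, 17):
    OPCODES[0x7f + n], OPCODES[0x8f + n] = f"DUP{n}", f"SWAP{n}"
MNEMONIC = {name: op for op, name in OPCODES.items()}
TERMINATORS = {"STOP", "JUMP", "JUMPI", "RETURN", "REVERT", "INVALID", "SELFDESTRUCT"}

def disassemble(code):
    """[(offset, mnemonic, immediate)]; PUSH immediates are consumed as data, so a 0xf4
    byte inside a pushed constant is never misread as a DELEGATECALL opcode."""
    instrs, pc = [], 0
    while pc < len(code):
        op, start, imm = code[pc], pc, b""
        if 0x60 <= op <= 0x7f:                          # PUSH1..PUSH32
            n = op - 0x5f
            imm, pc = code[pc + 1:pc + 1 + n], pc + n   # imm is short if code is truncated
        instrs.append((start, OPCODES.get(op, f"UNKNOWN_{op:02x}"), imm))
        pc += 1
    return instrs

def basic_blocks(instrs):
    """Blocks start at a JUMPDEST and end at a control-flow terminator."""
    blocks, cur = [], []
    for ins in instrs:
        if ins[1] == "JUMPDEST" and cur:
            blocks, cur = blocks + [cur], []
        cur.append(ins)
        if ins[1] in TERMINATORS:
            blocks, cur = blocks + [cur], []
    return blocks + ([cur] if cur else [])

def scan(code):
    """Crude per-block heuristics (assumptions for this example, not the engine's rules):
    CALL then POP drops the success flag; SSTORE after a CALL in the same block writes
    state after control left the contract (the DAO ordering); DELEGATECALL is classified
    by where its target address came from."""
    findings = []
    for block in basic_blocks(disassemble(code)):
        call_seen = False
        for i, (off, name, _) in enumerate(block):
            if name in ("CALL", "CALLCODE"):
                call_seen = True
                if i + 1 < len(block) and block[i + 1][1] == "POP":
                    findings.append(f"unchecked-external-call@{off:#x}")
            elif name == "SSTORE" and call_seen:
                findings.append(f"storage-write-after-call@{off:#x}")
            elif name == "DELEGATECALL":
                prior = {m for _, m, _ in block[:i]}
                src = ("target-from-storage" if "SLOAD" in prior else
                       "target-constant" if "PUSH20" in prior else "target-unknown")
                findings.append(f"delegatecall({src})@{off:#x}")
    return findings

def asm(*items):
    """Tiny assembler for the samples: str = mnemonic, int = smallest PUSHn that fits."""
    out = bytearray()
    for item in items:
        if isinstance(item, int):
            data = item.to_bytes(max(1, (item.bit_length() + 7) // 8), "big")
            out.append(0x5f + len(data))
            out += data
        else:
            out.append(MNEMONIC[item])
    return bytes(out)

# Hand-assembled samples (constructed for this example, not compiler output).
# DAO-style withdraw: send balance[caller], drop the success flag, then zero the balance.
VULNERABLE_WITHDRAW = asm(
    "CALLER", "SLOAD",                               # amount = balance[caller]
    0, 0, 0, 0, "DUP5", "CALLER", "GAS", "CALL",    # call(caller, value=amount)
    "POP",                                           # success flag discarded
    0, "CALLER", "SSTORE",                           # balance[caller] = 0, after the call
    "POP", "STOP")
# Checks-effects-interactions: zero the balance first, call, revert on failure (path at 0x18).
FIXED_WITHDRAW = asm(
    "CALLER", "SLOAD", 0, "CALLER", "SSTORE",        # balance[caller] = 0, before the call
    0, 0, 0, 0, "DUP5", "CALLER", "GAS", "CALL",
    "ISZERO", 0x18, "JUMPI", "POP", "STOP",
    "JUMPDEST", 0, 0, "REVERT")
# EIP-1967 proxy fallback: implementation read from the published slot, DELEGATECALL,
# return data bubbled up (revert path at 0x3f).
IMPL_SLOT = 0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc
PROXY = asm(
    "CALLDATASIZE", 0, 0, "CALLDATACOPY",
    0, 0, "CALLDATASIZE", 0, IMPL_SLOT, "SLOAD", "GAS", "DELEGATECALL",
    "RETURNDATASIZE", 0, 0, "RETURNDATACOPY", "ISZERO", 0x3f, "JUMPI",
    "RETURNDATASIZE", 0, "RETURN",
    "JUMPDEST", "RETURNDATASIZE", 0, "REVERT")

# Constructed fleet with placeholder addresses: three factory clones, one fixed contract, two proxies.
DEPLOYMENTS = [("0xA1", VULNERABLE_WITHDRAW), ("0xA2", VULNERABLE_WITHDRAW), ("0xA3", VULNERABLE_WITHDRAW),
               ("0xB1", FIXED_WITHDRAW), ("0xC1", PROXY), ("0xC2", PROXY)]

def fleet_report(deployments):
    """Scan each unique bytecode once and attribute the result to every address sharing it."""
    report = {}
    for addr, code in deployments:
        key = hashlib.sha256(code).hexdigest()[:16]
        if key not in report:                        # the flaw is detected once per bytecode
            report[key] = {"addresses": [], "findings": scan(code)}
        report[key]["addresses"].append(addr)
    return report
```

Running `fleet_report(DEPLOYMENTS)` yields three unique bytecodes: the three clones of the DAO-ordered withdraw share `unchecked-external-call` and `storage-write-after-call` findings, the fixed withdraw is clean, and both proxies carry a `delegatecall(target-from-storage)` finding that a reviewer would then inspect for who can write that slot. The heuristics are intentionally shallow: a real engine follows jumps and tracks the stack, so a storage write reached through a JUMP after the call would be missed here, and the PUSH20 test is only a stand-in for proving the target is constant.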