A function that sends ETH or calls an external contract before updating its own state, allowing the recipient to call back into the same function and drain funds before the balance is written. The engine also detects whether a reentrancy guard is present, distinguishing genuinely exposed paths from mitigated ones.

A function that calls another contract and ignores whether the call succeeded or failed, which means transfers can fail silently and leave the contract in an inconsistent state with no revert.

A function that modifies contract storage on a path with no access control check. The engine distinguishes between mapping-based writes (like balance updates that operate on the caller's own data) and writes to global state, providing context for whether the pattern is intentional or a gap.

A function that delegates execution to an external address while preserving the caller's storage context. If the target is attacker-controlled, the entire contract can be overwritten. For proxy contracts, the engine can resolve the implementation address and analyze the actual logic behind the forwarder.

A contract that exposes privileged operations to any caller, where functions that should be restricted to an owner or governance address execute without checking who initiated the transaction.