🔴 Reentrancy
An external call made before the state update lets the callee re-enter the function and drain funds recursively (DAO hack 2016, $60M).
🟠 Integer Overflow/Underflow
Arithmetic silently wraps around unless SafeMath or the built-in checks of Solidity 0.8+ are used.
🟡 Unchecked Return Value
The return value of .call() / .send() is ignored, so a failed transfer can go unnoticed while execution continues.
🔴 tx.origin Authentication
Authorizing with tx.origin instead of msg.sender enables phishing-based exploitation, since tx.origin is the originating account even when the call is relayed through another contract.
🟠 Unprotected Selfdestruct
A selfdestruct() reachable without access control lets anyone destroy the contract.
🟡 Timestamp Dependence
block.timestamp can be manipulated by miners within a ~15-second window.