Catastrophes Caused by Programming Language Defects

1.1. Ariane 5, Flight 501 — June 4, 1996

Defect type: integer overflow during 64-bit float → 16-bit signed integer conversion.
What happened: in the inertial reference system (SRI), the horizontal velocity variable BH exceeded int16 bounds because Ariane 5 had higher horizontal velocities than Ariane 4, for which the code was originally written. A hardware exception was raised, both SRIs (primary and backup) simultaneously went into failsafe mode. Diagnostic data from the SRI was interpreted by the main computer as flight data, course deviation, and self-destruction occurred ~37 seconds after launch.
Damage: loss of the launcher + 4 satellites of the Cluster mission. Direct financial damage — approximately $370 million (other estimates up to $500 million including satellite costs). The Ariane 5 program had cost ~$7 billion over 10 years of development at that point.
Casualties: none (unmanned launch).
The program was written in Ada. SRI deliberately did not protect 4 out of 7 variables from overflow to comply with the requirement of "no more than 80% CPU load." This was a conscious decision to forgo protection.
Sources:
- J.L. Lions et al., "ARIANE 5 Flight 501 Failure: Report by the Inquiry Board", 1996 — the official ESA inquiry, full text mirrored at MIT: http://sunnyday.mit.edu/nasa-class/Ariane5-report.html
- ESA, "Ariane 501 — Presentation of Inquiry Board report" (press release): https://www.esa.int/Newsroom/Press_Releases/Ariane_501_-_Presentation_of_Inquiry_Board_report
- Wikipedia, Ariane flight V88: https://en.wikipedia.org/wiki/Ariane_flight_V88
- Prof. Douglas N. Arnold, "The Explosion of the Ariane 5": https://www-users.cse.umn.edu/~arnold/disasters/ariane.html

1.3. Boeing 787 Dreamliner — Generator Control Unit, 2015

Defect type: signed int32 overflow in a counter ticking every 10 ms. After 248 days of continuous operation the counter overflows (2^31 × 10 ms ≈ 248.55 days).
What happened: all four main GCUs after 248 days of continuous power simultaneously go into failsafe. This means loss of all aircraft AC power in any phase of flight, including takeoff and landing. At the time of discovery — no 787 in actual service had reached 248 days, but if it had, the crew would have lost control of the aircraft.
Response: FAA issued an Airworthiness Directive (AD) requiring full power-off cycles at least every 120 days. Boeing released a software update.
Casualties: none (the bug was found in the lab before any in-flight incidents).
Sources:
- FAA Airworthiness Directive 2015-09-07 (Federal Register, Amendment 39-18153): https://www.federalregister.gov/documents/2015/05/01/2015-10066/airworthiness-directives-the-boeing-company-airplanes
- Avionics International, "Boeing 787 Power Issue to Receive Software Fix": https://www.aviationtoday.com/2015/05/05/boeing-787-power-issue-to-receive-software-fix/
- Engadget: https://www.engadget.com/2015-05-01-boeing-787-dreamliner-software-bug.html
- Availability Digest (PDF): https://availabilitydigest.com/public_articles/1006/787_power_loss.pdf

2.1. Patriot PAC-2, Dhahran — February 25, 1991

Defect type: precision loss when representing 1/10 in a 24-bit fixed-point register. Accumulated time drift at a rate of ~0.0034 sec/hour of continuous operation.
What happened: the battery had been operating continuously for over 100 hours (deployed in a stationary configuration contrary to its original mobile design intended for a few hours of operation per location). By the time of the attack, the internal clock had drifted by 0.342 seconds. Scud velocity ~1.6 km/s — that translates into a range-gate shift of 687 meters. The radar "saw" the target but could not maintain the track (track rejection threshold 137 m), considered it spurious, and removed it. No interception was launched. The Scud struck the barracks of the 14th Quartermaster Detachment.
Damage: 28 dead, ~100 wounded. This is the first documented case where a floating-point/fixed-point error cost human lives.
Context: two weeks before the incident, on February 11, the Israelis reported the issue. The corrected firmware arrived in Dhahran on February 26 — the day after the strike.
Sources:
- GAO/IMTEC-92-26 (official report): https://www.gao.gov/assets/imtec-92-26.pdf
- Wikipedia, MIM-104 Patriot: https://en.wikipedia.org/wiki/MIM-104_Patriot
- Prof. D. Arnold, U Minnesota: https://www-users.cse.umn.edu/~arnold/disasters/patriot.html
- Hackaday (notes that this is the first "death from floating point"): https://hackaday.com/2015/10/22/an-improvement-to-floating-point-numbers/
- Stanford course: http://nifty.stanford.edu/2003/pests/2002/lectures/07.1_FloatingPoint/Patriot.html

3.1. Therac-25 — 1985–1987

Defect type (1): race condition (outside our taxonomy — included for completeness).
Defect type (2): integer overflow in the Class3 flag variable (1 byte). The program incremented the flag instead of assigning a fixed value. On overflow the flag wrapped to zero, safety checks were bypassed, and the machine fired the electron beam without the X-ray turntable in place — i.e. it hit patients not with the "therapeutic" dose of ~200 rad but with ~25,000 rad of direct beam.
What happened: at least 6 serious radiation overdoses in oncology patients in the US and Canada from 1985 to 1987.
Damage: at least 3 dead, 3+ with severe lifelong injuries. AECL was hit with an FDA Class I recall. A series of lawsuits, some settled out of court.
Sources:
- Leveson & Turner, "An Investigation of the Therac-25 Accidents", IEEE Computer 26(7), 1993 — the canonical analysis (UC eScholarship): https://escholarship.org/uc/item/5dr206s3
- Wikipedia, Therac-25: https://en.wikipedia.org/wiki/Therac-25

5.1. Vancouver Stock Exchange index — 1982–1983

Defect type: systematic precision loss through floor() (truncation) instead of round() when recalculating the index. ~3000 updates per day, each losing part of the last digit.
What happened: the index launched in January 1982 at 1000.000. By November 1983 it stood at 524.811 — even though the actual market was not declining. The accumulated error was ~25 points per month. Over the weekend of November 25–28, 1983 the index was recalculated correctly: on Monday it opened at 1098.892 — a one-time "jump" of +574 points purely from fixing the truncation.
Damage: direct monetary loss — three weeks of consultant work. Indirect — several years of distorted market signal, potential errors in client investment decisions.
Sources:
- Wikipedia, Vancouver Stock Exchange: https://en.wikipedia.org/wiki/Vancouver_Stock_Exchange
- McCullough & Vinod (1999), Journal of Economic Literature, summary: https://www5.in.tum.de/~huckle/Vancouv.pdf
- Engora: https://blog.engora.com/2020/06/death-by-rounding.html

Cryptocurrency protocols have produced two distinct flavours of language-level arithmetic disasters. The earliest — case 6.1 below — was a C++ overflow in Bitcoin Core itself. The later cases (6.2+) come from Solidity prior to version 0.8.0, which lacked checked arithmetic by default and required programmers to use SafeMath manually. Awsum-like guarantees (overflow in any arithmetic produces a compile-time error or explicit handling) would zero out the entire class.

6.1. Bitcoin Value Overflow Incident — August 15, 2010

Defect type: integer overflow in the unchecked summation of transaction output values (int64). CTransaction::CheckTransaction() did not validate that the sum of outputs fit in 64 bits — a single transaction could specify outputs whose total wrapped past 2^63 − 1. CVE-2010-5139.
What happened: block 74638 included a transaction with three outputs totalling ~184,467,440,737 BTC (two outputs of ~92.2 billion BTC each, plus 0.01 BTC) — i.e. roughly 8,800× Bitcoin's entire 21-million supply cap, created in a single transaction.
Response: Satoshi Nakamoto and Gavin Andresen released a patched client within ~5 hours. The patch added a soft-fork consensus rule rejecting any transaction whose outputs sum to overflow. Network operators switched to the patched client and started mining a parallel chain branching from before block 74638. The patched ("good") chain overtook the unpatched ("bad") chain at block 74691 — effectively a network-wide reorganization that erased ~53 blocks (~9 hours) of history. The fraudulent transaction does not exist in the canonical chain. This is the only intentional rollback in Bitcoin's history.
Damage: no direct financial loss — the bad transaction was rolled back before any phantom BTC could enter the wider economy. The full economic invariant of Bitcoin (21M supply cap) was at stake: had the bug gone unnoticed, the entire monetary model would have been broken.
Casualties: none.
Sources:
- Bitcoin Wiki (CVE-2010-5139): https://en.bitcoin.it/wiki/CVE-2010-5139
- Bitcointalk.org, "Value overflow incident.. August 15, 2010" — primary thread where Satoshi and Gavin Andresen coordinated the patch: https://bitcointalk.org/index.php?topic=6290.0
- Bitcoin Wiki, Common Vulnerabilities and Exposures: https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposures
- Quadriga Initiative incident report: https://quadrigainitiative.com/cryptocurrencyhackscamfraudwiki/index.php?title=Bitcoin_Value_Overflow_184_Billion_Minting_Incident

6.2. BatchOverflow (BEC) — April 22, 2018

Defect type: integer overflow in the multiplication uint256(cnt) * _value in the batchTransfer function of the Beauty Ecosystem Coin ERC-20 token.
What happened: the attacker passed such _value and a _receivers array of two elements that the product overflowed to 0. The sanity check amount > 0 was bypassed, after which two addresses received 2^255 BEC tokens each. The emission exceeded total supply by many orders of magnitude (115 octodecillion tokens).
Damage: BEC trading collapsed, OKEx, Poloniex, HitBTC, Huobi Pro suspended deposits/withdrawals of ALL ERC-20 tokens. CVE-2018-10299.
Sources:
- Wolf Crypto Medium: https://medium.com/wolf-crypto/batchoverflow-erc20-vulnerability-5691e42940de
- Verichains: https://medium.com/verichains/integer-overflow-simple-but-not-easy-9ebbc58bbaa5

6.3. ProxyOverflow (SMT et al.) — April 24, 2018

Defect type: integer overflow in _fee + _value of the transferProxy/proxyTransfer function of SmartMesh (SMT) and analogs.
What happened: two days after BEC. The attacker minted 5 octodecillion USD-equivalent in SMT. Similar vulnerabilities were found in UET (transferFlow), SCA (multiOverflow), HXG (burnOverflow), and ~12 other contracts.
Damage: repeated trading suspensions on major exchanges, devaluation of affected tokens. CVE-2018-10376.
Sources:
- PeckShield Medium: https://peckshield.medium.com/integer-overflow-i-e-proxyoverflow-bug-found-in-multiple-erc20-smart-contracts-14fecfba2759
- CryptoSlate: https://cryptoslate.com/batchoverflow-exploit-creates-trillions-of-ethereum-tokens/

6.4. Poolz Finance — March 15, 2023

Defect type: integer overflow in the unaudited LockedControl contract.
Damage: ~$390k across BSC and Polygon.
Source: Hacken: https://hacken.io/discover/smart-contract-vulnerabilities/

6.5. Raft Protocol — November 10, 2023

Defect type: precision loss in the share-token mint calculation when the collateral index rate is manipulated.
What happened: the attacker took a 6,000 cbETH flash loan from Aave and exploited a precision miscalculation in cbETH collateral handling to mint 6.7 million R tokens (Raft's stablecoin). The freshly-minted R was dumped via Balancer/Uniswap, depegging R by ~50%.
Damage: ~1,577 ETH drained (≈$3.3M in proceeds; ~$6.7M in unbacked R minted). The attacker accidentally burned 1,570 of the stolen ETH to a 0x000…dEaD address and walked away with ~7 ETH net.
Sources:
- CoinDesk: https://www.coindesk.com/tech/2023/11/10/defi-platform-raft-suffers-33m-exploit-but-hacker-likely-takes-a-loss-on-the-attack

6.6. Abracadabra Money (Cauldron V4) — January 30, 2024

Defect type: precision loss in userBorrowPart() / repay() of the Cauldron V4 contract; the rounding gap let recorded total debt drift below actual debt across repeated calls.
What happened: the attacker used a flash loan to repeatedly call userBorrowPart() and repay() from inside the V4 Cauldron, paying down other users' positions. The precision-loss bug let recorded total debt artificially shrink, bypassing the insolvency check. The attacker then borrowed MIM against far less collateral than required and dumped it.
Damage: ~$6.5M (over 2,740 ETH and 2.2M MIM); the MIM stablecoin temporarily depegged.
Sources:
- Distributed Networks Institute: https://dn.institute/research/cyberattacks/incidents/2024-01-31-abracadabra-money/
- Extropy.IO analysis: https://extropy-io.medium.com/breaking-down-the-6-5m-abracadabra-money-hack-a-detailed-analysis-of-the-cauldron-v4-exploit-44100da10896

6.7. Sonne Finance — May 14, 2024

Defect type: rounding / precision loss in the Compound-fork redeemUnderlying flow when applied to a freshly-created, near-empty market. Same defect class as the April 2023 Hundred Finance exploit.
What happened: after a governance vote added VELO to Sonne, the attacker manipulated the exchangeRate of the empty soVELO market by depositing underlying tokens directly into the contract. The truncating division in the exchange-rate calculation caused 2 wei of soVELO to value at 35,471,603 VELO — redeeming 1 wei drained the pool. Sonne was aware of the vulnerability class but their multisig on Optimism was permissionless, defeating the planned guard.
Damage: ~$20M — the largest single exploit on Optimism to date. ~$6.5M was rescued by a community front-run that re-funded the empty pool.
Sources:

6.8. Velocore V2 — June 2, 2024

Defect type: integer underflow in the fee-adjusted withdrawal math of a Balancer-style CPMM pool: when effectiveFee1e9 > 1e18 (>100%), the expression 1e18 — ((1e18 — k) * effectiveFee1e9) underflows, flipping a withdrawal into an apparent large deposit. Compounded by a missing access-control check on velocore__execute().
What happened: the attacker called velocore__execute() directly with simulated large withdrawals to push feeMultiplier past 100%; once effectiveFee1e9 exceeded 1e18, a flash-loan-funded single-token withdrawal minted an outsized LP-token balance via the underflow, letting the attacker drain the pool and repay the loan.
Damage: ~$6.8M in ETH on zkSync Era and Linea.
Sources:
- Rekt: https://rekt.news/velocore-rekt/

6.9. zkLend — February 2025

Defect type: rounding-down / precision loss in the protocol's safeMath library: integer division truncates instead of rounding, letting the attacker manipulate raw_balance through repeatedly crafted deposits and withdrawals.
What happened: the attacker deposited and withdrew wstETH in amounts engineered so that the share-burn calculation produced fractional values like 1.5, which truncated to 1.0 — leaving the attacker's accounted balance higher than it should be on every cycle. After several iterations the inflated raw_balance was used to drain other pools.
Damage: ~$9.5M (~2,930 ETH). zkLend offered a 10% bounty for return; the attacker subsequently lost most of the funds to a Tornado Cash phishing scam, and zkLend wound the protocol down four months later.
Sources:

6.10. 1inch Fusion v1 resolvers — March 5, 2025

Defect type: integer underflow on interactionLength used as a step inside a broader calldata-corruption exploit on deprecated Fusion v1 resolver contracts. The arithmetic underflow is the language-level component; the primary defect class is buffer/calldata corruption.
What happened: the attacker discovered that setting interactionLength to -512 underflowed the memory pointer used by the low-level _settleOrder function to locate the order suffix (which contains the resolver address). The corrupted suffix redirected execution into resolver contracts that still used the deprecated Fusion v1 implementation (1inch had marked it obsolete in 2023, but resolver operators had not migrated).
Damage: ~$5M total (≈2.4M USDC + 1,276 WETH). End-user funds were not affected — losses fell on resolver operators; TrustedVolumes recovered most of its ~$4.5M after negotiating with the attacker, who kept ~$450k as a 10% bounty.
Sources:
- 1inch official disclosure: https://blog.1inch.com/vulnerability-discovered-in-resolver-contract/
- Halborn analysis: https://www.halborn.com/blog/post/explained-the-1inch-hack-march-2025
- Rekt: https://rekt.news/1inch-rekt

6.11. Systematics of blockchain cases

Solidity prior to 0.8.0 (December 2020) did not perform overflow checks by default — programmers had to use SafeMath manually. After 0.8.0 the language reverts on overflow, but unchecked { ... } blocks, forks of legacy code, and division-heavy DeFi math (rounding / precision-loss bugs in share-token, exchange-rate, and fee calculations) continue to produce vulnerabilities of the same language-level arithmetic class. A 2025 systematic review (Rezaei et al., "SoK: Root Cause of $1 Billion Loss in Smart Contract Real-World Attacks", arXiv:2507.20175) catalogs arithmetic over/underflow and precision loss among the 24 active (still-exploitable) vulnerability classes in 50 major attacks 2022–2025. The paper does not break the $1.09B total down by class; for the named arithmetic-class incidents in its catalogue (cases 6.5–6.9 above), publicly reported losses sum to ~$46M, a lower bound that excludes the pre-Solidity Bitcoin case (6.1), the pre-0.8.0 Solidity cases (6.2–6.4), and the long tail of unaudited contracts. Case 6.10 (1inch Fusion v1, ~$5M) sits adjacent to this set: the arithmetic underflow there appeared as a step in a wider buffer/calldata-corruption attack rather than as the primary defect, so its loss is documented separately and not included in the $46M arithmetic-primary sum.

SoK paper (Rezaei et al., 2025): https://arxiv.org/abs/2507.20175
SoK incident repository: https://github.com/HadisRe/SoK-Root-Cause-of-Smart-Contract-Incidents

In 2009, at the QCon conference, Sir Tony Hoare (creator of Quicksort, 1980 Turing Award laureate) publicly apologized for inventing the null reference in ALGOL W in 1965:

"I call it my billion-dollar mistake. It was the invention of the null reference in 1965. (…) I couldn't resist the temptation to put in a null reference, simply because it was so easy to implement. This has led to innumerable errors, vulnerabilities, and system crashes, which have probably caused a billion dollars of pain and damage in the last forty years."

Hoare himself acknowledged that "billion" is a lower bound: he estimated the actual cumulative damage from NPE/NullPointerException in Java, NullReferenceException in .NET, and segfaults in C/C++ over 60 years as "somewhere between $100 million and $10 billion." Modern estimates are an order of magnitude larger.

Awsum eliminates null as a value of a reference type: there is no "empty" state for a reference type — absence is represented by an explicit constructor (Maybe, Either). This closes the classical NPE / segfault.

It is worth being precise about what this does not cover in other languages often grouped together for this property. Haskell still has undefined / error inhabiting every type; Rust has panic! / .unwrap(); Swift has the ! force-unwrap and implicitly-unwrapped optionals; F# inherits null from .NET interop on every reference type imported from the BCL or C#; Idris has believe_me and is partial-by-default unless totality is explicitly enforced. Each of these is the same class of bug Hoare was complaining about — "a value the type admits, but the program crashes on" — under a different name.

Awsum has no language construct for a bottom value: no undefined, no error, no panic, no force-unwrap. Combined with mandatory exhaustiveness in case (a missing constructor is a compile error, not a runtime exception), this means "a value of type T that crashes the program" does not exist — not just for null, but for the wider family.

InfoQ, "Null References: The Billion Dollar Mistake" (QCon 2009 video): https://www.infoq.com/presentations/Null-References-The-Billion-Dollar-Mistake-Tony-Hoare/
Wikipedia, Tony Hoare: https://en.wikipedia.org/wiki/Tony_Hoare

9.1. NIST 2002 — estimate of $59.5 billion/year for the US

The NIST/RTI study "Planning Report 02-3: The Economic Impacts of Inadequate Infrastructure for Software Testing" estimated the direct annual damage to the US economy from software defects at $59.5 billion (≈0.6% of GDP). Of this:

$1.8 billion — transportation manufacturing (CAD/CAM/CAE/PDM, aerospace+automotive).
$3.3 billion — financial services.
About $22.5 billion of the $59.5 billion could have been eliminated by improving testing infrastructure.

Among the elements of the CISQ Automated Source Code Reliability Measure (the structure of CWE categories that forms this number), explicitly listed are: null pointer dereference (CWE-476), division by zero (CWE-369), uncaught exception, stack overflow, and related weaknesses.

NIST Planning Report 02-3, "The Economic Impacts of Inadequate Infrastructure for Software Testing" (PDF): https://www.nist.gov/system/files/documents/2021/03/24/econImpactSumm.v23.pdf
Computerworld, "Study: Buggy software costs users, vendors nearly $60B annually": https://www.computerworld.com/article/1326875/study-buggy-software-costs-users-vendors-nearly-60b-annually.html

9.2. CISQ 2022 — estimate of $2.41 trillion/year for the US

Twenty years after the NIST study, the CISQ consortium (co-founded by OMG and SEI Carnegie Mellon) estimated the cost of poor software quality in the US at $2.41 trillion for 2022, of which:

$1.56 trillion — operational failures (actual downtime, incidents, damage from cyber-attacks via existing vulnerabilities).
$260 billion — failed projects.
$1.52 trillion — accumulated technical debt.

That's a ~40× growth over two decades. CISQ explicitly lists buffer overflow, integer overflow, null pointer dereference, division by zero among the weaknesses that form this number (CISQ Automated Source Code Quality Measures).

CISQ release: https://www.it-cisq.org/the-cost-of-poor-quality-software-in-the-us-a-2022-report/
Full report PDF: https://www.it-cisq.org/wp-content/uploads/sites/6/2022/11/CPSQ-Report-Nov-22-2.pdf
Synopsys: https://news.synopsys.com/2022-12-06-Software-Quality-Issues-in-the-U-S-Cost-an-Estimated-2-41-Trillion-in-2022
List of weaknesses (CISQ-CWE mapping): https://www.it-cisq.org/cisq-files/pdf/cisq-weaknesses-in-ascqm.pdf

9.3. CWE Top 25 — where our defects sit in the real CVE dataset

CWE Top 25 Most Dangerous Software Weaknesses (MITRE) ranks weaknesses by real CVE frequency and severity.

In the 2024 edition:

CWE-476 (NULL Pointer Dereference) — #11. 1,625 CVEs, average CVSS 5.8. Score 15.34.
CWE-190 (Integer Overflow or Wraparound) — #23. Score around 7.x by various estimates.

In the 2025 edition MITRE's methodology changed (decomposing abstract classes into specific children) — positions reshuffled, but the classes remained near the top:

CWE-476 rose to #13.
CWE-190 dropped to #30 (formally outside the Top 25, but specific buffer-overflow variants CWE-120/121/122 climbed in, which are often consequences of integer overflow).

CWE Top 25 (2024): https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html
CWE Top 25 (2025): https://cwe.mitre.org/top25/archive/2025/2025_cwe_top25.html

Incident	Year	Defect class	Casualties	Direct damage
Therac-25	1985–87	byte overflow + race	≥3 dead, ≥3 severely injured	lawsuits, FDA Class I recall
Vancouver Stock Exchange	1982–83	precision loss (truncation)	0	years of distorted index
AT&T network collapse (mentioned indirectly)	1990	C `break` mishandling, not arithmetic	0	~$60 million, 70 million failed calls
Patriot Dhahran	1991	fixed-point precision	28 dead, ~100 injured	strategic failure
Ariane 5 Flight 501	1996	int16 overflow	0	$370–500 million + 4 Cluster satellites
Bitcoin Value Overflow	2010	int64 overflow in tx output sum	0	~9 hours of chain rolled back, no $ loss
Boeing 787 GCU	2015	int32 counter overflow	0 (caught in lab)	potentially — loss of AC power in flight
BEC BatchOverflow	2018	int overflow in multiplication	0	ERC-20 trading suspensions on major exchanges
SMT proxyOverflow	2018	int overflow in addition	0	trading suspensions
Poolz Finance	2023	int overflow	0	~$390k
Raft Protocol	2023	precision loss in share-token mint	0	~$3.3M proceeds (~$6.7M unbacked R minted)
Abracadabra Money (Cauldron V4)	2024	precision loss in borrow/repay	0	~$6.5M, MIM stablecoin depeg
Sonne Finance	2024	precision loss / rounding	0	~$20M (~$6.5M rescued)
Velocore V2	2024	underflow in fee math	0	~$6.8M
zkLend	2025	precision loss / rounding	0	~$9.5M, protocol shut down
1inch Fusion v1 resolvers	2025	underflow as step in calldata corruption	0	~$5M (resolver operators)

The incidents above demonstrate that runtime defects in numerical and reference arithmetic continue to kill people and burn billions of dollars 60+ years after these defect classes were first identified. The standard "industry" answer is external tooling: SafeMath in Solidity, MISRA-C for embedded systems, static analyzers, formal verification. All of these tools are external to the language. They are optional, require discipline, and every missed SafeMath call is a potential BatchOverflow.

Awsum closes this gap through:

No null as a valid value of a reference type — Hoare's mistake closed at the type-system level. Optional values must be Maybe; the compiler refuses to compile code that doesn't handle the absence case, and exhaustiveness is checked without a catch-all _ escape. null, nil, undefined, and NaN are not values of any type in the language.
Honest integer arithmetic via Either — closing the Ariane 5 / Boeing 787 / Patriot / Vancouver / Therac-25 / BatchOverflow class. Every integer operation that can leave its range — overflow, underflow, precision loss, division by zero — returns Either with a typed error variant. The programmer must handle the error case explicitly; ignoring it is a compile error. No silent wrap, no Infinity, no -0. The same byte-identical behaviour on JVM, CLR, JavaScript, WebAssembly, and LLVM regardless of the host platform's native integer semantics.
Stack-safe recursion of any shape — closing the unbounded-recursion class. Self, mutual, and non-tail recursion compile to a bounded-stack loop on every backend, including JVM and JS where the host platform has no native cross-method tail calls. No tailRecM, no manual trampolines, no "stack-safe in our test suite, blows up in production on the JVM."
Platform effects gated at compile time — closing the runtime-surprise class. Each effect is bound to the program-types it can run under; using a browser-only effect in a CLI program (or vice versa) is a compile error, not a 3 AM page.
No silent decisions — closing the broader "I thought this value had a different type" / "I thought I was modifying the outer x" class. No defaulting of integer literals (the compiler never picks a type for the user), no implicit numeric coercion, no shadowing of any visible name by an inner binder. Closed sum types make every "what can this value be?" answerable from the type signature alone.

Each of these guarantees moves the defect from runtime to compile-time — for every line of application code, on every supported backend.

Tom Cargill / Donald MacKenzie / Nancy Leveson — academic works on software safety (Therac, Ariane, Patriot are discussed in each).
rflynn/bugs — open compilation of incidents: https://github.com/rflynn/bugs
IBM/CSO Online, "8 Famous Software Bugs in Space": https://www.csoonline.com/article/567417/8-famous-software-bugs-in-space.html
Computerworld, "Epic failures: 11 infamous software bugs": https://www.computerworld.com/article/2515483/epic-failures-11-infamous-software-bugs.html
Tech World With Milan, Ariane 5 analysis in the context of Boeing 737 MAX: https://newsletter.techworld-with-milan.com/p/how-a-single-line-of-code-brought
ACM Risks Forum (Peter Neumann) — primary source for many of the cases above.

Catastrophes Caused by Programming Language Defects

Aviation and Space

1.1. Ariane 5, Flight 501 — June 4, 1996

1.3. Boeing 787 Dreamliner — Generator Control Unit, 2015

Military Equipment

2.1. Patriot PAC-2, Dhahran — February 25, 1991

Medical Equipment

3.1. Therac-25 — 1985–1987

Stock Exchanges and Financial Markets