The OWASP Smart Contract Top 10 (2025)
OWASP groups the most critical smart contract risks into ten categories. The list is not arbitrary: these are the vulnerability classes that keep showing up in audits, exploit post-mortems and on-chain incident reports, ordered roughly by how often and how badly they bite.
| Code | Vulnerability Name | What It Means |
|---|---|---|
| SC01:2025 | Access Control Vulnerabilities | Missing or weak authorization checks (an unprotected owner-only function, a public initializer, a role that is never revoked) that let unauthorized callers mint, pause, upgrade or drain. |
| SC02:2025 | Price Oracle Manipulation | The contract prices assets from a source an attacker can move, such as a single DEX pool's spot price, and acts on the manipulated value. |
| SC03:2025 | Logic Errors | Bugs in the business logic (wrong reward math, broken state machines, mis-ordered steps) that make the contract behave in ways the designers did not intend, even though every line "works". |
| SC04:2025 | Lack of Input Validation | Trusting caller-supplied values (amounts, addresses, array lengths, protocol parameters) without bounds or sanity checks. |
| SC05:2025 | Reentrancy Attacks | An external call hands control to the callee before the contract has updated its own state, so the callee calls back in and repeats the action, often draining funds. |
| SC06:2025 | Unchecked External Calls | Low-level `call`, `delegatecall` and `send` return `false` instead of reverting on failure; ignoring that result lets the contract carry on as if the call had succeeded. |
| SC07:2025 | Flash Loan Attacks | Borrowing large uncollateralized liquidity for a single transaction to manipulate prices, governance votes or protocol state, then repaying before the transaction ends. |
| SC08:2025 | Integer Overflow & Underflow | Arithmetic on fixed-size integers wrapping around. Solidity 0.8+ reverts by default, but `unchecked` blocks, inline assembly and older compilers still wrap, corrupting balances and accounting. |
| SC09:2025 | Insecure Randomness | "Random" values derived from on-chain data (`block.timestamp`, `blockhash`, `block.prevrandao`) that validators or other transactions in the same block can know in advance or influence. |
| SC10:2025 | Denial of Service (DoS) | Making a contract unusable, for example by growing an unbounded loop past the block gas limit or by making a required external call (a refund to a reverting recipient) fail every time. |