OWASP Smart Contract Top 10

OWASP Smart Contract Top 10 2025.

Our research with the OWASP Foundation helped shape the 2025 edition of the OWASP Smart Contract Top 10. See the risks every Web3 project faces, and check whether you're exposed.

The definitive smart contract risk framework, co-authored with OWASP Foundation.
Grounded in 50,000+ contracts scanned and 1,200+ documented incidents from Web3HackHub.
Risks covered: 10 critical categories
Data sources: SolidityScan · Web3HackHub
Losses tracked: $1.42B in 2024
Funding: Ethereum Foundation ESP Grant
Published: 2025
$1.42B lost to Web3 security incidents in 2024
149 incidents tracked in 2024 (Web3HackHub database)
50K+ contracts scanned via SolidityScan
10 risk categories defined with OWASP
01 · About the Initiative
The gold standard for Web3 security.

The Open Worldwide Application Security Project (OWASP, founded in 2001 as the Open Web Application Security Project) has been the reference point for application security ever since. Its Top 10 lists have guided millions of developers in building secure applications.

Ethereum Foundation · ESP Grant recipient
The 2025 OWASP Smart Contract Top 10, shaped by CredShields research.
CredShields partnered with the OWASP Foundation on the 2025 edition of the OWASP Smart Contract Top 10. Our SolidityScan data - covering 50,000+ scanned contracts and 1,200+ documented hacks - provided the empirical backbone for every category in the list.
2001: OWASP founded
2025: SC Top 10 2025 edition published
Community-led. Data-driven. Globally adopted.
Founded: 2001 (non-profit)
SC Top 10: 2025 edition
Data partner: CredShields
Funder: Ethereum Foundation
02 · Top 10 Risks
The most critical smart contract vulnerabilities in 2025.

The most critical security risks facing smart contracts and Web3 applications in 2025, ranked by exploitability, prevalence, and financial impact.

SC01 · Access Control Vulnerabilities
Missing or misconfigured role checks allow unauthorized callers to drain funds, upgrade contracts, or pause protocols.
SC02 · Price Oracle Manipulation
Flash-loan-powered spot-price attacks distort oracle feeds, enabling mispriced borrows and protocol-level drains.
SC03 · Logic Errors
Flawed business logic - incorrect accounting, off-by-one errors, improper state transitions - leads to silent fund loss.
SC04 · Lack of Input Validation
Unvalidated parameters allow attackers to supply malicious addresses, overflow amounts, or bypass critical guards.
SC05 · Reentrancy Attacks
An external call made before state is updated lets the callee re-enter the function and withdraw repeatedly against a stale balance. The original smart contract exploit class - still in use today.
SC06 · Unchecked External Calls
Ignoring the return value of low-level calls, or of ERC-20 tokens that return false instead of reverting, silently swallows failures and leaves contracts in inconsistent states.
SC07 · Flash Loan Attacks
Atomic, uncollateralized borrowing funds manipulation of governance, liquidity, or price feeds within a single transaction, so the attacker never holds the capital at risk.
SC08 · Integer Overflow & Underflow
Arithmetic wrapping in Solidity versions before 0.8, inside unchecked blocks, or in inline assembly produces out-of-bounds balances and bypasses transfer limits.
SC09 · Insecure Randomness
On-chain entropy sources - blockhash, block.timestamp, block.prevrandao (formerly block.difficulty) - are predictable, influenceable by block proposers, and readable by a caller who simulates the outcome before committing, so lottery or NFT outcomes can be gamed.
SC10 · Denial of Service
Gas exhaustion, unbounded loops, or griefing patterns (such as a recipient that reverts on every transfer) lock critical functions, preventing legitimate users from withdrawing funds.
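The three categories that most often appear together in a single drained contract are SC01, SC05 and SC06. The following is an added example, not code from the OWASP list, CredShields or SolidityScan: a hypothetical ETH vault written twice, first with an ungated owner setter, a withdraw that pays out before zeroing the balance, and a dropped call result, then hardened with an owner check, checks-effects-interactions plus a reentrancy guard, and a verified call result. Contract and function names are invented for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (hypothetical contracts, not from the OWASP SC Top 10 or CredShields).

/// Vulnerable: SC01 (setOwner has no access control), SC05 (withdraw makes the
/// external call before updating state), SC06 (low-level call result is ignored).
contract VulnerableVault {
    address public owner;
    mapping(address => uint256) public balances;

    constructor() { owner = msg.sender; }

    // SC01: anyone can take ownership, so the onlyOwner check in sweep() is meaningless.
    function setOwner(address newOwner) external {
        owner = newOwner;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // SC05 + SC06: pays out first, zeroes the balance afterwards, drops the return value.
    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        msg.sender.call{value: amount}(""); // callee can re-enter here; success flag dropped
        balances[msg.sender] = 0;
    }

    function sweep(address payable to) external {
        require(msg.sender == owner, "not owner");
        to.transfer(address(this).balance);
    }
}

/// Attacker contract for the vulnerable vault: re-enters withdraw() from receive().
contract Reenter {
    VulnerableVault public immutable vault;

    constructor(VulnerableVault v) { vault = v; }

    function attack() external payable {
        vault.deposit{value: msg.value}();
        vault.withdraw();
    }

    receive() external payable {
        // balances[address(this)] is still non-zero during the nested call,
        // so each re-entry pays out the same amount again until the vault is empty.
        if (address(vault).balance >= msg.value) {
            vault.withdraw();
        }
    }
}

/// Hardened version of the same vault.
contract HardenedVault {
    address public owner;
    mapping(address => uint256) public balances;
    bool private locked;

    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    modifier nonReentrant() {
        require(!locked, "reentrant call");
        locked = true;
        _;
        locked = false;
    }

    constructor() { owner = msg.sender; }

    // SC01 fixed: only the current owner may transfer ownership.
    // SC04 applied: the new owner is validated before being stored.
    function setOwner(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // SC05 fixed: state is zeroed before the external call, and the guard blocks re-entry.
    // SC06 fixed: a failed send reverts instead of being silently ignored.
    function withdraw() external nonReentrant {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    function sweep(address payable to) external onlyOwner {
        to.transfer(address(this).balance);
    }
}
```

To reproduce the drain, deploy VulnerableVault, fund it from a second account, deploy Reenter pointing at it, and call attack() with a small value; the vault's balance ends near zero while the attacker's balance grows by the deposits of everyone else. Pointing Reenter at HardenedVault instead makes the nested withdraw() revert with "reentrant call", and because the hardened vault checks the call result, the whole transaction reverts rather than leaving the attacker's balance zeroed with no payout.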
03 · Data Behind OWASP
How our research informed the standard.

At CredShields, thousands of contracts are scanned via SolidityScan and monitored through Web3HackHub. Our comprehensive reports were key inputs for the OWASP Smart Contract Top 10.

SolidityScan dataset (50K+ contracts, EVM chains).
50,000+ smart contracts scanned across EVM chains. Each scan maps vulnerability patterns to OWASP categories, building an empirical frequency baseline no other dataset can match.
Web3HackHub incidents (1,200+ incidents, root-cause tagged).
1,200+ real-world hack incidents catalogued with root-cause classification, loss amounts, and exploit technique. Used to calibrate the risk ranking of each Top 10 category.
OWASP co-authorship (ESP Grant, co-authored).
CredShields researchers contributed directly to drafting the SC Top 10 methodology, ensuring the standard reflects real exploit patterns, not theoretical risk models.
04 · Loss Landscape
$1,420,399,790 lost in 2024.

~1.42 Billion USD lost across 149 security incidents. The breakdown confirms that these Top 10 categories are not theoretical - they are active attack vectors draining real funds today.

01 · Access control & logic (~$600M+, largest category)
The largest single loss category in 2024. Misconfigured roles and flawed business logic accounted for the majority of funds stolen across DeFi protocols.
02 · Oracle & flash loan attacks (~$300M+, flash loan chains)
Price manipulation via flash loans remained a dominant vector, targeting lending protocols, AMMs, and yield optimizers with atomic multi-step exploits.
03 · Reentrancy & input flaws (~$200M+, preventable)
Classic reentrancy and input validation failures continued to surface in newly deployed contracts, proving that known vulnerability classes are still being introduced into production.
05 · Why These Risks Matter
The stakes of smart contract security.
Instant & irreversible.
Unlike Web2, exploits in smart contracts are instant, irreversible, and on-chain. Once funds are drained there is no rollback and no chargeback; recovery depends on the attacker returning funds voluntarily or on a centralized issuer freezing them, and a protocol cannot count on either.
Enterprise adoption.
With Web3 adoption by enterprises and regulators rising, compliance with security standards is no longer optional. Institutional auditors now reference OWASP SC Top 10 directly.
Prevention is key.
Over $1.4B was lost to Web3 hacks in 2024, most linked to these exact categories. A professional audit before deployment costs a fraction of one incident. Prevention is the only protection.
07 · Frequently Asked Questions
Common questions about the standard.

What is the OWASP Smart Contract Top 10?

The OWASP Smart Contract Top 10 is a risk prioritization framework that identifies the most prevalent and high-impact vulnerability classes observed in production smart contracts. It translates real incident data, audit learnings, and practitioner feedback into an actionable reference for developers, auditors, and security teams.

How does it differ from the traditional OWASP Top 10?

The traditional OWASP Top 10 focuses on web application security risks such as injection and broken authentication. The Smart Contract Top 10 addresses execution-layer risks unique to blockchain systems, including:

  • Privileged role abuse
  • Arbitrary call paths
  • Flash-loan driven manipulation
  • Upgradeability risks
  • Oracle dependencies

It reflects how decentralized systems fail, not how web servers fail.

Who is it for?

It is designed for:

  • Smart contract developers
  • Security auditors
  • Protocol architects
  • Exchanges & custodians
  • Web3 security product builders
  • Enterprise blockchain teams

If your system can move value without human intervention, this framework is relevant.

How were the categories chosen?

It is empirically grounded. The categories are derived from:

  • Documented security incidents
  • On-chain exploit patterns
  • Audit findings
  • Practitioner surveys
  • Post-mortem analysis of high-profile breaches

Does it replace an audit?

No. The Smart Contract Top 10 is an awareness and prioritization layer, not a substitute for:

  • Manual audits
  • Formal verification
  • Runtime monitoring
  • Secure SDLC processes

It helps teams ask better questions earlier in the lifecycle.

How can teams use it in practice?

It can be embedded into:

  • Threat modeling exercises
  • Secure coding checklists
  • Pre-deployment review gates
  • CI/CD static analysis baselines
  • Auditor scoping discussions

Many teams map their controls against each category to ensure systematic coverage.

Is it only relevant to DeFi?

No. While DeFi incidents heavily inform the dataset, the risk classes apply to:

  • Token contracts
  • NFT platforms
  • DAO governance systems
  • Bridges and cross-chain systems
  • RWA tokenization platforms
  • Institutional custody systems

Any smart contract that manages value inherits systemic risk.


Don't let your project become the next headline.

Run a free scan today and see how your code stacks up against the OWASP Smart Contract Top 10.

Secure your protocol today. Don't wait for a security incident.

Get your comprehensive security audit from the team trusted by 200+ protocols and enterprises worldwide. Fast turnaround. Proven track record. Direct access to senior security engineers.

NDA by default: signed before kickoff
SOC 2 Type II: certified
ISO 27001: compliant