
OWASP Smart Contract
Top 10 2026.

Updated with $3.67B in 2025 loss data and four new categories. The definitive smart contract risk standard - now covering Business Logic, Proxy Vulnerabilities, Oracle Manipulation, and Flash Loans as standalone risks.

Published: 2026

  • Risks covered: 10 updated categories, 4 of them new vs the 2025 edition
  • Data sources: SolidityScan (50K+ contracts scanned) and Web3HackHub (134 incidents tracked)
  • Losses tracked: $3.67B across Web3 security incidents in 2025
01 · About the Initiative
The gold standard for Web3 security, updated.

The Open Web Application Security Project (OWASP) has been the gold standard for web security since 2001. Their Top 10 lists have guided millions of developers in building secure applications.

OWASP SC Top 10 2026 - four new categories, two years of new loss data.
The 2026 edition reflects a materially changed threat landscape. Flash loan attacks, oracle manipulation, proxy vulnerabilities, and business logic errors have each surpassed the $100M individual loss threshold and now appear as standalone top-10 categories. CredShields' Web3HackHub incident data and SolidityScan scan corpus informed every ranking change.
02 · Top 10 Risks
The most critical smart contract vulnerabilities in 2026.

The most critical security risks facing smart contracts and Web3 applications in 2026, ranked by exploitability, prevalence, and financial impact across 134 documented incidents.

SC01 · Access Control Vulnerabilities
Missing or misconfigured role checks allow unauthorized callers to drain funds, upgrade contracts, or pause protocols. Top loss category in 2025.

SC02 · Price Oracle Manipulation
Flash-loan-powered spot-price attacks distort oracle feeds, enabling mispriced borrows and protocol-level drains. Promoted from SC07 in 2025.

SC03 · Business Logic Errors
New in 2026. Incorrect protocol economics, improper fee accounting, and governance exploits that pass all unit tests but fail at system level.

SC04 · Lack of Input Validation
Unvalidated parameters allow attackers to supply malicious addresses, overflow amounts, or bypass critical guards - still a top-5 vector by incident count.

SC05 · Reentrancy Attacks
Recursive external calls drain funds before state is updated. The original smart contract exploit - continuously re-discovered in newly deployed protocols.

SC06 · Flash Loan Attacks
New standalone category in 2026. Atomic uncollateralized borrowing manipulates governance, liquidity, or price feeds within a single transaction block.

SC07 · Proxy & Upgrade Vulnerabilities
New in 2026. Uninitialized proxies, storage collisions, and unconstrained upgrade authority allow complete protocol takeover post-deployment.

SC08 · Unchecked External Calls
Ignoring return values from low-level calls or ERC-20 transfers silently swallows failures, leaving contracts in broken states with incorrectly accounted balances.

SC09 · Integer Overflow & Underflow
Arithmetic wrapping in assembly blocks produces out-of-bounds balances and bypasses transfer limits. Relevant in any code path using unchecked arithmetic.

SC10 · Denial of Service
Gas exhaustion, unbounded loops, or griefing patterns lock critical functions, preventing legitimate users from withdrawing funds or executing governance actions.
03 · Data Behind OWASP
How our research informed the 2026 standard.

At CredShields, thousands of contracts are scanned via SolidityScan and monitored through Web3HackHub. Our comprehensive reports were key inputs for the OWASP Smart Contract Top 10.

SolidityScan dataset.
50,000+ smart contracts scanned across EVM chains. Each scan maps vulnerability patterns to OWASP categories, providing the frequency baseline that drives the 2026 rankings.
Web3HackHub incidents.
134 real-world hack incidents from 2025 catalogued with root-cause classification and $3.67B in losses attributed. The four new 2026 categories were each driven by $100M+ individual incident clusters.
OWASP co-authorship.
CredShields researchers contributed directly to drafting the 2026 update - reviewing incident data, validating category boundaries, and ensuring the ranking reflects real exploit patterns, not theoretical risk.
04 · Loss Landscape
$3,670,000,000 lost in 2025.

Roughly $3.67 billion was lost across 134 security incidents in 2025. Each of the four new categories in the 2026 list represents an attack vector that surpassed the $100M individual-incident threshold in 2025.

01 · Access control & logic
Misconfigured roles and business logic flaws remained the dominant category. A single protocol compromise via access control failure cost $500M+ in 2025.
~$1.2B+ · Largest category

02 · Flash loans & oracle attacks
The new standalone flash loan category reflects a sharp rise in multi-step atomic exploits combining uncollateralized borrowing with oracle manipulation to drain liquidity pools.
~$900M+ · Fastest growing

03 · Proxy & upgrade flaws
The new proxy category reflects a surge in post-deployment takeovers via uninitialized implementation slots and unconstrained upgrade authority in upgradeable contract patterns.
~$600M+ · New in 2026
05 · Why These Risks Matter
The stakes of smart contract security.
Instant & irreversible.
Unlike Web2, exploits in smart contracts are instant, irreversible, and on-chain. Once funds are drained, they're gone forever. There is no rollback, no chargeback, no recovery.
Enterprise adoption.
With Web3 adoption by enterprises and regulators rising, compliance with security standards is no longer optional. Institutional auditors now reference the OWASP SC Top 10 directly in due diligence checklists.
Prevention is key.
Over $3.67B was lost to Web3 hacks in 2025, most linked to these exact categories. A professional audit before deployment costs a fraction of one incident. Prevention is the only protection.
07 · Frequently Asked Questions
Common questions about the 2026 standard.

The 2026 edition adds four new standalone categories - Business Logic Errors, Oracle Manipulation, Flash Loan Attacks, and Proxy & Upgrade Vulnerabilities - each driven by $100M+ loss clusters in 2025. Rankings across all ten categories were updated based on 134 incidents and $3.67B in tracked losses from the 2025 Web3HackHub dataset.

The 2025 edition established the baseline top 10. The 2026 edition reflects a materially changed threat landscape: flash loan attacks, proxy vulnerabilities, and business logic errors have each grown into distinct, high-impact categories that warrant separate audit focus. Total tracked losses grew from $1.42B (2024) to $3.67B (2025) - a 158% increase.

The 2026 update was developed by CredShields researchers in collaboration with the OWASP Foundation. The ranking methodology uses empirical data from 50,000+ contracts scanned via SolidityScan and 134 real-world incidents tracked via Web3HackHub through 2025. New categories were added only where multiple high-value incidents confirmed the pattern as a systemic, not isolated, risk.

Yes. Every CredShields smart contract audit explicitly maps findings to the OWASP SC Top 10 2026 categories. The audit report includes a coverage matrix showing which categories were tested, what was found, and the severity classification for each finding. Free AI-powered pre-screening is available via SolidityScan before you engage for a full manual audit.

Adoption is accelerating. Institutional investors, crypto exchanges, and DeFi protocols increasingly cite the OWASP SC Top 10 in their security requirements and listing criteria. With MiCA enforcement underway in the EU and similar frameworks developing globally, audits mapped to OWASP categories provide the clearest compliance evidence available for smart contract security.

The OWASP SC Top 10 can be embedded into:

  • Threat modeling exercises
  • Secure coding checklists
  • Pre-deployment review gates
  • CI/CD static analysis baselines
  • Auditor scoping discussions

Many teams map their controls against each category to ensure systematic coverage.

Yes. Static analyzers, AI-based scanners, fuzzers, and manual review methodologies can map findings to the Top 10 categories. This enables:

  • Standardized reporting
  • Risk scoring alignment
  • Better communication with stakeholders
  • Board-level risk articulation

SolidityScan maps every finding to its corresponding OWASP SC Top 10 2026 category automatically.

Start here

Don't let your project become the next headline. Run a free scan today and see how your code stacks up against the OWASP Smart Contract Top 10.

Don't wait for a security incident. Get your comprehensive security audit from the team trusted by 200+ protocols and enterprises worldwide. Fast turnaround. Proven track record. Direct access to senior security engineers.

  • NDA by default, signed before kickoff
  • SOC 2 Type II certified
  • ISO 27001 compliant