OWASP Smart Contract Top 10

About the Smart Contract Top 10

The OWASP Smart Contract Top 10 is a standard awareness document that intends to provide Web3 developers and security teams with insight into the top 10 vulnerabilities found in smart contracts.

It will serve as a reference to ensure that smart contracts are secured against the top 10 weaknesses exploited/discovered over the last couple of years.

Top 10


Title Description
SC01 - Reentrancy Attacks This is when an attacker is able to repeatedly call a function within a smart contract, exploiting the fact that the state of the contract hasn’t been updated as expected. This could lead to funds or other resources being drained from the contract.
SC02 - Integer Overflow and Underflow These vulnerabilities occur when a numerical operation results in a value that is outside the range of the variable’s data type. In a smart contract, this could be exploited to manipulate balances or other critical values.
SC03 - Timestamp Dependence If a smart contract’s behavior relies on the timestamp of the block it’s included in, it may be vulnerable to manipulation. This is because miners have a degree of control over the block timestamp.
SC04 - Access Control Vulnerabilities If a smart contract doesn’t properly implement access control, it can leave critical functions exposed. This could allow unauthorized users to perform actions that should be restricted, such as altering the contract’s state or withdrawing funds.
SC05 - Front-running Attacks Front-running is a vulnerability specific to blockchain systems. An attacker can observe a pending transaction and then issue their own transaction with a higher gas fee, incentivizing miners to include it in the blockchain first.
SC06 - Denial of Service (DoS) Attacks DoS attacks aim to make a contract unresponsive or otherwise unavailable. In smart contracts, this could be achieved by consuming all available gas, or causing transactions to continually fail.
SC07 - Logic Errors If a smart contract is poorly coded, it may contain logic errors that lead to unintended behavior. This could range from incorrect calculations to faulty conditional statements, or even exposed administrative functions.
SC08 - Insecure Randomness Blockchain networks are deterministic by nature, making it difficult to generate true randomness in smart contracts. If an attacker can predict or influence a supposedly random number, they can manipulate the contract to their advantage.
SC09 - Gas Limit Vulnerabilities Each Ethereum block has a gas limit, restricting the number of operations it can include. If a function within a contract requires more gas than this limit, it may become unexecutable, potentially freezing the contract or its funds.
SC10 - Unchecked External Calls When a contract calls an external function, it may not properly check the result of the call. If the external call fails but the original contract doesn’t check for this, it could assume the call was successful and continue its execution, leading to unintended consequences.


The OWASP Smart Contract Top 10 document is licensed under the CC BY-NC-SA 4.0, the Creative Commons Attribution-ShareAlike 4.0 license. Some rights reserved.

Project Leaders


Put whatever you like here: news, screenshots, features, supporters, or remove this file and don’t use tabs at all.

Project Lead

Name Affiliation Personal Links
Jinson Varghese Behanan Astra Security Website, Twitter, LinkedIn


Individuals that provided a significant contribution to the project:

Name Affiliation Personal Links
Moises Ruiz Diaz Web3 Security Latam Twitter, LinkedIn
Hansen Wong - Twitter

All discussions take place on the OWASP Smart Contract Top Ten GitHub repository.

We welcome all community members to actively participate and help enhance this project. If you have any suggestions, feedback or want to help improve the list, we invite you to kickstart a dialogue by raising an issue or submitting a pull request.

You can read our contributing guidelines here.