Home / Risk Lists / OWASP Smart Contract Top 10

OWASP Smart Contract Top 10 v2026

The most critical security risks in smart contract development, based on 2025 incident data

This is a reference tool, not an authoritative source. For official documentation, visit owasp.org.

10 risks

Access Control — Risks related to access control enforcement in smart contracts

SC01Access Control Vulnerabilities

Arithmetic — Risks related to integer math errors, rounding, and precision loss

SC07Arithmetic Errors

Business Logic — Risks related to design-level flaws in protocol economics and state transitions

SC02Business Logic Vulnerabilities

External Calls — Risks related to unsafe interactions with external contracts and callbacks

SC06Unchecked External Calls

Flash Loans — Risks related to uncollateralized same-transaction borrowing amplifying vulnerabilities

SC04Flash Loan-Facilitated Attacks

Input Validation — Risks related to insufficient validation of external data and parameters

SC05Lack of Input Validation

Integer Safety — Risks related to integer overflow and underflow in arithmetic operations

SC09Integer Overflow and Underflow

Oracle Security — Risks related to price feed manipulation and oracle trust boundaries

SC03Price Oracle Manipulation

Reentrancy — Risks related to external calls re-entering vulnerable functions before state updates

SC08Reentrancy Attacks

Upgradeability — Risks related to proxy patterns and contract upgrade mechanisms

SC10Proxy & Upgradeability Vulnerabilities