
OWASP Smart Contract Top 10 2025 Released – What’s new!


The Open Web Application Security Project (OWASP) has released its updated Smart Contract Top 10 for 2025, providing essential insights for developers and security teams in the rapidly evolving Web3 environment.

This document outlines the most pressing vulnerabilities found in smart contracts, serving as a crucial resource for maintaining security and protecting against exploitation.

OWASP’s new release reflects changes in the landscape of smart contract security, informed by data from multiple authoritative sources, including SolidityScan’s Web3HackHub.


Overview of the OWASP Smart Contract Top 10 (2025)

The OWASP Smart Contract Top 10 (2025) categorizes vulnerabilities into ten key areas that developers must pay close attention to in order to secure their smart contracts. The updated list includes:

Vulnerability Code | Vulnerability Name | Description
SC01:2025 | Access Control Vulnerabilities | Flaws that allow unauthorized access or modifications.
SC02:2025 | Price Oracle Manipulation | Exploitation of vulnerabilities in external data fetching for contract logic manipulation.
SC03:2025 | Logic Errors | Deviations from intended functionality affecting contract performance.
SC04:2025 | Lack of Input Validation | Insufficient checks allowing harmful inputs to disrupt contract behavior.
SC05:2025 | Reentrancy Attacks | Exploiting functions by re-entering before completion, leading to state changes or fund loss.
SC06:2025 | Unchecked External Calls | Failures in verifying the results of external calls can result in unintended consequences.
SC07:2025 | Flash Loan Attacks | Manipulations exploiting rapid multiple actions in single transactions to drain liquidity.
SC08:2025 | Integer Overflow and Underflow | Arithmetic errors causing serious vulnerabilities due to fixed-size integer limitations.
SC09:2025 | Insecure Randomness | Predictable random number generation leading to exploitation in sensitive functionalities.
SC10:2025 | Denial of Service (DoS) Attacks | Exploiting vulnerabilities to exhaust resources and render contracts non-functional.

Changes from 2023 to 2025

The OWASP Smart Contract Top 10 has evolved to reflect the latest threats and vulnerabilities observed in the blockchain space.

Compared with the 2023 version, vulnerabilities have been reclassified and new entries introduced based on recent attack data and trends:

  • Reentrancy Attacks have been highlighted due to their prevalence in high-profile breaches.
  • Flash Loan Attacks have been recognized as a significant threat in decentralized finance (DeFi) ecosystems.
  • Access Control Vulnerabilities remain at the forefront, with notable financial impacts documented in the past year.

In 2024, the financial impact of vulnerabilities in smart contracts was staggering.

According to data from SolidityScan’s Web3HackHub, the total losses amounted to $1.42 billion across 149 documented incidents. Below is a summary of the most impacted vulnerability categories:

Vulnerability Type | Total Financial Loss (in USD) | Incident Count
Access Control Vulnerabilities | $953.2M | 45
Logic Errors | $63.8M | 20
Reentrancy Attacks | $35.7M | 15
Flash Loan Attacks | $33.8M | 10
Lack of Input Validation | $14.6M | 8
Price Oracle Manipulation | $8.8M | 5
Unchecked External Calls | $550.7K | 6

The OWASP Smart Contract Top 10 (2025) serves as a critical resource for developers within the Web3 ecosystem, emphasizing the need for rigorous testing and security measures against common vulnerabilities.

By integrating insights from various sources, including Kacherginsky’s “Top 10 DeFi Attack Vectors – 2024,” OWASP aims to provide a comprehensive framework for understanding and mitigating risks in smart contract development.

Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
