Saturday, February 8, 2025

OWASP Smart Contract Top 10 2025 Released – What’s new!


The Open Web Application Security Project (OWASP) has released its updated Smart Contract Top 10 for 2025, providing essential insights for developers and security teams in the rapidly evolving Web3 environment.

This document outlines the most pressing vulnerabilities found in smart contracts, serving as a crucial resource for maintaining security and protecting against exploitation.

OWASP’s new release reflects changes in the landscape of smart contract security, informed by data from multiple authoritative sources, including SolidityScan’s Web3HackHub.


Overview of the OWASP Smart Contract Top 10 (2025)

The OWASP Smart Contract Top 10 (2025) categorizes vulnerabilities into ten key areas that developers must pay close attention to in order to enhance the security of their smart contracts. The updated list includes:

| Vulnerability Code | Vulnerability Name | Description |
|---|---|---|
| SC01:2025 | Access Control Vulnerabilities | Flaws that allow unauthorized access or modifications. |
| SC02:2025 | Price Oracle Manipulation | Exploitation of vulnerabilities in external data fetching for contract logic manipulation. |
| SC03:2025 | Logic Errors | Deviations from intended functionality affecting contract performance. |
| SC04:2025 | Lack of Input Validation | Insufficient checks allowing harmful inputs to disrupt contract behavior. |
| SC05:2025 | Reentrancy Attacks | Exploiting functions by re-entering before completion, leading to state changes or fund loss. |
| SC06:2025 | Unchecked External Calls | Failures in verifying the results of external calls can result in unintended consequences. |
| SC07:2025 | Flash Loan Attacks | Manipulations exploiting rapid multiple actions in single transactions to drain liquidity. |
| SC08:2025 | Integer Overflow and Underflow | Arithmetic errors causing serious vulnerabilities due to fixed-size integer limitations. |
| SC09:2025 | Insecure Randomness | Predictable random number generation leading to exploitation in sensitive functionalities. |
| SC10:2025 | Denial of Service (DoS) Attacks | Exploiting vulnerabilities to exhaust resources and render contracts non-functional. |

Changes from 2023 to 2025

The OWASP Smart Contract Top 10 has evolved to reflect the latest threats and vulnerabilities observed in the blockchain space.

Compared with the 2023 version, the 2025 list reclassifies existing entries and introduces new ones based on recent attack data and trends:

  • Reentrancy Attacks have been highlighted due to their prevalence in high-profile breaches.
  • Flash Loan Attacks have been recognized as a significant threat in decentralized finance (DeFi) ecosystems.
  • Access Control Vulnerabilities remain at the forefront, with notable financial impacts documented in the past year.

In 2024, the financial impact of vulnerabilities in smart contracts was staggering.

According to data from SolidityScan’s Web3HackHub, total losses amounted to $1.42 billion across 149 documented incidents. Below is a summary of the most impacted vulnerability categories:

| Vulnerability Type | Total Financial Loss (in USD) | Incident Count |
|---|---|---|
| Access Control Vulnerabilities | $953.2M | 45 |
| Logic Errors | $63.8M | 20 |
| Reentrancy Attacks | $35.7M | 15 |
| Flash Loan Attacks | $33.8M | 10 |
| Lack of Input Validation | $14.6M | 8 |
| Price Oracle Manipulation | $8.8M | 5 |
| Unchecked External Calls | $550.7K | 6 |

The OWASP Smart Contract Top 10 (2025) serves as a critical resource for developers within the Web3 ecosystem, emphasizing the need for rigorous testing and security measures against common vulnerabilities.

By integrating insights from various sources, including Kacherginsky’s “Top 10 DeFi Attack Vectors – 2024,” OWASP aims to provide a comprehensive framework for understanding and mitigating risks in smart contract development.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
