OWASP has released the Smart Contract Top 10: 2026, a guide to help Web3 developers, security auditors, and protocol owners identify critical vulnerabilities in smart contracts.
This edition, part of the OWASP Smart Contract Security initiative, uses security incidents and survey data from 2025 to identify the most impactful risks ahead.
The 2026 ranking shows that attackers are evolving. They are now combining different vulnerabilities, such as linking flash loans with oracle manipulation and exploiting poor upgrade governance, to cause more financial harm.
2026 Ranking
| Rank | Vulnerability | Description |
|---|---|---|
| SC01:2026 | Access Control Vulnerabilities | Flaws that allow unauthorized users or roles to invoke privileged functions or modify critical state, often leading to full protocol compromise. |
| SC02:2026 | Business Logic Vulnerabilities | Design-level flaws in lending, AMM, reward, or governance logic that break economic or functional rules, enabling value extraction even when low-level checks appear correct. |
| SC03:2026 | Price Oracle Manipulation | Weak oracles and unsafe price integrations that let attackers skew reference prices, enabling under-collateralized borrowing and mispriced swaps. |
| SC04:2026 | Flash Loan–Facilitated Attacks | Attacks using large, uncollateralized flash loans to amplify small logic, pricing, or arithmetic bugs into large drains within a single transaction. |
| SC05:2026 | Lack of Input Validation | Missing or weak validation of user, admin, or cross-chain inputs that allows unsafe parameters to reach core logic, corrupting state or enabling fund loss. |
| SC06:2026 | Unchecked External Calls | Unsafe interactions with external contracts where failures, reverts, or callbacks are not safely handled, often enabling reentrancy or inconsistent state. |
| SC07:2026 | Arithmetic Errors | Subtle bugs in integer math, scaling, and rounding — especially in share, interest, and AMM calculations — that can siphon value when paired with flash loans. |
| SC08:2026 | Reentrancy Attacks | External calls that re-enter vulnerable functions before state is fully updated, allowing repeated withdrawals or state changes from outdated contract views. |
| SC09:2026 | Integer Overflow and Underflow | Dangerous arithmetic on code paths without robust overflow checks, leading to wrapped values, broken invariants, and potential liquidity drains. |
| SC10:2026 | Proxy & Upgradeability Vulnerabilities | Misconfigured or weakly governed proxy, initialization, and upgrade mechanisms that let attackers seize control of implementations or reinitialize critical state. |
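Several of the categories in the table (SC01, SC05, SC06, SC08 and SC09) show up together in one of the most common contract shapes, a vault that accepts deposits and pays out withdrawals. The following Solidity is an added illustration written for this summary; it is not code from OWASP or from the Top 10 document, and the contract and function names (`VulnerableVault`, `HardenedVault`, `setFeeRecipient`, `withdraw`) are assumed for the example. The first contract has the weaknesses the table describes; the second applies the corresponding controls, with a comment naming the category each one addresses.

```solidity
// SPDX-License-Identifier: MIT
// Added example for this summary; not part of the OWASP Smart Contract Top 10 text.
pragma solidity ^0.8.20;

/// Weak version: each problem below corresponds to a category in the 2026 table.
contract VulnerableVault {
    mapping(address => uint256) public balances;
    address public feeRecipient;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // SC01: no access control, so any caller can redirect fees.
    // SC05: no input validation, so the zero address is accepted.
    function setFeeRecipient(address newRecipient) external {
        feeRecipient = newRecipient;
    }

    // SC08: the external call runs before the balance is reduced, so a
    // contract recipient can call withdraw again from its fallback.
    // SC06: the success flag of the low-level call is never checked.
    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient balance");
        (bool ok, ) = msg.sender.call{value: amount}("");
        ok; // result ignored
        balances[msg.sender] -= amount;
    }
}

/// Hardened version applying the controls the table implies.
contract HardenedVault {
    mapping(address => uint256) public balances;
    address public owner;
    address public feeRecipient;
    uint256 private locked = 1; // 1 = unlocked, 2 = locked (reentrancy guard state)

    event FeeRecipientChanged(address indexed previous, address indexed current);
    event Withdrawn(address indexed account, uint256 amount);

    // SC01: privileged functions are restricted to a single owner role.
    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // SC08: a mutex rejects nested calls into guarded functions.
    modifier nonReentrant() {
        require(locked == 1, "reentrant call");
        locked = 2;
        _;
        locked = 1;
    }

    constructor(address initialFeeRecipient) {
        require(initialFeeRecipient != address(0), "zero recipient"); // SC05
        owner = msg.sender;
        feeRecipient = initialFeeRecipient;
    }

    function deposit() external payable {
        require(msg.value > 0, "zero deposit"); // SC05
        balances[msg.sender] += msg.value;
    }

    // SC01: only the owner may change the recipient; SC05: zero address rejected.
    function setFeeRecipient(address newRecipient) external onlyOwner {
        require(newRecipient != address(0), "zero recipient");
        emit FeeRecipientChanged(feeRecipient, newRecipient);
        feeRecipient = newRecipient;
    }

    // Checks-effects-interactions: the balance is written before the external
    // call (SC08), the call's success flag is enforced (SC06), and the
    // subtraction reverts on underflow under Solidity >= 0.8 checked math (SC09).
    function withdraw(uint256 amount) external nonReentrant {
        require(amount > 0, "zero amount"); // SC05
        uint256 balance = balances[msg.sender];
        require(balance >= amount, "insufficient balance");
        balances[msg.sender] = balance - amount; // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed"); // SC06
        emit Withdrawn(msg.sender, amount);
    }
}
```

The guard and the ordering in `withdraw` are complementary rather than redundant: checks-effects-interactions removes the window in which a re-entered call could see stale state, while the `nonReentrant` mutex protects any other guarded function that might share state with it. Access control alone does not cover SC02 (business logic) or SC03/SC04 (oracle and flash-loan pressure); those need design-level review of how prices and balances feed economic decisions, which a single contract snippet cannot show.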
Over $2.2 billion has been lost to crypto hacks recently, highlighting the need for a structured vulnerability framework in the blockchain ecosystem.
The OWASP Smart Contract Top 10: 2026 is designed to work with other OWASP resources like the SC Weakness Enumeration, Checklist, and Top 15 Web3 Attack Vectors to create a full framework for secure smart contract development, auditing, and compliance.
