OWASP has released its updated list of the top 10 vulnerabilities in smart contracts for 2025. This guide highlights the most critical vulnerabilities and provides developers and security professionals with a roadmap to reduce risks in decentralized systems.
OWASP 2023 – 2025
The OWASP Smart Contract Top 10 lists the most common vulnerabilities in the Web3 space, including:
Access Control Vulnerabilities (SC01:2025): Missing or broken access checks let unauthorized callers reach privileged functions, for example changing an owner, minting tokens or moving funds, which leads to major losses. In 2024 these issues accounted for $953.2 million in losses, as reported by SolidityScan's Web3HackHub.
Price Oracle Manipulation (SC02:2025): Attackers manipulate the external data sources a contract relies on, typically an on-chain spot price that can be moved within a single transaction, so that the protocol prices assets incorrectly and can be drained or destabilized.
Logic Errors (SC03:2025): Mistakes in business logic remain a costly issue, leading to improper token minting, flawed lending logic, or incorrect reward distributions.
Reentrancy Attacks (SC05:2025): A contract that makes an external call before updating its own state lets the callee re-enter the same function and repeat the operation, draining funds or corrupting logic. Reentrancy led to $35.7 million in losses in 2024.
Flash Loan Attacks (SC07:2025): These attacks use uncollateralized loans that must be repaid within one transaction to move large amounts of capital through a protocol, distorting liquidity and token prices (often to manipulate an oracle) before the loan is repaid. The remaining entries on the list include Integer Overflow and Underflow, Insecure Randomness, and Denial of Service attacks.
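A second added illustration, covering the SC02 (price oracle manipulation) and SC07 (flash loan) entries; again not code from OWASP or the article. The lender contract names (SpotPriceLender, OracleLender) and the 75% loan-to-value figure are hypothetical; the two interfaces are minimal copies of the Uniswap V2 pair getReserves() and Chainlink AggregatorV3Interface latestRoundData() signatures. The vulnerable lender prices collateral from the pool's current reserves, which a flash-loan-funded swap can skew within the same transaction; the hardened lender reads an aggregated feed and rejects stale or non-positive answers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example (not from OWASP or the article); contract names are hypothetical.

// Minimal Uniswap V2 pair interface
interface IPair {
    function getReserves()
        external view returns (uint112 reserve0, uint112 reserve1, uint32 blockTimestampLast);
}

// Minimal Chainlink AggregatorV3Interface
interface IAggregatorV3 {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// SC02 + SC07: collateral is priced from live pool reserves. An attacker takes a
// flash loan of token1, swaps it into the pool (reserve1 up, reserve0 down),
// borrows against inflated collateral, unwinds the swap and repays the loan,
// all in one transaction.
contract SpotPriceLender {
    IPair public pair; // token0 = collateral asset, token1 = lent asset

    constructor(IPair _pair) { pair = _pair; }

    // token1 units per 1e18 units of collateral, read from the manipulable spot state
    function collateralPrice() public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return uint256(r1) * 1e18 / uint256(r0);
    }

    function maxBorrow(uint256 collateralAmount) external view returns (uint256) {
        // 75% LTV (hypothetical) against a price anyone can move in the same block
        return collateralAmount * collateralPrice() / 1e18 * 75 / 100;
    }
}

// Hardened: price comes from an off-chain aggregated feed with freshness and
// sanity checks, so one in-block swap does not change what the lender sees.
contract OracleLender {
    IAggregatorV3 public feed;
    uint256 public constant MAX_STALENESS = 1 hours; // assumption: match the feed's heartbeat

    constructor(IAggregatorV3 _feed) { feed = _feed; }

    function collateralPrice() public view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "invalid price");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "stale price");
        // normalise the feed's decimals to 18
        return uint256(answer) * 1e18 / (10 ** uint256(feed.decimals()));
    }

    function maxBorrow(uint256 collateralAmount) external view returns (uint256) {
        return collateralAmount * collateralPrice() / 1e18 * 75 / 100;
    }
}
```

When an external feed is not available, the alternative is a time-weighted average price read from the pool's cumulative price accumulators over a window of many blocks; the point in both cases is that the value the lender trusts cannot be set by the transaction that consumes it.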