OWASP Smart Contract Top 10 (2025)

The most critical security risks facing smart contracts and Web3 applications in 2025. Our data shows access control vulnerabilities alone accounted for 67% of losses in 2024.

SC01:2025 (Critical)

Access Control Vulnerabilities

Improper access controls that allow unauthorized users to execute privileged functions.

REAL-WORLD EXAMPLE
Poly Network Bridge Exploit - $611M
SC02:2025 (Critical)

Reentrancy Attacks

External calls made before state is updated, allowing an attacker's contract to call back into the function recursively.

SC03:2025 (High)

Integer Overflow/Underflow

Arithmetic operations that exceed a variable's limits, causing unexpected behavior.

SC04:2025 (High)

Unchecked External Calls

External calls whose failure goes unhandled because return values or exceptions are not checked.

SC05:2025 (High)

Denial of Service

Contract states or gas-limit conditions that can be abused to prevent normal operation.

SC06:2025 (Medium)

Bad Randomness

Predictable random number generation that can be exploited by attackers.

SC07:2025 (Medium)

Front-running

Manipulation of transaction ordering in the mempool for financial advantage.

SC08:2025 (Medium)

Time Manipulation

Reliance on block timestamps that miners can manipulate within limits.

SC09:2025 (Low)

Short Address Attack

EVM padding behavior exploited through malformed address parameters.

SC10:2025 (Low)

Unchecked Return Values

Silent failures from external calls whose return values are not validated.
