Smart contracts are revolutionizing how we interact with blockchain technology. However, they are not without their risks. This guide provides a comprehensive list of vulnerabilities to help you understand, identify, and mitigate these risks, ensuring the security and success of your blockchain projects. We've compiled vulnerabilities from Smart Contract Weakness Classification (SWC), OWASP Smart Contract Top 10, and Not-So-Smart Contracts GitHub Repo. Each vulnerability is categorized by its severity and accompanied by a direct link to the original reference.
- Financial Risks: Vulnerabilities can lead to financial losses, affecting your bottom line.
- Reputation: Security incidents can severely damage your brand and customer trust.
- Regulatory Compliance: Understanding vulnerabilities helps in adhering to increasing regulatory requirements around blockchain technology.
- 📘 Smart Contract Weakness Classification (SWC)
- 📗 OWASP Smart Contract Top 10
- 📙 Not-So-Smart Contracts GitHub Repo
SWC provides a detailed classification of 37 smart contract vulnerabilities. Below is the complete list:
| Ref ID | Title | Severity |
|---|---|---|
| SWC-100 | Function Default Visibility | 🔴 High |
| SWC-101 | Integer Overflow and Underflow | 🔴 High |
| SWC-102 | Unchecked Return Values | 🔴 High |
| SWC-103 | Floating Pragma | 🟠 Medium |
| SWC-104 | Unprotected Ether Withdrawal | 🔴 High |
| SWC-105 | Unprotected SELFDESTRUCT Instruction | 🔴 High |
| SWC-106 | Unprotected Function of Gatekeeper | 🟠 Medium |
| SWC-107 | Reentrancy | 🔴 High |
| SWC-108 | State Variable Default Visibility | 🟠 Medium |
| SWC-109 | Uninitialized Storage Pointer | 🔴 High |
| SWC-110 | Assert Violation | 🟠 Medium |
| SWC-111 | Use of Deprecated Solidity Functions | 🟠 Medium |
| SWC-112 | Delegatecall to Untrusted Callee | 🔴 High |
| SWC-113 | DoS with Failed Call | 🔴 High |
| SWC-114 | Transaction Order Dependence | 🟠 Medium |
| SWC-115 | Authorization through tx.origin | 🔴 High |
| SWC-116 | Timestamp Dependence | 🟠 Medium |
| SWC-117 | Signature Malleability | 🔴 High |
| SWC-118 | Incorrect Constructor Name | 🔴 High |
| SWC-119 | Shadowing State Variables | 🟠 Medium |
| SWC-120 | Weak Sources of Randomness from Chain Attributes | 🔴 High |
| SWC-121 | Missing Protection against Signature Replay Attacks | 🔴 High |
| SWC-122 | Lack of Proper Signature Verification | 🔴 High |
| SWC-123 | Requirement Violation | 🟠 Medium |
| SWC-124 | Write to Arbitrary Storage Location | 🔴 High |
| SWC-125 | Incorrect Inheritance Order | 🟠 Medium |
| SWC-126 | Insufficient Gas Griefing | 🔴 High |
| SWC-127 | Arbitrary Jump with Function Type Variable | 🔴 High |
| SWC-128 | DoS With Block Gas Limit | 🟠 Medium |
| SWC-129 | Typographical Error | 🟠 Medium |
| SWC-130 | Right-To-Left-Override control character (U+202E) | 🟠 Medium |
| SWC-131 | Presence of unused variables | 🟢 Low |
| SWC-132 | Unexpected Ether balance | 🟠 Medium |
| SWC-133 | Hash Collisions With Multiple Variable Length Arguments | 🔴 High |
| SWC-134 | Message call with hardcoded gas amount | 🟠 Medium |
| SWC-135 | Code With No Effects | 🟢 Low |
| SWC-136 | Unencrypted Private Data On-Chain | 🔴 High |
| SWC-137 | Hardcoded Secrets | 🔴 High |
For complete details, check out the full SWC list.
OWASP outlines the top 10 vulnerabilities in smart contracts. Here's the complete rundown:
| Ref ID | Title | Severity |
|---|---|---|
| SC01:2023 | Reentrancy Attacks | 🔴 High |
| SC02:2023 | Integer Overflow and Underflow | 🔴 High |
| SC03:2023 | Timestamp Dependence | 🟠 Medium |
| SC04:2023 | Access Control Vulnerabilities | 🔴 High |
| SC05:2023 | Front-running Attacks | 🟠 Medium |
| SC06:2023 | Denial of Service (DoS) Attacks | 🔴 High |
| SC07:2023 | Logic Errors | 🟠 Medium |
| SC08:2023 | Insecure Randomness | 🟠 Medium |
| SC09:2023 | Gas Limit Vulnerabilities | 🟠 Medium |
| SC10:2023 | Unchecked External Calls | 🔴 High |
For complete details, check out the full OWASP Smart Contract Top 10 list.
The Not-So-Smart Contracts GitHub Repo provides examples of common Ethereum smart contract vulnerabilities. Here's the complete list:
| Ref ID | Title | Severity |
|---|---|---|
| Bad Randomness | Bad Randomness | 🟠 Medium |
| Denial of Service | Denial of Service | 🔴 High |
| Forced Ether Reception | Forced Ether Reception | 🟠 Medium |
| Incorrect Interface | Incorrect Interface | 🟠 Medium |
| Integer Overflow | Integer Overflow | 🔴 High |
| Race Condition | Race Condition | 🟠 Medium |
| Reentrancy | Reentrancy | 🔴 High |
| Unchecked External Call | Unchecked External Call | 🔴 High |
| Unprotected Function | Unprotected Function | 🟠 Medium |
| Variable Shadowing | Variable Shadowing | 🟠 Medium |
| Wrong Constructor Name | Wrong Constructor Name | 🔴 High |
For complete details, check out the full Not-So-Smart Contracts GitHub Repo.
- Regular Audits: Conduct smart contract audits regularly with specialized security firms.
- Employee Training: Educate your development team on these vulnerabilities to avoid common pitfalls.
- Use Verified Libraries: Whenever possible, use libraries and contracts that have been audited and verified.
- Real-time Monitoring: Implement real-time monitoring systems to catch unusual activities as they happen.
Consider implementing a real-time security dashboard that tracks key metrics like:
- Number of transactions processed
- Unusual or suspicious activities
- Audit results and their status
For specialized assistance, consider reaching out to security firms that focus on smart contract auditing. Your investment in security now can save significant costs in the future.