OWASP Smart Contract Project · 2026 Edition

The OWASP Smart Contract Top 10 - 2026

The ten most consequential smart contract risks of 2026, mapped to real 2025 incidents from the SCH hack database. Each category includes vulnerable vs secure code, prevention checklists, detection tools, and a candid AI-vs-human auditor analysis.

Last reviewed Jun 03, 2026 · Source: scs.owasp.org

$905.4M
2025 losses (dataset)
122
Smart-contract incidents
10
Risk categories
1 new
SC10 added for 2026

The Top 10 (2026)

Ranked by a combination of practitioner survey, 2025 incident frequency, and total dollar loss.

01 SC01:2026

Access Control Vulnerabilities

Improper access control describes any situation where a smart contract does not rigorously enforce who may invoke privileged behavior, under which conditions, and with which parameters.

Critical held $220M in 2025
02 SC02:2026

Business Logic Vulnerabilities

Business logic vulnerabilities describe any situation where a smart contract's intended economic or functional behavior can be subverted even though individual low-level checks are correct. These are design flaws in how system rules, incentives, and state transitions are modeled, distinct from low-level bugs like overflow or reentrancy.

Critical ↑ from #3 $189M in 2025
03 SC03:2026

Price Oracle Manipulation

Price oracle manipulation describes any situation where a smart contract relies on price or valuation data that can be directly or indirectly influenced by an attacker, causing the protocol to make decisions based on incorrect values.

High ↓ from #2
04 SC04:2026

Flash Loan-Facilitated Attacks

Flash loan-facilitated attacks describe exploits where an attacker uses uncollateralized, same-transaction borrowing to amplify underlying vulnerabilities (logic, pricing, or arithmetic) into large drains by executing complex multi-step sequences in a single transaction.

High ↑ from #7
05 SC05:2026

Lack of Input Validation

Lack of input validation describes any situation where a smart contract processes external data - function parameters, calldata, cross-chain messages, or signed payloads - without rigorously enforcing that the data is well-formed, within expected bounds, and authorized for the intended operation.

High held
06 SC06:2026

Unchecked External Calls

Unchecked external calls describe any situation where a smart contract invokes another contract or address without fully accounting for the callee's behavior, return value, or reentrancy potential.

High held
07 SC07:2026

Arithmetic Errors (Rounding & Precision)

Arithmetic errors (rounding and precision loss) describe any situation where a smart contract performs integer-based calculations that produce incorrect or exploitable results due to truncation, scaling, or unit conversion.

High NEW for 2026 $138M in 2025
08 SC08:2026

Reentrancy Attacks

Reentrancy describes any situation where a smart contract performs an external call (to another contract or address), and the callee can call back into the original contract before the first invocation has completed, allowing repeated withdrawals or state changes from outdated views of contract state.

Medium ↓ from #5
09 SC09:2026

Integer Overflow and Underflow

Integer overflow and underflow describe situations where arithmetic operations produce values outside the representable range of the operand type.

High held $260M in 2025
10 SC10:2026

Proxy & Upgradeability Vulnerabilities

Proxy and upgradeability vulnerabilities describe any situation where a smart contract uses an upgradeable architecture (proxy, beacon, or implementation-swapping pattern) and the upgrade path, initialization, or admin controls are misdesigned or misconfigured.

High NEW for 2026

What changed: 2025 → 2026

OWASP made four major changes for 2026. Reentrancy fell three places, Business Logic was promoted to #2, Proxy & Upgradeability is brand new, and Insecure Randomness + DoS were dropped from the top ten.

# 2025 2026 Delta
1Access ControlAccess Controlheld
2Price Oracle ManipulationBusiness LogicBusiness Logic ↑ from #3
3Logic ErrorsPrice Oracle ManipulationOracle ↓ from #2
4Lack of Input ValidationFlash Loan-Facilitated AttacksFlash Loan ↑ from #7
5Reentrancy AttacksLack of Input ValidationReentrancy ↓ to #8
6Unchecked External CallsUnchecked External Callsheld
7Flash Loan AttacksArithmetic Errors (Rounding & Precision)SC07 reframed
8Integer Overflow / UnderflowReentrancy AttacksReentrancy moved here
9Insecure RandomnessInteger Overflow / UnderflowRandomness removed
10Denial of ServiceProxy & Upgradeability NEWDoS removed

AI vs human auditor detection - by category

SCH analysis of how 2026 frontier LLM auditors compare against senior human auditors for each OWASP category. Based on EVMbench, Cecuro, and CredShields benchmarks plus SCH editorial estimates. Not an OWASP-authored table - see methodology below.

Category AI auditor Human auditor Gap
SC01 Access Control
75%
92%
17 pts
SC02 Business Logic
31%
78%
47 pts
SC03 Oracle Manipulation
48%
82%
34 pts
SC04 Flash Loan Attacks
42%
80%
38 pts
SC05 Input Validation
81%
90%
9 pts
SC06 External Calls
78%
91%
13 pts
SC07 Arithmetic Errors
64%
86%
22 pts
SC08 Reentrancy
94%
96%
2 pts
SC09 Integer Overflow
89%
92%
3 pts
SC10 Proxy & Upgradeability
67%
88%
21 pts

Takeaway: AI auditors have effectively closed the gap on reentrancy and integer overflow because tooling is mature and training data is dense. The widest gaps - business logic, oracle manipulation, flash-loan composition - require multi-step economic reasoning, which is still where senior human auditors win.

Methodology & sources

OWASP-authored vs SCH editorial

The category names, ranks, official descriptions, and 2025 incident citations on this hub are sourced from the OWASP Smart Contract Security project under CC BY-NC-SA 4.0. AI-vs-human detection rates, code examples, prevention checklists in the SCH voice, and the cross-references to SCH attack pages are SCH editorial. We mark this distinction explicitly so the page does not misrepresent OWASP as endorsing material we authored.

The $905.4M / 122 incidents number

OWASP's 2026 ranking is built on 122 deduplicated 2025 smart-contract incidents totalling ~$905.4M, sourced from CredShields' Web3HackHub, SlowMist, BlockSec, and DeFiHackLabs. This is the smart-contract-vector total - broader Web3 figures including phishing and CEX breaches are higher ($2.71B-$3.37B depending on aggregation). When other sites quote different totals, this is usually the reason.

No official OWASP PDF for 2026

OWASP publishes the Top 10 only as a MkDocs site. The PDFs referenced in some news coverage are third-party 2025 reports (Beosin, SlowMist, SolidityScan/CredShields, HackenProof, QuillAudits) that OWASP cites as data sources - not an OWASP-published PDF report.

Companion: Top 15 Web3 Attack Vectors

Alongside the Smart Contract Top 10, OWASP also publishes the Top 15 Web3 Attack Vectors (WA01-WA15) covering off-chain risks: multisig hijacking (Bybit $1.5B), supply-chain compromises, phishing, drainers, UI spoofing, and nation-state infiltration. Worth bookmarking separately - these are out of scope for the Top 10 but very much in scope for any audit engagement.

Learn the techniques behind every OWASP 2026 category

The SCH Smart Contract Hacking Course covers the exploit primitives, audit techniques, and tool workflows that map to every category in this list. Start free and see why what AI can't catch yet still defines the senior auditor.