#05 SC05:2026 High Held #4

Lack of Input Validation

Lack of input validation describes any situation where a smart contract processes external data - function parameters, calldata, cross-chain messages, or signed payloads - without rigorously enforcing that the data is well-formed, within expected bounds, and authorized for the intended operation.

Official OWASP description, from scs.owasp.org (CC BY-NC-SA 4.0).

Why this rank in 2026

Held mid-list. Severity is high - Cetus lost $223M partly because liquidity parameters were unvalidated - but mature lint rules and clearer audit checklists kept this from climbing higher.

What "input validation" means in smart contracts

Web-app input validation is mostly about preventing injection. Smart-contract input validation is mostly about preventing economically invalid states. The cost of accepting a bad input on chain is not data corruption - it is a permanent value transfer.

The category covers five common failure modes: out-of-bounds numeric values (fees above 100%, max-uint amounts), malformed addresses or payloads bypassing allowlists, replay attacks via missing nonce / expiry / chain-ID validation, composability edge cases in relayed data, and missing token authenticity checks before accepting tokens as collateral.

2025 incidents

  • Cetus (May 2025) lost $223M. Unvalidated liquidity parameters reaching ~2^113 were combined with the checked_shlw overflow in the Move integer-mate library. OWASP cross-references this incident under SC09 as well - the input validation failure made the arithmetic bug exploitable.

  • Ionic Money (Feb 2025) lost ~$6.9M because it accepted counterfeit LBTC as collateral without an on-chain authenticity check. Attackers minted 250 fake tokens and borrowed $8.6M against them.

How AI auditors handle this category

This is one of the strongest categories for AI auditing. Pattern matching against "missing zero check," "missing range guard," "calldata trusted without verification" is exactly the work LLMs do well. The remaining gap is protocol-specific - knowing that, for example, a positive fee that is technically valid is economically invalid in this protocol's context.

2025 incidents tied to this category

Pulled live from the SCH hack database, ordered by amount lost. Click any incident for the full post-mortem.

View the full SCH hack dashboard →

Vulnerable vs secure code

✗ Vulnerable solidity
// Vulnerable: protocol fee accepted as raw input with no bounds
function setProtocolFee(uint256 newFee) external onlyOwner {
    protocolFee = newFee;       // can be set above 100% - drains all swap output
}
✓ Secure solidity
// Secure: bounded with a documented invariant
uint256 public constant MAX_FEE_BPS = 1000;     // 10%

function setProtocolFee(uint256 newFeeBps) external onlyOwner {
    require(newFeeBps <= MAX_FEE_BPS, "fee too high");
    emit FeeChanged(protocolFeeBps, newFeeBps);
    protocolFeeBps = newFeeBps;
}

AI vs human auditor on this category

Each bar is a detection rate: out of 100 known input validation bugs, how many that auditor type finds. Higher means more reliable. The gap below is the percentage-point difference - the work senior humans still do that AI does not.

AI auditor (frontier LLM)
81%
Human auditor (senior)
90%

% of SC05 bugs caught - higher is better.

Human advantage on SC05
+9 percentage points
Senior auditors catch 9 more input validation bugs per 100 than frontier AI today. That gap is the skill the SCH course teaches.

One of the strongest categories for AI. Frontier models reliably flag missing zero-address checks, missing range checks, and obvious calldata trust assumptions. Humans still catch protocol-specific cases where the "right" input range depends on system context.

Methodology: EVMbench, Cecuro purpose-built agent benchmarks, and senior-auditor self-reported catch rates. SCH editorial, not OWASP-authored.

Prevention checklist

  • Validate all external inputs: function parameters, signed data, cross-chain payloads.
  • Enforce tight invariants on fees, rates, limits, and addresses.
  • Require non-zero values for any critical parameter.
  • Treat admin and governance inputs as untrusted until explicitly verified.
  • Add negative test cases (fuzzing, property tests) for every external entry point.
  • Use custom errors for clarity and gas savings.

Detection tools

Industry-standard tools that detect this category. Tool mappings are SCH editorial - OWASP's per-category pages do not list specific tools.

Slither
static

missing-zero-check, arbitrary-send-erc20, incorrect-equality

Aderyn
static

zero-address-check, useless-public-function

Echidna
fuzz

boundary value generators

FAQ

What is OWASP SC05 Lack of Input Validation?
SC05 covers any situation where a smart contract processes external data - function parameters, calldata, cross-chain messages, or signed payloads - without rigorously enforcing that the data is well-formed, within expected bounds, and authorized for the intended operation. It is #5 in the OWASP Smart Contract Top 10 2026.
How is smart contract input validation different from web app input validation?
Web-app input validation is mostly about preventing injection (SQL, XSS, command injection). Smart-contract input validation is mostly about preventing economically invalid states - fees above 100%, max-uint amounts, malformed addresses bypassing allowlists, missing nonce or chain-ID validation, and counterfeit token authenticity checks. The cost of accepting a bad input on chain is a permanent value transfer, not data corruption.
What is an example of a smart contract input validation hack?
Cetus on Sui (May 2025) lost $223M when unvalidated liquidity parameters reaching around 2^113 were combined with the checked_shlw overflow in the Move integer-mate library. Ionic Money (Feb 2025) lost roughly $6.9M because it accepted counterfeit LBTC as collateral without an on-chain authenticity check - attackers minted 250 fake tokens and borrowed $8.6M against them.
How do you implement input validation in Solidity?
Validate every external input: function parameters, signed data, cross-chain payloads, admin and governance calls. Enforce tight invariants on fees, rates, limits, and addresses. Require non-zero values for any critical parameter. Treat admin inputs as untrusted until explicitly verified. Add negative test cases (fuzzing, property tests) for every external entry point, and use custom errors for clarity and gas savings.
How well do AI auditors detect input validation bugs?
One of the strongest categories for AI auditing - around 81% detection versus 90% for senior human auditors. Frontier LLMs reliably flag missing zero-address checks, missing range guards, and obvious calldata trust assumptions. The remaining gap is protocol-specific: knowing that a technically valid input is economically invalid in a particular protocol context.

Master the techniques that make this category exploitable

The SCH Smart Contract Hacking Course teaches the exploit primitives, audit techniques, and tool workflows for lack of input validation and every other OWASP 2026 category.