What "input validation" means in smart contracts
Web-app input validation is mostly about preventing injection. Smart-contract input validation is mostly about preventing economically invalid states. The cost of accepting a bad input on chain is not data corruption - it is a permanent value transfer.
The category covers five common failure modes: out-of-bounds numeric values (fees above 100%, max-uint amounts), malformed addresses or payloads bypassing allowlists, replay attacks via missing nonce / expiry / chain-ID validation, composability edge cases in relayed data, and missing token authenticity checks before accepting tokens as collateral.
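The five failure modes above map onto concrete guards. What follows is an added example, not code from the page or from any named protocol: a hypothetical GuardedVault contract whose names, constants (MAX_FEE_BPS, MAX_DEPOSIT), EIP-712 type strings and minimal ERC-20 interface are all assumptions. It bounds numeric inputs by an economic cap rather than by 100%, allowlists collateral by address, binds nonce, deadline and chain id into relayed signatures, and credits only the balance that actually arrived.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal ERC-20 surface needed here (assumption: transferFrom returns bool or nothing).
interface IERC20 {
    function balanceOf(address) external view returns (uint256);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

/// Hypothetical vault (example only): every external input is bounded, authenticated or bound to a nonce.
contract GuardedVault {
    uint256 public constant MAX_FEE_BPS = 500;  // economic cap (5% of 10_000 bps): 90% is "technically valid" but never intended
    uint256 public constant MAX_DEPOSIT = 1e30; // sanity cap far below type(uint256).max so downstream math cannot overflow

    address public immutable owner;
    uint256 public feeBps;

    mapping(address => bool) public allowedCollateral;                 // token authenticity: governance allowlist by address
    mapping(address => mapping(address => uint256)) public collateral; // user => token => credited amount
    mapping(address => uint256) public nonces;                         // replay protection for relayed deposits

    bytes32 private constant DEPOSIT_TYPEHASH =
        keccak256("Deposit(address user,address token,uint256 amount,uint256 nonce,uint256 deadline)");
    bytes32 private constant DOMAIN_TYPEHASH =
        keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)");
    // secp256k1 half-order: a signature whose s is above this has a second valid form, so reject it
    uint256 private constant HALF_N = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    event Deposited(address indexed user, address indexed token, uint256 amount);

    constructor() { owner = msg.sender; }

    modifier onlyOwner() { require(msg.sender == owner, "not owner"); _; }

    // Range guard: bound the fee by the protocol's economic cap, not merely by "<= 100%".
    function setFee(uint256 newFeeBps) external onlyOwner {
        require(newFeeBps <= MAX_FEE_BPS, "fee above protocol cap");
        feeBps = newFeeBps;
    }

    // Allowlist by address, never by symbol or name: a counterfeit "LBTC" is just another address.
    function setCollateral(address token, bool allowed) external onlyOwner {
        require(token != address(0), "zero address");
        require(token.code.length > 0, "not a contract");
        allowedCollateral[token] = allowed;
    }

    function deposit(address token, uint256 amount) external {
        _deposit(msg.sender, token, amount);
    }

    // Relayed deposit: the user signs off-chain, anyone submits. Nonce, deadline and chain id are all inside the digest.
    function relayedDeposit(
        address user, address token, uint256 amount, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        require(block.timestamp <= deadline, "signature expired");
        uint256 nonce = nonces[user]++; // consumed here; a later revert undoes the increment
        bytes32 structHash = keccak256(abi.encode(DEPOSIT_TYPEHASH, user, token, amount, nonce, deadline));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", _domainSeparator(), structHash));
        require(v == 27 || v == 28, "bad v");
        require(uint256(s) <= HALF_N, "malleable s");
        address signer = ecrecover(digest, v, r, s);
        // ecrecover returns address(0) for a malformed signature; the zero check is what makes `signer == user` meaningful.
        require(signer != address(0) && signer == user, "bad signature");
        _deposit(user, token, amount);
    }

    function _deposit(address user, address token, uint256 amount) internal {
        require(allowedCollateral[token], "token not accepted as collateral");
        require(amount > 0 && amount <= MAX_DEPOSIT, "amount out of range");
        // Credit what actually arrived, not what was requested (fee-on-transfer and rebasing tokens differ).
        uint256 before = IERC20(token).balanceOf(address(this));
        (bool ok, bytes memory ret) = token.call(abi.encodeCall(IERC20.transferFrom, (user, address(this), amount)));
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transferFrom failed");
        uint256 received = IERC20(token).balanceOf(address(this)) - before;
        require(received > 0, "nothing received");
        collateral[user][token] += received;
        emit Deposited(user, token, received);
    }

    // Binding block.chainid and address(this) stops a signature from being replayed on a fork or another deployment.
    function _domainSeparator() internal view returns (bytes32) {
        return keccak256(abi.encode(DOMAIN_TYPEHASH, keccak256("GuardedVault"), keccak256("1"), block.chainid, address(this)));
    }
}
```

The checks worth calling out: the fee cap is a protocol-specific number, which is exactly the kind of bound a generic "range guard" pattern cannot supply; the zero-address test after ecrecover is mandatory because a garbage signature recovers to address(0) rather than reverting; and the balance-before/after accounting means a token that quietly delivers less than `amount` cannot be over-credited as collateral.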
2025 incidents
- Cetus (May 2025) lost $223M. Unvalidated liquidity parameters reaching ~2^113 were combined with the checked_shlw overflow in the Move integer-mate library. OWASP cross-references this incident under SC09 as well - the input validation failure made the arithmetic bug exploitable.
- Ionic Money (Feb 2025) lost ~$6.9M because it accepted counterfeit LBTC as collateral without an on-chain authenticity check. Attackers minted 250 fake tokens and borrowed $8.6M against them.
How AI auditors handle this category
This is one of the strongest categories for AI auditing. Pattern matching against "missing zero check," "missing range guard," "calldata trusted without verification" is exactly the work LLMs do well. The remaining gap is protocol-specific - knowing that, for example, a positive fee that is technically valid is economically invalid in this protocol's context.