Smart Contract Security Weakness Enumeration (SCWE)

Stable Version v0.0.1

This content is at version v0.0.1 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).

About the SCWE

The Smart Contract Security Weakness Enumeration (SCWE) is a list of common security and privacy weaknesses in smart contracts. It is intended to be used as a reference for developers, security researchers, and security professionals. It acts as the bridge between the SCSVS and the SCSTG.

For its definition we draw inspiration from the Common Weakness Enumeration (CWE), which is a community-developed list of common software security weaknesses. The SCWE is intended to be a complementary list to the CWE, focusing specifically on security weaknesses in smart contracts.

A weakness is a security or privacy issue that can be introduced into a smart contract. Weaknesses are categorized by the SCSVS categories and controls. For example, a weakness related to the use of insecure random number generators is categorized under the SCSVS-CODE-1 control.

Each weakness contains the following information:

  • Overview: A brief description of the weakness.
  • Impact: The potential impact of the weakness on the security or privacy of the application.
  • Modes of Introduction: The ways in which the weakness can be introduced into an application.
  • Mitigations: Recommendations for mitigating the weakness.

Weakness vs. Vulnerability: It is important to note that a weakness is not a vulnerability, but it can lead to the introduction of vulnerabilities. According to the CWE, a weakness is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities, whereas a vulnerability is a flaw in a software, firmware, hardware, or service component, resulting from a weakness, that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of the impacted component or components.

| SCWE ID | Title | SCSVS CG ID | SCSVS SCG IDs | L1 | L2 | Status |
|---------|-------|-------------|---------------|----|----|--------|
| SCWE-004 | Uncaught Exceptions | SCSVS-ARCH | SCSVS-ARCH-2 | ✓ | | new |
| SCWE-006 | Inconsistent Inheritance Hierarchy | SCSVS-ARCH | SCSVS-ARCH-3 | ✓ | | new |
| SCWE-051 | Improper Use of CREATE2 for Contract Deployment | SCSVS-ARCH | SCSVS-ARCH-2 | ✓ | | new |
| SCWE-080 | Incorrect Type Conversion | SCSVS-ARCH | SCSVS-ARCH-2 | ✓ | | new |
| SCWE-003 | Lack of Modularity | SCSVS-ARCH | SCSVS-ARCH-1 | ✓ | | new |
| SCWE-001 | Improper Contract Architecture | SCSVS-ARCH | SCSVS-ARCH-1 | ✓ | | new |
| SCWE-002 | Excessive Contract Complexity | SCSVS-ARCH | SCSVS-ARCH-1 | ✓ | | new |
| SCWE-071 | Uninitialized Storage Pointer | SCSVS-ARCH | SCSVS-ARCH-1 | ✓ | | new |
| SCWE-070 | Incorrect Constructor Name | SCSVS-ARCH | SCSVS-ARCH-1 | ✓ | | new |
| SCWE-064 | Incorrect Inheritance Order | SCSVS-ARCH | SCSVS-ARCH-2 | ✓ | | new |
| SCWE-052 | Transaction Order Dependence | SCSVS-ARCH | SCSVS-ARCH-3 | ✓ | | new |
| SCWE-005 | Insecure Upgradeable Proxy Design | SCSVS-ARCH | SCSVS-ARCH-2 | ✓ | | new |
| SCWE-065 | Block Values as a Proxy for Time | SCSVS-BLOCK | SCSVS-BLOCK-2 | ✓ | | new |
| SCWE-031 | Insecure Use of Block Variables | SCSVS-BLOCK | SCSVS-BLOCK-2 | ✓ | | new |
| SCWE-073 | Message Call with Hardcoded Gas Amount | SCSVS-BLOCK | SCSVS-BLOCK-1 | ✓ | | new |
| SCWE-024 | Weak Randomness Sources | SCSVS-BLOCK | SCSVS-BLOCK-1 | ✓ | | new |
| SCWE-029 | Lack of Decentralized Oracle Sources | SCSVS-BRIDGE | SCSVS-BRIDGE-1 | ✓ | | new |
| SCWE-032 | Dependency on Block Gas Limit | SCSVS-BRIDGE | SCSVS-BRIDGE-2 | ✓ | | new |
| SCWE-028 | Price Oracle Manipulation | SCSVS-BRIDGE | SCSVS-BRIDGE-1 | ✓ | | new |
| SCWE-033 | Chain Split Risks | SCSVS-BRIDGE | SCSVS-BRIDGE-1 | ✓ | | new |
| SCWE-034 | Insecure Cross-Chain Messaging | SCSVS-BRIDGE | SCSVS-BRIDGE-2 | ✓ | | new |
| SCWE-019 | Insecure Signature Verification | SCSVS-AUTH | SCSVS-AUTH-2 | ✓ | | new |
| SCWE-049 | Unprotected Ether Withdrawal | SCSVS-AUTH | SCSVS-AUTH-2 | ✓ | | new |
| SCWE-016 | Insufficient Authorization Checks | SCSVS-AUTH | SCSVS-AUTH-2 | ✓ | | new |
| SCWE-017 | Privileged Role Mismanagement | SCSVS-AUTH | SCSVS-AUTH-1 | ✓ | | new |
| SCWE-050 | Unprotected SELFDESTRUCT Instruction | SCSVS-AUTH | SCSVS-AUTH-2 | ✓ | | new |
| SCWE-018 | Use of tx.origin for Authorization | SCSVS-AUTH | SCSVS-AUTH-1 | ✓ | | new |
| SCWE-038 | Insecure Use of Selfdestruct | SCSVS-AUTH | SCSVS-AUTH-1 | ✓ | | new |
| SCWE-020 | Absence of Time-Locked Functions | SCSVS-AUTH | SCSVS-AUTH-2 | ✓ | | new |
| SCWE-045 | Insecure Use of Modifiers | SCSVS-AUTH | SCSVS-AUTH-2 | ✓ | | new |
| SCWE-083 | Failure to Handle Edge Cases | SCSVS-COMP | SCSVS-COMP-2 | ✓ | | new |
| SCWE-057 | Write to Arbitrary Storage Location | SCSVS-COMP | SCSVS-COMP-2 | ✓ | | new |
| SCWE-082 | Lack of Proper Gas Management | SCSVS-DEFI | SCSVS-DEFI-1 | ✓ | | new |
| SCWE-059 | Insufficient Gas Griefing | SCSVS-DEFI | SCSVS-DEFI-2 | ✓ | | new |
| SCWE-077 | Lack of Rate Limiting | SCSVS-DEFI | SCSVS-DEFI-2 | ✓ | | new |
| SCWE-058 | DoS with Block Gas Limit | SCSVS-DEFI | SCSVS-DEFI-1 | ✓ | | new |
| SCWE-036 | Inadequate Gas Limit Handling | SCSVS-DEFI | SCSVS-DEFI-1 | ✓ | | new |
| SCWE-047 | Integer Overflows and Underflows | SCSVS-ORACLE | SCSVS-ORACLE-2 | ✓ | | new |
| SCWE-030 | Insecure Oracle Data Updates | SCSVS-ORACLE | SCSVS-ORACLE-1 | ✓ | | new |
| SCWE-084 | Insecure Use of blockhash | SCSVS-CRYPTO | SCSVS-CRYPTO-2 | ✓ | | new |
| SCWE-027 | Vulnerable Cryptographic Algorithms | SCSVS-CRYPTO | SCSVS-CRYPTO-2 | ✓ | | new |
| SCWE-055 | Missing Protection against Signature Replay Attacks | SCSVS-CRYPTO | SCSVS-CRYPTO-1 | ✓ | | new |
| SCWE-025 | Improper Cryptographic Key Management | SCSVS-CRYPTO | SCSVS-CRYPTO-1 | ✓ | | new |
| SCWE-054 | Signature Malleability | SCSVS-CRYPTO | SCSVS-CRYPTO-2 | ✓ | | new |
| SCWE-056 | Lack of Proper Signature Verification | SCSVS-CRYPTO | SCSVS-CRYPTO-1 | ✓ | | new |
| SCWE-026 | Insufficient Hash Verification | SCSVS-CRYPTO | SCSVS-CRYPTO-2 | ✓ | | new |
| SCWE-074 | Hash Collisions with Multiple Variable Length Arguments | SCSVS-CRYPTO | SCSVS-CRYPTO-2 | ✓ | | new |
| SCWE-063 | Insecure Event Emission | SCSVS-COMM | SCSVS-COMM-2 | ✓ | | new |
| SCWE-042 | Insecure Use of External Calls | SCSVS-COMM | SCSVS-COMM-2 | ✓ | | new |
| SCWE-021 | Unsecured Data Transmission | SCSVS-COMM | SCSVS-COMM-1 | ✓ | | new |
| SCWE-035 | Insecure Delegatecall Usage | SCSVS-COMM | SCSVS-COMM-1 | ✓ | | new |
| SCWE-023 | Lack of Communication Authenticity | SCSVS-COMM | SCSVS-COMM-1 | ✓ | | new |
| SCWE-022 | Message Replay Vulnerabilities | SCSVS-COMM | SCSVS-COMM-1 | ✓ | | new |
| SCWE-040 | Incorrect Storage Packing | SCSVS-CODE | SCSVS-CODE-1 | ✓ | | new |
| SCWE-009 | Deprecated Variable and Function Usage | SCSVS-CODE | SCSVS-CODE-2 | ✓ | | new |
| SCWE-007 | Presence of Unused Variables | SCSVS-CODE | SCSVS-CODE-2 | ✓ | | new |
| SCWE-039 | Insecure Use of Inline Assembly | SCSVS-CODE | SCSVS-CODE-2 | ✓ | | new |
| SCWE-053 | Improper Deletion of Mappings | SCSVS-CODE | SCSVS-CODE-1 | ✓ | | new |
| SCWE-046 | Reentrancy Attacks | SCSVS-CODE | SCSVS-CODE-2 | ✓ | | new |
| SCWE-012 | Lack of Multisig Governance | SCSVS-GOV | SCSVS-GOV-1 | ✓ | | new |
| SCWE-013 | Unauthorized Parameter Changes | SCSVS-GOV | SCSVS-GOV-2 | ✓ | | new |
| SCWE-048 | Unchecked Call Return Value | SCSVS-CODE | SCSVS-CODE-1 | ✓ | | new |
| SCWE-060 | Floating Pragma | SCSVS-CODE | SCSVS-CODE-1 | ✓ | | new |
| SCWE-068 | State Variable Default Visibility | SCSVS-CODE | SCSVS-CODE-1 | ✓ | | new |
| SCWE-076 | Right-To-Left-Override Control Character (U+202E) | SCSVS-CODE | SCSVS-CODE-2 | ✓ | | new |
| SCWE-041 | Unsafe Downcasting | SCSVS-CODE | SCSVS-CODE-1 | ✓ | | new |
| SCWE-010 | Shadowing Variables and Functions | SCSVS-CODE | SCSVS-CODE-2 | ✓ | | new |
| SCWE-069 | Shadowing State Variables | SCSVS-CODE | SCSVS-CODE-2 | ✓ | | new |
| SCWE-067 | Assert Violation | SCSVS-CODE | SCSVS-CODE-2 | ✓ | | new |
| SCWE-072 | Use of Deprecated Solidity Functions | SCSVS-CODE | SCSVS-CODE-1 | ✓ | | new |
| SCWE-061 | Outdated Compiler Version | SCSVS-CODE | SCSVS-CODE-2 | ✓ | | new |
| SCWE-066 | Incorrect Handling of Bitwise Operations | SCSVS-CODE | SCSVS-CODE-2 | ✓ | | new |
| SCWE-008 | Hardcoded Constants | SCSVS-CODE | SCSVS-CODE-2 | ✓ | | new |
| SCWE-062 | Dead Code | SCSVS-CODE | SCSVS-CODE-1 | ✓ | | new |
| SCWE-014 | Lack of Emergency Stop Mechanism | SCSVS-GOV | SCSVS-GOV-3 | ✓ | | new |
| SCWE-011 | Insecure ABI Encoding and Decoding | SCSVS-ARCH | SCSVS-ARCH-3 | ✓ | | new |
| SCWE-075 | Incorrect Ether Balance Tracking | SCSVS-GOV | SCSVS-GOV-3 | ✓ | | new |
| SCWE-015 | Poor Governance Documentation | SCSVS-GOV | SCSVS-GOV-3 | ✓ | | new |
| SCWE-037 | Insufficient Protection Against Front-Running | SCSVS-GOV | SCSVS-GOV-3 | ✓ | | new |
| SCWE-044 | Insecure Use of Storage | SCSVS-GOV | SCSVS-GOV-1 | ✓ | | new |
| SCWE-079 | Insecure Use of Transfer and Send | SCSVS-GOV | SCSVS-GOV-3 | ✓ | | new |
| SCWE-043 | Insecure Use of Fallback Functions | SCSVS-GOV | SCSVS-GOV-3 | ✓ | | new |
| SCWE-078 | Improper Handling of Ether Transfers | SCSVS-GOV | SCSVS-GOV-3 | ✓ | | new |
| SCWE-081 | Improper Handling of Nonce | SCSVS-GOV | SCSVS-GOV-2 | ✓ | | new |