Smart Contract Security Weakness Enumeration (SCWE)

Stable Version v1.0

This content is in version v1.0 and still under active development, so it is subject to change at any time (e.g. structure, IDs, content, URLs, etc.).


About the SCWE

The Smart Contract Security Weakness Enumeration (SCWE) is a list of common security and privacy weaknesses in smart contracts. It is intended to be used as a reference for developers, security researchers, and security professionals. It acts as the bridge between the SCSVS and the SCSTG.

For its definition we draw inspiration from the Common Weakness Enumeration (CWE), which is a community-developed list of common software security weaknesses. The SCWE is intended to be a complementary list to the CWE, focusing specifically on security weaknesses in smart contracts.

A weakness is a security or privacy issue that can be introduced into a smart contract. Weaknesses are categorized by the SCSVS categories and controls. For example, a weakness related to the use of insecure random number generators is categorized under the SCSVS-CODE-1 control.

Each weakness contains the following information:

  • Overview: A brief description of the weakness.
  • Impact: The potential impact of the weakness on the security or privacy of the application.
  • Modes of Introduction: The ways in which the weakness can be introduced into an application.
  • Mitigations: Recommendations for mitigating the weakness.

"Weakness vs Vulnerability": It is important to note that a weakness is not a vulnerability, but it can lead to the introduction of vulnerabilities. According to the CWE, a weakness is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities, whereas a vulnerability is a flaw in a software, firmware, hardware, or service component, resulting from a weakness, that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components.

Open Call for New SCWE Submissions

Want to contribute a new SCWE entry?

Thank you for helping us improve the security of smart contracts!

| SCWE ID  | Title                                                                                   | SCSVS CG ID  | SCSVS SCG IDs  | Status |
|----------|-----------------------------------------------------------------------------------------|--------------|----------------|--------|
| SCWE-059 | Insufficient Gas Griefing                                                               | SCSVS-DEFI   | SCSVS-DEFI-2   | new    |
| SCWE-116 | Missing Supply Cap Enforcement                                                          | SCSVS-DEFI   | SCSVS-DEFI-2   | new    |
| SCWE-151 | Add/Remove Liquidity Without Minimum Output Validation                                  | SCSVS-DEFI   | SCSVS-DEFI-2   | new    |
| SCWE-077 | Lack of Rate Limiting                                                                   | SCSVS-DEFI   | SCSVS-DEFI-2   | new    |
| SCWE-148 | Gas Exhaustion via Unbounded Loops with External Calls                                  | SCSVS-DEFI   | SCSVS-DEFI-1   | new    |
| SCWE-058 | DoS with Block Gas Limit                                                                | SCSVS-DEFI   | SCSVS-DEFI-1   | new    |
| SCWE-036 | Inadequate Gas Limit Handling                                                           | SCSVS-DEFI   | SCSVS-DEFI-1   | new    |
| SCWE-109 | Unbounded Loops on Untrusted Input                                                      | SCSVS-DEFI   | SCSVS-DEFI-1   | new    |
| SCWE-082 | Lack of Proper Gas Management                                                           | SCSVS-DEFI   | SCSVS-DEFI-1   | new    |
| SCWE-126 | Unbounded Withdrawal Queue Growth                                                       | SCSVS-DEFI   | SCSVS-DEFI-2   | new    |
| SCWE-125 | Missing Post-Operation Health Check                                                     | SCSVS-DEFI   | SCSVS-DEFI-1   | new    |
| SCWE-033 | Chain Split Risks                                                                       | SCSVS-BRIDGE | SCSVS-BRIDGE-1 | new    |
| SCWE-094 | Insufficient Gas Limit Validation in LayerZero Message Sending                          | SCSVS-BRIDGE | SCSVS-BRIDGE-2 | new    |
| SCWE-032 | Dependency on Block Gas Limit                                                           | SCSVS-BRIDGE | SCSVS-BRIDGE-2 | new    |
| SCWE-034 | Insecure Cross-Chain Messaging                                                          | SCSVS-BRIDGE | SCSVS-BRIDGE-2 | new    |
| SCWE-087 | Missing Payload Size Validation in Cross-Chain Messaging (Denial of Service/Stuck Funds) | SCSVS-BRIDGE | SCSVS-BRIDGE-2 | new    |
| SCWE-132 | Mismatched Token Decimals in Bridge Mint/Burn                                           | SCSVS-BRIDGE | SCSVS-BRIDGE-1 | new    |
| SCWE-133 | Missing Replay Nonce per Bridge Lane                                                    | SCSVS-BRIDGE | SCSVS-BRIDGE-1 | new    |
| SCWE-096 | Missing Token Burn During Cross-Chain NFT Withdrawal                                    | SCSVS-BRIDGE | SCSVS-BRIDGE-1 | new    |
| SCWE-057 | Write to Arbitrary Storage Location                                                     | SCSVS-COMP   | SCSVS-COMP-2   | new    |
| SCWE-110 | Fee-On-Transfer Token Misaccounting                                                     | SCSVS-COMP   | SCSVS-COMP-1   | new    |
| SCWE-135 | ERC4626 Share Inflation via Donations                                                   | SCSVS-COMP   | SCSVS-COMP-1   | new    |
| SCWE-111 | Rebase Token Balance Drift                                                              | SCSVS-COMP   | SCSVS-COMP-1   | new    |
| SCWE-083 | Failure to Handle Edge Cases                                                            | SCSVS-COMP   | SCSVS-COMP-2   | new    |
| SCWE-145 | Unvalidated Constructor Parameters                                                      | SCSVS-ARCH   | SCSVS-ARCH-1   | new    |
| SCWE-064 | Incorrect Inheritance Order                                                             | SCSVS-ARCH   | SCSVS-ARCH-2   | new    |
| SCWE-071 | Uninitialized Storage Pointer                                                           | SCSVS-ARCH   | SCSVS-ARCH-1   | new    |
| SCWE-119 | Shared Proxy Admin and Logic Owner Key                                                  | SCSVS-ARCH   | SCSVS-ARCH-1   | new    |
| SCWE-006 | Inconsistent Inheritance Hierarchy                                                      | SCSVS-ARCH   | SCSVS-ARCH-3   | new    |
| SCWE-001 | Improper Contract Architecture                                                          | SCSVS-ARCH   | SCSVS-ARCH-1   | new    |
| SCWE-150 | Storage Slot Collision When Upgrading Implementation                                    | SCSVS-ARCH   | SCSVS-ARCH-2   | new    |
| SCWE-051 | Improper Use of CREATE2 for Contract Deployment                                         | SCSVS-ARCH   | SCSVS-ARCH-2   | new    |
| SCWE-070 | Incorrect Constructor Name                                                              | SCSVS-ARCH   | SCSVS-ARCH-1   | new    |
| SCWE-005 | Insecure Upgradeable Proxy Design                                                       | SCSVS-ARCH   | SCSVS-ARCH-2   | new    |
| SCWE-099 | Storage Layout Collision on Upgrade                                                     | SCSVS-ARCH   | SCSVS-ARCH-1   | new    |
| SCWE-117 | Proxy Implementation Selfdestruct Exposure                                              | SCSVS-ARCH   | SCSVS-ARCH-1   | new    |
| SCWE-004 | Uncaught Exceptions                                                                     | SCSVS-ARCH   | SCSVS-ARCH-2   | new    |
| SCWE-080 | Incorrect Type Conversion                                                               | SCSVS-ARCH   | SCSVS-ARCH-2   | new    |
| SCWE-052 | Transaction Order Dependence                                                            | SCSVS-ARCH   | SCSVS-ARCH-3   | new    |
| SCWE-003 | Lack of Modularity                                                                      | SCSVS-ARCH   | SCSVS-ARCH-1   | new    |
| SCWE-118 | Unauthenticated Beacon Upgrade                                                          | SCSVS-ARCH   | SCSVS-ARCH-1   | new    |
| SCWE-002 | Excessive Contract Complexity                                                           | SCSVS-ARCH   | SCSVS-ARCH-1   | new    |
| SCWE-098 | Initialization Front-Running in Upgradeable Contracts                                   | SCSVS-ARCH   | SCSVS-ARCH-1   | new    |
| SCWE-037 | Insufficient Protection Against Front-Running                                           | SCSVS-GOV    | SCSVS-GOV-3    | new    |
| SCWE-044 | Insecure Use of Storage                                                                 | SCSVS-GOV    | SCSVS-GOV-1    | new    |
| SCWE-142 | Extractable Value from Predictable Transaction Ordering                                 | SCSVS-GOV    | SCSVS-GOV-3    | new    |
| SCWE-136 | Unbounded Proposal Execution Gas                                                        | SCSVS-GOV    | SCSVS-GOV-3    | new    |
| SCWE-012 | Lack of Multisig Governance                                                             | SCSVS-GOV    | SCSVS-GOV-1    | new    |
| SCWE-015 | Poor Governance Documentation                                                           | SCSVS-GOV    | SCSVS-GOV-3    | new    |
| SCWE-078 | Improper Handling of Ether Transfers                                                    | SCSVS-GOV    | SCSVS-GOV-3    | new    |
| SCWE-075 | Incorrect Ether Balance Tracking                                                        | SCSVS-GOV    | SCSVS-GOV-3    | new    |
| SCWE-140 | Ether Locked Due to Missing Withdrawal Path                                             | SCSVS-GOV    | SCSVS-GOV-3    | new    |
| SCWE-102 | Missing Checks-Effects-Interactions Pattern                                             | SCSVS-GOV    | SCSVS-GOV-3    | new    |
| SCWE-043 | Insecure Use of Fallback Functions                                                      | SCSVS-GOV    | SCSVS-GOV-3    | new    |
| SCWE-079 | Insecure Use of Transfer and Send                                                       | SCSVS-GOV    | SCSVS-GOV-3    | new    |
| SCWE-101 | Flash-Loan-Fueled Governance Manipulation                                               | SCSVS-GOV    | SCSVS-GOV-1    | new    |
| SCWE-100 | Missing Quorum Validation in Governance Execution                                       | SCSVS-GOV    | SCSVS-GOV-3    | new    |
| SCWE-156 | Missing Emergency Circuit Breaker for Critical Operations                               | SCSVS-GOV    | SCSVS-GOV-3    | new    |
| SCWE-081 | Improper Handling of Nonce                                                              | SCSVS-GOV    | SCSVS-GOV-2    | new    |
| SCWE-038 | Insecure Use of Selfdestruct                                                            | SCSVS-AUTH   | SCSVS-AUTH-1   | new    |
| SCWE-129 | Single EOA Admin Without Rotation                                                       | SCSVS-AUTH   | SCSVS-AUTH-1   | new    |
| SCWE-017 | Privileged Role Mismanagement                                                           | SCSVS-AUTH   | SCSVS-AUTH-1   | new    |
| SCWE-147 | Permit or Meta-Transaction Signatures Without Expiration                                | SCSVS-AUTH   | SCSVS-AUTH-2   | new    |
| SCWE-019 | Insecure Signature Verification                                                         | SCSVS-AUTH   | SCSVS-AUTH-2   | new    |
| SCWE-106 | Unauthenticated Meta-Transactions                                                       | SCSVS-AUTH   | SCSVS-AUTH-2   | new    |
| SCWE-139 | Single-Step Ownership Transfer Without Confirmation                                     | SCSVS-AUTH   | SCSVS-AUTH-1   | new    |
| SCWE-049 | Unprotected Ether Withdrawal                                                            | SCSVS-AUTH   | SCSVS-AUTH-2   | new    |
| SCWE-020 | Absence of Time-Locked Functions                                                        | SCSVS-AUTH   | SCSVS-AUTH-2   | new    |
| SCWE-018 | Use of tx.origin for Authorization                                                      | SCSVS-AUTH   | SCSVS-AUTH-1   | new    |
| SCWE-105 | Permit Signature Replay via Missing Domain Separator or Nonce                           | SCSVS-AUTH   | SCSVS-AUTH-2   | new    |
| SCWE-045 | Insecure Use of Modifiers                                                               | SCSVS-AUTH   | SCSVS-AUTH-2   | new    |
| SCWE-016 | Insufficient Authorization Checks                                                       | SCSVS-AUTH   | SCSVS-AUTH-2   | new    |
| SCWE-155 | Single Point of Failure in Administrative Key Management                                | SCSVS-AUTH   | SCSVS-AUTH-1   | new    |
| SCWE-050 | Unprotected SELFDESTRUCT Instruction                                                    | SCSVS-AUTH   | SCSVS-AUTH-2   | new    |
| SCWE-093 | Unnamed Function Parameters                                                             | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-154 | Calldata Decode Without Length Check                                                    | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-144 | Bypassable Contract Existence Check via extcodesize                                     | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-039 | Insecure Use of Inline Assembly                                                         | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-076 | Right-To-Left-Override Control Character (U+202E)                                       | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-072 | Use of Deprecated Solidity Functions                                                    | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-097 | Missing Explicit Function Visibility                                                    | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-061 | Outdated Compiler Version                                                               | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-062 | Dead Code                                                                               | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-141 | Lack of Deadline Validation in Time-Sensitive External Calls                            | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-041 | Unsafe Downcasting                                                                      | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-007 | Presence of Unused Variables                                                            | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-069 | Shadowing State Variables                                                               | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-121 | Swallowed Revert Reasons                                                                | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-146 | Improper Use of try/catch Leading to Silent Failures                                    | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-122 | Calldata Length Not Validated Before Decode                                             | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-010 | Shadowing Variables and Functions                                                       | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-048 | Unchecked Call Return Value                                                             | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-095 | Missing Destination Address Size Check                                                  | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-014 | Lack of Emergency Stop Mechanism                                                        | SCSVS-GOV    | SCSVS-GOV-3    | new    |
| SCWE-152 | Misuse of Custom Errors Leading to Information Leakage or Wrong Revert Behavior         | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-124 | Inconsistent Rounding Direction in Financial Math                                       | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-053 | Improper Deletion of Mappings                                                           | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-013 | Unauthorized Parameter Changes                                                          | SCSVS-GOV    | SCSVS-GOV-2    | new    |
| SCWE-091 | Lack of Zero Value Check in Token Transfers                                             | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-120 | Missing Return Data Length Validation                                                   | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-060 | Floating Pragma                                                                         | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-123 | Corrupt Free Memory Pointer in Assembly                                                 | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-011 | Insecure ABI Encoding and Decoding                                                      | SCSVS-ARCH   | SCSVS-ARCH-3   | new    |
| SCWE-067 | Assert Violation                                                                        | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-143 | Critical Address Parameters Not Validated for Zero Address                              | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-040 | Incorrect Storage Packing                                                               | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-046 | Reentrancy Attacks                                                                      | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-009 | Deprecated Variable and Function Usage                                                  | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-092 | Missing Disable Initializer in Constructor for Proxy Contracts                          | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-068 | State Variable Default Visibility                                                       | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-066 | Incorrect Handling of Bitwise Operations                                                | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-008 | Hardcoded Constants                                                                     | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-089 | Vulnerable & Outdated Libraries                                                         | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-090 | Missing Slippage Protection in Automated Token Swaps                                    | SCSVS-CODE   | SCSVS-CODE-1   | new    |
| SCWE-047 | Integer Overflows and Underflows                                                        | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-137 | Read-Only Reentrancy via View Function State Staleness                                  | SCSVS-CODE   | SCSVS-CODE-2   | new    |
| SCWE-030 | Insecure Oracle Data Updates                                                            | SCSVS-ORACLE | SCSVS-ORACLE-1 | new    |
| SCWE-085 | Misuse of Oracle Min/Max Price Band Without Validation                                  | SCSVS-ORACLE | SCSVS-ORACLE-1 | new    |
| SCWE-029 | Lack of Decentralized Oracle Sources                                                    | SCSVS-ORACLE | SCSVS-ORACLE-1 | new    |
| SCWE-112 | Reliance on Low-Liquidity Spot Prices                                                   | SCSVS-ORACLE | SCSVS-ORACLE-2 | new    |
| SCWE-088 | Improper Decimal Normalization in Price-Based Calculations                              | SCSVS-ORACLE | SCSVS-ORACLE-1 | new    |
| SCWE-113 | Insufficient TWAP Window or Single Observation                                          | SCSVS-ORACLE | SCSVS-ORACLE-2 | new    |
| SCWE-028 | Price Oracle Manipulation                                                               | SCSVS-ORACLE | SCSVS-ORACLE-1 | new    |
| SCWE-086 | Missing Validation of Oracle Response Fields (Stale or Incomplete Data)                 | SCSVS-ORACLE | SCSVS-ORACLE-1 | new    |
| SCWE-130 | Admin-Write Oracle Without Delay                                                        | SCSVS-ORACLE | SCSVS-ORACLE-1 | new    |
| SCWE-153 | Reliance on block.prevrandao for High-Value Randomness                                  | SCSVS-BLOCK  | SCSVS-BLOCK-1  | new    |
| SCWE-031 | Insecure Use of Block Variables                                                         | SCSVS-BLOCK  | SCSVS-BLOCK-2  | new    |
| SCWE-024 | Weak Randomness Sources                                                                 | SCSVS-BLOCK  | SCSVS-BLOCK-1  | new    |
| SCWE-073 | Message Call with Hardcoded Gas Amount                                                  | SCSVS-BLOCK  | SCSVS-BLOCK-1  | new    |
| SCWE-127 | EIP-1559 Basefee Assumptions                                                            | SCSVS-BLOCK  | SCSVS-BLOCK-2  | new    |
| SCWE-065 | Block Values as a Proxy for Time                                                        | SCSVS-BLOCK  | SCSVS-BLOCK-2  | new    |
| SCWE-149 | Transfers to Addresses That Cannot Receive Funds                                        | SCSVS-COMM   | SCSVS-COMM-2   | new    |
| SCWE-104 | Unprotected ERC777 Token Hooks                                                          | SCSVS-COMM   | SCSVS-COMM-1   | new    |
| SCWE-134 | Low-Level Call to Non-Contract Address                                                  | SCSVS-COMM   | SCSVS-COMM-1   | new    |
| SCWE-063 | Insecure Event Emission                                                                 | SCSVS-COMM   | SCSVS-COMM-2   | new    |
| SCWE-022 | Message Replay Vulnerabilities                                                          | SCSVS-COMM   | SCSVS-COMM-1   | new    |
| SCWE-023 | Lack of Communication Authenticity                                                      | SCSVS-COMM   | SCSVS-COMM-1   | new    |
| SCWE-035 | Insecure Delegatecall Usage                                                             | SCSVS-COMM   | SCSVS-COMM-1   | new    |
| SCWE-138 | Reentrancy via ERC721/ERC1155 Safe Transfer Callbacks                                   | SCSVS-COMM   | SCSVS-COMM-1   | new    |
| SCWE-128 | Insecure Multicall Context Forwarding                                                   | SCSVS-COMM   | SCSVS-COMM-1   | new    |
| SCWE-042 | Insecure Use of External Calls                                                          | SCSVS-COMM   | SCSVS-COMM-2   | new    |
| SCWE-107 | Missing Chain ID Validation in Cross-Chain Messages                                     | SCSVS-COMM   | SCSVS-COMM-3   | new    |
| SCWE-021 | Unsecured Data Transmission                                                             | SCSVS-COMM   | SCSVS-COMM-1   | new    |
| SCWE-108 | Unverified Cross-Chain Message Proofs                                                   | SCSVS-COMM   | SCSVS-COMM-3   | new    |
| SCWE-103 | ERC20 Approval Double-Spend (Allowance Race)                                            | SCSVS-COMM   | SCSVS-COMM-1   | new    |
| SCWE-131 | Missing Domain Separation in Aggregate Signatures                                       | SCSVS-CRYPTO | SCSVS-CRYPTO-2 | new    |
| SCWE-025 | Improper Cryptographic Key Management                                                   | SCSVS-CRYPTO | SCSVS-CRYPTO-1 | new    |
| SCWE-115 | Weak VRF Parameterization or Callback Validation                                        | SCSVS-CRYPTO | SCSVS-CRYPTO-1 | new    |
| SCWE-027 | Vulnerable Cryptographic Algorithms                                                     | SCSVS-CRYPTO | SCSVS-CRYPTO-2 | new    |
| SCWE-054 | Signature Malleability                                                                  | SCSVS-CRYPTO | SCSVS-CRYPTO-2 | new    |
| SCWE-026 | Insufficient Hash Verification                                                          | SCSVS-CRYPTO | SCSVS-CRYPTO-2 | new    |
| SCWE-074 | Hash Collisions with Multiple Variable Length Arguments                                 | SCSVS-CRYPTO | SCSVS-CRYPTO-2 | new    |
| SCWE-056 | Lack of Proper Signature Verification                                                   | SCSVS-CRYPTO | SCSVS-CRYPTO-1 | new    |
| SCWE-084 | Insecure Use of blockhash                                                               | SCSVS-CRYPTO | SCSVS-CRYPTO-2 | new    |
| SCWE-055 | Missing Protection against Signature Replay Attacks                                     | SCSVS-CRYPTO | SCSVS-CRYPTO-1 | new    |
| SCWE-114 | ECDSA Nonce Reuse                                                                       | SCSVS-CRYPTO | SCSVS-CRYPTO-1 | new    |