Smart Contract Security Weakness Enumeration (SCWE)

Content in BETA

This content is in beta and still under active development, so it is subject to change any time (e.g. structure, IDs, content, URLs, etc.).


About the SCWE

The Smart Contract Security Weakness Enumeration (SCWE) is a list of common security and privacy weaknesses in smart contracts. It is intended to be used as a reference for developers, security researchers, and security professionals. It acts as the bridge between the SCSVS and the SCSTG.

For its definition we draw inspiration from the Common Weakness Enumeration (CWE), which is a community-developed list of common software security weaknesses. The SCWE is intended to be a complementary list to the CWE, focusing specifically on security weaknesses in smart contracts.

A weakness is a security or privacy issue that can be introduced into a smart contract. Weaknesses are categorized by the MASVS categories and controls. For example, a weakness related to the use of insecure random number generators is categorized under the SCSVS-CODE-1 control.

Each weakness contains the following information:

  • Overview: A brief description of the weakness.
  • Impact: The potential impact of the weakness on the security or privacy of the application.
  • Modes of Introduction: The ways in which the weakness can be introduced into an application.
  • Mitigations: Recommendations for mitigating the weakness.

"Weakness vs Vulnerability": It is important to note that a weakness is not a vulnerability, but it can lead to the introduction of vulnerabilities. According to the CWE, a weakness is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. A vulnerability, on the other hand, is a flaw in a software, firmware, hardware, or service component, resulting from a weakness, that can be exploited, causing a negative impact to the confidentiality, integrity, or availability of an impacted component or components.

| SCWE ID | Title | SCSVS CG ID | SCSVS SCG IDs | L1 | L2 | Status |
|---|---|---|---|---|---|---|
| SCWE-016 | Insufficient Authorization | SCSVS-AUTH | SCSVS-AUTH-2 | yes | | new |
| SCWE-020 | Absence of Time-Locked Functions | SCSVS-AUTH | SCSVS-AUTH-2 | yes | | new |
| SCWE-018 | Use of tx.origin for Authorization | SCSVS-AUTH | SCSVS-AUTH-1 | yes | | new |
| SCWE-019 | Insecure Signature Verification | SCSVS-AUTH | SCSVS-AUTH-2 | yes | | new |
| SCWE-017 | Privileged Role Mismanagement | SCSVS-AUTH | SCSVS-AUTH-1 | yes | | new |
| SCWE-002 | Excessive Contract Complexity | SCSVS-ARCH | SCSVS-ARCH-1 | yes | | new |
| SCWE-003 | Lack of Modularity | SCSVS-ARCH | SCSVS-ARCH-1 | yes | | new |
| SCWE-005 | Insecure Upgradeable Proxy Design | SCSVS-ARCH | SCSVS-ARCH-2 | yes | | new |
| SCWE-006 | Inconsistent Inheritance Hierarchy | SCSVS-ARCH | SCSVS-ARCH-3 | yes | | new |
| SCWE-004 | Circular Dependencies | SCSVS-ARCH | SCSVS-ARCH-2 | yes | | new |
| SCWE-001 | Improper Contract Architecture | SCSVS-ARCH | SCSVS-ARCH-1 | yes | | new |
| SCWE-015 | Lack of Emergency Stop Mechanism | SCSVS-GOV | SCSVS-GOV-3 | yes | | new |
| SCWE-021 | Insecure Block Timestamp Usage | SCSVS-BLOCK | SCSVS-BLOCK-2 | yes | | new |
| SCWE-012 | Improper Function Definitions | SCSVS-CODE | SCSVS-CODE-1 | yes | | new |
| SCWE-009 | Code Duplication | SCSVS-CODE | SCSVS-CODE-1 | yes | | new |
| SCWE-008 | Presence of Unused Variables | SCSVS-CODE | SCSVS-CODE-2 | yes | | new |
| SCWE-007 | Unmaintainable Code Structure | SCSVS-CODE | SCSVS-CODE-2 | yes | | new |
| SCWE-011 | Deprecated Variable and Function Usage | SCSVS-CODE | SCSVS-CODE-2 | yes | | new |
| SCWE-010 | Hardcoded Constants | SCSVS-CODE | SCSVS-CODE-2 | yes | | new |
| SCWE-013 | Dead Code | SCSVS-CODE | SCSVS-CODE-2 | yes | | new |
| SCWE-014 | Shadowing Variables and Functions | SCSVS-CODE | SCSVS-CODE-2 | yes | | new |