OWASP Smart Contract Top 10 2026: changes and audit guide

TL;DR

• The 2026 OWASP Smart Contract Top 10 reorders around how protocols actually fail. Access control (SC01), business logic (SC02), oracle manipulation (SC03), and flash-loan-amplified composition (SC04) are now the top four. Proxy & upgradeability has been added as SC10.
• Reentrancy fell from #2 to #8 because tooling and patterns matured (ReentrancyGuard and ReentrancyGuardTransient are near-universal, Slither and Mythril detect classic reentrancy reliably). The class did not disappear — cross-contract and read-only reentrancy still appear in 2025/2026 findings, with Solv's ERC-3525 incident ($2.7M) as the canonical recent case.
• Business logic moved to #2 because invariant collapse and economic-edge-case bugs are now the largest single-protocol losses. Yearn's yETH pool collapse ($9M, November 2025), Cetus ($223M, May 2025), Balancer V2's ComposableStablePool ($128M, November 2025), and the Aave$50M slippage event (March 2026) are the worked examples OWASP cites.
• Proxy & upgradeability is new because uninitialized ERC1967 proxies became a campaign in 2025. Kinto Protocol ($1.55M, July 2025) is the most-cited example; the broader uninitialized-proxy automation drove$10M+ in aggregate losses across protocols.
• Detection is structural, not lexical. The audit response across the 2026 list is invariant testing, trust-boundary mapping, and formal verification of high-value properties — not a category-by-category code review.

The 2026 list, in order

What changed from 2025 to 2026

Why business logic moved up

• Yearn yETH (~$9M, November 2025). A weighted stableswap pool's fixed-point iteration solver was forced into a divergent regime by sufficiently imbalanced add and remove liquidity calls. The product term Π collapsed to zero, and the s invariant degenerated from hybrid stableswap into constant-sum. Roughly 2.35×10⁵⁶ yETH LP tokens were minted without backing collateral.
• Cetus Protocol (~$223M, May 22, 2025). A checked_shlw overflow check in a u256 fixed-point library on Sui was structurally flawed. Shifting bits beyond type capacity did not abort. The attacker manipulated a liquidity parameter so the get_delta_a calculation overflowed silently and returned that only one unit of token A was needed to mint a massive LP position. Multiple audits — MoveBit, OtterSec, Zellic in April 2025 — had reviewed the protocol; library-level numerical code was effectively out of audit scope.
• **Aave $50M slippage event (March 2026).** A trader swapped roughly$50.4M USDT for ~$36K of AAVE through an interface routed via a thin SushiSwap pool. Sandwich extraction approached$44M. The frontend warned. The contract did not enforce a protocol-level cap.

Why proxy & upgradeability is new

1. Upgrade and admin role hijack — who can change implementation, and is the storage layout compatible.
2. Initialization and re-initialization — unprotected initialize, missing initializer guards, initialization front-running.
3. Delegatecall context errors — msg.sender, msg.value, and storage context confusion.
4. Storage layout collisions — slot collisions between proxy and implementation, unreserved gaps, missing append-only discipline.

Why reentrancy dropped

SC01:2026 — Access control vulnerabilities

• Manual review — enumerate every external/public function and prove a path to a documented role; verify all administrative addresses are multisig + timelock; check ownership transfer is two-step (Ownable2Step or equivalent); look for tx.origin use; look for selfdestruct exposure on implementations.
• Tooling — Slither's arbitrary-send, unprotected-upgrade, suicidal, and incorrect-modifier detectors are first pass; Aderyn for cross-checks; Halmos to symbolically prove that only authorized callers reach state mutations.
• Process — threat-model the off-chain signing pipeline; require raw-calldata clear-signing or transaction simulation on hardware wallets that support it.

SC02:2026 — Business logic vulnerabilities

1. Reward and fee logic flaws (double counting, wrong beneficiary, miscounted accrual).
2. Eligibility and limit bypasses (borrowing caps, mint limits, liquidation thresholds).
3. Path-dependent state machines (the same end state reached via two paths produces different outcomes).
4. Cross-module and cross-chain assumptions (one contract assumes a property the other does not enforce).

• Yearn yETH (~$9M, November 2025). Detailed in the previous section — fixed-point solver collapse converting a stableswap invariant into constant-sum.
• Cetus ($223M, May 2025). Library-level u256 overflow check that did not abort. Detailed in the previous section.
• Balancer V2 ComposableStablePool (~$128.64M, November 3, 2025). Per Trail of Bits attribution: a rounding-error vulnerability in _upscaleArray combined with crafted batchSwap operations let the attacker artificially inflate share prices. This straddles SC02 (business logic) and SC07 (rounding) — which is the point. Compound failures rarely live in a single category.
• Abracadabra (~$13M, March 2025). GMX-liquidity-token cauldrons. Attacker exploited interactions between liquidation logic and the GLP underlying.

1. Threat model first. Define the protocol's invariants explicitly. For a lending protocol: Σ user_balances ≤ totalAssets, health_factor ≥ 1 after every state-changing path including donate*, migrate*, and rebalance*. For an AMM: x · y ≥ k after fee. For a stableswap: bounds on the iteration solver under all liquidity ratios.
2. Invariant fuzzing. Foundry stateful fuzz, Echidna, or Medusa run randomized call sequences against those invariants. This is non-negotiable for any protocol with composable state.
3. Formal verification of high-value properties. Halmos symbolically proves invariants across all bounded inputs; Certora's CVL covers protocol-level rules.
4. Adversarial economic simulation. Agent-based models that assume infinite-capital flash loans, MEV mempool ordering, and adversarial sequencing.

1// foundry-rs/forge-std invariant test
2function invariant_solvency() public {
3    assertLe(vault.totalSupply() * vault.convertToAssets(1e18) / 1e18, vault.totalAssets());
4}
5
6function invariant_round_trip_loss() public {
7    uint256 shares = vault.convertToShares(amount);
8    uint256 assets = vault.convertToAssets(shares);
9    assertLe(assets, amount); // round against the user
10}

• How to audit complex DeFi protocols: the divide and conquer methodology — the methodology pillar.
• The power of fuzzing and formal verification in blockchain security — tooling matrix (Foundry, Echidna, Medusa, Halmos, Kontrol, ItyFuzz).
• Balancer security analysis: critical architecture risks — V1→V3 architectural risk analysis with rounding/precision discussion.
• Bybit, Cetus & Balancer 2025 exploit lessons.

SC03:2026 — Price oracle manipulation

1function getPrice() internal view returns (uint256) {
2    (, int256 answer,, uint256 updatedAt, uint80 answeredInRound) = feed.latestRoundData();
3    require(answer > 0, "negative price");
4    require(updatedAt + STALENESS_THRESHOLD >= block.timestamp, "stale feed");
5    require(answeredInRound > 0, "incomplete round");
6    require(uint256(answer) >= MIN_PRICE && uint256(answer) <= MAX_PRICE, "out of band");
7    return uint256(answer);
8}

SC04:2026 — Flash loan–facilitated attacks

SC05:2026 — Lack of input validation

1function swap(address tokenIn, uint256 amountIn, uint256 minAmountOut, uint256 deadline) external {
2    require(tokenIn != address(0), "zero token");
3    require(amountIn > 0, "zero amount");
4    require(minAmountOut > 0, "zero min out"); // critical — prevents trivial sandwich
5    require(deadline >= block.timestamp, "deadline passed");
6    require(deadline <= block.timestamp + MAX_DEADLINE, "deadline too far");
7    // ...
8}

SC06:2026 — Unchecked external calls

1// wrong
2token.transfer(recipient, amount);
3
4// right (OZ SafeERC20)
5token.safeTransfer(recipient, amount);
6
7// wrong
8(bool ok,) = target.call(data);
9
10// right
11(bool ok, bytes memory ret) = target.call(data);
12require(ok, _getRevertMsg(ret));

SC07:2026 — Arithmetic errors (rounding & precision)

1∀ x: convertToAssets(convertToShares(x)) ≤ x

SC08:2026 — Reentrancy attacks

SC09:2026 — Integer overflow and underflow

• TrueBit ($26.2M, January 2026). Pre-0.8 contract, unprotected addition in getPurchasePrice overflowed to zero, minting massive TRU at zero cost. A 2026 incident on a 2018-era codebase.
• Cetus ($223M, May 2025). Sui's u256 checked_shlw left-shift did not abort on overflow. Move's design choice for left-shift, combined with a flawed safety check on the high bits, produced the SC07/SC09 hybrid.

SC10:2026 — Proxy & upgradeability vulnerabilities

• **Kinto Protocol ($1.55M, July 2025).** Attackers detected freshly deployed but not-yet-initialized ERC1967 proxies. Called `initialize` themselves with malicious implementations containing dormant backdoors. Months later, the backdoor was activated, the proxy was upgraded to malicious code, and K tokens were minted to drain$1.55M.
• The broader uninitialized-proxy campaign (2025, $10M+ aggregate). Automated scanners watched for new ERC1967 proxies on multiple EVM chains, race-initialized them before the legitimate deployer's transaction landed, and embedded dormant backdoors that survived later audits.
• FOOMCASH ($2.26M, 2025). Upgradeable proxy fronting a zkSNARK verifier; misconfigured verification key allowed forged proofs; upgrade mechanism lacked timelock and proper access control.

1. Pattern selection. Choose proxy pattern (Transparent, UUPS, Beacon, Diamond) before writing code; use OpenZeppelin Upgrades plugins, not bespoke implementations. Bespoke proxies are the highest-risk subset of the category.
2. Initializer hygiene. initializer and reinitializer modifiers correctly applied. Implementation contracts call _disableInitializers() in the constructor. Initialization performed atomically with proxy deployment via ERC1967Proxy calldata to prevent the Kinto-class race.
3. Storage discipline. Reserve gaps via uint256[50] __gap, or — better — use ERC-7201 namespaced storage. Verify storage layout compatibility across versions with the OpenZeppelin Upgrades plugin. UUPS implementations must include proxiableUUID() (slot 60894...) and override _authorizeUpgrade` with access control.
4. Upgrade governance. Timelock + multisig. On-chain announcement. Review window. Rollback capability. Single-EOA upgrade authority is automatic critical finding.
5. Special cases. Beacon upgrades require auth on the beacon; shared proxy-admin and logic-owner keys must be split; selfdestruct exposure on implementations is fatal.

1contract MyImplementation is UUPSUpgradeable, OwnableUpgradeable {
2    /// @custom:oz-upgrades-unsafe-allow constructor
3    constructor() {
4        _disableInitializers(); // prevents implementation initialization
5    }
6
7    function initialize(address owner_) public initializer {
8        __Ownable_init(owner_);
9        __UUPSUpgradeable_init();
10    }
11
12    function _authorizeUpgrade(address newImpl) internal override onlyOwner {
13        require(newImpl != address(0), "zero impl");
14        require(newImpl.code.length > 0, "not a contract");
15    }
16}

• Smart contract upgrade patterns security: audit guide for UUPS, Transparent, Beacon & Diamond proxies — pattern comparison, storage collision exploits, and references to storage collisions identified in protocols governing >$50M TVL.
• The 33-check proxy & upgradeability security checklist — checks organized into eight domains (storage layout, initialization, upgrade authorization, UUPS specifics, Transparent specifics, Diamond specifics, monitoring/rollback, cross-chain consistency).

How to actually run an audit against the 2026 list

1. Map the trust boundaries. Every external/public function, every external call out, every cross-contract dependency, every off-chain input. Diagrams help. The divide-and-conquer methodology Zealynx publishes is the framing we use internally.
2. Define the invariants in plain English. Ten or more for any non-trivial protocol. Σ user_balances ≤ totalAssets. health_factor ≥ 1 after every state-changing path. convertToAssets(convertToShares(x)) ≤ x. Solvency. Conservation. Accessibility.
3. Translate invariants into property tests. Foundry stateful fuzz, Echidna, Medusa for randomized search. Halmos and Certora for the high-value subset that needs proof rather than search.
4. Apply per-category tooling. Slither and Aderyn for SC01/SC06/SC09. Halmos for SC07 conversion identities. Echidna for SC02 invariant collapse. The OpenZeppelin Upgrades plugin for SC10 storage-layout checks.
5. Manual review of what the tooling cannot reach. Business logic correctness against protocol intent. Off-chain trust assumptions. Composability with external protocols not in scope. Game-theoretic edge cases.
6. Continuous verification post-deployment. The same invariants run as on-chain monitors. The same property tests run in CI on every commit. The same readiness check runs before every upgrade.

Get in touch with Zealynx

FAQ: OWASP smart contract top 10 2026

Glossary