Please note, this content is no longer actively maintained.

The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions.

For currently maintained guidance on known smart contract vulnerabilities, written primarily for security reviewers, please see the EEA EthTrust Security Levels specification. In addition to the latest release version, an Editor's Draft is available, which represents the latest work of the group developing the specification.

Currently maintained general guidance for developers on how to ensure security is also available through the Smart Contract Security Verification Standard (SCSVS) and the Smart Contract Security Field Guide.

The following table gives an overview of the SWC registry. Each row consists of an SWC identifier (ID), the weakness title, the parent CWE and a list of related code samples. The links in the ID and Test Cases columns point to the respective SWC definition; the links in the Relationships column point to the CWE Base or Class type.

| ID | Title | Relationships |
|---|---|---|
| SWC-136 | Unencrypted Private Data On-Chain | CWE-767: Access to Critical Private Variable via Public Method |
| SWC-135 | Code With No Effects | CWE-1164: Irrelevant Code |
| SWC-134 | Message call with hardcoded gas amount | CWE-655: Improper Initialization |
| SWC-133 | Hash Collisions With Multiple Variable Length Arguments | CWE-294: Authentication Bypass by Capture-replay |
| SWC-132 | Unexpected Ether balance | CWE-667: Improper Locking |
| SWC-131 | Presence of unused variables | CWE-1164: Irrelevant Code |
| SWC-130 | Right-To-Left-Override control character (U+202E) | CWE-451: User Interface (UI) Misrepresentation of Critical Information |
| SWC-129 | Typographical Error | CWE-480: Use of Incorrect Operator |
| SWC-128 | DoS With Block Gas Limit | CWE-400: Uncontrolled Resource Consumption |
| SWC-127 | Arbitrary Jump with Function Type Variable | CWE-695: Use of Low-Level Functionality |
| SWC-126 | Insufficient Gas Griefing | CWE-691: Insufficient Control Flow Management |
| SWC-125 | Incorrect Inheritance Order | CWE-696: Incorrect Behavior Order |
| SWC-124 | Write to Arbitrary Storage Location | CWE-123: Write-what-where Condition |
| SWC-123 | Requirement Violation | CWE-573: Improper Following of Specification by Caller |
| SWC-122 | Lack of Proper Signature Verification | CWE-345: Insufficient Verification of Data Authenticity |
| SWC-121 | Missing Protection against Signature Replay Attacks | CWE-347: Improper Verification of Cryptographic Signature |
| SWC-120 | Weak Sources of Randomness from Chain Attributes | CWE-330: Use of Insufficiently Random Values |
| SWC-119 | Shadowing State Variables | CWE-710: Improper Adherence to Coding Standards |
| SWC-118 | Incorrect Constructor Name | CWE-665: Improper Initialization |
| SWC-117 | Signature Malleability | CWE-347: Improper Verification of Cryptographic Signature |
| SWC-116 | Block values as a proxy for time | CWE-829: Inclusion of Functionality from Untrusted Control Sphere |
| SWC-115 | Authorization through tx.origin | CWE-477: Use of Obsolete Function |
| SWC-114 | Transaction Order Dependence | CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
| SWC-113 | DoS with Failed Call | CWE-703: Improper Check or Handling of Exceptional Conditions |
| SWC-112 | Delegatecall to Untrusted Callee | CWE-829: Inclusion of Functionality from Untrusted Control Sphere |
| SWC-111 | Use of Deprecated Solidity Functions | CWE-477: Use of Obsolete Function |
| SWC-110 | Assert Violation | CWE-670: Always-Incorrect Control Flow Implementation |
| SWC-109 | Uninitialized Storage Pointer | CWE-824: Access of Uninitialized Pointer |
| SWC-108 | State Variable Default Visibility | CWE-710: Improper Adherence to Coding Standards |
| SWC-107 | Reentrancy | CWE-841: Improper Enforcement of Behavioral Workflow |
| SWC-106 | Unprotected SELFDESTRUCT Instruction | CWE-284: Improper Access Control |
| SWC-105 | Unprotected Ether Withdrawal | CWE-284: Improper Access Control |
| SWC-104 | Unchecked Call Return Value | CWE-252: Unchecked Return Value |
| SWC-103 | Floating Pragma | CWE-664: Improper Control of a Resource Through its Lifetime |
| SWC-102 | Outdated Compiler Version | CWE-937: Using Components with Known Vulnerabilities |
| SWC-101 | Integer Overflow and Underflow | CWE-682: Incorrect Calculation |
| SWC-100 | Function Default Visibility | CWE-710: Improper Adherence to Coding Standards |