
Smart Contract Weakness Classification (SWC)

The content of the SWC registry has not been thoroughly updated since 2020. It is known to be incomplete and may contain errors as well as crucial omissions.

For currently maintained guidance on known smart contract vulnerabilities, written primarily for security reviewers, see the EEA EthTrust Security Levels specification. In addition to the latest release version, an Editor's Draft is available that reflects the most recent work of the group developing the specification.

Currently maintained general guidance for developers on how to build secure contracts is also available in the Smart Contract Security Verification Standard (SCSVS) and the Smart Contract Security Field Guide.

The following table is an overview of the SWC registry. Each row gives an SWC identifier (ID), the weakness title and the parent CWE (Relationships). On the registry site, the ID links to the full SWC definition, which also lists related code samples (test cases), and the Relationships entry links to the CWE Base or Class type.

| ID | Title | Relationships |
|---|---|---|
| SWC-136 | Unencrypted Private Data On-Chain | CWE-767: Access to Critical Private Variable via Public Method |
| SWC-135 | Code With No Effects | CWE-1164: Irrelevant Code |
| SWC-134 | Message call with hardcoded gas amount | CWE-665: Improper Initialization |
| SWC-133 | Hash Collisions With Multiple Variable Length Arguments | CWE-294: Authentication Bypass by Capture-replay |
| SWC-132 | Unexpected Ether balance | CWE-667: Improper Locking |
| SWC-131 | Presence of unused variables | CWE-1164: Irrelevant Code |
| SWC-130 | Right-To-Left-Override control character (U+202E) | CWE-451: User Interface (UI) Misrepresentation of Critical Information |
| SWC-129 | Typographical Error | CWE-480: Use of Incorrect Operator |
| SWC-128 | DoS With Block Gas Limit | CWE-400: Uncontrolled Resource Consumption |
| SWC-127 | Arbitrary Jump with Function Type Variable | CWE-695: Use of Low-Level Functionality |
| SWC-126 | Insufficient Gas Griefing | CWE-691: Insufficient Control Flow Management |
| SWC-125 | Incorrect Inheritance Order | CWE-696: Incorrect Behavior Order |
| SWC-124 | Write to Arbitrary Storage Location | CWE-123: Write-what-where Condition |
| SWC-123 | Requirement Violation | CWE-573: Improper Following of Specification by Caller |
| SWC-122 | Lack of Proper Signature Verification | CWE-345: Insufficient Verification of Data Authenticity |
| SWC-121 | Missing Protection against Signature Replay Attacks | CWE-347: Improper Verification of Cryptographic Signature |
| SWC-120 | Weak Sources of Randomness from Chain Attributes | CWE-330: Use of Insufficiently Random Values |
| SWC-119 | Shadowing State Variables | CWE-710: Improper Adherence to Coding Standards |
| SWC-118 | Incorrect Constructor Name | CWE-665: Improper Initialization |
| SWC-117 | Signature Malleability | CWE-347: Improper Verification of Cryptographic Signature |
| SWC-116 | Block values as a proxy for time | CWE-829: Inclusion of Functionality from Untrusted Control Sphere |
| SWC-115 | Authorization through tx.origin | CWE-477: Use of Obsolete Function |
| SWC-114 | Transaction Order Dependence | CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
| SWC-113 | DoS with Failed Call | CWE-703: Improper Check or Handling of Exceptional Conditions |
| SWC-112 | Delegatecall to Untrusted Callee | CWE-829: Inclusion of Functionality from Untrusted Control Sphere |
| SWC-111 | Use of Deprecated Solidity Functions | CWE-477: Use of Obsolete Function |
| SWC-110 | Assert Violation | CWE-670: Always-Incorrect Control Flow Implementation |
| SWC-109 | Uninitialized Storage Pointer | CWE-824: Access of Uninitialized Pointer |
| SWC-108 | State Variable Default Visibility | CWE-710: Improper Adherence to Coding Standards |
| SWC-107 | Reentrancy | CWE-841: Improper Enforcement of Behavioral Workflow |
| SWC-106 | Unprotected SELFDESTRUCT Instruction | CWE-284: Improper Access Control |
| SWC-105 | Unprotected Ether Withdrawal | CWE-284: Improper Access Control |
| SWC-104 | Unchecked Call Return Value | CWE-252: Unchecked Return Value |
| SWC-103 | Floating Pragma | CWE-664: Improper Control of a Resource Through its Lifetime |
| SWC-102 | Outdated Compiler Version | CWE-937: Using Components with Known Vulnerabilities |
| SWC-101 | Integer Overflow and Underflow | CWE-682: Incorrect Calculation |
| SWC-100 | Function Default Visibility | CWE-710: Improper Adherence to Coding Standards |

https://swcregistry.io/
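SWC-133 (Hash Collisions With Multiple Variable Length Arguments) is less intuitive than the access-control entries, so here is a constructed example added for this page, not code from the SWC registry. It shows why `abi.encodePacked` over two dynamic arrays lets different inputs hash to the same value, and that `abi.encode` does not. The contract and function names (`CollisionDemo`, `packedHash`, `safeHash`, `demo`) and the placeholder addresses are assumptions for the illustration; it targets Solidity 0.8.x.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example for this page (not code from the SWC registry) showing
// SWC-133: abi.encodePacked concatenates dynamic arrays without a length
// prefix, so the boundary between two arrays is lost. If a signer approves
// keccak256(abi.encodePacked(admins, users)), an attacker can submit a
// different split of the same addresses with the same signature.
contract CollisionDemo {
    // VULNERABLE: packed encoding of two variable-length arguments.
    function packedHash(address[] memory a, address[] memory b) public pure returns (bytes32) {
        return keccak256(abi.encodePacked(a, b));
    }

    // HARDENED: abi.encode writes offsets and lengths, so the split between
    // the two arrays is part of what gets hashed.
    function safeHash(address[] memory a, address[] memory b) public pure returns (bytes32) {
        return keccak256(abi.encode(a, b));
    }

    // ([x, y], [z]) versus ([x], [y, z]): identical bytes under encodePacked
    // (x|y|z in both cases), different under encode.
    // Returns (collidesPacked, collidesSafe) == (true, false).
    function demo() external pure returns (bool collidesPacked, bool collidesSafe) {
        address x = address(1); // placeholder addresses, constructed for the demo
        address y = address(2);
        address z = address(3);

        address[] memory a1 = new address[](2);
        a1[0] = x;
        a1[1] = y;
        address[] memory b1 = new address[](1);
        b1[0] = z;

        address[] memory a2 = new address[](1);
        a2[0] = x;
        address[] memory b2 = new address[](2);
        b2[0] = y;
        b2[1] = z;

        collidesPacked = packedHash(a1, b1) == packedHash(a2, b2);
        collidesSafe = safeHash(a1, b1) == safeHash(a2, b2);
    }
}
```

Calling `demo()` returns `(true, false)`. The practical rule is the one the SWC entry gives: do not pass more than one variable-length argument to `abi.encodePacked` when the result is hashed for authentication; use `abi.encode`, or fix the argument lengths, or hash each dynamic argument separately before combining.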
