Vulnerability classes
Every catalog detector carries one or more class codes. They follow the OWASP Smart Contract Top 10 (2026) taxonomy, plus a set of X-classes for the “the code is perfect, the process isn’t” bugs that produced the largest 2026 losses.
SC — on-chain code bugs
| ID | Class | What it is |
|---|---|---|
| SC01 | Access Control | Unauthorized callers invoke privileged functions / modify critical state |
| SC02 | Business Logic | Design flaws in lending/AMM/governance that break economic rules |
| SC03 | Price Oracle Manipulation | Weak oracles let attackers skew reference prices for borrow/swap |
| SC04 | Flash-Loan Facilitated | Uncollateralized loans magnify a latent bug within one transaction |
| SC05 | Lack of Input Validation | Missing validation of user/admin/cross-chain inputs corrupts state |
| SC06 | Unchecked External Calls | Failures / reverts / callbacks not handled safely |
| SC07 | Arithmetic / Precision | Rounding & precision bugs in share/interest math siphon value |
| SC08 | Reentrancy | An external call re-enters before state is finalized → repeated withdrawals |
| SC09 | Integer Overflow / Underflow | Arithmetic exceeds limits and breaks invariants (mostly killed by ^0.8) |
The catalog also tags SC09 — insecure randomness on the `insecure-randomness` detector and X04 — cryptographic on the THORChain TSS entry; these are tracked taxonomy refinements.
X — process / config classes
These aren’t contract-code bugs but matter for target selection and for protocols where governance/config is in scope.
| ID | Class | One-liner | Example |
|---|---|---|---|
| X01 | Cross-chain / bridge trust config | Single-DVN / single-verifier messaging = single point of failure | Kelp DAO rsETH, $292M |
| X02 | Governance social engineering | Off-chain compromise of signers/operators | Drift Protocol, $285M |
| X03 | Supply-chain / signing infra | Compromised frontend / signing pipeline, not the contract | Bybit, ~$1.4B |
| X04 | Cryptographic | Threshold-signature / MPC / proof-system flaws (off-chain) | THORChain TSS/GG20 |
Where the findable bugs are
For code-level bounty bugs (vs. ops failures), effort ranks roughly:
SC02 (logic) ≈ SC03 (oracle) ≈ SC07 (arithmetic) > SC01 (access control) > SC08 (reentrancy) > rest.
The top three are where modern, already-audited protocols still bleed — tools can’t read economic intent, so the catalog’s `applies_when` preconditions are how you find them. Full taxonomy + per-class checklists live in `docs/vuln-classes/` and `checklists/`.
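Of the top three, SC07 (arithmetic / precision) is the one that can be shown in a few lines, because the defect is a rounding direction rather than a protocol-wide design choice. The Solidity below is an added example, not code from the catalog or from any vault it describes; the contract names, the `_ceilDiv` helper and the worked numbers are constructed. Both contracts convert between assets and vault shares; the first rounds the withdrawal conversion down, in the withdrawer's favour, which is the "rounding bugs in share math siphon value" case in the table, and the second rounds every conversion in the vault's favour.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration of SC07 (arithmetic / precision). Names are hypothetical.
//
// Worked numbers (constructed): totalAssets = 1000, totalShares = 300, so one
// share is worth 3.33 assets. A withdrawal of 3 assets is worth 0.9 shares.
//   vulnerable: 3 * 300 / 1000 = 0 shares burned -> 3 assets leave for free
//   hardened:   ceil(0.9)       = 1 share  burned -> rounding favours the vault

contract ShareMathVulnerable {
    uint256 public totalAssets;
    uint256 public totalShares;

    constructor(uint256 assets, uint256 shares) {
        require(assets > 0 && shares > 0, "empty vault");
        totalAssets = assets;
        totalShares = shares;
    }

    // Shares minted for a deposit. Rounding down is correct here: the
    // depositor never receives more than the assets are worth.
    function sharesForDeposit(uint256 assets) public view returns (uint256) {
        return assets * totalShares / totalAssets;
    }

    // BUG: shares burned for a withdrawal also round down, so a withdrawal
    // worth less than one share burns zero shares and the residue is paid
    // out of the other holders' assets.
    function sharesForWithdraw(uint256 assets) public view returns (uint256) {
        return assets * totalShares / totalAssets;
    }
}

contract ShareMathHardened {
    uint256 public totalAssets;
    uint256 public totalShares;

    constructor(uint256 assets, uint256 shares) {
        require(assets > 0 && shares > 0, "empty vault");
        totalAssets = assets;
        totalShares = shares;
    }

    // Ceiling division that avoids the extra addition of (a + b - 1) / b.
    function _ceilDiv(uint256 a, uint256 b) internal pure returns (uint256) {
        return a == 0 ? 0 : (a - 1) / b + 1;
    }

    // Deposit: round down, against the depositor, as before.
    function sharesForDeposit(uint256 assets) public view returns (uint256) {
        return assets * totalShares / totalAssets;
    }

    // Withdraw: round UP, against the withdrawer. Every conversion now rounds
    // in favour of the vault, so no deposit/withdraw round trip can extract
    // more than was put in.
    function sharesForWithdraw(uint256 assets) public view returns (uint256) {
        return _ceilDiv(assets * totalShares, totalAssets);
    }

    // Invariant a reviewer or fuzzer can check: withdrawing `assets` must
    // never burn fewer shares than depositing the same `assets` would mint.
    function withdrawNeverCheaperThanDeposit(uint256 assets) external view returns (bool) {
        return sharesForWithdraw(assets) >= sharesForDeposit(assets);
    }
}
```

The invariant at the bottom is the kind of precondition-driven check the catalog's per-class checklists are for: a tool sees only two identical-looking divisions, while the economic intent (who absorbs the rounding residue) decides which one is the bug.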