Vulnerability Patterns Overview
The table below presents the total number of findings for each vulnerability pattern across all analyzed contracts.
| Vulnerability Patterns | Findings |
|---|---|
| Business Logic | 296 |
| Input Validation | 170 |
| Calculation Errors | 148 |
| Coding Mistake | 76 |
| Access Control | 73 |
| State Management | 64 |
| Code Optimization | 43 |
| Denial of Service | 40 |
| Missing Functions | 37 |
| Data Inconsistency | 31 |
| Oracle Issues | 27 |
| Centralization Risk | 25 |
| Constant Definition | 21 |
| Cross-Implementation | 16 |
| Runtime/Development Issues | 15 |
| Missing Version Check | 12 |
| Gas-related Issues | 11 |
| Looping Issues | 10 |
| Front-running | 7 |
| Collision | 5 |
| Inflation Attacks | 5 |
| Documentation Mismatch | 3 |
| Signature Replay | 3 |
| Third-Party Risk | 2 |
| Race Condition | 1 |
| Total | 1141 |
As the table shows, business logic vulnerabilities account for more than 25% of all findings in the database. Input validation was the second most common pattern, followed by calculation errors.
Next, let's examine the vulnerability patterns in detail, broken down by severity.
| Vulnerability Patterns | Critical (C) | High (H) | Medium (M) | Low (L) | Total |
|---|---|---|---|---|---|
| Business Logic | 21 | 58 | 89 | 128 | 296 |
| Input Validation | 16 | 29 | 34 | 91 | 170 |
| Calculation Errors | 13 | 28 | 61 | 46 | 148 |
| Coding Mistake | 0 | 0 | 0 | 76 | 76 |
| Access Control | 13 | 20 | 14 | 26 | 73 |
| State Management | 7 | 14 | 19 | 24 | 64 |
| Code Optimization | 0 | 0 | 0 | 43 | 43 |
| Denial of Service | 2 | 4 | 27 | 7 | 40 |
| Missing Functions | 1 | 3 | 15 | 18 | 37 |
| Data Inconsistency | 2 | 10 | 10 | 9 | 31 |
| Oracle Issues | 3 | 5 | 11 | 8 | 27 |
| Centralization Risk | 0 | 8 | 10 | 7 | 25 |
| Constant Definition | 3 | 2 | 5 | 11 | 21 |
| Cross-Implementation | 0 | 0 | 2 | 14 | 16 |
| Runtime/Development Issues | 0 | 0 | 10 | 5 | 15 |
| Missing Version Check | 0 | 2 | 1 | 9 | 12 |
| Gas-related Issues | 0 | 0 | 11 | 0 | 11 |
| Looping Issues | 0 | 3 | 3 | 4 | 10 |
| Front-running | 0 | 3 | 2 | 2 | 7 |
| Collision | 0 | 0 | 1 | 4 | 5 |
| Inflation Attacks | 0 | 0 | 1 | 4 | 5 |
| Documentation Mismatch | 0 | 0 | 0 | 3 | 3 |
| Signature Replay | 0 | 0 | 0 | 3 | 3 |
| Third-Party Risk | 0 | 0 | 0 | 2 | 2 |
| Race Condition | 0 | 0 | 0 | 1 | 1 |
| Total | 81 | 189 | 326 | 545 | 1141 |
Based on Criticals and Highs: Business Logic, Input Validation, Calculation Errors, Access Control, and State Management are the top 5 vulnerability classes.
Based on Mediums: Business Logic, Calculation Errors, and Input Validation are the top 3 most commonly found vulnerability patterns.
Coding Mistakes and Code Optimization were the most commonly found Low severity issues.
💡 Note
The Move Vulnerability Database provides a comprehensive overview of vulnerabilities observed across audited Move protocols and serves as a guide to understanding risk concentration. Readers are encouraged to use the data to draw their own conclusions, identify trends, and consider protocol context, design, and specific use cases when assessing potential vulnerabilities.