# integer overflow dropped from second to eighth risk after solidity 0.8 default protections
Since [[solidity 0.8.0 introduced default arithmetic overflow protection making unchecked blocks the new attack surface]], compiler-enforced overflow checks removed the most common manifestation of integer vulnerabilities. The drop from #2 to #8 in the OWASP ranking quantifies this impact.
However, the risk is not eliminated: older contracts compiled pre-0.8.0 remain vulnerable, custom math libraries may contain unchecked operations, and [[unchecked arithmetic blocks reintroduce overflow vulnerabilities in post-0.8 solidity|explicit unchecked blocks reintroduce the attack surface]].
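
A triage sketch for two of the residual cases above, added here as an example and not part of the original note: it flags Solidity sources whose pragma admits a pre-0.8.0 compiler and `unchecked` blocks that contain arithmetic. The function names and sample contracts are constructed for illustration, and the regex matching is a heuristic that does not parse string literals or detect custom math libraries.

```python
import re

PRAGMA = re.compile(r"pragma\s+solidity\s+([^;]+);")
VERSION = re.compile(r"(\^|~|>=|<=|>|<|=)?\s*(\d+)\.(\d+)(?:\.(\d+))?")
ARITH = re.compile(r"[-+*]")  # +, -, *, ++, --, +=, ...: operators that can wrap

def strip_comments(src):
    # Blank out comments but keep newlines so reported line numbers stay correct.
    blank = lambda m: re.sub(r"[^\n]", " ", m.group(0))
    return re.sub(r"//[^\n]*|/\*.*?\*/", blank, src, flags=re.S)

def lower_bound(src):
    """Lowest compiler version the pragma admits; None when there is no pragma."""
    m = PRAGMA.search(strip_comments(src))
    if not m:
        return None
    floors = [(int(a), int(b), int(c or 0))
              for op, a, b, c in VERSION.findall(m.group(1)) if op not in ("<", "<=")]
    return min(floors) if floors else (0, 0, 0)

def unchecked_blocks(src):
    """Yield (line, body) for each unchecked { ... } block that contains arithmetic."""
    code = strip_comments(src)
    for m in re.finditer(r"\bunchecked\s*\{", code):
        depth, i = 1, m.end()
        while i < len(code) and depth:  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(code[i], 0)
            i += 1
        body = " ".join(code[m.end():i - 1].split())
        if ARITH.search(body):
            yield code.count("\n", 0, m.start()) + 1, body

def triage(src):
    floor, findings = lower_bound(src), []
    if floor is None:
        findings.append("no pragma: compiler version unknown")
    elif floor < (0, 8, 0):
        findings.append("pragma admits %d.%d.%d: no compiler overflow checks below 0.8.0" % floor)
    for line, body in unchecked_blocks(src):
        findings.append("line %d: unchecked arithmetic: %s" % (line, body))
    return findings

# Constructed sample sources, not taken from any real contract.
LEGACY = "pragma solidity ^0.7.6;\ncontract L { function f(uint a) public { a += 1; } }\n"
MODERN = ("pragma solidity >=0.8.0 <0.9.0;\ncontract M { uint256 total;\n"
          "  function add(uint256 n) external { total += n; } // checked: reverts\n"
          "  function fastAdd(uint256 n) external { unchecked { total += n; } } }\n")

if __name__ == "__main__":
    print(triage(LEGACY), triage(MODERN), sep="\n")
```

Each finding is a pointer for manual review, not a verdict: an `unchecked` block may be safe when its operands are bounded by an earlier check.
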
---
Relevant Notes:
- [[solidity 0.8.0 introduced default arithmetic overflow protection making unchecked blocks the new attack surface]]: the change that caused this drop
- [[unchecked arithmetic blocks reintroduce overflow vulnerabilities in post-0.8 solidity]]: the residual risk
- [[owasp smart contract top 10 2025 ranks access control as the highest risk category]]: the full ranking context
- [[solidity 0.8 default checked arithmetic converts overflow from a value manipulation vulnerability into a denial-of-service vulnerability]]: extends: the OWASP rank drop conceals a threat model inversion; the same arithmetic edge cases now brick functions rather than inflate balances, keeping them high-value audit targets regardless of version
- [[owasp smart contract top 10 2026 confirms business logic and access control together account for 78 percent of all 2025 incidents]]: extends: SC09 in the 2026 ranking shows integer overflow at #9 with $260.4M across only 3 incidents, confirming the compiler protection pattern produces high-impact, low-frequency occurrences when bypassed
- [[Solidity functions without an explicit visibility modifier defaulted to public before version 0.5.0 allowing anyone to call intended-internal functions]]: exemplifies: parallel case where compiler enforcement (0.5.0 mandatory visibility) eliminated a vulnerability class; both demonstrate that language-level invariants can close entire attack surfaces
Topics:
- [[vulnerability-patterns]]