What are the Actual Flaws in Important Smart Contracts (and How Can We Find Them)?

We summarize and systematically categorize results from more than 20 security assessments of Ethereum smart contracts performed by a leading company in blockchain security. These assessments contain over 200 individual defect findings. By limiting our results to contracts for which assessment by paid experts was deemed worthwhile, we avoid the problem of over-reporting problems that primarily appear in low-quality, uninteresting contracts. Because findings are based on expert human analysis aided by high-quality public and internal analysis tools, we expect that the results are generally representative of actual weaknesses in important contracts. These results make it possible to compare impact and frequency of different flaw types, contrast smart contract flaws with non-smart-contract flaws, and estimate the potential of automated flaw-detection approaches.