Awesome
Decentralized Finance Threat Matrix
Advisories
We are now publishing Security Advisories https://github.com/manifoldfinance/defi-threat/security/advisories
Link to the latest published ones here
Changes
v3.0.3 New attack: Secret Size Attack New Category: Interchain, id: 006
v3.0.2 New attacks such as: <br> Ex Post/Ex Ante Reorg (On-Chain), <br> Compiler not Optimizing errors (Solidity), <br> BGP Routing Hijacking (Off-chain) and more.
Abstract
This work is inspired by attack.mitre.org. Please use attack for "normal" InfoSec/Dev/Sys security check-listing, this is meant to be specialized towards the unique issues brought about in blockchain/cryptocurrency applications (i.e. protocols).
Repository Structure
-
libtx: transaction library with example transactions from hacks in a UML format
-
src: Source of the latest DeFi Threat Mapping and Matrix. Provided in
.mediawikiand.tsvformats.
v4 Draft of Threat Matrix
| Market Attacks | Economic Attacks | Off-Chain Attacks | On-Chain Attacks | Solidity-Specific Attacks |
|---|---|---|---|---|
| Front-Running | In Arrears Liability | Price Feed | Timestamp Dependence | Integer Overflow and Underflow |
| Coordinated Attack | Insufficient Gas Griefing | Quote Stuffing | Admin Key Exploits | DoS with (Unexpected) Revert |
| Liquidity Pocket | Token Inflation | Spoofing | Timelock Exploits | DoS with Block Gas Limit |
| Quote Stuffing | Circulating Supply Attack | Credential Access | Lateral Movements | Arithmetic Over/Under Flows |
| Wash Trading | Gas Griefing (DoS) | Reentrancy | Multi-Sig Key Exploits | Forcibly Sending Ether to a Contract |
| Ramping The Market | Network Congestion (uDoS) | Privilege Escalation | Miner Cartel Attacks | Delegatecall |
| Cornering The Market | Liquidity Squeeze | Credential Access | Finality Exploits | Entropy Illusion |
| Churning | Governance Cartels | Encryption Protections | Honeypot Attacks | Short Address/Parameter Attack |
| Flash Loans | Interlocking Directorate | Phishing | Red Queen Attacks | Uninitialized Storage Pointers |
| Aggregated Transactions | Governance Attack | Unicode Exploits | Sole Block Synchronization | Floating Points and Numerical Precision |
| Bulge Bracket Transactions | Slippage Exploit | API | Transaction Pool | Right-To-Left-Override Control Character (U+202E) |
| Layering | Safety Check Exploits | DNS Attacks | Performance Fee Minting | Delegatecall to Untrusted Callee |
| Spoofing | Circulating Supply Dump | Transaction Pool | Front-Running | Requirement Violation |
| Order Book | Flash "Straddle" | Checksum Address | Sandwich Attacks | Shadowing State Variables |
| Market Index Calculation Attack | Structuring | Siphon Funds | Second System Effector | Transaction Order Dependence |
| Flash Crash | Stalking Horse | Influencer Attacks | Backrunning | Assert Violation |
| Repo | Like Asset Price Divergence | Synthetic Mint Spread | Block Producer Cartel | Uninitialized Storage Pointer |
| Excessive Leverage | Reserve Asset Liquidity Manipulation | Syscall Exploit | Unlimited Permissions on Token Approval | Unprotected Ether Withdrawal |
| Breaking the "Buck" | Stable Reserve Asset Manipulation | Container Privilege Escalation | Naked Call | Floating Pragma |
| Fake News | Price Induced Oracle Volatility | Keyctl Misuse (syscall) | Block Constructor Cartel | Outdated Compiler Version |
| Nested Bot | Fake Token Trading Pair | Supply Chain Dependency | Malicious Airdrop | Function Default Visibility |
| Audience of Bots | Volume Manipulation by Re-circulating Flashloan | Compiled Output Destructuring Const Values | Oracle HALT by MultiSig | msg.sender |
| Arbitrage Exploit | Persistent De-Peg Instability | Browser in the Browser Attack | Ex Ante Reorg | Wallet Balance |
| Cascading Loan Failure | Unexpected Fee on Transfer | Man in the Blotter | Ex Post Reorg | Compiler Optimizer Not Optimizing |
| BGP Routing | Nonstandard Proxy Implementation | Math Operations Differ in Certain Pragmas | ||
| IP4/IP6 Misconfiguration | Tyranny of the Majority | Uninitialized Contract |
v3 Threat Matrix
version v3.0.3/2022.08
| 001 | 002 | 003 | 004 | 005 |
|---|---|---|---|---|
| Market Attacks | Economic Attack | Off-Chain | On-Chain | Solidity |
| Front-Running | In Arrears liability | Price Feed | Timestamp Dependence | Integer Overflow and Underflow |
| Coordinated Attack | Insufficient gas griefing | Quote Stuffing | Admin Key | DoS with (Unexpected) revert |
| Liquidity Pocket | Token Inflation | Spoofing | Timelock | DoS with Block Gas Limit |
| Quote Stuffing | Circulating Supply Attack | Credential Access | Lateral Movements | Arithmetic Over/Under Flows |
| Wash Trading | Gas Griefing (DoS) | Reentrancy | Multi-Sig Keys | Forcibly Sending Ether to a Contract |
| Ramping The Market | Network Congestion (uDoS) | Privilage Esclation | Miner Cartel | Delegatecall |
| Cornering The Market | Liquidity Squeeze | Credential Access | Finality | Entropy Illusion |
| Churning | Governance Cartels | Encryption Protections | Honeypot | Short Address/Parameter Attack |
| Flash Loans | Interlocking Directorate | Phishing | Red Queen | Uninitialised Storage Pointers |
| Aggregated Transactions | Governance Attack | Unicode Exploits | Sole block synchronization | Floating Points and Numerical Precision |
| Bulge Bracket Transactions | Slippage Exploit | API | Transaction Pool | Right-To-Left-Override control character (U+202E) |
| Layering | Safety Check Exploits | DNS Attacks | Performance Fee Minting | Delegatecall to Untrusted Callee |
| Spoofing | Circulating Supply Dump | Transaction Pool | Front-Running | Requirement Violation |
| Order Book | Flash "Straddle" | Checksum Address | Sandwhiching | Shadowing State Variables |
| Market Index Calculation Attack | Structuring | Siphon Funds | Second System Effector | Transaction Order Dependence |
| Flash Crash | Stalking Horse | Influencers' | Backrunning | Assert Violation |
| Repo | Like Asset Price Divergance | Synthetic Mint Spread | Block Producer Cartel | Uninitialized Storage Pointer |
| Excessive Leverage | Reserve Asset Liquidity Manipulation | Syscall Exploit | Unlimited Permissions on Token Approval | Unprotected Ether Withdrawal |
| Breaking the "Buck" | Stable Reserve Asset Manipulation | Container Priv. Esclation | Naked Call | Floating Pragma |
| "Fake" News | Price Induced Oracle Volatility | Keyctl missuse (syscall) | Block Constructor Cartel | Outdated Compiler Version |
| Nested Bot | Fake Token Trading Pair | Supply Chain Dependency | MaliciousAirdrop | Function Default Visibility |
| Audience of Bots | Volume Manipulation by re-circulating flashloan | Compiled output destructuring const values | Oracle HALT by MultiSig | msg.sender |
| Arb. Exploit | Persistant de-peg instability | Browser in the Browser attack | Ex Ante Reorg | Wallet Balance |
| Cascading Loan Failure | Unexpected Fee on Transfer | Man in the Blotter | Ex Post Reorg | Compiler Optimizer not Optimizing |
| BGP Routing | Nonstandard Proxy Implementation | Math operations differ in certain pragmas | ||
| IP4/IP6 misconfiguration | Tyranny of the Majority | Uninitialized Contract | ||
| Secret Size Attack |
v2 Matrix
For Reference use only!
| Protocol / Interaction Based | Blockchain Transaction Based | Non-Blockchain Sources | Blockchain Sources | SWC Registry (Solidity Exploits) |
|---|---|---|---|---|
| Market Attacks | Economic Attack | Off-Chain | On-Chain | Solidity |
| Front-Running | Front-Running | Price Feed | Timestamp Dependence | Integer Overflow and Underflow |
| Coordinated Attack | Insufficient gas griefing | Quote Stuffing | Admin Key | DoS with (Unexpected) revert |
| Liquidity Pocket | Token Inflation | Spoofing | Timelock | DoS with Block Gas Limit |
| Quote Stuffing | Circulating Supply Attack | Credential Access | Lateral Movements | Arithmetic Over/Under Flows |
| Wash Trading | Gas Griefing (DoS) | Reentrancy | Multi-Sig Keys | Forcibly Sending Ether to a Contract |
| Ramping The Market | Network Congestion (uDoS) | Privilege Escalation | Miner Cartel | Delegatecall |
| Cornering The Market | Liquidity Squeeze | Credential Access | Finality | Entropy Illusion |
| Churning | Smurfing | Encryption Protections | Short Address/Parameter Attack | |
| Flash Loans | Phishing | Uninitialised Storage Pointers | ||
| Aggregated Transactions | Unicode Exploits | Floating Points and Numerical Precision | ||
| Bulge Bracket Transactions | API | Right-To-Left-Override control character (U+202E) | ||
| Layering | Blockchain Transaction Based | DNS Attacks | Delegatecall to Untrusted Callee | |
| Spoofing | Governance Attack | Transaction Pool | Transaction Pool | Requirement Violation |
| Order Book | Interlocking Directorate | Checksum Address | Shadowing State Variables | |
| Market Index Calculation Attack | Governance Cartels | Siphon Funds | Transaction Order Dependence | |
| Flash Crash | Assert Violation | |||
| Repo | Stalking Horse | Synthetic Mint Spread | Sole block synchronization | Uninitialized Storage Pointer |
| Excessive Leverage | Syscall Exploit | Unprotected Ether Withdrawal | ||
| Breaking the "Buck" | Container Priv. Esclation | Floating Pragma | ||
| "Fake" News | Keyctl missuse (syscall) | Outdated Compiler Version | ||
| Nested Bot | Function Default Visibility | |||
| Audience of Bots | Influencers' | |||
| Arb. Exploit | ||||
| Slippage Exploit | ||||
| Safety Check Exploits | ||||
| Circulating Supply Dump | ||||
| Governance Cartel | ||||
| Flash "Straddle" | ||||
| Structuring | ||||
| Back-Running |
UML Diagrams of Real World Attacks
Example: Fake Trading Volume on UniswapV2
Contributions and Acknowledgements
Ali Atiia <br /> John Mardlin <br /> Raul Jack <br /> samczsun <br /> Sam Bacha <br /> James Zaki <br />
v1 Sheet
v2 Sheet
- Updates to the Sheet can be found in in the 'legend' section
License
Software Components under Mozilla Public License 2.0 <br />
CVE/SWC are licensed under their respective author's licenses. <br />
Everything else is under CC-2.5-NC-ND. If you would like an exemption to this license pleasae contact: sam@manifoldfinance.com