Home

Awesome

Decentralized Finance Threat Matrix

Advisories

We are now publishing Security Advisories https://github.com/manifoldfinance/defi-threat/security/advisories

Link to the latest published ones here

Changes

v3.0.3 New attack: Secret Size Attack New Category: Interchain, id: 006

v3.0.2 New attacks such as: <br> Ex Post/Ex Ante Reorg (On-Chain), <br> Compiler not Optimizing errors (Solidity), <br> BGP Routing Hijacking (Off-chain) and more.

Abstract

This work is inspired by attack.mitre.org. Please use attack for "normal" InfoSec/Dev/Sys security check-listing, this is meant to be specialized towards the unique issues brought about in blockchain/cryptocurrency applications (i.e. protocols).

Repository Structure

v4 Draft of Threat Matrix

Market AttacksEconomic AttacksOff-Chain AttacksOn-Chain AttacksSolidity-Specific Attacks
Front-RunningIn Arrears LiabilityPrice FeedTimestamp DependenceInteger Overflow and Underflow
Coordinated AttackInsufficient Gas GriefingQuote StuffingAdmin Key ExploitsDoS with (Unexpected) Revert
Liquidity PocketToken InflationSpoofingTimelock ExploitsDoS with Block Gas Limit
Quote StuffingCirculating Supply AttackCredential AccessLateral MovementsArithmetic Over/Under Flows
Wash TradingGas Griefing (DoS)ReentrancyMulti-Sig Key ExploitsForcibly Sending Ether to a Contract
Ramping The MarketNetwork Congestion (uDoS)Privilege EscalationMiner Cartel AttacksDelegatecall
Cornering The MarketLiquidity SqueezeCredential AccessFinality ExploitsEntropy Illusion
ChurningGovernance CartelsEncryption ProtectionsHoneypot AttacksShort Address/Parameter Attack
Flash LoansInterlocking DirectoratePhishingRed Queen AttacksUninitialized Storage Pointers
Aggregated TransactionsGovernance AttackUnicode ExploitsSole Block SynchronizationFloating Points and Numerical Precision
Bulge Bracket TransactionsSlippage ExploitAPITransaction PoolRight-To-Left-Override Control Character (U+202E)
LayeringSafety Check ExploitsDNS AttacksPerformance Fee MintingDelegatecall to Untrusted Callee
SpoofingCirculating Supply DumpTransaction PoolFront-RunningRequirement Violation
Order BookFlash "Straddle"Checksum AddressSandwich AttacksShadowing State Variables
Market Index Calculation AttackStructuringSiphon FundsSecond System EffectorTransaction Order Dependence
Flash CrashStalking HorseInfluencer AttacksBackrunningAssert Violation
RepoLike Asset Price DivergenceSynthetic Mint SpreadBlock Producer CartelUninitialized Storage Pointer
Excessive LeverageReserve Asset Liquidity ManipulationSyscall ExploitUnlimited Permissions on Token ApprovalUnprotected Ether Withdrawal
Breaking the "Buck"Stable Reserve Asset ManipulationContainer Privilege EscalationNaked CallFloating Pragma
Fake NewsPrice Induced Oracle VolatilityKeyctl Misuse (syscall)Block Constructor CartelOutdated Compiler Version
Nested BotFake Token Trading PairSupply Chain DependencyMalicious AirdropFunction Default Visibility
Audience of BotsVolume Manipulation by Re-circulating FlashloanCompiled Output Destructuring Const ValuesOracle HALT by MultiSigmsg.sender
Arbitrage ExploitPersistent De-Peg InstabilityBrowser in the Browser AttackEx Ante ReorgWallet Balance
Cascading Loan FailureUnexpected Fee on TransferMan in the BlotterEx Post ReorgCompiler Optimizer Not Optimizing
BGP RoutingNonstandard Proxy ImplementationMath Operations Differ in Certain Pragmas
IP4/IP6 MisconfigurationTyranny of the MajorityUninitialized Contract

v3 Threat Matrix

version v3.0.3/2022.08

001002003004005
Market AttacksEconomic AttackOff-ChainOn-ChainSolidity
Front-RunningIn Arrears liabilityPrice FeedTimestamp DependenceInteger Overflow and Underflow
Coordinated AttackInsufficient gas griefingQuote StuffingAdmin KeyDoS with (Unexpected) revert
Liquidity PocketToken InflationSpoofingTimelockDoS with Block Gas Limit
Quote StuffingCirculating Supply AttackCredential AccessLateral MovementsArithmetic Over/Under Flows
Wash TradingGas Griefing (DoS)ReentrancyMulti-Sig KeysForcibly Sending Ether to a Contract
Ramping The MarketNetwork Congestion (uDoS)Privilage EsclationMiner CartelDelegatecall
Cornering The MarketLiquidity SqueezeCredential AccessFinalityEntropy Illusion
ChurningGovernance CartelsEncryption ProtectionsHoneypotShort Address/Parameter Attack
Flash LoansInterlocking DirectoratePhishingRed QueenUninitialised Storage Pointers
Aggregated TransactionsGovernance AttackUnicode ExploitsSole block synchronizationFloating Points and Numerical Precision
Bulge Bracket TransactionsSlippage ExploitAPITransaction PoolRight-To-Left-Override control character (U+202E)
LayeringSafety Check ExploitsDNS AttacksPerformance Fee MintingDelegatecall to Untrusted Callee
SpoofingCirculating Supply DumpTransaction PoolFront-RunningRequirement Violation
Order BookFlash "Straddle"Checksum AddressSandwhichingShadowing State Variables
Market Index Calculation AttackStructuringSiphon FundsSecond System EffectorTransaction Order Dependence
Flash CrashStalking HorseInfluencers'BackrunningAssert Violation
RepoLike Asset Price DiverganceSynthetic Mint SpreadBlock Producer CartelUninitialized Storage Pointer
Excessive LeverageReserve Asset Liquidity ManipulationSyscall ExploitUnlimited Permissions on Token ApprovalUnprotected Ether Withdrawal
Breaking the "Buck"Stable Reserve Asset ManipulationContainer Priv. EsclationNaked CallFloating Pragma
"Fake" NewsPrice Induced Oracle VolatilityKeyctl missuse (syscall)Block Constructor CartelOutdated Compiler Version
Nested BotFake Token Trading PairSupply Chain DependencyMaliciousAirdropFunction Default Visibility
Audience of BotsVolume Manipulation by re-circulating flashloanCompiled output destructuring const valuesOracle HALT by MultiSigmsg.sender
Arb. ExploitPersistant de-peg instabilityBrowser in the Browser attackEx Ante ReorgWallet Balance
Cascading Loan FailureUnexpected Fee on TransferMan in the BlotterEx Post ReorgCompiler Optimizer not Optimizing
BGP RoutingNonstandard Proxy ImplementationMath operations differ in certain pragmas
IP4/IP6 misconfigurationTyranny of the MajorityUninitialized Contract
Secret Size Attack

v2 Matrix

For Reference use only!

Protocol / Interaction BasedBlockchain Transaction BasedNon-Blockchain SourcesBlockchain SourcesSWC Registry (Solidity Exploits)
Market AttacksEconomic AttackOff-ChainOn-ChainSolidity
Front-RunningFront-RunningPrice FeedTimestamp DependenceInteger Overflow and Underflow
Coordinated AttackInsufficient gas griefingQuote StuffingAdmin KeyDoS with (Unexpected) revert
Liquidity PocketToken InflationSpoofingTimelockDoS with Block Gas Limit
Quote StuffingCirculating Supply AttackCredential AccessLateral MovementsArithmetic Over/Under Flows
Wash TradingGas Griefing (DoS)ReentrancyMulti-Sig KeysForcibly Sending Ether to a Contract
Ramping The MarketNetwork Congestion (uDoS)Privilege EscalationMiner CartelDelegatecall
Cornering The MarketLiquidity SqueezeCredential AccessFinalityEntropy Illusion
ChurningSmurfingEncryption ProtectionsShort Address/Parameter Attack
Flash LoansPhishingUninitialised Storage Pointers
Aggregated TransactionsUnicode ExploitsFloating Points and Numerical Precision
Bulge Bracket TransactionsAPIRight-To-Left-Override control character (U+202E)
LayeringBlockchain Transaction BasedDNS AttacksDelegatecall to Untrusted Callee
SpoofingGovernance AttackTransaction PoolTransaction PoolRequirement Violation
Order BookInterlocking DirectorateChecksum AddressShadowing State Variables
Market Index Calculation AttackGovernance CartelsSiphon FundsTransaction Order Dependence
Flash CrashAssert Violation
RepoStalking HorseSynthetic Mint SpreadSole block synchronizationUninitialized Storage Pointer
Excessive LeverageSyscall ExploitUnprotected Ether Withdrawal
Breaking the "Buck"Container Priv. EsclationFloating Pragma
"Fake" NewsKeyctl missuse (syscall)Outdated Compiler Version
Nested BotFunction Default Visibility
Audience of BotsInfluencers'
Arb. Exploit
Slippage Exploit
Safety Check Exploits
Circulating Supply Dump
Governance Cartel
Flash "Straddle"
Structuring
Back-Running

UML Diagrams of Real World Attacks

Example: Fake Trading Volume on UniswapV2

Contributions and Acknowledgements

Ali Atiia <br /> John Mardlin <br /> Raul Jack <br /> samczsun <br /> Sam Bacha <br /> James Zaki <br />

v1 Sheet

DeFi Sec Matrix Sheet

v2 Sheet

DeFi Sec Page

License

Software Components under Mozilla Public License 2.0 <br />

CVE/SWC are licensed under their respective author's licenses. <br />

Everything else is under CC-2.5-NC-ND. If you would like an exemption to this license pleasae contact: sam@manifoldfinance.com