/defi-threat

A globally accessible knowledge base of adversary tactics and techniques, based on real-world observations of decentralized finance.


Decentralized Finance Threat Matrix

  • v3.0.2 is the latest release (v2022.06.13-302)

Advisories

We are now publishing Security Advisories: https://github.com/manifoldfinance/defi-threat/security/advisories

Link to the latest published ones here

Changes

New attacks such as:
Ex Post/Ex Ante Reorg (On-Chain),
Compiler not Optimizing errors (Solidity),
BGP Routing Hijacking (Off-chain) and more.

Abstract

This work is inspired by attack.mitre.org. Please use ATT&CK for "normal" InfoSec/Dev/Sys security checklists; this matrix is specialized towards the unique issues brought about in blockchain/cryptocurrency applications (i.e. protocols).

Repository Structure

  • libtx: transaction library with example transactions from hacks in a UML format

  • src: Source of the latest DeFi Threat Mapping and Matrix. Provided in .mediawiki and .tsv formats.

Overview of Threat Matrix

version v3.0.2/2022.06

| 001 | 002 | 003 | 004 | 005 |
| --- | --- | --- | --- | --- |
| Market Attacks | Economic Attack | Off-Chain | On-Chain | Solidity |
| Front-Running | In Arrears liability | Price Feed | Timestamp Dependence | Integer Overflow and Underflow |
| Coordinated Attack | Insufficient gas griefing | Quote Stuffing | Admin Key | DoS with (Unexpected) revert |
| Liquidity Pocket | Token Inflation | Spoofing | Timelock | DoS with Block Gas Limit |
| Quote Stuffing | Circulating Supply Attack | Credential Access | Lateral Movements | Arithmetic Over/Under Flows |
| Wash Trading | Gas Griefing (DoS) | Reentrancy | Multi-Sig Keys | Forcibly Sending Ether to a Contract |
| Ramping The Market | Network Congestion (uDoS) | Privilege Escalation | Miner Cartel | Delegatecall |
| Cornering The Market | Liquidity Squeeze | Credential Access | Finality | Entropy Illusion |
| Churning | Governance Cartels | Encryption Protections | Honeypot | Short Address/Parameter Attack |
| Flash Loans | Interlocking Directorate | Phishing | Red Queen | Uninitialised Storage Pointers |
| Aggregated Transactions | Governance Attack | Unicode Exploits | Sole block synchronization | Floating Points and Numerical Precision |
| Bulge Bracket Transactions | Slippage Exploit | API | Transaction Pool | Right-To-Left-Override control character (U+202E) |
| Layering | Safety Check Exploits | DNS Attacks | Performance Fee Minting | Delegatecall to Untrusted Callee |
| Spoofing | Circulating Supply Dump | Transaction Pool | Front-Running | Requirement Violation |
| Order Book | Flash "Straddle" | Checksum Address | Sandwiching | Shadowing State Variables |
| Market Index Calculation Attack | Structuring | Siphon Funds | Second System Effector | Transaction Order Dependence |
| Flash Crash | Stalking Horse | Influencers' | Backrunning | Assert Violation |
| Repo | Like Asset Price Divergence | Synthetic Mint Spread | Block Producer Cartel | Uninitialized Storage Pointer |
| Excessive Leverage | Reserve Asset Liquidity Manipulation | Syscall Exploit | Unlimited Permissions on Token Approval | Unprotected Ether Withdrawal |
| Breaking the "Buck" | Stable Reserve Asset Manipulation | Container Priv. Escalation | Naked Call | Floating Pragma |
| "Fake" News | Price Induced Oracle Volatility | Keyctl misuse (syscall) | Block Constructor Cartel | Outdated Compiler Version |
| Nested Bot | Fake Token Trading Pair | Supply Chain Dependency | MaliciousAirdrop | Function Default Visibility |
| Audience of Bots | Volume Manipulation by re-circulating flashloan | Compiled output destructuring const values | Oracle HALT by MultiSig | msg.sender |
| Arb. Exploit | Persistent de-peg instability | Browser in the Browser attack | Ex Ante Reorg | Wallet Balance |
| Cascading Loan Failure | Unexpected Fee on Transfer | Man in the Blotter | Ex Post Reorg | Compiler Optimizer not Optimizing |
| | | BGP Routing | Nonstandard Proxy Implementation | Math operations differ in certain pragmas |
| | | IP4/IP6 misconfiguration | Tyranny of the Majority | Uninitialized Contract |

v2 Matrix

For Reference use only!

Protocol / Interaction Based Blockchain Transaction Based Non-Blockchain Sources Blockchain Sources SWC Registry (Solidity Exploits)
Market Attacks Economic Attack Off-Chain On-Chain Solidity
Front-Running Front-Running Price Feed Timestamp Dependence Integer Overflow and Underflow
Coordinated Attack Insufficient gas griefing Quote Stuffing Admin Key DoS with (Unexpected) revert
Liquidity Pocket Token Inflation Spoofing Timelock DoS with Block Gas Limit
Quote Stuffing Circulating Supply Attack Credential Access Lateral Movements Arithmetic Over/Under Flows
Wash Trading Gas Griefing (DoS) Reentrancy Multi-Sig Keys Forcibly Sending Ether to a Contract
Ramping The Market Network Congestion (uDoS) Privilege Escalation Miner Cartel Delegatecall
Cornering The Market Liquidity Squeeze Credential Access Finality Entropy Illusion
Churning Smurfing Encryption Protections Short Address/Parameter Attack
Flash Loans Phishing Uninitialised Storage Pointers
Aggregated Transactions Unicode Exploits Floating Points and Numerical Precision
Bulge Bracket Transactions API Right-To-Left-Override control character (U+202E)
Layering Blockchain Transaction Based DNS Attacks Delegatecall to Untrusted Callee
Spoofing Governance Attack Transaction Pool Transaction Pool Requirement Violation
Order Book Interlocking Directorate Checksum Address Shadowing State Variables
Market Index Calculation Attack Governance Cartels Siphon Funds Transaction Order Dependence
Flash Crash Assert Violation
Repo Stalking Horse Synthetic Mint Spread Sole block synchronization Uninitialized Storage Pointer
Excessive Leverage Syscall Exploit Unprotected Ether Withdrawal
Breaking the "Buck" Container Priv. Escalation Floating Pragma
"Fake" News Keyctl misuse (syscall) Outdated Compiler Version
Nested Bot Function Default Visibility
Audience of Bots Influencers'
Arb. Exploit
Slippage Exploit
Safety Check Exploits
Circulating Supply Dump
Governance Cartel
Flash "Straddle"
Structuring
Back-Running

UML Diagrams of Real World Attacks

Example: Fake Trading Volume on UniswapV2

Contributions and Acknowledgements

Ali Atiia
John Mardlin
Raul Jack
samczsun
Sam Bacha
James Zaki

v1 Sheet

DeFi Sec Matrix Sheet

v2 Sheet

DeFi Sec Page

  • Updates to the Sheet can be found in the 'legend' section

License

Software Components under Mozilla Public License 2.0

CVE/SWC are licensed under their respective author's licenses.

Everything else is under CC-2.5-NC-ND. If you would like an exemption to this license, please contact: sam@manifoldfinance.com