{"id":13790838,"url":"https://github.com/manifoldfinance/defi-threat","last_synced_at":"2025-04-04T22:07:37.436Z","repository":{"id":39256922,"uuid":"290301022","full_name":"manifoldfinance/defi-threat","owner":"manifoldfinance","description":"a globally-accessible knowledge base of adversary tactics and techniques based on real-world observations on decentralized finance ","archived":false,"fork":false,"pushed_at":"2024-06-22T20:04:54.000Z","size":14085,"stargazers_count":492,"open_issues_count":19,"forks_count":53,"subscribers_count":21,"default_branch":"master","last_synced_at":"2025-04-02T22:35:33.810Z","etag":null,"topics":["advisories","blockchain","cve","defi","defi-threat","erc20","erc721","ethereum","evm","infosec","kill-chain","nfts","smart-contracts","smart-contracts-audit","solidity","threat","threat-matrix"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/manifoldfinance.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-08-25T19:09:04.000Z","updated_at":"2025-03-18T19:01:13.000Z","dependencies_parsed_at":"2023-01-19T17:04:45.856Z","dependency_job_id":"89d6ea71-d5d0-4de1-afa3-3e9018aed7af","html_url":"https://github.com/manifoldfinance/defi-threat","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/manifoldfinance%2Fdefi-threat","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/manifoldfinance%2Fdefi-threat/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/manifoldfinance%2Fdefi-threat/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/manifoldfinance%2Fdefi-threat/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/manifoldfinance","download_url":"https://codeload.github.com/manifoldfinance/defi-threat/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247256112,"owners_count":20909240,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["advisories","blockchain","cve","defi","defi-threat","erc20","erc721","ethereum","evm","infosec","kill-chain","nfts","smart-contracts","smart-contracts-audit","solidity","threat","threat-matrix"],"created_at":"2024-08-03T22:00:51.809Z","updated_at":"2025-04-04T22:07:37.420Z","avatar_url":"https://github.com/manifoldfinance.png","language":"JavaScript","funding_links":[],"categories":["Roadmap"],"sub_categories":[],"readme":"# Decentralized Finance Threat Matrix\n\n- **[v3.0.3 (v2022.08.23-303) (current release)](https://github.com/manifoldfinance/defi-threat/blob/master/v3.0.3.md)**\n- [v3.0.2 (v2022.06.13-302) (previous release)](https://github.com/manifoldfinance/defi-threat/blob/master/src/v3.0.2.tsv)\n\n## Advisories \n\nWe are now publishing Security Advisories [https://github.com/manifoldfinance/defi-threat/security/advisories](https://github.com/manifoldfinance/defi-threat/security/advisories)\n\n[Link to the latest published ones here](https://github.com/manifoldfinance/defi-threat/security/advisories?state=published)\n\n### Changes\n\nv3.0.3\nNew attack: Secret Size Attack\nNew Category: Interchain, id: 006\n\nv3.0.2\nNew attacks such as: \u003cbr\u003e\nEx Post/Ex Ante Reorg (On-Chain),  \u003cbr\u003e\nCompiler not Optimizing errors (Solidity),  \u003cbr\u003e\nBGP Routing Hijacking (Off-chain) and more.\n\n## Abstract\n\nThis work is inspired by [attack.mitre.org](https://attack.mitre.org). Please\nuse attack for \"normal\" InfoSec/Dev/Sys security check-listing, this is meant to\nbe specialized towards the unique issues brought about in blockchain/cryptocurrency applications (i.e. protocols).\n\n### Repository Structure\n\n- libtx: transaction library with example transactions from hacks in a UML format\n\n- src: Source of the latest DeFi Threat Mapping and Matrix. Provided in `.mediawiki` and `.tsv` formats.\n\n## v4 Draft of Threat Matrix\n\n| **Market Attacks**              \t| **Economic Attacks**                            \t| **Off-Chain Attacks**                      \t| **On-Chain Attacks**                    \t| **Solidity-Specific Attacks**                     \t|\n|---------------------------------\t|-------------------------------------------------\t|--------------------------------------------\t|-----------------------------------------\t|---------------------------------------------------\t|\n| Front-Running                   \t| In Arrears Liability                            \t| Price Feed                                 \t| Timestamp Dependence                    \t| Integer Overflow and Underflow                    \t|\n| Coordinated Attack              \t| Insufficient Gas Griefing                       \t| Quote Stuffing                             \t| Admin Key Exploits                      \t| DoS with (Unexpected) Revert                      \t|\n| Liquidity Pocket                \t| Token Inflation                                 \t| Spoofing                                   \t| Timelock Exploits                       \t| DoS with Block Gas Limit                          \t|\n| Quote Stuffing                  \t| Circulating Supply Attack                       \t| Credential Access                          \t| Lateral Movements                       \t| Arithmetic Over/Under Flows                       \t|\n| Wash Trading                    \t| Gas Griefing (DoS)                              \t| Reentrancy                                 \t| Multi-Sig Key Exploits                  \t| Forcibly Sending Ether to a Contract              \t|\n| Ramping The Market              \t| Network Congestion (uDoS)                       \t| Privilege Escalation                       \t| Miner Cartel Attacks                    \t| Delegatecall                                      \t|\n| Cornering The Market            \t| Liquidity Squeeze                               \t| Credential Access                          \t| Finality Exploits                       \t| Entropy Illusion                                  \t|\n| Churning                        \t| Governance Cartels                              \t| Encryption Protections                     \t| Honeypot Attacks                        \t| Short Address/Parameter Attack                    \t|\n| Flash Loans                     \t| Interlocking Directorate                        \t| Phishing                                   \t| Red Queen Attacks                       \t| Uninitialized Storage Pointers                    \t|\n| Aggregated Transactions         \t| Governance Attack                               \t| Unicode Exploits                           \t| Sole Block Synchronization              \t| Floating Points and Numerical Precision           \t|\n| Bulge Bracket Transactions      \t| Slippage Exploit                                \t| API                                        \t| Transaction Pool                        \t| Right-To-Left-Override Control Character (U+202E) \t|\n| Layering                        \t| Safety Check Exploits                           \t| DNS Attacks                                \t| Performance Fee Minting                 \t| Delegatecall to Untrusted Callee                  \t|\n| Spoofing                        \t| Circulating Supply Dump                         \t| Transaction Pool                           \t| Front-Running                           \t| Requirement Violation                             \t|\n| Order Book                      \t| Flash \"Straddle\"                                \t| Checksum Address                           \t| Sandwich Attacks                        \t| Shadowing State Variables                         \t|\n| Market Index Calculation Attack \t| Structuring                                     \t| Siphon Funds                               \t| Second System Effector                  \t| Transaction Order Dependence                      \t|\n| Flash Crash                     \t| Stalking Horse                                  \t| Influencer Attacks                         \t| Backrunning                             \t| Assert Violation                                  \t|\n| Repo                            \t| Like Asset Price Divergence                     \t| Synthetic Mint Spread                      \t| Block Producer Cartel                   \t| Uninitialized Storage Pointer                     \t|\n| Excessive Leverage              \t| Reserve Asset Liquidity Manipulation            \t| Syscall Exploit                            \t| Unlimited Permissions on Token Approval \t| Unprotected Ether Withdrawal                      \t|\n| Breaking the \"Buck\"             \t| Stable Reserve Asset Manipulation               \t| Container Privilege Escalation             \t| Naked Call                              \t| Floating Pragma                                   \t|\n| Fake News                       \t| Price Induced Oracle Volatility                 \t| Keyctl Misuse (syscall)                    \t| Block Constructor Cartel                \t| Outdated Compiler Version                         \t|\n| Nested Bot                      \t| Fake Token Trading Pair                         \t| Supply Chain Dependency                    \t| Malicious Airdrop                       \t| Function Default Visibility                       \t|\n| Audience of Bots                \t| Volume Manipulation by Re-circulating Flashloan \t| Compiled Output Destructuring Const Values \t| Oracle HALT by MultiSig                 \t| msg.sender                                        \t|\n| Arbitrage Exploit               \t| Persistent De-Peg Instability                   \t| Browser in the Browser Attack              \t| Ex Ante Reorg                           \t| Wallet Balance                                    \t|\n| Cascading Loan Failure          \t| Unexpected Fee on Transfer                      \t| Man in the Blotter                         \t| Ex Post Reorg                           \t| Compiler Optimizer Not Optimizing                 \t|\n|                                 \t|                                                 \t| BGP Routing                                \t| Nonstandard Proxy Implementation        \t| Math Operations Differ in Certain Pragmas         \t|\n|                                 \t|                                                 \t| IP4/IP6 Misconfiguration                   \t| Tyranny of the Majority                 \t| Uninitialized Contract                            \t|\n\n## v3 Threat Matrix\n\n\u003e version v3.0.3/2022.08\n\n| _001_ \t| _002_ \t| _003_ \t| _004_ \t| _005_ \t|\n|---\t|---\t|---\t|---\t|---\t|\n| **Market Attacks** \t| **Economic Attack** \t| **Off-Chain** \t| **On-Chain** \t| **Solidity** \t|\n| Front-Running \t| In Arrears liability \t| Price Feed \t| Timestamp Dependence \t| Integer Overflow and Underflow \t|\n| Coordinated Attack \t| Insufficient gas griefing \t| Quote Stuffing \t| Admin Key \t| DoS with (Unexpected) revert \t|\n| Liquidity Pocket \t| Token Inflation \t| Spoofing \t| Timelock \t| DoS with Block Gas Limit \t|\n| Quote Stuffing \t| Circulating Supply Attack \t| Credential Access \t| Lateral Movements \t| Arithmetic Over/Under Flows \t|\n| Wash Trading \t| Gas Griefing (DoS) \t| Reentrancy \t| Multi-Sig Keys \t| Forcibly Sending Ether to a Contract \t|\n| Ramping The Market \t| Network Congestion (uDoS) \t| Privilage Esclation \t| Miner Cartel \t| Delegatecall \t|\n| Cornering The Market \t| Liquidity Squeeze \t| Credential Access \t| Finality \t| Entropy Illusion \t|\n| Churning \t| Governance Cartels \t| Encryption Protections \t| Honeypot \t| Short Address/Parameter Attack \t|\n| Flash Loans \t| Interlocking Directorate \t| Phishing \t| Red Queen \t| Uninitialised Storage Pointers \t|\n| Aggregated Transactions \t| Governance Attack \t| Unicode Exploits \t| Sole block synchronization \t| Floating Points and Numerical Precision \t|\n| Bulge Bracket Transactions \t| Slippage Exploit \t| API \t| Transaction Pool \t| Right-To-Left-Override control character (U+202E) \t|\n| Layering \t| Safety Check Exploits \t| DNS Attacks \t| Performance Fee Minting \t| Delegatecall to Untrusted Callee \t|\n| Spoofing \t| Circulating Supply Dump \t| Transaction Pool \t| Front-Running \t| Requirement Violation \t|\n| Order Book \t| Flash \"Straddle\" \t| Checksum Address \t| Sandwhiching \t| Shadowing State Variables \t|\n| Market Index Calculation Attack \t| Structuring \t| Siphon Funds \t| Second System Effector \t| Transaction Order Dependence \t|\n| Flash Crash \t| Stalking Horse \t| Influencers' \t| Backrunning \t| Assert Violation \t|\n| Repo \t| Like Asset Price Divergance \t| Synthetic Mint Spread \t| Block Producer Cartel \t| Uninitialized Storage Pointer \t|\n| Excessive Leverage \t| Reserve Asset Liquidity Manipulation \t| Syscall Exploit \t| Unlimited Permissions on Token Approval \t| Unprotected Ether Withdrawal \t|\n| Breaking the \"Buck\" \t| Stable Reserve Asset Manipulation \t| Container Priv. Esclation \t| Naked Call \t| Floating Pragma \t|\n| \"Fake\" News \t| Price Induced Oracle Volatility \t| Keyctl missuse (syscall) \t| Block Constructor Cartel \t| Outdated Compiler Version \t|\n| Nested Bot \t| Fake Token Trading Pair \t| Supply Chain Dependency  \t| MaliciousAirdrop  \t| Function Default Visibility \t|\n| Audience of Bots \t| Volume Manipulation by re-circulating flashloan \t| Compiled output destructuring const values \t| Oracle HALT by MultiSig \t| msg.sender \t|\n| Arb. Exploit \t| Persistant de-peg instability  \t| Browser in the Browser attack \t| Ex Ante Reorg \t| Wallet Balance \t|\n| Cascading Loan Failure \t| Unexpected Fee on Transfer  \t| Man in the Blotter \t| Ex Post Reorg \t| Compiler Optimizer not Optimizing \t|\n|  \t|  \t| BGP Routing \t| Nonstandard Proxy Implementation \t| Math operations differ in certain pragmas \t|\n|  \t|  \t| IP4/IP6 misconfiguration \t| Tyranny of the Majority \t| Uninitialized Contract \t|\n|  \t|  \t|  \t| Secret Size Attack  \t|  \t|\n\n\n### v2 Matrix \n\n\u003e For Reference use only!\n\n| **Protocol / Interaction Based** | **Blockchain Transaction Based** | **Non-Blockchain Sources** | **Blockchain Sources**     | **SWC Registry (Solidity Exploits)**                    |\n| -------------------------------- | -------------------------------- | -------------------------- | -------------------------- | ------------------------------------------------------- |\n| Market Attacks                   | Economic Attack                  | Off\\-Chain                 | On\\-Chain                  | Solidity                                                |\n| Front\\-Running                   | Front\\-Running                   | Price Feed                 | Timestamp Dependence       | Integer Overflow and Underflow                          |\n| Coordinated Attack               | Insufficient gas griefing        | Quote Stuffing             | Admin Key                  | DoS with \\(Unexpected\\) revert                          |\n| Liquidity Pocket                 | Token Inflation                  | Spoofing                   | Timelock                   | DoS with Block Gas Limit                                |\n| Quote Stuffing                   | Circulating Supply Attack        | Credential Access          | Lateral Movements          | Arithmetic Over/Under Flows                             |\n| Wash Trading                     | Gas Griefing \\(DoS\\)             | Reentrancy                 | Multi\\-Sig Keys            | Forcibly Sending Ether to a Contract                    |\n| Ramping The Market               | Network Congestion \\(uDoS\\)      | Privilege Escalation       | Miner Cartel               | Delegatecall                                            |\n| Cornering The Market             | Liquidity Squeeze                | Credential Access          | Finality                   | Entropy Illusion                                        |\n| Churning                         | Smurfing                         | Encryption Protections     |                            | Short Address/Parameter Attack                          |\n| Flash Loans                      |                                  | Phishing                   |                            | Uninitialised Storage Pointers                          |\n| Aggregated Transactions          |                                  | Unicode Exploits           |                            | Floating Points and Numerical Precision                 |\n| Bulge Bracket Transactions       |                                  | API                        |                            | Right\\-To\\-Left\\-Override control character \\(U\\+202E\\) |\n| Layering                         | Blockchain Transaction Based     | DNS Attacks                |                            | Delegatecall to Untrusted Callee                        |\n| Spoofing                         | Governance Attack                | Transaction Pool           | Transaction Pool           | Requirement Violation                                   |\n| Order Book                       | Interlocking Directorate         | Checksum Address           |                            | Shadowing State Variables                               |\n| Market Index Calculation Attack  | Governance Cartels               | Siphon Funds               |                            | Transaction Order Dependence                            |\n| Flash Crash                      |                                  |                            |                            | Assert Violation                                        |\n| Repo                             | Stalking Horse                   | Synthetic Mint Spread      | Sole block synchronization | Uninitialized Storage Pointer                           |\n| Excessive Leverage               |                                  | Syscall Exploit            |                            | Unprotected Ether Withdrawal                            |\n| Breaking the \"Buck\"              |                                  | Container Priv\\. Esclation |                            | Floating Pragma                                         |\n| \"Fake\" News                      |                                  | Keyctl missuse \\(syscall\\) |                            | Outdated Compiler Version                               |\n| Nested Bot                       |                                  |                            |                            | Function Default Visibility                             |\n| Audience of Bots                 |                                  | Influencers'               |                            |                                                         |\n| Arb\\. Exploit                    |                                  |                            |                            |                                                         |\n| Slippage Exploit                 |                                  |                            |                            |                                                         |\n| Safety Check Exploits            |                                  |                            |                            |                                                         |\n| Circulating Supply Dump          |                                  |                            |                            |                                                         |\n| Governance Cartel                |                                  |                            |                            |                                                         |\n| Flash \"Straddle\"                 |                                  |                            |                            |                                                         |\n| Structuring                      |                                  |                            |                            |                                                         |\n|                                  |                                  |                            |                            |                                                         |\n| Back\\-Running                    |                                  |                            |                            |                                                         |\n\n\n## UML Diagrams of Real World Attacks \n\n### Example: Fake Trading Volume on UniswapV2\n\n![](https://d.pr/i/5vsXd4.jpeg)\n\n## Contributions and Acknowledgements\n\nAli Atiia   \u003cbr /\u003e\nJohn Mardlin   \u003cbr /\u003e\nRaul Jack   \u003cbr /\u003e\nsamczsun   \u003cbr /\u003e\nSam Bacha  \u003cbr /\u003e\nJames Zaki  \u003cbr /\u003e\n\n### v1 Sheet\n\n[DeFi Sec Matrix Sheet](https://docs.google.com/spreadsheets/d/1St4BXWpeZdcDaH5Z4nnODrerFAxfdZ4OuHofI-EbKGc/edit?usp=sharing)\n\n### v2 Sheet\n\n[DeFi Sec Page](https://docs.google.com/spreadsheets/d/e/2PACX-1vR5UnBx4M9sg43fO76eWetena1L-4zo82lqsJuMR3uuZPe7luRnakG8jZPG0YbnSDtUOY5nVgSdwpc1/pubhtml)\n\n- Updates to the Sheet can be found in in the 'legend' section\n\n## License\n\nSoftware Components under Mozilla Public License 2.0 \u003cbr /\u003e\n\nCVE/SWC are licensed under their respective author's licenses. \u003cbr /\u003e\n\nEverything else is under CC-2.5-NC-ND. If you would like an exemption to this license pleasae\ncontact: \u003csam@manifoldfinance.com\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmanifoldfinance%2Fdefi-threat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmanifoldfinance%2Fdefi-threat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmanifoldfinance%2Fdefi-threat/lists"}