Blockchain attack surface documentation is the process of systematically identifying and cataloging all potential entry points and vulnerabilities within a decentralized system. Unlike traditional software, a blockchain's attack surface spans multiple layers: the consensus mechanism, the peer-to-peer network, the execution environment (EVM, SVM, etc.), and the smart contract logic itself. Effective documentation creates a living artifact for security teams, auditors, and developers, transforming abstract risks into actionable, prioritized items. This guide outlines a framework for creating comprehensive attack surface documents that serve as the foundation for security audits and ongoing monitoring.
LABS
Guides
How to Document Blockchain Attack Surfaces
A practical guide for developers and security researchers to systematically identify, categorize, and document the attack surface of a blockchain protocol or smart contract system.
Chainscore © 2026
introduction
SECURITY GUIDE
How to Document Blockchain Attack Surfaces
A systematic approach to identifying, cataloging, and analyzing potential vulnerabilities across smart contracts, nodes, and network infrastructure.
Begin by defining the system's architecture and components. Create an inventory that includes all smart contracts with their addresses and versions, external dependencies like oracles (Chainlink, Pyth) and bridges, privileged roles (owners, minters, governors), and key off-chain services. For each component, document its intended function and trust assumptions. For example, a UniswapV3Pool contract assumes the correctness of its mathematical formulas and the integrity of the underlying WETH token. Use tools like Etherscan's contract tab, Dedaub's Contract Library, or Tenderly's explorer to gather this data programmatically and ensure your inventory is accurate and up-to-date.
Next, analyze each component for specific vulnerability classes. Map threats using established frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). For a staking contract, this involves checking for spoofing of reward claims, tampering with share calculations, or denial of service via gas griefing. Document each potential threat with a clear identifier, a description of the attack vector, the components involved, and its potential impact (High/Medium/Low). Reference real-world incidents, such as the reentrancy pattern from The DAO hack or the price oracle manipulation in the Cream Finance exploit, to ground your analysis in practical risks.
The documentation must be actionable. For each identified threat, specify the necessary validation steps. This often involves writing specific test cases. For instance, to validate a contract is safe from reentrancy, you would write a Foundry test that uses a malicious contract to call back into a vulnerable function. ```solidity // Example test setup for reentrancy check function test_ReentrancyOnWithdraw() public { MaliciousActor attacker = new MaliciousActor(address(vault)); attacker.attack(); // Assert final state is correct }
Includeundefined
Finally, maintain the document as a living resource. Integrate it into your development lifecycle. Update it with every new contract deployment, library upgrade, or change in protocol parameters. Use it as a checklist during internal reviews and to onboard external auditors. The completed attack surface document is not just a report; it's a critical security tool that enhances team understanding, focuses audit efforts, and provides a baseline for monitoring tools like Forta or OpenZeppelin Defender to watch for anomalous activity matching the documented threats.
prerequisites
GETTING STARTED
Prerequisites and Tools
Before documenting a blockchain's attack surface, you need the right foundational knowledge and a toolkit for analysis and communication.
A solid understanding of blockchain architecture is non-negotiable. You must be comfortable with core concepts like consensus mechanisms (Proof of Work, Proof of Stake, etc.), smart contract execution environments (EVM, SVM, MoveVM), and the data structures that underpin state (Merkle Patricia Tries). Familiarity with common cryptographic primitives—digital signatures, hash functions, and zero-knowledge proofs—is essential for assessing protocol-level security. This foundation allows you to map theoretical vulnerabilities to real system components.
Your toolkit starts with the blockchain's own resources. Study the official documentation, whitepaper, and audit reports to understand the intended design and known issues. For code-level analysis, you need the ability to navigate the codebase, typically hosted on GitHub. Tools like Slither or Mythril for smart contracts, and geth or erigon for client node inspection, are critical. A local testnet (e.g., using Anvil or Hardhat) is indispensable for reproducing and testing hypothetical attack vectors in a safe environment.
Effective documentation requires structured note-taking and visualization. Use a dedicated tool like Obsidian, Notion, or even a well-organized markdown repository to create a living document. Diagramming tools such as Miro or draw.io are crucial for mapping out system architecture, data flows, and trust boundaries—visualizing the attack surface is half the battle. Establish a consistent taxonomy for categorizing threats (e.g., Network, Consensus, Application, Economic) early on to maintain clarity.
Finally, cultivate a mindset of adversarial thinking. Go beyond checking known CVEs; ask "what if?" questions about state validation, message relay, and incentive misalignment. Follow security researchers and consult frameworks like the Smart Contract Weakness Classification (SWC) Registry or L2BEAT's risk frameworks to ensure your analysis aligns with industry standards. Remember, the goal is to create a clear, actionable artifact that developers and auditors can use to harden the system.
key-concepts
FOUNDATIONAL KNOWLEDGE
Core Concepts for Attack Surface Analysis
Systematically identifying and documenting vulnerabilities requires understanding the key components that define a blockchain system's security perimeter.
01
The Attack Surface Taxonomy
A structured framework for categorizing vulnerabilities. The core layers are:
- Protocol Layer: Consensus mechanisms (PoW, PoS), network P2P communication, and governance.
- Application Layer: Smart contract logic flaws, oracle manipulation, and frontend exploits.
- Financial Layer: Economic design of tokens, staking slashing conditions, and liquidity pool mechanics.
- Operational Layer: Key management, node infrastructure, and upgrade processes. Documenting each layer's entry points is the first step to a comprehensive audit.
02
Smart Contract Entry Points
Every externally callable function is a potential attack vector. Key areas to document include:
- Public/External Functions: Any state-changing function accessible by users or other contracts.
- Cross-contract Calls: Dependencies on external protocols (e.g., Chainlink oracles, Uniswap pools).
- Delegatecall & Fallback: Low-level operations that can lead to storage collisions or unexpected execution.
- Access Controls: Missing or incorrectly implemented modifiers like
onlyOwneror role-based systems. For example, the 2016 DAO hack exploited a reentrancy vulnerability in awithdrawfunction.
03
Consensus & Network Risks
The underlying blockchain layer presents unique risks. Document:
- Consensus Attacks: 51% attacks, long-range attacks on PoS chains, and selfish mining.
- Network Layer: Eclipse attacks, transaction malleability, and peer-to-peer message spoofing.
- Fork Management: How the protocol handles chain reorganizations and the risks to finality.
- Validator/Node Risks: Slashing conditions, validator key compromise, and node client diversity (e.g., Geth vs. Erigon). Understanding these is critical for protocols built on or interacting with base layers.
04
Economic & Incentive Analysis
Document the financial mechanics that secure or destabilize a system. Analyze:
- Tokenomics: Inflation schedules, vesting cliffs for team tokens, and concentration of holdings.
- Staking/Slashing: The cost to attack vs. the slashing penalty for validators or liquidity providers.
- Liquidity Risks: Impermanent loss in AMMs, low-liquidity pools susceptible to manipulation.
- Oracle Reliance: The security and decentralization of price feeds; document the minimum number of nodes required for a malicious report. The 2022 Terra collapse was fundamentally an incentive failure in its algorithmic stablecoin design.
05
Dependency Mapping
No protocol operates in isolation. Create a map of all external dependencies:
- Upstream Dependencies: Libraries (OpenZeppelin), oracles, bridges, and other integrated DeFi protocols.
- Downstream Dependencies: Frontend interfaces, wallets, and indexers that interact with your contracts.
- Tooling & Infrastructure: RPC providers, block explorers, and the specific compiler versions used. The 2022 Nomad bridge hack exploited a bug in a reusable initialization function, highlighting how a single dependency can cripple a system.
documentation-framework
FOUNDATION
Step 1: Establish a Documentation Framework
A systematic framework is essential for consistently documenting and analyzing the attack surface of any blockchain protocol or smart contract system. This step defines the structure and methodology for your security analysis.
Begin by defining the scope of your documentation. Are you analyzing a single smart contract, a DeFi protocol like Aave or Uniswap V3, or an entire Layer 1 blockchain? Clearly outline the system's boundaries, including all external dependencies such as oracles (e.g., Chainlink), cross-chain bridges, and admin multi-signature wallets. This initial scoping prevents oversight of critical, interconnected components that expand the attack surface.
Adopt a structured template to ensure consistency. A robust framework typically includes sections for: System Architecture (data flow diagrams), Asset Inventory (tokens, NFTs, treasury), Access Control (admin keys, roles), External Dependencies, Known Vulnerabilities, and Incident Response Playbooks. Using a standardized format like those suggested by the Secure Software Development Framework (SSDF) ensures no critical category is missed and allows for easier auditing and knowledge transfer within your team.
For smart contracts, your documentation must map the entire function call graph. Tools like Slither or manual analysis can help you trace public and external function paths, highlighting potential reentrancy points, unchecked return values, and privilege escalation routes. Document each function's pre- and post-conditions, its required roles (using OpenZeppelin's AccessControl), and which state variables it modifies. This creates a clear map of how user input and value flow through the system.
Integrate threat modeling methodologies like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to proactively identify risks. For each component in your architecture diagram, ask: "How could this be spoofed or tampered with?" For example, a price oracle dependency presents a tampering and information disclosure risk. Document these potential threats alongside the corresponding component to create a living risk register.
Finally, establish a version control and update protocol. Attack surface documentation is not a one-time task. It must evolve with every code commit, governance proposal, or dependency update. Use a dedicated repository (e.g., in GitHub) and mandate updates as part of the development lifecycle. Each change should log the date, author, affected components, and a rationale, creating an immutable audit trail of the system's security posture over time.
entry-point-catalog
ATTACK SURFACE ANALYSIS
Step 2: Catalog System Entry Points
Identify and document every interface where a blockchain system interacts with external inputs, from user calls to cross-chain messages. This is the foundation of threat modeling.
ATTACK SURFACE ANALYSIS
Common Blockchain Attack Vectors by Layer
A breakdown of primary security threats targeting different architectural layers of a blockchain system.
| Attack Vector | Consensus Layer | Network Layer | Application Layer |
|---|---|---|---|
51% Attack | |||
Sybil Attack | |||
Eclipse Attack | |||
Transaction Malleability | |||
Reentrancy Attack | |||
Front-Running (MEV) | |||
Long-Range Attack | |||
Smart Contract Logic Flaw |
mapping-data-flows
ARCHITECTURAL ANALYSIS
Step 3: Map Critical Data Flocks and Trust Boundaries
This step involves creating a visual and logical map of how data and value move through your system, identifying where trust is placed in external components.
A data flow is the path that information or assets take through your application's components. For a DeFi lending protocol, critical flows include a user depositing collateral, the protocol calculating borrowable value, and the liquidation of an undercollateralized position. Mapping these flows means documenting each step: from the user's wallet interaction with the frontend, to the transaction being submitted to a mempool, validated by the blockchain, and executed by your smart contracts. Visual tools like data flow diagrams (DFDs) or sequence diagrams are invaluable here.
A trust boundary is any interface where your system relies on an external entity whose behavior it cannot fully control or verify. This is a primary source of vulnerability. Common boundaries in Web3 include: the connection between a user's browser and your frontend (risk: malicious injected scripts), your frontend and a node provider/RPC endpoint (risk: manipulated data), your smart contracts and an external oracle (risk: incorrect price feeds), and your contracts and other external protocols via composable integrations (risk: upstream contract vulnerabilities). Each boundary represents a potential attack surface.
To document this systematically, create a diagram for each major user journey. For a cross-chain bridge, map the flow: User locks Asset A on Chain 1, a relayer observes the event, a validator set signs a message, and a minting contract on Chain 2 releases Asset B. The trust boundaries here are critical: you must trust the relayer's availability, the validator's honesty (or the cryptographic security of their multisig), and the correctness of the light client or oracle verifying the source chain. Tools like Miro or draw.io can be used to create clear, shareable diagrams.
For each component and data flow you identify, explicitly document the trust assumptions. For example: 'The PriceFeed.sol contract assumes the Chainlink oracle returns a price within a 1% deviation of the real market price and updates within the last hour.' Or: 'The frontend assumes the RPC endpoint from Infura does not serve a manipulated block hash.' This exercise forces you to question every dependency. It directly informs subsequent steps like threat modeling, as each assumption is a hypothesis an attacker will try to break.
Finally, integrate this map with your component inventory from Step 2. Annotate each component in your diagram with its identified privileges (e.g., 'holds user funds', 'can upgrade logic') and external dependencies. This consolidated view is your attack surface map. It highlights the most critical paths—where high-value data crosses multiple trust boundaries—allowing you to prioritize security efforts on the system's most vulnerable and valuable junctions before writing a single line of exploit code in your analysis.
resource-links
GUIDES
Essential Resources and References
Reference materials and frameworks that help developers systematically document blockchain attack surfaces, from smart contract logic to offchain infrastructure and governance risks.
03
STRIDE Threat Modeling Applied to Web3
STRIDE is a general threat modeling framework created at Microsoft, but it adapts well to Web3 when extended beyond contracts to infrastructure and governance.
When documenting attack surfaces, apply STRIDE across components:
- Spoofing: compromised validators, fake RPC endpoints
- Tampering: state manipulation via malicious upgrades
- Repudiation: lack of audit trails for admin actions
- Information Disclosure: leaked private mempool data
- Denial of Service: gas griefing, block stuffing
- Elevation of Privilege: governance capture, role escalation
STRIDE is especially useful for protocols with bridges, sequencers, or DA layers, where threats are not visible in Solidity code. Documentation that integrates STRIDE diagrams tends to uncover cross-layer risks missed by contract-only reviews.
prioritization-mitigation
ACTIONABLE FRAMEWORK
Step 4: Prioritize and Link to Mitigations
A documented attack surface is only useful if it drives security improvements. This step transforms your inventory into a prioritized action plan by linking each vulnerability to specific, implementable countermeasures.
Begin by assigning a risk severity score to each identified vulnerability. Use a standardized framework like the CVSS (Common Vulnerability Scoring System) or a custom matrix based on likelihood and impact. For smart contracts, impact is often measured by potential financial loss (e.g., "TVL at risk") and likelihood by the complexity of the exploit path. A High severity issue might be a reentrancy vulnerability in a core vault contract, while a Medium could be a front-running opportunity in a non-critical function. This scoring forces objective prioritization beyond gut feeling.
For every high and medium-priority item, document a direct link to a mitigation strategy. This is not a generic "use checks-effects-interactions" statement. Be specific: reference the exact code file, function, or architectural component that needs change. For example, link the "price oracle manipulation" risk to the mitigation: "Implement Chainlink Data Feeds with circuit breakers in Oracle.sol, function updatePrice()." For a centralization risk like an admin key, link to mitigation paths: 1) Implement a 3-of-5 multisig via Safe{Wallet}, 2) Enforce a 48-hour timelock using OpenZeppelin's TimelockController, or 3) Plan for full decentralization by migrating to a DAO.
Create a living document format, such as a table in your project's wiki or a dedicated security.md file. Structure it with columns for: Vulnerability ID, Description, Affected Component, Severity, Mitigation Link, and Status (Open, In Progress, Resolved). This becomes your team's single source of truth for security debt. Tools like Slither or MythX can generate initial findings, but manual review and contextual prioritization are essential for accuracy.
Finally, integrate this process into your development lifecycle. Link mitigation tickets directly in your project management tool (Jira, Linear, GitHub Projects). The act of closing a security ticket should require referencing the code commit that implemented the mitigation. This creates an audit trail, proving to users and auditors that identified risks are being systematically addressed, transforming your attack surface document from a static report into a dynamic security management system.
FOR DEVELOPERS
Frequently Asked Questions on Attack Surface Documentation
Common questions and technical clarifications for systematically documenting and analyzing blockchain protocol vulnerabilities.
A blockchain attack surface is the sum of all potential entry points, components, and trust assumptions where an adversary could exploit a vulnerability to compromise a protocol's security, liveness, or funds. This includes smart contract logic, governance mechanisms, oracle dependencies, cross-chain bridges, and client software.
Documenting it is a proactive security practice. A structured document serves as a single source of truth for auditors, developers, and researchers. It forces systematic thinking, helps identify blind spots in complex systems, and creates a living artifact that tracks security posture over time, especially after upgrades or integrations.
conclusion-maintenance
BEST PRACTICES
Conclusion and Maintaining the Document
A blockchain attack surface analysis is a living document, not a one-time report. This section outlines how to finalize your findings and establish a process for continuous security monitoring.
Your final document should serve as a single source of truth for your project's security posture. It must be actionable for developers and auditable for security teams. Structure it with clear sections: an executive summary of critical risks, a detailed breakdown of each attack vector (including likelihood and impact scores), and specific, prioritized remediation steps. Tools like the Common Vulnerability Scoring System (CVSS) can help standardize risk assessment. Conclude with a roadmap for implementing fixes, assigning owners, and setting deadlines.
Maintaining the document requires integrating it into your development lifecycle. Treat it as a core artifact in your DevSecOps pipeline. Every code change, dependency update, or new feature integration should trigger a review of the relevant attack surfaces. Automate where possible by using Static Application Security Testing (SAST) tools for smart contracts (like Slither or Mythril) and Software Composition Analysis (SCA) for dependency checks. Manual reviews remain essential for complex logic and novel protocol designs.
Establish a regular cadence for updates, such as quarterly deep dives or reviews after major protocol upgrades. The blockchain ecosystem evolves rapidly; new attack vectors like MEV exploitation techniques or cross-chain bridge vulnerabilities emerge constantly. Subscribe to security mailing lists, monitor platforms like Rekt.news, and participate in forums to stay informed. This proactive approach transforms your document from a static checklist into a dynamic framework for building and maintaining a resilient Web3 application.