Threat modeling is a systematic process for identifying, quantifying, and addressing security risks in a system. For DeFi protocols, which manage billions in user funds through immutable smart contracts, this proactive exercise is non-negotiable. A successful session moves the team from reactive patching to designing security in from the start. The core methodology involves four key questions: What are we building? What can go wrong? What are we going to do about it? Did we do a good job? This guide outlines a practical, repeatable framework to answer these questions effectively.
LABS
Guides
How to Run Threat Modeling Sessions
A practical guide for developers and security engineers to systematically identify and mitigate security threats in decentralized finance protocols and smart contracts.
Chainscore © 2026
introduction
PRACTICAL GUIDE
How to Run Threat Modeling Sessions for DeFi Protocols
A structured, step-by-step process for identifying and mitigating security risks in decentralized finance applications before they are exploited.
Begin by defining the scope and creating a clear data flow diagram (DFD). For a DeFi protocol like a lending market, this involves mapping all actors (users, admins, oracles, other contracts), data stores (storage variables, external price feeds), processes (borrow, repay, liquidate), and trust boundaries (between EOAs and contracts, between your protocol and external dependencies). Use tools like draw.io or Miro. This visual artifact is critical—it creates a shared understanding of the system's architecture and surfaces all entry points an attacker could target, which is the first step in moving from abstract worry to concrete analysis.
With the DFD complete, conduct the threat identification phase. A proven technique is using the STRIDE framework, which categorizes threats into six types: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. For each component in your diagram, ask STRIDE-based questions. For a price oracle: Can it be spoofed to provide false data? Can the data feed be tampered with? Could a flash loan cause a denial of service on a critical function? Document every potential threat in a threat registry, noting the vulnerable component, attack vector, and potential impact (e.g., "Theft of user collateral").
Next, prioritize the identified threats using a risk assessment model like DREAD (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) or a simpler Impact/Likelihood matrix. A threat with high impact (total loss of protocol TVL) and high likelihood (reliance on a single admin key) must be addressed immediately. For each high-priority threat, brainstorm and document mitigation strategies. These can be technical (implementing a timelock for admin functions, adding circuit breakers), procedural (implementing a bug bounty program), or a decision to accept the risk. Assign each mitigation to an owner and a timeline.
Finally, integrate the findings into your development lifecycle. The output of a threat model should be actionable security requirements and test cases. For a mitigation like "prevent reentrancy," the requirement translates to using the Checks-Effects-Interactions pattern and the OpenZeppelin ReentrancyGuard. Update your audit scope to specifically test the identified high-risk areas. Threat modeling is not a one-time event; schedule follow-up sessions after major protocol upgrades, when integrating new external dependencies, or if the underlying risk landscape changes (e.g., a novel attack vector emerges in the ecosystem).
prerequisites
PREREQUISITES AND PREPARATION
How to Run Threat Modeling Sessions
Effective threat modeling requires structured preparation. This guide outlines the essential steps to set up a productive session for your smart contract or protocol.
Before convening your team, clearly define the scope of the session. This includes specifying the target system, such as a new DeFi lending pool, a governance upgrade, or a cross-chain bridge component. Establish clear objectives: are you conducting a high-level design review, analyzing a specific attack vector like a flash loan exploit, or performing a final security audit before mainnet deployment? Document the system's architecture, including data flow diagrams (DFDs) that outline external entities, trust boundaries, data stores, and processes. Tools like draw.io or Miro can be used to create these visual aids.
Assemble a cross-functional team with diverse expertise. Essential participants include core protocol developers, a security engineer or auditor, a product manager to define business logic assumptions, and potentially a DevOps engineer familiar with deployment and key management. For blockchain-specific modeling, ensure at least one participant has deep knowledge of the underlying virtual machine (e.g., the EVM), common vulnerability patterns from the SWC Registry, and the economic incentives at play. Schedule a 2-3 hour block and use a structured methodology like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to guide the analysis.
Prepare the technical context for all attendees. Share the system's technical specifications, relevant smart contract addresses (on testnet), and any existing audit reports. If analyzing code, provide a link to the repository and highlight the specific files or functions in scope. Create a simple threat modeling template in a shared document or a dedicated tool like OWASP Threat Dragon. The template should have columns for: Threat Description, Affected Component, STRIDE Category, Potential Impact, and Mitigation Strategy. Setting these foundations ensures the session time is spent on analysis, not on basic questions.
key-concepts-text
PRACTICAL GUIDE
How to Run Threat Modeling Sessions
A structured process for identifying and mitigating security risks in blockchain applications, from preparation to actionable mitigation.
A successful threat modeling session requires preparation. First, define the scope: is it a new smart contract, a governance upgrade, or a cross-chain bridge? Assemble a cross-functional team including developers, security researchers, and product managers. Prepare key artifacts: a data flow diagram (DFD) showing how assets and messages move between users, contracts, and external services, and a clear list of trust assumptions (e.g., "the oracle is assumed to be correct"). Tools like the OWASP Threat Dragon can help visualize the system. This upfront work ensures the session is focused and productive.
The core of the session is structured analysis using a framework like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege). For each component in your DFD, systematically ask: "How could an attacker spoof this user's identity?" or "How could data in this storage slot be tampered with?" Document each potential threat. For a DeFi lending protocol, a Tampering threat might be: "An attacker could manipulate the price oracle to borrow assets without sufficient collateral." Rate each threat using a simple risk matrix (e.g., Likelihood x Impact) to prioritize follow-up actions.
The final, critical phase is translating threats into mitigations. For each high-priority threat, brainstorm and assign concrete countermeasures. These can be technical (e.g., "implement a decentralized oracle with fallback mechanisms"), procedural (e.g., "add a timelock for governance upgrades"), or monitoring-based (e.g., "create an alert for sudden TVL drops"). Assign each action to an owner and a timeline. Document everything in a living threat model, which should be revisited after major code changes or incidents. This creates a continuous security feedback loop, turning theoretical risks into managed, actionable items for your development roadmap.
resource-links
THREAT MODELING PRACTICE
Essential Tools and Resources
Threat modeling sessions benefit from repeatable frameworks, shared artifacts, and concrete tooling. These resources help teams structure discussions, document risks, and translate findings into actionable engineering work.
01
STRIDE Threat Modeling Framework
STRIDE is a structured threat classification framework originally developed at Microsoft. It is widely used in security reviews because it is simple, systematic, and easy to apply in group sessions.
STRIDE maps threats to six categories:
- Spoofing: forging identities, compromised private keys, signature replay
- Tampering: state manipulation, calldata modification, storage corruption
- Repudiation: lack of audit trails, unverifiable transactions
- Information Disclosure: leaked secrets, exposed off-chain APIs
- Denial of Service: gas griefing, validator-level censorship, RPC overload
- Elevation of Privilege: unauthorized role escalation, admin key misuse
During a session, teams walk through each category per component of the system architecture. For smart contracts, this often starts at external entry points and moves inward. STRIDE works well when teams need consistent coverage across contracts, services, and infrastructure without deep modeling overhead.
03
Architecture Diagrams and Trust Boundaries
Effective threat modeling sessions start with shared understanding of the system. Architecture diagrams with explicit trust boundaries are a prerequisite, not an optional step.
Best practices for diagramming before or during a session:
- Separate on-chain and off-chain components clearly
- Mark externally controlled actors like users, validators, and oracles
- Draw trust boundaries around admin roles, multisigs, and upgrade keys
- Annotate entry points such as public functions, APIs, or message relayers
For Web3 systems, it is critical to diagram governance mechanisms, upgrade paths, and key management flows. Missing these elements often leads to blind spots during threat discussions. Diagrams should be lightweight enough to update live as assumptions are challenged during the session.
04
Risk Tracking and Remediation Backlogs
Threat modeling is only useful if findings are tracked and resolved. Teams should leave each session with a prioritized backlog rather than a static report.
Recommended practices:
- Assign severity and likelihood to each identified threat
- Map threats to specific code locations, components, or processes
- Create explicit remediation tasks with owners and deadlines
- Track residual risk for accepted threats
Many teams integrate outputs into existing issue trackers such as GitHub Issues or Linear. For protocol development, it is common to tag threats as pre-launch blockers or post-launch monitoring items. This closes the loop between security discussions and engineering execution and prevents threat modeling from becoming a one-time exercise.
FRAMEWORK OVERVIEW
Threat Modeling Methodologies Comparison
A comparison of popular structured approaches for identifying and prioritizing security threats in system design.
| Methodology | STRIDE | PASTA | OCTAVE | Attack Trees |
|---|---|---|---|---|
Primary Focus | Microsoft's threat classification | Risk-centric, business impact | Operational risk management | Graph-based attack paths |
Process Structure | Data flow diagrams (DFDs) | 7-stage process | 3-phase workshop | Tree hierarchy |
Best For | Software architecture review | Aligning security with business objectives | Organization-wide risk assessment | Analyzing specific attack vectors |
Ease of Adoption | ||||
Quantitative Output | ||||
Integration with Dev | SDLC integration | Requires process tailoring | Minimal | Tool-dependent |
Common Artifacts | Threat list, DFDs | Risk matrix, attack library | Risk profile, strategy plan | Attack tree diagrams |
Time to Complete (avg.) | 2-4 hours | 2-3 days | 1-2 weeks | 1-8 hours per tree |
step-by-step-process
SECURITY GUIDE
How to Run Threat Modeling Sessions
A structured, repeatable process for identifying and mitigating security risks in smart contracts and decentralized applications.
Effective threat modeling is a proactive security exercise, not a one-time audit. The goal is to systematically deconstruct a system—like a DeFi protocol's PoolManager contract or a cross-chain bridge's relayer network—to uncover potential attack vectors before they are exploited. This process shifts security left in the development lifecycle, saving significant time and capital compared to post-deployment bug bounties or emergency responses. A successful session requires a cross-functional team including developers, architects, and product managers to ensure all perspectives on asset flows and trust boundaries are considered.
The first critical step is defining the scope and creating a data flow diagram (DFD). Clearly outline which components are in-scope: the core Vault.sol contract, the off-chain keeper bot, or the governance multi-sig. Then, map the data flows. Identify all external entities (users, oracles, other contracts), processes (key functions like deposit() or swap()), data stores (mappings, arrays), and trust boundaries (where control moves from an EOA to a contract, or from L1 to L2). Tools like draw.io or Miro are excellent for this collaborative visual mapping, which becomes the foundation for all subsequent analysis.
With the DFD complete, the team systematically applies a threat identification framework. The STRIDE model is particularly effective for blockchain systems: Spoofing (e.g., fake ERC-20 approvals), Tampering (manipulating contract storage), Repudiation (lack of non-repudiable logs), Information Disclosure (leaking private data via event logs), Denial of Service (gas griefing, locking funds), and Elevation of Privilege (unauthorized access to admin functions). For each element on the DFD, ask: "How could an attacker abuse this to achieve a STRIDE category?" Document every potential threat, no matter how unlikely, in a centralized threat registry.
Each identified threat must then be prioritized and mitigated. Use the DREAD model (Damage, Reproducibility, Exploitability, Affected Users, Discoverability) or a simple risk matrix to score threats as High, Medium, or Low. Focus immediate efforts on High-priority items. For each high-risk threat, define a specific mitigation strategy. This could be a code change (adding a reentrancy guard), a configuration update (lowering oracle heartbeat thresholds), or the implementation of a monitoring alert (for anomalous withdrawal volumes). Assign each mitigation to an owner and a timeline.
The final, often overlooked, step is validation and integration into the SDLC. Threat modeling is not complete until mitigations are verified. This involves reviewing pull requests for the implemented fixes, writing or updating relevant tests (e.g., a Foundry invariant test for a newly added guard), and updating documentation. Furthermore, the threat model itself is a living document. It must be revisited and updated for every major protocol upgrade, new feature addition, or when a similar system suffers a novel exploit (e.g., after a cross-chain bridge hack). Integrate a lightweight threat modeling review as a mandatory gate before production deployments.
common-threats
THREAT MODELING
Common DeFi Threat Categories
Effective threat modeling starts with understanding the core categories of risk. This framework helps teams systematically identify and prioritize security vulnerabilities before they are exploited.
04
Economic & Incentive Failures
Design flaws in a protocol's tokenomics or incentive structures that lead to instability or exploitation. Examples include:
- Ponzi Dynamics: Reliance on new deposits to pay existing users, leading to collapse.
- Liquidity Fragility: Incentives that cause liquidity to rapidly enter and exit, causing slippage or insolvency.
- MEV Extraction: Validators or bots extracting value at the expense of regular users through transaction ordering.
05
Frontend & Dependency Risks
Compromises in the web interface or external libraries that users interact with. This category includes:
- DNS Hijacking: Attackers redirecting a protocol's domain to a malicious site.
- Compromised CDN/API: Malicious code injected into hosted frontend dependencies.
- Wallet Drainers: Malicious signatures tricking users into approving harmful transactions via a fake UI.
RISK PRIORITIZATION
DeFi Threat Risk Assessment Matrix
A framework for scoring and prioritizing identified threats based on impact and likelihood.
| Threat Category | Low Risk | Medium Risk | High Risk | Critical Risk |
|---|---|---|---|---|
Smart Contract Logic Bug | Minor UI error, no fund impact | Logic flaw affecting < 1% of TVL | Exploit draining 1-10% of TVL | Total protocol insolvency or >10% TVL loss |
Oracle Manipulation | Temporary price deviation < 1% | Price error causing small liquidations | Cascading liquidations, <$1M loss | Protocol insolvency via price feed attack |
Governance Attack | Proposal spam, no execution | Malicious proposal passes but is vetoed | Treasury drain of <$100k executed | Full governance takeover and treasury theft |
Frontend/Client-Side Attack | Phishing link on website | DNS hijack redirecting to clone site | Malicious contract injection stealing approvals | Large-scale private key theft via compromised CDN |
Economic/MEV Exploit | Sandwich attack on small trader | Liquidation bot extracting <$50k value | Flash loan attack extracting $1M-$10M | Permanent arbitrage draining protocol reserves |
Admin Key Compromise | Time-locked function paused | Non-critical parameter changed | Emergency withdrawal of unclaimed rewards | Immediate, unrestricted treasury drain |
Cross-Chain Bridge Risk | Temporary deposit/withdrawal delay | Validator downtime causing 1-6 hour delay | Signer key compromise on one chain | Bridge validator majority compromise |
documentation-templates
SECURITY OPERATIONS
How to Run Threat Modeling Sessions
A structured guide for security teams to systematically identify and mitigate risks in Web3 protocols and smart contracts before deployment.
Threat modeling is a proactive security analysis that identifies potential threats, vulnerabilities, and attack vectors in a system's design. For Web3 projects, this process is critical for securing smart contracts, oracle integrations, and governance mechanisms before they are deployed on-chain. The core methodology involves four key questions: What are we building? What can go wrong? What are we doing about it? Did we do a good job? Frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) provide a structured way to categorize threats specific to decentralized applications.
To run an effective session, assemble a cross-functional team including developers, architects, product managers, and dedicated security engineers. Begin by creating a high-level Data Flow Diagram (DFD) of the application. This visual should map out all trust boundaries—such as transitions between user wallets, frontend clients, smart contracts, and external oracles. Clearly delineating these boundaries is essential, as they are the primary locations where threats manifest. For a DeFi protocol, key components to diagram include the liquidity pool contracts, price feed oracles, admin multisig, and user interaction flows.
With the diagram complete, conduct a structured brainstorming session using the STRIDE framework per element. For each component and data flow, ask: Could an attacker spoof this identity? Tamper with this data? For example, for a price oracle, consider tampering and information disclosure threats. For a governance voting contract, evaluate elevation of privilege and repudiation risks. Document every potential threat in a centralized threat registry, noting the affected component, the STRIDE category, a brief description, and the potential impact severity (e.g., Critical, High, Medium).
For each identified threat, the team must define a mitigation strategy. These are security controls designed to reduce risk to an acceptable level. Mitigations can be technical (e.g., implementing access control with OpenZeppelin's Ownable, adding checks-effects-interactions patterns, using decentralized oracle networks like Chainlink), operational (e.g., implementing a timelock on admin functions), or architectural (e.g., reducing complexity by modularizing contracts). Document the chosen mitigation and the residual risk after its implementation.
The final output is a living threat model report. This document should include the DFD, the complete threat registry with mitigations, and any open issues or assumptions. Tools like the OWASP Threat Modeling Toolkit, draw.io, or even a well-structured spreadsheet are sufficient. This model is not a one-time exercise; it must be revisited and updated after any significant change to the system's design, after a security incident, or as part of a regular quarterly review cycle to ensure ongoing security coverage.
THREAT MODELING
Frequently Asked Questions
Common questions and solutions for developers running threat modeling sessions on blockchain protocols and smart contracts.
Threat modeling is a structured process for identifying, analyzing, and mitigating security risks in a system before they are exploited. In Web3, it's critical because smart contracts are immutable once deployed, and vulnerabilities can lead to irreversible losses exceeding $3.8 billion in 2023 alone. The process involves creating a model of your system (e.g., a DeFi protocol's components and data flows), identifying potential threats using frameworks like STRIDE, and prioritizing them based on impact and likelihood. Unlike traditional security audits that find bugs in existing code, threat modeling proactively designs security into the architecture from the start, addressing risks like logic errors, oracle manipulation, and governance attacks.
SECURITY
Common Threat Modeling Mistakes
Threat modeling is a critical security practice for Web3 developers, but common pitfalls can render sessions ineffective or create false confidence. This guide identifies frequent errors and provides actionable solutions.
Threat models become outdated because teams treat them as a one-time audit rather than a living document. A smart contract's threat landscape changes with every new integration, governance update, or external protocol upgrade.
Common causes of staleness:
- Modeling only at the initial design phase.
- Not updating the model after adding new dependencies (e.g., a new oracle or bridge).
- Failing to re-assess after major ecosystem incidents (like a fork or a widely exploited vulnerability).
Solution: Integrate threat modeling into your development lifecycle. Revisit and update the model during:
- Sprint Planning: For any feature touching core logic or external calls.
- Post-Incident Reviews: After any near-miss or external protocol exploit.
- Dependency Updates: When upgrading critical libraries like OpenZeppelin contracts or oracle interfaces.
Treat the model as a version-controlled artifact, not a static report.
conclusion
CONTINUOUS IMPROVEMENT
Conclusion and Next Steps
Threat modeling is not a one-time audit but a continuous process that must evolve with your protocol. This section outlines how to institutionalize security practices and where to go from here.
Integrating threat modeling into your development lifecycle is the most critical next step. Formalize it as a mandatory gate before major releases or significant smart contract upgrades. Use frameworks like the OWASP SAMM (Software Assurance Maturity Model) to benchmark and improve your security processes. Automate where possible by integrating tools like Slither or MythX into CI/CD pipelines to catch common vulnerabilities, but remember these tools complement, rather than replace, structured human analysis.
To scale the practice, document your findings in a living Threat Model Registry. This should catalog each model (e.g., VaultDeposit.sol), its associated STRIDE-per-element analysis, mitigated risks, and accepted residual risks. This registry becomes an invaluable onboarding tool for new engineers and auditors. Furthermore, establish a regular cadence for threat model review sessions, especially after any major protocol incident in the broader ecosystem (e.g., a novel oracle manipulation attack) to reassess your assumptions.
Your next actionable steps should include: 1) Running a follow-up session on a cross-chain bridge component or governance mechanism, as these are high-value attack surfaces. 2) Exploring advanced methodologies like FAIR (Factor Analysis of Information Risk) for quantitative risk analysis. 3) Contributing findings (anonymized) to community resources like the Smart Contract Security Registry to advance ecosystem-wide knowledge. The goal is to shift from reactive security patching to proactive, systematic risk management.