Threat Model

The STRIDE framework is a systematic method for categorizing threats. It examines a system for six types of vulnerabilities:

• Spoofing: Impersonating a user or node.
• Tampering: Unauthorized data modification.
• Repudiation: Denying an action occurred.
• Information Disclosure: Data leakage.
• Denial of Service: Disrupting system availability.
• Elevation of Privilege: Gaining unauthorized access rights.

Threat modeling relies on creating Data Flow Diagrams (DFDs) to visualize the system. These diagrams map:

• External Entities (users, oracles).
• Processes (smart contract functions).
• Data Stores (on-chain state, off-chain databases).
• Data Flows (transactions, messages). Trust boundaries are drawn between these components to identify where security checks are critical.

Specific threats unique to decentralized systems include:

• 51% Attacks: Majority control of consensus power.
• Reentrancy: A contract calling back into itself before state updates.
• Front-running: Exploiting transaction ordering in the mempool.
• Oracle Manipulation: Feeding incorrect off-chain data.
• Governance Attacks: Exploiting token-weighted voting mechanisms.
• Sybil Attacks: Creating many fake identities to influence the network.

After identifying threats, they are analyzed based on impact and likelihood. A common method is the DREAD model:

• Damage Potential: Financial loss or data breach scale.
• Reproducibility: Ease of executing the attack.
• Exploitability: Technical skill required.
• Affected Users: Scope of the impact.
• Discoverability: How easy the flaw is to find. This prioritizes mitigation efforts on high-risk, high-probability threats.

Identified threats are addressed with specific controls:

• Access Controls: Role-based permissions and multi-signature wallets.
• Input Validation: Sanitizing all external data and parameters.
• State Machine Guards: Ensuring contracts progress through valid states only.
• Formal Verification: Mathematically proving code correctness.
• Circuit Breakers: Emergency pause functions for critical contracts.
• Upgradability Patterns: Secure mechanisms for patching vulnerabilities (e.g., proxy patterns).

Threat modeling is not a one-time audit but a continuous practice integrated into development (DevSecOps). Tools and practices include:

• Automated Scanners: Static analysis (Slither, MythX) and fuzzing (Echidna).
• Bug Bounties: Crowdsourced security testing programs.
• Incident Response Plans: Pre-defined steps for when a breach occurs.
• Architectural Reviews: Re-assessing threats after major protocol upgrades or forking.

A formal threat model is built on three pillars:

• Assets: What needs protection (e.g., user funds, private keys, consensus integrity).
• Adversaries: Who poses a threat (e.g., malicious validators, economically rational attackers, external hackers).
• Attack Vectors: How threats are realized (e.g., 51% attacks, smart contract exploits, governance manipulation). This framework forces explicit consideration of trust assumptions and system boundaries.

Every blockchain system operates on explicit and implicit trust assumptions. Threat modeling makes these explicit to evaluate risk.

• Cryptographic Primitives: Assumes underlying algorithms (e.g., SHA-256, ECDSA) are secure.
• Network Model: Assumes a certain fraction of nodes are honest (e.g., >2/3 for BFT consensus).
• Economic Security: Assumes rational actors are deterred by the cost of attack (e.g., slashing penalties, high stake requirements). A model's validity depends on these assumptions holding true.

Threat models categorize adversaries by their resources, motives, and access.

• Byzantine Validators: Nodes that arbitrarily deviate from protocol to disrupt consensus.
• Rational Economic Actors: Participants who maximize profit, potentially through short-term attacks like reorgs or MEV extraction.
• External Hackers: Entities targeting software clients, RPC endpoints, or user wallets outside the core protocol.
• Sybil Actors: Creating many fake identities to influence peer-to-peer networks or governance votes.
• Protocol Developers & Governance: Insiders with privileged access or voting power.

For decentralized applications, the threat model expands beyond the base layer to include:

• Smart Contract Vulnerabilities: Reentrancy, logic errors, and oracle manipulation.
• Composability Risks: Exploits that cascade through interconnected protocols (e.g., flash loan attacks).
• Front-running & MEV: Validators or bots extracting value by manipulating transaction order.
• Admin Key Risk: Centralization vectors via upgradeable contract owners or multi-sig signers. Modeling these requires analyzing the entire transaction lifecycle and dependency graph.

Threat modeling is a repeatable process, not a one-time audit. Key steps include:

1. Diagramming: Creating data flow diagrams (DFDs) or component maps of the system.
2. Identification: Using frameworks like STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) to catalog threats.
3. Mitigation Mapping: Documenting how each identified threat is addressed (e.g., via cryptography, economic incentives, or access controls). The primary output is a living document that guides security priorities and audits.

A threat model is only as good as its assumptions and scope. Key limitations include:

• Unknown Unknowns: Novel attack vectors (e.g., zero-day vulnerabilities in cryptographic libraries) are, by definition, unmodeled.
• Complexity Blind Spots: Emergent risks from system complexity or unforeseen interactions.
• Static Snapshot: Models can become outdated quickly with new upgrades, forks, or economic shifts.
• Quantitative Gaps: It identifies what can happen, but often not the precise probability or cost of an attack, which requires separate risk assessment.

The total sum of all possible entry points, vulnerabilities, and assets an attacker could exploit. In blockchain, this includes smart contract functions, RPC endpoints, governance mechanisms, and user wallets. Key actions are:

• Inventory: Cataloging all system components.
• Prioritization: Identifying which surfaces are most exposed.
• Reduction: Minimizing unnecessary access points to shrink the target area.

The specific path or method an attacker uses to exploit a vulnerability and achieve their objective. This is the how of an attack. Common blockchain vectors include:

• Reentrancy: Exploiting callback functions before state updates.
• Oracle Manipulation: Feeding incorrect external data to a contract.
• Front-running: Submitting a transaction with a higher gas fee to exploit known pending transactions.
• Governance Takeover: Accumulating enough tokens to maliciously pass proposals.

A systematic mnemonic for categorizing threats, developed by Microsoft. It breaks down threats into six types:

• Spoofing: Impersonating a user or system.
• Tampering: Unauthorized modification of data.
• Repudiation: Denying an action occurred.
• Information Disclosure: Exposing data to unauthorized parties.
• Denial of Service: Making a resource unavailable.
• Elevation of Privilege: Gaining capabilities without authorization. It provides a structured checklist for threat identification.

A visual model that maps how data moves through a system, identifying trust boundaries between components. It is a foundational artifact for threat modeling. Key elements are:

• External Entities: Users, oracles, other contracts.
• Processes: Smart contract functions or off-chain services.
• Data Stores: On-chain state, off-chain databases.
• Data Flows: The pathways data travels between elements. Threats are analyzed at each boundary where data crosses.

The process of evaluating identified threats to determine their potential impact and likelihood. It follows threat identification and informs mitigation priorities. Core steps include:

• Impact Analysis: Estimating financial, reputational, or operational damage.
• Likelihood Estimation: Assessing the probability of exploitation.
• Risk Scoring: Combining impact and likelihood (e.g., using a 5x5 matrix) to rank risks.
• Treatment Decision: Choosing to Mitigate, Accept, Transfer, or Avoid each risk.

The specific controls, countermeasures, or design changes implemented to reduce a threat's risk to an acceptable level. Strategies are tailored to the threat type. Examples in DeFi:

• For Reentrancy: Using the checks-effects-interactions pattern and reentrancy guards.
• For Oracle Risk: Using decentralized oracle networks and circuit breakers.
• For Admin Key Risk: Implementing multi-signature wallets and timelocks for privileged functions.
• For Front-running: Using commit-reveal schemes or fair sequencing services.