Blockchain Security
P1 - Decentralized Application Misconfiguration - Insecure Data Storage - Plaintext Private Key
Varies - Decentralized Application Misconfiguration - Insecure Data Storage - Sensitive Information Exposure
Varies - Decentralized Application Misconfiguration - Improper Authorization - Insufficient Signature Validation
Varies - Decentralized Application Misconfiguration - DeFi Security - Flash Loan Attack
Varies - Decentralized Application Misconfiguration - DeFi Security - Pricing Oracle Manipulation
Varies - Decentralized Application Misconfiguration - DeFi Security - Function-Level Accounting Error
Varies - Decentralized Application Misconfiguration - DeFi Security - Improper Implementation of Governance
P1 - Decentralized Application Misconfiguration - Marketplace Security - Signer Account Takeover
P1 - Decentralized Application Misconfiguration - Marketplace Security - Unauthorized Asset Transfer
P1 - Decentralized Application Misconfiguration - Marketplace Security - Orderbook Manipulation
P2 - Decentralized Application Misconfiguration - Marketplace Security - Malicious Order Offer
P2 - Decentralized Application Misconfiguration - Marketplace Security - Price or Fee Manipulation
P3 - Decentralized Application Misconfiguration - Marketplace Security - OFAC Bypass
Varies - Decentralized Application Misconfiguration - Marketplace Security - Improper Validation and Checks For Deposits and Withdrawals
Varies - Decentralized Application Misconfiguration - Marketplace Security - Miscalculated Accounting Logic
Varies - Decentralized Application Misconfiguration - Marketplace Security - Denial of Service
P1 - Decentralized Application Misconfiguration - Protocol Security Misconfiguration - Node-level Denial of Service
P2 - Protocol Specific Misconfiguration - Frontrunning-Enabled Attack
P2 - Protocol Specific Misconfiguration - Sandwich-Enabled Attack
Varies - Protocol Specific Misconfiguration - Misconfigured Staking Logic
Varies - Protocol Specific Misconfiguration - Improper Validation and Finalization Logic
P1 - Smart Contract Misconfiguration - Reentrancy Attack
P1 - Smart Contract Misconfiguration - Smart Contract Owner Takeover
P1 - Smart Contract Misconfiguration - Uninitialized Variables
P1 - Smart Contract Misconfiguration - Unauthorized Transfer of Funds
P2 - Smart Contract Misconfiguration - Integer Overflow / Underflow
P2 - Smart Contract Misconfiguration - Unauthorized Smart Contract Approval
P3 - Smart Contract Misconfiguration - Irreversible Function Call
P3 - Smart Contract Misconfiguration - Function-level Denial of Service
P3 - Smart Contract Misconfiguration - Malicious Superuser Risk
P3 - Smart Contract Misconfiguration - Improper Fee Implementation
P4 - Smart Contract Misconfiguration - Improper Use of Modifier
P4 - Smart Contract Misconfiguration - Improper Decimals Implementation
Varies - Smart Contract Misconfiguration - Inaccurate Rounding Calculation
Varies - Smart Contract Misconfiguration - Bypass of Function Modifiers & Checks
Varies - Zero Knowledge Security Misconfiguration - Missing Constraint
Varies - Zero Knowledge Security Misconfiguration - Mismatching Bit Lengths
Varies - Zero Knowledge Security Misconfiguration - Misconfigured Trusted Setup
Varies - Zero Knowledge Security Misconfiguration - Missing Range Check
P1 - Zero Knowledge Security Misconfiguration - Improper Proof Validation and Finalization Logic
P1 - Zero Knowledge Security Misconfiguration - Deanonymization of Data
Varies - Blockchain Infrastructure Misconfiguration - Improper Bridge Validation and Verification Logic
TimmyBugcrowd committed Jan 11, 2025
1 parent 5c0a021 commit c459413
Showing 2 changed files with 359 additions and 0 deletions.
35 changes: 35 additions & 0 deletions mappings/remediation_advice/remediation_advice.json
@@ -41,6 +41,41 @@
"https://portswigger.net/web-security/email-security"
]
},
{
"id": "decentralized_application_misconfiguration",
"remediation_advice": "1. Ensure that there are checks on price and liquidity changes to prevent sudden manipulation caused by flash loans.\n2. Implement replay auditing of smart contracts to detect vulnerabilities exploitable by flash loans.\n3. Ensure accurate, real-time price feeds from decentralized oracles to mitigate manipulation.\n4. Enable circuit breakers to pause the system in the event of large, suspicious transactions.",
"references": [
"https://nordlayer.com/blog/blockchain-security-issues/"
]
},
{
"id": "protocol_specific_misconfiguration",
"remediation_advice": "1. Conduct formal verification of protocol logic and consensus rules.\n2. Regularly audit and test protocol configurations under various conditions.\n3. Implement failsafes to detect and mitigate abnormal behaviors.\n4. Use robust cryptographic primitives to secure protocol operations.",
"references": [
"https://nordlayer.com/blog/blockchain-security-issues/"
]
},
{
"id": "smart_contract_misconfiguration",
"remediation_advice": "1. Conduct security audits and code reviews of smart contracts.\n2. Implement automated tools to detect common vulnerabilities.\n3. Use modifiers and access control patterns to enforce secure logic.\n4. Test contracts extensively with edge cases and different stress scenarios.",
"references": [
"https://nordlayer.com/blog/blockchain-security-issues/"
]
},
{
"id": "zero_knowledge_security_misconfiguration",
"remediation_advice": "1. Regularly audit zero-knowledge implementations and parameter settings.\n2. Use well-established cryptographic libraries for proof generation and validation.\n3. Implement rigorous input validation to detect malformed proofs.\n4. Employ formal verification to ensure proof logic integrity. ",
"references": [
"https://nordlayer.com/blog/blockchain-security-issues/"
]
},
{
"id": "blockchain_infrastructure_misconfiguration",
"remediation_advice": "1. Implement secure default settings and restrict administrative access to nodes and infrastructure.\n2. Regularly audit and validate network configurations against industry best practices.\n3. Use automated tools to detect and resolve misconfigurations in real time.\n4. Harden consensus mechanisms by enforcing robust cryptographic standards and validating peer integrity.\n5. Monitor network activity to detect and mitigate potential exploits stemming from misconfigurations.",
"references": [
"https://nordlayer.com/blog/blockchain-security-issues/"
]
},
{
"id": "missing_subresource_integrity",
"remediation_advice": "1. **Implement SRI:** Add an `integrity` attribute with a base64-encoded hash to `<script>` and `<link>` tags for external resources. \n2. **Validate Hashes:** Always check the hashes of resources yourself before implementation to ensure they haven't been altered. \n3. **Update Hashes Regularly:** Monitor and update the hashes to reflect changes in the external libraries or resources you use.",
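Review bot: the remediation_advice for `decentralized_application_misconfiguration` addresses only the DeFi Security subcategory (flash loans, price oracles, circuit breakers), yet the taxonomy in this same commit places Insecure Data Storage (Plaintext Private Key), Improper Authorization (Insufficient Signature Validation), Marketplace Security and Node-level Denial of Service under that category, so a triager landing on those variants gets no applicable advice; consider adding items for them (never persist private keys in plaintext, verify signer, nonce and domain on every signed order or message, validate deposit and withdrawal amounts against on-chain balances). Item 2's "replay auditing of smart contracts" is also unclear wording and reads as if it means re-auditing after changes. Two style points: the `zero_knowledge_security_misconfiguration` advice string ends with a trailing space after "integrity. ", and all five new entries cite the same general blog post (https://nordlayer.com/blog/blockchain-security-issues/) as their only reference, where a category-specific source would serve readers better.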
324 changes: 324 additions & 0 deletions vulnerability-rating-taxonomy.json
@@ -119,6 +119,330 @@
}
]
},
{
"id": "decentralized_application_misconfiguration",
"name": "Decentralized Application Misconfiguration",
"type": "category",
"children": [
{
"id": "insecure_data_storage",
"name": "Insecure Data Storage",
"type": "subcategory",
"children": [
{
"id": "plaintext_private_key",
"name": "Plaintext Private Key",
"type": "variant",
"priority": 1
},
{
"id": "sensitive_information_exposure",
"name": "Sensitive Information Exposure",
"type": "variant",
"priority": null
}
]
},
{
"id": "improper_authorization",
"name": "Improper Authorization",
"type": "subcategory",
"children": [
{
"id": "insufficient_signature_validation",
"name": "Insufficient Signature Validation",
"type": "variant",
"priority": null
}
]
},
{
"id": "defi_security",
"name": "DeFi Security",
"type": "subcategory",
"children": [
{
"id": "flash_loan_attack",
"name": "Flash Loan Attack",
"type": "variant",
"priority": null
},
{
"id": "pricing_oracle_manipulation",
"name": "Pricing Oracle Manipulation",
"type": "variant",
"priority": null
},
{
"id": "function_level_accounting_error",
"name": "Function-Level Accounting Error",
"type": "variant",
"priority": null
},
{
"id": "improper_implementation_of_governance",
"name": "Improper Implementation of Governance",
"type": "variant",
"priority": null
}
]
},
{
"id": "marketplace_security",
"name": "Marketplace Security",
"type": "subcategory",
"children": [
{
"id": "signer_account_takeover",
"name": "Signer Account Takeover",
"type": "variant",
"priority": 1
},
{
"id": "unauthorized_asset_transfer",
"name": "Unauthorized Asset Transfer",
"type": "variant",
"priority": 1
},
{
"id": "orderbook_manipulation",
"name": "Orderbook Manipulation",
"type": "variant",
"priority": 1
},
{
"id": "malicious_order_offer",
"name": "Malicious Order Offer",
"type": "variant",
"priority": 2
},
{
"id": "price_or_fee_manipulation",
"name": "Price or Fee Manipulation",
"type": "variant",
"priority": 2
},
{
"id": "ofac_bypass",
"name": "OFAC Bypass",
"type": "variant",
"priority": 3
},
{
"id": "improper_validation_and_checks_for_deposits_and_withdrawals",
"name": "Improper Validation and Checks For Deposits and Withdrawals",
"type": "variant",
"priority": null
},
{
"id": "miscalculated_accounting_logic",
"name": "Miscalculated Accounting Logic",
"type": "variant",
"priority": null
},
{
"id": "denial_of_service",
"name": "Denial of Service",
"type": "variant",
"priority": null
}
]
},
{
"id": "protocol_security_misconfiguration",
"name": "Protocol Security Misconfiguration",
"type": "subcategory",
"children": [
{
"id": "node_level_denial_of_service",
"name": "Node-level Denial of Service",
"type": "variant",
"priority": 1
}
]
}
]
},
{
"id": "protocol_specific_misconfiguration",
"name": "Protocol Specific Misconfiguration",
"type": "category",
"children": [
{
"id": "frontrunning_enabled_attack",
"name": "Frontrunning-Enabled Attack",
"type": "variant",
"priority": 2
},
{
"id": "sandwich_enabled_attack",
"name": "Sandwich-Enabled Attack",
"type": "variant",
"priority": 2
},
{
"id": "misconfigured_staking_logic",
"name": "Misconfigured Staking Logic",
"type": "variant",
"priority": null
},
{
"id": "improper_validation_and_finalization_logic",
"name": "Improper Validation and Finalization Logic",
"type": "variant",
"priority": null
}
]
},
{
"id": "smart_contract_misconfiguration",
"name": "Smart Contract Misconfiguration",
"type": "category",
"children": [
{
"id": "reentrancy_attack",
"name": "Reentrancy Attack",
"type": "variant",
"priority": 1
},
{
"id": "smart_contract_owner_takeover",
"name": "Smart Contract Owner Takeover",
"type": "variant",
"priority": 1
},
{
"id": "uninitialized_variables",
"name": "Uninitialized Variables",
"type": "variant",
"priority": 1
},
{
"id": "unauthorized_transfer_of_funds",
"name": "Unauthorized Transfer of Funds",
"type": "variant",
"priority": 1
},
{
"id": "integer_overflow_underflow",
"name": "Integer Overflow / Underflow",
"type": "variant",
"priority": 2
},
{
"id": "unauthorized_smart_contract_approval",
"name": "Unauthorized Smart Contract Approval",
"type": "variant",
"priority": 2
},
{
"id": "irreversible_function_call",
"name": "Irreversible Function Call",
"type": "variant",
"priority": 3
},
{
"id": "function_level_denial_of_service",
"name": "Function-level Denial of Service",
"type": "variant",
"priority": 3
},
{
"id": "malicious_superuser_risk",
"name": "Malicious Superuser Risk",
"type": "variant",
"priority": 3
},
{
"id": "improper_fee_implementation",
"name": "Improper Fee Implementation",
"type": "variant",
"priority": 3
},
{
"id": "improper_use_of_modifier",
"name": "Improper Use of Modifier",
"type": "variant",
"priority": 4
},
{
"id": "improper_decimals_implementation",
"name": "Improper Decimals Implementation",
"type": "variant",
"priority": 4
},
{
"id": "inaccurate_rounding_calculation",
"name": "Inaccurate Rounding Calculation",
"type": "variant",
"priority": null
},
{
"id": "bypass_of_function_modifiers_and_checks",
"name": "Bypass of Function Modifiers & Checks",
"type": "variant",
"priority": null
}
]
},
{
"id": "zero_knowledge_security_misconfiguration",
"name": "Zero Knowledge Security Misconfiguration",
"type": "category",
"children": [
{
"id": "missing_constraint",
"name": "Missing Constraint",
"type": "variant",
"priority": null
},
{
"id": "mismatching_bit_lengths",
"name": "Mismatching Bit Lengths",
"type": "variant",
"priority": null
},
{
"id": "misconfigured_trusted_setup",
"name": "Misconfigured Trusted Setup",
"type": "variant",
"priority": null
},
{
"id": "missing_range_check",
"name": "Missing Range Check",
"type": "variant",
"priority": null
},
{
"id": "improper_proof_validation_and_finalization_logic",
"name": "Improper Proof Validation and Finalization Logic",
"type": "variant",
"priority": 1
},
{
"id": "deanonymization_of_data",
"name": "Deanonymization of Data",
"type": "variant",
"priority": 1
}
]
},
{
"id": "blockchain_infrastructure_misconfiguration",
"name": "Blockchain Infrastructure Misconfiguration",
"type": "category",
"children": [
{
"id": "improper_bridge_validation_and_verification_logic",
"name": "Improper Bridge Validation and Verification Logic",
"type": "variant",
"priority": null
}
]
}
]
}
{
"id": "mail_server_misconfiguration",
"name": "Mail Server Misconfiguration",
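Review bot: the insertion does not leave the file as valid JSON. The last three added lines are `}`, `]`, `}`, and the unchanged context that follows is `{` opening `mail_server_misconfiguration`, so the `blockchain_infrastructure_misconfiguration` object closes without a trailing comma, the extra `]` and `}` close the enclosing array and object early, and a new object then begins with no separator. The block should end with `},` immediately after the blockchain infrastructure category's closing brace (the `}` that follows the `]` of its children array), with the extra `]` and `}` dropped, mirroring how every earlier category in this hunk ends with `},`. A JSON parse step in CI would catch this class of error before merge.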

0 comments on commit c459413