Bridge Exploits
Cross-chain bridge contracts hold locked assets on one chain and mint wrapped tokens on another. Attackers forge withdrawal proofs, exploit validator threshold bugs, or manipulate the verification logic to drain the locked side.
Notable incidents: Kelp DAO ($292M), Ronin ($625M), Nomad ($190M)
Social Engineering
Long-term infiltration of development teams — fake employees, compromised contractors, or insider threats plant malicious code or steal signing keys. Nation-state groups like Lazarus operate campaigns spanning months.
Notable incidents: Drift Protocol ($285M), Bybit ($1.4B), Radiant Capital ($50M)
Price Manipulation
Attackers use flash loans or large capital positions to move thin on-chain oracle prices, then exploit protocols that rely on those prices for collateral valuation, liquidation thresholds, or payout calculations.
Notable incidents: Hyperliquid POPCAT ($6M), Mango Markets ($114M), Euler ($197M)
Uncollateralised loans borrowed and repaid within a single transaction block. They amplify capital for price manipulation, governance attacks, and reentrancy exploits — requiring zero upfront capital from the attacker.
Notable incidents: bZx ($1M), PancakeBunny ($45M), Platypus ($8.5M)
A contract calls an external address before updating its own state. The external address re-enters the original contract and drains funds before the balance is decremented. The original DeFi vulnerability class.
Notable incidents: The DAO ($60M, 2016), Curve Finance ($61M, 2023), Fei Protocol ($80M)
On-chain price oracles report external data to smart contracts. Attackers manipulate spot prices on low-liquidity DEX pools that serve as oracles, or exploit stale data windows in aggregators like Chainlink.
Notable incidents: Cream Finance ($130M), Inverse Finance ($15M), Nirvana ($3.5M)
Compromised infrastructure, leaked .env files, malicious dependencies (supply chain), or phishing give attackers direct access to admin or treasury signing keys — bypassing all smart contract security entirely.
Notable incidents: Atomic Wallet ($35M), LastPass ($160M+), Multichain ($126M)
Missing or misconfigured access modifiers on privileged contract functions — initializers callable by anyone, admin functions without ownership checks, or proxy upgrade paths left unprotected.
Notable incidents: Poly Network ($611M), Wormhole ($320M), Ankr ($5M)