
Blockchain Security — Reference.

Smart-contract, bridge, and consensus-layer threat classes — where the field's actual losses cluster, and the audit patterns that catch them.

Smart-contract threat classes

  • Reentrancy. External call before state update lets callee call back into the contract in a state where invariants don't hold. Audit pattern: every external call (.call, ERC-20 transfer to unknown address, safeTransferFrom with hooks) followed by state mutation = reentrancy candidate. Mitigation: checks-effects-interactions ordering, reentrancy-guard modifier, pull-payment over push.
  • Integer overflow/underflow. Solidity ≥0.8 reverts on overflow; pre-0.8 used SafeMath. Audit pattern: explicit unchecked { … } blocks must be reviewed. Common bug: unchecked used for gas savings in subtraction without bounds check.
  • Access control. Missing onlyOwner on privileged function; tx.origin for auth (bypassable via intermediate contract); initializer callable twice; role-renounce paths that brick the contract.
  • Oracle manipulation. Price feed = on-chain DEX spot price. Attacker flash-loans, swaps to move price, calls liquidation. Mitigation: TWAP over >30 minutes; Chainlink-style off-chain aggregation; circuit breakers on price-delta.
  • Time-dependence. block.timestamp is miner-manipulable by ~15 sec. Don't use it as a randomness source, and don't compare it against windows narrower than that drift.
  • Gas DoS. Unbounded loop over a user-controlled array; transfer()/send() to a recipient whose fallback needs more than the 2300-gas stipend reverts, so one unusual or hostile recipient can block a push-payment loop for everyone. Mitigation: paginate iteration; pull pattern.
  • Front-running / MEV. Mempool-visible transactions copied with higher gas to extract value. Mitigation: commit-reveal, private mempool (Flashbots), batch auctions.
  • Signature replay. EIP-712 signature missing chainId or nonce → replayable across chain or session.

Bridge architecture — where the losses live

  • Validator-set integrity. Bridge security == validator set. Ronin (2022, $625M) compromised 5/9 validator keys. Wormhole (2022, $326M) — signature-verification bypass. Audit: how is the validator set rotated? key custody (HSM, threshold)? slashing on misbehavior?
  • Message replay. Withdrawal proof reusable across chains or twice on same chain. Nomad (2022, $190M) — uninitialized trusted root, every message valid by default.
  • Asset accounting reconciliation. Locked on chain A, minted on chain B. Drift = solvency bug. Audit: invariant that locked == minted at any block. Off-chain monitor that fires on drift.
  • Upgradeability. Proxy upgrades by admin = unilateral rug risk. Audit: timelock + multisig + on-chain visibility. Compare upgrade governance against actual TVL — TVL grows faster than governance maturity in nearly all projects.
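Added example, not from the reference page and not any real bridge's code: a destination-side message receiver that enforces the three audit points above that can be checked on-chain: the trusted root must be explicitly initialized to a non-zero value (the failure mode described for Nomad), each message may be processed once and only on the chain it was addressed to, and the minted total is exposed so an off-chain monitor can compare it with the amount locked on the source chain. The message layout, Merkle proof shape, and all names are assumptions made for the example; validator-set rotation and root updates are out of scope here.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical bridge receiver on chain B. Messages are leaves of a Merkle tree
// whose root is attested by the validator set; how that root is rotated is the
// audit question the reference raises and is deliberately not modelled here.
contract BridgeReceiver {
    address public immutable admin;
    bytes32 public trustedRoot;                 // stays zero until initialize() runs
    bool public initialized;
    mapping(bytes32 => bool) public processed;  // replay protection keyed by message leaf
    uint256 public totalMinted;                 // compared off-chain against locked on chain A
    mapping(address => uint256) public balanceOf;

    event Minted(address indexed to, uint256 amount, uint256 nonce);

    constructor() {
        admin = msg.sender;
    }

    // One-shot initialization. Rejecting a zero root prevents the "every
    // message valid by default" state: no leaf can prove against an unset root.
    function initialize(bytes32 root) external {
        require(msg.sender == admin, "not admin");
        require(!initialized, "already initialized");
        require(root != bytes32(0), "zero root");
        trustedRoot = root;
        initialized = true;
    }

    // Message = (srcChainId, dstChainId, nonce, to, amount). Binding dstChainId
    // stops cross-chain replay; the processed[] mapping stops same-chain replay.
    function process(
        uint256 srcChainId,
        uint256 dstChainId,
        uint256 nonce,
        address to,
        uint256 amount,
        bytes32[] calldata proof
    ) external {
        require(initialized && trustedRoot != bytes32(0), "root not set");
        require(dstChainId == block.chainid, "message not for this chain");
        bytes32 leaf = keccak256(abi.encode(srcChainId, dstChainId, nonce, to, amount));
        require(!processed[leaf], "already processed");
        require(_verify(proof, trustedRoot, leaf), "invalid proof");

        processed[leaf] = true;        // effect before any accounting change
        totalMinted += amount;
        balanceOf[to] += amount;
        emit Minted(to, amount, nonce);
    }

    // Solvency invariant from the reference: locked on A must cover minted on B.
    // The locked figure is supplied by the off-chain monitor that reads chain A.
    function isSolvent(uint256 lockedOnSourceChain) external view returns (bool) {
        return lockedOnSourceChain >= totalMinted;
    }

    // Sorted-pair Merkle verification (160-byte leaf preimage vs 64-byte node
    // preimage, so a node cannot masquerade as a leaf).
    function _verify(bytes32[] calldata proof, bytes32 root, bytes32 leaf)
        internal pure returns (bool)
    {
        bytes32 h = leaf;
        for (uint256 i = 0; i < proof.length; i++) {
            bytes32 p = proof[i];
            h = h < p ? keccak256(abi.encodePacked(h, p))
                      : keccak256(abi.encodePacked(p, h));
        }
        return h == root;
    }
}
```

An off-chain drift monitor would read the lock contract's balance on chain A and call `isSolvent` (or simply read `totalMinted`) on chain B at the same block height, alerting the moment the inequality fails; the contract cannot check that invariant itself because the locked figure lives on another chain.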

Consensus-layer threats

  • Long-range attack (PoS). Attacker buys old validator keys (worthless after they unstake), rewrites history from epoch where they had stake. Mitigation: weak subjectivity checkpoints.
  • Nothing-at-stake. Validator votes on every fork because no cost. Mitigation: slashing on conflicting votes.
  • MEV at consensus. Proposer-builder separation (PBS) tries to limit proposer rents; censorship and inclusion-list debates ongoing.
  • 51% attack on PoW. Rent enough hash → reorg → double-spend. Economically rational on small chains; Bitcoin-Gold, Ethereum-Classic real-world examples.

Audit-pattern checklist

  1. External calls + state mutations — reentrancy review.
  2. unchecked blocks — arithmetic review.
  3. Every privileged function — access-control review (who can call, can be revoked, can be transferred).
  4. Price-input source — TWAP or single-block? Manipulable via flash loan?
  5. Loops — bounded by constant or by user input?
  6. Upgrade path — admin, timelock, multisig configuration?
  7. Signature verification — chainId, nonce, EIP-712 structure correct?
  8. Initialization — initializer one-shot? Constructor sets all state? Proxy implementation initialized?
Rule of thumb: In smart-contract audits the most expensive bugs are not exotic — they're access control, oracle manipulation, and upgrade-path mistakes. Spend 70% of audit time on the boring questions: who can call this, what does it trust, and what happens on the unhappy path.
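Added example, not from the reference page: the signature-verification and initialization checks from items 7 and 8 of the checklist (and the "Signature replay" bullet above), implemented with a hand-rolled EIP-712 domain separator so every field the checklist asks about is visible. The domain name, version, struct type, and function names are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contract accepting off-chain-signed transfers. Replay across
// chains is blocked by chainId in the domain separator; replay within a chain
// is blocked by the per-signer nonce folded into the signed struct.
contract SignedTransfers {
    bytes32 private constant DOMAIN_TYPEHASH = keccak256(
        "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
    );
    bytes32 private constant TRANSFER_TYPEHASH = keccak256(
        "Transfer(address to,uint256 amount,uint256 nonce,uint256 deadline)"
    );
    // secp256k1 n/2: rejecting high-s values removes signature malleability.
    uint256 private constant HALF_ORDER =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    mapping(address => uint256) public nonces;
    mapping(address => uint256) public balanceOf;
    bool private _initialized;
    address public owner;

    // Checklist item 8: one-shot initializer (the pattern a proxy would use
    // instead of a constructor). Calling it twice must revert.
    function initialize(address owner_) external {
        require(!_initialized, "already initialized");
        require(owner_ != address(0), "zero owner");
        _initialized = true;
        owner = owner_;
    }

    // Computed on every call rather than cached at construction: a cached value
    // would survive a chain fork and make signatures valid on both forks.
    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(
            DOMAIN_TYPEHASH,
            keccak256(bytes("SignedTransfers")),
            keccak256(bytes("1")),
            block.chainid,
            address(this)
        ));
    }

    function transferWithSig(
        address from,
        address to,
        uint256 amount,
        uint256 deadline,
        uint8 v,
        bytes32 r,
        bytes32 s
    ) external {
        require(_initialized, "not initialized");
        require(block.timestamp <= deadline, "signature expired");
        require(uint256(s) <= HALF_ORDER, "malleable s");
        require(v == 27 || v == 28, "bad v");

        uint256 nonce = nonces[from]++;            // consumed before recovery (effect first)
        bytes32 structHash = keccak256(abi.encode(
            TRANSFER_TYPEHASH, to, amount, nonce, deadline
        ));
        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0) && signer == from, "bad signature");

        uint256 bal = balanceOf[from];
        require(amount <= bal, "insufficient balance");
        unchecked { balanceOf[from] = bal - amount; }   // bounded by the check above
        balanceOf[to] += amount;
    }
}
```

Auditing this against the checklist: `chainId` and `verifyingContract` sit in the domain separator (cross-chain and cross-contract replay), `nonce` and `deadline` sit in the struct (same-chain replay and stale signatures), the `ecrecover` zero-address result is rejected explicitly, and `initialize` cannot run twice. Dropping any one of those lines is the class of bug the "Signature replay" bullet describes.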
