# Solidity Adversarial Scenario Analysis
## When to Apply
- Red-team security reviews and penetration testing
- Pre-deployment threat modeling for DeFi protocols
- Analyzing contracts that handle significant TVL
- Investigating suspicious behavior or incident response
- Extending a standard security audit with attacker-perspective analysis
## Adversarial Thinking Framework
| Step | Action | Key Question |
|---|---|---|
| 1. Identify Assets | Map valuable targets | What can be stolen, locked, or manipulated? |
| 2. Enumerate Entry Points | List all external/public functions | Which functions change state or move value? |
| 3. Model Adversary | Define attacker capabilities | What resources (flash loans, MEV, tokens) does the attacker have? |
| 4. Construct Sequences | Build multi-step attack paths | What sequence of calls achieves the attack goal? |
| 5. Verify Invariants | Check contract assumptions | Which mathematical or state invariants can be violated? |
## Attack Scenario Categories
| Category | Severity | Key Indicators | Example Attack |
|---|---|---|---|
| Reentrancy | Critical | External calls before state updates, missing guards | Drain via fallback re-entry |
| Flash Loan | Critical | Price-dependent logic, spot price reliance | Borrow → manipulate → profit |
| Oracle Manipulation | High | External price feeds, single-source oracles | Inflate collateral value |
| MEV / Front-running | High | DEX interactions, unprotected swaps | Sandwich attack on swap |
| Governance | High | Token-weighted voting, timelocks | Flash-borrow votes |
| Access Control | Critical | Initializers, proxy patterns, ownership | Unprotected initializer takeover |
| Economic / Logic | High | Reward calculations, share math, minting | Rounding exploit in rewards |
| Cross-contract | High | Token callbacks, composability assumptions | Malicious ERC777 callback |
## Scenario Analysis Process
- Feature Detection: Identify what the contract does (oracle usage? governance? DEX interaction?)
- Threat Mapping: Map detected features to applicable attack categories
- Scenario Construction: For each applicable category, build: Pre-conditions → Attack Steps → Impact
- Invariant Verification: Define properties that must always hold (e.g., `totalDeposits <= balance`)
- Mitigation Assessment: Check if existing defenses (ReentrancyGuard, access control, slippage checks) adequately cover the scenario
## Category Deep Dives
### Reentrancy
- Does the contract make external calls before updating state?
- Are there cross-function interactions sharing mutable state?
- Is ReentrancyGuard applied to all functions with external calls?
### Flash Loan
- Does any calculation depend on a spot price that can be manipulated within one transaction?
- Can the attacker's position be established and unwound atomically?
### Oracle Manipulation
</gml_replace>
<gr_insert after="91" cat="add_content" lang="solidity" orig="- Are there fallback">
The Flash Loan and Oracle Manipulation checklists point at the same root cause, a price read that can be moved within one transaction, so one added example serves both sections. It is not code from the original page: `SpotPriceLending` and `CheckedPriceLending` are constructed contracts, while `IUniswapV2Pair.getReserves` and Chainlink's `AggregatorV3Interface.latestRoundData` are real interfaces (pair and feed addresses are deployment-specific and passed to the constructor). The first contract shows the indicator from the category table ("spot price reliance"); the second adds a staleness check and a deviation sanity check so that neither source alone decides the collateral value.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example (not from the original page).

interface IUniswapV2Pair {
    function getReserves() external view returns (uint112, uint112, uint32);
}

interface AggregatorV3Interface {
    function decimals() external view returns (uint8);
    function latestRoundData()
        external
        view
        returns (uint80 roundId, int256 answer, uint256 startedAt, uint256 updatedAt, uint80 answeredInRound);
}

// Flag: spot price computed from pool reserves inside the same transaction.
// A large swap moves the reserves, the price and every valuation that
// depends on it together, and the position can be unwound atomically.
contract SpotPriceLending {
    IUniswapV2Pair public immutable pair;

    constructor(IUniswapV2Pair _pair) {
        pair = _pair;
    }

    // token0 priced in token1, scaled by 1e18
    function collateralPrice() public view returns (uint256) {
        (uint112 r0, uint112 r1, ) = pair.getReserves();
        return (uint256(r1) * 1e18) / uint256(r0);
    }
}

// Hardened form: external feed with a staleness check, plus a deviation
// check against the pool so a manipulated spot price is rejected instead
// of silently used.
contract CheckedPriceLending {
    AggregatorV3Interface public immutable feed;
    IUniswapV2Pair public immutable pair;
    uint256 public constant MAX_STALENESS = 1 hours;
    uint256 public constant MAX_DEVIATION_BPS = 500; // 5 %

    constructor(AggregatorV3Interface _feed, IUniswapV2Pair _pair) {
        feed = _feed;
        pair = _pair;
    }

    function collateralPrice() public view returns (uint256) {
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "bad feed answer");
        require(block.timestamp - updatedAt <= MAX_STALENESS, "stale feed");
        uint256 feedPrice = (uint256(answer) * 1e18) / (10 ** uint256(feed.decimals()));

        (uint112 r0, uint112 r1, ) = pair.getReserves();
        uint256 spot = (uint256(r1) * 1e18) / uint256(r0);

        // Reject if the manipulable spot price has drifted too far from the feed.
        uint256 diff = spot > feedPrice ? spot - feedPrice : feedPrice - spot;
        require(diff * 10_000 <= feedPrice * MAX_DEVIATION_BPS, "price deviation");
        return feedPrice;
    }
}
```

When reviewing, trace every arithmetic path that consumes `collateralPrice()` (borrow limits, liquidation thresholds, share minting); if any of them reaches the reserve-based version, the scenario "borrow → manipulate → profit" from the category table applies regardless of how the rest of the contract is guarded.
</gr_insert>
<gr_replace lines="92-94" cat="remove_boilerplate" orig="- 是否将单一">
- Is a single oracle source used for critical price data?
- Can the oracle price be influenced by large trades in the same block?
- Are there fallback oracles or sanity checks on price deviations?
- 是否将单一预言机来源用于关键价格数据?
- 攻击者能否通过同区块内的大额交易影响预言机价格?
- 是否设置了备用预言机或价格偏差 sanity 检查?
### MEV / Front-running
- Are there unprotected swaps or liquidity operations?
- Does the contract rely on `block.timestamp` or `block.number` for ordering?
- Can an attacker sandwich a user's transaction for profit?
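The "unprotected swap" indicator usually comes down to two parameters. The following added example (not code from the original page) shows a swap helper in both forms; `SwapHelper` is constructed, and `IRouter` mirrors the Uniswap V2 router's `swapExactTokensForTokens` signature as a stand-in for whichever DEX the contract integrates.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example (not from the original page). IRouter follows the
// Uniswap V2 router signature; any router with a min-out and deadline works.
interface IRouter {
    function swapExactTokensForTokens(
        uint256 amountIn,
        uint256 amountOutMin,
        address[] calldata path,
        address to,
        uint256 deadline
    ) external returns (uint256[] memory amounts);
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract SwapHelper {
    IRouter public immutable router;

    constructor(IRouter _router) {
        router = _router;
    }

    // Flag: amountOutMin = 0 and an unbounded deadline accept any execution
    // price, so the transaction can be sandwiched or held and replayed later.
    function swapUnprotected(address[] calldata path, uint256 amountIn) external {
        IERC20(path[0]).transferFrom(msg.sender, address(this), amountIn);
        IERC20(path[0]).approve(address(router), amountIn);
        router.swapExactTokensForTokens(amountIn, 0, path, msg.sender, type(uint256).max);
    }

    // Hardened: the caller supplies a minimum output derived from an
    // off-chain quote and a deadline; a sandwiched or stale execution reverts
    // instead of filling at a worse price. block.timestamp is used only as a
    // coarse expiry here, never to order operations.
    function swapProtected(
        address[] calldata path,
        uint256 amountIn,
        uint256 amountOutMin,
        uint256 deadline
    ) external returns (uint256 received) {
        require(amountOutMin > 0, "no slippage bound");
        require(deadline >= block.timestamp, "expired");
        IERC20(path[0]).transferFrom(msg.sender, address(this), amountIn);
        IERC20(path[0]).approve(address(router), amountIn);
        uint256[] memory amounts =
            router.swapExactTokensForTokens(amountIn, amountOutMin, path, msg.sender, deadline);
        received = amounts[amounts.length - 1];
    }
}
```

A `require(amountOutMin > 0)` is a coarse guard: it stops the obvious zero, but a caller can still pass a bound far below the quote, so the review should also check how the front end or keeper derives the value.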
### Governance
- Can voting power be acquired via flash loans or flash mints?
- Is there a sufficient timelock between proposal and execution?
- Can a malicious actor bypass quorum requirements?
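The three governance questions map to three mechanics: snapshot-based vote weight, a timelock between queue and execute, and a quorum measured against the snapshot supply. The following `MiniGovernor` is an added example, not code from the original page; the contract and its constants are constructed, and `IVotes` mirrors the `getPastVotes`/`getPastTotalSupply` functions of OpenZeppelin's ERC20Votes.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example (not from the original page).
interface IVotes {
    function getPastVotes(address account, uint256 timepoint) external view returns (uint256);
    function getPastTotalSupply(uint256 timepoint) external view returns (uint256);
}

contract MiniGovernor {
    struct Proposal {
        uint256 snapshotBlock;   // voting power is read here, not at vote time
        uint256 votingEnds;
        uint256 executableAfter; // timelock expiry, 0 until queued
        uint256 forVotes;
        bool executed;
        mapping(address => bool) voted;
    }

    IVotes public immutable token;
    uint256 public constant VOTING_PERIOD = 3 days;
    uint256 public constant TIMELOCK = 2 days;
    uint256 public constant QUORUM_BPS = 400; // 4 % of snapshot supply
    uint256 public proposalCount;
    mapping(uint256 => Proposal) internal proposals;

    constructor(IVotes _token) {
        token = _token;
    }

    function propose() external returns (uint256 id) {
        id = ++proposalCount;
        Proposal storage p = proposals[id];
        // Snapshot at the previous block: a balance flash-borrowed in the
        // current transaction cannot be reflected in it.
        p.snapshotBlock = block.number - 1;
        p.votingEnds = block.timestamp + VOTING_PERIOD;
    }

    function vote(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.snapshotBlock != 0, "no proposal");
        require(block.timestamp <= p.votingEnds, "voting closed");
        require(!p.voted[msg.sender], "already voted");
        p.voted[msg.sender] = true;
        // Weight from the snapshot, never from the current balanceOf().
        p.forVotes += token.getPastVotes(msg.sender, p.snapshotBlock);
    }

    function queue(uint256 id) external {
        Proposal storage p = proposals[id];
        require(block.timestamp > p.votingEnds, "still voting");
        require(p.executableAfter == 0, "already queued");
        // Quorum against the snapshot supply, so minting after the snapshot
        // cannot lower or raise the bar.
        uint256 quorum = (token.getPastTotalSupply(p.snapshotBlock) * QUORUM_BPS) / 10_000;
        require(p.forVotes >= quorum, "quorum not met");
        p.executableAfter = block.timestamp + TIMELOCK; // time for holders to react or exit
    }

    function execute(uint256 id) external {
        Proposal storage p = proposals[id];
        require(p.executableAfter != 0 && block.timestamp >= p.executableAfter, "timelocked");
        require(!p.executed, "already executed");
        p.executed = true;
        // the proposal payload would run here
    }
}
```

During a review, the points to confirm are that `vote` never consults a live balance, that `execute` cannot be reached without passing through the `queue` delay, and that the quorum denominator is taken at the same snapshot as the votes.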
### Access Control
- Are initializers protected against multiple calls?
- Can ownership be hijacked through uninitialized storage or logic flaws?
- Are administrative functions restricted to trusted roles?
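The "unprotected initializer takeover" entry in the category table is the shape of the first two questions. As an added example (not code from the original page), here is a logic contract in both forms; `UnprotectedLogic` and `ProtectedLogic` are constructed, and the constructor trick in the second mirrors what OpenZeppelin's `Initializable._disableInitializers()` does.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example (not from the original page) of an upgradeable-style
// logic contract that is meant to be used behind a proxy.

// Flag: initialize() can be called by anyone, any number of times, so
// whoever calls it first (or again, later) becomes owner.
contract UnprotectedLogic {
    address public owner;

    function initialize(address _owner) external {
        owner = _owner;
    }
}

contract ProtectedLogic {
    address public owner;
    bool private _initialized;

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Runs once, at deployment of the logic contract, in the implementation's
    // own storage. The implementation can therefore never be initialized by a
    // third party, while a proxy delegating to it still has _initialized ==
    // false in its own storage and is initialized through the proxy as usual.
    constructor() {
        _initialized = true;
    }

    function initialize(address _owner) external {
        require(!_initialized, "already initialized");
        require(_owner != address(0), "zero owner");
        _initialized = true;
        owner = _owner;
    }

    // Administrative function restricted to the trusted role.
    function setFee(uint256 /* feeBps */) external onlyOwner {
        // admin-only configuration would be applied here
    }
}
```

For the third question, list every function that is neither `view` nor user-scoped and confirm each carries a role check; the ones that are easiest to miss are upgrade hooks and "emergency" paths added late in development.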
### Economic / Logic
- Are there rounding errors in reward or share calculations?
- Can an attacker mint tokens or inflate balances through logic gaps?
- Does the contract handle fee-on-transfer or rebasing tokens correctly?
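The rounding and fee-on-transfer questions tend to surface in the same place: share math in a vault. The following `SharesVault` is an added example, not code from the original page; the contract is constructed, and the minimal `IERC20` interface is the standard one. It credits only what actually arrived, rounds shares in the vault's favour, and tracks assets internally rather than reading `balanceOf`, so a direct token donation cannot distort the share price.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example (not from the original page).
interface IERC20 {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract SharesVault {
    IERC20 public immutable asset;
    uint256 public totalShares;
    uint256 public totalAssets; // internal accounting, not balanceOf()
    mapping(address => uint256) public shares;

    constructor(IERC20 _asset) {
        asset = _asset;
    }

    function deposit(uint256 amount) external returns (uint256 minted) {
        // Fee-on-transfer: crediting `amount` would assume the full amount
        // arrived. Measure the balance delta instead.
        uint256 before = asset.balanceOf(address(this));
        require(asset.transferFrom(msg.sender, address(this), amount), "transferFrom failed");
        uint256 received = asset.balanceOf(address(this)) - before;

        // Rounding: integer division rounds DOWN, i.e. in favour of the
        // vault; the depositor never gets a share more than they paid for.
        minted = totalShares == 0 ? received : (received * totalShares) / totalAssets;
        require(minted > 0, "deposit too small");

        shares[msg.sender] += minted;
        totalShares += minted;
        totalAssets += received;
    }

    function redeem(uint256 burn) external returns (uint256 out) {
        require(burn > 0 && shares[msg.sender] >= burn, "insufficient shares");
        // Rounds down again, so any dust stays with the vault rather than
        // being extractable through repeated tiny redemptions.
        out = (burn * totalAssets) / totalShares;

        shares[msg.sender] -= burn;
        totalShares -= burn;
        totalAssets -= out;
        require(asset.transfer(msg.sender, out), "transfer failed");
    }
}
```

The invariant to carry into the verification step is `totalAssets <= asset.balanceOf(address(this))`: it holds here because fees and donations only ever make the real balance larger than the tracked one, and a rounding bug in either direction would break it.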
### Cross-contract
- Does the contract interact with untrusted tokens (e.g., ERC777)?
- Are there assumptions about external contract behavior that can be violated?
- Can a malicious callback disrupt the contract's state?
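The second question, assumptions about external contract behaviour, is most often violated by the token transfer itself: tokens that return nothing, return `false` instead of reverting, or run hooks during the transfer. As an added example (not code from the original page), here is a small `safeTransfer` in the style of OpenZeppelin's SafeERC20 together with a constructed `Escrow` that uses it; the library and contract names are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Constructed example (not from the original page).

// Does not assume the token returns a bool, returns true, or even exists at
// the address: each of those assumptions has been violated by real tokens.
library SafeToken {
    function safeTransfer(address token, address to, uint256 amount) internal {
        require(token.code.length > 0, "not a contract"); // a call to an EOA would "succeed"
        (bool ok, bytes memory ret) = token.call(
            abi.encodeWithSignature("transfer(address,uint256)", to, amount)
        );
        // Accept either an empty return (non-standard tokens) or a true bool;
        // a false bool or a revert both fail here.
        require(ok && (ret.length == 0 || abi.decode(ret, (bool))), "transfer failed");
    }
}

contract Escrow {
    using SafeToken for address;

    address public immutable token;
    address public immutable owner;
    mapping(address => uint256) public owed;
    uint256 private _locked = 1;

    modifier nonReentrant() {
        require(_locked == 1, "reentrant call");
        _locked = 2;
        _;
        _locked = 1;
    }

    constructor(address _token) {
        token = _token;
        owner = msg.sender;
    }

    function credit(address who, uint256 amount) external {
        require(msg.sender == owner, "not owner");
        owed[who] += amount;
    }

    // A token with hooks (ERC777 tokensToSend / tokensReceived) can call back
    // into this contract while transfer() is executing. The balance is zeroed
    // before the call and the guard blocks re-entry, so the callback sees
    // finalised state and cannot claim twice.
    function claim() external nonReentrant {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "nothing owed");
        owed[msg.sender] = 0;
        token.safeTransfer(msg.sender, amount);
    }
}
```

When the token is untrusted, the review question is not only "is there a guard" but "what does this contract believe about the token", and whether each belief (returns a bool, does not call back, transfers the full amount) is actually enforced.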
## Enhanced with MCP
If using the `solidity-agent-toolkit` MCP server:

- `analyze_adversarial_scenarios`: Detect contract features and match applicable attack scenarios automatically
- `adversarial_analysis` prompt: Guided adversarial analysis with scenario knowledge injected
- `adversarial://list`: Browse all attack scenario categories
- `adversarial://category/{category}`: Deep dive into a specific attack category
- `match_vulnerability_patterns`: Complement with regex-based vulnerability detection
- `run_slither` / `run_aderyn`: Automated static analysis for supporting evidence
For defensive patterns against identified threats, see the Security Best Practices skill.
## References
- For defensive countermeasures: Security Best Practices skill
- For audit methodology: Code Review skill