threat-matrix.cspec
1 # Alpha/Delta Threat Matrix (Machine-Readable) 2 # Source of truth for threat data 3 # Version: 1.0.0 4 # Updated: 2026-01-08 5 6 schema_version: 1.0.0 7 8 metadata: 9 document_type: threat_matrix 10 version: 1.0.0 11 created: 2026-01-08 12 updated: 2026-01-08 13 source: S001_threat_model 14 human_doc: docs/security/attack-vectors.md 15 16 # === THREAT ACTORS === 17 actors: 18 external_attacker: 19 description: Unauthorized network access, exploit attempts 20 motivation: [financial_gain, disruption, reputation_damage] 21 capability: variable 22 resources: [botnets, exploit_kits, rented_infra] 23 detection_difficulty: low_to_medium 24 25 malicious_validator: 26 description: Colluding or byzantine validator nodes 27 motivation: [economic_gain, protocol_disruption, competitive_advantage] 28 capability: high 29 resources: [staked_capital, validator_infra, insider_knowledge] 30 detection_difficulty: medium_to_high 31 32 compromised_user: 33 description: Stolen keys, phished credentials 34 motivation: na # Victim, not actor 35 capability: na 36 resources: [valid_credentials, signed_transactions] 37 detection_difficulty: medium 38 39 insider_threat: 40 description: Rogue admin, supply chain compromise 41 motivation: [financial_gain, coercion, ideological] 42 capability: very_high 43 resources: [admin_credentials, infra_access, codebase_knowledge] 44 detection_difficulty: high 45 46 # === ATTACK VECTORS === 47 vectors: 48 # Network vectors 49 NET-001: 50 name: DDoS Amplification 51 domain: network 52 severity: high 53 likelihood: high 54 actors: [external_attacker] 55 targets: [public_api_3030, public_api_4030] 56 mitigations: 57 - id: M-NET-001a 58 control: rate_limiting 59 implementation: caddy_rate_limit_module 60 - id: M-NET-001b 61 control: geographic_distribution 62 implementation: multi_region_deployment 63 64 NET-002: 65 name: Application-Layer DDoS 66 domain: network 67 severity: high 68 likelihood: medium 69 actors: [external_attacker] 70 targets: [api_endpoints] 71 mitigations: 72 - id: M-NET-002a 73 control: waf_rules 74 implementation: caddy_request_filtering 75 - id: M-NET-002b 76 control: request_validation 77 implementation: input_size_limits 78 79 NET-003: 80 name: Mempool Flooding 81 domain: network 82 severity: medium 83 likelihood: medium 84 actors: [external_attacker] 85 targets: [mempool] 86 mitigations: 87 - id: M-NET-003a 88 control: minimum_fee 89 implementation: base_100u_alpha_10u_delta 90 - id: M-NET-003b 91 control: mempool_eviction 92 implementation: priority_by_fee 93 94 NET-004: 95 name: TLS Downgrade 96 domain: network 97 severity: critical 98 likelihood: low 99 actors: [external_attacker] 100 targets: [all_connections] 101 mitigations: 102 - id: M-NET-004a 103 control: tls_minimum_version 104 implementation: tls_1_3_required 105 - id: M-NET-004b 106 control: hsts 107 implementation: strict_transport_security_header 108 109 NET-005: 110 name: Certificate Spoofing 111 domain: network 112 severity: critical 113 likelihood: low 114 actors: [external_attacker] 115 targets: [public_endpoints] 116 mitigations: 117 - id: M-NET-005a 118 control: certificate_pinning 119 implementation: critical_endpoints_only 120 - id: M-NET-005b 121 control: certificate_transparency 122 implementation: ct_log_monitoring 123 124 NET-006: 125 name: P2P Interception 126 domain: network 127 severity: high 128 likelihood: low 129 actors: [external_attacker] 130 targets: [validator_p2p] 131 mitigations: 132 - id: M-NET-006a 133 control: message_signing 134 implementation: ed25519_signatures 135 - id: M-NET-006b 136 control: peer_authentication 137 implementation: validator_identity_verification 138 139 NET-007: 140 name: Peer Isolation (Eclipse) 141 domain: network 142 severity: high 143 likelihood: low 144 actors: [external_attacker] 145 targets: [node_p2p_layer] 146 mitigations: 147 - id: M-NET-007a 148 control: peer_diversity 149 implementation: min_peers_distinct_asns 150 - id: M-NET-007b 151 control: outbound_preference 152 implementation: prefer_outbound_connections 153 154 NET-008: 155 name: Network Partition 156 domain: network 157 severity: critical 158 likelihood: low 159 actors: [external_attacker, malicious_validator] 160 targets: [validator_network] 161 mitigations: 162 - id: M-NET-008a 163 control: checkpoint_sync 164 implementation: regular_finality_checkpoints 165 - id: M-NET-008b 166 control: bootstrap_diversity 167 implementation: multiple_geographic_locations 168 169 # Consensus vectors 170 CON-001: 171 name: 51% Attack 172 domain: consensus 173 severity: critical 174 likelihood: very_low 175 actors: [malicious_validator] 176 targets: [block_production] 177 mitigations: 178 - id: M-CON-001a 179 control: bft_threshold 180 implementation: f_less_than_n_div_3 181 - id: M-CON-001b 182 control: stake_monitoring 183 implementation: concentration_alerts 184 185 CON-002: 186 name: Equivocation (Double Voting) 187 domain: consensus 188 severity: high 189 likelihood: low 190 actors: [malicious_validator] 191 targets: [block_finality] 192 mitigations: 193 - id: M-CON-002a 194 control: slashing 195 implementation: automatic_stake_penalty 196 - id: M-CON-002b 197 control: evidence_collection 198 implementation: proof_of_equivocation 199 200 CON-003: 201 name: Finality Delay 202 domain: consensus 203 severity: medium 204 likelihood: low 205 actors: [malicious_validator] 206 targets: [consensus_liveness] 207 mitigations: 208 - id: M-CON-003a 209 control: timeout_mechanisms 210 implementation: fallback_leader_election 211 - id: M-CON-003b 212 control: uptime_requirements 213 implementation: clp_95_percent_minimum 214 215 CON-004: 216 name: History Rewrite (Long-Range) 217 domain: consensus 218 severity: critical 219 likelihood: very_low 220 actors: [malicious_validator] 221 targets: [chain_history] 222 mitigations: 223 - id: M-CON-004a 224 control: checkpointing 225 implementation: regular_finality_snapshots 226 - id: M-CON-004b 227 control: weak_subjectivity 228 implementation: social_consensus_checkpoints 229 230 CON-005: 231 name: Nothing-at-Stake 232 domain: consensus 233 severity: high 234 likelihood: low 235 actors: [malicious_validator] 236 targets: [fork_resolution] 237 mitigations: 238 - id: M-CON-005a 239 control: slashing_conditions 240 implementation: multi_fork_validation_penalty 241 - id: M-CON-005b 242 control: finality_gadget 243 implementation: 3_block_finality 244 245 CON-006: 246 name: Stake Grinding 247 domain: consensus 248 severity: medium 249 likelihood: low 250 actors: [malicious_validator] 251 targets: [leader_selection] 252 mitigations: 253 - id: M-CON-006a 254 control: vrf_selection 255 implementation: unpredictable_leader_election 256 - id: M-CON-006b 257 control: commit_reveal 258 implementation: hidden_randomness 259 260 # Smart contract vectors 261 SC-001: 262 name: Reentrancy 263 domain: smart_contract 264 severity: critical 265 likelihood: medium 266 actors: [external_attacker] 267 targets: [contract_state] 268 mitigations: 269 - id: M-SC-001a 270 control: cei_pattern 271 implementation: checks_effects_interactions 272 - id: M-SC-001b 273 control: reentrancy_guard 274 implementation: mutex_locks 275 276 SC-002: 277 name: Integer Overflow 278 domain: smart_contract 279 severity: high 280 likelihood: low 281 actors: [external_attacker] 282 targets: [arithmetic_operations] 283 mitigations: 284 - id: M-SC-002a 285 control: safe_math 286 implementation: bounded_types_checked_arithmetic 287 - id: M-SC-002b 288 control: type_system 289 implementation: adl_compiler_enforcement 290 291 SC-003: 292 name: Access Control Bypass 293 domain: smart_contract 294 severity: critical 295 likelihood: medium 296 actors: [external_attacker] 297 targets: [privileged_functions] 298 mitigations: 299 - id: M-SC-003a 300 control: ownership_model 301 implementation: explicit_ownership_adl 302 - id: M-SC-003b 303 control: function_visibility 304 implementation: default_private 305 306 SC-004: 307 name: Oracle Manipulation 308 domain: smart_contract 309 severity: critical 310 likelihood: medium 311 actors: [external_attacker] 312 targets: [price_feeds] 313 mitigations: 314 - id: M-SC-004a 315 control: twap_oracles 316 implementation: time_weighted_average_prices 317 - id: M-SC-004b 318 control: multi_source 319 implementation: multiple_oracle_providers 320 321 SC-005: 322 name: Flash Loan Attack 323 domain: smart_contract 324 severity: high 325 likelihood: medium 326 actors: [external_attacker] 327 targets: [governance, price_oracles] 328 mitigations: 329 - id: M-SC-005a 330 control: timelock_requirements 331 implementation: delay_sensitive_operations 332 - id: M-SC-005b 333 control: snapshot_voting 334 implementation: historical_balance_governance 335 336 SC-006: 337 name: Frontrunning 338 domain: smart_contract 339 severity: medium 340 likelihood: high 341 actors: [external_attacker, malicious_validator] 342 targets: [dex_trades] 343 mitigations: 344 - id: M-SC-006a 345 control: private_transactions 346 implementation: zk_hidden_tx_details 347 - id: M-SC-006b 348 control: commit_reveal 349 implementation: two_phase_order_submission 350 351 # Infrastructure vectors 352 INF-001: 353 name: SSH Brute Force 354 domain: infrastructure 355 severity: high 356 likelihood: high 357 actors: [external_attacker] 358 targets: [server_access] 359 mitigations: 360 - id: M-INF-001a 361 control: key_only_auth 362 implementation: password_authentication_no 363 - id: M-INF-001b 364 control: fail2ban 365 implementation: 5_attempts_10min_ban 366 367 INF-002: 368 name: Privilege Escalation 369 domain: infrastructure 370 severity: critical 371 likelihood: low 372 actors: [external_attacker, compromised_user] 373 targets: [root_access] 374 mitigations: 375 - id: M-INF-002a 376 control: minimal_sudo 377 implementation: explicit_command_allowlist 378 - id: M-INF-002b 379 control: security_updates 380 implementation: unattended_upgrades 381 382 INF-003: 383 name: Credential Theft 384 domain: infrastructure 385 severity: critical 386 likelihood: medium 387 actors: [external_attacker, insider_threat] 388 targets: [api_keys, tls_certs] 389 mitigations: 390 - id: M-INF-003a 391 control: secrets_manager 392 implementation: hashicorp_vault 393 - id: M-INF-003b 394 control: key_rotation 395 implementation: quarterly_operational_keys 396 397 INF-004: 398 name: Dependency Poisoning 399 domain: infrastructure 400 severity: critical 401 likelihood: low 402 actors: [external_attacker, insider_threat] 403 targets: [build_pipeline] 404 mitigations: 405 - id: M-INF-004a 406 control: cargo_audit 407 implementation: weekly_ci_release_blocking 408 - id: M-INF-004b 409 control: dependency_pinning 410 implementation: cargo_lock_committed 411 412 INF-005: 413 name: Build Tampering 414 domain: infrastructure 415 severity: critical 416 likelihood: low 417 actors: [insider_threat] 418 targets: [ci_pipeline] 419 mitigations: 420 - id: M-INF-005a 421 control: reproducible_builds 422 implementation: deterministic_compilation 423 - id: M-INF-005b 424 control: build_isolation 425 implementation: ephemeral_ci_runners 426 427 INF-006: 428 name: Release Substitution 429 domain: infrastructure 430 severity: critical 431 likelihood: very_low 432 actors: [insider_threat] 433 targets: [release_artifacts] 434 mitigations: 435 - id: M-INF-006a 436 control: signed_releases 437 implementation: gpg_signatures 438 - id: M-INF-006b 439 control: hash_verification 440 implementation: sha256_checksums_published 441 442 # Cross-chain vectors 443 XC-001: 444 name: Message Forgery 445 domain: cross_chain 446 severity: critical 447 likelihood: low 448 actors: [external_attacker] 449 targets: [ipc_messages] 450 mitigations: 451 - id: M-XC-001a 452 control: internal_ipc 453 implementation: not_external_bridge 454 - id: M-XC-001b 455 control: attestation 456 implementation: validator_signed_messages 457 458 XC-002: 459 name: Replay Attack 460 domain: cross_chain 461 severity: high 462 likelihood: medium 463 actors: [external_attacker] 464 targets: [cross_chain_messages] 465 mitigations: 466 - id: M-XC-002a 467 control: nonce_tracking 468 implementation: unique_message_ids 469 - id: M-XC-002b 470 control: expiration 471 implementation: message_ttl_enforcement 472 473 XC-003: 474 name: Timing Attack 475 domain: cross_chain 476 severity: medium 477 likelihood: medium 478 actors: [external_attacker] 479 targets: [finality_gap] 480 mitigations: 481 - id: M-XC-003a 482 control: wait_for_finality 483 implementation: 3_block_confirmation 484 - id: M-XC-003b 485 control: atomic_operations 486 implementation: all_or_nothing_semantics 487 488 XC-004: 489 name: sAX Unbacked Mint 490 domain: cross_chain 491 severity: critical 492 likelihood: very_low 493 actors: [malicious_validator] 494 targets: [synthetic_ax] 495 mitigations: 496 - id: M-XC-004a 497 control: lock_verification 498 implementation: proof_of_ax_lock_required 499 - id: M-XC-004b 500 control: validator_attestation 501 implementation: multi_sig_confirmation 502 503 XC-005: 504 name: Double Unlock 505 domain: cross_chain 506 severity: critical 507 likelihood: very_low 508 actors: [external_attacker] 509 targets: [locked_ax] 510 mitigations: 511 - id: M-XC-005a 512 control: burn_before_unlock 513 implementation: sax_destroyed_first 514 - id: M-XC-005b 515 control: atomic_operations 516 implementation: lock_unlock_single_tx 517 518 XC-006: 519 name: Backing Discrepancy 520 domain: cross_chain 521 severity: high 522 likelihood: low 523 actors: [external_attacker, malicious_validator] 524 targets: [sax_backing] 525 mitigations: 526 - id: M-XC-006a 527 control: invariant_checks 528 implementation: continuous_balance_verification 529 - id: M-XC-006b 530 control: circuit_breaker 531 implementation: pause_on_discrepancy 532 533 # === SUMMARY STATISTICS === 534 summary: 535 total_vectors: 27 536 by_domain: 537 network: 8 538 consensus: 6 539 smart_contract: 6 540 infrastructure: 6 541 cross_chain: 6 542 by_severity: 543 critical: 13 544 high: 9 545 medium: 5 546 low: 0 547 total_mitigations: 54 548 549 # === CHANGELOG === 550 changelog: 551 - version: 1.0.0 552 date: 2026-01-08 553 type: initial 554 description: Initial threat matrix from S001 expansion