Adversarial Cheatsheet
Expect things to break on Kusama. To help you break some things, take a look at the following threat model.
| Hacker wants to … | Security promise that should prevent the hack | Hacking Incentive | Hacking Damage | Hacking value details |
|---|---|---|---|---|
| Double spend tokens via getting the clients to accept a different chain | Integrity (System-wide) | High | High | If attackers are able to double spend tokens, they are able to get services without paying for them. This gives them a high monetary incentive to execute the attack. |
| Cause system to mint tokens to his own account | Integrity (System-wide) | Medium | Low - Medium | If an attacker is able to craft transactions that mint tokens to their account, then this provides a high monetary incentive to execute this attack. |
| Validate malicious blocks to double spend tokens | Availability (System-wide) | High | Medium | If an attacker is able to double spend tokens, they are able to get services without paying for them. This gives them a high monetary incentive to execute the attack. |
| Undermine consensus mechanism to split chain | Integrity (System-wide) | High | High | "If an attacker is able to double spend tokens, they are able to get services without paying for them. This gives them a high monetary incentive to execute the attack. Betting on decrease in value of the cryptocurrency or competitors want to damage the reputation, so that the value of their blockchain increases. |
| Tamper/manipulate blockchain history to invalidate transactions (e.g. a voting result) | Integrity (System-wide) | Medium | Medium - High | Attacker can rollback undesired transactions by intentionally invalidating the block where transaction has happened. Attacker can force a governance decision (or even an on-chain update) that favors them. |
| Undermine blockchain or consensus mechanism to damage the ecosystem's reputation | Availability (System-wide) | High | High | Betting on decrease in value of the cryptocurrency or competitors want to damage the reputation, so that the value of their blockchain increases |
| Censorship | Availability (System-wide) | Medium | High | Hackers are able to block undesirable types of transactions (e.g. industry competitor transactions or referendum votes). This could be achieved by colluding with other stakeholders or by otherwise obtaining more voting power. |
| Deanonymize users | Confidentiality (Node) | Medium | Medium | Parties that want to de-anonymize users can use the information to oppress the opposition (e.g. political activists). |
| Steal token from node | Integrity (Node) | High | High | Attackers that are able to steal tokens from nodes can claim assets for themselves, which gives them a high monetary incentive to execute the attack. |
| Steal token from node by leaking credentials | Confidentiality (Node) | High | High | Attackers that are able to steal tokens from nodes can claim assets for themselves, which gives them a high monetary incentive to execute the attack. |
| Prevent node from accessing the Polkadot network | Availability (Node) | Low | Low - Medium | Run a targeted denial-of-service attack out of revenge, monetary interests (in case of a competing coin exchange, etc.). |
| Defraud other participants | Integrity (Node) | Medium | Low - Medium | Attacker can abuse other participants’ misunderstanding of Polkadot's security guarantees to defraud them. Also, if the reward for calling out bad behavior can be set up so that it is higher than the according punishment, a set of self-handled nodes can be set up to generate a source cycle. Other participants are not needed for this attack. |
| Defraud other participants | Integrity (System-wide) | High | High | An attacker could abuse bugs in Polkadot's economic system to defraud other participants. For example, an attacker could exploit a logic bug to not pay transaction fees. |