Beyond the Basics: Blockchain Security and Threat Modeling

The Octave Threat Model

The Square Threat Model

The Stride Threat Model

The PASTA Threat Model

Linddun and Atlas Threat Modeling

NIST Blockchain Models

Example: Using STRIDE to threat model an EVM

Using STRIDE in a Smart Contract

Using PASTA in an EVM

Using PASTA in a Smart Contract

Using NIST Framework in a Smart Contract

Its OK to combine Threat Models

Section Quiz

Legacy Attacks

Baking in security from Day 1

Economic Attacks in Consensus Systems

Long Range Attacks

Restaking

Emerging threats in Blockchain Security

Finality Reversion

Fork Choice Rule

Section Quiz

Modern Blockchain Attack Vectors

Overview of Blockchain Layers

Blockchain Layers and Functions

PoS Attack Surfaces

Censorship and Compliance Attacks

Mempool Attacks

MEV Attacks

Oracle and Data Integrity Attacks

Restaking and Economic Attacks

Shared Security and Consensus Abstraction

Relay Builder and Centralization Attacks

Blockchain Based Malware

Click Fix and Clear Fake

Ether Hiding

Persistence Attacks

OpCodes for Blockchain Security Analysts

EVM OpCodes for Blockchain Security Analysts

Blockchain OpCode Case Study

Malware C&C in OpCodes

Cross Chain Bridge Attacks

Core Network Attacks

What does Quantum Computing change?

Fun networking Lab

AI Is transforming Blockchain Security

Section 3 Quiz

Security Requirements Engineering

NIST Blockchain

NIST Framework for Smart Contracts

Threat Modeling Solidity Best Practices

Secure Application Architecture

Solidity Programming Structures

Overview of Token Standards

TokenStandards

Types of Distributed Applications (dApps)

Working with Public API's

Working with Private API's

Example Overflows

Example Signature Replay

OpCodes

Delegate Call Storage Initialization

ERC 20 and Fake Tokens

ERC 777 Security Concerns for DeFi

The "onlyOwner" problem

Economic Soundness Audits

Technical Soundness Audits

Section 4 Quiz

Advanced Oracle Manipulation

AMM Liquidity Manipulation

What is Uniswap?

Uniswap Version 2 Overview

Uniswap Version 3 overview

Cross Protocol Contagion

Delegated Token Economic Failure

Delegated Token Case Study

Economic Griefing

Economic Griefing Case Study

Flash Loan Attacks

Flash Loan Case Study

Governance Exploits

Incentive and Game Theory Failures

Mempool Bots and Economic Attacks

MEV Sandwich Attacks

MEV Sandwich attack Case Study

MEV Defense and Mitigation

MEV Mitigation Implementation

Stable Coins Failures

Stable Coin Case Study

Ghost Chains as an Attack Surface

Ghost Chain case study

Fun Opcode Project to do

Section Quiz

Why Bridges Break

Why Bridges keep on Breaking

Bridge Case Study Wormhole Bridge

Bridge Message Attack

BNB Chain Reorg Case Study

Bridge Monitoring and Observability

Bridge Timing and Finality

Cross Domain MEV

Interop Stack

Interop Trust

l2 Bridge Architecture

l2 Token Account Failure

Nomad Case Study

Optimistic Rollup Bridge

Shared Sequencer

zkRollupBridge

Section Quiz

The Visibility Paradox

Immutable Liability and Shadow Copies

Input Data Integrity and Delayed Disclosure

Off-Chain Storage and Pinning (IPCS, Arweave and Cloud Backends)

RPC Infrastructure

The Indexing layer and API Consistency

CI/CD, Dependency Chains, and Supply Chain Attacks

Cross-Chain bridges and Off-Chain Operator Risk

Calldata vs Blobs vs L2 Batch Posts

Frontend Fortification

Signature Hygiene and Transaction Trust

User-Side Infrastructure Security

Dangerous Browser Extensions

zk Off-Chain Ecosystem

RWA Token Security for Real World Assets

RWA Case Study

AI in Off-Chain Blockchain Operations

Unified Threat Model

Hybrid Trust Risk

Metadata Off-Chain Store

Section Quiz

DevSecOps and a Culture of Security

Defensive Threat Modeling

Threat Model Audit Workflow

UPbit Circuit Breaker Case Study

Case Study Nation State - Lazarus Group

Avoiding Single Points of Failure (SPoF)

The Process of Upgrade Security

Data Protection

On-Off Chain Data Protection

Multi-Signature Attacks

Multi-Signature Defense

Security Gates

Run Time Monitoring

Using the SDLC in dApps

SDLC - Secrets And Keys

DAO Key Rotation Best Practices

DAO Admin Key Rotation Case Study

Using RBAC in Smart Contracts

Web3 CI/CD Pipeline

Section Quiz

Why AI is Part of Blockchain Security

How AI Changes Traditional Security Models

What is An AI Agent?

AI Tool Chains in Blockchain

New Trust Boundaries introduced by AI

Inputs and Prompt Attack Vectors

Output and Execution Vulnerabilities

Tooling Level Vulnerabilities

Agent Persistence and Scheduling

Reinforcement Learning Bots

AI Driven MEV Strategies

AI Augmented Arbitrage

Risks of over reliance on AI trading bots

LLM Assisted Development Pitfalls

Detecting AI Generated Malicous Code

Multi-Model Verification

AI and Oracles

RPC and Wallet Infrastructure

Wallet and AI products on the market

Cloud and Hybrid Infrastructure

Adversarial Nation State Activity

Autonomous Exploit Pipelines

Multi-Agent coordinated attacks

Defensive AI Security

Hardening AI Agents

AI Secure By Design

AI Bottle Necks

EVM Bench and other AI automation tools

AI Case Study Lazarus

AI Threat Matrix

Case Study AII Generated Vault Exploit (theory)

Output Execution Side Vulnerabilities

World Models

Section Quiz

The Future of Fraud, Regulation and Forensics

The Future of OFAC Sanctions and Crypto

Future Regulatory Expectations

Future SEC Engagement with Blockchain

SEC Enforcement Overview

SEC Case Studies

Ethereum Planned Upgrades

How those planned upgrades change security

Nation State Concerns

World Models

Future trap and trace issues

Section Quiz

Final Exam Open Book Open Note