Web3 attack vectors are the real-world patterns and failure modes attackers use to drain DeFi pools, hijack governance, and subvert protocol assumptions. This home page is your jumping-off point to explore how those exploits actually work before they show up in your own threat model.
Below is a catalogue of individual attack vectors. Click any item to open a dedicated page with: a clear explanation of the vector, real-world examples from incidents in the wild (including TX hashes where useful), and a concise checklist of what developers, auditors, and protocol architects should watch out for when designing, deploying, or upgrading smart contracts, bridges, NFTs, and wider Web3 infrastructure.
Reentrancy family
Reentrancy family covers reentry bugs that loop withdrawals, drain DeFi pools, and bypass accounting in vulnerable contracts.
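The pattern behind the whole family is a withdrawal that makes an external call before it records the withdrawal. The following Python model is an added example (not code from this site or any protocol it catalogues): the bank, attacker and amounts are constructed, and `on_receive` stands in for the fallback/receive function that an ETH transfer invokes on the recipient, which is where control is handed back to the attacker mid-withdrawal. The hardened version applies checks-effects-interactions.

```python
"""Reentrancy on a pooled-funds contract, modelled in Python instead of
Solidity so it runs anywhere.  Added example; the bank, attacker and amounts
are constructed for the demo.  `who.on_receive` stands in for the external
call (ETH transfer hitting a fallback/receive function) that hands control
to the caller mid-withdrawal."""


class Attacker:
    """Recipient whose receive hook re-enters the bank, like a malicious fallback()."""

    def __init__(self, bank):
        self.bank = bank
        self.received = 0

    def on_receive(self, amount):
        self.received += amount
        if self.bank.pool >= amount:      # keep re-entering while funds remain
            self.bank.withdraw(self)


class VulnerableBank:
    def __init__(self):
        self.balances = {}
        self.pool = 0        # ETH the contract holds (address(this).balance)

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        self.pool -= amount
        who.on_receive(amount)          # BUG: interaction before effect...
        self.balances[who] = 0          # ...so this runs only after the callee returns


class SafeBank(VulnerableBank):
    """Checks-effects-interactions: zero the balance before the external call."""

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0:
            return
        self.balances[who] = 0          # effect first
        self.pool -= amount
        who.on_receive(amount)          # interaction last; a re-entrant call sees 0


def run_attack(bank_cls, honest_deposit=10, attacker_deposit=1):
    """Honest user and attacker deposit; attacker withdraws once.
    Returns what the attacker ended up with and what is left in the pool."""
    bank = bank_cls()
    bank.deposit("honest_user", honest_deposit)
    attacker = Attacker(bank)
    bank.deposit(attacker, attacker_deposit)
    bank.withdraw(attacker)
    return {"attacker_got": attacker.received, "pool_left": bank.pool}


if __name__ == "__main__":
    print("vulnerable:", run_attack(VulnerableBank))   # attacker drains everything
    print("safe:      ", run_attack(SafeBank))         # attacker gets only its own deposit
```

On a real chain the recursion is bounded by gas rather than by the pool balance, but the outcome is the same: the attacker's balance still reads as unspent on every re-entry. Ordering state updates before the call is the structural fix; a reentrancy guard (mutex) is the belt-and-braces addition, and cross-function or cross-contract variants of the family are exactly the cases where the guard alone is not enough.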
MEV / transaction-order abuse
MEV / transaction-order abuse explains front-running, back-running and sandwich trades, and the hidden value they extract from DeFi users whose transactions can be reordered or bracketed before inclusion.
Flash-loan & governance / price attacks
Flash-loan & governance / price attacks show how capital borrowed and repaid within a single transaction can distort prices, votes, and collateral valuations, breaking protocol assumptions that only hold when capital is expensive to acquire.
Oracle & exchange-rate manipulation
Oracle & exchange-rate manipulation covers compromised feeds, spoofed trades, and liquidity pools attackers weaponise to misprice assets.
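The MEV, flash-loan and oracle entries above all come down to the same mechanics: a constant-product pool whose price moves with every trade, and an attacker who can choose where their trades sit relative to a victim's or an oracle read. The following Python model is an added example (not code from this site or any protocol it catalogues); the pool, fee and trade sizes are constructed, and it shows both a sandwich of a victim swap with no slippage limit and a single-transaction manipulation of a reserve-derived spot price of the kind flash loans make cheap.

```python
"""Constant-product AMM model used to show two order-/price-based attacks:
a sandwich (front-run, victim trade, back-run) and a single-transaction
spot-price manipulation of the kind flash loans make cheap.  Added example
in Python; reserves, fee and trade sizes are constructed for the demo."""


class ConstantProductPool:
    """x * y = k pool with a swap fee, integer arithmetic like the EVM."""

    def __init__(self, reserve_x, reserve_y, fee_bps=30):
        self.x = reserve_x      # token X in its base units (18 decimals here)
        self.y = reserve_y      # token Y in its base units (6 decimals here)
        self.fee_bps = fee_bps

    def spot_price(self):
        """Y per X derived from reserves -- what a naive on-chain oracle reads."""
        return (self.y / 10**6) / (self.x / 10**18)

    def swap_x_for_y(self, dx):
        dx_eff = dx * (10_000 - self.fee_bps) // 10_000
        dy = self.y * dx_eff // (self.x + dx_eff)
        self.x += dx
        self.y -= dy
        return dy

    def swap_y_for_x(self, dy):
        dy_eff = dy * (10_000 - self.fee_bps) // 10_000
        dx = self.x * dy_eff // (self.y + dy_eff)
        self.y += dy
        self.x -= dx
        return dx


def fresh_pool():
    # 1,000 X against 2,000,000 Y: spot price 2,000 Y per X (constructed).
    return ConstantProductPool(1_000 * 10**18, 2_000_000 * 10**6)


def sandwich(pool, victim_dx, frontrun_dx):
    """Attacker brackets the victim's X->Y swap (victim set no slippage limit).
    Returns (attacker net X profit, Y the victim actually received)."""
    y_got = pool.swap_x_for_y(frontrun_dx)      # 1. front-run: move price against victim
    victim_y = pool.swap_x_for_y(victim_dx)     # 2. victim fills at the worse price
    x_back = pool.swap_y_for_x(y_got)           # 3. back-run: sell Y into the pushed price
    return x_back - frontrun_dx, victim_y


def spot_price_manipulation(pool, flash_dx):
    """Swap flash-loaned X in, read the 'oracle', swap back: all in one tx.
    Returns the spot price before, during and after the manipulation."""
    before = pool.spot_price()
    y_got = pool.swap_x_for_y(flash_dx)
    during = pool.spot_price()      # any contract pricing X from reserves now sees this
    pool.swap_y_for_x(y_got)        # unwind; the attacker only pays two swap fees
    after = pool.spot_price()
    return before, during, after


if __name__ == "__main__":
    profit, victim_y = sandwich(fresh_pool(), 100 * 10**18, 50 * 10**18)
    clean_y = fresh_pool().swap_x_for_y(100 * 10**18)
    print(f"sandwich profit: {profit / 10**18:.2f} X; victim got {victim_y / 10**6:,.0f} Y "
          f"instead of {clean_y / 10**6:,.0f} Y")
    print("spot price before/during/after flash swap:",
          spot_price_manipulation(fresh_pool(), 500 * 10**18))
```

The sandwich is profitable here only because the victim accepted any output amount; a tight minimum-output (slippage) bound makes step 2 revert. The spot-price case is the oracle lesson: the reserve-derived price is wrong only inside the attacker's transaction and is back within a fraction of a percent afterwards, which is why a time-weighted average over past blocks, or an external feed, is the check a practitioner wants instead of a live reserve read.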
Cross-chain bridges & cross-chain logic
Cross-chain bridges & cross-chain logic highlights messaging bugs, replay issues, and assumptions that let attackers drain assets.
Integer math & rounding
Integer math & rounding explores overflows, underflows, division quirks, and precision loss breaking balances and fee calculations.
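Precision loss is most dangerous where a rounded-down quotient decides how much of a pool someone owns. The following Python model is an added example (not code from this site or any vault it catalogues) of the first-depositor share-inflation attack on ERC-4626-style accounting, with the virtual-offset mitigation popularised by OpenZeppelin's 4.9 implementation beside it; all amounts are constructed.

```python
"""Share-price rounding in a deposit vault: the first-depositor 'inflation'
attack and the virtual-offset mitigation.  Added example in Python modelling
ERC-4626-style accounting; all amounts are constructed for the demo."""


class NaiveVault:
    """shares = assets * total_shares / total_assets, rounded down."""

    def __init__(self):
        self.total_assets = 0
        self.total_shares = 0
        self.shares = {}

    def _to_shares(self, assets):
        if self.total_shares == 0:
            return assets                 # first depositor fixes the share price
        return assets * self.total_shares // self.total_assets

    def _to_assets(self, shares):
        if self.total_shares == 0:
            return 0
        return shares * self.total_assets // self.total_shares

    def deposit(self, who, assets):
        minted = self._to_shares(assets)
        self.total_assets += assets
        self.total_shares += minted
        self.shares[who] = self.shares.get(who, 0) + minted
        return minted

    def donate(self, assets):
        """Plain token transfer into the vault: assets rise, no shares minted."""
        self.total_assets += assets

    def redeem(self, who):
        burned = self.shares.pop(who, 0)
        assets = self._to_assets(burned)
        self.total_assets -= assets
        self.total_shares -= burned
        return assets


class HardenedVault(NaiveVault):
    """Virtual shares/assets offset (the OpenZeppelin ERC-4626 v4.9 approach):
    conversions behave as if 10**OFFSET shares and 1 asset unit always exist,
    so a donation is mostly absorbed by the virtual shares."""

    OFFSET = 3

    def _to_shares(self, assets):
        return assets * (self.total_shares + 10**self.OFFSET) // (self.total_assets + 1)

    def _to_assets(self, shares):
        return shares * (self.total_assets + 1) // (self.total_shares + 10**self.OFFSET)


def run_inflation_attack(vault_cls, victim_deposit=10_000 * 10**18):
    """Attacker: deposit 1 wei, donate as much as the victim will deposit,
    let the victim deposit, then redeem.  Returns the outcome for both."""
    vault = vault_cls()
    attacker_cost = 1 + victim_deposit
    vault.deposit("attacker", 1)
    vault.donate(victim_deposit)                      # inflate price per share
    victim_shares = vault.deposit("victim", victim_deposit)
    victim_out = vault.redeem("victim")
    attacker_out = vault.redeem("attacker")
    return {
        "victim_shares": victim_shares,
        "victim_out": victim_out,
        "attacker_profit": attacker_out - attacker_cost,
    }


if __name__ == "__main__":
    print("naive:   ", run_inflation_attack(NaiveVault))     # victim gets 0 shares
    print("hardened:", run_inflation_attack(HardenedVault))  # attacker loses money
```

In the naive vault the victim's `assets * 1 // (donation + 1)` rounds to zero shares and the attacker's single share redeems for the whole pool. With the offset the attacker still inflates the price, but the virtual shares hold a proportional claim on the donation, so the attack costs the attacker far more than it takes from the victim. The general checks an auditor wants here: does every division round in the protocol's favour, can `total_assets` be moved by a transfer that mints nothing, and is there a minimum first deposit or dead-share burn.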
Denial of service & gas limits
Denial of service & gas limits examines griefing, unbounded loops, gas bombs, and patterns that freeze contracts.
Proxies, storage & metamorphic contracts
Proxies, storage & metamorphic contracts covers upgrade bugs, storage collisions, and metamorphic tricks used to hijack implementations.
Signatures, replay, ECDSA quirks
Signatures, replay, ECDSA quirks documents signature malleability, missing or mis-built domain separation, omitted chain ids, and the replay attacks they enable, each of which lets a signature authorise an on-chain operation its signer never intended.
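Two of these quirks are small enough to reproduce end to end. The following is an added example (not code from this site or any library it catalogues): a minimal pure-Python secp256k1 ECDSA, used first to show that `(r, n - s)` verifies just as well as `(r, s)` and that a low-s rule rejects exactly one of the pair, and then to show that a signature over a digest whose domain omits the chain id verifies unchanged on another chain. The contract name, nonce and payload in the digest are constructed, and the nonce derivation is a simplified stand-in for RFC 6979, not something to reuse.

```python
"""ECDSA signature malleability and chain-id (domain) replay, shown with a
minimal pure-Python secp256k1 so it runs offline.  Added example; the curve
arithmetic is textbook affine ECDSA, not a production library, and the
contract name, nonce and payload are constructed for the demo."""
import hashlib

# secp256k1 domain parameters (the curve used by Ethereum and Bitcoin).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p, q):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P       # chord
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, p):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1:
            r = _add(r, p)
        p = _add(p, p)
        k >>= 1
    return r


def digest(chain_id, contract, nonce, payload, include_chain_id=True):
    """Toy EIP-712-style domain-separated message hash (constructed).
    Leaving the chain id out of the domain is the replay mistake shown below."""
    domain = f"{contract}:{nonce}:" + (f"{chain_id}:" if include_chain_id else "")
    return int.from_bytes(hashlib.sha256((domain + payload).encode()).digest(), "big")


def sign(priv, z):
    # Deterministic nonce from key and digest so runs are reproducible; this is a
    # simplified stand-in for RFC 6979, not a production nonce scheme.
    k = int.from_bytes(hashlib.sha256(priv.to_bytes(32, "big") + z.to_bytes(32, "big")).digest(), "big") % N or 1
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * priv) % N
    return r, s


def verify(pub, z, sig, require_low_s=False):
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    if require_low_s and s > N // 2:
        return False        # reject the high-s twin (EIP-2 / OpenZeppelin ECDSA rule)
    w = pow(s, -1, N)
    pt = _add(_mul(z * w % N, G), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def malleate(sig):
    """The second valid signature for the same digest and key: (r, N - s)."""
    r, s = sig
    return r, N - s


def check_malleability(priv=0xC0FFEE):
    """Returns (original verifies, twin verifies, how many pass a low-s check)."""
    pub = _mul(priv, G)
    z = digest(1, "0xHypotheticalVault", 7, "withdraw 100")
    sig = sign(priv, z)
    twin = malleate(sig)
    low_s_ok = sum(verify(pub, z, x, require_low_s=True) for x in (sig, twin))
    return verify(pub, z, sig), verify(pub, z, twin), low_s_ok


def check_replay(priv=0xC0FFEE):
    """Sign for chain 1; test the signature against the chain 56 digest,
    first with the chain id in the domain, then without it."""
    pub = _mul(priv, G)
    args = ("0xHypotheticalVault", 7, "withdraw 100")
    sig = sign(priv, digest(1, *args))
    replays_with_domain = verify(pub, digest(56, *args), sig)
    sig_no_domain = sign(priv, digest(1, *args, include_chain_id=False))
    replays_without_domain = verify(pub, digest(56, *args, include_chain_id=False), sig_no_domain)
    return replays_with_domain, replays_without_domain
```

Malleability matters on-chain wherever a contract keys "already used" state on the signature bytes rather than on a nonce: the twin is a fresh key in that mapping but authorises the same action. The replay case is the reason EIP-712 puts `chainId` and `verifyingContract` in the domain separator; the check to look for in review is that the contract hashes both into every digest it verifies and increments a per-signer nonce.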
Stablecoins & peg breaks
Stablecoins & peg breaks analyses collateral failures, liquidity shocks, governance errors, and design flaws pushing assets off-peg.
Human-layer / social vectors
Human-layer / social vectors tracks phishing, fake support, insider collusion, leaked keys, and front-end compromises bypassing contracts.
Business logic & access-control
Business logic & access-control focuses on missing checks, unsafe role assignments, flawed incentives, and upgrade paths that turn intended features into exploits.
Time, randomness & deprecated patterns
Time, randomness & deprecated patterns highlights timestamp manipulation, entropy that miners or validators can influence (block hashes, timestamps), other weak randomness sources, and legacy patterns attackers still exploit.