Actor-Based Threat Modeling

Actor-based threat modeling is a structured approach to identifying potential threats and vulnerabilities in smart contract systems by analyzing the interactions between different entities (actors) and the system.

The actor-based approach to threat modeling offers a more practical, human-centric perspective compared to other methods like STRIDE, data flow diagrams, or attack trees.

By focusing on the interactions between different actors (e.g., users, administrators, attackers), it better captures the dynamic nature of threats in decentralized systems like smart contracts. This approach allows for tailored mitigation strategies based on actor motivations, priorities risks more effectively, and provides a more comprehensive view of security by considering both technical and human factors. It is particularly well-suited for decentralized systems, where multiple actors, both on-chain and off-chain, interact with the system.

Key principles of Actor-Based Threat Modeling:

  1. Identify Actors Actors are entities that interact with the smart contract. They can be:

  • External Users: Individuals or entities initiating transactions (e.g., token holders, DAO members).

  • External Smart Contracts: Other contracts interacting with the system.

  • Off-chain Components: Systems like oracles or bridges.

  • Administrators: Privileged actors with elevated permissions.

  1. Define Actor Goals and Motivations Each actor interacts with the smart contract to achieve specific objectives:

  • Administrators might upgrade contracts or modify critical parameters.

  • Attackers aim to steal funds, disrupt operations, or exploit vulnerabilities for personal gain.

  1. Map Actor Interactions Document how each actor interacts with the smart contract:

  • Which functions they can call.

  • What permissions or access controls are in place.

  • How data flows between actors and the contract.

  1. Identify Threats and Vulnerabilities For each interaction, analyze potential threats:

  • External Users: Exploiting unchecked inputs, edge cases and/or lack of access control.

  • External Smart Contracts: Reentrancy attacks, broken composability.

  • Off-chain Components: Oracle manipulation, delayed data updates.

  • Administrators: Abuse of privileged roles, key compromise.

  1. Analyze the Impact and Likelihood of Each Threat Prioritize threats based on their potential impact and likelihood:

High Impact, High Likelihood: Must be addressed immediately.

High Impact, Low Likelihood: Require monitoring and mitigations.

Low Impact, High Likelihood: Address if they affect user experience or trust.

  1. Define and Implement Mitigations For each identified threat, propose and implement mitigations.

  2. Test and Iterate Continuously test the smart contract for these threats using:

  • Unit tests for specific vulnerabilities.

  • Fuzz testing for unexpected inputs.

  • Simulations for multi-actor scenarios (e.g., testing oracle failures)

PreviousDesign a Gradual Path Towards ImmutabilityNextPrinciple of Least Privilege

Last updated