Overview

The Webacy API categorizes smart contract threats into six primary categories, ranging from noteworthy characteristics to serious safety concerns.

Threat Categories

1. Rugpull

Abandoned projects or intentionally deceptive smart contracts designed to enable theft of funds.
Key Mechanisms:
Type     | Description
Drain    | Contracts that steal assets from hot wallets through reentrancy vulnerabilities
Honeypot | Contracts that promise asset transfers but execute rugpulls once funds accumulate
Associated Risk Tags:
  • Reentrancy variants (1, 3, 4)
  • Unchecked low-level calls
  • Looped calls (DoS potential)

2. Asset Value Attack

Manipulation tactics that cause sudden price changes for existing token holders.
Attack Types:
Type                | Description
Supply manipulation | Hidden minting functions or absent multi-signature controls
Price manipulation  | Flash loan attacks affecting asset valuations
Associated Risk Tags:
  • Reentrancy variants
  • Unchecked calls
  • Faulty calculations
  • Uninitialized variables
  • Hidden mint functions

3. Third-Party Dependency

Vulnerabilities from off-chain data feeds (oracles, pricing information) that aren’t properly decentralized. Risks:
  • Artificial buy/sell conditions
  • Price oracle manipulation
  • Single points of failure

4. Code Mutability

Upgradeable contracts that may introduce behavioral changes over time. Concerns:
  • Proxy patterns allowing logic replacement
  • Admin-controlled upgrades
  • Lack of timelock mechanisms

5. Backdoor

Administrative functions that can be misused to bypass security measures. Examples:
  • Hidden owner functions
  • Pausable transfers
  • Blacklist/whitelist manipulation
  • Emergency withdrawal functions

6. Combined Risks

Complex vulnerabilities combining multiple categories:
  • Low-level calls with shadowed implementations
  • Unauthorized administrator access
  • Nested proxy patterns

Using Threat Categories

When evaluating risk, consider:
  1. Severity - Rugpull and Asset Value Attack are highest severity
  2. Likelihood - Code Mutability and Backdoor are common but not always malicious
  3. Context - Third-Party Dependency risk varies by oracle quality
A minimal grouping of findings by severity, keyed on risk tags:

```javascript
// Groups scanner findings into severity buckets by their risk tag.
function categorizeRisk(issues) {
  // Rugpull mechanisms and hidden minting: highest severity
  const critical = issues.filter(i =>
    ['drain', 'honeypot', 'hidden_mint'].includes(i.tag)
  );

  // Exploitable code patterns and administrative backdoors: high severity
  const high = issues.filter(i =>
    ['reentrancy', 'unchecked_call', 'backdoor'].includes(i.tag)
  );

  return { critical, high };
}
```
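The grouping above can be extended to all six categories: the added example below (not Webacy's own code) maps each tag to its threat category, flags the Combined Risks pairings, and derives an overall severity from the guidance in this section. The tag identifiers, the Combined Risks pairings and the per-category severity ranks are assumptions, since the API's real tag names are not listed on this page.

```javascript
// Added example (not Webacy's code); tag identifiers below are assumed names.
const TAG_TO_CATEGORY = {
  drain: 'Rugpull', honeypot: 'Rugpull', reentrancy: 'Rugpull',
  unchecked_call: 'Rugpull', looped_call: 'Rugpull',
  hidden_mint: 'Asset Value Attack', faulty_calculation: 'Asset Value Attack',
  uninitialized_variable: 'Asset Value Attack',
  oracle_manipulation: 'Third-Party Dependency',
  single_point_of_failure: 'Third-Party Dependency',
  proxy_pattern: 'Code Mutability', admin_upgrade: 'Code Mutability',
  no_timelock: 'Code Mutability',
  hidden_owner_function: 'Backdoor', pausable_transfers: 'Backdoor',
  blacklist_control: 'Backdoor', emergency_withdraw: 'Backdoor',
};
// Severity per category per the "Using Threat Categories" guidance: Rugpull and
// Asset Value Attack highest; Backdoor and Code Mutability common but not always
// malicious; Third-Party Dependency context-dependent (ranked medium here).
const CATEGORY_SEVERITY = {
  'Rugpull': 'critical', 'Asset Value Attack': 'critical',
  'Combined Risks': 'critical', 'Backdoor': 'high',
  'Third-Party Dependency': 'medium', 'Code Mutability': 'medium',
};
const SEVERITY_RANK = { critical: 3, high: 2, medium: 1, info: 0 };
// Assumed tag pairings for two of the "Combined Risks" bullets.
const COMBINED_PAIRS = [
  ['unchecked_call', 'proxy_pattern'],        // low-level call, shadowed implementation
  ['admin_upgrade', 'hidden_owner_function'], // unauthorized administrator access
];

function assessContract(issues) {
  const byCategory = {};
  const unmapped = []; // unknown tags are reported, never silently dropped
  for (const { tag } of issues) {
    const category = TAG_TO_CATEGORY[tag];
    if (!category) { unmapped.push(tag); continue; }
    (byCategory[category] ??= []).push(tag);
  }
  const tags = new Set(issues.map(i => i.tag));
  const combined = COMBINED_PAIRS.filter(([a, b]) => tags.has(a) && tags.has(b))
    .map(pair => pair.join('+'));
  // More than one proxy finding is treated as a nested proxy pattern.
  if (issues.filter(i => i.tag === 'proxy_pattern').length > 1) combined.push('nested_proxy');
  if (combined.length) byCategory['Combined Risks'] = combined;
  let severity = 'info';
  for (const category of Object.keys(byCategory)) {
    const s = CATEGORY_SEVERITY[category];
    if (SEVERITY_RANK[s] > SEVERITY_RANK[severity]) severity = s;
  }
  return { severity, byCategory, unmapped };
}
```

Unmapped tags are returned rather than dropped so a new tag added to the API surfaces in review instead of silently lowering the score.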