Skip to main content

Overview

The Webacy API categorizes smart contract threats into six primary categories, ranging from noteworthy characteristics to serious safety concerns.

Threat Categories

1. Rugpull

Abandoned projects or intentionally deceptive smart contracts designed to enable theft of funds. Key Mechanisms: Associated Risk Tags:
  • Reentrancy variants (1, 3, 4)
  • Unchecked low-level calls
  • Looped calls (DoS potential)

2. Asset Value Attack

Manipulation tactics that cause sudden price changes for existing token holders. Attack Types: Associated Risk Tags:
  • Reentrancy variants
  • Unchecked calls
  • Faulty calculations
  • Uninitialized variables
  • Hidden mint functions

3. Third-Party Dependency

Vulnerabilities from off-chain data feeds (oracles, pricing information) that aren’t properly decentralized. Risks:
  • Artificial buy/sell conditions
  • Price oracle manipulation
  • Single points of failure

4. Code Mutability

Upgradeable contracts that may introduce behavioral changes over time. Concerns:
  • Proxy patterns allowing logic replacement
  • Admin-controlled upgrades
  • Lack of timelock mechanisms

5. Backdoor

Administrative functions that can be misused to bypass security measures. Examples:
  • Hidden owner functions
  • Pausable transfers
  • Blacklist/whitelist manipulation
  • Emergency withdrawal functions

6. Combined Risks

Complex vulnerabilities combining multiple categories:
  • Low-level calls with shadowed implementations
  • Unauthorized administrator access
  • Nested proxy patterns

Using Threat Categories

When evaluating risk, consider:
  1. Severity - Rugpull and Asset Value Attack are highest severity
  2. Likelihood - Code Mutability and Backdoor are common but not always malicious
  3. Context - Third-Party Dependency risk varies by oracle quality