Jul 10, 2025
Threat modeling for Web3
What is Threat Modeling?
Threat modeling is the process of identifying points in a protocol where a breach could lead to significant losses. The process itself is not aimed at identifying vulnerabilities, but rather at highlighting critical areas. The result of the threat modeling process is a document containing a description of the findings and their prioritization. This document is then used either to update the protocol architecture, if threat modeling is performed at an early stage of development, or as a guide for auditors to focus their efforts on the specified areas. It is part of the Web3 Protocol Security Roadmap.
Understanding the System
The most important prerequisite for effective threat modeling is a complete understanding of the protocol's logic by the team conducting the procedure.
A deep understanding of the principles underlying the protocol, and of how they are implemented in practice, is necessary for a comprehensive understanding of HOW the system functions.
Involving various team members in the threat modeling process brings in different perspectives on how the protocol works and what it is meant to do.
Involving the Entire Team in the Process
In addition to adding context from different team members, the practice of involving participants from various departments allows for a look at possible attack vectors from different points of view. For example, representatives from the financial department may see potential threats in different places than those that concern the user support department. The threat modeling process leader should encourage alternative views on system characteristics.
Who Conducts Threat Modeling
The threat modeling procedure should be led by a person with a deep understanding of decentralized application security. This role can be performed by an in-house specialist if they possess the relevant competencies.
In most cases, however, it is recommended to hire an external expert with sufficient experience in conducting threat modeling. An external expert will help accelerate the procedure due to accumulated experience in conducting threat modeling for other clients.
At What Stage is Threat Modeling Conducted?
Threat modeling can be conducted at different stages of protocol development.
A comprehensive approach to protocol security should include the threat modeling procedure both at an early stage of project development and at the stage of completing the codebase development. These two procedures complement each other in striving to provide the maximum possible protection for the protocol against threats.
Threat Modeling for Protocol Design Improvement
At an early stage, before code writing begins, threat modeling aims to identify weaknesses in the protocol's architecture and assess the viability of the business logic. Early-stage threat modeling is useful because discovered shortcomings can be immediately used to revise the protocol's architecture, which creates a short feedback loop and positively impacts the speed of project development.
Threat Modeling as a Preliminary Stage of Security Audit
Threat modeling in the final stages of writing the protocol code aims to find places for potential attacks by malicious actors. The document obtained as a result of such modeling is of great importance for the subsequent security audit of the codebase. Clearly defined and prioritized attack vectors allow auditors to concentrate their attention on the most important areas. Vulnerabilities found in such places will have the highest level of criticality.
Methodology
Understanding the System
So that all participants in the process understand the system, it is decomposed and visualized. Diagrams and sketches represent data flows and define key system components, processes, data stores, external dependencies, and the trust boundaries between system elements.
Understanding Threat Actors
To understand potential threats, it is necessary to build a picture of the entities interacting with the system and their incentives: financially motivated attackers, MEV bots, insiders, competitors, and others.
Defining Attack Vectors
In the process of identifying threats, it is necessary to model and evaluate various attack options for each identified component.
Prioritization of Findings
Identified threats and attack vectors should be assessed by the severity of the possible consequences, their likelihood, the effort required of the attacker, and the actions required to prevent or mitigate the damage.
Resulting Document
The resulting document is used depending on the stage at which threat modeling was conducted. At an early stage of protocol development, discovered vulnerabilities should be used in the process of revising the protocol's architecture to reduce the number and severity of threats. At the stage of completing codebase development, this document is used to direct the attention of security auditors during the audit or penetration testing phases.
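The methodology above can be kept as a small "threat model as code" register, so that the decomposition, the actors, the per-component vectors and the prioritization all live in one reviewable artifact. The following is an added example, not code from the original article or from any real protocol: the lending-protocol components, trust zones, actors, threats and all scores are constructed for illustration, and the scoring rule (impact x likelihood x inverse attacker effort) is an assumption, not a standard.

```python
"""Threat-model register for a hypothetical DeFi lending protocol.

Added example; every component, flow, actor, threat and score here is
constructed for illustration. The priority formula is an assumed rule.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Component:
    name: str
    trust_zone: str  # constructed zones: "protocol", "governance", "external"


@dataclass(frozen=True)
class DataFlow:
    source: str
    target: str
    payload: str


@dataclass(frozen=True)
class Threat:
    component: str
    actor: str
    vector: str
    impact: int           # 1..5, severity of the consequences
    likelihood: int       # 1..5
    attacker_effort: int  # 1..5, 5 = hardest for the attacker
    mitigation: str

    def priority(self) -> int:
        """Assumed scoring rule: severe, likely, cheap-to-execute threats rank first."""
        for score in (self.impact, self.likelihood, self.attacker_effort):
            if not 1 <= score <= 5:
                raise ValueError("scores must be in the range 1..5")
        return self.impact * self.likelihood * (6 - self.attacker_effort)


def trust_boundary_crossings(components: List[Component], flows: List[DataFlow]) -> List[DataFlow]:
    """Flows whose endpoints sit in different trust zones: the places to model vectors for."""
    zone: Dict[str, str] = {c.name: c.trust_zone for c in components}
    return [f for f in flows if zone[f.source] != zone[f.target]]


def prioritized(threats: List[Threat]) -> List[Threat]:
    """Highest priority first; this ordering is what the resulting document hands to auditors."""
    return sorted(threats, key=lambda t: t.priority(), reverse=True)


def render(threats: List[Threat]) -> str:
    """Plain-text rendering of the prioritized register."""
    lines = []
    for rank, t in enumerate(prioritized(threats), start=1):
        lines.append(f"{rank}. [{t.priority():>3}] {t.component} <- {t.actor}: {t.vector}")
        lines.append(f"     mitigation: {t.mitigation}")
    return "\n".join(lines)


# Constructed sample decomposition (step 1: understanding the system)
COMPONENTS = [
    Component("LendingPool", "protocol"),
    Component("PriceOracle", "external"),
    Component("Timelock", "governance"),
    Component("Frontend", "external"),
]
FLOWS = [
    DataFlow("PriceOracle", "LendingPool", "asset price"),
    DataFlow("Timelock", "LendingPool", "parameter update"),
    DataFlow("Frontend", "LendingPool", "user transaction"),
    DataFlow("LendingPool", "LendingPool", "interest accrual"),  # same zone, no crossing
]

# Constructed threats (steps 2-4: actors, vectors per component, scoring)
THREATS = [
    Threat("PriceOracle", "financially motivated attacker",
           "stale or manipulated price feed used for collateral valuation",
           impact=5, likelihood=3, attacker_effort=3,
           mitigation="time-weighted prices, per-update deviation bounds, pause on anomaly"),
    Threat("Timelock", "insider",
           "privileged parameter change queued without independent review",
           impact=5, likelihood=2, attacker_effort=4,
           mitigation="multisig plus delay, monitoring of queued governance actions"),
    Threat("LendingPool", "MEV bot",
           "liquidation ordering extracts value from borrowers",
           impact=2, likelihood=4, attacker_effort=1,
           mitigation="capped liquidation bonus, partial liquidations"),
    Threat("Frontend", "competitor",
           "cloned interface pointing users at a different contract",
           impact=3, likelihood=3, attacker_effort=2,
           mitigation="domain monitoring, signed releases, contract address shown in-app"),
]

if __name__ == "__main__":
    for flow in trust_boundary_crossings(COMPONENTS, FLOWS):
        print(f"boundary crossing: {flow.source} -> {flow.target} ({flow.payload})")
    print(render(THREATS))
```

Running the module lists the three flows that cross a trust boundary (every flow into LendingPool from the external or governance zones) and then the register ordered by priority, which for these constructed scores puts the oracle threat first and the governance threat last. The point of the structure is the review discipline it imposes: every threat names a component from the decomposition, an actor from the actor list and a mitigation, so a gap in any of the four methodology steps shows up as a missing field rather than as a forgotten risk.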