Purpose: Comprehensive knowledge base of security threats and test coverage
Last Updated: February 21, 2026
Status: Production Ready
This documentation serves as both a security knowledge base and test reference guide for the Bloxchain Protocol. It consolidates attack vector analysis, security mitigations, and comprehensive test documentation into an organized, expandable structure.
Purpose: Knowledge library of security threats relevant to this project
A comprehensive catalog of attack vectors organized by category, including:
- Attack descriptions with detailed scenarios
- Current protections and mitigations
- Severity classifications (Critical, High, Medium, Low)
- Code locations where protections are implemented
- Verification requirements for each vector
Categories Covered:
- Access Control & Authorization
- Meta-Transaction Security
- State Machine & Transaction Lifecycle
- Reentrancy Attacks
- Input Validation & Data Manipulation
- Payment & Economic Security
- Composite & Multi-Vector Attacks
- Cryptographic & Signature Attacks
- Time-Based Attacks
- Role Management
How to Use:
- For Security Audits: Reference specific attack vectors and verify protections
- For Development: Understand security requirements when adding features
- For Testing: Identify test coverage gaps and required test scenarios
- For Learning: Study attack patterns and mitigation strategies
Purpose: Complete documentation of all existing tests
A comprehensive reference of all test functions with:
- Test descriptions and purposes
- Attack vectors covered by each test
- Test file organization and structure
- Execution instructions and patterns
- Test status and coverage metrics
Test Categories:
- Comprehensive Fuzz Tests (148 tests in 14 files, out of 309 tests across 37 suites in the full run)
- Unit Tests
- Integration Tests
- Security Tests
- Invariant Tests
How to Use:
- For Test Execution: Understand what each test verifies
- For Test Maintenance: Know which tests cover which attack vectors
- For Test Development: Identify gaps and required new tests
- For Coverage Analysis: Map tests to attack vectors
Protocol-vulnerabilities-index-derived vectors are documented in the Codex: see §18 Protocol-Vulnerabilities-Index-Derived Vectors.
Purpose: Complete guide for running the test suite
A practical guide for executing tests with:
- Quick start commands for common scenarios
- Detailed command reference for Foundry test options
- Execution strategies for different testing phases
- Troubleshooting common issues
- CI/CD configuration examples
How to Use:
- For Running Tests: Follow execution commands and strategies
- For CI/CD Setup: Use provided configuration examples
- For Troubleshooting: Reference common issues and solutions
- Access Control Attacks - 28 vectors
- Meta-Transaction Attacks - 26 vectors
- State Machine Attacks - 37 vectors
- Reentrancy Attacks - Multiple vectors
- Input Validation Attacks - 30 vectors
- Payment Attacks - 21 vectors
- Composite Attacks - 23 vectors
- Cryptographic Attacks - Multiple vectors
- Time-Based Attacks - Multiple vectors
- Role Management - Multiple vectors
- Whitelist & Schema - Multiple vectors
- Initialization - Multiple vectors
- Hook System - Multiple vectors
- Event Forwarding - Multiple vectors
- ComprehensiveAccessControlFuzz - 14 tests
- ComprehensiveStateMachineFuzz - 23 tests
- ComprehensiveMetaTransactionFuzz - 14 tests
- ComprehensivePaymentSecurityFuzz - 7 tests
- ComprehensiveInputValidationFuzz - 13 tests
- ComprehensiveCompositeFuzz - 5 tests
- ComprehensiveInitializationFuzz - 9 tests
- ComprehensiveHookSystemFuzz - 2 tests
- ComprehensiveEventForwardingFuzz - 2 tests
- ComprehensiveGasExhaustionFuzz - 17 tests
- ComprehensiveSecurityEdgeCasesFuzz - 10 tests
- ComprehensiveWhitelistSchemaFuzz - 8 tests
- ComprehensiveEIP712AndViewFuzz - 4 tests
- ComprehensiveDefinitionSecurityFuzz - 20 tests
- Critical Attack Vectors - 12 critical vectors
- High Severity Vectors - 28 high severity vectors
- Medium Severity Vectors - 45 medium severity vectors
When a new attack vector is identified:
- Add to Codex: Document in ATTACK_VECTORS_CODEX.md under the appropriate category
- Include:
- Attack description and scenario
- Code locations affected
- Current protections (if any)
- Severity classification
- Verification requirements
- Update Index: Add to the table of contents
When a new test is created:
- Add to Test Documentation: Document in TEST_DOCUMENTATION.md
- Include:
- Test function name and purpose
- Attack vectors covered
- Test file location
- Execution notes
- Link to Codex: Reference the attack vectors it covers
- Update Coverage: Update test coverage metrics
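The two procedures above ("Map tests to attack vectors" and "Identify gaps" in the Test Documentation, and "Link to Codex" / "Update Coverage" when a new test is created) are easy to let drift if the cross-reference is done by hand. The script below is an added example, not part of this repository's documentation or tooling. It assumes a hypothetical convention that the page does not specify: each Codex entry is a "### <ID>: <title>" heading with a "Severity:" line, vector IDs follow an AV-<category>-<nnn> scheme, and each test entry in TEST_DOCUMENTATION.md is a "- `testName`" bullet followed by a "Covers: <ID>, <ID>" line. The embedded Codex and test-doc snippets are constructed, with made-up vector IDs, titles and test names.

```python
"""Cross-reference documented attack vectors with the tests that cover them.
Added example, not the project's own tooling. ASSUMED file conventions:
  Codex: "### <ID>: <title>" heading plus a "Severity: <level>" line per entry.
  Test docs: "- `<testName>`" bullet followed by "Covers: <ID>, <ID>".
"""
import re
from collections import defaultdict
SEVERITIES = ("Critical", "High", "Medium", "Low")
ID_RE = re.compile(r"AV-[A-Z]+-\d{3}")
VECTOR_RE = re.compile(r"^###\s+(AV-[A-Z]+-\d{3}):\s*(.+?)\s*$", re.M)
SEVERITY_RE = re.compile(r"^Severity:\s*(Critical|High|Medium|Low)\s*$", re.M)
TEST_RE = re.compile(r"^-\s+`(\w+)`")
COVERS_RE = re.compile(r"^Covers:\s*(.+?)\s*$")
# Constructed sample inputs: vector IDs, titles and test names are made up.
CODEX_SAMPLE = """\
## Access Control & Authorization

### AV-AC-001: Unprivileged caller invokes an owner-only function
Severity: Critical

### AV-AC-002: Role admin grants itself a higher role
Severity: High

## Meta-Transaction Security

### AV-MT-001: Signed meta-transaction replayed on another chain
Severity: Critical

### AV-MT-002: Meta-transaction accepted after its deadline
Severity: Medium

### AV-TM-001: Block timestamp nudged within miner tolerance
"""
TEST_DOC_SAMPLE = """\
- `testFuzz_UnauthorizedCallerReverts`
  Covers: AV-AC-001
- `testFuzz_ReplayOnOtherChainReverts`
  Covers: AV-MT-001, AV-AC-001
- `testFuzz_StaleDeadlineReverts`
  Covers: AV-MT-002, AV-MT-999
"""

def parse_codex(text):
    """Return {vector_id: {"title", "severity"}}; severity is None if absent."""
    vectors, heads = {}, list(VECTOR_RE.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        vid = m.group(1)
        if vid in vectors:
            raise ValueError(f"duplicate vector id {vid}")
        sev = SEVERITY_RE.search(text[m.end():end])   # only this entry's body
        vectors[vid] = {"title": m.group(2), "severity": sev.group(1) if sev else None}
    return vectors

def parse_test_doc(text):
    """Return {test_name: [vector ids]}; rejects malformed or orphaned Covers lines."""
    tests, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if m := TEST_RE.match(line):
            current = m.group(1)
            tests.setdefault(current, [])
        elif m := COVERS_RE.match(line):
            if current is None:
                raise ValueError(f"line {lineno}: Covers line before any test bullet")
            for vid in (v.strip() for v in m.group(1).split(",")):
                if not ID_RE.fullmatch(vid):
                    raise ValueError(f"line {lineno}: malformed vector id {vid!r}")
                tests[current].append(vid)
    return tests

def coverage_report(vectors, tests):
    """Map vectors to tests; list gaps, stale links and unclassified vectors."""
    tests_for = defaultdict(list)
    for name, ids in tests.items():
        for vid in ids:
            tests_for[vid].append(name)
    by_sev = {s: [0, 0] for s in SEVERITIES + ("Unclassified",)}   # [covered, total]
    for vid, v in vectors.items():
        bucket = by_sev[v["severity"] or "Unclassified"]
        bucket[1] += 1
        bucket[0] += vid in tests_for
    return {
        "uncovered": sorted(v for v in vectors if v not in tests_for),
        "stale_links": sorted(v for v in tests_for if v not in vectors),
        "unclassified": sorted(v for v, d in vectors.items() if d["severity"] is None),
        "by_severity": {s: tuple(c) for s, c in by_sev.items()},
        "tests_for": dict(tests_for),
    }

if __name__ == "__main__":
    rep = coverage_report(parse_codex(CODEX_SAMPLE), parse_test_doc(TEST_DOC_SAMPLE))
    for sev, (covered, total) in rep["by_severity"].items():
        print(f"{sev:12s} {covered}/{total} covered")
    for key in ("uncovered", "stale_links", "unclassified"):
        print(f"{key}: {', '.join(rep[key]) or 'none'}")
```

Three findings matter for maintenance: "uncovered" is the gap list for new tests, "stale_links" catches a test doc that still references a vector that was renamed or removed from the Codex, and "unclassified" flags an entry added without a severity, which would otherwise be silently left out of the per-severity counts. Run it in CI against the real files once the two documents follow a fixed convention.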
- After Security Audits: Update codex with new findings
- After Test Additions: Update test documentation
- After Code Changes: Verify protections still apply
- After New Features: Assess new attack vectors
- Keep documentation synchronized with code
- Document changes in commit messages
- Maintain changelog for significant updates
- SECURITY_ATTACK_SURFACE_CHECKLIST.md - Consolidated into Codex
- SECURITY_ATTACK_VECTORS_*.md - Consolidated into Codex
- SECURITY_ANALYSIS_SUMMARY.md - Consolidated into Codex
- SECURITY_CRITICAL_FINDINGS.md - Consolidated into Codex
- SECURITY_RECOMMENDATIONS.md - Consolidated into Codex
When contributing to this documentation:
- Follow Structure: Maintain consistent formatting and organization
- Be Specific: Include code locations, examples, and scenarios
- Link Tests: Always link attack vectors to their test coverage
- Keep Updated: Ensure documentation reflects current code state
- Review Regularly: Update as the codebase evolves
This documentation folder contains the essential security and testing documentation:
- Attack Vectors Codex - Comprehensive catalog of all security threats and mitigations (includes §18 Protocol-Vulnerabilities-Index-derived vectors)
- Test Documentation - Complete reference of all test functions
- Test Execution Guide - Guide for running the test suite
- Final Coverage Report - Test coverage summary and statistics
Note: This documentation is a living knowledge base. It should evolve as new threats are discovered, new protections are implemented, and new tests are added.