This paper is a systematic examination of the security landscape of decentralized ledger systems. Because the blockchain ecosystem is in constant evolution, threats have been identified at every level of the system stack, from the underlying peer-to-peer network to the incentive structure of the protocol's economics. We group these threats into five areas of the system: Infrastructure & Network, Smart Contract & VM, Economic & Composability, dApp & Application, and Forensic & Data Analysis.
Introduction
Modern blockchain systems face multi-layered vulnerabilities introduced by smart contracts, decentralized finance (DeFi), and decentralized applications (dApps). These bring new classes of risk: coding flaws (reentrancy, integer overflow; the latter is caught by the checked arithmetic of Solidity 0.8 and later unless a contract opts out with an unchecked block), economic exploits (flash loan attacks, oracle manipulation), and network-level attacks (Sybil, Eclipse, BGP routing attacks). Traditional web threats such as phishing and cross-site scripting (XSS) have been adapted to blockchain front ends and wallets, while chain-analysis techniques applied to the public ledger enable user de-anonymization and privacy breaches.
The paper proposes a structured taxonomy of blockchain attacks across five layers: infrastructure/network, smart contracts/virtual machines, economic/composability systems, dApp/application interfaces, and forensic/data analysis. Each layer contains distinct attack types, ranging from consensus manipulation and mempool exploitation to front-end vulnerabilities and privacy attacks.
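The flash loan and oracle manipulation class named above combines a technical primitive (atomic, uncollateralized borrowing inside one transaction) with an economic one (a lending protocol that prices collateral from a manipulable source). The following simulation is an added example written for this page, not code from the paper or from any real protocol: it models a constant-product (x*y=k) pool, a lender that values collateral at 75% loan-to-value, and two oracle designs. The pool sizes, the 5000 B flash loan, the 0.3% swap fee and the ten-block TWAP window are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class ConstantProductPool:
    """Toy x*y=k automated market maker (Uniswap-v2 style) holding tokens A and B.

    Constructed for this example; the 0.3% fee is charged on the input amount.
    """
    reserve_a: float
    reserve_b: float
    fee: float = 0.003
    # (block, closing price of A in B) samples that a TWAP oracle reads
    history: List[Tuple[int, float]] = field(default_factory=list)

    def spot_price(self) -> float:
        """Instantaneous price of A in units of B, taken straight from reserves."""
        return self.reserve_b / self.reserve_a

    def swap_b_for_a(self, amount_b: float) -> float:
        """Sell B, receive A; this raises the price of A."""
        effective = amount_b * (1 - self.fee)
        k = self.reserve_a * self.reserve_b
        out = self.reserve_a - k / (self.reserve_b + effective)
        self.reserve_b += amount_b
        self.reserve_a -= out
        return out

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell A, receive B; this lowers the price of A."""
        effective = amount_a * (1 - self.fee)
        k = self.reserve_a * self.reserve_b
        out = self.reserve_b - k / (self.reserve_a + effective)
        self.reserve_a += amount_a
        self.reserve_b -= out
        return out

    def end_block(self, block: int) -> None:
        """Record the closing price for `block`; only closed blocks feed the TWAP."""
        self.history.append((block, self.spot_price()))


Oracle = Callable[[ConstantProductPool, int], float]


def spot_oracle(pool: ConstantProductPool, _block: int) -> float:
    """Naive oracle: reads live reserves, so it moves inside the attacker's own transaction."""
    return pool.spot_price()


def twap_oracle(pool: ConstantProductPool, block: int, window: int = 10) -> float:
    """Average of the closing prices of the `window` blocks before `block` (assumed design).
    It never touches live reserves, so a swap in the current block cannot move it."""
    samples = [p for b, p in pool.history if block - window <= b < block]
    if not samples:
        raise ValueError("no closed-block samples available for TWAP")
    return sum(samples) / len(samples)


def max_borrow(collateral_a: float, price_a: float, ltv: float = 0.75) -> float:
    """Credit line the toy lender extends: collateral value in B times loan-to-value."""
    return collateral_a * price_a * ltv


def flash_loan_manipulation(pool: ConstantProductPool, oracle: Oracle, block: int,
                            collateral_a: float = 100.0, flash_b: float = 5000.0) -> Dict[str, float]:
    """One atomic transaction: flash-borrow B, buy A to pump its price, draw credit against
    A collateral at the oracle price, sell A back, then repay the flash loan."""
    bought_a = pool.swap_b_for_a(flash_b)                     # step 1: pump the price of A
    credit = max_borrow(collateral_a, oracle(pool, block))    # step 2: lender values collateral
    recovered_b = pool.swap_a_for_b(bought_a)                 # step 3: unwind the position
    shortfall = flash_b - recovered_b                         # fees/slippage owed before repaying
    return {"credit": credit, "flash_loan_shortfall": shortfall}


def run_scenario(oracle: Oracle) -> Dict[str, float]:
    """Fresh 1000 A : 1000 B pool with ten quiet blocks of history, then the attack in block 11."""
    pool = ConstantProductPool(reserve_a=1000.0, reserve_b=1000.0)
    for block in range(1, 11):
        pool.end_block(block)
    fair_credit = max_borrow(100.0, pool.spot_price())        # what 100 A honestly supports: 75 B
    result = flash_loan_manipulation(pool, oracle, block=11)
    result["fair_credit"] = fair_credit
    result["excess_credit"] = result["credit"] - fair_credit - result["flash_loan_shortfall"]
    return result


if __name__ == "__main__":
    for name, oracle in (("spot", spot_oracle), ("twap", twap_oracle)):
        r = run_scenario(oracle)
        print(f"{name} oracle: credit={r['credit']:.1f} B, fair={r['fair_credit']:.1f} B, "
              f"attacker gain={r['excess_credit']:.1f} B")
```

With the spot oracle the lender extends roughly 2,700 B against collateral worth 75 B, and the round trip costs the attacker only a few B in fees; with the TWAP oracle the credit line stays at 75 B and the attack loses money. The caveat is that a TWAP only removes single-block manipulation: an attacker who can hold a skewed price across several blocks (cheap on thin pools, or with block-producer collusion) still moves the average, so window length and pool depth are part of the threat model.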
Conclusion
The shift towards a decentralized digital economy has created a multifaceted and complex threat landscape. As illustrated by this taxonomy, the threats are not confined to a single layer but are present throughout the entire blockchain stack, from the underlying P2P network and consensus algorithms to the logic of smart contracts and the financial interactions of decentralized finance.
Our analysis has shown that, although blockchain technology has immutability as a fundamental property, it is not impervious to common web-based threats such as phishing and XSS, nor is it immune to newer threats native to the decentralized ecosystem, such as flash loan attacks and oracle manipulation. Moreover, the transparency of the public ledger, itself a fundamental property, also exposes users to de-anonymization through dust attacks and forensic analysis of on-chain data. As the ecosystem develops, the "code is law" principle must be complemented by security audits, sound key management, and defensive engineering. As a next step, we should investigate mitigation techniques that can effectively protect users from the combined effect of technical and economic attacks. To secure the future of blockchains, we need a comprehensive approach that recognizes the interdependency of infrastructure, code, and incentives.
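The dust-attack de-anonymization mentioned above works through the common-input-ownership heuristic: every input of a transaction is assumed to belong to one entity, so when a wallet spends the attacker's tiny output together with its other coins, the attacker learns which addresses share that wallet. The clustering below is an added example written for this page, not code or data from the paper; the ledger it runs over is constructed (addresses V1, V2, V3 for the victim, ATK for the attacker) and tracks addresses rather than individual UTXOs for brevity.

```python
from typing import Dict, FrozenSet, Iterable, List, Set


class UnionFind:
    """Disjoint-set forest over address strings."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_addresses(transactions: Iterable[dict]) -> List[FrozenSet[str]]:
    """Common-input-ownership heuristic: all input addresses of one transaction are merged
    into a single cluster. Output addresses are only registered so that addresses which
    have never spent still appear as singleton clusters."""
    uf = UnionFind()
    for tx in transactions:
        for addr in tx["outputs"]:
            uf.find(addr)
        inputs = tx["inputs"]
        for addr in inputs:
            uf.union(inputs[0], addr)
    groups: Dict[str, Set[str]] = {}
    for addr in list(uf.parent):
        groups.setdefault(uf.find(addr), set()).add(addr)
    return [frozenset(g) for g in groups.values()]


def cluster_of(clusters: List[FrozenSet[str]], addr: str) -> FrozenSet[str]:
    """The cluster containing `addr`, or an empty set if the address is unknown."""
    for cluster in clusters:
        if addr in cluster:
            return cluster
    return frozenset()


def dust_attack_scenario(wallet_spends_dust: bool) -> List[FrozenSet[str]]:
    """Constructed ledger: the victim controls V1, V2 and V3 and has never co-spent them.
    The attacker sends a tiny 'dust' output from ATK to V2 and later runs the clustering."""
    ledger = [
        {"inputs": ["EMPLOYER"], "outputs": ["V1", "V3"]},      # victim funded, addresses unlinked
        {"inputs": ["ATK"], "outputs": ["V2", "ATK_change"]},   # dust attack: ATK -> V2
    ]
    if wallet_spends_dust:
        # naive wallet consolidates everything, including the dust, into one payment
        ledger.append({"inputs": ["V1", "V2", "V3"], "outputs": ["SHOP"]})
    else:
        # wallet with coin control freezes the dusted UTXO and spends only the rest
        ledger.append({"inputs": ["V1", "V3"], "outputs": ["SHOP"]})
    return cluster_addresses(ledger)


if __name__ == "__main__":
    for spends_dust in (True, False):
        clusters = dust_attack_scenario(spends_dust)
        print("wallet spends dust:", spends_dust,
              "-> attacker's tag on V2 reveals", sorted(cluster_of(clusters, "V2")))
```

When the dust is co-spent, the attacker's tag on V2 propagates to V1 and V3 and the whole wallet is linked; when the wallet freezes the dusted output, V2 stays a singleton and the tag reveals nothing, even though V1 and V3 still link to each other through their own spend. The heuristic itself is only a heuristic: CoinJoin-style transactions deliberately violate the one-entity-per-input assumption, and a real analysis tracks UTXOs and applies change-address heuristics on top of this.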