# Smart Contract Threat Model Template

> The template DField Solutions fills in on day one of every smart-contract audit.
> Free · MIT licensed · [dfieldsolutions.com](https://dfieldsolutions.com)

---

## 0 · Meta

- **Contract name**:
- **Chain / L2**:
- **Language**: Solidity · Rust (CosmWasm / Solana Anchor / NEAR) · Cairo
- **Compiler version**:
- **Audit window start**:
- **Audit lead**:

## 1 · Entities

| ID | Entity | On-chain address? | Role |
|----|--------|-------------------|------|
| E1 | Deployer | yes / no | — |
| E2 | Owner / admin | | |
| E3 | User / caller | | |
| E4 | External contract (X) | | |
| E5 | Oracle | | |
| E6 | Keeper / bot | | |

## 2 · Trust boundaries

- **User → Contract**: which functions are public? Which require auth?
- **Contract → External contract**: is the callee trusted? Upgradeable?
- **Oracle → Contract**: is the price / data feed trusted? Circuit-breaker?
- **Admin → Contract**: what can admin do? Is it timelocked? Multisig?

## 3 · STRIDE per contract function

For each external/public function, fill in:

| Function | Spoofing | Tampering | Repudiation | Information disclosure | Denial of service | Elevation of privilege |
|----------|----------|-----------|-------------|------------------------|-------------------|-----------------------|
| `deposit()` | Can the caller fake tx origin? | Can they manipulate state? | Is there an audit log? | Does this leak balances? | Can they spam? | Can they become admin? |
| `withdraw()` | | | | | | |
| `execute()` | | | | | | |

## 4 · Invariants (must never break)

- [ ] **Conservation**: `sum(balances) == totalSupply`
- [ ] **Access control**: only owner can call `setOwner()`
- [ ] **No reentrancy**: external calls happen after state changes
- [ ] **Oracle freshness**: price data is < 5 minutes old
- [ ] **Rate limits**: no single user can withdraw > cap per day
- [ ] **Monotonicity**: nonces / IDs only increase
- [ ] **Custom invariant 1**:
- [ ] **Custom invariant 2**:

## 5 · Known crypto threat classes

- [ ] **Reentrancy** · single-function, cross-function, read-only
- [ ] **Integer over/underflow** · check all arithmetic, even on Solidity 0.8+
- [ ] **Access control** · missing `onlyOwner` / wrong role check
- [ ] **Front-running / MEV** · sandwich, back-run, reorg
- [ ] **Oracle manipulation** · flash-loan price attack, stale data
- [ ] **Upgrade risk** · admin can change implementation unilaterally
- [ ] **Denial of service** · gas griefing, loop bounds, block-stuffing
- [ ] **Flash loan abuse** · can attacker get uncollateralized capital?
- [ ] **Signature replay** · is nonce in the signed message?
- [ ] **ERC-4626 donation attack** · inflation / donation to vault

## 6 · Post-deploy monitoring matrix

| Metric | Alert threshold | Owner | Runbook |
|--------|-----------------|-------|---------|
| TVL delta / hour | > 20% | Security | `runbook-tvl-spike.md` |
| Withdraw events / minute | > 30 | Oncall | `runbook-withdraw-spam.md` |
| Oracle staleness | > 10 min | Oncall | `runbook-oracle-stuck.md` |
| Admin function calls | any | Security | `runbook-admin-call.md` |
| Failed tx rate | > 5% | Eng | `runbook-high-fail.md` |
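
One way to turn the matrix above into an off-chain check, as an added example that is not part of the original template. The `Window` fields, the 60-second trailing window and the reading of "TVL delta" as an absolute relative change are assumptions; thresholds, owners and runbook names are the ones in the table, and all sample data is constructed.

```python
from dataclasses import dataclass, field

T0 = 1_700_000_000  # constructed evaluation time (unix seconds)

@dataclass
class Window:
    """Metrics for one evaluation; defaults are a constructed quiet period."""
    now: int = T0
    tvl_hour_ago: float = 1000.0
    tvl_now: float = 1050.0
    withdraw_ts: list = field(default_factory=lambda: [T0 - 10, T0 - 200])
    oracle_updated_at: int = T0 - 120
    admin_calls: list = field(default_factory=list)
    tx_total: int = 200
    tx_failed: int = 4

def evaluate(w):
    """Return (metric, owner, runbook) for each breached row of the matrix."""
    alerts = []
    # Assumption: "delta" is the absolute relative change, so drains fire too.
    base = w.tvl_hour_ago
    delta = abs(w.tvl_now - base) / base if base else (1.0 if w.tvl_now else 0.0)
    if delta > 0.20:
        alerts.append(("TVL delta / hour", "Security", "runbook-tvl-spike.md"))
    # Count Withdraw events in the trailing 60 seconds only.
    recent = [t for t in w.withdraw_ts if w.now - 60 < t <= w.now]
    if len(recent) > 30:
        alerts.append(("Withdraw events / minute", "Oncall", "runbook-withdraw-spam.md"))
    if w.now - w.oracle_updated_at > 10 * 60:
        alerts.append(("Oracle staleness", "Oncall", "runbook-oracle-stuck.md"))
    if w.admin_calls:  # threshold is "any"
        alerts.append(("Admin function calls", "Security", "runbook-admin-call.md"))
    # Guard against an empty window before dividing.
    if w.tx_total and w.tx_failed / w.tx_total > 0.05:
        alerts.append(("Failed tx rate", "Eng", "runbook-high-fail.md"))
    return alerts

QUIET = Window()
# Constructed incident: 30% TVL drop, 45 withdrawals in under a minute,
# oracle 15 minutes stale, one admin call, 12% failed transactions.
INCIDENT = Window(tvl_now=700.0, withdraw_ts=[T0 - i for i in range(45)],
                  oracle_updated_at=T0 - 900, admin_calls=["setOwner"],
                  tx_total=100, tx_failed=12)

if __name__ == "__main__":
    for metric, owner, runbook in evaluate(INCIDENT):
        print(f"ALERT {metric}: page {owner}, open {runbook}")
```

Every threshold is a strict "greater than", so a value sitting exactly on the limit (20% TVL change, 10 minutes of staleness) does not page anyone.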

## 7 · Sign-off

- [ ] All Severe + High findings remediated
- [ ] Re-audit run on patched code
- [ ] Monitoring matrix live in production
- [ ] Incident runbooks reviewed
- [ ] Upgrade path documented (who, how, time-lock)

---

Cite as: DField Solutions, "Smart Contract Threat Model Template" (April 2026) · MIT licensed.
