dApp Threat Modeling
Berachain dApp Threat Model Docs
This page analyzes how the core DApps in the Berachain ecosystem interact with one another and where value flows between them.
It is written from the perspective of a DApp developer: the elements of the threat model, such as Entities and Assets, are chosen to be practically useful, focusing on the targets that developers must define and protect directly in their own code.
On this page, you can find the following:
DApp Interaction DFD
This is an overall architecture diagram showing how Berachain's main DApps (BEX, Kodiak, Beraborrow, and Infrared) exchange data and connect with each other. It gives an intuitive picture of how a user's assets create new value as they move through each DApp, and of the synergies between the protocols.
Threat Modeling - DApp System-Centric
Entity: Identifies the core smart contracts and Externally Owned Accounts (EOAs) that developers must directly implement and interact with.
Asset: Defines the core assets within the contracts that developers must directly manage and protect, such as state variables, tokens, and administrative privileges.
Entry Point: Identifies all paths through which an external attack can be initiated.
Scenarios: Analyzes the system's security weaknesses through concrete threat scenarios.
DFD

Entity
ET - 1 Distributor: Manages the distribution logic for BGT and incentive tokens.
ET - 2 RewardVault: Receives LP token deposits and distributes BGT.
ET - 3 BlockRewardController: Responsible for BGT issuance.
ET - 4 BGTIncentiveDistributor: Distributes incentive tokens based on the amount of BGT issued.
ET - 5 BGTStaker: Manages BGT Boost and pays HONEY as the Boost reward.
ET - 6 CometBFT: Berachain's BFT consensus module.
ET - 7 BeaconDeposit: Processes BERA deposits for becoming a validator.
ET - 8 Operator: Entity to which validators delegate reward allocation and commission settings.
ET - 9 dApp owner: Entity that sends dApp fees to the FeeCollector.
ET - 10 Oracle: Entity that fetches the price of HONEY / NECT collateral.
ET - 11 Guardians: Entity that makes final decisions in governance.
ET - 12 BatchRelayer: Entity for batch processing of Balancer v2-based BEX operations.
ET - 13 BalancerRelayer: Entity that mediates Balancer v2-based BEX multicalls.
ET - 14 ProtocolFeesWithdrawer: Withdraws the protocol fees collected by BEX.
ET - 15 BEXAuthorizer: Authorizer that approves privileged BEX (Balancer v2) actions such as creating liquidity pools.
ET - 16 KodiakIsland: Kodiak automated liquidity management vault.
ET - 17 KodiakIslandFactory: Factory that deploys KodiakIsland vaults.
ET - 18 KodiakIslandWithRouter: Contract combining Kodiak's Island and Router functions.
ET - 19 IslandRouter: Contract through which Kodiak users supply liquidity to an Island.
ET - 20 KodiakFarm: Manages Kodiak reward distribution.
ET - 21 PandaFactory: Kodiak-based ERC-20 meme coin launchpad.
ET - 22 UniswapV3Pool: Uniswap V3-based liquidity pool contract within Kodiak.
ET - 23 Infrared: Manager of core Infrared functions.
ET - 24 InfraredBERA: Manages Infrared BERA (iBERA) tokens.
ET - 25 InfraredBERADepositor: Manages Infrared BERA deposits.
ET - 26 InfraredBERAClaimor: Handles claims of Infrared BERA rewards.
ET - 27 InfraredBERAWithdrawor: Manages Infrared BERA withdrawals.
ET - 28 InfraredBERAFeeReceivor: Manages Infrared fees.
ET - 29 InfraredDistributor: Manages Infrared reward distribution.
ET - 30 InfraredVault: Infrared rewards vault.
ET - 31 MultiReward: Manages multiple Infrared reward tokens.
ET - 32 BribeCollector: Manages Infrared protocol incentives (bribes).
ET - 33 CollVaultRouter: Router for Beraborrow loan operations.
ET - 34 DenManager: Beraborrow collateral position (den) management system.
ET - 35 DebtToken: Beraborrow's debt token (NECT).
ET - 36 LiquidStabilityPool: Beraborrow NECT staking (stability) pool.
ET - 37 CollateralVault: Vault that issues the collateral receipt token for Beraborrow positions.
ET - 38 LiquidationManager: Manages Beraborrow liquidation logic.
Asset
AT - 1 BGT: Token that functions as both a governance token and an economic incentive.
AT - 2 BERA: Native coin used for gas and validator deposits.
AT - 3 WBERA: ERC-20 wrapper of BERA.
AT - 4 Fee Token: Token collected as fees from the various dApps.
AT - 5 LP Token (Receipt Token): Token certifying liquidity provision to protocols such as BEX.
AT - 6 Incentive Token: Token paid as a reward to BGT boosters.
AT - 7 HONEY: Berachain's native stablecoin.
AT - 8 iBERA: Infrared's liquid staked BERA token.
AT - 9 iBGT: Infrared's liquid BGT token.
AT - 10 Infrared Points: Additional reward points earned for Infrared activity.
AT - 11 NECT: Beraborrow's native stablecoin (debt token).
AT - 12 sNECT: Receipt token for NECT staked in Beraborrow's LiquidStabilityPool.
AT - 13 Collaterals: Collateral assets accepted for Beraborrow loans.
Entry Point
EP - 1 joinPool: Entry point for supplying a token pair to a BEX liquidity pool.
EP - 2 exitPool: Entry point for withdrawing a token pair from a BEX liquidity pool.
EP - 3 onJoinPool: Pool-side hook that supplies the specified tokens to the BEX liquidity pool.
EP - 4 onExitPool: Pool-side hook that withdraws the supplied tokens from the BEX liquidity pool.
EP - 5 distributeAndWithdrawCollectedFees: The BEX fee collector sends the collected fees to Berachain PoL's FeeCollector and FeeReceiver.
EP - 6 withdrawCollectedFee: Withdraws the fees collected by the BEX fee collector.
EP - 7 deposit: Deposits BERA into the protocol contract.
EP - 8 withdraw: Withdraws BERA from the protocol contract.
EP - 9 swap: Executes a single swap in a BEX liquidity pool.
EP - 10 batchSwap: Executes multiple swaps across BEX liquidity pools in one call.
EP - 11 queryBatchSwap: Simulates a BEX batchSwap and returns the resulting token deltas without executing it.
EP - 12 create: Creates a new BEX liquidity pool.
EP - 13 setPOLFeeCollectorPercentage: Sets the percentage of BEX protocol fees routed to the PoL FeeCollector.
EP - 14 executiveRebalanceWithRouter: Pool rebalancing by the manager via the router.
EP - 15 addLiquidity: Supplies an ERC-20 token pair to a Kodiak liquidity pool.
EP - 16 addLiquidityNative: Supplies an ERC-20 / BERA pair to a Kodiak liquidity pool.
EP - 17 addLiquiditySingle: Supplies single-sided liquidity to a Kodiak ERC-20 pair pool.
EP - 18 addLiquiditySingleNative: Supplies single-sided liquidity to a Kodiak ERC-20 / BERA pair pool.
EP - 19 removeLiquidity: Withdraws an ERC-20 token pair from a Kodiak liquidity pool.
EP - 20 removeLiquidityNative: Withdraws an ERC-20 / BERA pair from a Kodiak liquidity pool.
EP - 21 KodiakFarm.stake: Stakes LP tokens in the Kodiak reward distribution vault.
EP - 22 KodiakFarm.withdraw: Withdraws LP tokens from the Kodiak reward distribution vault.
EP - 23 KodiakFarm.getReward: Claims accumulated reward tokens from the Kodiak reward distribution vault.
EP - 24 KodiakIslandFactory.deployVault: Deploys a Kodiak liquidity pool (Island) contract.
EP - 25 FarmFactory.deployFarm: Deploys a Kodiak reward distribution vault contract.
EP - 26 InfraredVault.stake: Stakes LP tokens in the Infrared rewards vault.
EP - 27 InfraredVault.withdraw: Withdraws LP tokens from the Infrared rewards vault.
EP - 28 getReward: Claims accumulated reward tokens from the Infrared rewards vault.
EP - 29 mint: Converts BERA to iBERA within Infrared.
EP - 30 redeem: Exchanges base BGT for BERA and sends it to InfraredBERAFeeReceivor.
EP - 31 harvestVault: Harvests rewards from the RewardVault for a specific asset and mints iBGT.
EP - 32 harvestOperatorRewards: Distributes the operator rewards accumulated in InfraredBERAFeeReceivor.
EP - 33 claimBGTIncentives: The keeper claims incentive tokens from the BGTIncentiveDistributor.
EP - 34 harvestBribes: Moves incentive tokens from Infrared to the BribeCollector.
EP - 35 claimFees: Withdraws incentive tokens from the BribeCollector in exchange for WBERA.
EP - 36 collectBribes: Recovers WBERA from the BribeCollector to Infrared.
EP - 37 execute: Sends BERA out when processing an Infrared user's withdrawal.
EP - 38 process: Processes requests in the Infrared withdrawal queue.
EP - 39 sweep: Sends the BERA accumulated in InfraredBERAClaimor to the user.
EP - 40 claim: Claims the BGT rewards corresponding to a validator's pubkey.
EP - 41 updateFee: Changes Infrared fees.
EP - 42 claimExternalVaultRewards: Claims rewards from a vault that is not an Infrared vault.
EP - 43 openDenVault: Creates a new CDP loan vault (den) within Beraborrow.
EP - 44 adjustDenVault: Adjusts the collateral/debt of an existing Beraborrow den vault.
EP - 45 closeDenVault: Closes a Beraborrow den vault.
EP - 46 redeemCollateralVault: Redeems NECT against collateral held in Beraborrow positions.
EP - 47 redeemToOne: Withdraws all rewards earned from Beraborrow as a single token.
EP - 48 liquidate: Liquidates unhealthy CDP positions within Beraborrow.
EP - 49 flashLoan: Executes Beraborrow's flash loan function.
EP - 50 mint: Deposits NECT in Beraborrow to mint sNECT.
EP - 51 redeem: Burns sNECT in Beraborrow and returns NECT.
EP - 52 setParameters: Configures Beraborrow collateral parameters and interest rates.
EP - 53 deposit: NECT deposit function within Beraborrow.
EP - 54 openDen: Creates a new CDP loan position (den) within Beraborrow.
EP - 55 addColl: Adds collateral to a Beraborrow loan position.
EP - 56 withdrawColl: Withdraws collateral from a Beraborrow loan position.
EP - 57 withdrawDebt: Draws additional NECT debt from a Beraborrow loan position.
EP - 58 repayDebt: Repays NECT debt on a Beraborrow loan position.
EP - 59 adjustDen: Adjusts an existing Beraborrow CDP position.
EP - 60 startSunset: Begins retiring (sunsetting) a collateral type within Beraborrow so that it can no longer back new debt.
EP - 61 mintCap: Mints NECT at a 1:1 ratio against other stablecoins, subject to a mint cap.
Scenarios
Each scenario lists the entry points and assets it involves, followed by the threat.

Related: EP - 46, EP - 52, AT - 11, AT - 13
A large-scale liquidation causes a sharp drop in the price of collateral assets, triggering a chain reaction of further position liquidations.

Related: EP - 50, EP - 53, AT - 2, AT - 11, AT - 13
An inflation attack on an ERC-4626 vault with almost no total supply (a first depositor mints a tiny share balance and then donates assets directly to the vault) causes subsequent depositors to receive zero or underpriced shares and lose funds.

Related: EP - 55, EP - 56, EP - 57, EP - 58, EP - 59, AT - 2, AT - 5, AT - 11, AT - 13
If the collateral ratio (ICR/TCR) verification logic can be bypassed, undercollateralized loans can be opened or adjusted even while the system is in Recovery Mode, causing losses to the system.

Related: EP - 54, AT - 11, AT - 13
If the owner abuses their authority to change critical protocol parameters maliciously, users can face excessive fee payments and an increased risk of liquidation.

Related: EP - 13, EP - 14, EP - 15, EP - 16, AT - 5
When adding liquidity, if the actual value of the pool's assets and the value of the LP tokens minted do not match, new liquidity providers gain or lose at the expense of existing ones.

Related: EP - 19, EP - 20, AT - 1, AT - 5
Removing liquidity during a sharp price movement can leave the remaining pool liquidity below its reference value, or be used to bypass a minimum holding period and realize profit.

Related: EP - 1, EP - 2, EP - 3, EP - 4, EP - 15, EP - 16, EP - 17, EP - 18, EP - 19, EP - 20, AT - 5
Repeated large deposits and withdrawals of one token collapse the token ratio in the liquidity pool, distorting the price or depleting one side of the liquidity.

Related: EP - 9, AT - 2, AT - 5
Large trades move the actual execution price unfavorably, and errors in the minimum-output (slippage) calculation lead to losses.

Related: EP - 13, AT - 5
If an administrator suddenly changes the fee ratio or withdraws a large amount of fees, liquidity providers incur losses.

Related: EP - 14, AT - 3, AT - 6
If a rebalance changes the state of some tokens and the transaction then fails partway, the pool invariant and the LP total supply can diverge.

Related: EP - 29, AT - 2, AT - 8
Instantaneously manipulating the iBERA/BERA exchange ratio through large trades can yield unfair gains, reducing protocol assets and undermining user trust in the system.

Related: EP - 41, EP - 42, AT - 2, AT - 5, AT - 6
Exploiting the timing of a protocol fee change to harvest large rewards immediately before or after the change distorts reward distribution, causing losses to users or to the protocol's finances.

Related: EP - 31, EP - 35, AT - 6
If a malicious token is accepted as a reward token in the bribe system, it can contaminate bribe accounting and enable further malicious activity.

Related: EP - 35, AT - 5, AT - 9
If staked funds are concentrated in a specific validator, staking rewards become imbalanced and the validator set centralizes.

Related: EP - 15, EP - 16, EP - 17, EP - 18, EP - 48, EP - 53, AT - 7, AT - 11, AT - 12, AT - 13
By exploiting the interdependence between Berachain's PoL mechanism and Beraborrow's multi-collateral lending system, an attacker can unbalance the target collateral pool with large DEX trades and then follow with an ERC-4626 inflation attack to realize a profit.

Related: EP - 53, EP - 61, AT - 7, AT - 11, AT - 12, AT - 13
When Berachain's native stablecoin HONEY de-pegs, an attacker can acquire a large amount of NECT cheaply through Beraborrow's PermissionlessPSM contract and realize a profit, depleting the protocol's assets.

Related: EP - 20, EP - 21, EP - 53, EP - 54, AT - 1, AT - 2, AT - 8, AT - 9
If Infrared's LST token, which holds about 62% of Berachain's BGT issuance, de-pegs, the price drop cascades into a negative flywheel across the chain's ecosystem.

Related: EP - 15, EP - 16, EP - 17, EP - 18, EP - 48, EP - 53, AT - 5, AT - 11, AT - 12, AT - 13
Repeated large swaps in a pool with low TVL and high sensitivity to price impact distort the reserve ratio, inducing artificial spikes and drops in the LP token price and triggering chain liquidations of loan positions as collateral value collapses.
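The ERC-4626 inflation scenarios above (the sNECT vault case and the combined DEX-manipulation case) are easier to reason about with the share math in front of you. The following Python model is an added example written for this page; it is not Beraborrow's or any other project's code. The `Vault` class, the `decimals_offset` parameter and the 1e18 amounts are all assumptions made for the illustration; the hardened conversion follows the virtual-shares formula popularized by OpenZeppelin's ERC-4626 implementation.

```python
"""Model of the ERC-4626 first-depositor (inflation) attack and the
virtual-shares mitigation. Added illustration; not Beraborrow's code."""


class Vault:
    """Minimal ERC-4626-style share accounting (constructed for this example).

    decimals_offset=None reproduces the naive shares = assets * supply / totalAssets
    math. An integer offset applies virtual shares/assets instead:
    shares = assets * (supply + 10**offset) / (totalAssets + 1).
    """

    def __init__(self, decimals_offset=None):
        self.total_assets = 0
        self.total_shares = 0
        self.offset = decimals_offset

    def convert_to_shares(self, assets):
        if self.offset is None:
            if self.total_shares == 0:
                return assets
            return assets * self.total_shares // self.total_assets
        return assets * (self.total_shares + 10 ** self.offset) // (self.total_assets + 1)

    def convert_to_assets(self, shares):
        if self.offset is None:
            if self.total_shares == 0:
                return shares
            return shares * self.total_assets // self.total_shares
        return shares * (self.total_assets + 1) // (self.total_shares + 10 ** self.offset)

    def deposit(self, assets):
        shares = self.convert_to_shares(assets)
        self.total_assets += assets
        self.total_shares += shares
        return shares

    def redeem(self, shares):
        assets = self.convert_to_assets(shares)
        self.total_shares -= shares
        self.total_assets -= assets
        return assets

    def donate(self, assets):
        # Direct ERC-20 transfer to the vault address: raises totalAssets
        # without minting shares. This is what inflates the share price.
        self.total_assets += assets


def run_attack(vault, donation, victim_deposit):
    """Attacker deposits 1 wei, donates, the victim deposits, the attacker exits.
    Returns (victim_shares, victim_redeemable_before_exit, attacker_pnl)."""
    attacker_shares = vault.deposit(1)
    vault.donate(donation)
    victim_shares = vault.deposit(victim_deposit)
    victim_redeemable = vault.convert_to_assets(victim_shares)
    attacker_out = vault.redeem(attacker_shares)
    return victim_shares, victim_redeemable, attacker_out - (1 + donation)


if __name__ == "__main__":
    ONE = 10 ** 18  # constructed amounts: a 1e18 donation against a 1e18 victim deposit
    print("naive   :", run_attack(Vault(), ONE, ONE))
    print("offset=6:", run_attack(Vault(decimals_offset=6), ONE, ONE))
```

In the naive vault the victim receives zero shares and the attacker's profit equals the victim's entire deposit. With an offset of 6 the attacker's 1 wei buys a million shares, so the donation dilutes the attacker more than the victim: the victim's loss is on the order of 1e11 wei and the attacker loses roughly half the donation. Seeding the vault with a non-trivial first deposit that is burned is the other common mitigation.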
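Several of the scenarios above (the slippage/minimum-output case, the repeated-swap reserve distortion, and the LP-price collapse that feeds chain liquidations) share one mechanism: a constant-product pool's reserves can be pushed far from their resting ratio within a single transaction. The Python model below is an added example for this page, not BEX or Kodiak code; the pool class, reserve sizes and external prices are constructed. It shows both the `minAmountOut` check that protects a swapper and why a lending protocol must value LP collateral from the invariant rather than from spot reserves.

```python
"""Constant-product pool model: slippage check, and naive vs. fair LP token
valuation under reserve manipulation. Added illustration; not BEX/Kodiak code."""
import math


class ConstantProductPool:
    def __init__(self, reserve0, reserve1, fee_bps=0):
        self.r0, self.r1, self.fee_bps = reserve0, reserve1, fee_bps
        self.lp_supply = math.isqrt(reserve0 * reserve1)  # Uniswap-v2-style initial mint

    def get_amount_out(self, amount_in, zero_for_one):
        r_in, r_out = (self.r0, self.r1) if zero_for_one else (self.r1, self.r0)
        amount_in_after_fee = amount_in * (10_000 - self.fee_bps) // 10_000
        return amount_in_after_fee * r_out // (r_in + amount_in_after_fee)

    def swap(self, amount_in, zero_for_one, min_amount_out):
        out = self.get_amount_out(amount_in, zero_for_one)
        if out < min_amount_out:
            raise ValueError("slippage: output below minAmountOut")
        if zero_for_one:
            self.r0 += amount_in
            self.r1 -= out
        else:
            self.r1 += amount_in
            self.r0 -= out
        return out


def naive_lp_price(pool):
    """LP value in token1 using the pool's own spot price:
    (r0 * r1/r0 + r1) / supply = 2*r1/supply. Moves with every swap."""
    return 2 * pool.r1 / pool.lp_supply


def fair_lp_price(pool, p0, p1):
    """Fair LP value from external prices p0, p1 (same unit) and the invariant
    k = r0*r1: 2*sqrt(k*p0*p1)/supply. A swap leaves k (hence this price)
    unchanged, so reserves cannot be moved to pump or crash it."""
    return 2 * math.sqrt(pool.r0 * pool.r1 * p0 * p1) / pool.lp_supply


def manipulation_demo():
    ONE = 10 ** 18
    pool = ConstantProductPool(1_000 * ONE, 1_000 * ONE)  # constructed 1:1 pool
    p0, p1 = 1.0, 1.0  # constructed external prices, token1 as the unit
    naive_before, fair_before = naive_lp_price(pool), fair_lp_price(pool, p0, p1)

    # A victim quotes 100 token0 -> token1 before the attacker's trade lands.
    victim_quote = pool.get_amount_out(100 * ONE, True)

    # Attacker dumps 500 token0 (50% of reserve0): reserve1 drains, spot collapses.
    pool.swap(500 * ONE, True, 0)
    naive_after, fair_after = naive_lp_price(pool), fair_lp_price(pool, p0, p1)

    # The victim's swap, carrying minAmountOut from the stale quote, now reverts.
    try:
        pool.swap(100 * ONE, True, victim_quote)
        victim_protected = False
    except ValueError:
        victim_protected = True

    return {
        "naive_drop": 1 - naive_after / naive_before,
        "fair_drift": abs(fair_after / fair_before - 1),
        "victim_protected": victim_protected,
    }


if __name__ == "__main__":
    print(manipulation_demo())
```

One 500-token swap cuts the spot-based LP valuation by a third while the invariant-based valuation does not move. A CDP system that prices LP collateral the naive way hands the attacker a lever to push every position using that collateral below its liquidation threshold in the same block.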
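The Recovery Mode bypass and liquidation-cascade scenarios above come down to which checks run on each den-changing entry point (openDen, addColl, withdrawColl, withdrawDebt, repayDebt, adjustDen) and how the liquidation threshold shifts once the system is in Recovery Mode. The Python model below is an added example written for this page, not Beraborrow's code; it follows Liquity-style rules, and the `MCR`, `CCR`, `Den`, `System` and function names, and the constructed positions and price, are assumptions. Beraborrow's actual parameters and rule set are not given on this page.

```python
"""Liquity-style ICR/TCR gating for CDP adjustments and liquidation.
Added illustration with assumed parameters; not Beraborrow's code."""
from dataclasses import dataclass

MCR = 1.10  # assumed: minimum collateral ratio for a single position
CCR = 1.50  # assumed: system ratio below which Recovery Mode is active


@dataclass
class Den:
    coll: float  # collateral units
    debt: float  # NECT debt


@dataclass
class System:
    dens: list
    price: float  # collateral price in NECT, as reported by the oracle


def icr(coll, debt, price):
    return float("inf") if debt == 0 else coll * price / debt


def tcr(system, coll_delta=0.0, debt_delta=0.0):
    total_coll = sum(d.coll for d in system.dens) + coll_delta
    total_debt = sum(d.debt for d in system.dens) + debt_delta
    return icr(total_coll, total_debt, system.price)


def in_recovery_mode(system):
    return tcr(system) < CCR


def check_adjust(system, den, coll_delta, debt_delta):
    """Validate a den adjustment; raise ValueError if it must be rejected.
    Returns the post-adjustment ICR. Every path that changes coll or debt
    must route through a check like this, or Recovery Mode can be bypassed
    by picking whichever entry point skips it."""
    new_coll, new_debt = den.coll + coll_delta, den.debt + debt_delta
    if new_coll < 0 or new_debt < 0:
        raise ValueError("adjustment underflows collateral or debt")
    old_icr = icr(den.coll, den.debt, system.price)
    new_icr = icr(new_coll, new_debt, system.price)
    if in_recovery_mode(system):
        if coll_delta < 0:
            raise ValueError("Recovery Mode: collateral withdrawal not permitted")
        if debt_delta > 0:
            if new_icr < CCR:
                raise ValueError("Recovery Mode: new ICR must be >= CCR")
            if new_icr <= old_icr:
                raise ValueError("Recovery Mode: debt increase must improve ICR")
    else:
        if new_icr < MCR:
            raise ValueError("new ICR below MCR")
        if debt_delta > 0 and tcr(system, coll_delta, debt_delta) < CCR:
            raise ValueError("debt increase would push the system into Recovery Mode")
    return new_icr


def can_liquidate(system, den):
    """Normal mode: ICR < MCR. Recovery Mode: any den below the TCR is
    liquidatable, which is how one price drop cascades into many liquidations."""
    den_icr = icr(den.coll, den.debt, system.price)
    return den_icr < (tcr(system) if in_recovery_mode(system) else MCR)


if __name__ == "__main__":
    # Constructed state: TCR = 420/300 = 1.4, so the system is in Recovery Mode.
    sys_rm = System([Den(300, 200), Den(120, 100)], price=1.0)
    print("recovery:", in_recovery_mode(sys_rm))
    print("den[1] liquidatable:", can_liquidate(sys_rm, sys_rm.dens[1]))
    for delta in [(-10, 0), (0, 10), (100, 50)]:
        try:
            print(delta, "-> ICR", check_adjust(sys_rm, sys_rm.dens[0], *delta))
        except ValueError as e:
            print(delta, "-> rejected:", e)
```

The second den (ICR 1.2) is safe in normal mode but liquidatable in Recovery Mode because the threshold becomes the TCR itself. The check functions use the TCR as it stands before the adjustment, which is the Liquity convention; a protocol that recomputes mode after applying the change must make sure the two code paths cannot disagree.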