Web3 attack surface assessment: wallets, smart contracts & blockchain security
An attack surface assessment identifies and evaluates all points at which an attacker can interact with a blockchain system before funds move. In Web3, this spans smart contracts, wallets, transaction flows, RPC endpoints, and cross-chain bridges — many of which are immutable after deployment and financially exposed from the moment they are live.
Unlike traditional blockchain security audits, which assess code at a point in time, a continuous attack surface assessment evaluates operational exposure across your entire transaction lifecycle and counterparty environment — including the wallets and contracts you interact with every day.
Crypto wallet attack surface risks
Wallets are among the highest-value targets in Web3 and carry a broader attack surface than most operators account for. Key exposure areas include:
Unlimited token approvals — previously granted approvals to contracts that have since been compromised or become malicious remain exploitable until revoked
Wallet drainer contracts — newly deployed contracts with no on-chain history used to solicit approvals and drain assets in a single transaction
Phishing and social engineering — users directed to sign transactions that appear legitimate but transfer assets to attacker-controlled addresses
Zero-history counterparty wallets — wallets with no prior on-chain activity used as first-stage attack vectors before funds are bridged or mixed
How to protect a crypto wallet from attacks
Effective wallet protection requires controls applied before a transaction is signed, not only after it is broadcast. This includes revoking unnecessary token approvals, avoiding interactions with unverified or zero-history contracts, simulating transactions before signing to detect unexpected token flows, and monitoring wallet counterparties for changes in risk profile over time.
Smart contract attack surface
Smart contracts represent a structurally unique attack surface: they are publicly accessible, often immutable after deployment, and directly control asset flows. Common smart contract vulnerabilities that contribute to attack surface exposure include:
Reentrancy vulnerabilities — contracts that allow external calls to re-enter a function before state is updated, enabling recursive asset withdrawal
Access control failures — misconfigured ownership or role permissions that allow unauthorised actors to call privileged functions
Upgrade proxy risks — upgradeable contracts where the implementation or admin key is insufficiently protected
Malicious external calls — contracts that delegate execution to external addresses, which may be replaced with attacker-controlled logic
Smart contract audit vs attack surface assessment
Smart contract audit | Attack surface assessment
Pre-deployment, code-level | Continuous, behaviour-level
Static analysis of a fixed version | Dynamic evaluation across live interactions
One-time engagement | Ongoing as counterparties and assets evolve
Identifies bugs in contract logic | Identifies gaps in operational controls
Both are necessary. An audit reduces code-level risk at deployment; an attack surface assessment reduces operational risk across the full transaction lifecycle.
What is transaction simulation in crypto security?
Transaction simulation analyses a blockchain transaction before it is signed or broadcast, evaluating what the transaction will actually do on-chain — including token transfers, contract interactions, approval changes, and state modifications — before any funds move.
This is the control layer with the highest potential for loss prevention in Web3. By the time a transaction is confirmed on-chain, it is typically irreversible. Simulation applied at the pre-execution stage allows risk policies to be enforced — blocking, flagging, or modifying transactions — before exposure becomes loss.
Pre-sign analysis — simulate the full on-chain outcome of a transaction before the user or system commits to signing
Malicious interaction detection — identify unexpected token outflows, approval grants, or interactions with flagged contracts
Policy enforcement before execution — apply configurable risk thresholds that block or escalate transactions before they reach the mempool
Chain-agnostic coverage — simulation applied across EVM and non-EVM networks, including chains with limited coverage from traditional screening providers
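The pre-sign policy layer described above, and the wallet controls listed under "How to protect a crypto wallet from attacks" (unlimited approvals, zero-history counterparties, flagged contracts, outflow thresholds), as an added illustration that is not code from the original page or from any simulation provider. It assumes a simulation result has already been reduced to a list of token transfers and approval changes plus a counterparty lookup; the SimulatedTx, Verdict and assess names, the thresholds and all addresses are constructed for the example.

```python
from dataclasses import dataclass, field

UNLIMITED = 2**256 - 1  # max uint256: what an "unlimited" ERC-20 approve() grants
RANK = {"allow": 0, "flag": 1, "block": 2}  # block beats flag beats allow
NO_HISTORY = {"tx_count": 0, "flagged": False}  # default for an unknown counterparty
@dataclass
class SimulatedTx:
    """Stand-in for a simulation result: what the tx would do if broadcast."""
    sender: str
    transfers: list        # (token, from_addr, to_addr, amount)
    approvals: list        # (token, spender, amount) approval changes
    counterparties: dict   # addr -> {"tx_count": int, "flagged": bool}

@dataclass
class Verdict:
    action: str = "allow"
    reasons: list = field(default_factory=list)

    def raise_to(self, level, why):
        self.reasons.append(f"{level}: {why}")
        if RANK[level] > RANK[self.action]:  # escalate only, never downgrade
            self.action = level

def assess(tx: SimulatedTx, max_outflow: dict) -> Verdict:
    """Pre-sign policy over simulated flows; max_outflow maps token -> per-tx cap."""
    v, outflow = Verdict(), {}
    for token, src, dst, amount in tx.transfers:
        if src != tx.sender:
            continue  # inbound or third-party flow, not this wallet's exposure
        outflow[token] = outflow.get(token, 0) + amount
        cp = tx.counterparties.get(dst, NO_HISTORY)
        if cp["flagged"]:
            v.raise_to("block", f"{token} outflow to flagged address {dst}")
        elif cp["tx_count"] == 0:
            v.raise_to("flag", f"{token} outflow to zero-history address {dst}")
    for token, cap in max_outflow.items():
        if outflow.get(token, 0) > cap:
            v.raise_to("flag", f"{token} outflow {outflow[token]} exceeds cap {cap}")
    for token, spender, amount in tx.approvals:
        cp = tx.counterparties.get(spender, NO_HISTORY)
        if amount == UNLIMITED and (cp["flagged"] or cp["tx_count"] == 0):
            v.raise_to("block", f"unlimited {token} approval to unvetted {spender}")
        elif amount == UNLIMITED:
            v.raise_to("flag", f"unlimited {token} approval to {spender}")
    return v
# Constructed sample (placeholder addresses): a "claim" tx that moves USDC out and
# grants an unlimited USDC approval to a contract with no on-chain history.
EXAMPLE = SimulatedTx(sender="0xWALLET",
    transfers=[("USDC", "0xWALLET", "0xNEW_CONTRACT", 25_000_000)],
    approvals=[("USDC", "0xNEW_CONTRACT", UNLIMITED)],
    counterparties={"0xNEW_CONTRACT": NO_HISTORY})
```

Running assess(EXAMPLE, {"USDC": 10_000_000}) yields a "block" verdict with three reasons: the zero-history outflow, the exceeded per-transaction cap and the unlimited approval to an unvetted spender.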
Web3 security: common questions
What is a Web3 attack surface?
A Web3 attack surface refers to all possible points where an attacker can interact with or influence a blockchain system, including smart contracts, wallet approvals, transaction flows, RPC endpoints, cross-chain bridges, and the off-chain infrastructure that supports them. Unlike traditional attack surfaces, many Web3 components are immutable and permissionless, making pre-execution controls critical.
How do you protect a crypto wallet from being drained?
Protecting a crypto wallet from drainer attacks requires several layers of control: revoking unnecessary or unlimited token approvals to contracts you no longer use; avoiding interactions with unverified or zero-history contracts; using transaction simulation before signing to detect unexpected token flows or approval changes; and monitoring counterparty wallets for changes in risk profile over time. Reactive measures after a transaction is confirmed are generally insufficient given the irreversible nature of on-chain settlement.
What is transaction simulation in crypto?
Transaction simulation analyses a blockchain transaction before it is signed to detect malicious behaviour, unexpected token transfers, or high-risk contract interactions. It returns a verdict in milliseconds — allowing risk policies to block or escalate the transaction before any funds move. This is the most effective available control for preventing loss in real-time transaction environments.
What is an attack surface in blockchain?
A blockchain attack surface encompasses all the points at which an external actor can interact with or influence a system — including smart contracts, wallet approvals, transaction flows, RPC endpoints, bridge mechanisms, and the off-chain infrastructure that supports them. Mapping and continuously monitoring this surface is the foundation of effective Web3 security.
How is a Web3 attack surface different from Web2?
Web2 attack surfaces centre on servers, APIs, and network perimeters that can be patched and updated. Web3 attack surfaces include immutable smart contracts, permissionless transaction flows, and on-chain interactions where exploits result in immediate, often irreversible asset loss. Traditional security frameworks do not map cleanly onto this threat model, and most Web2-era tooling provides limited coverage of the on-chain attack surface.
Is this assessment relevant for MiCA compliance?
The assessment covers several control areas relevant to MiCA and broader regulatory frameworks, including pre-transaction risk controls, ongoing counterparty monitoring, and provider dependency. It is not a compliance assessment, but the observations it generates may inform your regulatory readiness review.
How long does the assessment take?
Six questions, typically two to three minutes. Each question is weighted based on your operating model and focuses on the control areas most material to your risk profile.
What does the result include?
Your result includes an indicative exposure band, a control maturity score, and observations across five areas: wallet handling, pre-execution enforcement, allowlist governance, provider dependency, and chain and asset coverage. A full written report is available on request.