
OAK Detection Specs — Index

Auto-generated by tools/build_specs_index.py from tools/specs.json. Do not edit by hand.

Coverage: 144/144 Techniques (100%) · 144 specs across 17 Tactics.

Maturity distribution: 39 stable · 29 observed · 71 emerging · 5 draft.

Specs are vendor-neutral, language-agnostic YAML detection specs (one per Technique). Each spec carries data_sources, detection_logic.pseudocode (written as orthogonal PATH A / PATH B / ... detection paths, each of which should fire independently of the others), parameters, test_fixtures, false_positive_modes, mitigations cross-refs, and reference_implementations. The schema is Sigma-shaped: the closest existing-format analogue is a Sigma rule tagged with MITRE ATT&CK technique IDs. See CONTRIBUTING.md for the spec-authoring convention and tools/build_specs.py for the validator.

Maturity legend:

  • 🟢 stable — multi-anchor, multi-vendor agreement, positive fixture present.
  • 🔵 observed — field-confirmed at a single anchor; cross-vendor agreement still pending.
  • 🟡 emerging — recently introduced; small worked-example set.
  • ⚪ draft — definition still consolidating; no positive fixture.
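The schema paragraph and the maturity legend above together define what a valid spec looks like: the listed fields must be present, the pseudocode must be split into distinctly labelled PATH blocks, and the maturity tier must agree with the fixtures (a stable spec needs a positive fixture, a draft spec has none). The following added example, which is not the repository's tools/build_specs.py and not a spec from the corpus, shows a minimal validator that enforces those rules and then derives the per-tactic and maturity counts the index reports. The spec bodies are constructed for illustration only (the detection logic shown for T5.003 and T16.004 is invented, not the project's), and the keys id, technique and tactic are assumptions about how a spec identifies itself.

```python
"""Constructed example: a minimal validator and index builder for OAK-shaped
detection specs.  Not the repository's tools/build_specs.py; the spec bodies
and the identifying keys id/technique/tactic are assumptions for illustration.
"""
import re
from collections import Counter

# Fields the index page says every spec carries, plus the identifying keys
# (id, technique, tactic, maturity) assumed here so an index can be built.
REQUIRED_KEYS = (
    "id", "technique", "tactic", "maturity", "data_sources",
    "detection_logic", "parameters", "test_fixtures",
    "false_positive_modes", "mitigations", "reference_implementations",
)
MATURITIES = ("stable", "observed", "emerging", "draft")
# One detection path per "PATH <letter>:" line in the pseudocode.
PATH_RE = re.compile(r"^PATH ([A-Z]):", re.MULTILINE)

# Constructed specs in parsed-YAML form.  Detection logic is illustrative only.
SAMPLE_SPECS = [
    {
        "id": "T5.003", "technique": "Hidden-Mint Dilution", "tactic": "T5",
        "maturity": "stable",
        "data_sources": ["erc20_transfer_events", "contract_bytecode"],
        "detection_logic": {"pseudocode": (
            "PATH A: Transfer(from=0x0) emitted by a token whose verified source "
            "exposes no mint() after ownership renounce\n"
            "PATH B: totalSupply() delta > supply_delta_pct within window_blocks "
            "with no matching Transfer(from=0x0)\n")},
        "parameters": {"supply_delta_pct": 5, "window_blocks": 100},
        "test_fixtures": [
            {"name": "mint-after-renounce", "expected": "positive"},
            {"name": "legit-rebase-token", "expected": "negative"},
        ],
        "false_positive_modes": ["rebase tokens", "bridge canonical mints"],
        "mitigations": ["M-supply-cap"],
        "reference_implementations": ["python/t5_003.py"],
    },
    {
        "id": "T16.004", "technique": "Snapshot / Off-chain Voting Exploitation",
        "tactic": "T16", "maturity": "draft",
        "data_sources": ["snapshot_api"],
        "detection_logic": {"pseudocode": "PATH A: TBD\n"},
        "parameters": {},
        "test_fixtures": [{"name": "placeholder", "expected": "negative"}],
        "false_positive_modes": [],
        "mitigations": [],
        "reference_implementations": [],
    },
    {   # Deliberately invalid: claims stable with no positive fixture, and
        # reuses a PATH label, so the paths cannot be orthogonal.
        "id": "T9.999", "technique": "Broken Example", "tactic": "T9",
        "maturity": "stable",
        "data_sources": ["x"],
        "detection_logic": {"pseudocode": "PATH A: one\nPATH A: two\n"},
        "parameters": {},
        "test_fixtures": [{"name": "n", "expected": "negative"}],
        "false_positive_modes": [], "mitigations": [],
        "reference_implementations": [],
    },
]


def validate_spec(spec):
    """Return a list of schema/maturity errors; empty when the spec is valid."""
    errors = []
    for key in REQUIRED_KEYS:
        if key not in spec:
            errors.append(f"missing key: {key}")
    if spec.get("maturity") not in MATURITIES:
        errors.append(f"unknown maturity: {spec.get('maturity')!r}")
    labels = PATH_RE.findall(spec.get("detection_logic", {}).get("pseudocode", ""))
    if not labels:
        errors.append("pseudocode defines no PATH")
    elif len(set(labels)) != len(labels):
        errors.append("duplicate PATH labels (paths must be orthogonal)")
    fixtures = spec.get("test_fixtures", [])
    for fixture in fixtures:
        if fixture.get("expected") not in ("positive", "negative"):
            errors.append(f"fixture {fixture.get('name')!r} lacks a positive/negative expectation")
    positives = sum(1 for f in fixtures if f.get("expected") == "positive")
    # Legend rules: stable requires a positive fixture; draft carries none.
    if spec.get("maturity") == "stable" and positives == 0:
        errors.append("stable spec without a positive fixture")
    if spec.get("maturity") == "draft" and positives > 0:
        errors.append("draft spec should not carry a positive fixture")
    return errors


def build_index(specs):
    """Per-tactic counts and maturity distribution over the valid specs only."""
    valid = [s for s in specs if not validate_spec(s)]
    return {
        "total": len(valid),
        "per_tactic": dict(Counter(s["tactic"] for s in valid)),
        "maturity": dict(Counter(s["maturity"] for s in valid)),
    }


if __name__ == "__main__":
    for spec in SAMPLE_SPECS:
        print(spec["id"], validate_spec(spec) or "ok")
    print(build_index(SAMPLE_SPECS))
```

The distinct-label check is the only orthogonality property a validator can enforce mechanically; whether PATH A and PATH B really key on independent evidence still has to be judged at review time, which is why the legend ties maturity to fixtures rather than to the pseudocode alone.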

✅ OAK-T1 — Token Genesis (7/7)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T1.001 — Modifiable Tax Function | 🟢 stable | T1.001-modifiable-tax-function.yml |
| OAK-T1.002 — Token-2022 Permanent Delegate Authority | 🔵 observed | T1.002-token-2022-permanent-delegate.yml |
| OAK-T1.003 — Renounced-But-Not-Really (Proxy-Upgrade Backdoor) | 🟢 stable | T1.003-renounced-but-not-really.yml |
| OAK-T1.004 — Blacklist / Pausable Transfer Weaponization | 🟢 stable | T1.004-blacklist-pausable-weaponization.yml |
| OAK-T1.005 — Hidden Fee-on-Transfer | 🟢 stable | T1.005-hidden-fee-on-transfer.yml |
| OAK-T1.006 — Honeypot-by-Design | 🟡 emerging | T1.006-honeypot-by-design.yml |
| OAK-T1.007 — Token-2022 Transfer-Hook Abuse | 🟡 emerging | T1.007-token-2022-transfer-hook-abuse.yml |

✅ OAK-T2 — Liquidity Establishment (5/5)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T2.001 — Single-Sided Liquidity Plant | 🟢 stable | T2.001-single-sided-liquidity-plant.yml |
| OAK-T2.002 — Locked-Liquidity Spoof | 🟢 stable | T2.002-locked-liquidity-spoof.yml |
| OAK-T2.003 — Cross-Chain Locked-Liquidity Spoof | 🔵 observed | T2.003-cross-chain-locked-liquidity-spoof.yml |
| OAK-T2.004 — Initial-Liquidity Backdoor | 🔵 observed | T2.004-initial-liquidity-backdoor.yml |
| OAK-T2.005 — Token Metadata Spoofing | 🔵 observed | T2.005-token-metadata-spoofing.yml |

✅ OAK-T3 — Holder Capture (6/6)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T3.001 — Sybil-Bundled Launch | 🟢 stable | T3.001-sybil-bundled-launch.yml |
| OAK-T3.002 — Wash-Trade Volume Inflation | 🟢 stable | T3.002-wash-trade-volume.yml |
| OAK-T3.003 — Coordinated Pump-and-Dump | 🟢 stable | T3.003-pump-and-dump-coordination.yml |
| OAK-T3.004 — Influencer-Amplified Promotion-and-Dump | 🟡 emerging | T3.004-influencer-amplified-promotion-and-dump.yml |
| OAK-T3.005 — Fake-Validator Staking-Frontend Phishing | 🟡 emerging | T3.005-fake-validator-staking-frontend-phishing.yml |
| OAK-T3.006 — Insider Multi-Vector Supply Extraction | 🟡 emerging | T3.006-insider-multi-vector-supply-extraction.yml |

✅ OAK-T4 — Access Acquisition (11/11)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T4.001 — Permit2 Signature-Based Authority Misuse | 🟢 stable | T4.001-permit2-authority-misuse.yml |
| OAK-T4.002 — Compromised Front-End Permit Solicitation | 🔵 observed | T4.002-compromised-frontend-permit-solicitation.yml |
| OAK-T4.003 — Address Poisoning | 🟢 stable | T4.003-address-poisoning.yml |
| OAK-T4.004 — Allowance / Approve-Pattern Drainer | 🟢 stable | T4.004-allowance-approve-drainer.yml |
| OAK-T4.005 — setApprovalForAll NFT Drainer | 🟢 stable | T4.005-setapprovalforall-nft-drainer.yml |
| OAK-T4.006 — WalletConnect Session Hijack | 🔵 observed | T4.006-walletconnect-session-hijack.yml |
| OAK-T4.007 — Native-app Social Phishing on Engagement-Weighted Platforms | 🟡 emerging | T4.007-native-app-social-phishing-engagement-weighted-platforms.yml |
| OAK-T4.008 — Fake-DEX Clone-Frontend Phishing | 🟡 emerging | T4.008-fake-dex-clone-frontend-phishing.yml |
| OAK-T4.009 — Pre-token Brand-Anticipation Phishing | 🟡 emerging | T4.009-pre-token-brand-anticipation-phishing.yml |
| OAK-T4.010 — Fake Security-Tool / Browser-Extension Phishing | 🟡 emerging | T4.010-fake-security-tool-browser-extension-phishing.yml |
| OAK-T4.011 — Push-Notification Infrastructure Compromise | 🟡 emerging | T4.011-push-notification-infrastructure-compromise.yml |

✅ OAK-T5 — Value Extraction (8/8)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T5.001 — Hard LP Drain | 🟢 stable | T5.001-hard-lp-drain.yml |
| OAK-T5.002 — Slow LP Trickle Removal | 🟡 emerging | T5.002-slow-lp-trickle-removal.yml |
| OAK-T5.003 — Hidden-Mint Dilution | 🟢 stable | T5.003-hidden-mint-dilution.yml |
| OAK-T5.004 — Sandwich / MEV Extraction | 🟢 stable | T5.004-sandwich-mev-extraction.yml |
| OAK-T5.005 — Treasury-Management Exit | 🟢 stable | T5.005-treasury-management-exit.yml |
| OAK-T5.006 — Vesting Cliff Dump | 🟡 emerging | T5.006-vesting-cliff-dump.yml |
| OAK-T5.007 — Third-party Brand-impersonation Custodial Soft-rug | 🟡 emerging | T5.007-third-party-brand-impersonation-custodial-soft-rug.yml |
| OAK-T5.008 — Ransomware Extortion Payment | ⚪ draft | T5.008-ransomware-extortion-payment.yml |

✅ OAK-T6 — Defense Evasion (8/8)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T6.001 — Source-Verification Mismatch | 🟢 stable | T6.001-source-verification-mismatch.yml |
| OAK-T6.002 — Fake Audit-Claim | 🔵 observed | T6.002-fake-audit-claim.yml |
| OAK-T6.003 — Audit-of-Different-Bytecode-Version | 🟢 stable | T6.003-audit-of-different-bytecode-version.yml |
| OAK-T6.004 — Audit-Pending Marketing Claim | 🔵 observed | T6.004-audit-pending-marketing-claim.yml |
| OAK-T6.005 — Proxy-Upgrade Malicious Switching | 🟡 emerging | T6.005-proxy-upgrade-malicious-switching.yml |
| OAK-T6.006 — Counterfeit Token Impersonation | 🟡 emerging | T6.006-counterfeit-token-impersonation.yml |
| OAK-T6.007 — Trust-substrate Shift / Vendor-side Promise Revocation | 🟡 emerging | T6.007-trust-substrate-shift-vendor-promise-revocation.yml |
| OAK-T6.008 — Verified-but-Malicious Frontend Routing | 🟡 emerging | T6.008-verified-but-malicious-frontend-routing.yml |

✅ OAK-T7 — Laundering (10/10)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T7.001 — Mixer-Routed Hop | 🟢 stable | T7.001-mixer-routed-hop.yml |
| OAK-T7.002 — CEX Deposit-Address Layering | 🟢 stable | T7.002-cex-deposit-layering.yml |
| OAK-T7.003 — Cross-Chain Bridge Laundering | 🟢 stable | T7.003-cross-chain-bridge-laundering.yml |
| OAK-T7.004 — NFT Wash-Laundering | 🔵 observed | T7.004-nft-wash-laundering.yml |
| OAK-T7.005 — Privacy-Chain Hops | 🟢 stable | T7.005-privacy-chain-hops.yml |
| OAK-T7.006 — DeFi Yield-Strategy Laundering | 🔵 observed | T7.006-defi-yield-strategy-laundering.yml |
| OAK-T7.007 — DEX Aggregator Routing Laundering | 🟡 emerging | T7.007-dex-aggregator-routing-laundering.yml |
| OAK-T7.008 — Stablecoin Issuer Freeze-Asymmetry Laundering | 🟡 emerging | T7.008-stablecoin-issuer-freeze-asymmetry-laundering.yml |
| OAK-T7.009 — Sanctioned-Entity and Illicit-Purpose Financing | 🔵 observed | T7.009-sanctioned-entity-illicit-purpose-financing.yml |
| OAK-T7.010 — Travel Rule Evasion | 🔵 observed | T7.010-travel-rule-evasion.yml |

✅ OAK-T8 — Operator Continuity / Attribution Signals (5/5)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T8.001 — Common-Funder Cluster Reuse | 🟢 stable | T8.001-cluster-reuse.yml |
| OAK-T8.002 — Cross-Chain Operator Continuity | 🔵 observed | T8.002-cross-chain-operator-continuity.yml |
| OAK-T8.003 — On-Chain Transaction Graph De-Anonymization | 🔵 observed | T8.003-on-chain-transaction-graph-de-anonymization.yml |
| OAK-T8.004 — Exchange Account Farming / Sybil Account Creation | 🔵 observed | T8.004-exchange-account-farming-sybil-accounts.yml |
| OAK-T8.005 — Operational Security Procedural Failure (Non-Technical OpSec) | 🟢 stable | T8.005-operational-security-procedural-failure.yml |

✅ OAK-T9 — Smart-Contract Exploit (19/19)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T9.001 — Oracle Price Manipulation | 🟢 stable | T9.001-oracle-price-manipulation.yml |
| OAK-T9.002 — Flash-Loan-Enabled Exploit | 🟢 stable | T9.002-flash-loan-enabled-exploit.yml |
| OAK-T9.003 — Governance Attack | 🟢 stable | T9.003-governance-attack.yml |
| OAK-T9.004 — Access-Control Misconfiguration | 🟢 stable | T9.004-access-control-misconfiguration.yml |
| OAK-T9.005 — Reentrancy | 🟢 stable | T9.005-reentrancy.yml |
| OAK-T9.006 — Subjective-Oracle Resolution Manipulation | 🟡 emerging | T9.006-subjective-oracle-resolution-manipulation.yml |
| OAK-T9.006.001 — DVM Vote Capture by Economically-Interested Holder | 🟡 emerging | T9.006.001-dvm-vote-capture.yml |
| OAK-T9.006.002 — Resolution-Spec Ambiguity Exploitation | 🟡 emerging | T9.006.002-resolution-spec-ambiguity-exploitation.yml |
| OAK-T9.006.003 — Off-chain Resolution-Source Coercion | 🟡 emerging | T9.006.003-off-chain-resolution-source-coercion.yml |
| OAK-T9.006.004 — Operational-Insider Trading on Subjective-Resolution Prediction Markets | 🟡 emerging | T9.006.004-operational-insider-trading.yml |
| OAK-T9.006.005 — Platform-Override of Oracle Outcome | 🟡 emerging | T9.006.005-platform-override-oracle-outcome.yml |
| OAK-T9.007 — Fork-Substrate Vulnerability (Not Mitigated at Fork Time) | 🟢 stable | T9.007-fork-substrate-vulnerability-not-mitigated.yml |
| OAK-T9.008 — Diamond-Pattern Facet-Audit Incomplete | 🟡 emerging | T9.008-diamond-pattern-facet-audit-incomplete.yml |
| OAK-T9.009 — Cross-Contract Reinitialization Attack | 🟡 emerging | T9.009-cross-contract-reinitialization-attack.yml |
| OAK-T9.010 — Read-Only Reentrancy | 🟡 emerging | T9.010-read-only-reentrancy.yml |
| OAK-T9.011 — Precision-Loss Rounding Attack | 🟢 stable | T9.011-precision-loss-rounding-attack.yml |
| OAK-T9.012 — Initial Liquidity Sandwich Attack | 🟡 emerging | T9.012-initial-liquidity-sandwich-attack.yml |
| OAK-T9.013 — Slippage-Manipulation Sandwich Attack | 🔵 observed | T9.013-slippage-manipulation-sandwich-attack.yml |
| OAK-T9.014 — Protocol-Client Consensus Bug | 🟡 emerging | T9.014-protocol-client-consensus-bug.yml |

✅ OAK-T10 — Bridge and Cross-Chain (8/8)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T10.001 — Validator / Signer Key Compromise | 🟢 stable | T10.001-validator-signer-key-compromise.yml |
| OAK-T10.002 — Message-Verification Bypass | 🟢 stable | T10.002-message-verification-bypass.yml |
| OAK-T10.003 — Cross-Chain Replay | 🔵 observed | T10.003-cross-chain-replay.yml |
| OAK-T10.004 — Optimistic-Bridge Fraud-Proof Gap | 🔵 observed | T10.004-optimistic-bridge-fraud-proof-gap.yml |
| OAK-T10.005 — Light-Client Verification Bypass | 🔵 observed | T10.005-light-client-verification-bypass.yml |
| OAK-T10.006 — Cross-Chain Governance Relay Attack | 🟡 emerging | T10.006-cross-chain-governance-relay-attack.yml |
| OAK-T10.007 — Bridge Validator Economic-Incentive Misalignment | 🟡 emerging | T10.007-bridge-validator-economic-incentive-misalignment.yml |
| OAK-T10.008 — Bridge Observer Signature Scope Truncation | 🟡 emerging | T10.008-bridge-observer-signature-scope-truncation.yml |

✅ OAK-T11 — Custody and Signing Infrastructure (21/21)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T11.001 — Third-Party Signing-Vendor UI / Signing-Flow Compromise | 🟢 stable | T11.001-third-party-signing-vendor-compromise.yml |
| OAK-T11.002 — Wallet-Software Distribution Compromise | 🟢 stable | T11.002-wallet-software-distribution-compromise.yml |
| OAK-T11.003 — In-Use Multisig Smart-Contract Manipulation | 🔵 observed | T11.003-multisig-contract-manipulation.yml |
| OAK-T11.004 — Insufficient-Entropy Key Generation | 🟢 stable | T11.004-insufficient-entropy-key-generation.yml |
| OAK-T11.005 — Operator-side Fake-Platform Fraud | 🟡 emerging | T11.005-operator-side-fake-platform-fraud.yml |
| OAK-T11.005.001 — Fake-CEX / Pig-Butchering Platform | 🟡 emerging | T11.005.001-fake-cex-pig-butchering-platform.yml |
| OAK-T11.005.002 — Fake-Custodian / Fake-Asset-Manager Fraud | 🔵 observed | T11.005.002-fake-custodian-fake-asset-manager-fraud.yml |
| OAK-T11.005.003 — Compound-Operated Investment-Fraud Platforms | 🟡 emerging | T11.005.003-compound-operated-investment-fraud-platforms.yml |
| OAK-T11.006 — Cold-storage Seed-phrase Exfiltration at Rest | 🟡 emerging | T11.006-cold-storage-seed-phrase-exfiltration-at-rest.yml |
| OAK-T11.006.001 — User-Initiated Plaintext-Equivalent Seed Storage | 🟡 emerging | T11.006.001-user-initiated-plaintext-seed-storage.yml |
| OAK-T11.006.002 — Implicit Cloud-Custody via Default-On Cloud-Backup | 🟡 emerging | T11.006.002-implicit-cloud-custody-default-backup.yml |
| OAK-T11.007 — Hardware-wallet Supply-chain / Physical-access Compromise | 🟡 emerging | T11.007-hardware-wallet-supply-chain-physical-access-compromise.yml |
| OAK-T11.007.001 — Counterfeit-Hardware Substitution | 🟡 emerging | T11.007.001-counterfeit-hardware-substitution.yml |
| OAK-T11.007.002 — Physical-Access Hardware-Side Seed Extraction | 🟡 emerging | T11.007.002-physical-access-hardware-seed-extraction.yml |
| OAK-T11.007.003 — Brand-Trust-Leveraged Active Phishing for Seed-Phrase Exfiltration | 🟡 emerging | T11.007.003-brand-trust-active-phishing-seed-exfiltration.yml |
| OAK-T11.008 — Embedded-Wallet Identity-Provider Compromise | 🟡 emerging | T11.008-embedded-wallet-identity-provider-compromise.yml |
| OAK-T11.009 — Trader-Tooling Supply-Chain Compromise targeting .env Private Keys | 🟡 emerging | T11.009-trader-tooling-supply-chain-env-key-compromise.yml |
| OAK-T11.010 — Off-chain Counterparty-Risk Insolvency | 🟡 emerging | T11.010-off-chain-counterparty-risk-insolvency.yml |
| OAK-T11.011 — Multi-chain Key-store Co-location | 🟡 emerging | T11.011-multi-chain-key-store-co-location.yml |
| OAK-T11.012 — Server-side Raw Private-Key Storage (Custodial Trading-Bot Anti-pattern) | 🟡 emerging | T11.012-server-side-raw-private-key-storage.yml |
| OAK-T11.013 — Legacy-Version Maintenance Attack Surface | 🟡 emerging | T11.013-legacy-version-maintenance-attack-surface.yml |

✅ OAK-T12 — NFT-Specific Patterns (5/5)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T12.001 — NFT Wash-Trade Volume Inflation | 🔵 observed | T12.001-nft-wash-trade-volume-inflation.yml |
| OAK-T12.002 — Fake-Mint / Counterfeit Collection | 🟢 stable | T12.002-fake-mint-counterfeit-collection.yml |
| OAK-T12.003 — Royalty Bypass / Marketplace Manipulation | 🔵 observed | T12.003-royalty-bypass-marketplace-manipulation.yml |
| OAK-T12.004 — Timelock-Free Protocol Upgrade Execution | 🟡 emerging | T12.004-timelock-free-protocol-upgrade-execution.yml |
| OAK-T12.005 — Flash-Loan Governance Vote Manipulation | 🟡 emerging | T12.005-flash-loan-governance-vote-manipulation.yml |

✅ OAK-T13 — Account Abstraction Attacks (8/8)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T13.001 — Paymaster Compromise | 🔵 observed | T13.001-paymaster-compromise.yml |
| OAK-T13.001.001 — Paymaster Accounting Drain | 🔵 observed | T13.001.001-paymaster-accounting-drain.yml |
| OAK-T13.001.002 — Paymaster Policy Bypass | 🔵 observed | T13.001.002-paymaster-policy-bypass.yml |
| OAK-T13.001.003 — Paymaster Reentrancy | 🔵 observed | T13.001.003-paymaster-reentrancy.yml |
| OAK-T13.001.004 — Paymaster Griefing | 🔵 observed | T13.001.004-paymaster-griefing.yml |
| OAK-T13.002 — Bundler MEV | 🟡 emerging | T13.002-bundler-mev.yml |
| OAK-T13.003 — Session-Key Hijacking | 🟡 emerging | T13.003-session-key-hijacking.yml |
| OAK-T13.004 — EIP-7702 Delegation Abuse | 🟡 emerging | T13.004-eip7702-delegation-abuse.yml |

✅ OAK-T14 — Validator / Staking / Restaking Attacks (7/7)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T14.001 — Slashing-Condition Exploit | 🟡 emerging | T14.001-slashing-condition-exploit.yml |
| OAK-T14.002 — MEV-Boost Relay Attack | 🟢 stable | T14.002-mev-boost-relay-attack.yml |
| OAK-T14.003 — Restaking Cascading Risk | 🟡 emerging | T14.003-restaking-cascading-risk.yml |
| OAK-T14.003.001 — LST/LRT Depeg-Cascade as Constrained-Primitive Sub-class | 🟡 emerging | T14.003.001-lst-lrt-depeg-cascade-constrained-primitive.yml |
| OAK-T14.004 — Liquid Restaking Token Pricing Manipulation | 🟡 emerging | T14.004-liquid-restaking-token-pricing-manipulation.yml |
| OAK-T14.005 — Builder Censorship MEV Extraction | 🟡 emerging | T14.005-builder-censorship-mev-extraction.yml |
| OAK-T14.006 — Validator/Proposer Liveness-Fault Griefing | 🟡 emerging | T14.006-validator-proposer-liveness-fault-griefing.yml |

✅ OAK-T15 — Off-chain Entry-Vector / Pre-Positioning (6/6)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T15.001 — Social Engineering of Operator Personnel | 🟡 emerging | T15.001-social-engineering-of-operator-personnel.yml |
| OAK-T15.002 — Supply-Chain / Vendor-Pipeline Compromise | 🟡 emerging | T15.002-supply-chain-vendor-pipeline-compromise.yml |
| OAK-T15.003 — Operator-Endpoint Compromise (Developer Workstation / Signing Machine) | 🟡 emerging | T15.003-operator-endpoint-compromise.yml |
| OAK-T15.004 — Operator-Side Credential Compromise (SSO / Cloud / Registrar / DNS / Package Registry) | 🟡 emerging | T15.004-operator-credential-compromise.yml |
| OAK-T15.005 — Operator-Communication-Channel Takeover (Discord / X / Telegram) | 🟡 emerging | T15.005-operator-communication-channel-takeover.yml |
| OAK-T15.006 — Impersonation via Verified Social-Account Compromise | 🟡 emerging | T15.006-impersonation-via-verified-social-account-compromise.yml |

✅ OAK-T16 — Governance / Voting Manipulation (5/5)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T16.001 — Vote Takeover via Flash-Loan | 🟡 emerging | T16.001-vote-takeover-via-flash-loan.yml |
| OAK-T16.002 — Hostile-Vote Treasury Drain | 🟡 emerging | T16.002-hostile-vote-treasury-drain.yml |
| OAK-T16.003 — Delegation-Cluster Vote Takeover | 🟡 emerging | T16.003-delegation-cluster-vote-takeover.yml |
| OAK-T16.004 — Snapshot / Off-chain Voting Exploitation | ⚪ draft | T16.004-snapshot-off-chain-voting-exploitation.yml |
| OAK-T16.005 — Malicious Proposal Snowballing | 🟡 emerging | T16.005-malicious-proposal-snowballing.yml |

✅ OAK-T17 — Market Manipulation (5/5)

| Technique | Maturity | Spec |
|---|---|---|
| OAK-T17.001 — Cross-Venue Arbitrage-Driven Price-Discovery Distortion | ⚪ draft | T17.001-cross-venue-arbitrage-price-distortion.yml |
| OAK-T17.002 — Liquidation-Cascade Engineering | 🟡 emerging | T17.002-liquidation-cascade-engineering.yml |
| OAK-T17.003 — Spoofing / Cancel-Flood Order-Book Manipulation | ⚪ draft | T17.003-orderbook-spoofing-cancel-flood.yml |
| OAK-T17.004 — TWAP / Time-Window Manipulation Against DAO Treasury / Vesting Math | ⚪ draft | T17.004-twap-window-manipulation.yml |
| OAK-T17.005 — TWAP Oracle Manipulation via Multi-Block MEV | 🔵 observed | T17.005-multi-block-mev-twap-oracle-manipulation.yml |

Updated automatically when tools/build_specs_index.py runs as part of npm run site:data. Last regenerated from corpus state at 2026-05-16T08:36:38+00:00.