Definition
An attack vector is a defined avenue through which an attacker can gain unauthorized influence over a system’s integrity, availability, or confidentiality. In blockchain and smart contract security, it refers to the concrete mechanism, state, or interaction pattern that can be exploited to trigger unintended behavior or extract value. Attack vectors can arise from protocol design flaws, implementation errors, or unsafe assumptions about external components such as an Oracle.
Unlike a general vulnerability, which is a weakness in the system, an attack vector describes how that weakness is practically reached and leveraged by an adversary. For example, a Reentrancy condition in a smart contract is a vulnerability, while the sequence of calls and state changes that make it exploitable forms the attack vector. Security reviews, Bug Bounty programs, and White Hat research focus on identifying and characterizing attack vectors before they are turned into a live Exploit.
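The distinction above, as an added example that is not part of the original page: a Python model of a vault in which the weakness is the ordering of the state update and the external call, and the attack vector is the recorded sequence of calls that reaches it. All names and balances are hypothetical and constructed for illustration; the `safe` flag switches to updating state before the external call.

```python
class Vault:
    """Toy ledger (hypothetical). `safe` zeroes the balance before the external call."""

    def __init__(self, safe):
        self.safe = safe
        self.balances = {}
        self.pool = 0
        self.trace = []  # ordered record of calls: the attack vector, if any

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.pool += amount

    def withdraw(self, who, on_receive):
        amount = self.balances.get(who, 0)
        if amount == 0 or self.pool < amount:
            self.trace.append(f"withdraw({who}) rejected")
            return
        if self.safe:
            self.balances[who] = 0  # effect first, then interaction
        self.pool -= amount
        self.trace.append(f"send {amount} to {who}")
        on_receive(amount)  # external call: control leaves the vault here
        if not self.safe:
            self.balances[who] = 0  # weakness: state updated after the call

    def solvent(self):
        # Invariant a reviewer or monitor can check: funds cover all balances.
        return self.pool >= sum(self.balances.values())


def run(safe):
    """Replay the same interaction pattern against either ordering."""
    vault = Vault(safe)
    vault.deposit("alice", 10)  # constructed sample balances
    vault.deposit("bob", 10)
    received = []

    def reenter(amount):  # recipient callback that calls back into withdraw
        received.append(amount)
        if len(received) < 3:  # bounded so the model always terminates
            vault.withdraw("bob", reenter)

    vault.withdraw("bob", reenter)
    return sum(received), vault.pool, vault.solvent(), vault.trace


if __name__ == "__main__":
    for safe in (False, True):
        print("safe" if safe else "vulnerable", run(safe))
```

With the vulnerable ordering the trace shows two sends against one balance and the solvency invariant fails; with the safe ordering the nested call is rejected and the invariant holds.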
Context and Usage
In advanced crypto security discussions, the term attack vector is used to categorize and communicate the precise route of potential compromise within complex, composable systems. It can describe low-level issues in smart contract logic, cross-contract interactions, protocol-level incentive failures, or dependencies on off-chain data sources and infrastructure. Mapping attack vectors helps formalize the threat model of a protocol and clarify which assumptions, such as the trustworthiness of an Oracle, are most critical.
Attack vectors are often documented in post-mortems of incidents, where the full chain of conditions leading to an Exploit is reconstructed. They also appear in Bug Bounty disclosures, where White Hat researchers specify the exact preconditions and transaction patterns required to trigger the issue. Over time, recurring attack vectors, such as those involving Reentrancy or misconfigured access controls, become standard categories in security taxonomies and inform best practices for protocol design and auditing.