Blockchain Purple Team — Meta-Security & Structural Gap Analysis
When to Use This vs Others
- Use this (Purple Team) when Black/Red findings exist but you need structural gap analysis and cross-team coverage mapping.
- Use
blockchain-black-teamfor known exploit patterns grounded in historical incidents. - Use
blockchain-red-teamfor novel offensive technique discovery and defense-bypass pressure testing.
Find what Black Team and Red Team cannot see — but do not confuse exposure with exploitability. Structural blind spots are useful internally; external vulnerability reports should be exploitability-backed whenever possible.
Reference Map
- Read
references/exploitability-gate.mdbefore deciding whether a finding is a real vulnerability or just an interesting exposure. - Read
references/reporting-thresholds.mdwhen deciding whether a finding stays internal or is strong enough for external disclosure. - Read
references/disclosure-templates.mdwhen preparing a message for a project team, security inbox, bug bounty form, or maintainer. - Read
references/purple-team-pipeline.mdwhen running Purple Team as an end-to-end workflow from intake to validation to disclosure. - Read
references/project-execution-template.mdwhen opening a new testnet project review. - Read
references/triad-investigation-template.mdwhen combining Black, Red, and Purple outputs into one packet. - Read
references/disclosure-tracker-format.mdwhen tracking sent findings, acknowledgements, fixes, and retests.
When to Use
- Post-audit gap analysis ("what did the auditors miss?")
- Cross-team coverage assessment (Black + Red + Blue coverage map)
- Architecture-level security review (not code, but system design)
- Operational security assessment (key management, deployment, monitoring)
- Systemic risk modeling (correlation, cascade, contagion)
- Defense effectiveness validation (do the patches actually work?)
Purple Team Unique Perspective
| Team | Question | Time | Level | |---|---|---|---| | Black | "What attacks happened?" | Past | Code | | Red | "What attacks are possible?" | Future | Code | | Purple | "Why do defenses fail?" | Meta | Architecture + Operations |
Five Pillars of Analysis
Pillar 1: Audit Failure Patterns
Why do professional audits miss critical vulnerabilities?
Read references/audit-failures.md for patterns including:
- Scope blindness (auditor focuses on code, misses economic design)
- Assumption inheritance (auditor trusts external dependencies)
- Temporal blindness (point-in-time audit vs evolving protocol)
- Composition blindness (individual components audited separately)
Pillar 2: Defense Bypass Evolution
How do patched vulnerabilities get re-exploited?
Read references/defense-evolution.md for patterns including:
- Patch regression (fix breaks something else)
- Variant attacks (same root cause, different vector)
- Defense decay (defense valid at deployment, invalid after upgrades)
- Incomplete fix (root cause unaddressed, symptom patched)
Pillar 3: Systemic Composition Risk
When individually safe components create dangerous combinations.
Analysis framework:
- Map all trust boundaries (on-chain ↔ off-chain ↔ oracle ↔ frontend)
- For each boundary: "What happens if the other side lies?"
- Map all state dependencies (A reads from B, B reads from C)
- For each chain: "What's the longest stale-data path?"
- Map all authority overlaps (same key controls multiple things)
- For each overlap: "What's the blast radius of compromise?"
Pillar 4: Operational Security Gaps
Code is secure but operations fail.
Checklist:
- Key management (HSM vs file, rotation, backup, access control)
- Deployment (CI/CD security, binary verification, upgrade process)
- Monitoring (what's watched, what's not, alert fatigue, response time)
- Incident response (playbook exists? tested? who decides? communication)
- Dependency management (lockfiles, audit trail, update cadence)
Pillar 5: Economic Systemic Risk
Cross-protocol and macro-level risks.
Analysis:
- Collateral correlation (what happens when everything drops at once?)
- Liquidity dependency (which external liquidity sources are critical?)
- Oracle dependency (single oracle failure → cascade?)
- Governance capture (what's the cost of 51% control?)
- Contagion paths (protocol failure → which other protocols affected?)
Coverage Gap Detection
Method: Cross-Team Matrix
Build a matrix of [Attack Vectors × Defense Layers]:
| On-chain | Keeper | Oracle | Frontend | Ops |
Reentrancy | B+R | - | - | - | - |
Flash Loan | B+R | - | B | - | - |
Key Compromise | - | B | - | - | B |
Governance | B | - | - | - | - |
Cascade/Depeg | B | - | B | - | ? | ← GAP
...
Empty cells = coverage gaps. "?" = partially covered. Fill gaps with new analysis.
Method: Assumption Inventory
For every security property the protocol claims:
- State the assumption explicitly
- Ask: "Who/what can violate this assumption?"
- Ask: "What happens when it's violated?"
- Ask: "Is there detection? Is there recovery?"
Report Format
# Purple Team Report — {Protocol Name}
## Coverage Map
{Cross-team matrix with gap highlights}
## Structural Gaps Found: N
## Audit Failure Patterns Applicable: N
## {ID}: {Gap Description}
- **Pillar**: 1-5
- **Gap Type**: Coverage / Assumption / Composition / Operational / Systemic
- **Missed By**: Black / Red / Both
- **Why Missed**: {explanation}
- **Risk If Exploited**: {impact}
- **Recommendation**: {architecture/process change}
Cycling Protocol
Purple Team runs after Black+Red and reviews Blue fixes:
Black+Red → Blue fix → Purple review → Blue fix → ... → Full coverage
Purple validates that Blue fixes don't create new gaps.
Scan to join WeChat group