返回 Skill 列表
extension
分类: 开发与工程无需 API Key

blockchain-purple-team

元安全分析,发现黑队(历史模式)和红队(新技术)错过的结构差距。在分析为什么审计失败、为什么补丁被绕过、系统性风险模式、架构层面的漏洞或区块链协议中的操作安全失败时使用。触发于紫色团队、元安全、差距分析、审计失败分析、防御审查、架构安全、操作安全、系统性风险评估或跨团队覆盖分析。

person作者: jakexiaohubgithub

Blockchain Purple Team — Meta-Security & Structural Gap Analysis

When to Use This vs Others

  • Use this (Purple Team) when Black/Red findings exist but you need structural gap analysis and cross-team coverage mapping.
  • Use blockchain-black-team for known exploit patterns grounded in historical incidents.
  • Use blockchain-red-team for novel offensive technique discovery and defense-bypass pressure testing.

Find what Black Team and Red Team cannot see — but do not confuse exposure with exploitability. Structural blind spots are useful internally; external vulnerability reports should be exploitability-backed whenever possible.

Reference Map

  • Read references/exploitability-gate.md before deciding whether a finding is a real vulnerability or just an interesting exposure.
  • Read references/reporting-thresholds.md when deciding whether a finding stays internal or is strong enough for external disclosure.
  • Read references/disclosure-templates.md when preparing a message for a project team, security inbox, bug bounty form, or maintainer.
  • Read references/purple-team-pipeline.md when running Purple Team as an end-to-end workflow from intake to validation to disclosure.
  • Read references/project-execution-template.md when opening a new testnet project review.
  • Read references/triad-investigation-template.md when combining Black, Red, and Purple outputs into one packet.
  • Read references/disclosure-tracker-format.md when tracking sent findings, acknowledgements, fixes, and retests.

When to Use

  • Post-audit gap analysis ("what did the auditors miss?")
  • Cross-team coverage assessment (Black + Red + Blue coverage map)
  • Architecture-level security review (not code, but system design)
  • Operational security assessment (key management, deployment, monitoring)
  • Systemic risk modeling (correlation, cascade, contagion)
  • Defense effectiveness validation (do the patches actually work?)

Purple Team Unique Perspective

| Team | Question | Time | Level | |---|---|---|---| | Black | "What attacks happened?" | Past | Code | | Red | "What attacks are possible?" | Future | Code | | Purple | "Why do defenses fail?" | Meta | Architecture + Operations |

Five Pillars of Analysis

Pillar 1: Audit Failure Patterns

Why do professional audits miss critical vulnerabilities?

Read references/audit-failures.md for patterns including:

  • Scope blindness (auditor focuses on code, misses economic design)
  • Assumption inheritance (auditor trusts external dependencies)
  • Temporal blindness (point-in-time audit vs evolving protocol)
  • Composition blindness (individual components audited separately)

Pillar 2: Defense Bypass Evolution

How do patched vulnerabilities get re-exploited?

Read references/defense-evolution.md for patterns including:

  • Patch regression (fix breaks something else)
  • Variant attacks (same root cause, different vector)
  • Defense decay (defense valid at deployment, invalid after upgrades)
  • Incomplete fix (root cause unaddressed, symptom patched)

Pillar 3: Systemic Composition Risk

When individually safe components create dangerous combinations.

Analysis framework:

  1. Map all trust boundaries (on-chain ↔ off-chain ↔ oracle ↔ frontend)
  2. For each boundary: "What happens if the other side lies?"
  3. Map all state dependencies (A reads from B, B reads from C)
  4. For each chain: "What's the longest stale-data path?"
  5. Map all authority overlaps (same key controls multiple things)
  6. For each overlap: "What's the blast radius of compromise?"

Pillar 4: Operational Security Gaps

Code is secure but operations fail.

Checklist:

  • Key management (HSM vs file, rotation, backup, access control)
  • Deployment (CI/CD security, binary verification, upgrade process)
  • Monitoring (what's watched, what's not, alert fatigue, response time)
  • Incident response (playbook exists? tested? who decides? communication)
  • Dependency management (lockfiles, audit trail, update cadence)

Pillar 5: Economic Systemic Risk

Cross-protocol and macro-level risks.

Analysis:

  • Collateral correlation (what happens when everything drops at once?)
  • Liquidity dependency (which external liquidity sources are critical?)
  • Oracle dependency (single oracle failure → cascade?)
  • Governance capture (what's the cost of 51% control?)
  • Contagion paths (protocol failure → which other protocols affected?)

Coverage Gap Detection

Method: Cross-Team Matrix

Build a matrix of [Attack Vectors × Defense Layers]:

                | On-chain | Keeper | Oracle | Frontend | Ops |
Reentrancy      |  B+R     |  -     |  -     |  -       | -   |
Flash Loan      |  B+R     |  -     |  B     |  -       | -   |
Key Compromise  |  -       |  B     |  -     |  -       | B   |
Governance      |  B       |  -     |  -     |  -       | -   |
Cascade/Depeg   |  B       |  -     |  B     |  -       | ?   |  ← GAP
...

Empty cells = coverage gaps. "?" = partially covered. Fill gaps with new analysis.

Method: Assumption Inventory

For every security property the protocol claims:

  1. State the assumption explicitly
  2. Ask: "Who/what can violate this assumption?"
  3. Ask: "What happens when it's violated?"
  4. Ask: "Is there detection? Is there recovery?"

Report Format

# Purple Team Report — {Protocol Name}

## Coverage Map
{Cross-team matrix with gap highlights}

## Structural Gaps Found: N
## Audit Failure Patterns Applicable: N

## {ID}: {Gap Description}
- **Pillar**: 1-5
- **Gap Type**: Coverage / Assumption / Composition / Operational / Systemic
- **Missed By**: Black / Red / Both
- **Why Missed**: {explanation}
- **Risk If Exploited**: {impact}
- **Recommendation**: {architecture/process change}

Cycling Protocol

Purple Team runs after Black+Red and reviews Blue fixes:

Black+Red → Blue fix → Purple review → Blue fix → ... → Full coverage

Purple validates that Blue fixes don't create new gaps.