Combined Attack Patterns
Detects combinations of individually lower-severity issues that together form exploitable attack chains.
Combined Attack Patterns
Overview
The combo attacks detector identifies combinations of individually low/medium-severity findings that, when chained together, create exploitable attack vectors. A read-only reentrancy plus a stale price read might be individually medium severity, but together they enable a flash-loan-funded price manipulation attack.
Why This Is an Issue
Security auditors frequently find that major exploits require chaining multiple vulnerabilities. The Cream Finance V2 attack ($130M, 2021) combined flash loans, price oracle manipulation, and reentrancy. Individually, each weakness might be classified as medium severity, but the combination was critical.
Common combo patterns:
- Flash loan + oracle manipulation + reentrancy
- Missing access control + delegatecall + selfdestruct
- Signature replay + missing nonce + cross-chain deployment
How to Resolve
Address each individual finding in the chain. The combo detector links related findings so developers can prioritize the weakest link in the attack chain.
Examples
Sample Sigvex Output
{
"detector_id": "combo-attacks",
"severity": "medium",
"confidence": 0.65,
"description": "Attack chain detected: (1) Flash loan entry via flashLoan() at offset 0x4a, (2) Oracle price manipulation via getPrice() reading spot price at offset 0x8c, (3) Profitable exit via withdraw() at offset 0xb2. Individual findings are medium severity; chain severity is high.",
"location": { "function": "contract-level", "offset": 0 }
}Detection Methodology
- Finding aggregation: Collects all individual findings from other detectors.
- Pattern matching: Matches finding combinations against known attack chain templates (flash loan + oracle, reentrancy + unchecked call, etc.).
- Data flow linking: Verifies that findings are connected via data flow (output of one vulnerability feeds into another).
- Severity escalation: Combines individual severities using a weighted model where chains of medium findings escalate to high/critical.
Limitations
- Pattern matching is template-based; novel attack chains not in the template library are missed.
- Cross-contract attack chains (involving multiple contracts) are only partially analyzed.
- Confidence decreases with chain length due to compounding uncertainty.
Related Detectors
- Flash Loan — flash loan attack vectors
- Oracle Manipulation — oracle manipulation
- Reentrancy — reentrancy vulnerabilities