CCA Security, Risk, and Vulnerabilities Questions and Answers

Question 1

An auditor is reviewing a DeFi protocol and identifies a vulnerability where an attacker can borrow a massive amount of cryptocurrency without collateral, manipulate an asset's price on a decentralized exchange, and then repay the loan within the same transaction, profiting from the price difference. What is this type of exploit called?

Accepted Answer

Flash Loan Attack

Answer

A Flash Loan Attack involves borrowing uncollateralized funds that must be repaid within the same blockchain transaction. Attackers use this large, temporary capital to manipulate DeFi protocols, often by altering asset prices on an oracle or exchange, to extract value before repaying the loan.

Question 2

During a security audit of a Decentralized Autonomous Organization (DAO), which of the following findings represents the most significant governance risk?

Accepted Answer

A small number of addresses hold enough governance tokens to unilaterally pass proposals.

Answer

A concentration of governance tokens in a few wallets presents a major risk of centralization and a governance attack. This scenario allows a small group to control the DAO's decisions, potentially passing malicious proposals to drain the treasury or alter rules for their own benefit, defeating the purpose of decentralization.

Question 3

An auditor is examining a Proof-of-Work blockchain and is concerned about an attack where a single entity or pool gains control of more than 50% of the network's hash rate. What is the primary risk associated with this type of attack?

Accepted Answer

The attacker can prevent new transactions from being confirmed and can double-spend their own coins.

Answer

A 51% attack grants the attacker control over the block creation process. This allows them to censor transactions by refusing to include them in new blocks and, more critically, to perform a double-spend by creating a private chain where they reverse their own recent transactions and then publish this longer chain to the network.

Question 4

A smart contract audit reveals a critical flaw. The contract's `withdraw` function first sends funds to an external address and then updates the user's internal balance afterward. An attacker could exploit this by creating a contract that calls the `withdraw` function repeatedly before the balance is updated. This vulnerability is known as a:

Accepted Answer

Reentrancy Attack

Answer

This scenario describes a classic Reentrancy Attack. The vulnerability occurs when a contract makes an external call to an untrusted contract before it resolves its own state changes (like updating a balance). The malicious contract can then "re-enter" the original function, calling it again to withdraw funds multiple times before the first call completes and the balance is updated.

Question 5

An auditor is assessing the security of a cross-chain bridge. Which of the following represents the MOST critical vulnerability, often leading to the largest exploits in this type of protocol?

Accepted Answer

Compromise of the centralized validator keys or multisig wallets that secure the bridge's assets.

Answer

Many cross-chain bridges rely on a small set of validators or a multisignature wallet to authorize the locking and unlocking of assets. If these private keys are compromised, attackers can gain direct control over the bridge's smart contracts and drain the entire pool of locked funds, which has historically resulted in exploits worth hundreds of millions of dollars.

(CCA) Certified Cryptocurrency Auditor Practice Test

(CCA) Certified Cryptocurrency Auditor Practice Test

CCA Security, Risk, and Vulnerabilities Questions and Answers