ANALYTICAL STANDARD

Methodology

Forensic Capital produces independent forensic intelligence on DeFi security incidents. Every report is built from primary, externally verifiable evidence — on-chain transaction traces, contract bytecode and storage, vendor and protocol post-mortems, and the cryptographic record of the event itself. Where a claim cannot be reconstructed from observable data, it is not made.

The analytical chain proceeds in four stages. First, observation: the incident is reconstructed transaction by transaction from chain data, with block heights, addresses, and call traces preserved as the evidentiary spine. Second, classification: each incident is assigned to the Forensic Capital Vulnerability Class Taxonomy, situating it by failure mechanism rather than by headline. This discipline matters — an event widely reported as one class of failure frequently resolves, on inspection, into another, and the distinction changes who is exposed and how it is remediated. Third, scoring: severity, defensibility, recovery probability, and blast radius are assessed against fixed published anchors, so that two analysts working the same evidence arrive at comparable figures. Fourth, corroboration: findings are cross-checked against multiple independent sources before a report is released.

Forensic Capital grounds its frameworks in established external standards. Vulnerability severity is expressed in CVSS terms. Failure mechanisms are mapped where applicable to MITRE classifications. Loss, cost, and recovery context draws on recognized industry baselines, including the IBM Cost of a Data Breach Report and the Verizon Data Breach Investigations Report.

The defensibility score is central. It measures how completely a finding can be reproduced from public and forensic data alone, without reliance on privileged access or unverifiable testimony. A high-tier report is one a reasonable reviewer could reconstruct independently and reach the same conclusion.

Forensic Capital does not disclose private operational methods, proprietary tooling, or the identities of sources. What it discloses is the standard every report is held to: evidence that is observable, classification that is consistent, and conclusions that are defensible on their own terms.

Vulnerability Class Taxonomy

FC-CLASS-001  Cross-Chain State Validation Failure  [CRITICAL]
  Failure to validate cross-chain state, allowing an attacker to forge proofs or bypass relay node consensus mechanisms. CVSS 9.0–10.0.

FC-CLASS-002  Privileged Key Compromise  [CRITICAL]
  Compromise of admin or governance private keys, enabling full protocol control without significant exploit cost. CVSS 8.5–10.0.

FC-CLASS-003  Oracle Price Manipulation  [HIGH]
  Manipulation of price oracles enabling forced liquidations or undercollateralized borrowing. CVSS 7.0–9.0.

FC-CLASS-004  Reentrancy  [HIGH]
  Recursive calls exploiting execution order before state updates to drain funds. CVSS 8.0–10.0.

FC-CLASS-005  Access Control  [HIGH]
  Insufficient access controls on critical functions permitting unauthorized calls. CVSS 7.0–10.0.

FC-CLASS-006  Economic Design Failure  [MEDIUM]
  Flaws in protocol economic mechanics (tokenomics, incentives) enabling governance attacks or destructive arbitrage. CVSS 7.0–9.5.

FC-CLASS-007  Flash Loan Attack  [HIGH]
  Use of flash loans to manipulate protocol state within a single atomic transaction. CVSS 8.0–10.0.