Blockchain Application Security · Morana, Singh & Piccoli · Wiley 2026 View PDF on GitHub
Interactive Learning Companion

Blockchain Application Security

Morana · Singh · Piccoli — Wiley, 2026 · 641 pages · 4 chapters + 9 appendices
How to Design Secure and Attack-Resilient Blockchain Applications
GitHub Repo
Total Pages
641
4 core chapters + 9 appendices
Primary Focus
dApp Security
Design, threat model, audit, deploy
Key Framework
PASTA
Process for Attack Simulation & Threat Analysis
Authors
3 Experts
Marco Morana · Harpreet Singh · Francesco Piccoli
📖 What This Book Is About

A practical, risk-centric guide to securing blockchain applications — specifically decentralised applications (dApps). It bridges the gap between blockchain fundamentals and real-world security engineering: cryptographic primitives, consensus algorithms, smart contract vulnerabilities, DeFi exploit case studies, and full threat-modelling walkthroughs. Security is treated not as an afterthought but as an architectural requirement baked into every design decision.

🎯 Who Should Read This
Blockchain Developers Security Architects Smart Contract Auditors DevSecOps Engineers Penetration Testers dApp Designers Web3 Builders CTOs / Field CISOs
⚡ Key Takeaways
  • Decentralisation doesn't eliminate risk — it spreads it across smart contracts, wallets, oracles, bridges, and consensus mechanisms
  • Security-by-design is not optional — architecture decisions made early determine exploitability forever (code is immutable on-chain)
  • PASTA threat modelling provides a 7-stage structured process to identify, analyse, and mitigate blockchain-specific threats
  • Real attack case studies — the 2016 DAO hack, DeFi exploits, wallet drains — show exactly how theory translates to loss of funds
Ch. 1
The Blockchain Technology Primer
Pages 1–119 · 14 sections

Your foundation. Covers DLT vs blockchain, node types (full, light, validator, archive), scalability layers (L1/L2, sharding, payment channels), hash functions (SHA-256, Keccak-256), digital signatures (ECDSA, EdDSA), Merkle trees, consensus algorithms (PoW, PoS, DPoS, PBFT, Raft), cryptocurrencies, digital wallets (hot/cold/hardware), smart contracts, token transactions, privacy techniques (zero-knowledge proofs, ring signatures, stealth addresses), DIDs, and the legal/regulatory landscape.

  • 1.2 History of Blockchain
  • 1.3 DLT and Blockchain
  • 1.4 Blockchain Networks
  • 1.5 Data Structure
  • 1.5.1 Hash Functions
  • 1.5.2 Digital Signatures
  • 1.5.3 Block Structure
  • 1.5.4 Merkle Trees
  • 1.5.6 Inherent Security Risks
  • 1.6 Consensus Algorithms
  • 1.7 Cryptocurrencies
  • 1.8 Digital Wallets
  • 1.10 Privacy Controls
  • 1.11 Identity Controls & DIDs
SHA-256ECDSA Merkle TreesPoW / PoS PBFTZero-Knowledge Proofs DIDs51% Attack Sybil AttackEclipse Attack
Ch. 2
Designing Secure Decentralised Applications
Pages 121–267 · 10 major sections

The design-phase security chapter. Covers dApp architectures (frontend, smart contracts, oracles, wallets), security requirements elicitation, secure design principles, securing APIs (OWASP API Top 10 for blockchain), protecting secrets and private keys, consensus algorithm vulnerabilities, token standards (ERC-20, ERC-721, ERC-1155), DEX integration security, DID security, and comprehensive smart contract security — reentrancy, integer overflow, access control, flash loan attacks. Every subsection pairs vulnerability identification with mitigation best practices.

  • 2.2 dApp Architectures
  • 2.3 Security Requirements
  • 2.4.1 Secure Design Principles
  • 2.4.2 Securing by Design
  • 2.4.3 Blockchain APIs
  • 2.4.4 Confidential Data
  • 2.4.5 Consensus Security
  • 2.4.6 Key Management
  • 2.4.7–8 Token & DEX Security
  • 2.4.10 Smart Contracts
ReentrancyFlash Loan Attacks Front-RunningAPI Vulnerabilities ERC-20 / ERC-721Key Management Security-by-DesignChecks-Effects-Interactions
Ch. 3
Mitigating Blockchain Vulnerabilities
Pages 269–459 · Largest chapter (~190 pages)

The intellectual core of the book. Introduces PASTA (Process for Attack Simulation and Threat Analysis) and applies all 7 stages exhaustively to a real DeFi lending/borrowing dApp case study — including full threat matrices, attack trees, vulnerability scoring (CVSS), risk registers, and mitigation plans. Also covers real incidents (DAO hack, wallet breaches), security-driven tooling (Slither, Mythril, Echidna, formal verification), and compliance/audit frameworks.

  • 3.1.3 Security Incidents & Lessons
  • 3.2.1 Intro to Threat Modelling
  • 3.2.2 PASTA Framework (7 Stages)
  • Stage I: Business Objectives
  • Stage II: Technical Scope
  • Stage III: App Decomposition
  • Stage IV: Threat Analysis
  • Stage V: Vulnerability Analysis
  • Stage VI: Attack Modelling
  • Stage VII: Risk Management
  • 3.2.4 Security-Driven Tools
  • 3.3 Compliance Auditing
PASTA MethodologyDeFi Exploit Analysis STRIDE / DREADAttack Trees Slither / MythrilFormal Verification CVSS ScoringRisk Registers
Ch. 4
Securing Blockchain Applications: Practical Examples
Pages 461–495 · Hands-on capstone

Hands-on implementation. Builds a complete ERC-20 dApp on AWS (Token.sol → Lambda → API Gateway → React frontend), then performs a layer-by-layer security review. Followed by comprehensive auditing tutorials covering smart contract vulnerabilities, automated tools (Slither, Mythril, Echidna), node software auditing, wallet security auditing, and full dApp audit methodology. Ends with a reporting framework and responsible disclosure best practices.

  • 4.2 dApp Creation (ERC-20 + AWS)
  • 4.2.3 API Gateway Setup
  • 4.2.4 React Frontend
  • 4.2.5 Security Review
  • 4.3.3.1 Reentrancy Audit
  • 4.3.3.2 Integer Over/Underflow
  • 4.3.3.3 DoS Patterns
  • 4.3.3.4 Access Control
  • 4.3.4 Audit Tools
  • 4.3.6–8 Node/Wallet/dApp Audit
Solidity / ERC-20AWS Lambda SlitherMythril Echidna (Fuzzing)Formal Verification Audit ReportingReentrancy Guard
📎 Appendices Quick Reference (A–I)
A · Threat Modelling Matrix
B · Threat → Weaknesses Mapping
C · Threat → Attack Paths
D · Attack Simulation Tests
E · Weakness Risk Ratings
F · Risks Mitigation Plan
G · Threats Risk Register
H · Attack Simulation Report
I · Risk Analysis Report
0
Correct
0
Answered
Score

A suggested 4-week self-study plan for working through this 641-page book. Adjust pace to your existing blockchain and security background. Each week builds on the previous.

Week 1 — Chapter 1
Blockchain Foundations & Cryptography
Read §1.1–1.6: DLT basics, node types, hash functions (SHA-256, Keccak), ECDSA signatures, Merkle trees, block structure, then §1.6 consensus algorithms — understand PoW, PoS, and BFT variants.

Practice: Draw a Merkle tree by hand. Explain how PoS differs from PoW in terms of security assumptions.
Key section: §1.5.6 — Inherent Security Risks of Blockchain Technology.
Week 2 — Chapter 1 (cont.) + Chapter 2 start
Wallets, Transactions, Privacy & dApp Architectures
Complete Ch. 1: §1.7–1.12 — cryptocurrencies, wallet types, smart contracts, token transactions, ZK proofs, DIDs, regulatory landscape. Then begin Ch. 2: §2.1–2.3 on dApp architectures and security requirements elicitation.

Practice: List security requirements for a hypothetical NFT marketplace. Categorise them (confidentiality, integrity, availability, non-repudiation).
Focus concept: How DIDs differ from centralised identity systems.
Week 3 — Chapter 2 (finish) + Chapter 3
Secure Design Patterns + PASTA Threat Modelling
Finish Ch. 2: §2.4 in full — secure design, API security, key management, token standards, DEX security, smart contract vulnerabilities (reentrancy, flash loans, access control).
Then Ch. 3: §3.1 incident case studies, PASTA 7-stage model (§3.2.2), and trace the DeFi case study (§3.2.3) stage by stage.

Practice: Apply PASTA Stage I–III to a simple voting dApp.
Key appendices: A (Threat Matrix), C (Attack Paths), G (Risk Register).
Week 4 — Chapter 4 + Appendices
Practical Auditing + Hands-On Implementation
Work through Ch. 4: build the ERC-20 + AWS example, then review each security layer. Read §4.3 auditing methodology — smart contracts, nodes, wallets, full dApps.
Review appendices D (Attack Simulation Tests), H (Simulation Report), I (Risk Analysis Report).

Capstone: Find an open-source Solidity contract on GitHub. Run Slither. Identify one real vulnerability using patterns from the book.
Tools to install: Slither, Mythril, Echidna, Hardhat, Foundry, Remix IDE.
🛠 Recommended Toolchain
Slither (Trail of Bits) Mythril Echidna (Fuzzing) Hardhat Foundry Remix IDE OpenZeppelin Contracts Ganache (local chain)