By AUJay
Decision-makers’ guide to modern Web3 pentesting: what changed post‑2024 (Dencun/EIP‑4844, ERC‑4337 v0.8/0.9, L2 fault proofs), how to scope and execute a real assessment across contracts, AA stacks, bridges, and ZK components, and how to operationalize monitoring and response.
Web3 Application Penetration Testing and Web3 Application Pentests: How to Pentest a Blockchain
Blockchain security moved fast in 2024–2025: Ethereum’s Dencun upgrade shifted data paths for rollups, account abstraction matured with EntryPoint v0.8/0.9 and EIP‑7702, and major L2s began turning on permissionless fault proofs. Effective penetration testing now requires treating your dapp as a system of chains, contracts, off‑chain services, and mempools—not just a repository of Solidity files. (eip4844.com)
Executive view: What’s new that changes your pentest scope in 2026
- Ethereum Dencun/EIP‑4844 introduced “blob” transactions persisted on beacon nodes and pruned after ~2 weeks; this changes data-availability assumptions, fee dynamics, and L2 incident blast radii. Pentests should validate how your rollup and analytics depend on short‑lived blob data versus calldata. (eip4844.com)
- OWASP released the Smart Contract Top 10 (2025) re‑ranking risks: Access Control and Price Oracle Manipulation rise to SC01/SC02, with Flash Loans and Unchecked External Calls explicitly listed. Use it to re‑baseline your risk register and test plan. (scs.owasp.org)
- ERC‑4337 EntryPoint v0.8 added native EIP‑7702 support, EIP‑712‑compatible UserOp hashing, and removed gas penalties below a threshold; EntryPoint v0.9 introduced getCurrentUserOpHash and changes to Paymaster ownership. Pentests must verify EntryPoint address selection, 7702 authorization handling, and bundler behaviors. (github.com)
- Real AA incidents and advisories (e.g., UserOperation packing/hash divergence, UniPass EntryPoint trust issue) mean “AA threat models” are table stakes. Validate canonical hashing, event/indexer alignment, and trusted EntryPoint pinning. (alchemy.com)
- L2 security posture evolved: Arbitrum’s BoLD went live (Feb 12, 2025) enabling permissionless validation; finalize/exit timelines and fraud‑proof assumptions changed. Your pentest must simulate withdrawal challenges and bridge failure modes under the new dispute windows. (docs.arbitrum.io)
- Operations tooling shifted: OpenZeppelin announced a phased sunset of Defender SaaS by July 1, 2026, emphasizing open‑source Relayer/Monitor. Review runbooks and monitoring migrations as part of security readiness. (blog.openzeppelin.com)
A practical Web3 pentest playbook for 2026
1) Scope: inventory the system, not just the contracts
Create a living inventory with trust boundaries for:
- On-chain: deployed contracts, proxies/implementations, libraries, upgrade authorities, L2 bridge contracts, and on‑chain governance. Include EntryPoint, paymasters, and any EIP‑7702 accounts if using AA. (github.com)
- Off‑chain: bundlers, indexers, relayers, keepers, price oracles, provers/sequencers, and any signer infra.
- Cross‑domain: bridges/messaging (e.g., LayerZero DVN‑AVS, CCIP, Wormhole‑style guardians), rollup inbox/outbox, and withdrawal paths. (dedaub.com)
- ZK stack: circuits/zkVM guest programs, proving keys, verification contracts, recursion/verifier routers. Track specific versions and CVEs where applicable (e.g., RISC Zero zkVM fixes in 2025). (nvd.nist.gov)
Map each boundary to concrete assumptions you will try to break (e.g., “price oracle can be manipulated if publishTime/confidence unchecked,” “bundler event hash divergence confuses off‑chain accounting,” “bridge validator quorum can stall or mis-route”). Use OWASP SCSVS/SCSTG as the control baseline for requirements and test coverage. (scs.owasp.org)
2) Threat modeling: align to today’s dominant exploit patterns
- Use the OWASP Smart Contract Top 10 (2025) to seed attack paths: SC01 Access Control, SC02 Price Oracle Manipulation, SC05 Reentrancy, SC07 Flash Loans, SC06 Unchecked External Calls, etc. Tie each to a concrete test case in your backlog. (scs.owasp.org)
- Include chain‑specific concerns introduced by Dencun blobs: blob data expiry, DA availability assumptions for off‑chain processors, and fallback logic when blobs are pruned. (eip4844.com)
- For rollups, incorporate permissionless fraud proof dynamics: withdrawal challenge windows under BoLD, griefing costs, and censorship resistance assumptions. (docs.arbitrum.io)
- For AA, model: EntryPoint version and address pinning, EIP‑7702 delegation lifecycle, bundler mempool behaviors, and canonical UserOp hashing verification. (github.com)
- For bridges, use research‑backed taxonomies: validator key compromise, initialization/config errors, message verification bugs; rely on independent SoK and monitoring research to inform scenarios. (arxiv.org)
Smart contract assessment: the modern baseline that actually finds bugs
- Static analysis with current rule sets
- Run Slither ≥0.11 with new domain‑specific detectors (e.g., Pyth/Chronicle feed checks, Optimism deprecations) and upgradeability checks (recently enhanced). Treat findings as hypotheses to confirm with tests. (github.com)
- Property/invariant testing at scale
- Foundry’s invariant fuzzing is the default for protocol‑level assertions (e.g., “sum of liabilities ≤ reserves,” “no under‑collateralized liquidation profits”). Configure depth and runs for realistic coverage (e.g., depth≥100, runs≥1,000–10,000 in CI). (rareskills.io)
- Specify properties with Scribble (e.g., #invariant, #if_succeeds) to instrument contracts and drive differential tests across upgrades. (docs.scribble.codes)
- Economic and oracle manipulation tests
- Create “oracle adversary” harnesses that violate Top 10 SC02: test publishTime/confidence checks on data feeds; Slither’s new detectors help spot unvalidated oracle fields. (github.com)
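An "oracle adversary" harness of the kind described above, as an added example (written for this article, not the page's or any vendor's code). The feed interface is a simplified, assumed shape modeled on a Pyth-style price struct (price, confidence, exponent, publish time); the vulnerable consumer trusts the raw value, the hardened consumer enforces sign, age and confidence checks, and the test-controlled feed publishes the kinds of values a lagging or manipulated oracle would. Contract names, thresholds and the feed id are constructed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Assumed feed shape for this example; adapt to the feed contract you integrate.
interface IPriceFeed {
    struct Price { int64 price; uint64 conf; int32 expo; uint256 publishTime; }
    function getPriceUnsafe(bytes32 id) external view returns (Price memory);
}

/// Vulnerable consumer: uses the raw value and ignores age, confidence and sign.
contract VulnerableConsumer {
    IPriceFeed public immutable feed;
    bytes32 public immutable feedId;
    constructor(IPriceFeed f, bytes32 id) { feed = f; feedId = id; }
    function price() external view returns (uint256) {
        return uint256(int256(feed.getPriceUnsafe(feedId).price));
    }
}

/// Hardened consumer: rejects non-positive, future-dated, stale or low-confidence prices.
contract HardenedConsumer {
    uint256 public constant MAX_AGE = 60;       // seconds since publishTime
    uint256 public constant MAX_CONF_BPS = 200; // conf must be <= 2% of price
    IPriceFeed public immutable feed;
    bytes32 public immutable feedId;
    constructor(IPriceFeed f, bytes32 id) { feed = f; feedId = id; }
    function price() external view returns (uint256) {
        IPriceFeed.Price memory p = feed.getPriceUnsafe(feedId);
        require(p.price > 0, "non-positive price");
        require(p.publishTime <= block.timestamp, "future-dated price");
        require(block.timestamp - p.publishTime <= MAX_AGE, "stale price");
        uint256 px = uint256(int256(p.price));
        require(uint256(p.conf) * 10_000 <= px * MAX_CONF_BPS, "confidence too wide");
        return px;
    }
}

/// Oracle adversary: a feed the test controls, so it can publish anything.
contract AdversaryFeed is IPriceFeed {
    Price internal current;
    function publish(int64 price_, uint64 conf, uint256 publishTime) external {
        current = Price(price_, conf, -8, publishTime);
    }
    function getPriceUnsafe(bytes32) external view returns (Price memory) { return current; }
}

contract OracleAdversaryTest is Test {
    AdversaryFeed feed;
    VulnerableConsumer vuln;
    HardenedConsumer hard;
    bytes32 constant ID = "ETH/USD"; // constructed feed id

    function setUp() public {
        feed = new AdversaryFeed();
        vuln = new VulnerableConsumer(feed, ID);
        hard = new HardenedConsumer(feed, ID);
        vm.warp(1_700_000_000);
    }

    function test_staleUpdate() public {
        feed.publish(3000e8, 1e8, block.timestamp - 1 hours);
        assertEq(vuln.price(), 3000e8); // vulnerable path accepts an hour-old price
        vm.expectRevert(bytes("stale price"));
        hard.price();
    }

    function test_wideConfidence() public {
        feed.publish(3000e8, 500e8, block.timestamp); // conf is ~16% of price
        vm.expectRevert(bytes("confidence too wide"));
        hard.price();
    }

    function test_negativePrice() public {
        feed.publish(-1, 0, block.timestamp);
        vm.expectRevert(bytes("non-positive price"));
        hard.price();
    }

    function test_freshPriceAccepted() public {
        feed.publish(3000e8, 1e8, block.timestamp);
        assertEq(hard.price(), 3000e8);
    }
}
```

Keep the harness in CI next to the Slither detectors: the static detector flags an unchecked `publishTime` or `conf` field, and the test proves the consumer actually rejects the adversarial values rather than merely reading the fields.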
- Upgradeability and storage layout safety
- If you rely on OpenZeppelin Contracts 5.x, validate ERC‑7201 namespaced storage use and leverage OZ’s audits and security center guidance; include differential tests comparing pre/post‑upgrade invariants and run slither‑check‑upgradeability. (openzeppelin.com)
- Reentrancy and call‑graph traps
- Use Slither’s call graph and Foundry invariant “handler” patterns to explore nested external calls; add ReentrancyGuardTransient tests if you adopt transient storage variants introduced in OZ 5.1. (openzeppelin.com)
- Formal methods where it matters
- For core invariants (interest accounting, collateralization), supplement with tools like Certora or similar formal verifiers; encode economic invariants as rules and check them against real deployments. (Select a vendor/tool appropriate to your stack; ensure coverage of proxy+impl.) [General guidance, derive from OZ/formal methods practices.] (openzeppelin.com)
Quick start snippet (illustrative):
# Static + invariants + mutation smoke:
slither . --exclude-dependencies --print human-summary
forge test -vv --ffi
FOUNDRY_INVARIANT_RUNS=5000 FOUNDRY_INVARIANT_DEPTH=200 forge test --match-path "test/invariants/**"
slither . --detect solc-version,unused-import --solc-remaps @openzeppelin=node_modules/@openzeppelin
References for configurations and detectors. (github.com)
Account Abstraction (ERC‑4337) pentesting: concrete checks that catch real issues
- Verify EntryPoint version and address: v0.8 singleton address (Ethereum mainnet) was published by the AA reference repo; confirm your deployment pins the expected codehash and reverts on mismatches. Also review v0.9 changes (getCurrentUserOpHash, Paymaster constructor owner). (github.com)
- Canonical hashing and event divergence: reproduce the “UserOperation packing/hash divergence” scenario and ensure your indexers/bundlers recompute hashes using EntryPoint.getUserOpHash against decoded calldata, not events alone. (alchemy.com)
- EIP‑7702 authorization safety: test that delegated targets are validated and that 7702 authorizations included in the UserOp hash are enforced; simulate replay/abuse across chains where your stack supports 7702. (github.com)
- Trusted EntryPoint assumption: ensure wallets/paymasters cannot silently switch EntryPoint; regression‑test the class of UniPass vulnerability (EntryPoint substitution). Add runbooks to rotate to new EntryPoint versions safely. (rootdata.com)
- Shared mempool and bundlers: validate your bundler (e.g., Skandha) supports EntryPoint v0.8+ and consider MEV‑safe flows for UserOps. Document which networks/environments you support. (etherspot.io)
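The EntryPoint pinning checks from the first and fourth bullets above, as an added example (written for this article, not the AA reference repo's code or 7Block Labs'): a simplified account fixes the EntryPoint address and codehash at deployment, re-checks both on every validation call, and the tests show that a different contract with identical bytecode, or a wrong expected codehash, is rejected. The account omits signature validation and the real `IAccount`/`PackedUserOperation` types; the `FakeEntryPoint` test double and all names are constructed, and the expected codehash in production would come from your release process rather than from a test double.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Simplified account (stand-in for a real ERC-4337 IAccount implementation):
/// the EntryPoint address and its codehash are fixed at deployment and
/// re-checked on every validation call.
contract PinnedEntryPointAccount {
    address public immutable ENTRY_POINT;
    bytes32 public immutable ENTRY_POINT_CODEHASH;

    error NotEntryPoint(address caller);
    error EntryPointCodehashMismatch(bytes32 expected, bytes32 actual);

    /// `expectedCodehash` is the codehash your release process pins
    /// (e.g. that of the published singleton); this example only uses a test double.
    constructor(address entryPoint, bytes32 expectedCodehash) {
        bytes32 actual = entryPoint.codehash;
        if (actual != expectedCodehash) revert EntryPointCodehashMismatch(expectedCodehash, actual);
        ENTRY_POINT = entryPoint;
        ENTRY_POINT_CODEHASH = expectedCodehash;
    }

    modifier onlyEntryPoint() {
        if (msg.sender != ENTRY_POINT) revert NotEntryPoint(msg.sender);
        bytes32 actual = ENTRY_POINT.codehash;
        if (actual != ENTRY_POINT_CODEHASH) revert EntryPointCodehashMismatch(ENTRY_POINT_CODEHASH, actual);
        _;
    }

    /// Simplified validation hook (signature checks omitted; a real account
    /// verifies the userOpHash that EntryPoint.getUserOpHash computes).
    function validateUserOp(bytes32 /*userOpHash*/, uint256 missingAccountFunds)
        external onlyEntryPoint returns (uint256 validationData)
    {
        if (missingAccountFunds != 0) {
            (bool ok, ) = payable(msg.sender).call{value: missingAccountFunds}("");
            require(ok, "prefund failed");
        }
        return 0; // 0 = valid, no time range
    }

    receive() external payable {}
}

/// Test double standing in for the EntryPoint singleton (constructed).
contract FakeEntryPoint { receive() external payable {} }

contract EntryPointPinningTest is Test {
    FakeEntryPoint ep;
    FakeEntryPoint otherEp;
    PinnedEntryPointAccount account;

    function setUp() public {
        ep = new FakeEntryPoint();
        otherEp = new FakeEntryPoint();
        account = new PinnedEntryPointAccount(address(ep), address(ep).codehash);
        vm.deal(address(account), 1 ether);
    }

    function test_callFromPinnedEntryPointSucceeds() public {
        vm.prank(address(ep));
        assertEq(account.validateUserOp(bytes32(0), 0.1 ether), 0);
        assertEq(address(ep).balance, 0.1 ether); // prefund went to the pinned EntryPoint only
    }

    function test_substituteEntryPointRejected() public {
        // Same bytecode, different address: the address pin still rejects it.
        vm.prank(address(otherEp));
        vm.expectRevert(abi.encodeWithSelector(PinnedEntryPointAccount.NotEntryPoint.selector, address(otherEp)));
        account.validateUserOp(bytes32(0), 0);
    }

    function test_deployWithWrongCodehashReverts() public {
        bytes32 wrong = keccak256("not the entrypoint");
        vm.expectRevert(abi.encodeWithSelector(
            PinnedEntryPointAccount.EntryPointCodehashMismatch.selector, wrong, address(ep).codehash));
        new PinnedEntryPointAccount(address(ep), wrong);
    }
}
```

Because the EntryPoint is immutable here, moving to a new EntryPoint version means deploying or upgrading the account deliberately, which is exactly the rotation runbook the bullets ask for; a mutable EntryPoint setter is the class of design the substitution regression test should flag.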
L2 and cross‑chain: from “training wheels” to permissionless challenges
- Arbitrum BoLD: test the full withdrawal lifecycle under the default ~6.4‑day challenge period and simulate adversarial delays; validate your bridge UIs/backends display accurate finality windows post‑BoLD and account for the extra challenge period when upgrading. (docs.arbitrum.io)
- Operationalize “Stage 1” rollup assumptions: if you integrate multiple OP‑Stack/Arbitrum chains, verify each chain’s proof status and governance model instead of assuming homogeneity. Document per‑chain exit SLAs. (therelaymag.com)
- Cross‑chain bridges/messaging:
- Evaluate validator/multisig trust, DVN/AVS parameters, slashing and pause controls (see LayerZero DVN‑AVS audit notes about centralization/trust assumptions). (dedaub.com)
- Use SoK and detection research to prioritize tests for message verification, quorum manipulation, and replay across domains. Incorporate “what if a validator key is compromised?” exercises. (arxiv.org)
- Expect bridges to remain a hot target; recent data shows persistent large losses despite overall improvements—so budget for incident drills. (theblock.co)
Example cross‑domain test ideas:
- Exhaustive fuzzing of message encoders/decoders for chain‑ID mixups.
- Replay attempts across testnets/mainnets with similar chain configs.
- Downgrade attacks: simulate older verifier contracts still accessible via routers.
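The first two test ideas above (encoder/decoder fuzzing for chain-ID mix-ups, and replay attempts), as an added Foundry example written for this article rather than taken from the page or any bridge project. The message layout, the `MessageCodec` library, the `BridgeReceiver` and its error names are constructed; validator/relayer authentication is deliberately out of scope so the tests isolate domain separation and replay protection.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import {Test} from "forge-std/Test.sol";

/// Constructed message layout: every message carries both endpoint chain ids
/// and a per-source nonce, so a message for one domain cannot be read as another's.
library MessageCodec {
    struct Message { uint64 srcChainId; uint64 dstChainId; uint64 nonce; address sender; bytes payload; }

    function encode(Message memory m) internal pure returns (bytes memory) {
        return abi.encode(m.srcChainId, m.dstChainId, m.nonce, m.sender, m.payload);
    }

    function decode(bytes memory raw) internal pure returns (Message memory m) {
        (m.srcChainId, m.dstChainId, m.nonce, m.sender, m.payload) =
            abi.decode(raw, (uint64, uint64, uint64, address, bytes));
    }
}

/// Receiving side: pins the destination chain id and refuses replays.
contract BridgeReceiver {
    error WrongChain(uint64 expected, uint64 got);
    error Replay(bytes32 messageId);

    mapping(bytes32 => bool) public consumed;
    event Delivered(bytes32 indexed messageId, uint64 srcChainId, uint64 nonce);

    function receiveMessage(bytes calldata raw) external {
        MessageCodec.Message memory m = MessageCodec.decode(raw);
        if (m.dstChainId != block.chainid) revert WrongChain(uint64(block.chainid), m.dstChainId);
        bytes32 id = keccak256(raw);
        if (consumed[id]) revert Replay(id);
        consumed[id] = true;
        emit Delivered(id, m.srcChainId, m.nonce);
    }
}

contract CrossDomainFuzzTest is Test {
    BridgeReceiver receiver;

    function setUp() public { receiver = new BridgeReceiver(); }

    /// Encoder/decoder round-trip must be lossless for arbitrary fields.
    function testFuzz_codecRoundTrip(uint64 src, uint64 dst, uint64 nonce, address sender, bytes calldata payload) public {
        MessageCodec.Message memory m = MessageCodec.Message(src, dst, nonce, sender, payload);
        MessageCodec.Message memory d = MessageCodec.decode(MessageCodec.encode(m));
        assertEq(d.srcChainId, src);
        assertEq(d.dstChainId, dst);
        assertEq(d.nonce, nonce);
        assertEq(d.sender, sender);
        assertEq(d.payload, payload);
    }

    /// Chain-id mix-up: any message addressed to another chain must be rejected.
    function testFuzz_rejectsWrongDestination(uint64 src, uint64 dst, uint64 nonce, bytes calldata payload) public {
        vm.assume(dst != block.chainid);
        bytes memory raw = MessageCodec.encode(MessageCodec.Message(src, dst, nonce, address(this), payload));
        vm.expectRevert(abi.encodeWithSelector(BridgeReceiver.WrongChain.selector, uint64(block.chainid), dst));
        receiver.receiveMessage(raw);
    }

    /// Replay: delivering the same bytes twice must fail the second time.
    function testFuzz_rejectsReplay(uint64 src, uint64 nonce, bytes calldata payload) public {
        bytes memory raw = MessageCodec.encode(MessageCodec.Message(src, uint64(block.chainid), nonce, address(this), payload));
        receiver.receiveMessage(raw);
        vm.expectRevert(abi.encodeWithSelector(BridgeReceiver.Replay.selector, keccak256(raw)));
        receiver.receiveMessage(raw);
    }
}
```

Run the same suite under `vm.chainId` for each network you deploy to, so a mainnet/testnet pair with similar configuration cannot accept each other's messages; an encoder that omits `dstChainId` (or a receiver that never checks it) fails `testFuzz_rejectsWrongDestination` immediately.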
ZK components: circuits and zkVM guest programs need their own pentest track
- Treat circuits like critical code: test for missing range checks, over/under‑constrained relations, and ensuring all public inputs/witness elements are actually used. Reference open checklists for circuit audits. (github.com)
- Track concrete 2025 issues: e.g., RISC Zero division/under‑constraint CVE‑2025‑54873 fixed in 2.2.0/3.0.0; ensure your zkVM and verifier contracts are on patched versions and your proofs are regenerated. (nvd.nist.gov)
- Verify recursion and verifier routers: confirm “is_complete” or equivalent checks and ordering constraints for recursive proofs in your chosen stack; document emergency router freezes/upgrade paths. (Industry advisories in 2025 emphasized this for several stacks.) (reports.zksecurity.xyz)
Pentest tactics for ZK:
- Differential proof tests: same public inputs with varied witnesses must fail unless allowed; try boundary cases on field sizes and bit‑decomposition.
- Gas‑aware verifier testing: ensure verifier edge cases don’t hit DoS via unbounded pairing or multi‑proof paths.
MEV and mempool exposure: test your transaction path, not only your code
- If your users depend on fair execution (swaps, liquidations), include private‑routing tests and protections. Validate integrations with MEV protection providers that preserve observability and support multi‑endpoint private RPC routing. (docs.blocknative.com)
- Be aware of ecosystem changes (e.g., relayer/relay market consolidation); test failover paths and ensure your ops can quickly rotate providers without degrading user protections. (theblock.co)
Monitoring, response, and runbooks: make it measurable
- Real‑time anomaly detection: integrate Forta Attack Detector to correlate funding/prep/exploit/laundering phases; tune your bot subscriptions for your protocol addresses. (docs.forta.network)
- Defender migration: if you rely on Defender Sentinels/Autotasks, plan the migration to OpenZeppelin’s open‑source Monitor/Relayer before July 1, 2026; treat this as a security control change in audits. (blog.openzeppelin.com)
- Alternative monitoring: configure Tenderly Monitoring for on‑chain event alerts, webhooks, and automated Web3 Actions for “pause” or rate‑limit responses. (tenderly.co)
Operational drills to include:
- “Pause‑and‑patch” tabletop: simulate a price‑oracle exploit; verify multisig timelock, upgrade steps, and public comms timelines.
- Cross‑chain incident: rehearse halting bridge routes while enabling L1 exits and publishing post‑mortems with proof IDs.
Sample deliverables 7Block Labs recommends
- Threat model with SCSVS mapping and chain‑by‑chain assumptions (e.g., Arbitrum BoLD exit windows, EntryPoint v0.8/0.9 dependencies). (scs.owasp.org)
- Evidence‑backed findings with reproduction steps: Foundry invariant seeds, Scribble properties, Slither traces, and AA hash divergence reproductions. (docs.scribble.codes)
- Runbooks: emergency upgrade plan, EntryPoint rotation procedure, bridge incident SOP, and monitoring migration checklist. (blog.openzeppelin.com)
Best emerging practices we see working in 2026
- Use OpenZeppelin Contracts 5.x patterns (AccessManager, ERC‑7201 namespaced storage, ReentrancyGuardTransient) with audits and tests tied to their security center releases. (openzeppelin.com)
- Bring oracle correctness into CI: enforce publishTime/confidence checks and deviation thresholds; fail builds when Slither flags detectors tied to specific oracle ecosystems. (github.com)
- Treat AA as a first‑class surface: pin EntryPoint codehash, verify 7702 auths in tests, and ensure bundlers re‑hash UserOps canonically; adopt a supported v0.8+ bundler stack. (github.com)
- Document per‑rollup finality and proof status: your app’s UX and risk disclosures should reflect BoLD or other fault‑proof details and the real exit SLAs. (docs.arbitrum.io)
- Align to public standards: map your findings to OWASP SCSVS and Smart Contract Top 10 (2025), and track EEA EthTrust updates (v3 expected) to inform code quality gates. (scs.owasp.org)
Web3 Application Penetration Tests: Quick Guide (for German-speaking decision-makers)
- Define the scope: smart contracts (including upgrades/proxies), AA stack (EntryPoint/Paymaster/7702), off‑chain services (bundlers/relayers), bridges/messaging, ZK components (circuits/zkVM). (github.com)
- Methodology: OWASP SCSVS/Top 10 (2025) as the baseline; Slither ≥0.11 for static analysis; Foundry invariants and Scribble properties; AA‑specific tests (UserOp hashing, 7702 authorizations); L2 exit/BoLD scenarios; ZK security reviews including the known 2025 fixes. (scs.owasp.org)
- Operations: real‑time monitoring (Forta, Tenderly), runbooks for pauses/upgrades, migration away from Defender SaaS by 01.07.2026. (docs.forta.network)
Closing note for decision‑makers
Pentesting Web3 apps in 2026 means testing assumptions at every layer—AA, L2 proofs, bridges, and ZK circuits—not just scanning Solidity. If you want a scope that reflects today’s risks, anchor on the OWASP SCSVS/Top 10 (2025), factor in Dencun/BoLD/AA changes, and require runbooks and monitoring migrations as part of “done.” That’s how you turn a pentest into fewer incidents and faster recoveries. (scs.owasp.org)
Sources and further reading
- OWASP Smart Contract Top 10 (2025) and SCSVS/SCSTG. (scs.owasp.org)
- EIP‑4844 (Dencun) blob design and operational properties. (eip4844.com)
- ERC‑4337 EntryPoint v0.8/v0.9 releases and addresses; AA vulnerability notes. (github.com)
- Arbitrum BoLD activation, dates, and docs. (docs.arbitrum.io)
- Slither releases and detectors; Foundry invariant testing references; Scribble annotations. (github.com)
- LayerZero DVN‑AVS audit notes; bridge SoK and monitoring research; macro loss trends. (dedaub.com)
- OpenZeppelin Contracts 5.x highlights; Defender sunset and docs. (openzeppelin.com)
- Forta Attack Detector; Tenderly Monitoring; MEV protection docs. (docs.forta.network)
If you need a scoped proposal tailored to your protocol (AA wallet, DeFi, bridge, or zk rollup), 7Block Labs can turn the above into a concrete test plan in under a week, with clear KPIs and CI integration.