The overlap is empty
We crosswalked NRDAX against MITRE AADAPT. Twenty-two NRDAX techniques touch AADAPT. None of them are reproduced.
MITRE AADAPT (July 2025) covers the economic layer: flash loans, channel wormholing, double-spend, chain reorganisation, smart-contract implementation, counterfeit tokens. Eleven tactics, thirty-eight techniques, drawn from more than 150 sources.
NRDAX covers the layer underneath: malformed packets that force multi-gigabyte allocations, four-hundred-byte requests that cost a validator a second of CPU, decompression bombs, exhausted connection tables, non-terminating gossip loops. Mechanisms at the transport and node-resource boundary, reproduced on instrumented infrastructure and recorded with the capture that proves them.
Two registries, adjacent territory. We mapped the seam.
What the data shows
Twelve AADAPT techniques have any NRDAX counterpart. Twenty-two NRDAX techniques sit on the other side of those twelve rows. Every one of those twenty-two is unreproduced.
NRDAX currently holds 102 reproduced techniques. None of them appear in AADAPT. Every technique that does touch AADAPT was catalogued from public disclosure and never put on a wire.
Everything we have reproduced sits where MITRE does not model. Everything MITRE models, we have only read about.
The empty column is the finding.
Two rows that carry the argument
ADT3012 (Exploit Smart Contract Implementation) maps to seven NRDAX techniques. All seven are tombstoned: out of scope, permanently resolvable, and pointed at AADAPT. Contract logic is not our ground.
ADT3016 (Generate Counterfeit Tokens) is ceded. It is an outcome. AADAPT files outcomes.
ADT3016.001 (Cryptographic Protocol Analysis) is retained. Three NRDAX techniques remain in scope. NRDAX classifies by causal mechanism: analysing a cryptographic protocol is something done to a node, at the boundary, with packets. What the adversary gains may be a counterfeit token or a signature check that never runs. AADAPT files under what it produces. We file under what it does. Same technique, two axes. The crosswalk is where they cross.
Using it
Hold an ADT id and ask NRDAX what it knows:
GET https://api.nrdax.com/aadapt/ADT3012
Every NRDAX technique on that row, in scope or tombstoned, reproduced or not. The full index is at api.nrdax.com/aadapt. Human version at nrdax.com/aadapt.
Tombstoned techniques still resolve. An ID we issue answers forever, including when the answer is "not ours, go to MITRE".
The pin
The crosswalk is pinned to MITRE AADAPT at commit cd6a74ca (retrieved 2025-10-31) from github.com/mitre/AADAPT. Not a floating mirror. A specific ref, stated on the page, with a build check that fails if any mapping points at an ADT id that no longer exists.
The division of labour
MITRE cites. NRDAX reproduces. The crosswalk measures the difference rather than describing it: twenty-two rows of overlap, zero reproduced.
AADAPT covers the economic layer from source review. The transport and node-resource boundary is a different class of object. The evidence is a capture, and the capture only exists if the infrastructure to take it is built.
NRDAX is the registry for the network-boundary and node-resource attack class: 102 techniques reproduced on instrumented infrastructure, 274 catalogued from public disclosure, 17 out of scope. Every technique carries a permanent citable ID.
Crosswalk: nrdax.com/aadapt.
Related Posts
NRDAX: browsable by chain and family, readable by machines
NRDAX now holds 623 techniques across 64 chains, 162 reproduced with bundles. New per-chain and per-family landing pages, a pretty Atom feed, JSON and STIX 2.1 and knowledge-pack distributions surfaced for machines, and a fix for the first_seen date bug.
NRDAX now includes known-but-not-reproduced techniques
NRDAX v0.1-import now contains 368 techniques across 21 chains: 140 with reproduced instances and bundles, and 228 known from public disclosures (CVEs, GHSAs, vendor advisories) but not yet reproduced in the lab. A CVE maps to its technique even when no bundle exists yet.
NRDAX: the canonical technique registry for decentralized infrastructure attacks
We have published NRDAX, the NullRabbit Decentralised Attack indeX, at nrdax.com. It is the reference registry for attack techniques against decentralized infrastructure: 135 chain-agnostic techniques, grouped into mechanism families, with a coverage matrix across 21 chains.
