Monocypher uses DJB's curves, which are naturally immune against pretty much anything (assuming constant time primitive operations). Invalid curves don't reveal anything (though one needs to check against non contributory behaviour in key exchange), and the whole thing is constant time whether the public key/point was on the curve or not.
Maybe I would take a look at invalid curves attack if I ever try my hand at ECDSA or something, but (i) I don't plan to in the first place, and (ii) even if I did, it would be quicker to just learn about those attacks and how to avoid them.
Same about GCM nonce repeat. Useless. I have read that nonce repeat is catastrophic for GCM, and I trust that. Chacha20/Poly1305 is also vulnerable to nonce reuse (reveals the authentication key and the XOR of 2 plaintext messages), but I don't need to mount an attack against it to learn anything useful. Sure, this might give me further insight about how Wegman-Carter hashes work, but I'm not inventing anything here, so I don't need to understand that part in depth.
Even if I was inventing anything, I still believe being able to mount relevant attacks would still be mostly useless. I don't want to attack flawed systems, I want to build a flawless system. I would have to prove the system is flawless. Making sure the proof doesn't have an error is different from mounting an attack if there is.
---
Some people may need to perform the attack to really believe in their core that it is possible after all. I don't. Seeing the math is enough to send shivers down my spine.
I see one thing for which I expect cryptanalysis is genuinely useful: inventing new primitives that we cannot prove secure. Symmetric cypher and hashes, elliptic curves… Those require a deeper understanding, and I do expect one has to know how to break the bad stuff to come up with good stuff. There's just no way I try to elevate myself up to that level. I have no comparative advantage, and I'm not going to spend the 10 years required to have one.
Me, I don't try to push the state of the art. I just try to protect against known attacks, and I trust we won't come up with new attacks too quickly, the same way I trust we won't break existing crypto too quickly.
From there, I just have to make sure a number of mathematical properties are followed, and voilà I have a secure system according to current standards. It will be guaranteed to hold out as long as no one comes up with some new unforeseen attack. And even then, I suspect everything has been pretty much worked out. The primitives themselves, with few exceptions, are still not proven secure, but the constructions have sound security models.
Which is why now, we don't need to do stuff like the cryptopal challenges to build secure systems. We just need to avoid the relevant pitfalls, which have already been figured out by smarter people.
---
Then there are side channels, but those are whole 'nother can of worm (except maybe timings, which are pretty well understood by now).
