Salus Security, a portfolio company of Binance Labs, has contributed to this article.
The decentralized nature of Web3 technology and the high value of the transactions it carries make security a critical aspect of any Web3 project. Hiring a reputable Web3 security team to conduct an audit gives you a snapshot of the code at one moment, not a lasting guarantee. BNB Chain project teams must establish their own security processes and follow best practices throughout the project's lifecycle (development, pre-audit, pre-launch, and post-launch) to ensure ongoing security.
Best Practices During Development
Developing a Web3 project with security in mind from the outset saves significant human and financial resources in the long run. Security issues discovered late in development mean additional work for auditors, potential launch delays, and costly remediation. Developers therefore need a working understanding of security principles across smart contract development, testing, and the Web2 components of the project.
Smart Contract Security Coding Recommendations
Smart contract security is crucial in Web3 projects. Ignoring security concerns or failing to prioritize security awareness during smart contract development can lead to significant setbacks, increased costs, and even complete project failure. We have prepared a cheat sheet to support you in developing a secure and dependable smart contract.
- Use a recent, stable Solidity release that includes fixes for known compiler bugs, pin it with a fixed pragma rather than a floating one, and check the compiler's published list of known bugs before settling on a version.
- Prefer well-known, audited libraries over custom implementations wherever they fit. They carry fewer surprises and shrink the audit scope, which saves money.
- Check the return value of every external call and handle failures. Low-level call, delegatecall, and send return false instead of reverting, and some ERC20 tokens return false (or nothing at all) from transfer and transferFrom instead of reverting, so wrap token calls in a safe-transfer helper.
- Emit events whenever a privileged function changes a critical parameter (owner, fee, oracle address, pause state). Security monitoring and emergency response depend on being able to track those changes.
- Use the Checks-Effects-Interactions pattern, plus a reentrancy guard where the pattern alone is not enough, to prevent reentrancy attacks. Treat every token and Ether transfer, and any call to an address you do not control, as an interaction.
- Order arithmetic so that precision is not lost: multiply before dividing, and choose the rounding direction deliberately so that rounding down never works against the protocol (for example, round shares issued down and fees charged up).
- Use Chainlink VRF to obtain reliable randomness. Block data such as blockhash, block.timestamp, or prevrandao is predictable or can be influenced by block producers and must not be used as a seed.
- Avoid reading prices (or other data) from any single source, such as the spot price of one liquidity pool, which a flash loan can manipulate within a single transaction. Use decentralized oracles or time-weighted averages instead.
- Avoid long or unbounded loops over storage variables. Besides the gas cost to users, a loop that grows with user-controlled data can exceed the block gas limit and leave a function permanently uncallable.
- Name your functions and systems succinctly so that others can understand your code, and follow the Solidity style guide.
- Build in an emergency pause switch that can suspend the core business logic globally to stop losses in time, and restrict it to a trusted, access-controlled role.
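The cheat sheet above in code, as an added example that is not from the article, BNB Chain, or Salus: a minimal Ether vault written twice, first with the classic mistakes (interaction before effect, unchecked call return, no pause), then hardened with Checks-Effects-Interactions, a reentrancy guard, a checked return value, events on every privileged change, and an owner-controlled pause switch. The contract names, the pinned compiler version, and the solvency view are all assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
// Added example (not from the original article): a minimal Ether vault, first with the
// classic mistakes, then hardened with the practices in the cheat sheet above.
pragma solidity 0.8.24; // pinned to one recent release instead of a floating ^ pragma

/// @dev Deliberately vulnerable: the external call happens BEFORE the balance is zeroed
///      (reentrancy), the call's success flag is ignored, and nothing can pause it.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        // A malicious receiver re-enters withdraw() here while its balance is still intact.
        msg.sender.call{value: amount}(""); // success flag silently dropped
        balances[msg.sender] = 0;
    }
}

/// @dev Hardened version: Checks-Effects-Interactions, reentrancy guard, checked return
///      value, events on every privileged change, and an owner-controlled pause switch.
contract HardenedVault {
    mapping(address => uint256) public balances;
    uint256 public totalDeposits; // internal accounting, reconciled against the real balance
    address public owner;
    bool public paused;
    uint256 private lock = 1; // 1 = free, 2 = entered

    event Deposit(address indexed account, uint256 amount);
    event Withdraw(address indexed account, uint256 amount);
    event PausedSet(address indexed by, bool paused);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    error NotOwner();
    error ContractPaused();
    error Reentrancy();
    error TransferFailed();

    modifier onlyOwner() { if (msg.sender != owner) revert NotOwner(); _; }
    modifier whenNotPaused() { if (paused) revert ContractPaused(); _; }
    modifier nonReentrant() {
        if (lock == 2) revert Reentrancy();
        lock = 2;
        _;
        lock = 1;
    }

    constructor() {
        owner = msg.sender;
    }

    function deposit() external payable whenNotPaused {
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
        emit Deposit(msg.sender, msg.value);
    }

    function withdraw() external nonReentrant whenNotPaused {
        uint256 amount = balances[msg.sender]; // Checks
        if (amount == 0) return;
        balances[msg.sender] = 0;              // Effects: a re-entrant call now sees 0
        totalDeposits -= amount;
        emit Withdraw(msg.sender, amount);
        (bool ok, ) = msg.sender.call{value: amount}(""); // Interaction, return checked
        if (!ok) revert TransferFailed();
    }

    /// @notice Emergency switch; the event lets monitoring see the pause immediately.
    function setPaused(bool value) external onlyOwner {
        paused = value;
        emit PausedSet(msg.sender, value);
    }

    /// @notice Privileged parameter change, recorded with an event.
    function transferOwnership(address newOwner) external onlyOwner {
        require(newOwner != address(0), "zero address");
        emit OwnershipTransferred(owner, newOwner);
        owner = newOwner;
    }

    /// @notice Cheap invariant for an off-chain monitor to poll: the vault must always
    ///         hold at least what its own accounting says it owes.
    function solvent() external view returns (bool) {
        return address(this).balance >= totalDeposits;
    }
}
```

In the hardened withdraw, the balance is zeroed and the event emitted before any Ether leaves, so a receiver that re-enters sees a zero balance even without the guard; the guard is kept as defence in depth for paths that cannot follow the pattern cleanly. The PausedSet and OwnershipTransferred events, together with the solvent() view, are what a runtime monitor would watch after launch.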
Testing Recommendations
Even when the coding recommendations are followed, smart contracts must be tested to find vulnerabilities before launch and prevent significant financial losses. Testing confirms that the contract behaves as intended, validates its security features, and verifies that it meets business requirements. The following recommendations for comprehensive smart contract testing will help catch basic mistakes and improve the quality of your project.
- Unit test coverage should be close to 100%, and coverage of the core code must reach 100%.
- Include end-to-end tests of the business processes and functional tests of each function, not only unit tests of isolated pieces. Fuzz and invariant tests catch the edge cases (dust amounts, rounding boundaries) that hand-picked inputs miss.
- Run an automated analysis tool over the code to quickly identify and resolve common vulnerabilities and errors before human review. Salus provides an automated vulnerability detection service, making the analysis easier and more efficient.
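Two of the recommendations above, precision-safe arithmetic from the coding cheat sheet and high-coverage, fuzzed testing from this section, in one added example that is not from the article or from Salus: a Foundry test comparing a fee calculation that divides first with one that multiplies first and rounds in the protocol's favour. It assumes a Foundry project with forge-std installed; the FeeMath library, the 30 basis point fee, and the test names are constructed for the example.

```solidity
// SPDX-License-Identifier: MIT
// Added example (not from the original article): precision loss made visible by a fuzz test.
pragma solidity 0.8.24;

import {Test} from "forge-std/Test.sol"; // assumption: Foundry project with forge-std installed

/// @dev Two ways to charge a fee expressed in basis points (1 bp = 0.01 %).
library FeeMath {
    uint256 internal constant BPS = 10_000;

    /// @dev Divides first. Every fraction of a basis point is thrown away, and any
    ///      amount below 10_000 wei pays no fee at all.
    function feeDivideFirst(uint256 amount, uint256 feeBps) internal pure returns (uint256) {
        return (amount / BPS) * feeBps;
    }

    /// @dev Multiplies first (0.8.x reverts on overflow), then rounds UP so that the
    ///      rounding error favours the protocol, never the caller.
    function feeMultiplyFirst(uint256 amount, uint256 feeBps) internal pure returns (uint256) {
        uint256 numerator = amount * feeBps;
        if (numerator == 0) return 0;
        // Documented unchecked block, as the pre-audit checklist asks: numerator > 0 here,
        // so numerator - 1 cannot underflow, and (numerator - 1) / BPS + 1 <= numerator
        // cannot overflow.
        unchecked {
            return (numerator - 1) / BPS + 1;
        }
    }
}

contract FeeMathTest is Test {
    uint256 internal constant BPS = 10_000;
    uint256 internal constant FEE_BPS = 30; // 0.30 %, constructed for the example

    /// Concrete case: a 9_999 wei deposit pays nothing with the lossy formula.
    function test_DustPaysNoFeeWhenDividingFirst() public pure {
        assertEq(FeeMath.feeDivideFirst(9_999, FEE_BPS), 0);
        assertEq(FeeMath.feeMultiplyFirst(9_999, FEE_BPS), 30); // 29.997 rounded up
    }

    /// Round numbers agree, so a unit test that only uses "nice" inputs would never
    /// have noticed the bug: this is why fuzzing is needed.
    function test_RoundNumbersHideTheBug() public pure {
        assertEq(FeeMath.feeDivideFirst(1 ether, FEE_BPS), FeeMath.feeMultiplyFirst(1 ether, FEE_BPS));
    }

    /// Fuzz over the whole domain: the lossy fee never exceeds the exact one, and it
    /// undercharges by at most feeBps wei per call.
    function testFuzz_DivideFirstUndercharges(uint256 amount, uint256 feeBps) public pure {
        feeBps = bound(feeBps, 1, BPS);
        amount = bound(amount, 0, type(uint256).max / BPS); // keeps amount * feeBps in range
        uint256 lossy = FeeMath.feeDivideFirst(amount, feeBps);
        uint256 exact = FeeMath.feeMultiplyFirst(amount, feeBps);
        assertLe(lossy, exact);
        assertLe(exact - lossy, feeBps);
    }
}
```

Run it with forge test, and use forge coverage to check the coverage targets above. The fuzz test is the one that earns its keep: the two fixed-input tests pass on round numbers, and only randomised amounts expose the dust deposits that the divide-first formula lets through for free.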
Web Front-End and Back-End Security Recommendations
While smart contracts are a critical part of a Web3 project, the Web2 components are equally important and must be secured properly. Even if the smart contract is free of vulnerabilities, neglecting security measures in Web2 components can still cause financial damage. Many best practices can be borrowed from Web2 applications, but some unique security considerations exist for Web3 projects.
Web2 and Web3 projects alike need regular security testing by professional firms. However, because of their unique architecture and decentralized nature, the penetration testing techniques used for Web2 projects are not sufficient on their own for Web3 projects. Salus offers Web3 penetration testing, which uncovers vulnerabilities in your network, applications, and cloud services. It also covers middleware security and anti-tampering issues at the points where the Web2 components and the blockchain interact, such as the front end that builds the transactions users sign and the back end that reads chain state.
Pre-Audit Self-Checklist
The audit process is an important part of the Web3 project, especially for smart contracts, which attackers frequently target due to the significant amounts of money that can be transferred. However, audits are expensive, time-consuming, and must be scheduled months in advance.
We have organized a free checklist for you to make the most out of such services. Completing this checklist helps ensure a codebase ready for outside review and allows auditors to focus their time and attention on identifying deeper, more critical vulnerabilities.
- Freeze the contract code for the duration of the audit, or at least provide a commit hash for the audit to target, so that every finding maps to a known version.
- Ensure contracts compile with no errors or warnings.
- Verify that all tests pass.
- Keep your code clean: remove or update old comments, unused functions, and dead code.
- Annotate all functions and parameters (NatSpec comments work well for this).
- Any public function that can be made external should be made external. This is not only a gas consideration but also reduces the cognitive overhead for auditors.
- Document every use of unchecked arithmetic, explaining in detail why overflow or underflow cannot occur there.
- Make a list of the code blocks you want auditors to focus on, typically the most privileged, value-holding, or complex paths.
Pre-screening the security team you intend to hire for your audit is essential. First, research security incidents in your project's field thoroughly. Then compare the security firm's audit reports with those of its competitors.
Let the audit results (vulnerabilities detected, compliance validation, post-audit recommendations) speak to the quality of their service. Finally, contact past clients to verify the process and the security team's professionalism.
Pre-Launch Security Checklist
After completing the development and audit phases, your team should ensure they have taken the necessary security steps before launching the project.
- Respond to every recommended change in the audit report, with either a fix or a documented reason for not fixing it.
- Consider a second audit after making the changes if the first audit produced many findings, since fixes themselves can introduce new bugs.
- Set up a bug bounty program. Platforms such as code4rena, Immunefi, BugRap, or HackenProof can help coordinate the program.
- Set up monitoring and alerting.
- Create an incident response plan.
- Prepare emergency action scripts to pause contracts in the event of an exploit, and test that the keys needed to run them are available and work.
Post-Launch Risk Monitoring & Emergency Response
Once a Web3 project is live, real-time monitoring is necessary to ensure it continues operating securely and efficiently. Additionally, having a well-prepared emergency response plan can greatly minimize the impact of security incidents and maintain user confidence in the project.
Runtime Security Monitoring
Risk monitoring allows for the early detection of security incidents, which enables project teams to respond quickly and mitigate the impact of the incident.
- Watch the events emitted by key processes (privileged parameter changes, pauses, unusually large transfers) to discover security problems as they begin, not after the funds are gone.
- Reconcile on-chain events against transactions and contract state, for example the net of deposit and withdrawal events against the contract's actual balance. A mismatch is often the first sign of a business-logic flaw.
Emergency Response
Follow the recommendations below to create a well-executed emergency response plan. This plan is vital for responding to unexpected events and for mitigating damages.
- Stop the loss with the emergency pause switch, scoped to the severity and extent of the problem.
- Notify users and update them regularly as meaningful new information or developments become available.
- Take snapshots of affected servers promptly to preserve the evidence of the compromise.
- Review the exploit transactions to identify the vulnerability and discuss the best fix with a professional security team.
- Draft and publish a full public post-mortem covering the root cause and scope of the problem, the specific loss, the status of the fix, efforts to trace the attacker and the funds, and other related findings.
- Prepare the patch following deployment best practices.
- Deploy the patch when ready.
Security will remain a critical issue as the Web3 ecosystem continues to evolve. Project teams should stay informed about the latest security threats and best practices, and be prepared to adapt their security measures accordingly. By following the best practices in this article, we hope project teams can strengthen their security capabilities to protect their project and users from potential security risks.
About Salus Security
Salus Security is a well-rounded blockchain security company providing automated smart contract audits and vulnerability detection services. The team is experienced in both traditional and blockchain security and aims to make security services accessible for all.
For more information, follow Salus Security on Twitter.
About Binance Labs
As the venture capital arm and accelerator of Binance, Binance Labs has now grown to be worth over $9 billion. Its portfolio covers 200 projects from over 25 countries across 6 continents and has an over 10X rate of return on investments. Fifty of Binance Labs’ portfolio companies have been projects through our incubation programs.
For more information, follow Binance Labs on Twitter.