"Just because you're paranoid doesn't mean they aren't after you."
This is an incomplete, definitely non-exhaustive set of security guidelines for securing DeFi protocols. Every protocol is different and even if you follow every single rule in here to the letter, you may still get hacked. The job of this guide is to reduce the chance of getting hacked by North Korea.
This guide is meant to be used in combination with other guidance.
This guide is a work in progress and will be updated as I learn more.
Formally verify your code. It's not that hard unless your devs suck.
Get audited by a good auditing firm that isn't CertiK.
Test rigorously. Aim for 99% code coverage, with fuzz, integration and invariant tests.
Use circuit breakers to slow down or pause any suspiciously large outflows.
Development process, bug bounties, war rooms, multisigs, et cetera.
Use VS Code dev containers to sandbox your development environment.
DevPod or any homebrew Docker solution is acceptable. Just ensure it has no way to escape the sandbox.
Another benefit of this is that tooling is the same across all developers, so no more "works on my machine".
Or use a separate machine entirely for your dev work and connect to it via SSH. Maybe even GitHub Codespaces (ew).
Fucking use Linux.
An immutable distribution of Linux is preferred. macOS is acceptable.
They don't usually build malware for Linux.
It's just generally a better experience for development.
Force all your devs to stay up to date with all system updates.
Always set ownership in your contract initializers to a protocol DAO or multisig.
Never reuse a deployment key for a different purpose.
Never put deployment keys in environment variables.
Or you could use Truffle Dashboard.
It is unmaintained.
In my experience, it has some compatibility issues with Foundry.
Ensure all developer git commits are signed. I prefer SSH keys, but you can use GPG.
Open-source all code running in production.
Pay out your bug bounties.
It's not rational at all to refuse to pay or be stingy; it's just retarded. You're setting up incentives for grayhats or whitehats to become blackhats.
Always do the Kim Jong-Un test.
Keep your development machine as minimal as possible. Browser, VSC, Docker, that's it.
If you must install apps, use Flatpak.
Make an incident response plan for what exactly to do in case of a hack.
Add your contact details to crytic/blockchain-security-contacts.
You can't treat building a financial app the same way you build any other web app. NORTH KOREA IS YOUR ADVERSARY. Therefore:
Set up an IPFS instance of your dapp.
I recommend not setting it up using Fleek or any managed provider.
Test every frontend update before it goes live using multiple wallets and browsers.
You want to induce malicious behavior if it's present before it gets shipped out.
Watch for network requests to any domains you don't recognize.
Watch for any behavior you don't recognize, such as asking for infinite approvals to suspicious contracts.
Don't test using dev wallets.
Make yourself look like a new user every test.
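One way to automate the two "watch for" checks above, as an added example that is not from the original guide. It assumes you export a HAR file from the browser devtools for the network side and wrap the wallet's EIP-1193 provider to log its requests; the allowlists, hostnames and addresses are constructed placeholders.

```javascript
// Added example. Allowlists, addresses and sample captures are constructed.
const ALLOWED_HOSTS = new Set(["app.example.org", "rpc.example.org"]);
const KNOWN_SPENDERS = new Set(["0x" + "1".repeat(40)]);
const APPROVE = "0x095ea7b3"; // selector of approve(address,uint256)
const UNLIMITED = 1n << 255n; // amounts at or above this count as "infinite"

// Wrap an EIP-1193 provider so every wallet request in the test run is recorded.
function recordProvider(provider, log) {
  const original = provider.request.bind(provider);
  provider.request = (args) => { log.push(args); return original(args); };
  return provider;
}

// Hosts contacted in a HAR export that are not on the allowlist.
function unknownHosts(har) {
  const hosts = har.log.entries.map((e) => new URL(e.request.url).hostname);
  return [...new Set(hosts)].filter((h) => !ALLOWED_HOSTS.has(h));
}

// Recorded transactions approving an unknown spender or an unlimited amount.
function riskyApprovals(log) {
  const findings = [];
  for (const { method, params } of log) {
    if (method !== "eth_sendTransaction") continue;
    const data = ((params && params[0] && params[0].data) || "").toLowerCase();
    if (!data.startsWith(APPROVE) || data.length < 138) continue;
    const spender = "0x" + data.slice(34, 74); // low 20 bytes of ABI word 1
    const unlimited = BigInt("0x" + data.slice(74, 138)) >= UNLIMITED;
    const unknown = !KNOWN_SPENDERS.has(spender);
    if (unknown || unlimited) findings.push({ token: params[0].to, spender, unknown, unlimited });
  }
  return findings;
}

// Constructed captures: one stray host, one unlimited approval to an unknown spender.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://app.example.org/index.html" } },
  { request: { url: "https://rpc.example.org/" } },
  { request: { url: "https://cdn.unrecognized.example/a.js" } },
] } };
const word = (addr) => "0".repeat(24) + addr.slice(2); // left-pad address to 32 bytes
function sampleWalletLog() {
  const log = [];
  const wallet = recordProvider({ request: async () => "0x" }, log);
  const token = "0x" + "a".repeat(40);
  wallet.request({ method: "eth_chainId" });
  wallet.request({ method: "eth_sendTransaction", params: [{ to: token, data: APPROVE + word("0x" + "1".repeat(40)) + "0".repeat(63) + "5" }] });
  wallet.request({ method: "eth_sendTransaction", params: [{ to: token, data: APPROVE + word("0x" + "2".repeat(40)) + "f".repeat(64) }] });
  return log;
}
console.log(unknownHosts(SAMPLE_HAR), riskyApprovals(sampleWalletLog()));
```

It only decodes plain `approve` calldata; `setApprovalForAll` and signed permits need their own checks.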
Nudge your users away from MetaMask.
Don't block VPNs. Please.
This isn't technically a security concern; it's just very harmful to us anons.
Make your web app immutable.
This limits the impact of a successful domain hijack to new users and those who have cleared their cache.
Ensure there is a way to update the frontend from inside.
Onchain is better than offchain. Hold your domains in a multisig using 3DNS.
This gives additional protection by not having to trust a single dev with domain ownership.