With the rapid development of Web3, blockchain technology and cryptocurrency have gradually become an important part of the global financial system. However, the accompanying security issues have also brought many challenges to this emerging field. Therefore, the SlowMist Security Team has specially launched the "Web3 Project Security Handbook" (https://www.slowmist.com/redhandbook/), referred to as the "Red Handbook", which aims to provide comprehensive security guidance and practical skills for Web3 projects and developers. The Red Handbook is a bilingual version in Chinese and English, and mainly includes four parts: Web3 project security practice requirements, SlowMist smart contract audit skill tree, blockchain-based cryptocurrency security audit guide, and crypto asset security solutions.
Web3 Project Security Practice Requirements
Nowadays, there are endless attacks on Web3 projects, and the interactions between projects are becoming more and more complex. The interactions between projects often introduce new security issues. Most Web3 project development teams generally lack front-line security attack and defense experience. When developing Web3 projects, they focus on the overall business justification of the project and the realization of business functions, but do not have more energy to complete the construction of the security system. Therefore, it is difficult to ensure the security of Web3 projects throughout their life cycle without a security system.
Usually, in order to ensure the security of the Web3 project, the project team will hire an excellent blockchain security team to conduct a security audit on its code. However, the audit by the blockchain security team is only a short-term guide and cannot allow the project team to establish its own security system.
Therefore, the SlowMist Security Team open-sources the Web3 project security practice requirements to continuously help project teams in the blockchain ecosystem master the corresponding security skills. It is hoped that project teams can establish and improve their own security systems based on the Web3 project security practice requirements, and have certain security capabilities after the audit.
Web3 project security practice requirements include the following:
The Web3 project security practice requirements are currently in version v0.1, and the full content can be read through this link:
https://github.com/slowmist/Web3-Project-Security-Practice-Requirements。
Smart Contract Security Audit Skill Tree
This skill tree is a skill set for the smart contract security audit engineers of the SlowMist Security Team. It aims to list the skills required for smart contract security audits for team members and drive them to form self-evolutionary thinking in research, creation, and engineering. It is mainly divided into four parts: finding the door to enter, singing by the door, integrating and understanding, and breaking out of the door. It lists the professional skills that need to be mastered at each stage from shallow to deep, as shown in the following figure:
You can read the full content at this link: https://github.com/slowmist/SlowMist-Learning-Roadmap-for-Becoming-a-Smart-Contract-Auditor
A Guide to Security Auditing of Blockchain-Based Cryptocurrencies
As an asset with intrinsic value, crypto assets are irreversible and difficult to trace, which gives hackers a strong motivation to commit crimes. This section of the Redbook not only covers common security vulnerabilities, but also provides detailed security research, including the following:
Cryptocurrency Threat Modeling
The SlowMist security team uses multiple models to identify threats to cryptocurrency systems, such as the CIA triplet, the STRIDE model, the DREAD model, and PASTA.
Test Method
In black-box testing and gray-box testing, we use fuzz testing, script testing and other methods to test the robustness of interfaces or components by providing random data or building data of specific structures, and to explore abnormal system behaviors under some boundary conditions, such as bugs or performance anomalies. In white-box testing, we analyze the object definition and logic implementation of the code through methods such as code review, and combine the security team's relevant experience in known blockchain security vulnerabilities to ensure that there are no known vulnerabilities in the key logic and key components of the code; at the same time, we enter the vulnerability mining mode of new scenarios and new technologies to discover possible 0day errors.
Vulnerability Severity
Based on the CVSS methodology, the SlowMist security team developed a blockchain vulnerability severity level:
Public chain security research
SlowMist Technology's blockchain threat intelligence system (https://bti.slowmist.com/) continuously tracks ongoing security incidents and applies threat intelligence to security consulting and audit services.
The SlowMist Security Team analyzed and studied publicly known blockchain security vulnerabilities and compiled a list of common blockchain vulnerabilities (https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide/blob/main/Blockchain-Common-Vulnerability-List.md).
Public chain security audit
The public chain security audit of the SlowMist security team uses a combination of black box, gray box, and white box testing methods. According to different audit requirements, it launches main network security audits based on black and gray box audits, layer2 security audits, and source code security audits based on white box audits. At the same time, it also customizes application chain security audit solutions for some development frameworks.
Blockchain application audit
Smart Contract Security Audit
Other applications
You can read the full content at this link: https://github.com/slowmist/Cryptocurrency-Security-Audit-Guide.
Crypto asset security solutions
This solution is the result of many years of practical experience of the SlowMist security team in frontline service to Party A, and is designed to provide a full range of asset security solutions for participants in the crypto world. We divide the security of crypto assets into the following five parts, and provide a detailed interpretation of each part, including various risks and related solutions.
Online hot asset security solutions
Online hot assets mainly refer to the assets corresponding to the cryptocurrency private keys placed in online servers, which need to be frequently used to perform operations such as signing transactions. For example, the hot and warm wallets of exchanges are all online hot assets. Since these assets are placed in online servers, the possibility of being attacked by hackers is greatly increased, and they are assets that need to be protected. Due to the importance of private keys, improving the security storage level (such as hardware encryption chip protection) and removing single point risks are important means to prevent attacks. SlowMist recommends improving the security of online hot assets from two directions: "cooperative custody plan" and "private key/mnemonic security configuration plan".
Cold Asset Security Solutions
Cold assets in the crypto world mainly refer to large assets that are not frequently traded, and the private keys are kept in an isolated state without Internet access. In theory, the colder the cold assets are, the better, that is, to ensure that the private keys never touch the Internet, and to minimize transactions, and to avoid exposing address information, etc. We recommend that on the one hand, attention should be paid to the security of private key storage, making it as "cold" as possible; on the other hand, attention should be paid to the management process of use, to avoid private key leakage, unexpected transfers or other unknown behaviors as much as possible.
DeFi Asset Security Solutions
Currently, most blockchain participants participate in DeFi projects, such as mining, lending, and financial management. Participating in DeFi projects essentially means transferring or authorizing assets in your hands to DeFi project parties, which poses a great degree of security risks that are beyond personal control. This plan lists the risk points of DeFi projects and sorts out ways to avoid these risks.
Asset ownership security backup solution
Crypto asset ownership backup is the backup of private keys or mnemonics. Private keys or mnemonics carry the complete ownership of cryptocurrencies. Once stolen or lost, all assets will be lost. For the field of crypto assets, the backup of private keys/mnemonics is a shortcoming.
Asset Abnormal Monitoring and Tracking Solutions
After implementing a series of measures to safely deposit crypto assets, in order to deal with unexpected situations such as "black swans", it is also necessary to monitor the relevant wallet addresses and issue abnormal alarms, so that every asset transfer can be confirmed and verified by the internal team.
This solution is the first complete solution for crypto asset security launched by SlowMist Technology after years of frontline security attack and defense practices in the blockchain ecosystem. You can read the full content through this link: https://github.com/slowmist/cryptocurrency-security.
Final Thoughts
The "Web3 Project Security Manual" is a detailed and clearly structured security guide suitable for all Web3 projects and developers. In this rapidly developing field, security is always a crucial link. Mastering these security knowledge and skills will help build a more secure and reliable Web3 ecosystem. In the future, SlowMist will continue to output security research content, focus on blockchain ecosystem construction, and strive to build a safe area in the "dark forest" for the blockchain ecosystem.
P.S. If you want to purchase the limited edition commemorative red handbook, please go to https://1337.slowmist.io/redhandbook.html and click to read the original text to jump directly; if you need a PDF version, please go to https://www.slowmist.com/redhandbook/RedHandbook.pdf to download.