The goal of this list is to have a common framework for viewing the security of upstream and downstream projects. A good example would be interacting with an external partner: no project does business development (BD) in isolation, since there is an ecosystem of collaborating projects.
In the good case, Solana can show off network effects. In the negative case, many "points of failure" can be intimidating. This doc is here to lower that barrier.
- Bug bounties clear and explicit
- Open source, published ABI
- Audit Docs
- Upgrade Authority Best practices
- Squads multisig - Stepan Simkin (guide?)
- Devnet implementation
- Client SDKs: if the front end gets hacked, users need to be able to execute through the SDK
- Verifiable builds. Example from Eclipse
- Paths to immutable/soft frozen
- PagerDuty
- Circuit breaker: ability to freeze the program during an attack
- Treasury abstracted away
- Airgapped signing
(Request for checklist; here's some inspiration.)
neodyme's audit prep
neodyme's common pitfalls
- Text searches for any private keys
- Sec3 tools in CI/CD
- Econ vulnerabilities
- Gauntlet
- 20 squares (not yet Solana)
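As an added example of the "text searches for any private keys" item (not from the original notes): a small scanner that looks for the two shapes a Solana secret key usually takes when it leaks into a repo, the 64-integer JSON array written by solana-keygen and its base58 encoding (87 or 88 characters). The sample input is constructed inline and contains no real key.

```python
"""Scan text or a source tree for accidentally committed Solana keypairs."""
import json
import re
from pathlib import Path

# Base58 alphabet (no 0, O, I, l); a 64-byte secret key encodes to 87-88 chars.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
B58_RE = re.compile(r"(?<![0-9A-Za-z])[%s]{87,88}(?![0-9A-Za-z])" % B58_ALPHABET)
# solana-keygen id.json format: a JSON array of exactly 64 integers.
ARRAY_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]")


def find_keypairs(text: str) -> list[str]:
    """Return one label per suspected secret key found in `text`."""
    hits = []
    for m in ARRAY_RE.finditer(text):
        values = json.loads(m.group(0))
        # Only flag arrays whose entries are all valid bytes.
        if all(0 <= v <= 255 for v in values):
            hits.append("json-keypair-array")
    for _ in B58_RE.finditer(text):
        hits.append("base58-secret-key")
    return hits


def scan_tree(root: Path, skip=(".git", "node_modules", "target")) -> dict[str, list[str]]:
    """Walk `root`, skipping build and VCS directories; map relative path -> findings."""
    findings = {}
    for path in root.rglob("*"):
        if not path.is_file() or any(part in skip for part in path.parts):
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        hits = find_keypairs(text)
        if hits:
            findings[str(path.relative_to(root))] = hits
    return findings


if __name__ == "__main__":
    # Constructed demo input: a 64-entry array and an 88-character base58-shaped
    # string made of repeated "1"; neither is a real key.
    demo = "wallet = " + json.dumps(list(range(64))) + "\nalt = " + "1" * 88
    print(find_keypairs(demo))  # prints ['json-keypair-array', 'base58-secret-key']
```

Run it as a CI step over the checkout (`scan_tree(Path("."))`) and fail the build when the returned dict is non-empty.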
Open a GitHub issue with the checklist
- Formal verification (https://twitter.com/squadsprotocol/status/1618671630359887873?s=46&t=-oVDphlUuRY-yldrtuWokQ)
Jiri had a great suggestion
- Turn this into a community driven discussion
- Risk: security theater. Wastes time and doesn't actually increase security
- Who reviews authentically?
- v0 - self review with informal signoff
- v1 - some sort of DAO vote? POA? Just need some display of certification, would be great if it's communal.
TODO
- external "approvals"
- explore putting it as a standard template
- Part of anchor init?
- Part of the explorer verification process
- Client/user side best practices
- cold-hot wallet with top ups and time delay