DON’T GET REKT 🤡
Configure Your Wallet Securely
- Enforce Multi-Signature Requirements: Ensure critical operations (ex fund transfers, ownership changes, upgrades) require a 70% threshold consensus. Incorporating external tiers, such as a security firm, can also significantly enhance security by providing impartial oversight and mitigating risks. A 5-out-of-7 multisig setup with one external tier achieves the 70% threshold while adding this extra layer of protection.
- Role-Based Access: Use role-based access control to limit permissions to execute sensitive actions.
- Regular Security Reviews: Periodically review and update operational thresholds for sensitive actions to ensure they align with current organizational needs.
- Simulate Scenarios & Transactions: Run simulations and tests transactions for critical operations.
Ensure Secure Private Key Management
- Make Hardware Wallets Mandatory: Require all key holders to use hardware wallets for secure key storage. Ledger Nano S Plus, Trezor Model One, Trezor Safe 3 (avoid Ledger Nano X for its battery issues).
- Key Rotation Policies: Establish and enforce private key rotation policies to mitigate risks from compromised keys.
- Secure Communication Channel: Multisig signers should coordinate via a restricted and encrypted communication channel (signal/telegram).
- Access Logging/Monitoring: Maintain logs of private key usage to detect unauthorized access attempts.
- Least Privilege Principle: Assign the minimum necessary access rights to individuals based on their roles.
- Access Reviews: Regularly review privileged access to identify and remove inactive or unnecessary accounts.
- Separation of Duties: Separate responsibilities for private key generation, use, and storage to reduce insider threats.
- Establish Backup: Use secure, offline methods such as physical backups (writing on paper, metal plates, or storing in fireproof safes) to store private keys and seed phrases. Ensure these backups are protected against physical damage and unauthorized access.
- Shamir’s Secret Sharing: Divide seed phrases into multiple shares using Shamir’s Secret Sharing. Require a minimum threshold of shares (example 3 out of 5) to reconstruct the phrase, reducing the risk of a single point of failure while maintaining security if some shares are lost or compromised.
- Disaster Recovery Plan: Define a clear and tested plan for key recovery in case of facing the unexpected.
Fortify Your Infrastructure and Devices
- Enforce Secure Configuration of Company Assets: Require the use of hardware security keys (YubiKeys). Impose as a standard at least two-factor authentication (security keys, OTP or passkeys for all accounts and services). If you use passkeys, they must be unique and you must have one per device, never store it online (ex: for Apple do not store it on iCloud). NEVER use a phone number as 2FA (unless you have to => cold phone number). Ensure all devices have encrypted disks, up-to-date antivirus software, and password managers configured with strong master passwords.
- Enhance DNS Security: Properly secure your DNS, here is a great article from CANTINA.
- Protect Social Media and Digital Assets: Secure all social media accounts with strong passwords and properly configure 2FA. Restrict access to social media platforms to authorized personnel only.
Recommendations:
Regularly train team members on security best practices, including key management, phishing awareness, and multi-sig configurations.
Conduct regular security audits.
And have good security practices 😊.
Thanks for reading, Souilos.
