diff --git a/pre-launch-security-checklist.md b/pre-launch-security-checklist.md index 4eeaf30..aee2836 100644 --- a/pre-launch-security-checklist.md +++ b/pre-launch-security-checklist.md 
@@ -5,7 +5,7 @@ - [ ] Make sure your UI links to your GitHub repo. - [ ] Respond to all recommended changes in your draft audit report and have the auditor publish the final version of the report including acknowledgement of your responses. - [ ] If you received a large number of recommended changes to your code during the audit, you should strongly consider getting a second audit after you make the changes, ideally from another auditor. Audits with long lists of issues often indicate that the auditors would have found even more issues given more time. -- [ ] [Verify](https://etherscan.io/verifyContract) your contracts on Etherscan. There are automated tools in [Foundry](https://book.getfoundry.sh/forge/deploying.html?highlight=verify#verifying), or [Hardhat](https://hardhat.org/plugins/nomiclabs-hardhat-etherscan.html) that help verify for you. +- [ ] [Verify](https://etherscan.io/verifyContract) your contracts on Etherscan. There are automated tools in [Foundry](https://book.getfoundry.sh/forge/deploying.html?highlight=verify#verifying) or [Hardhat](https://hardhat.org/plugins/nomiclabs-hardhat-etherscan.html) that help verify for you. - [ ] Set up a bug bounty program. [Immunify](https://immunefi.com/) or [HackerOne](https://www.hackerone.com/) can help coordinate it. Whatever you initially consider an appropriate an appropriate bounty for a High Severity issue should probably be increased by 2-10x (post-launch, the floor should be 1% of value at risk). - [ ] Set up monitoring and alerting. You want to be on top of what's happening with your project so you can respond quickly to security incidents. For example, you can have a script to monitor for new governance proposals and be alerted when they occur. Or, if you're using a TWAP, have a script that checks the TWAP every block, compares it against the price feed from a CEX, and alerts you if it's every different by more than 10%. 
Or an alert to let you know when more than 20% of the tokens in your contract have been removed in a single tx. There are a tools that you can use like [Check the Chain](https://github.com/fei-protocol/checkthechain) + [Grafana](https://grafana.com/), or use an off-the-shelf monitoring tool like [Tenderly](https://tenderly.co/alerting) or OpenZeppelin's [Defender Sentinels](https://www.openzeppelin.com/defender). - [ ] Prepare emergency action scripts to pause contracts or take other defensive actions in the event of an exploit.
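Review bot: The comma removal in the Etherscan item is fine, but since this hunk already touches this block of the checklist, the unchanged context lines around it carry several copy errors that should go into the same change rather than a follow-up: the bug bounty item reads "an appropriate an appropriate bounty" (duplicated phrase), and "Immunify" does not match the linked domain immunefi.com, so the link text should be "Immunefi"; the monitoring item reads "alerts you if it's every different by more than 10%" (should be "ever different") and "There are a tools that you can use" (should be "There are tools you can use"). Suggested replacements, keeping the rest of each line as-is:
- `Whatever you initially consider an appropriate bounty for a High Severity issue should probably be increased by 2-10x`
- `and alerts you if it's ever different by more than 10%.`
- `There are tools you can use like [Check the Chain](...) + [Grafana](...)`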