diff --git a/pre-launch-security-checklist.md b/pre-launch-security-checklist.md index c519124..a6636f6 100644 --- a/pre-launch-security-checklist.md +++ b/pre-launch-security-checklist.md 
@@ -9,4 +9,4 @@ - [ ] Set up a bug bounty program. [Immunify](https://immunefi.com/) or [HackerOne](https://www.hackerone.com/) can help coordinate it. Whatever you initially consider an appropriate an appropriate bounty for a High Severity issue should probably be increased by 2-10x (post-launch, the floor should be 1% of value at risk). - [ ] Set up monitoring and alerting. You want to be on top of what's happening with your project so you can respond quickly to security incidents. For example, you can have a script to monitor for new governance proposals and be alerted when they occur. Or, if you're using a TWAP, have a script that checks the TWAP every block, compares it against the price feed from a CEX, and alerts you if it's every different by more than 10%. Or an alert to let you know when more than 20% of the tokens in your contract have been removed in a single tx. There are a tools that you can use like [Check the Chain](https://github.com/fei-protocol/checkthechain) + [Grafana](https://grafana.com/), or use an off-the-shelf monitoring tool like [Tenderly](https://tenderly.co/alerting) or OpenZeppelin's [Defender Sentinels](https://www.openzeppelin.com/defender). - [ ] Prepare emergency action scripts to pause contracts or take other defensive actions in the event of an exploit. -- [ ] Create an incident response plan. In the event of a hack, know ahead of time who will be in the war room, which platform(s) (e.g., Discord, Signal, etc) and which channels you'll use to communicate. For the core response group, having voice comms is very helpful. Know who you will reach out to for help. Know what your first steps will be (e.g.: pause contracts, reach out to security partners, alert users that an issue is happening via Twitter/Discord, etc). Know who will take on what roles: Who will communicate with the public and outside partners? Who will start digging into the attacker's txs to find the vulnerability that was exploited? 
Who will be responsible for submitting the txs to (for example) pause the contracts? Having this all in a doc somewhere will be helpful so you can rely on it when the adrenaline is clouding your judgment. +- [ ] Create an incident response plan. In the event of a hack, you want to know ahead of time who will be in the war room, which platform(s) (e.g., Discord, Signal, etc) and which channels you'll use to communicate, and how to enact defensive actions. Having this all in a doc somewhere will be helpful so you can rely on it when the adrenaline is clouding your judgment. You can use [this template](https://github.com/nascentxyz/simple-security-toolkit/incident-response-plan-template.md) to prepare.
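Review bot: The template link in the new `+` line, `https://github.com/nascentxyz/simple-security-toolkit/incident-response-plan-template.md`, is missing the `/blob/<branch>/` segment that a GitHub file URL needs, so it will not resolve to the file; use the full path (e.g. `https://github.com/nascentxyz/simple-security-toolkit/blob/main/incident-response-plan-template.md`, with the actual branch name) or a relative link since the template lives in the same repository. Separately, the rewrite drops the concrete prompts the old bullet carried (who communicates externally, who digs into the attacker's txs, who submits the pause txs, what the first steps are); if those now live in the template, it is worth keeping a one-clause summary here ("roles, comms channels, and first defensive steps") so the checklist item still stands on its own for readers who skim without following the link. Also, the unchanged context lines in this hunk carry a few typos worth a drive-by fix: "Immunify" (the project is Immunefi), "an appropriate an appropriate", "it's every different", and "There are a tools".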