
Crypto Wallet Security Checklist

Classification: Restricted

Stage: Publication stage (60)

Introduction:

The Web3 Security Framework Initiative is a collaborative effort to promote the adoption of best practices in web3 security. The initiative aims to minimize the risks associated with security vulnerabilities and hacks, which have become increasingly prevalent in the web3 space. Moreover, projects that demonstrate full compliance with our rigorous guidelines will earn an on-chain certificate recognized by all the AvengerDAO members on the BNB Chain ecosystem.

This document serves as a comprehensive checklist of the critical elements surrounding the secure management of crypto wallets.

Columns: Item ID, Security Check, Criticality, Is Project Compliant?, Comments. The last two columns are left blank for the project to fill in.

1 General

1.1 (Criticality: High)
Establish a dynamic policy for protecting cryptocurrency wallets, communicated to all employees and stakeholders and regularly updated. It mandates 2FA and secure storage for all wallets, double-checking of transactions, and tracking and monitoring of wallet access with prompt responses to any detected breaches. Regular staff training on cryptocurrency security is also prescribed.

Such a document will contain the measures taken in the elements below:

1.1.1 (Criticality: High)
Define clear purposes for the project's wallets, such as treasury, development, testing, and payments, with set amount limits to mitigate potential losses from hacks or leaks. Regularly perform security risk evaluations to adjust these limits in response to changing threat situations.

1.1.2 (Criticality: High)
Establish roles and responsibilities associated with managing wallet security topics, as in a responsibility matrix. Several roles and responsibilities that can be referenced:
1) Security Manager: This individual oversees the overall security of the cryptocurrency wallets. Their tasks may include ensuring the latest security measures are implemented, routinely auditing the wallets' security, and addressing any detected vulnerabilities.
2) Transaction Auditor: This role involves checking transactions for any irregularities or suspicious activities. They must monitor the transactions happening in real time and report any unusual behavior immediately.
3) IT Support Staff: This team provides assistance for technical issues relating to the wallets. This could include issues with two-factor authentication or hardware wallet operation.
4) Training Coordinator: This individual is responsible for organizing and conducting regular staff training on wallet security. They must ensure all employees understand the security measures and how to apply them effectively.
5) Compliance Officer: This individual ensures that the organization's practices regarding wallet security conform to industry regulations and standards. Their role involves keeping up to date with new regulations and ensuring that the organization implements them.
2 Education and Training

2.1 (Criticality: High)
Provide team members with regular training around wallet security and best practices.

2.2 (Criticality: High)
Maintain internal documentation of best practices to be followed by team members and new joiners.

2.3 (Criticality: High)
Ensure team members are fully aware of new trends in phishing, ice phishing, and social engineering attacks.
3 Wallet Software and Hardware Selection

3.1 (Criticality: High)
Certify that the wallet in use relies on secure, audited cryptographic libraries.

3.2 (Criticality: High)
The wallet development team should ensure the secure integration of third-party solutions; this includes creating mechanisms to switch solutions without impacting the business.

3.3 (Criticality: High)
Certify the wallet software is continually updated by the team to integrate security patches. Available patches should be prioritized and integrated according to a pre-defined, consistent schedule, such as weekly or bi-weekly. Any critical patches addressing high-risk vulnerabilities should be applied immediately upon availability, outside of the regular update schedule, to guarantee continuous security.

3.4 (Criticality: High)
Certify the wallet solution chosen has been thoroughly audited for security vulnerabilities and that its provider remediates vulnerabilities in a timely manner. Ensure the wallet solution is audited on an ongoing basis, for example bi-annually, by at least one auditing company.

3.5 (Criticality: High)
Hardware wallets should be purchased through formal channels to avoid supply chain attacks. This involves cross-checking the device's security features, verifying its serial number with the manufacturer, and confirming tamper-evident packaging upon arrival. Additionally, a secure procurement process should be in place, which includes verifying the supplier's reliability through reviews and validating their authenticity before carrying out any transactions. Any received hardware wallets should undergo a stringent security checkup before being deployed for use.
4 Operations

4.1 (Criticality: High)
Incorporate routine audits and surveillance of wallet usage for early detection of anomalies, potential security breaches, or unauthorized activities, with the involvement of specialized teams or external auditors for unbiased observation.

5 Wallet Sharing

5.1 (Criticality: High)
Define secure processes for sharing sensitive wallet information among developers.
6 Single Point of Failure

6.1 (Criticality: High)
To mitigate risks from stolen or leaked keys, wallets need robust access control and redundancy. This can be achieved through Multi-signature Smart Contract Wallets, Multi-party Computation Wallets, and Multi-Factor Authentication mechanisms. Multisig and MPC wallets, with built-in redundancy, are particularly favored. Constant security testing is essential to locate and address any vulnerabilities quickly. Additionally, maintaining an updated disaster recovery plan ensures swift recovery and limited losses in case of a breach or system failure.

6.2 (Criticality: High)
Ensure the minimum threshold for a Multisig Wallet is at least 50% of all wallet owners; this empowers the majority to control transactions. For instance, in an organization with 5 key leaders, the Multisig Wallet's threshold should be at least 3, ensuring decisions around transactions are made by the majority.

6.3 (Criticality: Critical)
Privileged smart contract accounts should have redundancy to avoid single failure points. This can be achieved using solutions like Multi-signature Smart Contract Wallets. Redundancy ensures there are multiple holders of each role to prevent over-dependence on one account. Strict guidelines including multiple approvals for large transactions, transaction limits, and frequent access rights reviews ensure security and reliability.

6.4 (Criticality: High)
Make sure to implement mechanisms for the redundancy of wallets so that they are not lost in case of unexpected events.
7 Phishing Attacks

7.1 (Criticality: High)
Define guidelines for developers when working with wallets with funds: use a secure environment and tools, such as secure and up-to-date tools and browsers, and only secure extensions, to prevent known phishing attacks. A secure environment should be separated from other systems to limit potential security threats. Developers should use secure, updated browsers that have built-in security features and strong privacy settings while accessing wallets with funds. Additionally, the use of browser extensions should be limited and monitored. Only secure, trusted extensions should be used to prevent known phishing attacks.

7.2 (Criticality: High)
Ensure tools used for development are strictly used for that purpose and have no third-party extensions or dependencies unrelated to web3 development. Further, a sandboxed development environment should be employed as a security mechanism. It provides a controlled setting in which programs can run, containing any bugs, vulnerabilities, or system failures within the sandbox, thereby preventing such adversities from propagating into the system. Such sandboxed development reduces the impact of flaws and enhances overall security.

7.3 (Criticality: High)
Employ email verification and domain monitoring to combat phishing attacks effectively. These should adhere to standards such as:
1) Email Verification Standards: Adopt secure identity confirmation practices like the Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting & Conformance (DMARC) protocols.
2) Multi-Factor Authentication (MFA): MFA adds an extra layer of security by requiring users to provide at least two forms of identification before accessing accounts.
3) Secure Email Gateway (SEG): Employ a SEG to scan incoming and outgoing emails for threats and filter out phishing attempts before they reach user inboxes.
4) Domain Monitoring Standards: To prevent domain phishing, use security solutions that comply with the Domain Name System Security Extensions (DNSSEC). DNSSEC provides origin authority, data integrity, and authenticated denial of existence.
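As an added example (not from the checklist), a small Python checker that evaluates the SPF and DMARC records called for in item 7.3 and reports settings that still let the project's domain be spoofed. The TXT records are constructed samples; in practice they would be fetched from DNS for the organization's sending domain.

```python
import re

# Constructed sample TXT records; in practice they are fetched from DNS
# (the domain's own TXT record for SPF, _dmarc.<domain> for DMARC).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"

# SPF terms that cost a DNS lookup; RFC 7208 caps the total at 10.
_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a(?=[:/]|$)|mx(?=[:/]|$)|redirect=|exists:)")

def evaluate_spf(record: str) -> list[str]:
    """Return weaknesses found in an SPF TXT record ('' means none published)."""
    if not record.startswith("v=spf1"):
        return ["no SPF record published: anyone can send as this domain"]
    findings = []
    terms = record.split()[1:]
    if "+all" in terms or "all" in terms:
        findings.append("'+all' authorizes every host to send as the domain")
    elif "~all" in terms:
        findings.append("'~all' (softfail) only marks spoofed mail; prefer '-all'")
    elif "-all" not in terms:
        findings.append("no 'all' mechanism: unmatched senders are permitted")
    lookups = sum(1 for t in terms if _LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings

def evaluate_dmarc(record: str) -> list[str]:
    """Return weaknesses found in a _dmarc TXT record ('' means none published)."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record published: SPF/DKIM results are not enforced"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam; p=reject blocks it")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to watch for abuse")
    return findings

if __name__ == "__main__":
    for name, rec in [("weak SPF", WEAK_SPF), ("strong SPF", STRONG_SPF)]:
        print(name, evaluate_spf(rec))
    for name, rec in [("weak DMARC", WEAK_DMARC), ("strong DMARC", STRONG_DMARC)]:
        print(name, evaluate_dmarc(rec))
```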
8 Development Lifecycle

8.1 (Criticality: High)
Define a list of secure wallet software that can be used by team members and ensure it is used.

8.2 (Criticality: High)
Define access control measures, following the principle of least privilege, for team members to use the private keys and access project funds. Add access control measures like multi-factor authentication (MFA) and strong authentication protocols.

8.3 (Criticality: High)
Define rules for saving encrypted private keys in the local environment, avoiding any plain-text storage or sharing. Widely used encryption standards include the Advanced Encryption Standard (AES) and RSA. Secure key management systems like HashiCorp Vault provide layers of access control, auditing capacities, and automation abilities.

8.4 (Criticality: High)
To prevent indiscriminate usage and manipulation of wallets in an environment not controlled by the project, define the process and access control for users to use wallets in a defined environment.
9 Wallets and Servers

9.1 (Criticality: High)
Use secure solutions to store private keys on test and production servers, such as hardware security modules and key management systems.

9.2 (Criticality: High)
Define secure guidelines for storing private keys associated with the production testing environment encrypted on test servers and ensure secure access control. Detailed access control requirements should be set in place:
1) Role-Based Access Control (RBAC): Access to sensitive information, such as private keys, should be strictly based on the individual's role within the organization. Individuals should only have the permissions required to fulfill their job responsibilities. This principle is known as the 'Least Privilege Principle'.
2) Two-Factor Authentication (2FA): Implement 2FA for all users attempting to access the test servers. This adds a second layer of security, requiring the user to verify their identity using a second method, alongside the standard username and password.
3) Auditing and Monitoring: Regularly audit and monitor access logs to prevent and identify any unauthorized access attempts. Unusual behavior or access patterns should trigger automated alerts.
4) Change Management: Implement a strict change management protocol. Any changes to user access rights, particularly those that might grant access to private keys on the test servers, should be formally requested, reviewed, approved, and documented.
5) Secure Session Controls: Implement automatic session timeout policies to minimize the risk in case a user's session remains open and unattended.

9.3 (Criticality: High)
Certify the usage of at least one different wallet for testing environments and for production environments. Implement address separation between testing and production wallets.
10 Treasury

10.1 (Criticality: High)
Implement monitoring and alerting mechanisms to detect moving funds.

10.2 (Criticality: High)
Ensure tracking of wallet usage and implement alerting mechanisms for abnormal transactions.
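An added example, not part of the checklist, of the monitoring and alerting in items 10.1 and 10.2 in Python: a rule engine over a constructed feed of transfer events that alerts on unapproved recipients, per-transfer limits and a rolling daily cap per monitored wallet. Wallet addresses, limits and events are invented for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Transfer:
    block: int
    sender: str
    recipient: str
    amount: float  # in the token's natural unit (e.g. BNB)
    tx_hash: str

# Constructed policy: per-transfer limit, rolling daily cap and (optionally)
# the only recipients a wallet is ever expected to pay.
MONITORED = {
    "0xtreasury": {"per_tx_limit": 50.0, "daily_cap": 100.0,
                   "allow": {"0xpayroll", "0xexchange"}},
    "0xpayments": {"per_tx_limit": 10.0, "daily_cap": 40.0, "allow": set()},
}
BLOCKS_PER_DAY = 28800  # about 3 s per block on BNB Chain; adjust per chain

def detect_alerts(events):
    """Return (rule, tx_hash) pairs for outbound transfers that breach policy."""
    alerts = []
    recent = defaultdict(list)  # sender -> [(block, amount)] inside the window
    for ev in sorted(events, key=lambda e: e.block):
        policy = MONITORED.get(ev.sender)
        if policy is None:
            continue  # inbound or unrelated transfer: nothing to check
        if policy["allow"] and ev.recipient not in policy["allow"]:
            alerts.append(("unapproved_recipient", ev.tx_hash))
        if ev.amount > policy["per_tx_limit"]:
            alerts.append(("per_tx_limit", ev.tx_hash))
        window = [(b, a) for b, a in recent[ev.sender] if ev.block - b < BLOCKS_PER_DAY]
        if sum(a for _, a in window) + ev.amount > policy["daily_cap"]:
            alerts.append(("daily_cap", ev.tx_hash))
        recent[ev.sender] = window + [(ev.block, ev.amount)]
    return alerts

# Constructed event feed (what an explorer API or node subscription would deliver).
SAMPLE_EVENTS = [
    Transfer(1000, "0xtreasury", "0xpayroll", 40.0, "0xaa01"),
    Transfer(1050, "0xtreasury", "0xpayroll", 45.0, "0xaa02"),     # running total 85: fine
    Transfer(1100, "0xtreasury", "0xpayroll", 30.0, "0xaa03"),     # running total 115: over cap
    Transfer(40000, "0xtreasury", "0xunknown", 5.0, "0xaa04"),     # next day, recipient unknown
    Transfer(40100, "0xpayments", "0xvendor", 12.0, "0xaa05"),     # above per-transfer limit
    Transfer(40200, "0xexternal", "0xtreasury", 500.0, "0xaa06"),  # inbound, not checked
]

if __name__ == "__main__":
    for rule, tx in detect_alerts(SAMPLE_EVENTS):
        print(f"ALERT {rule}: {tx}")
```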
10.3 (Criticality: High)
Create a straightforward process for the management of such wallets, covering authorized users, process steps, and usage use cases.

10.4 (Criticality: High)
Clearly define the standard for secure wallet solutions for the project's treasury wallets, combining some of the following solutions: cold wallet solutions or hardware wallets, multisig, and MFA.

10.5 (Criticality: High)
Create a structured and straightforward procedure for migrating funds. This procedure includes the following steps:
1) Request Initiation: The user or department that needs to transfer funds to another wallet should initiate a formal request. This request should include the reason for the transfer, the destination wallet address, and the amount to be transferred.
2) First Level Approval: The initial request should be reviewed by a designated individual or team within the organization; this could be the individual's direct supervisor or a member of the risk or security team. This person or team should verify the need for the transfer and the correctness of the details within the request.
3) Second Level Approval: For significant fund transfers or those that exceed a predetermined threshold, a second level of approval should be required. This could come from higher management or executives within the organization.
4) Validation: Prior to the actual transfer, a third-party verification or internal validation step should be added, wherein the transaction details are independently verified for accuracy.
5) Transfer Execution: Only after passing through all the previous stages should a fund transfer be executed. The execution should be conducted by a designated individual or machine depending on the safety protocol.
6) Audit and Document: Finally, every transaction and approval should be documented and stored securely for auditing purposes.
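An added example, not the checklist's own code, that models items 6.2 and 10.5 together in Python: a majority multisig threshold plus the request, two-level approval, independent validation, execution and audit stages as a state machine that refuses to skip a stage. The owner names, the SECOND_LEVEL_ABOVE amount and the strict-majority reading of 6.2 (5 owners require 3 approvals) are assumptions.

```python
from dataclasses import dataclass, field

def majority_threshold(owner_count: int) -> int:
    """Item 6.2 read as a strict majority of owners: 5 owners -> 3 signers."""
    return owner_count // 2 + 1

SECOND_LEVEL_ABOVE = 100.0  # constructed: larger transfers need executive sign-off

@dataclass
class TransferRequest:
    requester: str
    reason: str
    destination: str
    amount: float
    stage: str = "requested"
    approvals: set = field(default_factory=set)
    audit: list = field(default_factory=list)  # (actor, new stage) per step

    def advance(self, actor: str, stage: str) -> None:
        self.stage = stage
        self.audit.append((actor, stage))

class TreasuryWorkflow:
    def __init__(self, owners, executives):
        self.owners, self.executives = set(owners), set(executives)
        self.threshold = majority_threshold(len(self.owners))

    def first_level_approve(self, req, owner):  # step 2: owners sign until threshold
        if req.stage != "requested" or owner not in self.owners or owner == req.requester:
            raise PermissionError("approval must come from an owner other than the requester")
        req.approvals.add(owner)
        if len(req.approvals) >= self.threshold:
            req.advance(owner, "second_level" if req.amount > SECOND_LEVEL_ABOVE else "validation")

    def second_level_approve(self, req, executive):  # step 3: only above the threshold
        if req.stage != "second_level" or executive not in self.executives:
            raise PermissionError("second-level approval requires an executive")
        req.advance(executive, "validation")

    def validate(self, req, validator, confirmed_destination, confirmed_amount):
        """Step 4: an independent party re-checks the details before any signing."""
        if req.stage != "validation" or validator in req.approvals:
            raise PermissionError("validator must not be one of the approvers")
        ok = (confirmed_destination, confirmed_amount) == (req.destination, req.amount)
        req.advance(validator, "approved" if ok else "rejected")

    def execute(self, req, executor):  # step 5, returning the step 6 audit trail
        if req.stage != "approved":
            raise PermissionError(f"cannot execute a transfer in stage '{req.stage}'")
        req.advance(executor, "executed")  # the on-chain multisig submission goes here
        return req.audit
```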
10.6 (Criticality: High)
Create a process for when changing any software or hardware associated with the treasury wallets.
11 Incident Management

11.1 (Criticality: High)
Create an incident response plan to secure funds for the different scenarios where private keys are compromised. The process could be different for each type of wallet: treasury wallets, wallets with elevated roles in smart contracts, etc.

In the scenario where:
1. Physical Theft of Device: If the device storing the private key (like an employee's laptop or backup drive) gets stolen.
Response Procedure: Initiate an immediate alert to the security and IT teams. Oversee the remote wiping of the stolen device if this functionality exists. The compromised private keys should be rotated, and all assets associated with the stolen key should be moved to a new secure account, if possible.
2. Phishing Attacks: An employee might be tricked into revealing private keys through a phishing attack.
Response Procedure: If identified, inform the cybersecurity team immediately, conduct an internal investigation to understand the extent of the breach, and educate employees about phishing avoidance. Private keys should be rotated and corresponding public keys updated across services.
3. Malware or Keylogging Software: The key might be compromised due to the presence of malware or keylogging software on either the server or the employee's device.
Response Procedure: Once discovered, quarantine the infected device or server to avoid spreading the malware. Conduct an immediate system sweep, remove the malware, and consider a full system restore from a secure backup. Rotate the keys and ensure all systems have up-to-date anti-malware software.
4. Accidental Exposure: Situations like an employee unknowingly publishing the keys in a code repository, email, etc., which become publicly accessible.
Response Procedure: Once the exposure is detected, remove the exposed keys from public view immediately. Rotate the exposed keys, conduct an audit to understand the extent of the exposure, and train staff regarding the proper handling of sensitive information like private keys.
5. Insider Threats: An employee or insider deliberately misusing their access could compromise the keys.
Response Procedure: If an insider threat is detected, revoke the compromised keys immediately and terminate the user's access rights. Perform a full security audit, involve law enforcement if necessary, and verify the integrity of other systems that the insider had access to.

11.2 (Criticality: High)
Rehearse the incident response protocol to ensure its effectiveness. This practice of continuous testing and refinement is crucial for maintaining an up-to-date and robust response mechanism to security incidents. It ensures that all involved parties are well versed in their responsibilities, reinforces response procedures, reduces reaction times, and ultimately helps to minimize damage when a real incident occurs.