SlowMist Presents | Web3 Project Security Handbook

SlowMist
7 min readSep 10, 2024

--

As Web3 continues its rapid growth, blockchain technology and cryptocurrency have become integral parts of the global financial system. However, this progress brings with it significant security challenges. In response, the SlowMist Security Team has developed the Web3 Project Security Handbook (also known as the “Red Handbook”) to provide comprehensive security guidance and practical skills to Web3 projects and developers. This bilingual handbook (Chinese/English) consists of four major sections:

Web3 Project Security Practice Requirements

Attacks on Web3 projects are becoming more frequent and complex, especially as project interactions often introduce new security risks. Many Web3 development teams lack direct experience with real-time security measures and often focus more on business viability and functionality rather than building a robust security framework. Without a solid security foundation, it’s challenging to ensure the project’s safety throughout its lifecycle.

To address this, many teams hire reputable blockchain security firms to audit their code. While valuable, these audits are typically short-term solutions and do not help teams build their own security frameworks. SlowMist aims to bridge this gap by providing an open-source Web3 Project Security Practice Requirements to continuously empower teams in the blockchain ecosystem with the skills necessary to establish and maintain their own security systems.

The Web3 Project Security Practice Requirements is currently in version v0.1. You can read the full content via: Web3 Project Security Practice Requirements.

Smart Contract Security Auditing Skill Tree

This skill tree outlines the essential skills required by SlowMist’s smart contract security auditors. It is designed to foster a self-driven research and engineering mindset, pushing team members to continuously evolve. The skill tree is divided into four stages:

For a detailed guide on each stage, visit: SlowMist Learning Roadmap for Becoming a Smart Contract Auditor

Blockchain-Based Cryptocurrency Security Audit Guide

Cryptocurrency, as an asset with inherent value, is characterized by its irreversible nature and difficulty in traceability. These factors make it a prime target for hackers. This section of the Red Handbook not only addresses common security vulnerabilities but also provides in-depth security research on various topics, including:

Cryptocurrency Threat Modeling

The SlowMist Security Team utilizes multiple models to identify potential threats within cryptocurrency systems. These include:

- CIA Triad (Confidentiality, Integrity, Availability)

- STRIDE Model (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege)

- DREAD Model (Damage Potential, Reproducibility, Exploitability, Affected Users, Discoverability)

- PASTA Model (Process for Attack Simulation and Threat Analysis)

Testing Methods

In black-box and gray-box testing, we employ techniques like fuzz testing and script-based testing. These methods involve supplying random or specifically structured data to assess the robustness of interfaces or components, helping us uncover system anomalies such as bugs or performance issues under edge conditions. In white-box testing, we conduct thorough code reviews, analyzing object definitions and logic implementations. Drawing on the security team’s extensive experience with known blockchain vulnerabilities, we ensure that key logic and critical components are free from any recognized flaws. Additionally, we adopt new approaches for vulnerability detection in emerging technologies and environments, aiming to identify potential zero-day vulnerabilities.

Vulnerability Severity

Based on the CVSS (Common Vulnerability Scoring System) framework, the SlowMist security team has developed a blockchain-specific vulnerability severity classification.

Public Blockchain Security Research

SlowMist’s Blockchain Threat Intelligence System actively monitors ongoing security incidents, using this intelligence to inform its security consulting and audit services.

The SlowMist Security Team also conducts detailed analysis on publicly known blockchain security vulnerabilities and has compiled a comprehensive Common Vulnerabilities List for blockchain systems. You can access it here: Blockchain Common Vulnerability List

Public Blockchain Security Audits

SlowMist employs a combination of black-box, gray-box, and white-box testing methods for public blockchain security audits. Depending on the audit’s needs, they provide several solutions:

- Mainnet Security Audits and Layer 2 Audits, primarily using black-box and gray-box methods.

- Source Code Security Audits, focusing on white-box testing.

- Customized Security Audits for application chains and specific development frameworks.

Blockchain Application Audits

These audits cover:

- Smart Contract Security Audits

- Other Blockchain Applications

For the full details, visit the audit guide: Cryptocurrency Security Audit Guide

Crypto Asset Security Solutions

Drawing from years of frontline service experience, SlowMist has developed comprehensive security solutions for participants in the cryptocurrency space. These solutions are categorized into five key areas, each with detailed explanations of associated risks and mitigation strategies.

Online Hot Asset Security Solutions

Online hot assets refer to assets where the cryptocurrency private keys are stored on online servers and frequently used for signing transactions. Examples include hot and warm wallets used by exchanges. Because these private keys are stored online, they are significantly more vulnerable to attacks, making them a high-priority target for protection. To safeguard these assets, it’s essential to improve the security level of storage (e.g., hardware encryption chips) and eliminate single points of failure. SlowMist recommends enhancing the security of online hot assets through two primary approaches:

1. Collaborative Custody Solutions

2. Private Key/Mnemonic Phrase Security Configuration Solutions

Cold Asset Security Solutions

Cold assets in the cryptocurrency world refer to large holdings that are not frequently traded, with private keys stored in an offline, air-gapped environment. In principle, the “colder” the asset, the better — ensuring that private keys never touch the internet and minimizing transactions to avoid exposing address information. SlowMist suggests focusing on two main areas:

1. Ensuring the security of private key storage by keeping it as isolated as possible.

2. Implementing robust management procedures to prevent private key leaks or unauthorized transfers.

DeFi Asset Security Solutions

A significant number of blockchain participants engage in DeFi projects, such as mining, lending, or yield farming. Participating in DeFi essentially involves transferring or authorizing your assets to DeFi project teams, which introduces substantial risks that may be beyond the user’s control. This solution outlines key risk points in DeFi projects and provides strategies to mitigate these risks.

Asset Ownership Security Backup Solutions

In the context of cryptocurrency, backing up private keys or mnemonic phrases is critical, as these represent complete ownership of the assets. If the private keys or mnemonic phrases are stolen or lost, all assets are permanently lost. Properly backing up private keys and mnemonic phrases is an often-overlooked aspect of asset security, making it a vulnerability in the crypto space.

Asset Anomaly Monitoring and Tracking Solutions

Even after implementing comprehensive asset security measures, it’s important to monitor and track wallet addresses for anomalies. This is particularly useful in case of “black swan” events, ensuring that every asset transfer is verified and confirmed by the internal team.

This complete security solution is the culmination of SlowMist’s years of frontline experience in blockchain security operations and is designed to provide a holistic approach to securing crypto assets.

For the full content, visit: Cryptocurrency Security Solutions

Conclusion

The Web3 Project Security Handbook is a well-structured, comprehensive guide designed for all Web3 projects and developers. In this rapidly evolving landscape, security is a crucial pillar. Mastering these skills and knowledge will help build a safer and more reliable Web3 ecosystem. SlowMist remains committed to providing cutting-edge security research and solutions to ensure the blockchain ecosystem can thrive securely.

You can also download the PDF version at: Red Handbook PDF.

About SlowMist

At SlowMist, we pride ourselves on being a frontrunner in blockchain security, dedicating years to mastering threat intelligence. Our expertise is grounded in providing comprehensive security audits and advanced anti-money laundering tracking to a diverse clientele. We’ve established a robust network for threat intelligence collaboration, positioning ourselves as a key player in the global blockchain security landscape. We offer tailor-made security solutions that span from identifying threats to implementing effective defense mechanisms. This holistic approach has garnered the trust of numerous leading and recognized projects worldwide, including names like Huobi, OKX, Binance, imToken, Crypto.com, Amber Group, Klaytn, EOS, 1inch, PancakeSwap, TUSD, Alpaca Finance, MultiChain, and Cheers UP. Our mission is to ensure the blockchain ecosystem is not only innovative but also secure and reliable.

We offers a variety of services that include but are not limited to security audits, threat intelligence, defense deployment, security consultants, and other security-related services. We also offer AML (Anti-money laundering) solutions, Vulpush (Vulnerability monitoring) , SlowMist Hacked (Crypto hack archives), FireWall.x (Smart contract firewall) , Safe Staking and other SaaS products. We have partnerships with domestic and international firms such as Akamai, BitDefender, FireEye, RC², TianJi Partners, IPIP, etc.

By delivering a comprehensive security solution customized to individual projects, we can identify risks and prevent them from occurring. Our team was able to find and publish several high-risk blockchain security flaws. By doing so, we wish to help spread awareness and raise the security standards in the blockchain ecosystem.

💬Website 🐦Twitter ⌨️GitHub

--

--

SlowMist

SlowMist is a Blockchain security firm established in 2018, providing services such as security audits, security consultants, red teaming, and more.