Skip to main content

Blockchain security

Smart contracts

Smart contracts are integral to the functionality and security of blockchain-based systems. They enhance the product by automating, securing, and optimizing processes, thereby improving operational efficiency and fostering trust among stakeholders. However, smart contracts are also vulnerable to malicious attacks, such as fund theft and data manipulation. To mitigate these risks, we employ a range of countermeasures.

Standards

API-Verse follows a range of established standards to enhance security and reliability. These include guidelines such as Solidity Language Best Practices, standards from OpenZeppelin, and Ethereum Improvement Proposals (EIPs), as well as key Ethereum Request for Comments (ERC) standards like ERC-20, ERC-721, and ERC-1155. These benchmarks help to ensure robust security and minimize common vulnerabilities.

Roles and responsibilities

To minimize the risk of unauthorized activities, API-Verse implements Role-Based Access Control (RBAC). This approach ensures that each participant has access only to resources necessary for their role. We leverage OpenZeppelin’s RBAC libraries to define and enforce secure, community-tested role and permission structures, fortifying our security architecture. The most common and basic form of access control is the concept of ownership: there’s an account that is the owner of a contract and can do administrative tasks on it. This approach is perfectly reasonable for contracts that have a single administrative user. Additional safeguards in the form of transferOwnership and renounceOwnership mechanisms are used to avoid error during the role assignment process. This prevents a situation in which an existing smart contract administrator indicates an incorrect address for the new administrator. Implementation of the mechanism is possible in the standard proposed by OpenZepellin https://docs.openzeppelin.com/contracts/2.x/api/ownership#Ownable

While the simplicity of ownership can be useful for simple smart contracts or quick prototyping, different levels of authorization are often needed. An account may be able to ban users from a system, but not create new tokens. Role-Based Access Control (RBAC) offers flexibility in this regard. In essence, we will be defining multiple roles, each allowed to perform different sets of actions. Instead of onlyOwner everywhere - you will use, for example, onlyAdminRole in some places, and onlyModeratorRole in others. Separately, you will be able to define rules for how accounts can be assigned a role, transfer it, and more. Most software development uses access control systems that are role-based: some users are regular users, some may be supervisors or managers, and a few will often have administrative privileges. Implementation of RBAC mechanism is possible in the standard proposed by OpenZepellin https://docs.openzeppelin.com/contracts/2.x/api/access#Roles

Static code analysis

Given the immutable nature of blockchain transactions, detecting vulnerabilities before deployment is critical. API-Verse employs static code analysis as a proactive measure to identify potential security flaws and logical errors in smart contracts. By utilizing a variety of automated tools, we detect common issues such as re-entrancy attacks, integer overflows, and unauthorized access—ensuring a secure development process. Static code analysis is a type of proactive approach to bug detection and helps to not only ensure that the code complies with security best practices, but also significantly reduces the risk of implementing faulty contracts. Incorporating static code analysis into the product development pipeline solidifies the robustness and reliability of the blockchain project, providing a solid foundation for secure and trustworthy execution of smart contracts.

Auditing

In the landscape of blockchain technology, ensuring the security and reliability of smart contracts is paramount. Audits conducted by reputable external entities play a crucial role in this process. These independent and specialized firms possess the expertise to meticulously examine the code, identify vulnerabilities, and recommend necessary improvements. Their impartial assessment not only helps in uncovering potential flaws that internal teams might overlook but also enhances the credibility and trustworthiness of the smart contracts.

As the field of cybersecurity continually evolves, new types of vulnerabilities and attack vectors are constantly being discovered. External auditors stay abreast of the latest developments and emerging threats, applying their up-to-date knowledge to the audit process. This continuous adaptation and vigilance are essential to mitigating the risks associated with novel exploits and sophisticated attacks. Engaging renowned external auditors demonstrates a commitment to security and transparency, significantly mitigating risks and reinforcing confidence among users and stakeholders in the integrity of the blockchain project. By leveraging the expertise of these external entities, projects can better safeguard their systems against both known and emerging threats.

Bug bounty program

Despite rigorous security audits, undiscovered vulnerabilities may still exist. To address this risk, API-Verse employs a bug bounty program, incentivizing security researchers to identify and report potential vulnerabilities. This proactive approach enhances the platform’s security by encouraging continuous improvement and ensuring a safer environment for users and stakeholders.

Vulnerability detection

API-Verse employs both active and passive vulnerability scanning. Active scanning simulates attacks to detect weaknesses such as unencrypted data and flawed authentication processes. Passive scanning monitors network traffic to identify potential vulnerabilities without actively probing systems. These measures provide comprehensive protection against known and emerging threats. Passive scanning, also called credentialed scanning, involves unobtrusively analyzing (without actively probing) network traffic to detect vulnerabilities that attackers can leverage to spread malware or steal/manipulate data.

Multi-signature technology and collaborative custody

To enhance transactional security, API-Verse utilizes multi-signature wallets, requiring multiple private keys for transaction authorization. This collaborative custody approach ensures that no single entity has unilateral control, reducing the risk of unauthorized transactions. Multi-signature wallets also provide transparency and an audit trail, strengthening overall platform security.