You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: development-guidelines/incident_response.md
+6-5Lines changed: 6 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,19 +3,20 @@
3
3
How you respond during an incident is a direct reflection of your preparatory efforts. Shift from a reactive approach to a **proactive** one by planning with the assumption that incidents are inevitable. To fully leverage the following guidelines, consider them during the application development, and not at the final stage.
4
4
5
5
## Application design
6
+
6
7
-**Identify the components that should/should not to be**
7
8
-**Pausable**. While pausing a component can be beneficial during an incident, you must assess its potential impact on other contracts.
8
9
-**Migrable or upgradeable**. Discovering a bug might necessitate a [migration strategy](https://blog.trailofbits.com/2018/10/29/how-contract-migration-works/) or contract upgradeable to fix the issue. However always be aware that upgradeability has its own [sets of risks](https://blog.trailofbits.com/2020/12/16/breaking-aave-upgradeability/). Making all contracts upgradeable might not be the best approach.
9
-
-**Decentralized**. Using decentralized components can sometimes restrict rescue measures.
10
+
-**Decentralized**. Using decentralized components can sometimes restrict rescue measures.
10
11
-**Evaluate what events are needed**. A missed event in a critical spot might result in unnoticed incidents.
11
-
-**Evaluate what components must be on-chain and off-chain**. On-chain components are generally more at risk, but off-chain components push the risks to the off-chain owner.
12
+
-**Evaluate what components must be on-chain and off-chain**. On-chain components are generally more at risk, but off-chain components push the risks to the off-chain owner.
12
13
-**Use an access control that allows fine-grained access**. Avoid setting all access controls to be available to an EOA. Opt for multisig wallets/MPC, and segregate access (e.g., the key responsible for setting fees shouldn't have access to the upgradeability feature).
13
14
14
15
## Documentation
15
16
16
17
-**Document how to interpret abnormal events emission**. Only emitting events isn't sufficient; proper documentation is crucial, and users should be empowered to decode them.
17
18
-**Document how to access the wallets**. Clearly outline how to access wallets. Both the location and access procedures for every wallet should be clear and straightforward.
18
-
-**Document the deployment and upgrade process**. Deployment and upgrade are risky processes, and must be thoroughly documented. This should include how to test the deployment/upgrade (ex: using fork testing) and how to validate it.
19
+
-**Document the deployment and upgrade process**. Deployment and upgrade are risky processes, and must be thoroughly documented. This should include how to test the deployment/upgrade (ex: using fork testing) and how to validate it.
19
20
-**Document how to contact the users and external dependencies**. Define guidelines regarding which stakeholders to contact, including the timing and mode of communication in case of incidents.
20
21
21
22
## Process
@@ -30,7 +31,7 @@ How you respond during an incident is a direct reflection of your preparatory ef
30
31
## Threat Intelligence
31
32
32
33
-**Identify similar protocols, and stay informed of related compromises**. Being aware of vulnerabilities in similar systems can help preemptively address potential threats in your own.
33
-
-**Identify dependencies, and monitor their behaviors to be alerted in case of compromise.**Follow twitter, discord, newsletter, etc.
34
+
-**Identify dependencies, and monitor their behaviors to be alerted in case of compromise.** Follow twitter, discord, newsletter, etc.
34
35
-**Maintain open communication lines with your dependencies owners**. This will help you to stay informed if one of your dependency is compromised.
35
36
-**Subscribe to https://newsletter.blockthreat.io/**. Block threat will help you to know about recent incidents
36
37
@@ -42,6 +43,6 @@ Additionally, consider conducting a threat modeling exercise. This will identify
0 commit comments