Wednesday, 18 August 2021

Let's talk about security!

Good news everyone! We are advancing with our plans to move the KoingFu Smart Bitcoin Cash decentralized exchange from testnet into mainnet. The main challenge for any team working with smart contracts is security, so we want to share some details of what we call our security framework, or in other words what we are doing to keep funds safe.

There are four parts to a secure smart contract platform: contract security, infrastructure security, key handling, and a bug bounty program. Let's go over some detail on each of them.

1.- Contract security. This is the contract code that users can verify online. To make sure the code is safe, we will be getting audits of our code, which will be public. While we are basing our project on the Uniswap contract code, which has already received audits and stood the test of time, we need to take into account that there are certain changes for BCH (https://docs.smartbch.org/smartbch/smartbch-evolution-proposals-seps/sep-206); it is always possible that these created new attack vectors, so we need to study these changes.

Here is an example of an audit, in this case for Uniswap: https://uniswap.org/audit.html . The cost of an audit from a reputable company starts at 20k and takes a couple of weeks.

2.- Infrastructure security. These are the servers where the platform runs as well as the services that the servers depend on: how they are handled and secured, services we depend on like DNS, and actual physical access to the boxes. We are hiring expert help to review our security and fix any issues early on.

Here is an example of a related DNS attack on PancakeSwap on Ethereum:

https://twitter.com/PancakeSwap/status/1371471934999777281

3.- Multisig key handling is a vital part of the security of smart contracts. By making it necessary for calls to the smart contracts to be signed by multiple keys under the control of different persons, we greatly reduce the risk of attacks. You can read more about multisig here: https://medium.com/unidocore/what-is-multisig-what-is-key-management-in-crypto-6d08b6ffbeae and there is also a great video explanation here: https://www.youtube.com/watch?v=yeLqe_gg2u0&ab_channel=TheFederalistSociety
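To make the multisig idea concrete, here is an added example (not KoingFu's code, and not the Uniswap or smartBCH code the post refers to) of a minimal M-of-N approval contract. The contract name `ThresholdAdmin`, the `propose`/`approve`/`execute` functions and the threshold parameters are all hypothetical. Privileged calls (for instance changing a fee setting on a DEX factory) are routed through it, so no single key holder can execute them alone; a proposal only runs once `threshold` distinct signers have approved it.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// Hypothetical M-of-N multisig gate for privileged contract calls.
/// Added example, not the project's own code.
contract ThresholdAdmin {
    address[] public signers;
    mapping(address => bool) public isSigner;
    uint256 public immutable threshold; // M in "M of N"

    struct Proposal {
        address target;      // contract to call once approved
        bytes data;          // ABI-encoded call
        uint256 approvals;   // number of distinct signers who approved
        bool executed;
        mapping(address => bool) approved; // prevents double counting
    }

    uint256 public proposalCount;
    mapping(uint256 => Proposal) private proposals;

    event Proposed(uint256 indexed id, address indexed target);
    event Approved(uint256 indexed id, address indexed signer);
    event Executed(uint256 indexed id);

    constructor(address[] memory _signers, uint256 _threshold) {
        require(_signers.length > 0, "no signers");
        require(_threshold > 0 && _threshold <= _signers.length, "bad threshold");
        for (uint256 i = 0; i < _signers.length; i++) {
            address s = _signers[i];
            require(s != address(0) && !isSigner[s], "zero or duplicate signer");
            isSigner[s] = true;
            signers.push(s);
        }
        threshold = _threshold;
    }

    modifier onlySigner() {
        require(isSigner[msg.sender], "not a signer");
        _;
    }

    /// Register a privileged call; the proposer's own approval counts as one.
    function propose(address target, bytes calldata data) external onlySigner returns (uint256 id) {
        id = proposalCount++;
        Proposal storage p = proposals[id];
        p.target = target;
        p.data = data;
        emit Proposed(id, target);
        approve(id);
    }

    /// Each signer may approve a given proposal only once.
    function approve(uint256 id) public onlySigner {
        require(id < proposalCount, "no such proposal");
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(!p.approved[msg.sender], "already approved");
        p.approved[msg.sender] = true;
        p.approvals += 1;
        emit Approved(id, msg.sender);
    }

    /// Runs the call only when the threshold of distinct approvals is met.
    function execute(uint256 id) external onlySigner {
        require(id < proposalCount, "no such proposal");
        Proposal storage p = proposals[id];
        require(!p.executed, "already executed");
        require(p.approvals >= threshold, "threshold not met");
        p.executed = true; // mark before the external call (checks-effects-interactions)
        (bool ok, ) = p.target.call(p.data);
        require(ok, "call failed");
        emit Executed(id);
    }

    function approvalsOf(uint256 id) external view returns (uint256) {
        return proposals[id].approvals;
    }
}
```

Deployed with three signer addresses held by three different people and `threshold = 2`, a single leaked or stolen key can propose and approve but cannot execute anything on its own; the `approved` mapping also stops one signer from reaching the threshold by approving twice. The target contract should have this multisig address, not an individual wallet, as its owner or admin.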

4.- Bug bounty program. Even with all the previous work there is still the possibility of vulnerabilities in code and infrastructure; by creating an incentive for hackers to alert us to attack vectors and vulnerabilities we can mitigate any remaining issues before they become a problem. We are setting aside 10% of our Flipstarter funds for this.

Every smart contract team gets only one chance at getting security right and maintaining the trust of the community. We are putting a great deal of effort into making sure that people's funds are always safe. This is a BIG challenge as we are still in the early days of decentralized computing, but we are ready to take on this challenge!

We will soon officially announce our Flipstarter (we are waiting for the SmartBCH Bridge announcement first)! It is already online at http://flipstarter.koingfu.com , and the funds we get will help us pay the costs of our security framework. If you can, please consider making a donation. As part of our Flipstarter, we are giving away the Ki token! You can find more details on it on our Telegram channel: https://t.me/koingfu . Please keep in mind before submitting to our Flipstarter that you are making a DONATION and that the Ki token may not receive any value. Please do not make a donation with the expectation of making a profit with the Ki token. We will include more details of our project and the Ki token in our official announcement. Thank you!

Some more information on what we are working on:

Let's talk about Bridges.- https://www.reddit.com/r/btc/comments/osynga/lets_talk_about_bridges/

Let's talk about DAOs.- https://www.reddit.com/r/btc/comments/oyrgxi/lets_talk_about_daos/

submitted by /u/estebansaa

source https://www.reddit.com/r/btc/comments/p6dr02/lets_talk_about_security/
