Sales

Walk-through: A Journey With Us to Secure Your Hyperledger Fabric Project

QuillAudits WhiteLabel Partnership Program

Walk-through: A Journey With Us to Secure Your Sui Smart Contract

Walk-through: A Journey With Us to Secure Your Polkadot Smart Contract

Walk-through: A Journey With Us to Secure Your Wallet

Pre-Launch Security Checklist for web3 Projects

Development-Process Checklist

Walk-through: A Journey With Us to Secure Your Starknet Smart Contract

Walk-through: A Journey With Us to Secure Your ZKSync Smart Contracts

Walk-through: A Journey With Us to Secure Your L1 Blockchain

Walk-through: A Journey With Us to Secure Your Smart Contracts

Walk-through: A Journey With Us to Assure Your Users and Gain the Trust You Deserve

Walk-through: A Journey With Us to Build Secure and Scalable Dapp Architecture

Walk-through: a journey with us to secure your dApp

Walk-through: a journey with us to secure Solana Smart Contracts.

Audit Readiness Checklist

QuillAudits Periodic On-Chain Analysis of your web3 Project

Miscellaneous

← Back to home

✓ Security Checklist for Pre-Launch (Web3)

📑 Smart Contract Security

<aside> <img src="/icons/info-alternate_blue.svg" alt="/icons/info-alternate_blue.svg" width="40px" /> Smart Contract security is crucial in web3 projects to ensure the integrity of decentralized applications and prevent exploits.

</aside>

• [ ] Conduct a thorough security audit of smart contracts using reputable audit firms.
• [ ] Implement proper access controls for smart contracts to prevent unauthorized access.
• [ ] Ensure that smart contract code is open-source and publicly available for review.
• [ ] Ensure that smart contract code follows industry-standard security practices like the OpenZeppelin library.
• [ ] Implement checks and balances for smart contract upgrades to prevent unauthorized modifications.

💳 Wallet Security

<aside> <img src="/icons/info-alternate_blue.svg" alt="/icons/info-alternate_blue.svg" width="40px" /> Wallet security is essential for protecting the private keys used to access digital assets and transact in web3 environments.

</aside>

• [ ] Provide clear instructions for users to secure their wallets and private keys.
• [ ] Recommend the use of hardware wallets for added security.
• [ ] Implement multi-signature functionality to require multiple approvals for transactions.
• [ ] Implement time-based withdrawal limits for wallets to prevent large withdrawals quickly.

🌐 Web3 API Security

<aside> <img src="/icons/info-alternate_blue.svg" alt="/icons/info-alternate_blue.svg" width="40px" /> Web3 API security is necessary to prevent unauthorized access to sensitive user data and ensure the confidentiality and integrity of interactions with decentralized applications.

</aside>

• [ ] Implement rate limiting to prevent DDoS attacks on the API.
• [ ] Implement API authentication and authorization to prevent unauthorized access.
• [ ] Implement encryption for all data in transit using HTTPS.
• [ ] Implement input validation and sanitization to prevent injection attacks.

CI/CD Pipeline Implementation

• [ ] Configure automated build system
• [ ] Set up linting and code formatting checks
• [ ] Implement static code analysis tools (Slither, QuillShield)
• [ ] Configure automated unit and integration testing
• [ ] Set up gas usage reports and monitoring
• [ ] Implement code coverage reports
• [ ] Configure deployment to test networks
• [ ] Set up notifications for build/test failures
• [ ] Implement contract verification automation
• [ ] Configure security scanning for dependencies

🗃️ Node and Infrastructure Security

<aside> <img src="/icons/info-alternate_blue.svg" alt="/icons/info-alternate_blue.svg" width="40px" /> Node and infrastructure security is vital to protect the underlying infrastructure and prevent attacks on the network and its participants.

</aside>

• [ ] Ensure that all infrastructure components are up-to-date with the latest security patches.
• [ ] Implement firewall rules to restrict access to the server to only necessary IP addresses or ranges.
• [ ] Implement secure communication protocols such as SSH and TLS for all infrastructure components.
• [ ] Implement proper access controls for all infrastructure components to prevent unauthorized access.

Maintain dedicated air-gapped hardware for deployments

• [ ] Use a clean OS installation for deployment machines
• [ ] Implement full disk encryption on deployment machines
• [ ] Install only required software on deployment machines
• [ ] Establish secure boot protocols and verified boot chains
• [ ] Use hardware wallets for all private key operations
• [ ] Configure hardware wallet with multi-signature requirements
• [ ] Store backup seeds/recovery phrases in secure locations (multiple physical vaults)
• [ ] Implement strict physical access controls for deployment environments
• [ ] Create secure network environment (isolated or airgapped network)
• [ ] Establish chain of custody procedures for deployment hardware
• [ ] Implement logging for all access to deployment environments
• [ ] Disable unnecessary I/O ports and wireless connections
• [ ] Regularly update firmware on hardware wallets
• [ ] Scan all devices for tampering before critical operations
• [ ] Use one-time deployment machines for critical projects when possible

Pre-Deployment Phase

• [ ] Create detailed deployment scripts
• [ ] Prepare constructor parameters and initial state
• [ ] Verify contract bytecode matches audited source code
• [ ] Test deployment scripts on testnets
• [ ] Document contract addresses on testnets
• [ ] Conduct user acceptance testing on testnet deployments
• [ ] Prepare formal documentation for deployment
• [ ] Create deployment runbook with contingency plans
• [ ] Set up monitoring infrastructure
• [ ] Prepare emergency response plan

Deployment Phase

• [ ] Execute final pre-deployment checklist
• [ ] Secure private keys for deployment
• [ ] Use multi-signature wallets for critical deployments
• [ ] Deploy contract through CI/CD pipeline or secure process
• [ ] Verify deployed bytecode against compiled bytecode
• [ ] Record deployed contract addresses and transaction hashes
• [ ] Verify contracts on block explorers
• [ ] Run post-deployment validation tests
• [ ] Initialize contract state if required
• [ ] Transfer ownership/admin roles to proper entities

Post-Deployment Phase

• [ ] Set up on-chain monitoring for contract events
• [ ] Implement alerting for anomalous activities
• [ ] Configure dashboards for contract metrics
• [ ] Archive deployment artifacts and documentation
• [ ] Conduct post-deployment security review
• [ ] Update documentation with production details
• [ ] Implement a bug bounty program
• [ ] Establish standard operating procedures for contract maintenance
• [ ] Create incident response playbooks
• [ ] Schedule regular security reviews and audits.

Upgrade Process (if applicable)

• [ ] Document upgrade requirements and procedures
• [ ] Develop upgrade contracts following the same process
• [ ] Test upgrades thoroughly on testnets
• [ ] Audit upgrade contracts and migration scripts
• [ ] Announce upgrade plans to users and stakeholders
• [ ] Execute upgrades in a controlled manner
• [ ] Verify upgrades were successful
• [ ] Update documentation and monitoring for new contracts

💽 Data Security and Privacy

<aside> <img src="/icons/info-alternate_blue.svg" alt="/icons/info-alternate_blue.svg" width="40px" /> Data security and privacy are critical to protect user information and prevent data breaches, especially given the decentralized nature of web3 applications.

</aside>