Best Practices for BNB Chain Project Security

This article has been contributed by Salus Security, a portfolio company of Binance Labs.

The decentralized nature of Web3 technology, coupled with high-value transactions, makes security a critical aspect of any Web3 project. Hiring a reputable Web3 security team to conduct a security audit is only a short-term stop-gap. It is essential for BNB Chain’s project teams to establish their own security systems and follow best practices throughout the project’s lifecycle (namely, development, pre-audit, pre-launch, post-launch), to ensure ongoing security.

Best Practices During Development

Developing a Web3 project with security in mind from the outset can save significant human and financial resources in the long run. If security issues are discovered in the later stages of development, it could lead to additional workload for auditors, potential delays in launching the project, and costly remediation efforts. Therefore, it is essential for developers to have a fundamental understanding of security principles, which includes smart contract development, testing, and Web2 development.

Smart Contract Security Coding Recommendations

Smart contract security is crucial in Web3 projects. Ignoring security concerns or failing to prioritize security awareness during smart contract development can lead to significant setbacks, increased costs, and even complete project failure. We have prepared a cheat sheet to support you in developing a secure and dependable smart contract.

• Use the latest major version of Solidity, which contains fixes for known vulnerabilities.
• Using well-known libraries as much as possible can provide more security and a smaller audit scope, saving you money.
• Make sure to check the return value of external calls correctly, including transfer, transferFrom, send, call, delegatecall, etc.
• Use events to record the critical parameters change in privileged functions. This will help with security monitoring and emergency responses, as events can be used to track the changes.
• Use the Checks-Effects-Interactions pattern or reentrancy guards where possible to prevent reentrancy attacks. Treat all token and ether transfers as interactions.
• Ensure that the logic involved in arithmetic operations in the code fully considers the precision problem, avoiding the possibility of precision loss caused by rounding down.
• Use Chainlink VRF to obtain reliable randomness instead of using on-chain block data as a seed source.
• Avoid getting prices (or any sort of data) from any single source, as this can be easily manipulated using flash loans. One option is to retrieve from decentralized oracles.
• Avoid using long or unbounded loops to access storage variables to reduce gas costs and transaction fees.
• Name your functions and systems succinctly, which will greatly help others understand your code. It is suggested to follow the Solidity style guide.
• Reserve the switch for the emergency suspension of the global and core business to stop losses in time.

Testing Recommendations

Even if coding recommendations are followed, testing smart contracts is necessary to identify vulnerabilities before launching and to prevent significant financial losses. It ensures that the smart contract functions as intended, validates its security features, and verifies its compliance with business requirements. The following recommendations for comprehensive smart contract testing will help catch basic mistakes and improve the quality of your project.

• The unit test coverage rate should be close to 100% and the core code coverage rate must reach 100%.
• Include business process and function functional usability testing.
• Perform preliminary checks on the project code to quickly identify and resolve common vulnerabilities and errors by running an automated analysis tool. Salus provides an automated vulnerability detection service which makes the analysis easier and more efficient.

Web Front-End and Back-End Security Recommendations

While smart contracts are a critical part of a Web3 project, the Web2 components are equally important and also need to be secured properly. Even if the smart contract is free of vulnerabilities, neglecting security measures in Web2 components can still cause financial damage. Many best practices can be borrowed from Web2 applications, but there are some unique security considerations for Web3 projects.

Regularly conducting security tests on projects with professional institutions is needed for both Web2 and Web3 projects. However, traditional penetration testing techniques used for Web2 projects may not be sufficient for Web3 projects due to their unique architecture and decentralized nature. Salus offers Web3 penetration testing, which uncovers vulnerabilities in your network, applications and cloud services. It also focuses on middleware security and anti-tampering issues in the parts of your application where web2 and blockchain interact.

Pre-Audit Self-Checklist

The audit process is an important part of the Web3 project, especially for smart contracts, which are frequently targeted by attackers due to the significant amounts of money that can be transferred through them. However, audits are expensive, time-consuming and need to be scheduled months in advance.

We have organized a free checklist for you to make the most out of such services. Completing this checklist helps ensure a codebase ready for outside review and allows auditors to focus their time and attention on identifying deeper, more critical vulnerabilities.

• Halt the development of the contract code or provide a commit hash for the audit to target.
• Ensure contracts compile with no errors or warnings.
• Verify that all tests pass.
• Keep your code clean. Remove/edit old comments, unused functions, etc.
• All functions and parameters should be well-annotated.
• Any public function that can be made external should be made external. This is not only a gas consideration but also reduces the cognitive overhead for auditors.
• Document the use of unchecked, describing in detail why it’s safe to forego arithmetic checks.
• Make a list of the code blocks that you would like to emphasize for auditors.

It is essential to pre-screen the security team you intend to hire for your audit. Firstly, conduct thorough research on security incidents in your project’s field. Then compare the security firm’s audit reports with those of their competitors.

Let the audit results (vulnerabilities detected, compliance validation, post-audit recommendations) speak to the quality of their service. Finally, reach out to past clients to verify the process and the security team’s professionalism.

Pre-Launch Security Checklist

After completing the development and audit phases, your team should make sure they have taken the necessary security steps before launching the project.

• Respond to all recommended changes in the audit report.
• Consider getting a second audit after making the changes if the project received a large number of recommended changes.
• Set up a bug bounty program. Bug bounty platforms can help coordinate project teams in setting up bug bounty programs, such as code4rena, Immunefi, BugRap or HackenProof.
• Set up monitoring and alerting.
• Create an incident response plan.
• Prepare emergency action scripts to pause contracts in the event of an exploit.

Post-Launch Risk Monitoring & Emergency Response

Once a Web3 project is live, real-time monitoring is necessary to ensure that it continues to operate securely and efficiently. Additionally, having a well-prepared emergency response plan in place can greatly minimize the impact of security incidents and maintain user confidence in the project.

Runtime Security Monitoring

Risk monitoring allows for the early detection of security incidents, which enables project teams to respond quickly and mitigate the impact of the incident.

• Try to discover security problems through the events triggered by key processes.
• Often, reconciling events and transactions on the blockchain can help detect potential issues with business logic.

Emergency Response

Follow the recommendations below to create a well-executed emergency response plan. This plan is vital for responding to unexpected events and for mitigating damages.

• Stop the loss through the emergency pause switch according to the scope and the severity of the problem.
• Notify users and update regularly as meaningful new information or developments become available.
• Take a snapshot of the server in time to keep the hacked scene.
• Review exploit transactions to identify vulnerabilities and discuss the best fixes with a professional security team.
• Draft and post a full public post mortem. The post mortem needs to highlight the root cause and the scope of the problem, the specific loss, the problem repair progress, the tracking of the hacker and other related discoveries.
• Prepare the patch, following deployment best practices.
• Deploy the patch when ready.

As the Web3 ecosystem continues to evolve, security will remain a critical issue. Project teams should stay informed about the latest security threats and best practices, and be prepared to adapt their security measures accordingly. By following the best practices listed in this article, we hope that project teams can strengthen their security capabilities to protect their project and users from potential security risks.

About Salus Security

Salus Security is a well-rounded blockchain security company, providing services such as automated smart contract audits and vulnerability detection. The team is experienced in both traditional and blockchain security, and aims to make security services accessible for all.

For more information, follow Salus Security on Twitter.

About Binance Labs

As the venture capital arm and accelerator of Binance, Binance Labs has now grown to be worth over $9 billion. Its portfolio covers 200 projects from over 25 countries across 6 continents and has an over 10X rate of return on investments. Fifty of Binance Labs’ portfolio companies have been projects that had gone through our incubation programs.

For more information, follow Binance Labs on Twitter.