Start your day with intelligence. Get The OODA Daily Pulse.

A collaborative group of security researchers with Web3 expertise has produced a 12 question guide to the basics of Web3 security. This report captures those 12 questions and provides context around their optimal use. 

Blockchain technologies are central to the future of what is often referred to as Web3. Web3 represents the next evolution of the internet, characterized by decentralized and user-centric principles. It envisions a more open, privacy-focused, and user-controlled online environment that aims to address some of the limitations and challenges of the current centralized web (Web2).

These Web3 design principles are the foundation for digital-self sovereignty – which holds the potential to completely reframe the individual users relationship to privacy, ownership of personal data, as well as the long term and real-time personal digital footprint and “presence” we all generate online (which is currently devoid of any digital-self sovereignty, legal protections or inidividual agency relative to the vast amount of information available about every user on the network)

In our blockchain series, we have been exploring best in class case studies in a variety of industry sectors – exploring:

  1. How the blockchain has been successfully deployed to date; 
  2. Successful innovation, business models and value proposition designs which are exciting  – and point to the promise of the web3 infrasctructure based on blockchain technologies; and 
  3. Blockchain security which, of course, will also figure prominently in this web3 future. 

Last week, Circle announced the release of what will be a series of initiatives “aimed at preventing, mitigating, and responding to security exploits on-chain.” This announcement felt accessible yet robust – so we share it here as the inaugural post in our blockchain series dedicated to an analysis of the the implications of blockchain security on the web3 development workflow.  

The RektTest: 12 Questions to Guide Basic Principles for Web3 Security

“The intent of the Rekt Test is not to establish rigid benchmarks but to stimulate meaningful conversations about security in the blockchain community. Thus, consider this interpretation as a stepping stone in this critical dialogue.”

Earlier this year, Circle  joined a group of blockchain security and policy experts from across the industry to identify ways we can work together to help protect our customers and work with developers to prevent hacks and security exploits. 

We’re excited to join Anchorage Digital, Fireblocks, Immuenfi, Ribbit Capital, Solana Foundation and Trail of Bits in support of the RektTest, the first of a series of initiatives aimed at preventing, mitigating, and responding to security exploits on-chain. 

The RektTest is a simple, 12 question tool that blockchain projects and developers can use to assess their vulnerability based on industry best practices. Developers can use it to form an initial assessment and get a gut check on whether their project:

  • Is ready for launch
  • Contains basic safeguards against hackers and scammers
  • Complies with best practices for access control, custody and key management, and safety against other vectors for hacker exploits

The RektTest focuses on the simplest, most universally applicable security controls to help teams assess security posture and measure progress. The more an organization can answer “yes” to these questions, the more they can trust the quality of their operations. This is not a definitive checklist for blockchain security teams, but it’s a way to start an informed discussion about important security controls.

The landscape of blockchain technology is diverse, extending beyond blockchains to include decentralized protocols, wallets, custody systems, and more, each with unique security nuances. The subsequent explanations of the RektTest questions reflect the consensus of best practices agreed to by this group, and are by no means exhaustive or absolute. The intent of the Rekt Test is not to establish rigid benchmarks but to stimulate meaningful conversations about security in the blockchain community. Thus, consider this interpretation as a stepping stone in this critical dialogue. 

Can you pass the Rekt test?

“The Rekt Test focuses on the simplest, most universally applicable security controls to help teams assess security posture and measure progress.”

From the intro to the test: 

“One of the biggest challenges for blockchain developers is objectively assessing their security posture and measuring how it progresses. To address this issue, a working group of Web3 security experts, led by Trail of Bits CEO Dan Guido, met earlier this year to create a simple test for profiling the security of blockchain teams. We call it the Rekt Test.

The Rekt Test is modeled after The Joel Test. Developed 25 years ago by software developer Joel Spolsky, The Joel Test replaced a Byzantine process for determining the maturity and quality of a software team with 12 simple yes-or-no questions. The blockchain industry needs something similar because today’s complex guidance does more to frustrate than to inform.

The Rekt Test focuses on the simplest, most universally applicable security controls to help teams assess security posture and measure progress. The more an organization can answer “yes” to these questions, the more they can trust the quality of their operations. This is not a definitive checklist for blockchain security teams, but it’s a way to start an informed discussion about important security controls.

The 12 questions explored in the Rekt Test are:

  1. Do you have all actors, roles, and privileges documented?
  2. Do you keep documentation of all the external services, contracts, and oracles you rely on?
  3. Do you have a written and tested incident response plan?
  4. Do you document the best ways to attack your system?
  5. Do you perform identity verification and background checks on all employees?
  6. Do you have a team member with security defined in their role?
  7. Do you require hardware security keys for production systems?
  8. Does your key management system require multiple humans and physical steps?
  9. Do you define key invariants for your system and test them on every commit?
  10. Do you use the best automated tools to discover security issues in your code?
  11. Do you undergo external audits and maintain a vulnerability disclosure or bug bounty program?
  12. Have you considered and mitigated avenues for abusing users of your system?

OODA Assessment

Collaboration among defenders in the Web3 space is increasing and that is a good thing. OODA has been working with several cryptocurrency related projects and stands by to assist with meeting your needs, reach out for more information. 

What to Read Next

Tracking The Cryptocurrency Revolution: A guide to OODA Loop Research and Reporting on Bitcoin and Ethereum

What CEOs Need To Know About Bitcoin: Including potential new business models to consider

 

 

Daniel Pereira

About the Author

Daniel Pereira

Daniel Pereira is research director at OODA. He is a foresight strategist, creative technologist, and an information communication technology (ICT) and digital media researcher with 20+ years of experience directing public/private partnerships and strategic innovation initiatives.