├── SUMMARY.md
├── coding
│   ├── abi-encode-call.md
│   ├── adhere-to-eip-712.md
│   ├── avoid-arbitrary-external-calls.md
│   ├── avoid-low-level-calls.md
│   ├── avoid-unlimited-erc20-approvals.md
│   ├── avoid-vendoring.md
│   ├── careful-vetting-of-unchecked-blocks.md
│   ├── code-conservatism.md
│   ├── code-dependencies-security.md
│   ├── nft-front-running.md
│   ├── non-sequential-nonces.md
│   ├── plugin-for-safe-upgrades.md
│   ├── reentrancy-guards.md
│   ├── revert-return-early.md
│   ├── revert-vs-return.md
│   ├── round-in-favor-of-protocol.md
│   ├── safe-cast-library.md
│   ├── safe-erc20-library.md
│   ├── security-driven-development.md
│   ├── security-oriented-ci.md
│   ├── unstructured-storage.md
│   ├── use-cryptographic-libs.md
│   ├── use-spell-checker.md
│   ├── use-up-to-date-compiler-version.md
│   └── vetting-process-for-external-tokens.md
├── deployment
│   ├── bug-bounty.md
│   ├── never-deploy-without-review.md
│   ├── post-deployment-verification.md
│   └── soft-launch.md
├── design
│   ├── actor-based-threat-modeling.md
│   ├── circuit-breakers.md
│   ├── core-periphery-design.md
│   ├── funds-isolation.md
│   ├── global-registry.md
│   ├── gradual-immutability-path.md
│   ├── least-privilege.md
│   └── rbac.md
├── emergency-response
│   ├── handling-security-incident.md
│   └── post-incident-actions.md
├── gitbook-README.md
├── ongoing-operations
│   ├── credential-stuffing.md
│   ├── denial-of-service.md
│   ├── head-of-security.md
│   ├── periodic-permissions-revocation.md
│   ├── personnel-security.md
│   ├── phishing-attacks.md
│   ├── regression-tests-for-vulns.md
│   ├── secured-treasury.md
│   ├── securing-daos.md
│   ├── securing-privileged-accounts.md
│   ├── security-council.md
│   ├── sim-swapping.md
│   ├── social-media-takeovers.md
│   └── web3soc-review.md
├── ongoing-upgrades
│   ├── handling-comms-upgrade.md
│   ├── handling-migrations.md
│   ├── key-considerations-upgrade-reviews.md
│   ├── prevent-regression-bugs.md
│   └── upgrade-backwards-compatibillity.md
├── pre-deployment
│   ├── configuration-risk-management.md
│   ├── dns-poisioning.md
│   ├── establish-contingency-plan.md
│   ├── external-security-reviews.md
│   ├── importance-of-code-freeze-before-an-external-review.md
│   ├── importance-of-code-freeze-before-deployment.md
│   ├── internal-security-reviews.md
│   ├── monitoring-security-rules.md
│   ├── setting-the-mainnet-deployment-date.md
│   ├── solvency-audit.md
│   ├── tailor-made-security-rules.md
│   ├── types-of-security-reviews.md
│   └── web2-security-reviews.md
└── testing
    ├── e2e-tests-testnet.md
    ├── fork-tests.md
    ├── fuzzing-tests.md
    ├── integration-tests.md
    ├── optimize-test-coverage.md
    └── unit-tests.md

/SUMMARY.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/SUMMARY.md

/coding/abi-encode-call.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/abi-encode-call.md

/coding/adhere-to-eip-712.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/adhere-to-eip-712.md

/coding/avoid-arbitrary-external-calls.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/avoid-arbitrary-external-calls.md

/coding/avoid-low-level-calls.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/avoid-low-level-calls.md

/coding/avoid-unlimited-erc20-approvals.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/avoid-unlimited-erc20-approvals.md

/coding/avoid-vendoring.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/avoid-vendoring.md

/coding/careful-vetting-of-unchecked-blocks.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/careful-vetting-of-unchecked-blocks.md

/coding/code-conservatism.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/code-conservatism.md

/coding/code-dependencies-security.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/code-dependencies-security.md

/coding/nft-front-running.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/nft-front-running.md

/coding/non-sequential-nonces.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/non-sequential-nonces.md

/coding/plugin-for-safe-upgrades.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/plugin-for-safe-upgrades.md

/coding/reentrancy-guards.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/reentrancy-guards.md

/coding/revert-return-early.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/revert-return-early.md

/coding/revert-vs-return.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/revert-vs-return.md

/coding/round-in-favor-of-protocol.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/round-in-favor-of-protocol.md

/coding/safe-cast-library.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/safe-cast-library.md

/coding/safe-erc20-library.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/safe-erc20-library.md

/coding/security-driven-development.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/security-driven-development.md

/coding/security-oriented-ci.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/security-oriented-ci.md

/coding/unstructured-storage.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/unstructured-storage.md

/coding/use-cryptographic-libs.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/use-cryptographic-libs.md

/coding/use-spell-checker.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/use-spell-checker.md

/coding/use-up-to-date-compiler-version.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/use-up-to-date-compiler-version.md

/coding/vetting-process-for-external-tokens.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/coding/vetting-process-for-external-tokens.md

/deployment/bug-bounty.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/deployment/bug-bounty.md

/deployment/never-deploy-without-review.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/deployment/never-deploy-without-review.md

/deployment/post-deployment-verification.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/deployment/post-deployment-verification.md

/deployment/soft-launch.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/deployment/soft-launch.md

/design/actor-based-threat-modeling.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/design/actor-based-threat-modeling.md

/design/circuit-breakers.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/design/circuit-breakers.md

/design/core-periphery-design.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/design/core-periphery-design.md

/design/funds-isolation.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/design/funds-isolation.md

/design/global-registry.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/design/global-registry.md

/design/gradual-immutability-path.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/design/gradual-immutability-path.md

/design/least-privilege.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/design/least-privilege.md

/design/rbac.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/design/rbac.md

/emergency-response/handling-security-incident.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/emergency-response/handling-security-incident.md

/emergency-response/post-incident-actions.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/emergency-response/post-incident-actions.md

/gitbook-README.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/gitbook-README.md

/ongoing-operations/credential-stuffing.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/credential-stuffing.md

/ongoing-operations/denial-of-service.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/denial-of-service.md

/ongoing-operations/head-of-security.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/head-of-security.md

/ongoing-operations/periodic-permissions-revocation.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/periodic-permissions-revocation.md

/ongoing-operations/personnel-security.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/personnel-security.md

/ongoing-operations/phishing-attacks.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/phishing-attacks.md

/ongoing-operations/regression-tests-for-vulns.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/regression-tests-for-vulns.md

/ongoing-operations/secured-treasury.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/secured-treasury.md

/ongoing-operations/securing-daos.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/securing-daos.md

/ongoing-operations/securing-privileged-accounts.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/securing-privileged-accounts.md

/ongoing-operations/security-council.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/security-council.md

/ongoing-operations/sim-swapping.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/sim-swapping.md

/ongoing-operations/social-media-takeovers.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/social-media-takeovers.md

/ongoing-operations/web3soc-review.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-operations/web3soc-review.md

/ongoing-upgrades/handling-comms-upgrade.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-upgrades/handling-comms-upgrade.md

/ongoing-upgrades/handling-migrations.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-upgrades/handling-migrations.md

/ongoing-upgrades/key-considerations-upgrade-reviews.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-upgrades/key-considerations-upgrade-reviews.md

/ongoing-upgrades/prevent-regression-bugs.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-upgrades/prevent-regression-bugs.md

/ongoing-upgrades/upgrade-backwards-compatibillity.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/ongoing-upgrades/upgrade-backwards-compatibillity.md

/pre-deployment/configuration-risk-management.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/pre-deployment/configuration-risk-management.md

/pre-deployment/dns-poisioning.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/pre-deployment/dns-poisioning.md

/pre-deployment/establish-contingency-plan.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/pre-deployment/establish-contingency-plan.md

/pre-deployment/external-security-reviews.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/pre-deployment/external-security-reviews.md

/pre-deployment/importance-of-code-freeze-before-an-external-review.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/pre-deployment/importance-of-code-freeze-before-an-external-review.md

/pre-deployment/importance-of-code-freeze-before-deployment.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/pre-deployment/importance-of-code-freeze-before-deployment.md

/pre-deployment/internal-security-reviews.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/pre-deployment/internal-security-reviews.md

/pre-deployment/monitoring-security-rules.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/pre-deployment/monitoring-security-rules.md

/pre-deployment/setting-the-mainnet-deployment-date.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/pre-deployment/setting-the-mainnet-deployment-date.md

/pre-deployment/solvency-audit.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/pre-deployment/solvency-audit.md

/pre-deployment/tailor-made-security-rules.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/pre-deployment/tailor-made-security-rules.md

/pre-deployment/types-of-security-reviews.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/pre-deployment/types-of-security-reviews.md

/pre-deployment/web2-security-reviews.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/pre-deployment/web2-security-reviews.md

/testing/e2e-tests-testnet.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/testing/e2e-tests-testnet.md

/testing/fork-tests.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/testing/fork-tests.md

/testing/fuzzing-tests.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/testing/fuzzing-tests.md

/testing/integration-tests.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/testing/integration-tests.md

/testing/optimize-test-coverage.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/testing/optimize-test-coverage.md

/testing/unit-tests.md:
https://raw.githubusercontent.com/optimumsec/the-complete-guide-to-securing-web3-projects/HEAD/testing/unit-tests.md