7.6 KiB
7.6 KiB
🔐 Security Best Practices
Comprehensive security checklist for DeFi integration.
🛡️ General Security Principles
🔒 1. Access Control
- ✅ Use access control modifiers for sensitive functions
- ✅ Implement owner/admin roles properly
- ✅ Never hardcode private keys or mnemonics
- ✅ Use environment variables for sensitive data
✅ 2. Input Validation
- ✅ Validate all user inputs
- ✅ Check for zero addresses
- ✅ Validate amounts (no zero, no overflow)
- ✅ Check token decimals
🔄 3. Reentrancy Protection
- ✅ Use ReentrancyGuard for external calls
- ✅ Follow checks-effects-interactions pattern
- ✅ Be extra careful with flash loans
⚠️ 4. Error Handling
- ✅ Use require/assert appropriately
- ✅ Provide clear error messages
- ✅ Handle edge cases
- ✅ Test error conditions
🏦 Protocol-Specific Security
🏦 Aave v3
⚡ Flash Loans
| Check | Status | Description |
|---|---|---|
| ⚠️ Critical | ✅ | Always repay flash loan + premium in executeOperation |
| ⚠️ Critical | ✅ | Verify msg.sender == pool in executeOperation |
| ⚠️ Critical | ✅ | Verify initiator == address(this) in executeOperation |
| ✅ | ✅ | Calculate premium correctly: amount + premium |
| ✅ | ✅ | Handle multi-asset flash loans carefully |
| ✅ | ✅ | Test repayment failure scenarios |
💰 Interest Rate Modes
| Check | Status | Description |
|---|---|---|
| ⚠️ Deprecated | ✅ | Stable rate borrowing is deprecated in v3.3+ |
| ✅ | ✅ | Always use variable rate (mode = 2) for new integrations |
| ✅ | ✅ | Understand interest rate risks |
🛡️ Collateral Management
- ✅ Check liquidation thresholds
- ✅ Monitor health factor
- ✅ Handle eMode/isolation mode restrictions
- ✅ Verify collateral can be enabled
🔄 Uniswap v3
🛡️ Slippage Protection
| Check | Status | Description |
|---|---|---|
| ⚠️ Critical | ✅ | Always set amountOutMinimum with slippage tolerance |
| ✅ | ✅ | Use TWAP oracles, not spot prices |
| ✅ | ✅ | Account for price impact in large swaps |
| ✅ | ✅ | Consider using UniswapX for better execution |
🔮 Oracle Security
| Check | Status | Description |
|---|---|---|
| ⚠️ Critical | ✅ | Never use spot prices for critical operations |
| ✅ | ✅ | Use TWAP with sufficient observation window |
| ✅ | ✅ | Verify observation cardinality |
| ✅ | ✅ | Protect against oracle manipulation |
🔐 Permit2
- ✅ Verify signature validity
- ✅ Check expiration (deadline)
- ✅ Verify nonce (prevent replay)
- ✅ Protect against signature theft (verify spender)
🔗 Protocolink
✅ Route Validation
- ✅ Verify all logics in the route
- ✅ Check token addresses
- ✅ Validate amounts
- ✅ Verify slippage settings
⚡ Execution
- ✅ Check gas estimates
- ✅ Handle execution failures
- ✅ Verify router address
- ✅ Monitor transaction status
🏛️ Compound III
💰 Borrowing
| Check | Status | Description |
|---|---|---|
| ⚠️ Important | ✅ | Understand base asset vs collateral |
| ✅ | ✅ | Check borrow limits |
| ✅ | ✅ | Monitor collateral ratio |
| ✅ | ✅ | Handle liquidation risks |
📜 Smart Contract Security
⚡ Flash Loan Receivers
// ✅ Good: Verify caller and initiator
function executeOperation(
address asset,
uint256 amount,
uint256 premium,
address initiator,
bytes calldata params
) external override returns (bool) {
require(msg.sender == address(pool), "Invalid caller");
require(initiator == address(this), "Invalid initiator");
// Your logic here
// ✅ Good: Approve repayment
IERC20(asset).approve(address(pool), amount + premium);
return true;
}
🔄 Reentrancy Protection
// ✅ Good: Use ReentrancyGuard
import "@openzeppelin/contracts/security/ReentrancyGuard.sol";
contract MyContract is ReentrancyGuard {
function withdraw() external nonReentrant {
// Safe withdrawal logic
}
}
🔒 Access Control
// ✅ Good: Use access control
import "@openzeppelin/contracts/access/Ownable.sol";
contract MyContract is Ownable {
function sensitiveFunction() external onlyOwner {
// Owner-only logic
}
}
🧪 Testing Security
🧪 Foundry Tests
- ✅ Test all edge cases
- ✅ Test error conditions
- ✅ Test reentrancy attacks
- ✅ Test flash loan scenarios
- ✅ Test with fork tests
- ✅ Test gas limits
📊 Test Coverage
- ✅ Unit tests for all functions
- ✅ Integration tests
- ✅ Fork tests on mainnet
- ✅ Fuzz tests for inputs
- ✅ Invariant tests
🚀 Deployment Security
🔍 Pre-Deployment
- ✅ Get professional security audit
- ✅ Review all dependencies
- ✅ Test on testnets extensively
- ✅ Verify all addresses
- ✅ Check contract sizes
🔐 Post-Deployment
- ✅ Monitor transactions
- ✅ Set up alerts
- ✅ Keep private keys secure
- ✅ Use multisig for admin functions
- ✅ Have an emergency pause mechanism
⚠️ Common Vulnerabilities
1. Reentrancy
❌ Bad: External call before state update
function withdraw() external {
msg.sender.call{value: balance}("");
balance = 0; // Too late!
}
✅ Good: State update before external call
function withdraw() external nonReentrant {
uint256 amount = balance;
balance = 0;
msg.sender.call{value: amount}("");
}
2. Integer Overflow
❌ Bad: No overflow protection
uint256 total = amount1 + amount2;
✅ Good: Use SafeMath or Solidity 0.8+
uint256 total = amount1 + amount2; // Safe in Solidity 0.8+
3. Access Control
❌ Bad: No access control
function withdraw() external {
// Anyone can call
}
✅ Good: Proper access control
function withdraw() external onlyOwner {
// Only owner can call
}
🔗 Resources
| Resource | Link |
|---|---|
| OpenZeppelin Security | docs.openzeppelin.com |
| Consensys Best Practices | consensys.github.io |
| Aave Security | docs.aave.com |
| Uniswap Security | docs.uniswap.org |
✅ Security Audit Checklist
Before deploying to production:
- 🔍 Professional security audit completed
- 📦 All dependencies reviewed
- 🔒 Access control implemented
- 🔄 Reentrancy protection added
- ✅ Input validation implemented
- ⚠️ Error handling comprehensive
- 🧪 Tests cover edge cases
- ⛽ Gas optimization reviewed
- ⏸️ Emergency pause mechanism
- 👥 Multisig for admin functions
- 📊 Monitoring and alerts set up
🚨 Reporting Security Issues
If you discover a security vulnerability, please report it responsibly:
- ⛔ DO NOT open a public issue
- 📧 Email security details to the maintainers
- ⏰ Allow time for the issue to be addressed
- 🔒 Follow responsible disclosure practices
⚠️ Disclaimer
This security guide is for educational purposes. Always get professional security audits before deploying to production.