Prevention Policies for Platforms

From Quadriga Initiative Cryptocurrency Hacks, Scams, and Frauds Repository
Revision as of 23:32, 9 April 2023 by Azoundria (talk | contribs) (Crosslinking.)
Jump to navigation Jump to search

Below is a list of prevention policies for platforms such as wallet providers, cryptocurrency exchanges, or other financial services. Each of these policies is a standard template which can be included in the applicable case studies. We also have Prevention Policies for Individuals and Prevention Policies for Regulators.

To add a template to an article's Prevention section, select Insert > Template and Type "Prevention:Platforms:" followed by the title below.

Implement Multi-Signature

All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.

Cryptocurrency Safety Quiz

Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.

Supply Chain Assessment

All points along the communication and supply chain should be inspected for vulnerabilities. Common vulnerability points may include DNS, Discord, and customer information. What steps are required to access and/or modify the component? Do any third party companies or organizations implement a proper multi-signature approach? What additional security options are available?