Prevention Policies for Platforms
Below is a list of prevention policies for platforms such as wallet providers, cryptocurrency exchanges, or other financial services. Each of these policies is a standard template which can be included in the applicable case studies. We also have Prevention Policies for Individuals and Prevention Policies for Regulators.
To add a template to an article's Prevention section, select Insert > Template and Type "Prevention:Platforms:" followed by the title below. You can also use "Prevention:Platforms:No Platform Funds Lost" if no platform funds were lost.
Regular Audit Procedures
All aspects of any platform should undergo a regular validation/inspection by experts. This validation should include a security audit of any smart contracts, reporting any risks to the backing (of any customer assets, ensuring treasuries or minting functions are properly secured under the control of a multi-signature wallet, and finding any inadequacies in the level of training or integrity of the team. The recommended interval is twice prior to launch or significant system upgrade, once after 3 months, and every 6 months thereafter. It is recommended that the third party performing the inspection not be repeated within a 14 month period.
Implement Multi-Signature
All wallets, minting functions, and critical infrastructure should be implemented with a multi-signature requirement, with a recommended minimum of 3 signatures required. This means that making important changes or approving spending will require the keys held by at least 3 separate individuals within the organization to approve. The multi-signature should be implemented at the lowest layer possible, all key holders should have security training, and all key holders should be empowered and encouraged to exercise diligence.
Cryptocurrency Safety Quiz
Never take for granted the limited knowledge of users of your service and their tendency to skip past provided information. It is recommended to design a simple tutorial and quiz for new users which explains the basics of seed phrases, strong password generation, secure two-factor authentication, common fraud schemes, how ponzi schemes work, as well as other risks which are unique to the cryptocurrency space. This tutorial and quiz should ensure their understanding and be a standard part of the sign-up or download process which is difficult or impossible to skip.
Supply Chain Assessment
All points along the communication and supply chain should be inspected for vulnerabilities. Common vulnerability points may include DNS, Discord, and customer information. What steps are required to access and/or modify the component? Do any third party companies or organizations implement a proper multi-signature approach? What additional security options are available?
Establish Industry Insurance Fund
Work with other industry platforms to set up a multi-signature wallet with private keys held separately by delegate signatories from seven prominent platforms and services within the industry. Establish requirements for contributions by all platforms and services, designed to be affordable for small platforms yet large enough to cover anticipated breach events. Any breach event can be brought forth by a member platform or a petition of 100 signatures for consideration by the delegate signatories. A vote of 4 or more delegate signatures is required to release any funds, which could partially or fully restore lost funds based on their assessment.
Avoid Large Cash Transactions
Keeping a large amount of cash in one area and improperly secured allows for theft to occur. The risk level can be minimized by reducing the amount of cash transferred at one time, performing the transfer in a more secure location, conducting the transaction with more individuals present, and retaining more identifying information about the counterparty. Alternatives with lower risk of physical theft such as credit, debit, or eTransfer should also be considered.