0x102-G2-Policies-procedures.md

File metadata and controls

46 lines (34 loc) · 3.05 KB

# G2: Policies and procedures

## Control Objective

This category covers policies and procedures in the context of the security of DeFi projects. Think through the situations that may arise and be prepared for them before they happen. Act consciously and efficiently, following a well-thought-out strategy rather than improvising under pressure.

Ensure that your project satisfies the following high-level requirements:

- Security procedures and policies are thought out and ready to use,
- Procedures and policies cover known and common threats that have affected other DeFi projects in the past,
- Employees are familiar with the policies and procedures, and they know what they are responsible for.

Category "G2" lists requirements related to policies and procedures in the context of the security of DeFi projects.

## Security Verification Requirements

| # | Description |
| --- | --- |
| G2.1 | Verify that the system's security is under constant monitoring (e.g. the expected level of funds). |
| G2.2 | Verify that there is a policy to track new security bugs and to update the libraries to the latest secure version. |
| G2.3 | Verify that the contact to the security department is publicly disclosed and the procedure for handling reported bugs (e.g. through a bug bounty platform) is defined. |
| G2.4 | Verify that the process prior to adding new components to the system is defined. |
| G2.5 | Verify that the process of major system changes involves threat modeling by an external company. |
| G2.6 | Verify that the process of adding and updating components to the system includes a security audit by an external company. |
| G2.7 | Verify that there is a clear and known procedure in place in the event of a hack. |
| G2.8 | Verify that the procedure in the event of a hack has defined individuals to execute the required actions. |
| G2.9 | Verify that the procedure includes alerting other projects about the hack through trusted channels. |
| G2.10 | Verify that a procedure is defined in case one of the project's private keys is leaked. |
| G2.11 | Verify that the project has an emergency contact with the external company that conducted the last audit. |
| G2.12 | Verify that the team monitors and is notified about large TVL changes. |
| G2.13 | Verify that the team monitors and is notified about multisig transactions. |
| G2.14 | Verify that the team monitors and is notified about new governance votes. |
| G2.15 | Verify that frontline employees are trained for emergency situations and know what to do, as they will be the ones the community approaches with questions. |
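As an added example that is not part of the SCSVS text, the following Python sketch turns the monitoring requirements G2.1 and G2.12 to G2.14 into concrete detection rules run over constructed on-chain observations. The event names, thresholds and sample data are assumptions for illustration, not a real protocol's ABI or alerting setup.

```python
"""Added example: alerting rules for SCSVS G2.1 and G2.12-G2.14 over
constructed per-block observations (expected-funds band, large TVL
swings, multisig executions, new governance proposals)."""
from dataclasses import dataclass
from typing import List, Sequence, Tuple


@dataclass(frozen=True)
class Observation:
    block: int
    tvl_usd: float
    events: Tuple[str, ...] = ()  # constructed event names, not a real ABI


@dataclass(frozen=True)
class Alert:
    block: int
    rule: str
    detail: str


# Hypothetical event names mapped to the requirement they serve.
WATCHED_EVENTS = {
    "MultisigExecuted": "G2.13 multisig transaction",
    "ProposalCreated": "G2.14 governance vote",
}


def monitor(observations: Sequence[Observation], expected_tvl: float,
            tolerance: float = 0.20, max_step_change: float = 0.10) -> List[Alert]:
    """Return alerts in block order; thresholds are assumed tuning values."""
    alerts: List[Alert] = []
    prev = None
    for obs in observations:
        # G2.1: funds drift outside the expected band around expected_tvl.
        if abs(obs.tvl_usd - expected_tvl) / expected_tvl > tolerance:
            alerts.append(Alert(obs.block, "G2.1 expected funds",
                                f"TVL {obs.tvl_usd:,.0f} outside +/-{tolerance:.0%} of {expected_tvl:,.0f}"))
        # G2.12: large relative change since the previous observation.
        if prev is not None and prev.tvl_usd > 0:
            change = (obs.tvl_usd - prev.tvl_usd) / prev.tvl_usd
            if abs(change) > max_step_change:
                alerts.append(Alert(obs.block, "G2.12 large TVL change",
                                    f"{change:+.1%} since block {prev.block}"))
        # G2.13 / G2.14: every watched event is surfaced to the team.
        for ev in obs.events:
            if ev in WATCHED_EVENTS:
                alerts.append(Alert(obs.block, WATCHED_EVENTS[ev], ev))
        prev = obs
    return alerts


# Constructed sample: a sudden 30% outflow right after a governance proposal.
SAMPLE = [
    Observation(1, 10_000_000.0),
    Observation(2, 9_950_000.0, ("MultisigExecuted",)),
    Observation(3, 7_000_000.0, ("ProposalCreated",)),
    Observation(4, 6_900_000.0),
]
```

Running `monitor(SAMPLE, expected_tvl=10_000_000)` yields one alert for block 2 and four more for blocks 3 and 4, which is the kind of signal the G2.7 hack procedure should be wired to receive.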

## References

For more information, see also:

## Security consultation

Consult your policies with the SCSVS authors. Contact a specialist.