strategic/docs/SECURITY_BEST_PRACTICES.md
2026-02-09 21:51:54 -08:00

Security Best Practices

Smart Contract Security

Executor Contract

  1. Multi-Sig Ownership: Always use multi-sig for executor ownership

    • Minimum 3-of-5 signers
    • Separate signers for different functions
    • Regular key rotation
  2. Allow-List Management: Strictly control allowed targets

    • Only add verified protocol addresses
    • Regularly review and update
    • Remove unused addresses
    • Document all additions
  3. Flash Loan Security:

    • Only allow verified Aave Pools
    • Verify the initiator in the flash loan callback
    • Test flash loan scenarios thoroughly
  4. Pausability:

    • Keep pause functionality accessible
    • Test emergency pause procedures
    • Document pause/unpause process
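The four Executor Contract points above, collected into one added Solidity sketch. This is example code written for this page, not the project's own executor: the contract name `GuardedExecutor`, its storage layout, error names and the separate `guardian` role (a fast pauser that cannot unpause) are assumptions; the `flashLoanSimple` / `executeOperation` signatures follow Aave V3; in a real deployment the hand-rolled owner/pause logic would normally come from an audited library such as OpenZeppelin's `Ownable` and `Pausable`.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal Aave V3-style interfaces (only the functions this example calls).
interface IPool {
    function flashLoanSimple(address receiverAddress, address asset, uint256 amount, bytes calldata params, uint16 referralCode) external;
}

interface IERC20 {
    function approve(address spender, uint256 amount) external returns (bool);
}

// Hypothetical hardened executor: multi-sig owner, allow-listed targets, verified Pools, pausable.
contract GuardedExecutor {
    address public owner;     // expected to be a multi-sig (e.g. 3-of-5)
    address public guardian;  // assumed fast-acting role: may pause, may not unpause
    bool public paused;
    mapping(address => bool) public allowedTargets; // allow-listed protocol addresses
    mapping(address => bool) public allowedPools;   // verified Aave Pools only

    event TargetAllowed(address indexed target, bool allowed);
    event PoolAllowed(address indexed pool, bool allowed);
    event Paused(address indexed by);
    event Unpaused(address indexed by);

    error NotAuthorized();
    error IsPaused();
    error TargetNotAllowed(address target);
    error UntrustedPool(address caller);
    error BadInitiator(address initiator);
    error CallFailed(address target);

    modifier onlyOwner() { if (msg.sender != owner) revert NotAuthorized(); _; }
    modifier onlyOwnerOrGuardian() { if (msg.sender != owner && msg.sender != guardian) revert NotAuthorized(); _; }
    modifier whenNotPaused() { if (paused) revert IsPaused(); _; }

    constructor(address multisigOwner, address pauseGuardian) {
        require(multisigOwner != address(0), "owner=0");
        owner = multisigOwner;
        guardian = pauseGuardian;
    }

    // --- Allow-list management: every change goes through the multi-sig and is logged ---
    function setTarget(address target, bool allowed) external onlyOwner {
        require(target != address(0), "target=0");
        allowedTargets[target] = allowed;
        emit TargetAllowed(target, allowed);
    }

    function setPool(address pool, bool allowed) external onlyOwner {
        require(pool != address(0), "pool=0");
        allowedPools[pool] = allowed;
        emit PoolAllowed(pool, allowed);
    }

    // --- Pausability: pause is reachable by owner or guardian; unpause needs the multi-sig ---
    function pause() external onlyOwnerOrGuardian { paused = true; emit Paused(msg.sender); }
    function unpause() external onlyOwner { paused = false; emit Unpaused(msg.sender); }

    // --- Execution: every call must hit an allow-listed target ---
    function execute(address[] calldata targets, bytes[] calldata data) external onlyOwner whenNotPaused {
        _executeBatch(targets, data);
    }

    function _executeBatch(address[] memory targets, bytes[] memory data) internal {
        require(targets.length == data.length, "length mismatch");
        for (uint256 i = 0; i < targets.length; i++) {
            if (!allowedTargets[targets[i]]) revert TargetNotAllowed(targets[i]);
            (bool ok, ) = targets[i].call(data[i]);
            if (!ok) revert CallFailed(targets[i]);
        }
    }

    // --- Flash loan: only this contract may start one, only a verified Pool may call back ---
    function startFlashLoan(address pool, address asset, uint256 amount, bytes calldata params)
        external onlyOwner whenNotPaused
    {
        if (!allowedPools[pool]) revert UntrustedPool(pool);
        IPool(pool).flashLoanSimple(address(this), asset, amount, params, 0);
    }

    // Aave V3 flashLoanSimple callback. Both checks matter: msg.sender proves the caller is a
    // verified Pool, initiator proves the loan was requested by this executor and not pushed in.
    function executeOperation(address asset, uint256 amount, uint256 premium, address initiator, bytes calldata params)
        external returns (bool)
    {
        if (!allowedPools[msg.sender]) revert UntrustedPool(msg.sender);
        if (initiator != address(this)) revert BadInitiator(initiator);
        if (paused) revert IsPaused(); // defence in depth; startFlashLoan already enforces this

        (address[] memory targets, bytes[] memory data) = abi.decode(params, (address[], bytes[]));
        _executeBatch(targets, data);

        // Approve repayment of principal + premium; the Pool pulls it after this returns true.
        IERC20(asset).approve(msg.sender, amount + premium);
        return true;
    }
}
```

The callback is the point most worth testing: a unit test should cover a call from a non-allow-listed address, a call from a real Pool with a foreign `initiator`, and a batch whose target is not on the allow-list, and assert that each reverts with the matching custom error.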

Strategy Security

Input Validation

  1. Blind Values: Never hardcode sensitive values

    • Use blinds for amounts and addresses
    • Validate blind values before use
    • Sanitize user inputs
  2. Address Validation:

    • Verify all addresses are valid
    • Check addresses match target chain
    • Validate protocol addresses
  3. Amount Validation:

    • Check for zero amounts
    • Verify amount precision
    • Validate against limits

Guard Usage

  1. Always Use Guards:

    • Health factor checks for lending
    • Slippage protection for swaps
    • Gas limits for all strategies
    • Oracle sanity checks
  2. Guard Thresholds:

    • Set conservative thresholds
    • Review and adjust based on market conditions
    • Test guard behavior
  3. Guard Failure Actions:

    • Use "revert" for critical checks
    • Use "warn" for informational checks
    • Document guard behavior
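The Input Validation and Guard Usage lists above, as one added Solidity example (not the project's guard implementation): each guard carries a threshold and a failure action, `Revert` for critical checks and `Warn` for informational ones, and every evaluation is emitted as an event so it can be logged and monitored. The contract name `StrategyGuards`, the guard names, the default thresholds and the `IAggregator` interface (modelled on a Chainlink-style `latestRoundData`) are all assumptions; the thresholds are constructed defaults, not recommendations.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Minimal Chainlink-style price feed interface (assumed; only latestRoundData is used).
interface IAggregator {
    function latestRoundData() external view returns (uint80, int256, uint256, uint256, uint80);
}

// Hypothetical guard mix-in for a strategy contract.
abstract contract StrategyGuards {
    enum Action { Revert, Warn }

    struct Guard { uint256 threshold; Action action; }

    event GuardPassed(string guard, uint256 observed, uint256 threshold);
    event GuardWarning(string guard, uint256 observed, uint256 threshold);
    event GuardUpdated(string guard, uint256 threshold, Action action);

    error GuardFailed(string guard, uint256 observed, uint256 threshold);

    // Constructed defaults; review and adjust per market, keep them conservative.
    Guard public healthFactorGuard = Guard(1.5e18, Action.Revert);  // 18-decimal health factor, min 1.5
    Guard public slippageGuard     = Guard(50, Action.Revert);      // max 0.50% (bps)
    Guard public oracleAgeGuard    = Guard(1 hours, Action.Revert); // max seconds since last update
    Guard public deviationGuard    = Guard(500, Action.Warn);       // 5% vs reference price, warn only

    function _setGuard(Guard storage g, string memory name, uint256 threshold, Action action) internal {
        g.threshold = threshold;
        g.action = action;
        emit GuardUpdated(name, threshold, action);
    }

    // Single place that decides what a failed guard does, so behaviour stays documented and uniform.
    function _check(Guard memory g, string memory name, uint256 observed, bool ok) internal {
        if (ok) {
            emit GuardPassed(name, observed, g.threshold);
        } else if (g.action == Action.Revert) {
            revert GuardFailed(name, observed, g.threshold);
        } else {
            emit GuardWarning(name, observed, g.threshold);
        }
    }

    // Lending: the post-action health factor must stay at or above the threshold.
    function checkHealthFactor(uint256 healthFactor) internal {
        _check(healthFactorGuard, "healthFactor", healthFactor, healthFactor >= healthFactorGuard.threshold);
    }

    // Swaps: realised slippage in bps must not exceed the threshold.
    function checkSlippage(uint256 expectedOut, uint256 actualOut) internal {
        uint256 bps = actualOut >= expectedOut ? 0 : (expectedOut - actualOut) * 10_000 / expectedOut;
        _check(slippageGuard, "slippage", bps, bps <= slippageGuard.threshold);
    }

    // Oracle sanity: positive price, not stale, not far from an independent reference (e.g. a TWAP).
    function checkOracle(IAggregator feed, uint256 referencePrice) internal returns (uint256 price) {
        require(referencePrice > 0, "oracle: reference price is zero");
        (, int256 answer, , uint256 updatedAt, ) = feed.latestRoundData();
        require(answer > 0, "oracle: non-positive price");
        price = uint256(answer);

        uint256 age = updatedAt > block.timestamp ? 0 : block.timestamp - updatedAt;
        _check(oracleAgeGuard, "oracleAge", age, age <= oracleAgeGuard.threshold);

        uint256 diff = price > referencePrice ? price - referencePrice : referencePrice - price;
        uint256 devBps = diff * 10_000 / referencePrice;
        _check(deviationGuard, "priceDeviation", devBps, devBps <= deviationGuard.threshold);
    }

    // Input validation: the address and amount checks from the list above, applied before any call.
    function validateInputs(address target, uint256 amount, uint256 maxAmount, uint256 expectedChainId) internal view {
        require(block.chainid == expectedChainId, "wrong chain");       // address must belong to the target chain
        require(target != address(0), "zero address");
        require(target.code.length > 0, "target is not a contract");    // catches EOAs and typos
        require(amount > 0, "zero amount");
        require(amount <= maxAmount, "amount over limit");
    }
}
```

A strategy inherits `StrategyGuards`, calls `validateInputs` first, `checkOracle` before pricing anything, and `checkHealthFactor` / `checkSlippage` after the action; gas limits are set by the caller on the transaction rather than inside the contract. Because every outcome is an event, the same logs feed the guard monitoring described further down.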

Operational Security

Key Management

  1. Never Store Private Keys:

    • Use hardware wallets
    • Use key management services (KMS)
    • Rotate keys regularly
    • Never commit keys to git
  2. Access Control:

    • Limit access to production systems
    • Use separate keys for different environments
    • Implement least privilege

Monitoring

  1. Transaction Monitoring:

    • Monitor all executions
    • Alert on failures
    • Track gas usage
    • Review unusual patterns
  2. Guard Monitoring:

    • Log all guard evaluations
    • Alert on guard failures
    • Track guard effectiveness
  3. Price Monitoring:

    • Monitor oracle health
    • Alert on stale prices
    • Track price deviations

Incident Response

  1. Emergency Procedures:

    • Pause executor immediately if needed
    • Document incident response plan
    • Test emergency procedures
    • Have rollback plan ready
  2. Communication:

    • Notify stakeholders promptly
    • Document incidents
    • Conduct post-mortem analysis
    • Update procedures based on learnings

Development Security

Code Review

  1. Review All Changes:

    • Require code review
    • Perform security-focused reviews
    • Enforce test coverage requirements
  2. Dependency Management:

    • Keep dependencies updated
    • Review dependency changes
    • Use dependency scanning

Testing

  1. Comprehensive Testing:

    • Unit tests for all components
    • Integration tests for flows
    • Security-focused tests
    • Fork testing before deployment
  2. Penetration Testing:

    • Regular security audits
    • Test attack vectors
    • Review access controls

Best Practices Summary

Do:

  • Use multi-sig for ownership
  • Validate all inputs
  • Use guards extensively
  • Monitor all operations
  • Test thoroughly
  • Document everything
  • Keep dependencies updated
  • Use hardware wallets

Don't:

  • Hardcode sensitive values
  • Skip validation
  • Ignore guard failures
  • Deploy without testing
  • Store private keys in code
  • Skip security reviews
  • Use untested strategies
  • Ignore monitoring alerts

Security Checklist

Before deployment:

  • Security audit completed
  • Multi-sig configured
  • Allow-list verified
  • Guards tested
  • Monitoring configured
  • Emergency procedures documented
  • Incident response plan ready
  • Dependencies updated
  • Tests passing
  • Documentation complete