Learn how to bolster the security of your applications on the Sui blockchain and mitigate risks for users and developers in this article.
In the realm of application development on the Sui blockchain, the foundation of security stands as a pivotal cornerstone. Guarding against potential exploits and nefarious attacks isn't just a necessity; it's a responsibility that developers bear to safeguard user assets and insulate their own reputation from harm.
Best Practices for Augmented Security
The folks from the Sui security and cryptography team have put together some really useful tips for app developers to keep in mind while they're working on their creations. Some of these tips are specific to Sui, but a lot of them are relevant to any blockchain app out there.
Tiered Addresses for Network Segmentation
Amid the landscape of Devnet, Testnet, and Mainnet, a strategic segmentation of addresses takes precedence. The non-monetary nature of assets on Devnet and Testnet differentiates them from the high-stake assets residing on Mainnet. To mitigate the risk of inadvertent access by unauthorized entities on Mainnet, a robust approach involves using separate credentials for Devnet/Testnet and Mainnet. The act of address reuse across networks introduces unnecessary exposure, amplifying the probability of operational errors that can have detrimental consequences.
Safeguarding Keys and Mnemonics
The allure of storing crucial account keys and mnemonics within a public GitHub repository can be tempting. However, this practice is a potential minefield. These confidential credentials wield the power to regulate access to on-chain assets and should be granted only to those with legitimate authorization. Even erasing these sensitive elements from the repository doesn't suffice—historic repository data can still unveil them. The preferred approach is to generate keys programmatically rather than relying on hardcoded ones, thus reinforcing the security fabric.
Dual Asserts: On-Chain and Off-Chain
A critical facet of blockchain applications is the ability to access on-chain smart contract functions directly from external sources. This opens a doorway to potential vulnerabilities if essential conditions aren't consistently validated both within the smart contract code and the frontend. Neglecting this synchronization could render the application susceptible to exploitation, a risk that can be mitigated through the comprehensive assertion of conditions across both interfaces.
Prudent Handling of Object IDs
Sui's object IDs are a testament to uniqueness and consistency, having been assigned by validators during object creation. However, relying on them as sources of randomness or entropy is imprudent. Applications dependent on randomness, such as lotteries or cryptography, warrant careful consideration. Counting on object IDs for these scenarios can lead to vulnerabilities. It's wise to circumvent fields with predictable bytes during repeated dryRun RPC calls and to eschew clock-based randomness due to its susceptibility to manipulation.
Gatekeeping VRF and Signatures
Verifiable Randomness Functions (VRFs) bear the responsibility of introducing unpredictability to various applications. However, granting unbridled access to a VRF external to an application can empower malicious actors. They could premeditate lottery outcomes or even wield unauthorized power over cryptographic signatures. A fortified approach entails locking down VRFs within the application's boundaries, thereby curbing unauthorized utilization and bolstering overall security.
Adherence to these advanced security practices stands as a testament to your commitment to the integrity of on-chain applications. The resulting robustness, enhanced security, and establishment of trust among end users reverberate through the blockchain ecosystem. For a deeper dive into tailoring these practices to secure your Sui applications, consider enrolling in engineering office hours—an opportunity for in-depth technical consultations. As the blockchain landscape evolves, your role in maintaining its security becomes increasingly pivotal, shaping the foundation of the digital future.
Be sure to check out Suipiens' website and social media channels to stay up-to-date on all things about Sui Blockchain!