Security Best Practices
Essential security guidelines for developing and deploying secure applications on Tetreum Testnet.
Follow these essential practices when developing smart contracts:
Input Validation
- • Always validate function parameters
- • Use require() statements for preconditions
- • Check for zero addresses and empty values
- • Implement proper bounds checking
Access Control
- • Implement role-based permissions
- • Use OpenZeppelin's AccessControl
- • Follow principle of least privilege
- • Secure admin functions properly
Reentrancy Protection
- • Use ReentrancyGuard modifier
- • Follow checks-effects-interactions pattern
- • Be cautious with external calls
- • Update state before external calls
Protect your private keys and sensitive information:
✅ Do This
- • Use hardware wallets for production
- • Store keys in encrypted formats
- • Use environment variables
- • Implement multi-signature wallets
- • Regular security audits
❌ Never Do This
- • Hardcode private keys in code
- • Share keys via email/chat
- • Store keys in version control
- • Use weak passwords
- • Ignore security updates
Critical: Never commit private keys to repositories. Use .env files and add them to .gitignore.
Secure your dApp frontend against common vulnerabilities:
Input Sanitization
- • Validate all user inputs client-side
- • Sanitize data before blockchain submission
- • Use proper encoding for special characters
- • Implement CSRF protection
Wallet Integration
- • Always verify wallet connections
- • Check network ID before transactions
- • Display transaction details clearly
- • Handle wallet errors gracefully
Content Security
- • Implement Content Security Policy
- • Use HTTPS for all communications
- • Validate smart contract addresses
- • Protect against XSS attacks
Be aware of these common attack vectors and how to prevent them:
Reentrancy Attacks
Malicious contracts calling back into your contract before state changes complete.
Prevention: Use ReentrancyGuard, checks-effects-interactions pattern
Integer Overflow/Underflow
Mathematical operations exceeding variable limits causing unexpected behavior.
Prevention: Use SafeMath library or Solidity 0.8+ built-in protection
Front-Running
Attackers observing pending transactions and submitting competing transactions with higher gas.
Prevention: Commit-reveal schemes, time locks, MEV protection
Access Control Issues
Unauthorized access to admin functions or missing permission checks.
Prevention: Proper role management, multi-signature requirements
Essential security checks before deploying to mainnet:
Security First Approach
Security should be integrated into every phase of development, not added as an afterthought.