Erick Fernandez for Extropy.IO

Start the year securely with these development checklists

The exploit landscape is forever changing. To help you make a safe start to 2026, we are releasing a set of security checklists to use when developing in Web3. This first one covers architecture and procedures in general.
Join our Discord server and let us know if you find these useful, and above all stay safe in 2026.

Web3 Development General Security Checklist

This checklist is derived from the critical findings and recommendations from our 2025 End-of-Year Security Review.

1. Defensive Architecture & Fail-Safe Engineering

  • On-Chain Invariant Enforcement: Have you implemented automated checks that revert state transitions if fundamental economic properties (e.g., total supply, collateral ratios, or reward balances) are violated?
  • Algorithmic Circuit Breakers: Are there automated pause mechanisms triggered by abnormal volatility, suspicious outflow patterns, or internal state desynchronisation?
  • Formal Verification for Logic Safety: Have you transitioned from simple unit testing to property-based testing and formal verification to prove protocol maths remains sound under extreme edge-case conditions?
  • Implicit vs. Explicit Failure: Is the system architected to degrade gracefully or halt entirely when core invariants are threatened, rather than assuming ideal behaviour?
  • Upgrade Safety: Is there an upgrade path, and has it been tested? Can an attacker force an upgrade? Are upgrades monitored?
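
The following contract is an added example, not code from Extropy.IO or from the review, showing three of the items above in one place: a solvency invariant checked after every state transition, an outflow-based circuit breaker that halts the contract on its own, and explicit failure (a halted vault rejects calls rather than continuing). The WINDOW and MAX_OUTFLOW_BPS values are assumed tuning numbers for the illustration, not recommendations.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not Extropy.IO code): a minimal ether vault showing
///   - an invariant check that reverts any state transition leaving the
///     vault unable to cover tracked deposits,
///   - an algorithmic circuit breaker that halts the vault when outflow in a
///     time window exceeds a share of the deposits held at window start,
///   - explicit failure: a halted vault rejects calls instead of limping on.
/// WINDOW and MAX_OUTFLOW_BPS are assumed values chosen for the illustration.
contract GuardedVault {
    mapping(address => uint256) public balances;
    uint256 public totalDeposits;                   // sum of all balances

    uint256 public constant WINDOW = 1 hours;       // assumed window length
    uint256 public constant MAX_OUTFLOW_BPS = 2000; // assumed: 20% per window
    uint256 public windowStart;
    uint256 public windowBaseline;                  // deposits at window start
    uint256 public windowOutflow;

    bool public halted;
    address public immutable guardian;

    error Halted();
    error InsufficientBalance();
    error InvariantViolated(uint256 tracked, uint256 actual);
    error NotGuardian();

    event CircuitBreakerTripped(uint256 attempted, uint256 outflow, uint256 baseline);
    event HaltCleared(address by);

    constructor(address _guardian) { guardian = _guardian; }

    modifier notHalted() { if (halted) revert Halted(); _; }

    /// Solvency invariant, checked after the function body runs. Uses "<"
    /// rather than "!=" so ether force-sent to the contract cannot brick it.
    modifier checkInvariant() {
        _;
        if (address(this).balance < totalDeposits)
            revert InvariantViolated(totalDeposits, address(this).balance);
    }

    function deposit() external payable notHalted checkInvariant {
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    /// Returns false (and halts the vault) when the withdrawal would push the
    /// window's outflow over the limit. The trip itself must not revert, or
    /// the halted flag would be rolled back together with the rejected call.
    function withdraw(uint256 amount) external notHalted checkInvariant returns (bool) {
        if (balances[msg.sender] < amount) revert InsufficientBalance();
        if (_breakerTrips(amount)) {
            halted = true;
            emit CircuitBreakerTripped(amount, windowOutflow, windowBaseline);
            return false;
        }
        windowOutflow += amount;
        balances[msg.sender] -= amount;          // effects before interaction
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        return true;
    }

    function _breakerTrips(uint256 amount) internal returns (bool) {
        if (block.timestamp >= windowStart + WINDOW) {
            windowStart = block.timestamp;       // open a new window
            windowBaseline = totalDeposits;
            windowOutflow = 0;
        }
        return (windowOutflow + amount) * 10_000 > windowBaseline * MAX_OUTFLOW_BPS;
    }

    /// Manual halt and resume. Resume is deliberately not automatic, so a
    /// tripped breaker always gets a human review before funds move again.
    function halt() external { if (msg.sender != guardian) revert NotGuardian(); halted = true; }
    function resume() external {
        if (msg.sender != guardian) revert NotGuardian();
        halted = false;
        emit HaltCleared(msg.sender);
    }
}
```

Two design points are worth reading closely: the invariant is checked with `<` instead of `!=`, because anyone can force ether into a contract and an exact-equality check would turn that into a permanent denial of service; and the breaker records its halt in a non-reverting path, since a `revert` would discard the `halted = true` write along with the rejected withdrawal. Property-based tests (the item on formal verification above) would target exactly these two statements: "balance never drops below tracked deposits" and "outflow in any window never exceeds the limit".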

2. Precision Access Control & Authority Management

  • Scoped Capability Management: Have you moved away from monolithic admin roles toward granular, time-locked capabilities?
  • Separation of Duties: Are critical tasks and privileges distributed among distinct individuals to prevent single points of failure?
  • Whitelisted Governance Execution: Is all governance-led interaction restricted to a pre-approved registry of contracts and function signatures, eliminating arbitrary low-level calls?
  • Operational Security (OpSec) Hygiene: Is "Least Privilege" access enforced for dev-ops pipelines and deployment environments?
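
As an added example (not Extropy.IO code) of scoped capabilities, separation of duties and whitelisted governance execution working together, the contract below executes only calls whose target and function selector are on a pre-approved registry, only after a fixed delay, and splits the right to register entries from the right to queue calls into separate, expiring capabilities. The capability names, the two-day delay and the single `root` granter are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not Extropy.IO code): a governance executor that only runs
/// calls whose (target, selector) pair is registered, after a mandatory delay,
/// where registering and queueing are distinct, time-boxed capabilities.
contract ScopedExecutor {
    bytes32 public constant CAP_QUEUE = keccak256("QUEUE");       // may queue calls
    bytes32 public constant CAP_REGISTER = keccak256("REGISTER"); // may whitelist entries

    uint256 public constant DELAY = 2 days;   // assumed time-lock
    address public immutable root;            // only grants capabilities, nothing else

    mapping(bytes32 => mapping(address => uint64)) public capabilityExpiry; // cap => holder => expiry
    mapping(address => mapping(bytes4 => bool)) public allowed;              // target => selector
    mapping(bytes32 => uint256) public readyAt;                              // op id => timestamp

    error NotAuthorised(bytes32 cap);
    error NotWhitelisted(address target, bytes4 selector);
    error NotReady(bytes32 id);
    error BadCalldata();

    event Registered(address target, bytes4 selector);
    event Queued(bytes32 id, address target, bytes4 selector, uint256 readyAt);
    event Executed(bytes32 id);

    constructor(address _root) { root = _root; }

    modifier has(bytes32 cap) {
        if (capabilityExpiry[cap][msg.sender] <= block.timestamp) revert NotAuthorised(cap);
        _;
    }

    /// Capabilities are time-boxed: a leaked key loses its power by itself.
    function grant(bytes32 cap, address who, uint64 ttl) external {
        require(msg.sender == root, "root only");
        capabilityExpiry[cap][who] = uint64(block.timestamp) + ttl;
    }

    /// Separation of duties: a register holder cannot queue, and vice versa,
    /// unless root has deliberately granted both to the same address.
    function register(address target, bytes4 selector) external has(CAP_REGISTER) {
        allowed[target][selector] = true;
        emit Registered(target, selector);
    }

    function queue(address target, bytes calldata data, uint256 salt)
        external has(CAP_QUEUE) returns (bytes32 id)
    {
        if (data.length < 4) revert BadCalldata();
        bytes4 selector = bytes4(data[:4]);
        if (!allowed[target][selector]) revert NotWhitelisted(target, selector);
        id = keccak256(abi.encode(target, data, salt));
        readyAt[id] = block.timestamp + DELAY;
        emit Queued(id, target, selector, readyAt[id]);
    }

    /// Anyone may execute once the delay has passed. The whitelist is checked
    /// again here, so an entry removed while a call sat in the queue cannot run,
    /// and the id is cleared before the call so it cannot be replayed.
    function execute(address target, bytes calldata data, uint256 salt)
        external returns (bytes memory)
    {
        bytes32 id = keccak256(abi.encode(target, data, salt));
        uint256 t = readyAt[id];
        if (t == 0 || block.timestamp < t) revert NotReady(id);
        bytes4 selector = bytes4(data[:4]);
        if (!allowed[target][selector]) revert NotWhitelisted(target, selector);
        delete readyAt[id];
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call reverted");
        emit Executed(id);
        return ret;
    }
}
```

The executor still performs a low-level `call`, but only to a (target, selector) pair that someone with the register capability approved in advance, so governance cannot be steered into an arbitrary contract by a single compromised key; the delay gives monitoring (the upgrade item in section 1) a window to react before a queued call lands.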

3. Identity Integrity & Cross-Chain Security

  • Domain Separation & Replay Protection: Do all off-chain messages mandate EIP-712 (or equivalent) domain separation, cryptographically binding signatures to a specific Chain ID, contract address, and unique user nonce?
  • Resolver-Contract Synchronisation: For hybrid or ZK-powered systems, is the off-chain resolver state a perfect mirror of the on-chain source of truth?
  • Cryptographic Handshakes: Do backends require a cryptographically verified handshake from the smart contract before updating local state?
  • Contextual Identity Verification: Does the code clearly distinguish between a Signer (initiator) and an Object Owner (asset holder) to eliminate "Confused Deputy" vulnerabilities?
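
The contract below is an added example, not code from Extropy.IO, of the first and last items in this section: an off-chain authorisation verified with EIP-712 domain separation (bound to the chain id, the verifying contract and a per-owner nonce), where the signer who authorised the action is kept distinct from the owner whose balance moves. The struct name, field names, domain name and version are assumptions for the illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added example (not Extropy.IO code): EIP-712 verification of an off-chain
/// "Transfer" authorisation bound to this chain, this contract and a
/// per-owner nonce, keeping the signer (who authorised) distinct from the
/// owner (whose asset moves). Struct, field and domain names are assumptions.
contract SignedTransfers {
    bytes32 private constant EIP712_DOMAIN_TYPEHASH = keccak256(
        "EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"
    );
    bytes32 private constant TRANSFER_TYPEHASH = keccak256(
        "Transfer(address owner,address to,uint256 amount,uint256 nonce,uint256 deadline)"
    );
    // secp256k1 group order / 2: a signature with a larger s is the malleable
    // twin of a valid one and is rejected so each message has one canonical form
    uint256 private constant HALF_N = 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    mapping(address => uint256) public balances;
    mapping(address => uint256) public nonces;                      // per-owner replay counter
    mapping(address => mapping(address => bool)) public operators;  // owner => approved signer

    error Expired();
    error BadSignature();
    error NotAuthorisedSigner(address owner, address signer);

    /// Computed per call rather than cached at deployment, so that after a
    /// chain fork the new chainid yields a different digest and old
    /// signatures are not valid on both sides of the fork.
    function domainSeparator() public view returns (bytes32) {
        return keccak256(abi.encode(
            EIP712_DOMAIN_TYPEHASH,
            keccak256("SignedTransfers"),   // assumed name
            keccak256("1"),                 // assumed version
            block.chainid,
            address(this)
        ));
    }

    function digest(address owner, address to, uint256 amount, uint256 nonce, uint256 deadline)
        public view returns (bytes32)
    {
        bytes32 structHash = keccak256(abi.encode(TRANSFER_TYPEHASH, owner, to, amount, nonce, deadline));
        return keccak256(abi.encodePacked("\x19\x01", domainSeparator(), structHash));
    }

    /// The owner decides which signers may act on their balance.
    function setOperator(address signer, bool ok) external { operators[msg.sender][signer] = ok; }

    function deposit() external payable { balances[msg.sender] += msg.value; }

    /// Anyone may relay the signed message; authority comes from the signature,
    /// not from msg.sender. Because owner is part of the signed data, a relayer
    /// cannot point a valid signature at someone else's balance.
    function transferWithSig(
        address owner, address to, uint256 amount, uint256 deadline,
        uint8 v, bytes32 r, bytes32 s
    ) external {
        if (block.timestamp > deadline) revert Expired();
        if (uint256(s) > HALF_N || (v != 27 && v != 28)) revert BadSignature();

        uint256 nonce = nonces[owner]++;   // consumed exactly once; rolled back on revert
        address signer = ecrecover(digest(owner, to, amount, nonce, deadline), v, r, s);
        if (signer == address(0)) revert BadSignature();

        // Signer vs owner: the signer must be the owner or an operator the
        // owner explicitly approved, which closes the confused-deputy path
        // where a valid signature from A is used to move B's funds.
        if (signer != owner && !operators[owner][signer]) revert NotAuthorisedSigner(owner, signer);

        require(balances[owner] >= amount, "insufficient");
        balances[owner] -= amount;
        balances[to] += amount;
    }
}
```

Each of the three binding elements in the checklist item is visible in the digest: `block.chainid` and `address(this)` enter through the domain separator, and the nonce enters through the struct hash, so the same signed message cannot be replayed on another chain, against another deployment, or a second time against this one.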

4. User Protection & Behavioural Security

  • Simulation-First UX: Does the user interface integrate transaction simulation to provide "clear-signing" transparency, preventing blind-signing of malicious requests?
  • Adversarial UX Testing: Has the user interaction flow been stress-tested against phishing, wallet compromise, and transaction misdirection?
  • Incident Response Readiness: Is there a documented and tested recovery plan for compromised keys, including pre-deployed emergency pause contracts?
