Page cover

Security Best Practices

Security is critical when dealing with blockchain interactions and potentially valuable assets managed by agents.

Security Components

  • Input Validation: Comprehensive input validation across all modules to prevent injection attacks and ensure data integrity.

  • Error Handling: Robust error handling with detailed error messages and graceful failure recovery.

  • Authentication: Support for API keys and token-based authentication for secure access to the system.

  • Authorization: Role-based access control for different operations and resources.

  • Secure Storage: Encrypted storage of sensitive information with secure key management.

  • Rate Limiting: Protection against abuse with configurable rate limits for API endpoints.

  • Logging: Detailed logging of security events for audit and troubleshooting.

  • User-Extensible Security: Customizable security policies and rules via configuration.

Key Management

  • NEVER commit private keys, seed phrases, or API secrets directly into the codebase or version control.

  • Use environment variables (.env file, ignored by git) or secure secret management systems (like HashiCorp Vault, AWS Secrets Manager, Doppler) for sensitive credentials.

  • For production systems handling significant value, strongly consider using hardware wallets (e.g., Ledger) or MPC (Multi-Party Computation) solutions for transaction signing, integrated via appropriate libraries or services.

  • Rotate API keys and credentials regularly.

Input Validation

  • Sanitize and validate all external inputs, especially those used in blockchain interactions (e.g., contract addresses, amounts, user addresses).

  • Validate data received from external APIs or oracles (e.g., price feeds) before agents act upon it.

  • Be cautious of user-provided configurations (e.g., agent/swarm JSON configs) and validate their structure and values.

Smart Contract Interaction

  • When interacting with smart contracts (especially external ones), verify the contract address and ABI.

  • Understand the potential risks of the contracts you interact with (e.g., reentrancy, access control issues).

  • Use well-audited libraries for contract interaction (e.g., Ethers.js, Web3.py).

  • Set appropriate gas limits and prices to avoid failed transactions or overspending.

Backend and API Security

  • Protect the Julia backend API endpoint. Use API keys or other authentication mechanisms if exposed externally.

  • Implement rate limiting on the backend API to prevent abuse.

  • Use HTTPS for all communication between frontend/clients and the backend.

  • Keep Julia, Node.js, Python, and all package dependencies updated to patch known vulnerabilities.

Agent & Swarm Security

  • Implement robust error handling within agent logic to prevent unexpected behavior due to market volatility or API failures.

  • Design agents with safety limits (e.g., maximum position size, stop-loss triggers, circuit breakers).

  • Be cautious when granting agents broad permissions, especially regarding fund transfers.

  • Regularly audit agent performance and decision-making logs for anomalies.

Cross-Chain Security

  • Understand the security model of the specific bridge being used (e.g., Wormhole's guardian network, Relay's trust assumptions).

  • Verify the authenticity of messages or proofs (like VAAs) before completing transfers on the target chain.

  • Monitor bridge operations for potential delays or failures.

Deployment Security

  • Follow secure deployment practices (see Deployment & Operations).

  • Restrict access to servers and databases.

  • Implement monitoring and alerting for suspicious activities.

Last updated