At the Gathering of Minds conference earlier this year, a group of blockchain industry leaders led by Trail of Bits CEO Dan Guido met to discuss and workshop a simple test for profiling the security of blockchain projects with a view to help address and reduce security failures and build trust in the ecosystem. Although the number of hacks decreased in 2022, the amount stolen cost users approximately $3.8 billion. The result was the Rekt Test.
As a blockchain version of the the Joel Test (a famous and very simple checklist created in 2000 by Joel Spolsky to determine the maturity and quality of a software team) the Rekt Test is designed to assist Web3 projects to objectively assess their security posture and measuring their risk profile against bad actors.
The test focuses on simple and universally applicable security controls to inform Web3 projects that otherwise may lack guidance and structure to their security operations.
The 12 questions comprising the Rekt Test are as follows:
Do you have all actors, roles, and privileges documented?
Do you keep documentation of all the external services, contracts, and oracles you rely on?
Do you have a written and tested incident response plan?
Do you document the best ways to attack your system?
Do you perform identity verification and background checks on all employees?
Do you have a team member with security defined in their role?
Do you require hardware security keys for production systems?
Does your key management system require multiple humans and physical steps?
Do you define key invariants for your system and test them on every commit?
Do you use the best automated tools to discover security issues in your code?
Do you undergo external audits and maintain a vulnerability disclosure or bug bounty program?
Have you considered and mitigated avenues for abusing users of your system?
Projects will need to consider these questions in depth and reflect on their current operations. Each question is a starting point to unpack into a range of more detailed questions applicable to a project and conducting a risk analysis. The list is of course not designed to be definitive, but a way to start informed discussions about important security controls.
Hacks, scams, social engineering, lack of documentation, and the absence of security roles are common points of risk in the blockchain ecosystem and industry participants need to go beyond just improving smart contract code or enlisting white hats to test systems as the industry matures.
Having a clear response to the Rekt test could be a great framework for blockchain projects and businesses, and even developers, to help ensure that aren't the victim of accidental loss or a cyber attack.
By Michael Bacina and Luke Misthos