Common Web3 Vulnerabilities
- Reentrancy - Recursive calls allowing multiple withdrawals
- Integer Overflow - Math errors in token calculations
- Front-Running - MEV bots extracting value
- Access Control - Unauthorized function calls
- Oracle Manipulation - Fake price feeds
API Security Best Practices
1. Never Expose Private Keys
Use environment variables, never commit secrets to git.
2. Rate Limiting
Implement API rate limits to prevent abuse.
3. Input Validation
Validate all user inputs and on-chain data.
4. Use Multi-Sig
Require multiple approvals for sensitive operations.
Smart Contract Security
- Checks-Effects-Interactions - Update state before external calls
- Pull Over Push - Let users withdraw rather than sending
- Timelocks - Delay critical parameter changes
- Pausable - Emergency stop functionality
Security Tools
- Slither - Static analyzer for Solidity
- Hardhat - Contract testing framework
- Tenderly - Transaction simulation
- OpenZeppelin - Battle-tested contracts
- CertiK - Security audits
Never Store Private Keys in Frontend Code
Always use browser wallet extensions or mobile wallets for signing. Never embed seed phrases or private keys in your application code.
Security Audit Checklist
- Code review by multiple developers
- Automated static analysis
- Formal verification (if possible)
- Testnet deployment and testing
- Bug bounty program
- Timelock on mainnet changes