STAB3L
12px

Security Guide

Security best practices and considerations for the STAB3L platform

Security Guide

Security is a core principle of the STAB3L platform. This guide outlines the security measures implemented in the platform and provides best practices for users, providers, and developers.

{% hint style="info" %} STAB3L undergoes regular security audits by independent third-party firms. Audit reports are available in the Security section of our website. {% endhint %}

{% hint style="warning" %} Important: CU tokens are NOT tradable assets. They are temporary tokens that are burned immediately when exchanged for sSTB. This burning mechanism is crucial for maintaining the peg and ensuring that each sSTB is backed by real compute resources. {% endhint %}

Platform Security Architecture

STAB3L implements a multi-layered security architecture to protect user assets, data, and the integrity of the platform.

Smart Contract Security

The STAB3L smart contracts form the foundation of the platform's security:

  1. Formal Verification: All critical smart contracts undergo formal verification to mathematically prove their correctness.

  2. Multi-signature Governance: Contract upgrades require approval from 7 out of 11 governance signers with a 21-day timelock period.

  3. Circuit Breakers: Automatic pause mechanisms are triggered if suspicious activity is detected, such as:

    • Unusual trading volume (>50% increase in 1 hour)

    • Large bridge transfers (>$1M equivalent)

    • Rapid price fluctuations (>20% in 1 hour)

  4. Access Control: Granular role-based access control using OpenZeppelin's AccessControl library.

  5. Secure Randomness: VRF (Verifiable Random Function) for any randomness requirements.

Verification Security

The verification of compute resources is secured through:

  1. Zero-Knowledge Proofs (ZKP): Cryptographic proofs that verify compute resources without revealing sensitive information.

  2. Trusted Execution Environments (TEE): Secure enclaves that isolate computation from the host system.

  3. Attestation: Remote attestation to verify the integrity of TEE environments.

  4. Benchmark Integrity: Tamper-proof benchmarking processes with cryptographic verification.

Cross-Chain Security

The cross-chain bridge implements multiple security measures:

  1. Message Verification: Cryptographic verification of cross-chain messages.

  2. Confirmation Thresholds: Minimum confirmation requirements before processing transactions.

  3. Value Limits: Maximum transfer limits to mitigate the impact of potential exploits.

  4. Relayer Redundancy: Multiple independent relayers to ensure availability and consensus.

  5. Monitoring: Real-time monitoring of bridge activity with automated alerts.

Security Best Practices

For Users

{% tabs %} {% tab title="Wallet Security" %}

  1. Use Hardware Wallets: Store significant assets in hardware wallets like Ledger or Trezor.

  2. Separate Wallets: Use different wallets for different purposes (trading, holding, etc.).

  3. Secure Recovery Phrases: Store recovery phrases offline in secure, multiple locations.

  4. Check Transactions: Always verify transaction details before signing.

  5. Use Multisig: Consider using multisig wallets for large holdings. {% endtab %}

{% tab title="Account Security" %}

  1. Strong Passwords: Use unique, complex passwords for your STAB3L account.

  2. Two-Factor Authentication: Enable 2FA using an authenticator app.

  3. Regular Monitoring: Check your account activity regularly.

  4. Authorized Devices: Review and manage devices authorized to access your account.

  5. Phishing Awareness: Be vigilant about phishing attempts and always verify URLs. {% endtab %}

{% tab title="Transaction Security" %}

  1. Start Small: Test new features with small amounts first.

  2. Set Limits: Use transaction limits to minimize potential losses.

  3. Verify Addresses: Double-check recipient addresses before confirming transactions.

  4. Gas Settings: Understand gas settings to avoid transaction failures.

  5. Slippage Protection: Set appropriate slippage tolerance for trades. {% endtab %} {% endtabs %}

For Providers

  1. Secure Infrastructure: Implement robust security measures for your compute infrastructure:

    • Network segmentation
    • Firewall rules
    • Regular security updates
    • Intrusion detection systems

  2. Key Management: Secure management of private keys:

    • Hardware security modules (HSMs)
    • Key rotation policies
    • Principle of least privilege

  3. Monitoring and Alerting: Implement comprehensive monitoring:

    • Resource utilization
    • Unusual access patterns
    • System integrity
    • Automated alerts for anomalies

  4. Backup and Recovery: Regular backups and tested recovery procedures:

    • Offsite backups
    • Encrypted backups
    • Regular recovery testing

  5. Compliance: Adhere to relevant security standards and regulations:

    • ISO 27001
    • SOC 2
    • GDPR (if applicable)

For Developers

  1. Secure Development Lifecycle:

    • Threat modeling
    • Security requirements
    • Code reviews
    • Security testing
    • Vulnerability management

  2. API Security:

    • TLS encryption
    • API key rotation
    • Rate limiting
    • Input validation
    • Output encoding

  3. Smart Contract Development:

    • Follow established patterns

    • Use audited libraries (OpenZeppelin)

    • Comprehensive testing

    • Gas optimization without security compromises

    • Formal verification when possible

  4. Dependency Management:

    • Regular dependency updates

    • Vulnerability scanning

    • Dependency pinning

    • Software composition analysis

Security Incident Response

STAB3L has a comprehensive security incident response plan:

Reporting Security Issues

If you discover a security vulnerability, please report it through our bug bounty program or email security@stab3l.com.

{% hint style="warning" %} Please do not disclose security vulnerabilities publicly until they have been addressed by the STAB3L team. {% endhint %}

Incident Response Process

  1. Detection and Reporting: Security incidents can be detected through monitoring systems or reported by users, providers, or security researchers.

  2. Assessment and Triage: The security team assesses the severity and impact of the incident.

  3. Containment: Immediate actions to contain the incident, which may include:

    • Pausing affected contracts

    • Restricting access to affected systems

    • Isolating compromised components

  4. Eradication: Removing the cause of the incident and addressing vulnerabilities.

  5. Recovery: Restoring systems to normal operation.

  6. Post-Incident Analysis: Comprehensive review to prevent similar incidents.

  7. Disclosure: Transparent communication about the incident, impact, and remediation.

Security Audits and Compliance

STAB3L undergoes regular security audits by leading blockchain security firms:

Smart Contract Audits

Comprehensive audits of all smart contracts

View Reports

Bridge Security Audits

Specialized audits of cross-chain bridge components

View Reports

Verification System Audits

Audits of ZKP and TEE verification systems

View Reports

Bug Bounty Program

STAB3L maintains an active bug bounty program to incentivize the responsible disclosure of security vulnerabilities:

  • Platform: HackerOne
  • Rewards: Up to $250,000 depending on severity
  • Scope: Smart contracts, bridge, verification systems, API, and web applications

View Bug Bounty Program

Security FAQs

{% accordion %} {% accordion-item title="How are funds secured in the STAB3L platform?" %} STAB3L secures funds through multiple mechanisms:

  1. Formally verified smart contracts
  2. Multi-signature governance
  3. Time-locked upgrades
  4. Regular security audits
  5. Circuit breakers for emergency situations
  6. Insurance fund for unexpected events

Note that sSTB tokens, not CU tokens, are the tradable assets in the STAB3L ecosystem. CU tokens are temporary and are burned immediately when exchanged for sSTB. {% endaccordion-item %}

{% accordion-item title="What happens if a security incident occurs?" %} In the event of a security incident:

  1. Affected systems may be paused
  2. The security team will investigate and address the issue
  3. Users will be notified through official channels
  4. A post-incident report will be published
  5. If applicable, the insurance fund may be used to compensate affected users {% endaccordion-item %}

{% accordion-item title="How is the verification process secured?" %} The verification process is secured through:

  1. Zero-Knowledge Proofs that don't reveal sensitive information
  2. Trusted Execution Environments for secure computation
  3. Cryptographic attestation of compute resources
  4. Multiple independent verifiers
  5. Regular security audits of the verification system {% endaccordion-item %}

{% accordion-item title="How secure is the cross-chain bridge?" %} The cross-chain bridge implements multiple security measures:

  1. Message verification using cryptographic proofs
  2. Required confirmations before processing transactions
  3. Value limits to mitigate potential exploits
  4. Multiple independent relayers
  5. Real-time monitoring and alerts
  6. Regular security audits

Note that the bridge is designed to transfer sSTB tokens between chains, not CU tokens, as CU tokens are not tradable assets. {% endaccordion-item %} {% endaccordion %}

Security Resources

Documentation

Tools

External Resources

Conclusion

Security is a shared responsibility between the STAB3L platform, providers, developers, and users. By following the best practices outlined in this guide and staying informed about security updates, you can help maintain the security and integrity of the STAB3L ecosystem.

For security-related questions or concerns, please contact security@stab3l.com.