Mitigating Attack Vectors
This section highlights some of the primary threats developers and users may encounter along with recommended strategies to mitigate these risks. It’s important to recognize that this is not exhaustive; rather, it aims to outline key areas and proactive steps to bolster security.
Cross-site scripting (XSS) attacks
Dynamic mitigates XSS attacks by utilizing Content Security Policies (CSPs) and iFrames, preventing unauthorized scripts from accessing wallet shares or modifying user sessions.
Phishing and Social Engineering attacks
Phishing and social engineering are the most common threats in software and financial applications. While no single solution can fully prevent these attacks, Dynamic employs multiple strategies:
- Domain binding to restrict JWTs and wallet interactions to approved domains
- We do not allow SMS as a secondary MFA method
Recommendations to developers to mitigate phishing attacks
- Wherever possible, warn users when they perform sensitive actions. For example, Dynamic includes a message in the developer console advising users to never copy and paste code into their browser, and requires active user acknowledgment during any export activity
- Leverage transaction simulation to prompt users before they transact
- Leverage transaction security checks, which scan for malicious address involvement
- Add additional authentication layers like MFA, or require a Passcode for a user-share
Supply chain attacks
Dynamic uses automated tools for continuous monitoring and scanning of third-party packages for vulnerabilities and enforces integrity checks on all external dependencies. Additionally, for Dynamic-powered Embedded Wallets, Trusted Execution Environments (TEE) are used to further ensure security and controls around sensitive user data. All secure enclave deployments are attested to guarantee the integrity of the running software and ensure that only authorized code runs within our infrastructure. Multi-person reviews with scanned, signed, and verified artifacts are strictly enforced to prevent tampering in the software supply chain.
Brute-force attacks
Dynamic enforces rate limiting on authentication attempts and supports additional measures like hCAPTCHA and domain blocking. We have active monitoring on all endpoints and projects to alert us if we see increases above the norm.
Recommendations to protect against brute force attacks
- Notify us ahead of major traffic events. Dynamic will be able to add rate limit rules that help block bot traffic
- Place your entire site behind Cloudflare Turnstile
- Add hCAPTCHA during heavy traffic periods such as a network launch, airdrop, TGE or quest program
- Add email Domain Blocking if you determine a specific domain is carrying out an attack
- Enforce MFA such as TOTP
Man-in-the-Middle (MITM) attacks
Dynamic strictly enforces TLS/SSL encryption for all network traffic to prevent any unauthorized access to data in transit to or from Dynamic's servers. A CORS origin is a requirement for any web application using Dynamic.
For Dynamic-powered Embedded Wallets, we implement session key chaining, which requires a properly registered session key on sensitive authenticated requests. Dynamic-powered Embedded Wallets with TSS-MPC also use a secure relay mechanism to apply an additional layer of encryption between parties involved in MPC ceremonies. This prevents unauthorized interception of key share material between devices and Dynamic servers.
Recommendations to protect against man-in-the-middle attacks
- Enable cookie-based authentication. When properly enabled, Dynamic will write an httpOnly cookie from the server response which helps prevent malicious hackers from stealing a legitimate user’s JWT
- Enforce MFA. This will help prevent a malicious actor from using a compromised email/social to impersonate a user, even if they are able to collect this information in a malicious way
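One way to confirm that cookie-based authentication is in effect is to audit the `Set-Cookie` header your application receives. This is an added example, not Dynamic's code: the cookie name `session_jwt` and the sample headers are constructed, and the `Secure` and `SameSite` checks are an assumed baseline beyond the httpOnly flag described above.

```javascript
// Added example: audit a Set-Cookie header for the attributes that keep a
// session JWT away from page scripts and off plaintext connections.
// Cookie name and sample headers are constructed for illustration.

function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("malformed Set-Cookie header: " + header);
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    // Attribute names are case-insensitive; flags such as HttpOnly carry no value.
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

function auditAuthCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.httponly) {
    findings.push("missing HttpOnly: page scripts can read the token");
  }
  if (!attrs.secure) {
    findings.push("missing Secure: cookie may be sent over plain HTTP");
  }
  if (!attrs.samesite) {
    findings.push("missing SameSite: cross-site sending is left to browser defaults");
  }
  return { name, ok: findings.length === 0, findings };
}

// Constructed sample headers (not captured from a real deployment).
const SAMPLE_GOOD =
  "session_jwt=constructed.token.value==; Path=/; HttpOnly; Secure; SameSite=Lax";
const SAMPLE_WEAK = "session_jwt=constructed.token.value==; Path=/";

for (const header of [SAMPLE_GOOD, SAMPLE_WEAK]) {
  const result = auditAuthCookie(header);
  console.log(result.name, result.ok ? "OK" : "WEAK", result.findings);
}
```

A check like this fits in an integration test against your staging login flow, so a configuration change that drops the flag is caught before release.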