We are well aware of many cases where security breaches or code loopholes caused material damage to investors and projects:
- the $160 mn Parity eternal freeze,
- $1.3 bn cumulative losses from cryptocurrency exchange hacks,
- the Tezos $230 mn conflict,
- the DAO $70 mn smart contract theft, and many more.
These incidents lead us to two conclusions:
First, there is no absolutely unhackable IT system in the world.
Second, the system and its policies shall have the maximum possible level of security, with the human factor reduced to a minimum and the transparency of all operations raised to a level we prefer to call "paranoid".
We don't want potential attackers to have all our protection measures laid out on their screens, which is why our defense system includes a number of secret layers: traps we do not disclose publicly but deploy from the very beginning. In addition, DGems' security system will evolve over time to address new threats and adopt the best new technologies available.
Our honest intention is to get as much feedback as possible from all parties: our community, shareholders, partners, token buyers, exchanges, independent consultants, testers, white hat hackers, lawyers and fiat financial professionals. So if you have anything to recommend, or have noticed a problem or weak spot in our security design, please let us know openly in the comments on this blog, or email us at firstname.lastname@example.org
General thoughts and basic principles
It is generally acknowledged that blockchain technology per se is both the biggest opportunity and the biggest risk for any data-driven company. Because transactions cannot be reversed, the risks of window dressing and data manipulation are eliminated, yet for the same reason the system architects cannot make any voluntary repairs if something goes wrong.
Therefore, cybersecurity is one of our highest priorities in the design and development of our IT systems. When drafting the project's roadmap, we made a mandatory audit and configuration of the entire IT system (especially the critical systems for the issuance and storage of tokens), carried out together with professionals in this industry, part of the plan. As a result, we are to obtain a certificate from a trusted and respected cybersecurity agency, close all security holes, and approve a protection strategy.
Token storage security is based on the following approaches and levels of protection (please note that the list is far from complete):
Maximum security and isolation of the token and cryptocurrency management network from the outside world. Management of tokens, meaning their issuance and transfer from cold storage, takes place in a secure closed network that will be audited and attacked in test mode by internationally recognized cybersecurity teams. Beyond the protection of the individual system components, all events in this network are recorded and monitored. In the event of unauthorized activity, the network is to be shut down completely and operations switched to the backup network, so that even a compromised network cannot be used, because it is no longer active.
The network for working with the critical cold storage wallets will only be brought up on request and is disconnected whenever it is not needed for conducting transactions. Keeping it off the grid prevents attacks during the periods when specialists carry out security work, and unplugged equipment is harder to compromise.
Any transaction withdrawing tokens from wallets must be confirmed by a multisignature scheme requiring N of M (e.g. 2 of 3) independent wallets, which are managed independently of each other and are geographically isolated in very remote locations. We are also planning to introduce a multi-level system for verifying codes and wallet addresses, so that every transaction is as secure as possible.
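To illustrate the N-of-M rule described above, here is an added example (not DGems' code; a constructed, stand-alone illustration) of how a withdrawal approval check can enforce a 2-of-3 threshold. It uses HMAC-SHA256 with per-signer secret keys as a stand-in for the real signature scheme, so that it runs with only the Python standard library; the signer names, keys and transaction fields are assumptions.

```python
import hashlib
import hmac
import json

# Constructed example keys: each co-signer holds an independent secret.
# In production these would be keys on separate, geographically isolated
# hardware wallets; HMAC-SHA256 stands in for a real signature scheme here.
SIGNER_KEYS = {
    "signer-A": b"constructed-secret-key-A",
    "signer-B": b"constructed-secret-key-B",
    "signer-C": b"constructed-secret-key-C",
}
THRESHOLD = 2  # N of M: 2 of 3 independent signers must approve


def canonical_tx(tx: dict) -> bytes:
    """Serialize the transaction deterministically so every signer and the
    verifier sign/verify exactly the same bytes."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def sign(signer_id: str, tx: dict) -> str:
    """Produce one signer's approval tag over the canonical transaction."""
    return hmac.new(SIGNER_KEYS[signer_id], canonical_tx(tx), hashlib.sha256).hexdigest()


def approve_withdrawal(tx: dict, approvals, threshold: int = THRESHOLD) -> bool:
    """Return True only if at least `threshold` distinct registered signers
    produced a valid approval for exactly this transaction.

    approvals: iterable of (signer_id, tag) pairs.
    """
    valid_signers = set()
    for signer_id, tag in approvals:
        key = SIGNER_KEYS.get(signer_id)
        if key is None:
            continue  # unregistered signer: ignored, never counted
        expected = hmac.new(key, canonical_tx(tx), hashlib.sha256).hexdigest()
        # Constant-time comparison; a tag computed over a different
        # transaction (e.g. a tampered amount or destination) will not match.
        if hmac.compare_digest(expected, tag):
            valid_signers.add(signer_id)  # a set: one signer counts only once
    return len(valid_signers) >= threshold


if __name__ == "__main__":
    tx = {"to": "0xCONSTRUCTED_DESTINATION", "amount": 100, "nonce": 1}
    two_sigs = [("signer-A", sign("signer-A", tx)), ("signer-B", sign("signer-B", tx))]
    print("2 of 3 valid:", approve_withdrawal(tx, two_sigs))                          # True
    print("same signer twice:", approve_withdrawal(tx, [two_sigs[0], two_sigs[0]]))   # False
    print("tampered amount:", approve_withdrawal(dict(tx, amount=999), two_sigs))     # False
```

Three design points carry over to a real multisig setup: approvals are bound to a canonical serialization of the whole transaction, so a signature collected for one amount or destination cannot be replayed for another; distinct signers are counted with a set, so one compromised key cannot reach the threshold by approving twice; and the verifier holds only the list of registered signers, so an unregistered party's approval is silently ignored rather than counted.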
Smart contracts and tokens will be created on the proven Ethereum blockchain, which has passed numerous security tests, is continuously tested for vulnerabilities and is, to the best of our knowledge, currently the most secure and technically mature of all public blockchains.
The token management network will undergo regular security audits by the best teams in this area, during which test attacks on the infrastructure will be conducted regularly and new approaches and security software will be integrated.
Protection and encryption of employee devices, encryption of email and corporate chats, and multi-level protection of employee accounts will be mandatory.