Security

A Comprehensive Overview of Our Safeguarding Features

It's Our Priority

The protection and security of customer funds stand at the forefront of our priorities. To ensure this, we have implemented state-of-the-art security measures that permeate every layer of our software development lifecycle and the infrastructure underpinning our application. Our commitment to maintaining the highest standards of safety has led us to engage with independent experts for an unbiased evaluation of our systems.

Prior to Spindle going live on mainnet, our operational procedures and internal controls will be thoroughly reviewed and endorsed by an external security advisor. Additionally, our Solidity code and deployment will be thoroughly audited.

Smart Contract Security

Our core smart contract code is based on well-known and well-audited Ethereum money market protocols. In addition to this, we will commission a thorough audit from a leading audit firm prior to our Botanix mainnet launch.

Our Solidity development team has smart contract security experience. We employ in-house security review as a part of our development process, and do not rely solely on external experts.

Frontend Security

At Spindle Finance we employ advanced methodologies and trusted cloud-based infrastructure services to fortify our frontend security. Our approach integrates cutting-edge DevOps practices and utilizes premier tools such as Sentry for real-time monitoring and instant alerting, ensuring the highest level of operational security. Our Defense-in-Depth strategy serves as a multifaceted safeguard against potential breaches. This layered security approach enhances our resilience, providing an additional line of defense that is crucial for maintaining the integrity of our platform.

Proactive Infrastructure Monitoring

Recognizing the importance of proactive measures, we will develop, with the help of a security advisor, custom monitoring solutions specifically designed to scrutinize the configuration of our cloud infrastructure, including DNS records and the Content Delivery Network (CDN). This bespoke software enables immediate detection and notification of any unauthorized modification. Such monitoring ensures that we can swiftly respond to and neutralize threats, if necessary by taking our website offline to prevent compromised interactions, thereby safeguarding our users from engaging in unintended or fraudulent transactions.
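The core of such a monitor is a comparison between a version-controlled baseline of the DNS zone and what a resolver actually returns on each poll. The following is an added example and not Spindle's own monitoring software: the `.invalid` names, `BASELINE`, `OBSERVED` and `CRITICAL_TYPES` are constructed assumptions, and a real deployment would fill the observed side from a resolver and forward the findings to its alerting channel.

```python
from dataclasses import dataclass

# Constructed baseline (assumed values): the records the zone should hold, keyed by
# (owner name, record type). A real monitor would load this from version control.
BASELINE = {
    ("app.example.invalid", "A"): {"203.0.113.10"},
    ("example.invalid", "NS"): {"ns1.example.invalid.", "ns2.example.invalid."},
    ("example.invalid", "TXT"): {'"v=spf1 -all"'},
}

# Constructed observation (assumed values) from one resolver poll: the A record now
# points elsewhere, one NS record is gone and an MX record the baseline never listed appeared.
OBSERVED = {
    ("app.example.invalid", "A"): {"198.51.100.7"},
    ("example.invalid", "NS"): {"ns1.example.invalid."},
    ("example.invalid", "TXT"): {'"v=spf1 -all"'},
    ("example.invalid", "MX"): {"10 mail.example.invalid."},
}

# Types whose change redirects traffic or delegation: the case where the policy above
# takes the site offline rather than only alerting.
CRITICAL_TYPES = {"A", "AAAA", "CNAME", "NS"}

@dataclass(frozen=True)
class Finding:
    name: str
    rtype: str
    kind: str   # "added", "removed" or "unexpected_type"
    value: str

def diff_records(baseline, observed):
    """Return every deviation of observed from baseline, in a deterministic order."""
    findings = []
    for key in sorted(set(baseline) | set(observed)):
        name, rtype = key
        seen = observed.get(key, set())
        if key not in baseline:
            # A record type the baseline never lists at this name is itself a change.
            findings += [Finding(name, rtype, "unexpected_type", v) for v in sorted(seen)]
            continue
        expected = baseline[key]
        findings += [Finding(name, rtype, "added", v) for v in sorted(seen - expected)]
        findings += [Finding(name, rtype, "removed", v) for v in sorted(expected - seen)]
    return findings

def should_take_offline(findings):
    """True when any deviation touches a record type that steers traffic or delegation."""
    return any(f.rtype in CRITICAL_TYPES for f in findings)
```

Running `diff_records(BASELINE, OBSERVED)` on the constructed data reports the swapped A record, the missing NS record and the unexpected MX record, and `should_take_offline` returns True because A and NS are among the critical types; a change confined to TXT would only alert.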

Public Security Reports

Website and infrastructure security reports for our domains can be generated on demand using public auditing tools such as Mozilla Observatory and SSL Labs.

Security Posture

Comprehensive Internal Security Audit Protocols

In preparation for our launch, Spindle Finance instituted a rigorous program of internal audits and verification to affirm that all team members adhere to our security protocols. This comprehensive review encompassed:

  • Thorough Inventory and Secure Ownership of Protocol Secrets: Ensuring that all critical protocol secrets are accounted for and securely managed.

  • Enforcement of Master Passwords and Two-Factor Authentication (2FA): Mandating the use of robust master passwords and 2FA for all essential accounts, including email, social media, and GitHub, to bolster account security.

  • Controlled Access to Smart Contracts and Multisig Wallets: Regulating access to smart contracts and multisig wallets to prevent unauthorized use.

  • Safeguarded Ownership and Key Access: Maintaining strict control over the ownership and access rights to sensitive keys.

  • Secure Transmission of Secrets: Implementing protocols for the safe exchange of secrets and sensitive information among team members, ensuring data integrity.

Adherence to Security Best Practices

Spindle Finance is committed to the highest standards of security, guided by the following non-negotiable policies:

  • Robust Password Management: Utilizing machine-generated, complex passwords for all services, securely stored within a password manager.

  • Two-Factor Authentication (2FA) Protection: Extending the use of 2FA to our password manager and all cloud-based services, including project and team social media accounts, to enhance security measures.

  • Secure Handling of Secrets: Prohibiting the storage of secrets in version control systems or their insecure distribution, to prevent potential breaches.

  • Rigorous Code Review Process: Enforcing a policy where no code changes are deployed to production without undergoing a thorough internal review to ensure quality and security.

  • Automated Testing and Deployment: Leveraging automation for testing and deployment processes, with strict policies in place to block merges to the master branch until all code reviews are satisfactorily completed.

Additionally, Spindle Finance prioritizes ongoing internal training to reinforce security principles, share insights from recent security incidents, and foster a culture of continuous improvement and vigilance. This proactive approach ensures that our team remains at the forefront of security practices, safeguarding our platform and protecting our users' interests.
