# Start the year securely with these development checklists

The exploit landscape is forever changing. To help you make a safe start to 2026, we are releasing some security checklists for you to use when developing in Web3. The first looks at architecture and procedures in general. Join our [Discord server](https://discord.gg/kpTY3xFby6) and let us know if you find these useful, and above all stay safe in 2026.

## Web3 Development General Security Checklist

This checklist is derived from the critical findings and recommendations from our 2025 End-of-Year Security Review.

## 1. Defensive Architecture & Fail-Safe Engineering

* **On-Chain Invariant Enforcement:** Have you implemented automated checks that revert state transitions if fundamental economic properties (e.g., total supply, collateral ratios, or reward balances) are violated?
* **Algorithmic Circuit Breakers:** Are there automated pause mechanisms triggered by abnormal volatility, suspicious outflow patterns, or internal state desynchronisation?
* **Formal Verification for Logic Safety:** Have you transitioned from simple unit testing to property-based testing and formal verification to prove protocol maths remains sound under extreme edge-case conditions?
* **Implicit vs. Explicit Failure:** Is the system architected to degrade gracefully or halt entirely when core invariants are threatened, rather than assuming ideal behaviour?
* **Upgrade Safety:** Is there a tested upgrade path? Can an attacker force an upgrade? Are upgrades monitored?

## 2. Precision Access Control & Authority Management

* **Scoped Capability Management:** Have you moved away from monolithic admin roles toward granular, time-locked capabilities?
* **Separation of Duties:** Are critical tasks and privileges distributed among distinct individuals to prevent single points of failure?
* **Whitelisted Governance Execution:** Is all governance-led interaction restricted to a pre-approved registry of contracts and function signatures, eliminating arbitrary low-level calls?
* **Operational Security (OpSec) Hygiene:** Is "Least Privilege" access enforced for dev-ops pipelines and deployment environments?

## 3. Identity Integrity & Cross-Chain Security

* **Domain Separation & Replay Protection:** Do all off-chain messages mandate EIP-712 (or equivalent) domain separation, cryptographically binding signatures to a specific Chain ID, contract address, and unique user nonce?
* **Resolver-Contract Synchronisation:** For hybrid or ZK-powered systems, is the off-chain resolver state a perfect mirror of the on-chain source of truth?
* **Cryptographic Handshakes:** Do backends require a cryptographically verified handshake from the smart contract before updating local state?
* **Contextual Identity Verification:** Does the code clearly distinguish between a Signer (initiator) and an Object Owner (asset holder) to eliminate "Confused Deputy" vulnerabilities?

## 4. User Protection & Behavioural Security

* **Simulation-First UX:** Does the user interface integrate transaction simulation to provide "clear-signing" transparency, preventing blind-signing of malicious requests?
* **Adversarial UX Testing:** Has the user interaction flow been stress-tested against phishing, wallet compromise, and transaction misdirection?
* **Incident Response Readiness:** Is there a documented and tested recovery plan for compromised keys, including pre-deployed emergency pause contracts?
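The following is an added worked example for section 1 of the checklist (invariant enforcement, circuit breakers and property-based testing); it is not code from the original post or from any real protocol. It is an off-chain Python model of a vault: every state transition is checked against the invariant `sum(balances) == total_supply` and rolled back if it breaks it, a window-based outflow cap pauses the vault when exceeded, and a randomised run asserts the invariant after every step. The vault, its 20 % / 100-block breaker policy, the `grant_reward_buggy` accounting bug and all sample operations are constructed for illustration.

```python
"""Added example (not from the original checklist or any real protocol): a Python
model of a vault showing invariant enforcement, an outflow circuit breaker and a
randomised property test. All values and operations are constructed."""
import random
from dataclasses import dataclass, field


class Revert(Exception):
    """Models an EVM revert: the operation is rejected and state is unchanged."""


@dataclass
class Vault:
    balances: dict = field(default_factory=dict)
    total_supply: int = 0
    paused: bool = False
    # Assumed breaker policy: at most max_outflow_bps / 10_000 of the supply measured
    # at the start of a window may leave within window_blocks blocks.
    window_blocks: int = 100
    max_outflow_bps: int = 2_000
    window_start: int = -1
    window_supply: int = 0
    window_outflow: int = 0

    def invariants_hold(self) -> bool:
        return (sum(self.balances.values()) == self.total_supply
                and all(b >= 0 for b in self.balances.values()))

    def _apply(self, mutate) -> None:
        """Run `mutate`, then enforce the invariants; roll back on any failure."""
        if self.paused:
            raise Revert("vault is paused")
        snapshot = (dict(self.balances), self.total_supply)
        try:
            mutate()
            if not self.invariants_hold():
                raise Revert("invariant violated: sum(balances) != total_supply")
        except Revert:
            self.balances, self.total_supply = snapshot
            raise

    def deposit(self, user: str, amount: int) -> None:
        def mutate():
            self.balances[user] = self.balances.get(user, 0) + amount
            self.total_supply += amount
        self._apply(mutate)

    def withdraw(self, user: str, amount: int, block: int) -> None:
        def mutate():
            if self.balances.get(user, 0) < amount:
                raise Revert("insufficient balance")
            self._check_breaker(amount, block)
            self.balances[user] -= amount
            self.total_supply -= amount
        self._apply(mutate)

    def _check_breaker(self, amount: int, block: int) -> None:
        if self.window_start < 0 or block >= self.window_start + self.window_blocks:
            self.window_start, self.window_supply, self.window_outflow = block, self.total_supply, 0
        cap = self.window_supply * self.max_outflow_bps // 10_000
        if self.window_outflow + amount > cap:
            # The pause flag sits outside the rolled-back snapshot on purpose: on-chain a
            # revert would undo it, so the pause would come from a guardian/keeper tx.
            self.paused = True
            raise Revert(f"circuit breaker: outflow {self.window_outflow + amount} > cap {cap}")
        self.window_outflow += amount

    def unpause(self) -> None:
        """Guardian action after an incident review (authorisation not modelled here)."""
        self.paused = False

    def grant_reward_buggy(self, user: str, amount: int) -> None:
        """Constructed accounting bug: credits a balance without minting supply.
        The invariant check turns this silent inflation into a revert."""
        def mutate():
            self.balances[user] = self.balances.get(user, 0) + amount
        self._apply(mutate)


def reverts(fn) -> bool:
    try:
        fn()
        return False
    except Revert:
        return True


def fuzz_vault(seed: int, steps: int = 300) -> dict:
    """Property test: the invariant must hold after every operation, whether it
    succeeded, reverted for a normal reason, or tripped the breaker."""
    rng = random.Random(seed)
    vault, users = Vault(), ["alice", "bob", "carol"]
    stats = {"ok": 0, "reverted": 0, "breaker_trips": 0}
    for step in range(steps):
        block = step // 3  # constructed: a few operations per block
        user, amount = rng.choice(users), rng.randint(1, 500)
        try:
            if rng.random() < 0.6:
                vault.deposit(user, amount)
            else:
                vault.withdraw(user, amount, block)
            stats["ok"] += 1
        except Revert:
            stats["reverted"] += 1
            if vault.paused:
                stats["breaker_trips"] += 1
                vault.unpause()
        if not vault.invariants_hold():
            raise AssertionError(f"invariant broken at step {step}")
    return stats


def run_scenario() -> dict:
    v = Vault()
    v.deposit("alice", 1_000)
    v.withdraw("alice", 100, block=0)                              # 10 % of window supply: allowed
    tripped = reverts(lambda: v.withdraw("alice", 150, block=1))   # would reach 25 %: breaker trips
    paused_after_trip = v.paused
    v.unpause()
    v.withdraw("alice", 50, block=150)                             # new window: supply 900, cap 180
    reward_reverted = reverts(lambda: v.grant_reward_buggy("bob", 10))
    return {"alice": v.balances["alice"], "supply": v.total_supply, "tripped": tripped,
            "paused_after_trip": paused_after_trip, "reward_reverted": reward_reverted,
            "bob_present": "bob" in v.balances, "fuzz": fuzz_vault(7)}


if __name__ == "__main__":
    print(run_scenario())
```

The important design point is that the invariant check runs on the candidate state after every mutation, so a bug in any single function (the constructed `grant_reward_buggy`) is caught by the backstop rather than by that function's own logic.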
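Next, an added worked example for two items in section 2, "scoped capability management" and "whitelisted governance execution"; it is not code from the original post or any real governance contract. It is a Python model of a governance executor that, instead of a single admin key able to call anything, only queues calls whose (target, function signature) pair is in a registry, only from an account holding a time-limited capability for that exact pair, and only executes them after a timelock delay, re-checking both conditions at execution time. Addresses, signatures, delays and timestamps are constructed; a real contract would key the registry on the 4-byte selector rather than the signature string.

```python
"""Added example (not from the original checklist or any real project): a Python
model of registry-restricted, capability-scoped, time-locked governance execution."""
from dataclasses import dataclass


class Revert(Exception):
    """Models an EVM revert."""


@dataclass(frozen=True)
class Call:
    target: str       # contract address (constructed)
    signature: str    # function signature; on-chain you would store the selector
    args: tuple


class GovernanceExecutor:
    def __init__(self, delay_seconds: int):
        self.delay = delay_seconds
        self.registry = set()       # approved (target, signature) pairs
        self.capabilities = {}      # account -> {(target, signature): expiry timestamp}
        self.queued = {}            # proposal id -> (Call, proposer, eta)
        self.executed = []
        self._next_id = 0

    # Configuration; in a real deployment these changes go through the same timelock.
    def register(self, target: str, signature: str) -> None:
        self.registry.add((target, signature))

    def grant(self, account: str, target: str, signature: str, expires_at: int) -> None:
        self.capabilities.setdefault(account, {})[(target, signature)] = expires_at

    def _authorised(self, account: str, key: tuple, now: int) -> bool:
        expiry = self.capabilities.get(account, {}).get(key)
        return expiry is not None and now < expiry

    def propose(self, proposer: str, call: Call, now: int) -> int:
        key = (call.target, call.signature)
        if key not in self.registry:
            raise Revert("call is not in the approved registry (no arbitrary calls)")
        if not self._authorised(proposer, key, now):
            raise Revert("proposer holds no live capability for this call")
        pid, self._next_id = self._next_id, self._next_id + 1
        self.queued[pid] = (call, proposer, now + self.delay)
        return pid

    def execute(self, pid: int, now: int) -> Call:
        if pid not in self.queued:
            raise Revert("unknown proposal")
        call, proposer, eta = self.queued[pid]
        if now < eta:
            raise Revert("timelock has not elapsed")
        key = (call.target, call.signature)
        # Re-check at execution time: a pair removed from the registry or a capability
        # that expired while queued must not execute from a stale queue entry.
        if key not in self.registry:
            raise Revert("call was removed from the registry while queued")
        if not self._authorised(proposer, key, now):
            raise Revert("proposer's capability expired while queued")
        del self.queued[pid]
        self.executed.append(call)
        return call


def reverts(fn) -> bool:
    try:
        fn()
        return False
    except Revert:
        return True


def run_scenario() -> dict:
    day = 86_400
    gov = GovernanceExecutor(delay_seconds=day)
    gov.register("0xFEE", "setFee(uint256)")
    gov.grant("0xOPS", "0xFEE", "setFee(uint256)", expires_at=10_000_000)
    set_fee = Call("0xFEE", "setFee(uint256)", (30,))
    drain = Call("0xTREASURY", "transfer(address,uint256)", ("0xATTACKER", 10**18))

    arbitrary_rejected = reverts(lambda: gov.propose("0xOPS", drain, now=1_000))
    pid = gov.propose("0xOPS", set_fee, now=1_000)
    early_rejected = reverts(lambda: gov.execute(pid, now=1_000 + day - 1))
    executed = gov.execute(pid, now=1_000 + day)

    # A short-lived capability that expires before the timelock elapses cannot execute.
    gov.grant("0xTMP", "0xFEE", "setFee(uint256)", expires_at=5_000)
    pid2 = gov.propose("0xTMP", set_fee, now=4_000)
    expired_rejected = reverts(lambda: gov.execute(pid2, now=4_000 + day))
    return {"arbitrary_rejected": arbitrary_rejected, "early_rejected": early_rejected,
            "executed": executed == set_fee, "expired_rejected": expired_rejected,
            "executed_count": len(gov.executed)}


if __name__ == "__main__":
    print(run_scenario())
```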
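Finally, an added worked example for section 3 ("Domain Separation & Replay Protection" and "Contextual Identity Verification"); it is not code from the original post. It models the on-chain side that receives an off-chain signed message: the digest is rebuilt under the verifying contract's own chain ID and address in the EIP-712 shape (0x19 0x01 prefix, domain separator, struct hash), a per-signer nonce is consumed on use, and the signer must also be the owner of the asset being moved. To run offline on the standard library, sha256 stands in for keccak256 and an HMAC over the digest stands in for an ECDSA signature (so the verifier recomputes the HMAC instead of calling `ecrecover`); addresses, keys and messages are constructed sample values.

```python
"""Added example (not from the original checklist): domain separation, nonce-based
replay protection and the signer-vs-owner check, modelled in Python with sha256
and HMAC standing in for keccak256 and ECDSA."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass


class Revert(Exception):
    """Models an EVM revert of the whole transaction."""


@dataclass(frozen=True)
class Domain:
    name: str
    version: str
    chain_id: int
    verifying_contract: str


def typed_digest(domain: Domain, message: dict) -> bytes:
    """EIP-712-shaped digest: any change to chain id, contract or message changes it."""
    domain_separator = hashlib.sha256(json.dumps(asdict(domain), sort_keys=True).encode()).digest()
    struct_hash = hashlib.sha256(json.dumps(message, sort_keys=True).encode()).digest()
    return hashlib.sha256(b"\x19\x01" + domain_separator + struct_hash).digest()


# Constructed signer secrets; a real deployment recovers the signer from the signature.
SIGNER_KEYS = {"0xA11CE": b"alice-secret", "0xB0B": b"bob-secret"}


def sign(signer: str, digest: bytes) -> bytes:
    return hmac.new(SIGNER_KEYS[signer], digest, hashlib.sha256).digest()


class AssetTransfers:
    """The contract side: verifies typed messages and moves asset ownership."""

    def __init__(self, domain: Domain, owners: dict):
        self.domain = domain
        self.owners = dict(owners)   # asset id -> owner address
        self.nonces = {}             # signer -> next expected nonce
        self.executed = []

    def execute(self, message: dict, signature: bytes, signer: str) -> None:
        # 1. Domain separation: the digest is rebuilt under THIS contract's chain id and
        #    address, so a message signed for another chain or contract never verifies.
        expected = sign(signer, typed_digest(self.domain, message))
        if not hmac.compare_digest(expected, signature):
            raise Revert("signature does not verify under this domain")
        # 2. Replay protection: the message carries the signer's nonce, consumed on use.
        if message["nonce"] != self.nonces.get(signer, 0):
            raise Revert("nonce already used or out of order")
        # 3. Signer vs. object owner: a valid signature from *someone* is not authority
        #    over *this* asset (the confused-deputy check).
        asset = message["asset"]
        if self.owners.get(asset) != signer:
            raise Revert("signer is not the owner of the asset")
        self.nonces[signer] = message["nonce"] + 1
        self.owners[asset] = message["to"]
        self.executed.append(message)


def reverts(fn) -> bool:
    try:
        fn()
        return False
    except Revert:
        return True


def run_scenario() -> dict:
    mainnet = Domain("Transfers", "1", chain_id=1, verifying_contract="0xC0FFEE")
    testnet = Domain("Transfers", "1", chain_id=11155111, verifying_contract="0xC0FFEE")
    msg = {"asset": "nft-1", "to": "0xB0B", "nonce": 0}
    sig = sign("0xA11CE", typed_digest(mainnet, msg))

    main = AssetTransfers(mainnet, {"nft-1": "0xA11CE"})
    main.execute(msg, sig, "0xA11CE")                                  # legitimate transfer
    replay_rejected = reverts(lambda: main.execute(msg, sig, "0xA11CE"))  # same message again

    test = AssetTransfers(testnet, {"nft-1": "0xA11CE"})
    cross_chain_rejected = reverts(lambda: test.execute(msg, sig, "0xA11CE"))

    # Bob signs a perfectly valid message under the right domain, but does not own nft-1.
    deputy = AssetTransfers(mainnet, {"nft-1": "0xA11CE"})
    bob_msg = {"asset": "nft-1", "to": "0xB0B", "nonce": 0}
    bob_sig = sign("0xB0B", typed_digest(mainnet, bob_msg))
    deputy_rejected = reverts(lambda: deputy.execute(bob_msg, bob_sig, "0xB0B"))
    return {"owner_after": main.owners["nft-1"], "replay_rejected": replay_rejected,
            "cross_chain_rejected": cross_chain_rejected, "deputy_rejected": deputy_rejected,
            "deputy_owner_unchanged": deputy.owners["nft-1"] == "0xA11CE",
            "testnet_owner_unchanged": test.owners["nft-1"] == "0xA11CE"}


if __name__ == "__main__":
    print(run_scenario())
```

Note that the three checks are independent: the cross-chain replay fails on the digest alone, the same-chain replay fails on the nonce even though the signature is valid, and Bob's message passes both of those and is stopped only by the owner check.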