Blockchain technologies are central to the future of what is often referred to as Web3. Web3 represents the next evolution of the internet, characterized by decentralized and user-centric principles. It envisions a more open, privacy-focused, and user-controlled online environment that aims to address some of the limitations and challenges of the current centralized web (Web2).

These Web3 design principles are the foundation for digital-self sovereignty – which holds the potential to completely reframe the individual user's relationship to privacy, ownership of personal data, and the long-term and real-time personal digital footprint and “presence” we all generate online (which is currently devoid of any digital-self sovereignty, legal protections or individual agency relative to the vast amount of information available about every user on the network).

In our blockchain series, we have been exploring best-in-class case studies in a variety of industry sectors – exploring:

How the blockchain has been successfully deployed to date;

Successful innovation, business models and value proposition designs which are exciting – and point to the promise of the web3 infrastructure based on blockchain technologies; and

Blockchain security which, of course, will also figure prominently in this web3 future.

Last week, Circle announced the release of what will be a series of initiatives “aimed at preventing, mitigating, and responding to security exploits on-chain.” This announcement felt accessible yet robust – so we share it here as the inaugural post in our blockchain series dedicated to an analysis of the implications of blockchain security on the web3 development workflow.

Following is the press release from Circle (“Circle Internet Financial, LLC”) announcing The Rekt Test – “a simple, 12 question tool that blockchain projects and developers can use to assess their vulnerability based on industry best practices” (1) – followed by some additional analysis which fleshes out the stakeholders and development process behind this blockchain security initiative, specific to the blockchain development process and workflows.

The RektTest: 12 Questions to Guide Basic Principles for Web3 Security

“The intent of the Rekt Test is not to establish rigid benchmarks but to stimulate meaningful conversations about security in the blockchain community. Thus, consider this interpretation as a stepping stone in this critical dialogue.”

Earlier this year, Circle joined a group of blockchain security and policy experts from across the industry to identify ways we can work together to help protect our customers and work with developers to prevent hacks and security exploits.

We’re excited to join Anchorage Digital, Fireblocks, Immunefi, Ribbit Capital, Solana Foundation and Trail of Bits in support of the RektTest, the first of a series of initiatives aimed at preventing, mitigating, and responding to security exploits on-chain.

The RektTest is a simple, 12 question tool that blockchain projects and developers can use to assess their vulnerability based on industry best practices. Developers can use it to form an initial assessment and get a gut check on whether their project:

Is ready for launch

Contains basic safeguards against hackers and scammers

Complies with best practices for access control, custody and key management, and safety against other vectors for hacker exploits

The RektTest focuses on the simplest, most universally applicable security controls to help teams assess security posture and measure progress. The more an organization can answer “yes” to these questions, the more they can trust the quality of their operations. This is not a definitive checklist for blockchain security teams, but it’s a way to start an informed discussion about important security controls.

The landscape of blockchain technology is diverse, extending beyond blockchains to include decentralized protocols, wallets, custody systems, and more, each with unique security nuances. The subsequent explanations of the RektTest questions reflect the consensus of best practices agreed to by this group, and are by no means exhaustive or absolute. The intent of the Rekt Test is not to establish rigid benchmarks but to stimulate meaningful conversations about security in the blockchain community. Thus, consider this interpretation as a stepping stone in this critical dialogue. (1)

Can you pass the Rekt test?

“The Rekt Test focuses on the simplest, most universally applicable security controls to help teams assess security posture and measure progress.”

Trail of Bits released the Rekt Test on their blog, which can be found at this link.

From the intro to the test:

“One of the biggest challenges for blockchain developers is objectively assessing their security posture and measuring how it progresses. To address this issue, a working group of Web3 security experts, led by Trail of Bits CEO Dan Guido, met earlier this year to create a simple test for profiling the security of blockchain teams. We call it the Rekt Test.

The Rekt Test is modeled after The Joel Test. Developed 25 years ago by software developer Joel Spolsky, The Joel Test replaced a Byzantine process for determining the maturity and quality of a software team with 12 simple yes-or-no questions. The blockchain industry needs something similar because today’s complex guidance does more to frustrate than to inform.

The Rekt Test focuses on the simplest, most universally applicable security controls to help teams assess security posture and measure progress. The more an organization can answer “yes” to these questions, the more they can trust the quality of their operations. This is not a definitive checklist for blockchain security teams, but it’s a way to start an informed discussion about important security controls.

At the Gathering of Minds conference earlier this year, a group of industry leaders were challenged to address the lack of cybersecurity standards in the blockchain ecosystem. One of these discussions was led by Dan Guido, CEO of Trail of Bits. Other participants included Nathan McCauley (Anchorage Digital), Lee Mount (Euler Labs), Shahar Madar (Fireblocks), Mitchell Amador (Immunefi), Nick Shalek (Ribbit Capital), and others. Through their discussions, the Rekt Test was created.” (2)

Further Context (Generated by OpenAI’s ChatGPT 3.5)

“What do Circle, Anchorage Digital, Fireblocks, Immunefi, Ribbit Capital, Solana Foundation and Trail of Bits have to do with blockchain security?”

Circle Internet Financial, LLC, commonly known as Circle, is a financial technology company that focuses on various aspects of digital currency and blockchain technology. Circle offers a range of products and services related to cryptocurrencies, stablecoins, and blockchain-based financial solutions. Some key aspects of Circle include:

Stablecoins: Circle is known for launching and developing USD Coin (USDC), a popular stablecoin pegged to the U.S. dollar. Stablecoins aim to provide the stability of traditional fiat currencies while utilizing the efficiency and security of blockchain technology.

Payments and Money Transfers: Circle provides solutions that enable individuals and businesses to make cross-border payments and money transfers using digital currencies, which can be faster and more cost-effective than traditional methods.

Crypto Wallets and Trading: Circle offers a cryptocurrency wallet that allows users to securely store and manage their digital assets. The company has also been involved in cryptocurrency trading and exchange services.

Blockchain and Financial Infrastructure: Circle has been actively engaged in developing blockchain-based financial infrastructure to facilitate various financial operations, including payments, settlements, and tokenized assets.

Regulatory Compliance: Circle places an emphasis on regulatory compliance and works closely with regulatory bodies to ensure that its products and services adhere to applicable laws and regulations.

Investment and Funding: The company has received funding from various investors and has been involved in the cryptocurrency and blockchain space since its early days.

Anchorage Digital is a company that provides institutional-grade custody solutions for digital assets. Their focus is on security and compliance for managing and safeguarding cryptocurrencies. They are likely to emphasize the importance of robust security measures, such as multi-signature wallets and hardware security modules (HSMs), to protect digital assets from unauthorized access.

Fireblocks is a platform designed to secure digital assets in transit. They provide solutions for securing the transfer of cryptocurrencies between different parties, such as exchanges, wallets, and other services. Fireblocks would likely stress the importance of secure key management, encryption, and preventing unauthorized access during asset transfers.

Immutable is known for its work in building decentralized applications (DApps) and games on the Ethereum blockchain. They may discuss the challenges and strategies related to securing smart contracts and DApps against potential vulnerabilities and exploits.

Ribbit Capital is a venture capital firm that has invested in various fintech and blockchain-related companies. While not exclusively focused on security, they might share insights into trends and innovations within the blockchain security space from an investment perspective.

The Solana Foundation supports the development of the Solana blockchain platform, known for its high throughput and scalability. They could provide information about the security measures they have in place to ensure the integrity of their blockchain, as well as any best practices they recommend for developers building on Solana.

Trail of Bits is a cybersecurity company that specializes in blockchain security and smart contract audits. They likely have a wealth of expertise in analyzing blockchain protocols, smart contracts, and other cryptographic systems. They may offer insights into best practices for secure development and auditing in the blockchain space.

“What do blockchain security and policy experts say about preventing, mitigating, and responding to blockchain security exploits on-chain?”

General insights that blockchain security and policy experts would likely recommend for preventing, mitigating, and responding to blockchain security exploits on-chain include the following challenges:

Preventing Blockchain Security Exploits

Code Audits and Reviews: Blockchain projects should undergo thorough code audits and reviews by security experts to identify vulnerabilities and potential exploits before deployment.

Secure Development Practices: Following secure coding practices and using established frameworks can help reduce the likelihood of introducing vulnerabilities during the development process.

Smart Contract Best Practices: Smart contracts are a common target for exploits. Developers should adhere to best practices for writing secure smart contracts, such as using standard libraries, avoiding complex logic, and minimizing attack surfaces.

Consensus Mechanism Security: Different blockchains use various consensus mechanisms (e.g., Proof of Work, Proof of Stake). Ensuring the security of these mechanisms is crucial to prevent attacks that could compromise the network’s integrity.

Mitigating Blockchain Security Exploits

Bug Bounty Programs: Many blockchain projects establish bug bounty programs that incentivize security researchers to identify and report vulnerabilities in exchange for rewards.

Regular Updates and Patches: Swiftly addressing and releasing updates for known vulnerabilities is essential to prevent further exploitation.

Network Upgrades: When vulnerabilities are discovered, blockchain networks might need to undergo a hard fork or network upgrade to address the issue and prevent future exploits.

Network Monitoring: Continuous monitoring of network activities can help identify unusual behavior or potential attacks in real-time, allowing for quicker responses.

Responding to Blockchain Security Exploits

Incident Response Plan: Blockchain projects should have a well-defined incident response plan in place to guide actions in the event of a security breach or exploit.

Communication: Transparent and timely communication with the community, stakeholders, and the broader public is crucial to maintain trust and keep users informed about the situation.

Rollbacks: Depending on the severity of the exploit, some blockchain networks might consider rolling back transactions to a previous state to undo the effects of the attack. However, this can be a contentious decision and requires careful consideration.

Coordination with Exchanges: If a vulnerability affects a cryptocurrency’s value or trading, coordination with exchanges to halt trading temporarily might be necessary to prevent further harm.

Please remember that the specifics of preventing, mitigating, and responding to blockchain security exploits can vary widely based on the blockchain’s architecture, consensus mechanism, and the nature of the exploit.

“What are some of the risk mitigation efforts for blockchain security?”

Risk mitigation efforts for blockchain security are essential to minimize the potential vulnerabilities, threats, and attacks that could compromise the integrity and functionality of blockchain networks and applications. Here are some key risk mitigation strategies for enhancing blockchain security:

Secure Development Practices: Follow secure coding practices when developing smart contracts, applications, and blockchain protocols. Regularly audit and review code for vulnerabilities.

Penetration Testing and Audits: Conduct regular penetration testing and security audits to identify vulnerabilities and weaknesses in blockchain systems. Engage third-party experts to perform thorough assessments.

Multi-Signature Wallets: Implement multi-signature (multisig) wallets, which require multiple authorized parties to sign off on transactions. This reduces the risk of unauthorized access.

Consensus Mechanism Selection: Choose a consensus mechanism that aligns with your security requirements. Consider using proof of stake (PoS) or other advanced mechanisms that provide security benefits.

Token Standards and Auditing: When creating new tokens or tokens based on existing standards (e.g., ERC-20, ERC-721), ensure that the code is secure and audited to prevent vulnerabilities and exploits.

Regular Updates and Patching: Keep blockchain software, nodes, wallets, and applications up to date with the latest security patches and updates to address known vulnerabilities.

Private Key Management: Employ robust private key management practices, such as using hardware security modules (HSMs) and cold storage, to protect against unauthorized access.

Network Segmentation and Firewalls: Segregate sensitive components of the blockchain network and deploy firewalls to prevent unauthorized access and attacks.

Decentralized Identity (DID): Implement DID solutions to enhance user authentication and identity management, reducing the risk of identity-related attacks.

Regular Monitoring and Intrusion Detection: Deploy real-time monitoring solutions and intrusion detection systems to detect and respond to unusual activities promptly.

Secure Smart Contracts: Write smart contracts with security in mind, avoiding common vulnerabilities like reentrancy, integer overflow, and unhandled exceptions.

Education and Training: Educate developers, users, and stakeholders about best security practices in blockchain to prevent common mistakes and social engineering attacks.

Regulatory Compliance: Stay informed about relevant regulatory requirements and ensure that your blockchain implementations adhere to them.

Collaboration and Information Sharing: Engage in information sharing with the broader blockchain community to learn about emerging threats and mitigation strategies.

Incident Response Plan: Develop a clear incident response plan to address security breaches promptly and minimize their impact.

Vendor Risk Assessment: If using third-party services or tools, conduct thorough risk assessments to ensure they meet security standards.

It’s important to tailor your risk mitigation efforts to your specific blockchain use case and stay informed about the latest security best practices and trends in the blockchain industry. Additionally, as the blockchain landscape evolves, continuously reassess and update your security measures to address new threats and vulnerabilities.

The OODA Loop News Brief Team is also consistently tracking the evolution of blockchain technologies. Search the archive at this link. Web3 Security tracking is found here.

The OODA Loop Blockchain Series: On Blockchain Security, Privacy and Interoperability