The Web3 team is most likely to overlook not product vulnerabilities, but rather "minor issues" such as accounts, devices, and permissions.
Article author: OneKey Jonas C
Article source: Wu Blockchain
There should be clear boundaries regarding who can access the backend, who can post announcements, and who can perform on-chain operations.
The following basic security guide can help you fill in these blind spots.
Account Management
Account security boils down to three things: who can access it, where can they access it, and whether permissions can be controlled at any time.
If you manage these three points well, there's no need to do any other fancy operations.
Multi-factor authentication (MFA)
Add a second layer of verification at login, such as an authenticator app, hardware key, or Passkey, so that a leaked password alone cannot hijack the account. Ideally, the boss should mandate that everyone has MFA enabled; anyone without it should be barred from logging into the system.
Enterprise Password Manager
Use a professional password management tool (such as 1Password) to generate strong passwords and share them securely within the team. Strong passwords are generated automatically, sharing is controllable, and operations are logged, so order no longer depends on "who remembers the backend password."
Role-based access control
Access permissions should be assigned according to job roles. Developers should manage the code, operations should manage the backend, and finance should manage the wallet; avoid situations where "anyone can access everything at a glance." Once a person leaves the company, their permissions should be revoked promptly.
Device and Network Security
Security is more than just account security. The computer you use and the network you connect to also determine your ability to protect your assets. All devices that can access company resources should be secure, trustworthy, and traceable.
Device permissions
Every work computer should be encrypted, unlocked with a password or fingerprint, and automatically locked when the user leaves the desk. If a device is compromised or lost, the administrator should be able to remotely lock the machine and erase its data, so that a lost laptop does not become an open door to company information.
Anyone who leaves their computer screen wide open should have their salary docked!
Code Management
Tiered update and review process: Security patch updates should be pushed out in a timely manner; major version upgrades, third-party installation packages and dependency library updates must undergo compatibility and security reviews to prevent risks caused by automatic updates or supply chain poisoning.
Network & physical environment security
Never log into the backend or operate your wallet on a coffee shop's Wi-Fi. Operations involving access keys, deployment permissions, and fund accounts must be performed on a trusted device and confirmed with a hardware key signature. If you need to carry a signing device, make an encrypted backup and keep it separate from your daily computer, so that losing one does not mean losing everything.
On-Chain Management
On-chain assets are a core resource for Web3 projects. Even Bybit stumbled; can you guarantee you'll do better? Here are a few tips.
Hardware wallet offline management
Always use a hardware wallet, and never leave critical wallets in hot environments. Private key generation and signing should be done using a hardware wallet, and it should be kept offline. High-privilege wallets should ideally have operation limits and alerts, and signatures must be traceable.
Multi-party computation (MPC) collaborative solution
Don't give your private key to one person: use a multi-party computation scheme to split the private key into several parts and have several people sign it together.
Signature thresholds can be set based on the amount of money involved: quick signatures for small amounts, multiple signatures for large amounts. Distributed collaboration ensures that if one person makes a mistake, the whole team can step in and recover.
Funding tiers and authority constraints
It's best to manage the team's wallets in layers. Small wallets for daily operations, funds for marketing activities, and long-term reserves should each be managed separately to prevent a complete wipeout in case of trouble.
Key operations should not be decided by one person alone. Actions such as transferring funds and deploying contracts should be confirmed by multiple people, and permissions should be based on job positions and tasks—whoever is responsible signs, and permissions are automatically revoked when the task is completed.
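As an added illustration of the amount-based signing thresholds and task-scoped permissions described in the last two sections (example code written for this page, not code from the article or from OneKey), here is a small approval-policy checker; the tiers, roles, names and timestamps are constructed assumptions, and the actual MPC or multisig signing step is out of scope.

```python
from dataclasses import dataclass

# Amount tiers (constructed values): (upper bound, distinct signers required).
# Small amounts get one quick signature; large amounts need more people.
TIERS = [(1_000, 1), (50_000, 2), (float("inf"), 3)]

# Which job role is responsible for which on-chain action (constructed).
ACTION_ROLE = {"transfer": "finance", "deploy": "developer"}

@dataclass
class Grant:
    """A signing right for one person, tied to one task and a deadline."""
    role: str
    task: str
    expires: int  # unix time; the right lapses automatically after this

def required_signatures(amount):
    """Map an amount to the number of distinct signers it needs."""
    for limit, needed in TIERS:
        if amount <= limit:
            return needed
    raise ValueError("amount outside all tiers")

def check_action(action, amount, task, signers, grants, now):
    """Return (approved, reason) for a proposed on-chain action.
    signers: names that signed; grants: {name: Grant}; now: unix time."""
    role_needed = ACTION_ROLE.get(action)
    if role_needed is None:
        return False, f"unknown action {action!r}"
    needed = required_signatures(amount)
    eligible = set()  # a set, so one person cannot be counted twice
    for name in signers:
        g = grants.get(name)
        if g is None or g.expires <= now:
            continue  # no grant, or the task window has already closed
        if g.task != task or g.role != role_needed:
            continue  # grant is for another task or the wrong role
        eligible.add(name)
    if len(eligible) < needed:
        return False, f"need {needed} eligible signatures, have {len(eligible)}"
    return True, "approved"

# Constructed team for the demo: carol's payroll grant has already lapsed.
NOW = 1_700_000_000
TEAM = {
    "alice": Grant("finance", "payroll", NOW + 86_400),
    "bob": Grant("finance", "payroll", NOW + 86_400),
    "carol": Grant("finance", "payroll", NOW - 3_600),
    "dave": Grant("developer", "release-v2", NOW + 86_400),
}
```

Calling `check_action("transfer", 20_000, "payroll", ["alice", "carol"], TEAM, NOW)` is rejected because carol's grant has expired, while the same transfer signed by alice and bob is approved.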
Company Unified Login System (SSO)
The right approach is to manage all company accounts in a unified manner; never run them like a small workshop with makeshift arrangements.
Using SSO allows employees to access all connected services within the organization (such as email, Notion, Slack, GitHub, etc.) with a single authentication, avoiding the risks associated with decentralized management.
Common solutions include Google Workspace, Okta, and Azure AD. These are enough if you don't want to build your own system; a lightweight unified login like Google Workspace in particular has served many teams well.
Awareness Training
Improve company security guidelines
The duties and permissions of each position must be clearly defined so that responsibility can be assigned when problems arise. Unauthorized access, granting unauthorized permissions, and sharing with external parties must be met with zero tolerance.
Security awareness training
Training shouldn't be too bureaucratic. Use AI tools or existing B2B platforms to create interactive question banks or simulation exercises, and regularly test everyone's anti-phishing responses. It's always better to anticipate and avoid pitfalls like phishing emails, fake airdrops, and fake customer service beforehand than to do a post-incident review.
There are already mature enterprise-level solutions on the market, such as Riot (@tryriotdotcom), which can be used in conjunction with tools like Slack and Gmail to help employees develop good habits in their daily work.
Conclusion
Want to shed the "makeshift" label? Master the basics first, from accounts and permissions to devices and wallets.
Security isn't sexy, but it can help you live longer.