{"id":198,"date":"2024-02-16T09:55:42","date_gmt":"2024-02-16T09:55:42","guid":{"rendered":"https:\/\/rubic.exchange\/blog\/?p=198"},"modified":"2024-02-16T09:55:43","modified_gmt":"2024-02-16T09:55:43","slug":"rubics-new-security-architecture","status":"publish","type":"post","link":"https:\/\/rubic.exchange\/blog\/rubics-new-security-architecture\/","title":{"rendered":"Rubic\u2019s New Security Architecture"},"content":{"rendered":"\n<p><em>Security is one of the most critical considerations for any blockchain-related project. Rubic\u2019s goal is to deliver a smooth trading experience to our users around the world, so it\u2019s our job to keep users\u2019 funds and our products secure.<\/em><\/p>\n\n\n\n<p id=\"4f24\"><em>To accomplish this goal, we have been putting a lot of effort into significantly enhancing Rubic\u2019s security measures over the past few months, like never before. 
We\u2019ve engaged with top-notch security engineers,&nbsp;<\/em><a href=\"https:\/\/twitter.com\/CryptoRubic\/status\/1641773739867009025?s=20\" rel=\"noreferrer noopener\" target=\"_blank\"><em>completely rewritten our smart contracts<\/em><\/a><em>, which have been&nbsp;<\/em><a href=\"https:\/\/twitter.com\/CryptoRubic\/status\/1641773320038170625?s=20\" rel=\"noreferrer noopener\" target=\"_blank\"><em>scrutinized by audits<\/em><\/a><em>, and we are about to start a brand new&nbsp;<\/em><a href=\"https:\/\/twitter.com\/CryptoRubic\/status\/1641773823765667840?s=20\" rel=\"noreferrer noopener\" target=\"_blank\"><em>bug bounty campaign<\/em><\/a><em>.<\/em><\/p>\n\n\n\n<p id=\"6dfe\"><em>But before diving into Rubic\u2019s safety architecture, let\u2019s take a broader look at market security!<\/em><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/1*gegpDRDmnfVakxUW90holQ.png\" alt=\"\"\/><\/figure>\n\n\n\n<p id=\"b91a\"><strong>Cross-Chain Swap Security Overview<\/strong><\/p>\n\n\n\n<p id=\"0012\">2022 was the worst year ever for crypto hacking, with $3.8 Billion stolen from cryptocurrency businesses. Hacking activity varied throughout the year, with huge spikes in March and October, with the latter becoming the worst single month ever for cryptocurrency hacking, as $775.7 Million was stolen in 32 separate attacks.&nbsp;<strong><em>DeFi protocols<\/em><\/strong>&nbsp;as victims accounted for 82.1% of all cryptocurrency stolen by hackers, a total of $3.1 Billion, up from 73.3% in 2021. 
Of that $3.1 Billion,&nbsp;<strong><em>64% came from cross-chain bridge protocols<\/em><\/strong>&nbsp;specifically.&nbsp;<em>(Source:&nbsp;<\/em><a href=\"https:\/\/go.chainalysis.com\/2023-crypto-crime-report.html\" rel=\"noreferrer noopener\" target=\"_blank\"><em>2023 Crypto Crime Report by Chainalysis<\/em><\/a><em>)<\/em><\/p>\n\n\n\n<p id=\"a11d\">As we see, cross-chain bridges, as a way to transfer tokens between different blockchains, raise many concerns regarding security. The question on everyone\u2019s mind is if there is a better alternative.<\/p>\n\n\n\n<p id=\"ec24\">Fortunately, cross-chain technology has progressed beyond just cross-chain bridges to now include cross-chain aggregators, ushering in a highly interoperable future. In comparison to cross-chain bridges, cross-chain aggregators combine a huge number of bridges and DEXs, enabling users to transfer assets between blockchains with less time and effort.<\/p>\n\n\n\n<p id=\"4b79\">The security of cross-chain swaps depends on several factors, including the safety of the underlying blockchains, the design of the cross-chain swap protocol, and the security measures implemented by the exchange platform.<\/p>\n\n\n\n<p id=\"cb6c\"><strong><em>Blockchain Security:&nbsp;<\/em><\/strong>The security of the blockchains involved in the swap is a critical factor. If a blockchain is vulnerable to hacking or theft, then the funds stored on that blockchain may be at risk.<\/p>\n\n\n\n<p id=\"9f14\"><strong><em>Protocol Security:<\/em><\/strong>&nbsp;The security of the cross-chain swap protocol is also important. The protocol should be designed to prevent double-spending, ensure the integrity of the swap, and protect users\u2019 funds from theft or fraud.<\/p>\n\n\n\n<p id=\"d7a1\"><strong><em>Exchange Security:<\/em><\/strong>&nbsp;The security measures implemented by the exchange platform play a key role in guaranteeing the security of cross-chain swaps. 
At the least, this includes regular security audits.<\/p>\n\n\n\n<p id=\"e21a\">The fact that aggregators can integrate numerous systems and manage swaps through various providers influences their security architecture.&nbsp;<strong><em>They can switch off a provider that has stopped working and reroute the user to another functional provider, thanks to the integration of multiple bridges and DEXs.<\/em><\/strong><\/p>\n\n\n\n<p id=\"a5ab\">Let\u2019s closely examine the Rubic cross-chain aggregator and its updated security design.<\/p>\n\n\n\n<p id=\"4814\"><strong>Rubic Security Upgrade<\/strong><\/p>\n\n\n\n<p id=\"192d\">In the last three months, taking into account all the security breaches, Rubic has significantly reformed its security practices.<\/p>\n\n\n\n<p id=\"d2e5\"><strong><em>Let\u2019s explore what they are:<\/em><\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong><em>New Position: Rubic\u2019s Chief Information Security Officer<\/em><\/strong><\/li>\n<\/ol>\n\n\n\n<p id=\"31e1\">As part of the new security measures on Rubic.exchange, which include auditing new Rubic contracts, we have established the new position of CISO, and hired&nbsp;<a href=\"https:\/\/www.linkedin.com\/in\/alexeytroshichev\/\" rel=\"noreferrer noopener\" target=\"_blank\">Alex<\/a>&nbsp;to assist with the development processes.<\/p>\n\n\n\n<p id=\"ec1e\">Alex has two Master\u2019s Degrees in Engineering and Innovation from HEC Paris. Before joining Rubic, Alex gained 15 years of great experience in IT and security engineering within big corporations like Yandex, QIWI, and Rakuten. He\u2019s been in crypto for the last 7 years, performing private audits for DeFi companies, as well as working for the Symbiosis project.<\/p>\n\n\n\n<p id=\"e0e7\">For now, the Rubic CISO\u2019s key purpose is to develop and implement a new InfoSec strategy.<\/p>\n\n\n\n<p id=\"c81e\"><strong><em>2. 
Updated Information Security Strategy<\/em><\/strong><\/p>\n\n\n\n<p id=\"6874\">Information security refers to the continuous practice of protecting digital information and systems from unauthorized access. The goal of InfoSec is to ensure the confidentiality, integrity, and availability of digital information by:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Identification of actual threats<\/li>\n\n\n\n<li>Development and implementation of mitigation measures<\/li>\n\n\n\n<li>Confirmation of threat mitigation (by internal and independent audits)<\/li>\n<\/ol>\n\n\n\n<p id=\"4a30\">We put a lot of effort into ensuring the security of user funds throughout the entire development process, as per the new InfoSec strategy. To achieve an optimal level of security, we\u2019ve explored:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Smart Contract Logic<\/li>\n\n\n\n<li>Smart Contract Management Models<\/li>\n\n\n\n<li>Server Infrastructure<\/li>\n<\/ol>\n\n\n\n<p id=\"afeb\"><strong><em>3. Rubic\u2019s New Contracts<\/em><\/strong><\/p>\n\n\n\n<p id=\"d3ab\">After the above-mentioned research was carried out, Rubic\u2019s development team, along with the CISO, took all appropriate actions to improve the security levels of Rubic\u2019s contracts.<\/p>\n\n\n\n<p id=\"cda3\">First and foremost, we\u2019ve changed the contract architecture to make user funds fully secure and invulnerable.<\/p>\n\n\n\n<p id=\"ec33\">As a result, we secured all smart contract management interfaces with multisig using&nbsp;<a href=\"https:\/\/safe.global\/\" rel=\"noreferrer noopener\" target=\"_blank\">Gnosis Safe<\/a>. Thus, multiple signatures or approvals are required before a critical transaction can be executed. For example, 3 of 6 private keys are now required to sign and broadcast a transaction. 
This means that an attacker needs to gain access to at least 3 private keys.<\/p>\n\n\n\n<p id=\"3294\"><em>Also, we\u2019ve enhanced the security of the production servers (frontend and APIs) by setting up two-factor authentication (OTP + SSH key). To boost our monitoring system, we\u2019ve also configured audits and launched alerts for suspicious behavior.<\/em><\/p>\n\n\n\n<p id=\"2ba4\">The new contracts are being launched on the 3rd of April. Audits have been completed, and all potential threats that were detected are now fixed.<\/p>\n\n\n\n<p id=\"6657\">Since transactions are now implemented through Rubic\u2019s contracts, we\u2019ve switched Rubic\u2019s fees back on. Currently, our platform charges $2 for every cross-chain swap and $1 for on-chain ones.<\/p>\n\n\n\n<p id=\"f91b\"><strong><em>Rubic\u2019s New Contracts Audit Report:<\/em><\/strong><\/p>\n\n\n\n<p id=\"727f\"><a href=\"https:\/\/hackmd.io\/FuweXo1hScigSQ_i-u4tpA#1-INTRODUCTION\" rel=\"noreferrer noopener\" target=\"_blank\">Rubic\u2019s latest audit<\/a>&nbsp;was performed by the&nbsp;<a href=\"https:\/\/mixbytes.io\/\" rel=\"noreferrer noopener\" target=\"_blank\">MixBytes<\/a>&nbsp;company. All vulnerabilities discovered during the audit are classified based on their potential severity:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/miro.medium.com\/v2\/resize:fit:1400\/1*a1IAG5jMI5O3uRRFR5AxfA.png\" alt=\"\"\/><\/figure>\n\n\n\n<p id=\"a70e\">During the audit process, 2 critical, 2 medium, and 1 low severity findings were identified and confirmed by the developers. After the revision performed by the developers, 2 critical and 1 medium findings were fixed, 1 medium (medium.2) was demoted to low severity, and the low severity findings were acknowledged. 
The demoted and remaining findings have low severity and do not affect the overall security of the project.<\/p>\n\n\n\n<p id=\"20a8\">You can read the detailed report here:<\/p>\n\n\n\n<figure class=\"wp-block-embed\"><div class=\"wp-block-embed__wrapper\">\nhttps:\/\/docs.rubic.finance\/legal-documentation\/mixbytes-audit\n<\/div><\/figure>\n\n\n\n<p id=\"4504\"><strong><em>4. Bug Bounty<\/em><\/strong><\/p>\n\n\n\n<p id=\"f57c\"><em>Rubic aims to operate as a secure, sustainable Cross-Chain Tech Aggregator that anyone can rely on to exchange and move cryptocurrencies across chains. In the interest of further security improvement, we are soon launching the Rubic Bug Bounty Program with&nbsp;<\/em><a href=\"https:\/\/immunefi.com\/bounty\/rubic\/\" rel=\"noreferrer noopener\" target=\"_blank\"><em>Immunefi<\/em><\/a><em>&nbsp;(the link will start working after the launch).<\/em><\/p>\n\n\n\n<p id=\"7491\">Rubic strongly believes in the value of security professionals\u2019 and developers\u2019 assistance in keeping our products and users safe. Thus, Rubic is establishing and encouraging coordinated vulnerability disclosure via our Bug Bounty Program.<\/p>\n\n\n\n<p id=\"ef45\">The program is focused on our smart contracts, with a primary interest in the prevention of user fund loss and the provision of protocol stability.<\/p>\n\n\n\n<p id=\"a1c1\">We encourage anyone interested to review the code and find bugs or vulnerabilities that bad actors could exploit. The only eligible severity level is&nbsp;<strong><em>Critical<\/em><\/strong>; we will specify the award amount later, together with the start of the program.<\/p>\n\n\n\n<p id=\"0cd1\">We look forward to anyone engaging with us to improve the protocol and build the best Cross-Chain Tech Aggregator in the industry.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security is one of the most critical considerations for any blockchain-related project. 
Rubic\u2019s goal is to deliver a smooth trading experience to our users around the world, so it\u2019s our job to keep users\u2019 funds and our products secure. To accomplish this goal, we have been putting a lot of effort into significantly enhancing Rubic\u2019s [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_vp_format_video_url":"","_vp_image_focal_point":[],"footnotes":""},"categories":[6],"tags":[],"class_list":["post-198","post","type-post","status-publish","format-standard","hentry","category-about-rubic"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rubic.exchange\/blog\/wp-json\/wp\/v2\/posts\/198","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rubic.exchange\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rubic.exchange\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rubic.exchange\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/rubic.exchange\/blog\/wp-json\/wp\/v2\/comments?post=198"}],"version-history":[{"count":1,"href":"https:\/\/rubic.exchange\/blog\/wp-json\/wp\/v2\/posts\/198\/revisions"}],"predecessor-version":[{"id":199,"href":"https:\/\/rubic.exchange\/blog\/wp-json\/wp\/v2\/posts\/198\/revisions\/199"}],"wp:attachment":[{"href":"https:\/\/rubic.exchange\/blog\/wp-json\/wp\/v2\/media?parent=198"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rubic.exchange\/blog\/wp-json\/wp\/v2\/categories?post=198"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rubic.exchange\/blog\/wp-json\/wp\/v2\/tags?post=198"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}