This section highlights some of the primary threats developers and users may encounter along with recommended strategies to mitigate these risks. It’s important to recognize that this is not exhaustive; rather, it aims to outline key areas and proactive steps to bolster security.
Dynamic mitigates XSS attacks by utilizing Content Security Policies (CSPs) and iFrames, preventing unauthorized scripts from accessing wallet shares or modifying user sessions.
Phishing and social engineering are the most common threats in software and financial applications. While no single solution can fully prevent these attacks, Dynamic employs multiple strategies:
Domain binding to restrict JWTs and wallet interactions to approved domains
Recommendations to developers to mitigate phishing attacks
Wherever possible warn users when performing sensitive actions for example, Dynamic includes a message in the developer console advising users to never copy and paste code into their browser; and requires active user acknowledgment during any export activity
Leverage transaction simulation to prompt users before they transact
Leverage transaction security checks which scans for malicious address involvement
Add additional authentication layers like MFA, or require a Passcode for a user-share
Dynamic uses automated tools for continuous monitoring and scanning of third-party packages for vulnerabilities and enforces integrity checks on all external dependencies.
Additionally, for Dynamic powered Embedded Wallets, Trusted Execution Environments (TEE) are used to further ensure security and controls around sensitive user data. All secure enclave deployments are attested to guarantee integrity of the software running and ensure that only authorized code runs within our infrastructure. Multi-person reviews with scanned, signed, and verified artifacts are strictly enforced to prevent tampering in the software supply chain.
Dynamic enforces rate limiting on authentication attempts and supports additional measures like hCAPTCHA and domain blocking. We have active monitoring on all endpoints and projects to alert us if we see increases above the norm.
Dynamic strictly enforces TLS/SSL encryption for all network traffic to prevent any unauthorized access to data in transit to or from Dynamics servers. CORS origin is a requirement for any web application using Dynamic.For Dynamic powered Embedded wallets, we implement session key chaining, which requires a properly registered session key on sensitive authenticated requests. Dynamic powered Embedded wallets with TSS-MPC includes using a secure relay mechanism to apply an additional layer of encryption between parties involved in MPC ceremonies. This prevents unauthorized interception of key share material between devices and Dynamic servers.
Recommendations to protect against man-in-the-middle attacks
Enable cookie-based authentication. When properly enabled, Dynamic will write an httpOnly cookie from the server response which helps prevent malicious hackers from stealing a legitimate user’s JWT
Enforce MFA. This will help prevent a malicious actor from using a compromised email/social to impersonate a user, even if they are able to collect this information in a malicious way