Monad Co-founders Release 10 Protocol Security Self-Inspection Checklists, Emphasizing Key Risks in Multi-Signature and Permission Management


ME News reports that on April 3 (UTC+8), Monad co-founder Keone Hon posted a protocol security self-checklist on X. It concentrates on administrative privileges, fund safety and multisig design, and consists of ten points:

1. Identify which administrator functions could lead to a loss of funds.
2. Put a timelock on every such operation.
3. Set up real-time monitoring.
4. Alert promptly whenever an administrator function is called.
5. Review every privileged account and use k-of-n multisig structures wherever possible.
6. Set the signature threshold parameters (k and n) explicitly.
7. Multisig signers should sign only from dedicated cold devices used for nothing else, and follow best practices such as independently verifying the transaction hash before signing.
8. Rate-limit withdrawals, and do not let the limit be controlled by the same multisig that authorises the withdrawals.
9. Make sure employee devices have malware detection and device management in place.
10. Assume in advance the worst case in which multisig signers are compromised, work backwards through the possible attack paths from the attacker's perspective, and adjust the design to raise the cost and complexity of an attack.

According to an earlier report, one week before Drift Protocol suffered a $285 million hack it had changed its multisig to 2/5 (1 old signer + 4 new signers) without setting a timelock. The attacker then obtained administrative privileges, forged CVT tokens, manipulated oracles, disabled security mechanisms and transferred high-value assets out of the treasury. (Source: PANews)
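To make the interaction between checklist points 2, 4, 6, 8 and 10 concrete, here is an added Python model of an admin multisig (it is illustrative code written for this page, not code from Keone Hon's post, Monad or Drift). It reproduces the shape of the weak configuration described above (2-of-5, four freshly added signers, no timelock) and contrasts it with a hardened one. All class and function names, signer labels, amounts, delays and limits are hypothetical, and the rule that any single signer can veto a queued proposal during the delay is a design choice of the model, not a statement about any real protocol.

```python
from dataclasses import dataclass, field

# Added illustrative model, not code from Keone Hon's post or any protocol.
# All names, amounts, delays and limits below are hypothetical.


@dataclass
class Proposal:
    action: str
    amount: int
    queued_at: int
    approvals: set = field(default_factory=set)
    cancelled: bool = False
    executed: bool = False


class AdminMultisig:
    """k-of-n admin multisig with a timelock, call alerts and a withdrawal rate limit."""

    def __init__(self, signers, threshold, timelock, withdraw_limit, window):
        if not 0 < threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the number of signers")
        self.signers = set(signers)
        self.threshold = threshold              # point 6: explicit k of n
        self.timelock = timelock                # point 2: delay between queue and execute
        self.withdraw_limit = withdraw_limit    # point 8: max amount per window
        self.window = window
        self.proposals = []
        self.withdrawals = []   # (time, amount) of executed withdrawals
        self.alerts = []        # points 3/4: every admin call is recorded for monitoring

    def _require_signer(self, signer):
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")

    def propose(self, signer, action, amount, now):
        self._require_signer(signer)
        self.proposals.append(Proposal(action, amount, now, {signer}))
        self.alerts.append(f"t={now} {signer} queued {action} {amount}")
        return len(self.proposals) - 1

    def approve(self, signer, pid, now):
        self._require_signer(signer)
        self.proposals[pid].approvals.add(signer)
        self.alerts.append(f"t={now} {signer} approved #{pid}")

    def cancel(self, signer, pid, now):
        # Model design choice: any single honest signer can veto during the delay.
        self._require_signer(signer)
        self.proposals[pid].cancelled = True
        self.alerts.append(f"t={now} {signer} cancelled #{pid}")

    def execute(self, pid, now):
        p = self.proposals[pid]
        if p.cancelled or p.executed:
            raise PermissionError("proposal cancelled or already executed")
        if len(p.approvals & self.signers) < self.threshold:
            raise PermissionError("threshold not met")
        if now < p.queued_at + self.timelock:
            raise PermissionError("timelock not elapsed")
        if p.action == "withdraw":
            recent = sum(a for t, a in self.withdrawals if now - t < self.window)
            if recent + p.amount > self.withdraw_limit:
                raise PermissionError("withdrawal rate limit exceeded")
            self.withdrawals.append((now, p.amount))
        p.executed = True
        return True


def attempt_drain(ms, attacker_signers, amount, now):
    """An attacker holding `attacker_signers` tries to push a withdrawal through at `now`."""
    try:
        pid = ms.propose(attacker_signers[0], "withdraw", amount, now)
        for s in attacker_signers[1:]:
            ms.approve(s, pid, now)
        ms.execute(pid, now)
        return "drained"
    except PermissionError as e:
        return f"blocked: {e}"


SIGNERS = ["old1", "new1", "new2", "new3", "new4"]   # constructed: 1 old + 4 new signers
COMPROMISED = ["new1", "new2"]                        # two of the new signers fall to the attacker


def weak_config():
    """2-of-5, no timelock, effectively no rate limit: drained in one step."""
    ms = AdminMultisig(SIGNERS, threshold=2, timelock=0, withdraw_limit=10**18, window=1)
    return attempt_drain(ms, COMPROMISED, 285_000_000, now=100)


def hardened_config():
    """Same signers; 3-of-5, 48h timelock, 10M per 24h. Returns the outcome of each attempt."""
    ms = AdminMultisig(SIGNERS, threshold=3, timelock=48 * 3600,
                       withdraw_limit=10_000_000, window=24 * 3600)
    outcomes = [attempt_drain(ms, COMPROMISED, 285_000_000, now=100)]         # threshold
    outcomes.append(attempt_drain(ms, COMPROMISED + ["new3"], 285_000_000, now=200))  # timelock
    if any("queued withdraw" in a for a in ms.alerts):   # point 4: alert reaches the honest signer
        ms.cancel("old1", 1, now=300)                    # point 10: plan for compromised signers
    for pid, t in ((1, 200 + 48 * 3600), (ms.propose("new1", "withdraw", 285_000_000, 400), 400 + 48 * 3600)):
        for s in ("new2", "new3"):
            ms.approve(s, pid, 400)
        try:
            ms.execute(pid, t)
            outcomes.append("drained")
        except PermissionError as e:
            outcomes.append(f"blocked: {e}")
    return outcomes


def legitimate_withdrawal():
    """A withdrawal inside the limit, with enough signers and after the delay, still goes through."""
    ms = AdminMultisig(SIGNERS, threshold=3, timelock=48 * 3600,
                       withdraw_limit=10_000_000, window=24 * 3600)
    pid = ms.propose("old1", "withdraw", 5_000_000, now=0)
    ms.approve("new1", pid, 0)
    ms.approve("new2", pid, 0)
    return ms.execute(pid, now=48 * 3600)


if __name__ == "__main__":
    print("weak:", weak_config())
    print("hardened:", hardened_config())
    print("legitimate:", legitimate_withdrawal())
```

The point of the model is the layering: raising k stops a two-signer compromise, the timelock turns an instant drain into a queued proposal that the alert exposes and an honest signer can veto, and the rate limit caps the damage even when both of those fail. In a real deployment the cancel right and the rate-limit parameters must themselves sit behind controls that the compromised multisig cannot reach (point 8), which this toy model does not enforce.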
