Skip to content

Security: StarkMindsHQ/StrellerMinds-SmartContracts

Security

docs/security.md

Security Guidelines

Security-First Mindset

All development for StrellerMinds smart contracts must follow these security principles:

  1. Principle of Least Privilege: Contracts should request only the permissions they need.
  2. Input Validation: All inputs must be validated before processing.
  3. Error Handling: Proper error handling must be implemented for all operations.
  4. Access Control: Clear access control mechanisms must be in place.
  5. Audit Readiness: Code should be written with clarity for future audits.

Security Review Process

  1. All PRs must undergo security review before merging — see SECURITY_REVIEW_PROCESS.md for the full four-gate process.
  2. Run bash scripts/security_audit.sh locally before pushing any contract change.
  3. Static analysis tools must be run on all code (cargo clippy -D warnings).
  4. Test coverage must include security-focused test cases (see Gate 3 in the review process doc).

Release Verification

All releases include Software Bill of Materials (SBOM) and cryptographic signatures for verification.

SBOM Verification

Each release includes:

  • sbom.spdx.json - Complete repository SBOM in SPDX format
  • sbom-wasm.spdx.json - WASM artifacts specific SBOM
  • Corresponding .sig files for each SBOM

Artifact Verification

All release artifacts are signed using Cosign when signing keys are available:

Prerequisites for Verification

# Install Cosign
curl -O -L "https://github.com/sigstore/cosign/releases/latest/download/cosign-linux-amd64"
sudo mv cosign-linux-amd64 /usr/local/bin/cosign
sudo chmod +x /usr/local/bin/cosign

# Install Syft for SBOM validation
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin

Verify Release Artifacts

  1. Download release assets from the GitHub release page

  2. Verify WASM artifacts:

    # Verify each WASM file
    cosign verify-blob --key cosign.pub --signature <filename>.wasm.sig <filename>.wasm
  3. Verify SBOM files:

    # Verify main SBOM
    cosign verify-blob --key cosign.pub --signature sbom.spdx.json.sig sbom.spdx.json
    
    # Verify WASM-specific SBOM
    cosign verify-blob --key cosign.pub --signature sbom-wasm.spdx.json.sig sbom-wasm.spdx.json
  4. Validate SBOM content:

    # Validate SPDX JSON format
    syft validate sbom.spdx.json
    
    # Convert to human-readable format
    syft convert sbom.spdx.json -o table
  5. Verify checksums:

    # Verify SHA256 checksums
    sha256sum -c SHA256SUMS.txt

Public Key

The public key for verification is available at: https://github.com/StarkMindsHQ/StrellerMinds-SmartContracts/releases

Security Best Practices

  • Always verify signatures before using release artifacts
  • Check SBOM for known vulnerabilities
  • Use only officially signed releases in production
  • Report any signature verification failures immediately

Vulnerability Reporting

If you discover a security vulnerability, please do NOT open an issue. Email security@strellerminds.com instead.

There aren't any published security advisories