Introduction

Liminal.market's attack surface is small, significantly smaller than that of other trading platforms, because the blockchain holds all the data. Since that information is public by design, there is no large store of confidential data to protect, and the surface we need to defend is far more manageable than at a typical technology company offering trading services.

The core of our system is compact: it simply forwards orders between the blockchain and the broker.

At present, Liminal.market stores only one piece of identifying information, the email address. Because it is a single field, encrypting it is straightforward, and all email addresses are encrypted in our database. We are working on eliminating the need for an email address altogether.

Our security approach assumes that the database will be compromised: the question is "when," not "if." Designing with that mindset leads to choices that keep customers safer when it happens. We still make every effort to prevent breaches from occurring in the first place.

The reduced attack surface brings further benefits. Unlike trading platforms run on hundreds of servers inside large corporate networks, each of which may harbor vulnerabilities, Liminal.market relies on the blockchain and smart contracts. This streamlined infrastructure lets us protect each remaining component thoroughly, minimizing the risk of a breach.

FAQ

What measures are in place to ensure the security of user funds during transactions?

Liminal.market relies on several measures to secure user funds during transactions. The first is the blockchain itself, which provides transparency, immutability and decentralized consensus. Smart contracts automate the transaction flow, reducing the scope for human error and fraud.

The platform is also designed for a minimal attack surface: a compact system that only forwards orders between the blockchain and the broker leaves fewer components for a malicious actor to exploit.

Note also that Liminal.market relies on licensed companies for off-chain activities, and those companies are subject to government oversight. This provides a degree of trust and accountability in the transaction process.

How are private keys managed and secured within the Liminal.market platform?

Liminal.market takes the management of private keys seriously. The platform uses OpenZeppelin Defender, an established industry solution, for writing to the blockchain. Defender's key management and transaction-signing features protect the keys the platform uses to transact and help ensure the integrity of those transactions.

Liminal.market's own private keys are kept in cold storage on hardware keys. Cold storage keeps private keys offline and disconnected from the internet, which greatly reduces the risk of remote compromise. Hardware keys add a further layer: they are dedicated, tamper-resistant devices designed so that the key material never leaves the device.

Together, OpenZeppelin Defender for day-to-day signing and hardware-backed cold storage for the platform's own keys protect both user funds and the platform's ability to act on the blockchain.

Are there any additional authentication measures, such as two-factor authentication, available for user accounts?

At this time, Liminal.market does not provide additional authentication measures such as two-factor authentication (2FA) within the platform itself. This is a deliberate decision: we believe such measures belong in the user's wallet, specifically in smart contract wallets.

Smart contract wallets let users define their own security rules (for example additional signers, spending limits or time locks) according to their needs and preferences. By relying on the wallet's security features, Liminal.market leaves users in full control of their funds and of the level of protection applied to them. Users can choose the wallet that best suits their requirements and risk tolerance.

How does Liminal.market protect itself against Distributed Denial of Service (DDoS) attacks?

Liminal.market uses Cloudflare to protect itself against Distributed Denial of Service (DDoS) attacks. Cloudflare's global network filters and absorbs malicious traffic before it reaches Liminal.market's servers, so the platform stays available and responsive even under attack.

This protection applies only to traffic that actually passes through Cloudflare. The origin servers must therefore accept connections only from Cloudflare's network; an origin that is reachable directly by its own IP address can be attacked around the proxy.

What type of encryption methods are employed for communication between the blockchain and the broker?

Liminal.market uses current Transport Layer Security (TLS) versions and strong authentication for its connections to the broker and to blockchain providers. We also listen for blockchain events through multiple providers rather than a single one, so that no single provider is a single point of failure or of trust.
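As an added example (not Liminal.market's code; the provider names, event shape, thresholds and feeds are all constructed for illustration), the following Node.js code shows one way to turn "multiple providers" into an integrity check rather than only a fallback: an event is acted on only when a quorum of providers report it identically and it sits deep enough below every provider's chain head to survive a short reorganisation, and any disagreement between providers is surfaced for an operator.

```javascript
// Added example (not Liminal.market code): cross-check the events that
// several RPC providers report for the same contract before acting on any of
// them. A single lagging, buggy or compromised provider can then neither
// inject an order nor hide one: an event is acted on only when a quorum of
// providers report it identically and it is old enough to be unlikely to be
// reorganised away. Provider names, the event shape and thresholds are
// assumptions; the feeds below are constructed, not captured.

// On-chain identity of a log entry: transaction hash plus position in receipt.
function eventKey(ev) {
  return `${ev.txHash.toLowerCase()}:${ev.logIndex}`;
}

// The fields that every provider must agree on for the same log entry.
function fingerprint(ev) {
  return JSON.stringify({
    blockNumber: ev.blockNumber,
    blockHash: ev.blockHash.toLowerCase(),
    address: ev.address.toLowerCase(),
    data: ev.data,
  });
}

// feeds: [{ provider, head, events: [...] }], one entry per RPC provider.
// Returns { accepted, disputed, pending }.
function reconcileEvents(feeds, { quorum, confirmations }) {
  // Use the most conservative head: an event counts as confirmed only when
  // every provider has seen at least `confirmations` blocks on top of it.
  const safeHead = Math.min(...feeds.map((f) => f.head)) - confirmations;

  // key -> Map(fingerprint -> { event, providers })
  const seen = new Map();
  for (const feed of feeds) {
    for (const ev of feed.events) {
      const key = eventKey(ev);
      if (!seen.has(key)) seen.set(key, new Map());
      const variants = seen.get(key);
      const fp = fingerprint(ev);
      if (!variants.has(fp)) variants.set(fp, { event: ev, providers: new Set() });
      variants.get(fp).providers.add(feed.provider);
    }
  }

  const accepted = []; // safe to forward to the broker
  const disputed = []; // providers disagree: alert an operator
  const pending = [];  // below quorum or not yet confirmed: retry later
  for (const [key, variants] of seen) {
    const ranked = [...variants.values()].sort((a, b) => b.providers.size - a.providers.size);
    if (ranked.length > 1) {
      disputed.push({ key, variants: ranked.map((v) => ({ providers: [...v.providers].sort(), event: v.event })) });
    }
    const best = ranked[0];
    if (best.providers.size < quorum || best.event.blockNumber > safeHead) {
      pending.push({ key, providers: [...best.providers].sort(), blockNumber: best.event.blockNumber });
      continue;
    }
    accepted.push(best.event);
  }
  return { accepted, disputed, pending };
}

// Constructed feeds for three providers. Provider "c" lags one block, misses
// 0xbb, reports an event (0xcc) nobody else has, and returns different data
// for 0xdd/1 than the other two.
function sampleFeeds() {
  const ev = (txHash, logIndex, blockNumber, data) => ({
    txHash, logIndex, blockNumber,
    blockHash: `0xblock${blockNumber}`,
    address: '0x000000000000000000000000000000000000abcd',
    data,
  });
  return [
    { provider: 'a', head: 1000, events: [ev('0xaa', 0, 990, '0x01'), ev('0xbb', 0, 996, '0x02'), ev('0xdd', 1, 980, '0x04')] },
    { provider: 'b', head: 1001, events: [ev('0xaa', 0, 990, '0x01'), ev('0xbb', 0, 996, '0x02'), ev('0xdd', 1, 980, '0x04')] },
    { provider: 'c', head: 999,  events: [ev('0xaa', 0, 990, '0x01'), ev('0xcc', 0, 985, '0x03'), ev('0xdd', 1, 980, '0x99')] },
  ];
}

// Two of three providers must agree, and an event must be six blocks deep.
function runSample() {
  return reconcileEvents(sampleFeeds(), { quorum: 2, confirmations: 6 });
}
```

With these feeds, 0xaa is accepted, 0xbb waits for confirmations, 0xcc waits for a second provider, and 0xdd/1 is accepted on the a/b majority but also reported as disputed because c returned different data, which is exactly the case an operator should look at.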

In the event of a security breach, how will users be notified, and what steps will be taken to mitigate the impact?

In the event of a security breach, Liminal.market will promptly notify affected users by email. Our response plan has the following steps:

  • Detect: Establish that a breach has occurred and identify its scope and nature.
  • Root cause analysis: Determine the underlying cause of the breach.
  • Implement fix: Apply measures that address the identified cause and prevent it from recurring.
  • Post-mortem: Analyze the incident thoroughly, learn from it and improve our security procedures accordingly.

This process lets us limit the impact of a breach and continuously improve the safety of our platform.

How are smart contracts audited and tested for vulnerabilities?

Liminal.market has not yet commissioned a formal security audit; we plan to have one completed before launching on mainnet. In the meantime, our smart contracts are thoroughly tested and subjected to automated security scanning so that vulnerabilities are identified and addressed promptly.

Are there any bug bounty programs in place to encourage the identification and reporting of security issues?

Liminal.market does not currently have a bug bounty program. We recognize the value of such programs in surfacing security issues and intend to launch one in the future to encourage the identification and reporting of vulnerabilities in our platform.

How does Liminal.market handle user data privacy and comply with regulations such as GDPR?

Liminal.market is committed to user data privacy and to compliance with regulations such as GDPR. The only personal data we store is the email address, and it is encrypted in our database. We do not track users or collect additional personal information; for usage information we rely on the public data available on the blockchain.

We use external services, such as the broker and the email service provider, which store personal information of their own. The majority of user data is held by the broker, while the email service provider retains email addresses and first names. By minimizing the personal data kept within our own system, Liminal.market limits what an attacker could obtain from it.

What measures are in place to monitor and detect suspicious activities or transactions on the platform?

Liminal.market monitors transactions and activity on the platform to detect suspicious behaviour. Users remain responsible for the security of their own wallets, but we also watch server activity closely to identify potential threats.

If suspicious activity or a security concern arises, Liminal.market can pause the smart contracts, and the system as a whole if necessary. This lets us contain a potential incident and protect the integrity of the platform and of user assets.
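As an added example (not Liminal.market's code; the thresholds, order shape and sample orders are assumptions), the following Node.js code shows a server-side circuit breaker of the kind the answer describes: per-wallet rate monitoring that blocks a bursting wallet, and a global pause that trips when several wallets misbehave inside one window and rejects every order until an operator resumes.

```javascript
// Added example (not Liminal.market code): a server-side circuit breaker for
// an order forwarder. Each wallet's orders are counted over a sliding window;
// a wallet that exceeds the limit is blocked, and when enough distinct wallets
// get blocked inside one window the whole forwarder pauses and rejects every
// order until an operator clears it. Thresholds, the order shape and the
// sample orders are assumptions made for the example.

class ForwarderGuard {
  constructor({ windowMs, maxPerWallet, maxBlockedWallets }) {
    this.windowMs = windowMs;
    this.maxPerWallet = maxPerWallet;
    this.maxBlockedWallets = maxBlockedWallets;
    this.history = new Map(); // wallet -> timestamps of recent orders
    this.blocked = new Map(); // wallet -> time at which it was blocked
    this.paused = false;
  }

  // Timestamps for this wallet that are still inside the window.
  recent(wallet, now) {
    const ts = (this.history.get(wallet) || []).filter((t) => now - t < this.windowMs);
    this.history.set(wallet, ts);
    return ts;
  }

  // Decide whether one order may be forwarded. Returns { ok, reason }.
  check(order, now) {
    if (this.paused) return { ok: false, reason: 'system paused' };
    const wallet = order.wallet.toLowerCase();
    // Expire old blocks first so a one-off burst does not stay blocked forever.
    for (const [w, t] of this.blocked) if (now - t >= this.windowMs) this.blocked.delete(w);
    if (this.blocked.has(wallet)) return { ok: false, reason: 'wallet blocked' };
    const ts = this.recent(wallet, now);
    ts.push(now);
    if (ts.length <= this.maxPerWallet) return { ok: true, reason: 'forwarded' };
    this.blocked.set(wallet, now);
    // Many wallets tripping the limit at once looks coordinated: stop everything.
    if (this.blocked.size >= this.maxBlockedWallets) this.paused = true;
    return { ok: false, reason: this.paused ? 'system paused' : 'wallet blocked' };
  }

  // Operator action once the incident has been investigated.
  resume() {
    this.paused = false;
    this.blocked.clear();
  }
}

// Constructed order stream: wallets 0xa1, 0xc3 and 0xd4 each fire a burst of
// four orders while 0xb2 trades normally. Returns the decision for each order,
// then one more 0xb2 order after the operator has resumed the system.
function runSample() {
  const guard = new ForwarderGuard({ windowMs: 60_000, maxPerWallet: 3, maxBlockedWallets: 3 });
  const orders = [];
  let t = 0;
  for (const wallet of ['0xa1', '0xc3', '0xd4']) {
    for (let i = 0; i < 4; i++) orders.push({ wallet, t: t++ }); // 4th order exceeds the limit
    orders.push({ wallet: '0xb2', t: t++ });                        // normal wallet in between
  }
  const decisions = orders.map((o) => ({ wallet: o.wallet, ...guard.check(o, o.t) }));
  guard.resume();
  decisions.push({ wallet: '0xb2', ...guard.check({ wallet: '0xb2' }, t++) });
  return decisions;
}
```

The global pause is deliberately cheap to trip and requires a human to clear: for a forwarder that only relays orders, a short outage costs far less than relaying a burst of fraudulent ones, and the same decision point is where an on-chain pause of the contracts would be triggered.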

How does Liminal.market secure its infrastructure from potential insider threats?

Liminal.market secures its infrastructure against insider threats through strict access control and a lean team. Access to critical systems is limited to a small number of trusted team members, which reduces the risk of unauthorized access or misuse.

Because the platform runs on the blockchain, it requires minimal system administration, which lets the team concentrate on the security of the platform and stay vigilant against internal and external threats alike.

Are there any plans to integrate decentralized identity solutions for enhanced user privacy and security?

Liminal.market is actively exploring decentralized identity solutions for enhanced user privacy and security. We see clear benefits in on-chain Know Your Customer (KYC) processes and intend to adopt such solutions as they become available, in line with our commitment to a secure and user-friendly trading experience.

How does Liminal.market manage security updates and patches for its underlying technology stack?

Liminal.market actively tracks security updates and patches for its technology stack and applies them so that the platform remains current. Because our reliance on the blockchain keeps the stack small, this is far more manageable than for larger, more complex systems, and it lets us maintain the security and stability of the platform efficiently.

What is the disaster recovery plan in place to ensure the continuity of services in case of unforeseen events or system failures?

Liminal.market has a disaster recovery plan to ensure continuity of service in the event of unforeseen events or system failures. Because our platform holds no critical state of its own, it can be wiped and rebuilt without significant disruption: the system can be back up within an hour, and in the best case within minutes.

We regularly perform system-wide tests and reinstallations to confirm that our recovery process works and stays current. Disaster recovery for trades themselves is handled by our partner broker, a licensed entity, so user trades are protected and managed by a regulated party, which further strengthens the resilience of the Liminal.market platform.

How does Liminal.market handle potential collusion or manipulation by malicious actors within the blockchain ecosystem?

Liminal.market relies on its partner broker to handle collusion or market manipulation by malicious actors. Because our platform primarily acts as a bridge that forwards user order requests between the blockchain and the broker, the responsibility for guarding against such activity lies with the broker.

Brokers specialize in exactly this: they employ surveillance and monitoring tools to detect and prevent attempts at market manipulation or collusion. By partnering with a trusted and experienced broker, Liminal.market keeps the trading experience secure and transparent for all users.