Lead Like A Gardener Part 4:
Security at the Stacks Foundation
Note: Security efforts related to the Stacks network are now primarily led by Stacks Labs after SIP-031 helped streamline core contributor operations and created additional funding for these and other efforts.
This post is part of a series dedicated to articulating the strategies and working models leveraged by the Stacks Foundation as we continue to serve and steward the Stacks ecosystem. The series will provide the latest plain language breakdowns of our focus areas and the rationale behind how we prioritize and execute.
By now, you hopefully have read about our overall approach to our work here at the Stacks Foundation in the first post of the series. This post will provide a closer look at how the Stacks Foundation views the security of the Stacks network as well as our own supportive approaches. We believe security is of utmost importance and treat our work, to support and improve the overall security profile of the chain, as a top-level consideration.

With the recent months of momentum of building on Bitcoin, there has been an increased level of attention on Stacks. This includes action in the market, but more importantly, attention from developers, builders, and the broader industry. Most of this is extremely positive, as we’ve seen app usage grow plus new entrepreneurs and funding enter the ecosystem, along with the feeling of camaraderie and new life in the world of Bitcoin. Along with that attention and growth, however, come new issues to face. A great example is the Bitcoin MEV issue, where a major Bitcoin miner is censoring other Stacks miners. This was something early contributors posited could happen if Stacks became popular enough, and, well, that day has come. And while this particular issue is getting addressed in the next upgrade, it’s a good reminder that the network is likely to see more attempts to extract value, potentially in nefarious ways, as its profile continues to rise.

Beyond that reality, we must also remember that security is a primary value proposition of the Stacks network. Stacks prioritizes safety for builders and users over other elements, and the builders who are here count on that. In other words, Stacks has to do it better (more securely) than your other favorite blockchains.

With that context, let’s take a look at how the Stacks Foundation views the overall security model of Stacks.
Security and the Stacks Ecosystem
The Stacks network, much like the ecosystem that supports it, follows a decentralized model with regard to its overall security. Stacks’ security is achieved through a combination of protocol and technology design, programs and processes, community participation, and individual responsibility.

Protocol and Technology Design
At the protocol level, security is baked directly into the design of the Stacks blockchain, employing the proof-of-transfer (PoX) consensus mechanism, which leverages the security of the Bitcoin blockchain as a settlement layer. By anchoring to Bitcoin, the Stacks blockchain benefits from the robustness and immutability of Bitcoin’s security. Another great example of security through design is the Clarity smart contract language, which takes a very different approach (Turing-incomplete, decidable, interpreted, and predictable) to most smart contract languages so as to better protect developers and their users from detrimental smart contract bugs.

Programs and Processes
Another key layer of overall security is the processes by which work happens. An example here: after the launch of Stacks 2.1, core developers learned a lot about where the network had some weaknesses related to release processes and demanded adjustments to those processes. There is now a dedicated Testing and Hardening Working Group taking on these improvements, which include more automated testing and increased requirements on code reviews. In terms of programs, there are two we run here at the Stacks Foundation that contribute to overall security: Immunefi Bug Bounties (more below) and our audit program. Our audit program includes prior efforts to train agencies in Clarity, educational efforts to help teams get audits, and matchmaking with affordable and qualified audit providers.

Community Participation
No surprise here: the Stacks ecosystem relies on community contributors to enhance security. And it’s not only technical folks; at times a simple observation of a transaction or strange behavior can help avoid bigger issues. Further, the Stacks ecosystem is open-source, with all code openly available, meaning many, many eyes have been over any given repo. Notably, Clarity is a human-readable language, so eagle-eyed community contributors have been able to spot smart contracts that could have spurred unexpected results. Another great aspect of community involvement has been that, historically, community contributors take an active approach not just in the identification of bugs or disclosures, but also in their resolution. They have done this via code commits, but also by simply being available to test and re-test as core developers triage. And, last but not least, contributing entities like Hiro and Trust Machines have made dedicated security hires that have not only contributed to increased security of the tools and apps those organizations support, but have also contributed at the network level.

Individual Responsibility
In crypto, we’d be remiss not to point out that individual responsibility is an important aspect of security for any system that deals with user funds, and the same goes for Stacks. Users are responsible for securing their private keys and practicing good security hygiene to protect their digital assets and data. The use of hardware wallets or secure software wallets is encouraged to safeguard private keys.

Overall, the Stacks ecosystem embraces a collaborative approach to security, with a combination of protocol design, community involvement, and individual responsibility working together to maintain the security of the network and its participants.
How the Stacks Ecosystem Supports Security Efforts
You may have an idea from some of the layers of security outlined above, but to put it even more directly, here is a concrete list of the security-related activities the ecosystem prioritizes:

  • Immunefi Bug Bounty program: Up to $250,000 for critical network bugs. You can learn more about the program here!
  • Audit training and matchmaking: We have ensured that numerous top agencies are trained in Clarity and are available to review not only critical infrastructure code as needed but also support teams that are building apps touching user funds. Get in touch if you need one!
  • Communications around blockchain issues and releases: Key contributors are typically able to digest information from various channels and provide updates to the community through channels like the forum and @stacksstatus on Twitter. Well-timed updates can help protect developers and users, as can being thoughtful about when and how to post about especially sensitive bugs when they arise.
  • SIP stewardship: SIPs are how the Stacks blockchain progresses and the process by which the community can propose, discuss, and decide on the development direction of Stacks. We not only help organize the process with help from our SIP Resident, the one and only Hero Game, we also supplement the process with paid third-party research (recent example) on key proposals when they may have an impact on security and tokenomics. These reports can cost upwards of $10-20k, and sometimes more depending on the depth required, but they are needed for the community to make the best possible decisions.
  • Support of Core Developers: We review releases for the Stacks blockchain to ensure they are tested, safe, and secure.
  • Onboarding and engagement with experts: Firms like Asymmetric Research, Clarity Alliance, and other researchers work closely with core developers on a day-to-day basis, ensuring designs are being checked well before even the audit stage.
Appendix