The Stacks network, much like the ecosystem that supports it, follows a decentralized model with regard to its overall security. Stacks’ security is achieved through a combination of protocol and technology design, programs and processes, community participation, and individual responsibility.Protocol and Technology Design
At the protocol level, security is baked directly into the design of the Stacks blockchain, employing the proof-of-transfer
(PoX) consensus mechanism, which leverages the security of the Bitcoin blockchain as a settlement layer. By anchoring to Bitcoin, the Stacks blockchain benefits from the robustness and immutability of Bitcoin's security. Another great example of security through design, is the Clarity smart contract language
, which takes a very different approach (turning incomplete, decidable, interpreted, and predictable) to most smart contract languages as to better protect developers and their users from detrimental smart contract bugs
.Programs and Processes
Another key layer of overall security are the processes by which work happens. An example here: After the launch of Stacks 2.1, core developers learned a lot about where the network had some weaknesses related to release processes and demanded adjustments to these processes. There is now a dedicated Testing and Hardening Working Group
taking on these improvements that include more automated testing and increased requirements on code reviews. In terms of programs, there are two we run here at the Stacks Foundation that contributes to overall security: Immunefi Bug Bounties (more below
) and our audit program. Our audit program includes prior efforts to train agencies in Clarity, educational efforts teams to get audits, and matchmaking to affordable and qualified audit providers. We’ve also recently struck a deal with a go-to auditor, so if you’re looking for one, please contact [email protected]
No surprise here, the Stacks ecosystem relies on community contributors to enhance security. And, it’s not only technical folks, at times a simple observation of a transaction or strange behavior can help avoid bigger issues. Further, the Stacks ecosystem is open-source, with all code openly available meaning many, many eyes have been over any given repo. Notably, Clarity is a human-readable language, so eagle-eyed community contributors have been able to spot smart contracts that could have spurred unexpected results. Another great aspect of community involvement has been that, historically, community contributors take an active approach not just in the identification of bugs or disclosures, but also in their resolution. They have done this via code commits, but also by simply being available to test and re-test as core developers triage. And, last but not least, contributing entities like Hiro and Trust Machines have made dedicated security hires that have not only contributed to increased security of the tools and apps those organizations support, but have also contributed at the network level.Individual Responsibility
In crypto, we’d be remiss in not pointing out that individual responsibility is an important aspect of security for any system that deals with user funds, and the same goes for Stacks. Users are responsible for securing their private keys and practicing good security hygiene to protect their digital assets and data. The use of hardware wallets or secure software wallets is encouraged to safeguard private keys.
Overall, the Stacks ecosystem embraces a collaborative approach to security, with a combination of protocol design, community involvement, and individual responsibility working together to maintain the security of the network and its participants.