As Aptos Mainnet was launched several hours ago, the question becomes valuable: what should be done to keep funds safe in Aptos Blockchain?
Aptos is a new Layer 1 Blockchain with a Safe, Scalable, and Upgradeable Web3 Infrastructure. It is based on verifiable Move Language using resource objects as the main valuable items.
Aptos Resources
The main feature of Aptos is resources: objects that are not possible to drop or copy. In such a way, wasting important resources during module (contract) calls is impossible. However, resources are mostly immutable, module (contract) that manages the resources may provide the functionality of creating/destroying, merging/splitting them.
Every user stores resources under his account, and in such a way, blockchain storage is decentralized. Only the user can register any resource on his account. It makes spam of tokens impossible. However, the user first needs to approve each resource type he wants to receive.
Move Modules & Signer Object
A module is a code deployed to the blockchain. It does not have storage, but it may modify user resources. In such a way, it is essential to remember that modules are only scripts and may call other modules directly without signing a transaction.
The signer object is a resource created on the user transaction signing. It is needed for registering resources under the account. It is used to prove that the user can do the action. However, as was mentioned, modules call each other directly, so the signer object is kept and may be used by any module dependency.
Aptos Coin
The Aptos Coin standard is a truthful example of how resources could be used. Every user needs firstly to register in each coin, and then he can receive/send transfers, use modules (contracts) that need some funds provided, etc.
Aptos coin is not ERC20 compatible. For example, there is no allowances functionality. Instead of it, any script may call the coin module, providing a signer object to withdraw funds.
In such a way, if a malefactor module receives the signer object, it may withdraw all coins stored on the account.
Keeping funds safe
Always follow the rules below in Aptos Blockchain. You may lose all funds in case of neglect them!
- Refrain from calling untrusted contracts from an account with many coins stored. You may join the Discord community to ask if the module (contract) is a scammer or not.
- Read transaction simulation info attentively. Check if the resource changes on your account are what you expect exactly.
- Check module (and its dependencies) upgrades policy. It could be immutable (no code changes are possible) or compatible — be careful (functions code could be updated, and new features may be added).
- You may use trusted coin wrappers to keep funds in a safe place during interactions with new projects. For example, the CoinStorage I wrote is safe: any script can deposit funds there, and only the owner may withdraw funds by direct call outside of the blockchain.
And remember that Smart-Contract Security Audit and passed Bug Hunting stage are one of the best code safety proofs.
