41. Security Update March 2022: Illuvium is committed to improving user security across our ecosystem.
Illuvium continues to invest in increased security measures across our ecosystem. Improving our security systems, mechanisms, and techniques throughout our platforms and services is how we work to stay ahead of evolving threats and take immediate action to protect our community. For context, read article “38. Update on sILV Exploit and Discord Security Incident.”
What Illuvium is doing now
We have expanded our security capabilities by building out both the cyber security team and the incident response team and establishing relevant security processes.
Our Communications Policy
Please be aware that we do not communicate the way many other projects do. We do this for your safety. Please read and learn the ways in which we interact with the community.
- Before posting a promotion on social media (including Discord) we will update our website’s promotions page (which will be live soon) and the #🔗│helpful-links channel on our Discord, so that you can verify the promotion. Promotions are always announced in advance so that you don’t need to rush.
- We ask that you bookmark our website, or use the #🔗│helpful-links channel on our Discord. Do not visit any Illuvium page any other way. Always use safe methods.
- We don’t operate flash sales or giveaways. If you see one, report it. Do not connect your wallet to anything that claims to be a limited sale.
- We will sometimes use social media to post general links, such as to YouTube or a Medium article.
- Read the announcements. Read the white paper. This will help keep you informed and stop the spread of misinformation.
Heading our security team is Core Contributor Cag, who joins us with extensive experience in offensive and defensive security domains. Notably, he has worked at Mozilla and Atlassian, where he completed numerous technical security assessments, responded to security incidents and escalations, and ran bug bounty programs. His experience in security reviews, risk assessments and operational security makes him a valuable addition to our security team. At Illuvium, he primarily works on securing our infrastructure and applications.
We have implemented security practices uniformly with our Core Contributors and Community Moderators.
We provide all internal team members with:
- Increased phishing alerts and reminders, and will conduct phishing exercises
- Antivirus software
- Security Awareness Training (currently in development)
- Guidelines on fundamental security concepts
In addition to existing requirements such as:
- Multi-Factor Authentication for all Illuvium services
- Use of a password manager
We have engaged the external cybersecurity platform ZeroFox to disrupt phishing attacks, impersonations, malicious domains and data leakage across the public, deep, and dark web. Their suite of capabilities for detecting and deterring malware, scams, and counterfeit attempts on social media and digital channels allows us to take down phishing websites and social accounts posing as Illuvium or as Illuvium-affiliated.
We have added additional security audits for our smart contracts:
- Quantstamp: Security Assessment Certificate (Illuvium Part 4 — Staking v2)
- PeckShield: Smart Contract Audit Report for Illuvium Protocol (Staking Contracts v2)
- samczsun (Security Researcher and external auditor) is a white hat who is very selective about the projects he conducts vulnerability research on. He performed an analysis of the most critical parts of the contract.
We are launching a Bug Bounty Program through Immunefi.
A Bug Bounty Program encourages security research and rewards those who report security issues ethically, helping to secure software projects, platforms, and services. Immunefi is the leading and largest bug bounty and security services platform for Web3 and blockchain projects, and already works with big-name projects such as Synthetix, Chainlink, SushiSwap and PancakeSwap.
Immunefi will help us connect with security researchers by giving them a platform to ethically find and report vulnerabilities in our assets. Enabling this communication will improve our security posture.
Be vigilant in protecting yourself from scams.
Keep your personal information safe and private. Only you can ensure this. Never give out your seed phrase to anyone, just as you would never give out your passwords. Illuvium will never ask you to authorise your wallet for a promotion. We will never ask for your passwords or wallet seed phrase, even to help troubleshoot issues you are facing. Do not ever give out your seed phrase! It is your responsibility to check every time you connect your wallet and authorise any transaction.
Always triple check the exact spelling and domain of web addresses you interact with. Illuvium’s official website ends in .io, not .com, .org, or any other domain suffix. We recommend you bookmark the Illuvium website and only access it through your bookmarks, never through links.
MetaMask users: verify that you have the correct version of MetaMask installed in Chrome (e.g. the extension namespace nkbihfbeogaeaoehlefnkodbefgpgknn). If you don’t know how to verify MetaMask or verify your blockchain transactions, do not use MetaMask or make blockchain transactions until you fully understand how to.
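As an added illustration of the domain-checking advice above (this is not code from Illuvium), a small Python check that accepts only HTTPS links to an assumed official host, illuvium.io, and rejects the common lookalike forms: a different suffix, the real name used as a subdomain of another site, the real name placed in the credentials part of the URL, and homoglyph or punycode hosts. The host name and the sample links are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# Assumed official hostname: the post only says the official site ends in .io.
OFFICIAL_HOST = "illuvium.io"


def is_official_illuvium_url(url: str) -> bool:
    """Return True only for HTTPS URLs whose host is OFFICIAL_HOST or a
    subdomain of it; every lookalike or parsing trick returns False."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:          # e.g. malformed IPv6 brackets
        return False
    if parts.scheme != "https":
        return False
    # "https://illuvium.io@evil.example/" parses the official name as
    # credentials and evil.example as the host; reject any userinfo.
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").rstrip(".")   # urlsplit lowercases it
    if not host:
        return False
    # Homoglyph domains (a Cyrillic 'i', for instance) either stay
    # non-ASCII or encode as xn-- labels; the official host is plain ASCII.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False
    # Exact match or a real subdomain; "illuvium.io.evil.example" fails here.
    return host == OFFICIAL_HOST or host.endswith("." + OFFICIAL_HOST)


# Constructed sample links of the kind a user might be sent; none are real.
CONSTRUCTED_LINKS = [
    "https://illuvium.io/",
    "https://ILLUVIUM.IO./staking",
    "https://illuvium.com/",
    "https://illuvium.io.evil.example/",
    "https://illuvium.io@evil.example/",
    "http://illuvium.io/",
    "https://xn--illvium-rkb.io/",
]


def classify_links(links):
    """Map each link to its verdict, for review or logging."""
    return {link: is_official_illuvium_url(link) for link in links}


if __name__ == "__main__":
    for link, ok in classify_links(CONSTRUCTED_LINKS).items():
        print(f"{'OK      ' if ok else 'REJECTED'} {link}")
```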
Use a “hot wallet” for day-to-day activity, holding only as many funds as you can afford to lose. Keep most of your funds in a “cold wallet” that is never touched.
Illuvium will never launch stealth mints or flash giveaways — ever.
We don’t give away anything that will be usable in the game. We announce Illuvium events in advance to allow users time to prepare for the airdrop, sale, or contest. We always ensure a very long lead time between announcements and giveaways for your safety.
Check our official social channels, such as our verified Twitter account, to confirm that Illuvium announced the offering with identical information and instructions.
If it’s too late and you have collected a prize from a potential scam, please don’t touch any NFTs in your wallet until you have verified them with the project.
Safety tips and reminders when on Discord:
The Illuvium Discord server is the central hub of our community activity. While enjoying this interactive space where you can connect and get to know our project, we ask that you remain as vigilant about safety here as you must in all online activities.
Every community member currently on our server, and all future members, must read and agree to the conditions of entry. These conditions acknowledge that Illuvium will never DM you first. If you receive a message claiming to be a Core Contributor, even if their name and profile picture appear to match, assume it is illegitimate.
- Community Mods don’t have the Illuvium suffix in their usernames in DMs.
- Nobody from the Illuvium team will ever direct-message you to announce a giveaway or claim that you have won a giveaway. For their own protection, we encourage users to turn off DMs from server members in their Privacy Settings.
- Never click on links from a user you don’t know and haven’t verified the identity of, especially if the link points to an unfamiliar destination, downloadable file, or executable app.
- Never enter a screen-share with a person you don’t know and haven’t verified the identity of. Illuvium will never request screen-share.
- When in doubt, confirm it in the Illuvium Discord. Read our channels to see if the information is accurate or a known, previously reported scam. Post about the potential scam in an official channel to report it to a Community Mod or Core Contributor, such as #report-scammers.
- Scammers are always lurking and pounce on users who appear open to being contacted by a stranger. If you ask something in #💁help, you might get a scammer messaging you. Just block them. Or better yet, turn off DMs from the server. Please wait for a Community Mod or Core Contributor to respond and verify their role/identity within the channel.
Illuvium is committed to your security.
We take all security issues very seriously. We continuously invest in stronger security protocols and measures to stay ahead of threats as they evolve. Alongside our efforts to bolster security, we remain committed to maintaining transparency with our DAO.
Keeping you informed provides security assurance of our methods and response actions and empowers our community to protect themselves and each other. We thank our Illuvium community for joining our collective effort to safeguard our DAO.