
Security: dapinet/dapinet-operator


Security Guide - dAPINet Operator

This document outlines security best practices for running a dAPINet operator safely.


⚠️ CRITICAL: Private Key Management

Rule #1: NEVER Expose Your Private Key

NEVER:

  • ❌ Commit .env files to Git
  • ❌ Share private keys via email, Slack, Discord, etc.
  • ❌ Store keys in plain text files outside of .env
  • ❌ Hardcode keys in source code
  • ❌ Use production keys on testnet (or vice versa)
  • ❌ Take screenshots showing private keys
  • ❌ Copy-paste keys in public channels

ALWAYS:

  • ✅ Use .env files (already in .gitignore)
  • ✅ Store keys in password managers (1Password, LastPass, Bitwarden)
  • ✅ Use environment variables or secret management systems
  • ✅ Create separate wallets for testnet and mainnet
  • ✅ Keep operator wallet separate from personal wallet

🔑 Wallet Setup Best Practices

1. Create a Dedicated Operator Wallet

# Generate a NEW wallet specifically for operating
cast wallet new

# Output:
# Address:     0x1234...5678
# Private key: 0xabcd...ef01

# ⚠️ SAVE THIS SECURELY!

Why? If your operator wallet is compromised, only operator funds are at risk (not your personal funds).

2. Fund with Minimum Required Balance

# Keep only what you need for gas
# Recommended: 0.05-0.1 ETH

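# Transfer from your main wallet
# (a key pasted literally on the command line is saved in shell history;
#  cast send also accepts --interactive to prompt for it instead)
cast send YOUR_OPERATOR_ADDRESS \
  --value 0.05ether \
  --private-key YOUR_MAIN_WALLET_KEY \
  --rpc-url $RPC_URL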

Why? If the wallet is compromised, an attacker can only steal a small amount.

3. Withdraw Revenue Regularly

# Check operator balance
cast balance YOUR_OPERATOR_ADDRESS --rpc-url $RPC_URL

# If > 0.1 ETH, withdraw to cold storage
cast send YOUR_COLD_WALLET \
  --value 0.08ether \
  --private-key $OPERATOR_PRIVATE_KEY \
  --rpc-url $RPC_URL

Why? Don't accumulate large balances in hot wallets.


🛡️ Environment Security

1. Secure Your .env File

# Set restrictive permissions (Linux/Mac)
chmod 600 .env

# Verify
ls -la .env
# Should show: -rw------- (owner read/write only)

2. Use Environment-Specific Configs

dapinet-operator/
├── .env.development  # Local testing
├── .env.staging      # Pre-production
├── .env.production   # Live system
└── .env.template     # Template (no secrets)

# Load environment-specific config
export NODE_ENV=production
npm start

3. Audit Your .gitignore

# Verify .env is ignored
cat .gitignore | grep "\.env"

# Should include:
# .env
# .env.local
# .env.*.local
# !.env.template
# !.env.example

🏒 Production Security Checklist

Infrastructure

  • Run operator on secure VPS/cloud (not personal computer)
  • Use firewall (block all ports except SSH)
  • Enable SSH key auth (disable password login)
  • Keep system updated (apt update && apt upgrade)
  • Use separate user for operator (don't run as root)
  • Enable fail2ban for brute-force protection

Monitoring

  • Set up balance alerts (< 0.02 ETH)
  • Monitor error logs (operator-error.log)
  • Track settlement success rate
  • Enable uptime monitoring (UptimeRobot, Pingdom)
  • Set up log rotation (logrotate)
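
The balance rules in this guide (alert below 0.02 ETH, withdraw once the wallet holds more than 0.1 ETH) can be combined into one check that a cron job or monitor runs. This is an added example, not code from the dAPINet repository; the function names and the 0.05 ETH left in the wallet after a withdrawal are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not dapinet-operator code. The 0.02 and 0.1 ETH thresholds are
# the guide's; function names and the 0.05 ETH float are assumptions.
LOW_WEI=20000000000000000      # 0.02 ETH: alert below this
CEIL_WEI=100000000000000000    # 0.1 ETH: withdraw above this
FLOAT_UNITS=5                  # 0.05 ETH left behind, in units of 0.01 ETH (10^16 wei)

# Exact a < b for non-negative decimal integers of any length. Balances above
# about 9.2 ETH overflow 64-bit shell arithmetic, so compare as digit strings.
wei_lt() {
  a=$(printf '%s' "$1" | sed 's/^0*//'); b=$(printf '%s' "$2" | sed 's/^0*//')
  if [ ${#a} -ne ${#b} ]; then [ ${#a} -lt ${#b} ]; return; fi
  [ "$a" != "$b" ] && [ "$(printf '%s\n%s\n' "$a" "$b" | LC_ALL=C sort | head -n 1)" = "$a" ]
}

# Prints ALERT_LOW, OK, or "WITHDRAW <wei>" for a balance given in wei.
balance_action() {
  case $1 in ''|*[!0-9]*) echo "not a wei amount: $1" >&2; return 2 ;; esac
  w=$(printf '%s' "$1" | sed 's/^0*//')
  if wei_lt "$w" "$LOW_WEI"; then
    echo "ALERT_LOW"
  elif wei_lt "$CEIL_WEI" "$w"; then
    # Above 0.1 ETH the amount has at least 18 digits: split off the last 16
    # and subtract the float from the leading part, which fits in 64 bits.
    high=${w%????????????????}
    low=${w#"$high"}
    echo "WITHDRAW $((high - FLOAT_UNITS))$low"
  else
    echo "OK"
  fi
}

# Live check. Assumes Foundry's cast is installed and RPC_URL is set.
check_operator_balance() {
  balance_action "$(cast balance "$1" --rpc-url "$RPC_URL")"
}
```

A balance of 0.13 ETH yields a withdrawal of 0.08 ETH, the amount used in the withdrawal command earlier in this guide.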

Access Control

  • Limit SSH access (use bastion/jump host)
  • Use VPN for administrative access
  • Enable 2FA on cloud provider accounts
  • Audit who has access to servers
  • Rotate SSH keys regularly

🚨 Incident Response

If Your Private Key is Compromised

Immediate Actions:

  1. STOP the operator service

    sudo systemctl stop dapinet-operator
    # or
    pm2 stop dapinet-operator
  2. Transfer remaining funds

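    # Send the remaining ETH to a safe wallet. Sending the exact balance fails
    # because nothing is left to pay gas, so hold back a small reserve.
    BALANCE=$(cast balance YOUR_OPERATOR_ADDRESS --rpc-url $RPC_URL)
    GAS_RESERVE=1000000000000000   # 0.001 ETH in wei (assumed; size it to current gas cost)
    cast send YOUR_SAFE_WALLET \
      --value $(echo "$BALANCE - $GAS_RESERVE" | bc) \
      --private-key $COMPROMISED_KEY \
      --rpc-url $RPC_URL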
  3. Create new wallet

    cast wallet new
  4. Update registrations

    # Re-register APIs with new operator address
    cast send $CONTRACT_ADDRESS \
      "registerApi(bytes32,uint256)" \
      $(cast keccak "your-api-id") \
      $PRICE \
      --private-key $NEW_OPERATOR_KEY \
      --rpc-url $RPC_URL
  5. Update .env with new key

If Your Server is Compromised

  1. Isolate the server (disconnect from network)
  2. Audit access logs (/var/log/auth.log)
  3. Check for unauthorized transactions (Arbiscan)
  4. Rebuild server from scratch (don't reuse compromised system)
  5. Rotate ALL credentials (SSH keys, API keys, private keys)

Security Auditing

Regular Security Checks

# 1. Check file permissions
ls -la .env
# Should be: -rw------- (600)

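# 2. Audit Git history for leaked secrets (commits that touched a .env file)
#    Quote the pathspecs so the shell does not expand them before Git sees them
git log --all --full-history --source -- '.env' '**/.env'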

# 3. Check open ports
sudo netstat -tulpn | grep LISTEN

# 4. Review recent logins
last -a | head -20

# 5. Check for suspicious processes
ps aux | grep -E "(node|tsx|npm)"
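
Checks 1 and 2 above, plus a scan for keys hardcoded in source, can be scripted so they fail loudly in CI or before a deploy. This is an added example, not code from the dAPINet repository; the function names are hypothetical and the key pattern (optional 0x followed by 64 hex digits, assigned to a name containing KEY) is an assumption that can also match other 32-byte values.

```shell
#!/usr/bin/env bash
# Added example, not dapinet-operator code; all function names are hypothetical.

# Assumed key form: optional 0x + 64 hex digits assigned to a name containing KEY.
KEY_RE="KEY[a-z0-9_]*[\"']?[[:space:]]*[:=][[:space:]]*[\"']?(0x)?[0-9a-f]{64}([^0-9a-f]|\$)"

# Succeeds only if FILE exists with mode 600 (tries GNU stat, then BSD/macOS stat).
env_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
  [ "$mode" = "600" ]
}

# Prints file:line for every hardcoded key under the given paths and returns 0
# if there was at least one. The key value itself is never echoed. .env files
# are skipped here because the mode and Git checks cover them.
find_hardcoded_keys() {
  hits=$(find "$@" -type f ! -name '.env' ! -name '.env.*' \
           ! -path '*/.git/*' ! -path '*/node_modules/*' \
           -exec grep -EniH -- "$KEY_RE" {} + 2>/dev/null | cut -d: -f1,2)
  [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Succeeds if any commit on any ref ever touched a .env file in repo DIR.
env_ever_committed() {
  [ -n "$(git -C "$1" log --all --format=%h -- '.env' '**/.env' 2>/dev/null)" ]
}

# Runs every check against repo DIR; returns non-zero if anything failed.
audit_operator_repo() {
  dir=$1; rc=0
  env_mode_ok "$dir/.env" || { echo "FAIL: $dir/.env is not mode 600"; rc=1; }
  git -C "$dir" check-ignore -q .env || { echo "FAIL: .env is not ignored by Git"; rc=1; }
  if env_ever_committed "$dir"; then echo "FAIL: .env appears in Git history"; rc=1; fi
  if find_hardcoded_keys "$dir"; then echo "FAIL: hardcoded key(s) listed above"; rc=1; fi
  return $rc
}
```

Run `audit_operator_repo .` from the operator checkout; a hit in Git history means the key must be rotated, since removing the file in a later commit does not remove it from earlier ones.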

Automated Security Scanning

# Install security tools
npm install -g snyk audit-ci

# Scan for vulnerabilities
npm audit
snyk test

📋 Security Incident Log Template

Keep a record of security events:

# Security Incident Log

## [Date] - Incident Type

**Severity:** Critical / High / Medium / Low
**Status:** Detected / In Progress / Resolved

### Description
[What happened]

### Impact
[What was affected]

### Actions Taken
1. [Step 1]
2. [Step 2]

### Prevention
[How to prevent in future]

Advanced Security (Optional)

1. Hardware Security Modules (HSM)

For high-value operations, consider an HSM for key storage:

# AWS CloudHSM, Google Cloud HSM, Azure Key Vault
# or hardware like Ledger, Trezor

2. Multi-Signature Wallets

Use a Gnosis Safe for the operator wallet:

# Require 2-of-3 signatures for withdrawals
# Even if one key is compromised, funds are safe

3. Air-Gapped Key Generation

Generate keys on an offline machine:

# On air-gapped machine (never connected to internet)
cast wallet new > operator-wallet.txt

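# Encrypt with GPG first, then transfer only operator-wallet.txt.gpg via USB
gpg --symmetric operator-wallet.txt
# gpg leaves the plaintext file in place; it must not leave the air-gapped machine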

4. IP Whitelisting

# Only allow operator to connect from specific IPs
# Configure in firewall or at RPC provider level

📚 Additional Resources


🆘 Reporting Security Issues

If you discover a security vulnerability in dAPINet:

  1. DO NOT open a public GitHub issue
  2. Email: security@dapinet.io
  3. Include: Detailed description and reproduction steps
  4. PGP Key: Available at https://dapinet.io/security-pgp

We aim to respond within 24 hours.


✅ Security Checklist

Before going to production, verify:

  • .env file has 600 permissions
  • Private key is NOT in Git history
  • Dedicated operator wallet (not personal wallet)
  • Minimum ETH balance in operator wallet (≤0.1 ETH)
  • Firewall configured and enabled
  • SSH password login disabled
  • Monitoring and alerts configured
  • Backup of private key in secure location
  • Incident response plan documented
  • Regular security audits scheduled

Security is not a one-time task. Review this guide regularly! 🔒
