Smart Contract DevOps - Post Deployment

Support

**Follow along with this video:** --- ### Handling Bug Discoveries As a white hat or security researcher, finding a bug in production code requires careful handling. We discussed this topic with OpenZeppelin security expert Michael Lewin, who shared insights from his experience with live scenarios. You can watch the interview [here](https://www.youtube.com/watch?v=KhmRoF1NynM). ### Key Steps When You Find a Bug 1. **Do Not Exploit It**: Exploiting the bug can lead to legal consequences and unintended outcomes. Instead, follow responsible vulnerability disclosure practices. 2. **Contact the Team**: Your first step should be to reach out to the protocol's team. If you can't reach them, consider contacting Seal 911 or another smart contract emergency service. 3. **Secure Communication**: Once in contact, use a secure, encrypted channel like Signal to discuss the vulnerability. Share your audit write-up detailing the issue and its potential impact. 4. **Develop a Fix Plan**: Work with the protocol team to develop a plan to fix the bug. If there are complexities, such as governance windows or immutable code, seek additional help from Seal 911 or similar groups. Use MEV-proof RPC or MEV protection during the fix deployment to prevent exploitation. ### What If Scenarios - **No Security Contact or Bug Bounty**: If you can't find a responsible party, announce a window for users to exit the protocol before public disclosure. This should be a last resort. - **Ignored Bug**: If the protocol ignores the bug, give them a window to respond. If they still do nothing, consider public disclosure, allowing users to leave the protocol safely. - **No Compensation**: If the protocol refuses to pay for your findings, it reflects poorly on them. While you could publicize this, it may backfire. Ideally, protocols should act in good faith and reward security researchers. - **Active Exploitation**: If an attack is already in the mempool, front-running the exploit might be necessary. Legal implications still apply, but safe harbor agreements can provide some protection. ### Summary In an ideal scenario, do not exploit the bug. Instead, contact the protocol team, work with them to fix the issue, and hope for a reward. If complications arise, use the guidelines above to navigate the situation carefully. Responsible disclosure helps maintain security and trust in the web3 ecosystem. --- By following these steps, you can handle bug discoveries responsibly, ensuring the security and integrity of the affected protocol while minimizing potential legal and ethical issues.

What If I Find A Bug

In this lesson we discuss the ethical management of bugs found in the wild and how best to go about reporting them while minimizing legal risks and personal vulnerabilities.

Course Overview

About the course

What you'll learn

Introduction to best practices when working with wallets

Post-deployment security

Post-deployment monitoring

Smart contract DevOps

Course Description

Who is this course for?

Smart contract security researchers
Smart contract engineers
CTOs and CSOs
DevOps professionals

Potential Careers

Smart Contract Auditor

$100,000 - $200,000 (avg. salary)

Smart Contract Engineer

$100,000 - $150,000 (avg. salary)

Meet your instructors

Patrick Collins

Founder at Cyfrin

Web3 engineer, educator, and Cyfrin co-founder. Patrick's smart contract development and security courses have helped hundreds of thousands of engineers kickstarting their careers into web3.

Last updated on March 25, 2025

Thanks for checking us out

Start learning for free

Start for free

Solidity Developer

Smart Contract DevOps

Section 1: Intro

Duration: 17min

Section 2: Wallets

Duration: 1h 20min

Section 3: Post Deployment

Duration: 36min

1. Smart Contract Post Deployment

This lesson focuses on essential pre-and post-deployment steps for securing your protocol, such as setting up contacts and agreements, monitoring, and disaster recovery. Addresses responsible disclosure practices for security researchers, introduces bug bounty platforms, and blockchain investigation tools. Duration: 4min

2. Defi Security Summit

A nudge to watch the DeFi security summit video on the course's GitHub repo! Duration: 0min

3. Pre Deployment Steps

Patrick itemizes the steps that should be taken to best secure a protocol pre-deployment. Duration: 8min

4. Monitoring

In this video, Patrick covers various blockchain monitoring tools, such as Forta, Pessimistic Spotter, OpenZeppelin's Defender, highlighting key features of each tool to help secure protocols. Duration: 2min

5. Forta Bot

In this lesson we learn the high level process to create and deploy custom FortaBots for scanning blockchains and detecting suspicious transactions within a network. Duration: 1min

6. Incident Response

Patrick details best practices and how to respond when things go wrong, emphasizing the need for a plan of action and remaining calm. Duration: 4min

7. What If I Find A Bug

In this lesson we discuss the ethical management of bugs found in the wild and how best to go about reporting them while minimizing legal risks and personal vulnerabilities. Duration: 7min

8. Blockchain Sleuthing

In this tutorial, Patrick introduces tools like OpenChain, Falcon, and Tenderly to analyze transactions post-attack, with a focus on function calls and events. Duration: 5min

9. Recap

This lesson recaps the strategies and methodologies for post-deployment as discussed in this section. Duration: 5min