Learn five essential questions every Web3 founder should ask themselves to increase the security of their project without incurring additional costs. By addressing these questions, you can proactively enhance your project's robustness and ensure better protection for your users.

Which external components can have a significant impact on my project?

Understanding your resources and the external components influencing your project is crucial for system security. You must comprehend and manage the risks associated with third-party components rather than blindly trusting them. For example, if your project relies on an external bridge or oracle, consider the potential consequences if their teams make a mistake.

  • Identify each component and assess its influence on your project.
  • Consider the impact of individual smart contracts on overall security.
  • Map all potential threats through threat modeling and prepare for potential hacks.

Accepting the risk for external components

What do I need to prove that our solution works?

Be precise in what you are building and avoid unnecessary features that complicate your protocol. A streamlined codebase reduces the attack surface and improves security. Every line of code adds to the workload of developers, auditors, and users who must pay extra gas fees for each instruction.

  • Focus on essential features to keep your codebase small.
  • Analyze user needs instead of predicting them. Avoid "nice to have" features that don't add real value.
  • Minimize code complexity to reduce development, auditing, and user costs.

Files in scope

How much risk am I willing to take?

Accepting responsibility for your project includes managing risks effectively. While aiming for success, you must also be prepared to handle potential failures and their consequences. Trust is hard to build and easy to lose, so consider the long-term implications of your security decisions.

  • Balance your risk appetite with responsibility to users.
  • Consider starting with a lower TVL (Total Value Locked) and a limit on deposits to manage risk better. For example, beginning with 10% of your target TVL can help you raise funds while allocating part of it to security.
  • Implement limits and long-term security measures to ensure stability.

Files in scope

Has anyone built something similar?

Leverage existing, well-audited projects to save time and resources. Reusing proven code and integrating composable smart contracts can enhance your project's security and efficiency. For instance, if you've added several features to an existing project, ask the original audit team to focus only on the changes and their impact.

  • Utilize existing solutions to avoid reinventing the wheel.
  • Focus audits on new features and their impact on the whole if your budget is limited.
  • Save time and resources by building on proven foundations, ensuring inherited features and responsibilities are well understood.

Files in scope

Have I done everything I could to protect myself and my users?

Thoroughly review your security measures and seek feedback. Continuous improvement and vigilance are key to maintaining a secure project environment. Seek professional advice early on, peer-review your code internally, and prepare for all possible scenarios.

  • Try to break the code internally and conduct regular peer-reviews.
  • Ensure comprehensive testing for all usage scenarios.
  • Consult with security professionals at the early stages to get expert insights.

Files in scope


By asking and addressing these critical questions, Web3 founders can significantly enhance the security of their projects for free. Identifying and managing external components, focusing on essential features, balancing risk, leveraging existing solutions, and continuously reviewing security measures are vital steps. Proactive security management not only protects your project but also builds trust with your users, ensuring long-term success and stability.

For further guidance and in-depth strategies on securing your Web3 project, consider exploring our Security Guide. This comprehensive resource provides detailed insights and practical advice to help you navigate the complex landscape of Web3 security.

Want to increase the security of your project?

Let's engage in a conversation. Share details about your current security strategies and measures. This will enable us to provide professional advice on potential enhancements and additional actions that could be beneficial for your security framework.

Composable Security 🛡️⛓️ is a small team with a holistic approach that goes beyond the code. A combination of expertize in Solidity smart contract security and experience gained through 6+ years securing global fintechs and Polish banks help comprehensively take care of DApp security. Learn more about us. Creators of the Smart Contract Security Verification Standard and the first Security Guide for DApps CTOs, Lead Developers, and Security Enthusiasts.

Paweł Kuryłowicz

Paweł Kuryłowicz

Managing Partner & Smart Contract Security Auditor

About the author

Co-author of SCSVS and White Hat. Professionally dealing with security since 2017 and since 2019 contributing to the crypto space. Big DeFi fan and smart contract security researcher.

View all posts (15)