docs: add security best practices guide #171
Open
DrGalio wants to merge 1 commit into ANAVHEOBA:main from
Comprehensive user-facing guide covering:
- Note management (backup strategies, recovery impossibility)
- Privacy practices (timing, address separation, network privacy)
- Operational security (wallet, transaction privacy, browser fingerprinting)
- Common mistakes (address reuse, immediate withdrawals, small anonymity sets)
- Threat model (what is/isn't protected, known attack vectors)
- Emergency procedures (lost note, compromised wallet, contract paused)

Closes ANAVHEOBA#47
Summary
Adds a comprehensive Security Best Practices guide for PrivacyLayer users, addressing the bounty in #47.
What's Included
The guide covers all six required sections from the bounty:
Note Management — Backup strategies (encrypted USB, password manager, paper, encrypted cloud), why notes must never be shared, and the hard truth that recovery is impossible.
Privacy Practices — Recommended wait times between deposit/withdrawal based on pool size, address separation strategy, pattern avoidance, and network privacy tools (Tor, VPN, own node).
Operational Security — Hardware wallet usage, transaction metadata awareness, browser fingerprinting mitigation, and smart contract interaction hygiene.
Common Mistakes — Five documented anti-patterns with visual diagrams: address reuse, immediate withdrawals, small anonymity sets, address linking, and insufficient backups.
Threat Model — Clear breakdown of what PrivacyLayer does and does NOT protect against, plus five known attack vectors (timing analysis, denomination fingerprinting, relayer centralization, frontend compromise, trusted setup compromise).
Emergency Procedures — Practical steps for lost notes, compromised wallets, paused contracts, and suspected vulnerabilities.
Acceptance Criteria Met
Notes
pause() function and admin role.
Closes #47