Fordefi's transaction policy engine is a robust and user-friendly DeFi-native solution for establishing organizational controls and governance over transactions and wallets. It serves to protect organizational assets from insider threats, compromised devices, unauthorized actions, and mistakes. The policy engine screens every outgoing transaction, and the policy determines the approval process the transaction has to undergo before being eligible for signing.
When setting up a policy, administrators need to balance security with operational efficiency. Specifically, while a policy that would require three approvers for every transaction would definitely be secure, it would create untenable friction and delay for users and put an overwhelming burden on approvers. It is also bound to cause alarm fatigue, which would eventually hurt security.
The flexibility and expressiveness of Fordefi's policy engine solve this problem by allowing administrators to create fine-grained rules that balance risk against the need for operational efficiency. A good policy minimizes friction for routine, low-risk transactions while keeping the guard up for higher-risk ones.
Here are some tips on how to improve your organization's security and policies.
Varying the number of approvers based on the amount of the transaction is a good risk-mitigation tactic. Indeed, most institutional wallets allow setting amount limits on token transfers. However, those wallets fall short of enforcing such limits when it comes to interactions with smart contracts. The limitation stems from the fact that whereas the amount for a transfer (whether native currency or a standard token such as ERC20) is evident in the transaction, it is less clear how to extract the amount, or even define what the amount is, for an arbitrary contract interaction. Fordefi solves this problem by simulating every transaction and observing its effects on the wallet. The simulation shows any tokens transferred out of the wallet and any tokens received. The policy engine then allows setting limits based on those amounts for any type of transaction.
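As an added illustration (not Fordefi's code or policy format), the following Python sketch shows how approval tiers can be derived from simulated balance changes rather than from a declared transfer amount. The data shapes, tier thresholds and sample transactions are all constructed for this example; it also fails closed to the strictest tier when no simulation result is available.

```python
"""Tiered approvals driven by simulated wallet effects (illustrative only)."""
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class BalanceChange:
    token: str
    amount: Decimal      # positive = received by the wallet, negative = sent out
    usd_price: Decimal   # price used to value the change (constructed)


@dataclass(frozen=True)
class Tier:
    max_usd: Optional[Decimal]  # None = no upper bound
    approvers: int


# Constructed policy: small outflows need no approver, larger ones need more.
DEFAULT_TIERS = (
    Tier(Decimal("1000"), 0),
    Tier(Decimal("50000"), 1),
    Tier(None, 3),
)


def outflow_usd(changes):
    """Sum the USD value of every token leaving the wallet.
    Tokens received are ignored so a swap cannot net out its own outflow."""
    return sum((-c.amount * c.usd_price for c in changes if c.amount < 0), Decimal(0))


def required_approvers(changes, tiers=DEFAULT_TIERS, simulation_ok=True):
    """Pick the approval tier from simulated effects. If the simulation failed
    or reverted, the effects are unknown, so fail closed to the strictest tier."""
    strictest = max(t.approvers for t in tiers)
    if not simulation_ok:
        return strictest
    total = outflow_usd(changes)
    for tier in tiers:
        if tier.max_usd is None or total <= tier.max_usd:
            return tier.approvers
    return strictest


# Constructed samples: a DEX swap (2 ETH out, USDC in), an approve() call that
# moves no funds, and a large plain transfer.
SWAP = [BalanceChange("ETH", Decimal("-2"), Decimal("3000")),
        BalanceChange("USDC", Decimal("5980"), Decimal("1"))]
APPROVE_ONLY = []
LARGE_TRANSFER = [BalanceChange("ETH", Decimal("-20"), Decimal("3000"))]

if __name__ == "__main__":
    for name, tx in [("swap", SWAP), ("approve", APPROVE_ONLY), ("large", LARGE_TRANSFER)]:
        print(name, outflow_usd(tx), "USD ->", required_approvers(tx), "approver(s)")
```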
Stay tuned for the next part of our blog series, where we will explore additional tips on using groups, limiting allowances, and enhancing security for programmatic transactions. Don't miss out on valuable insights to further strengthen your asset security with Fordefi's transaction policy!