The use of this site and the content contained therein is governed by the Terms of Use. When you use this site you acknowledge that you have read the Terms of Use and that you accept and will be bound by the terms hereof and such terms as may be modified from time to time.
All text, graphics, audio, design and other works on the site are the copyrighted works of nasscom unless otherwise indicated. All rights reserved.
Content on the site is for personal use only and may be downloaded provided the material is kept intact and there is no violation of the copyrights, trademarks, and other proprietary rights. Any alteration of the material or use of the material contained in the site for any other purpose is a violation of the copyright of nasscom and / or its affiliates or associates or of its third-party information providers. This material cannot be copied, reproduced, republished, uploaded, posted, transmitted or distributed in any way for non-personal use without obtaining the prior permission from nasscom.
The nasscom Members login is for the reference of only registered nasscom Member Companies.
nasscom reserves the right to modify the terms of use of any service without any liability. nasscom reserves the right to take all measures necessary to prevent access to any service or termination of service if the terms of use are not complied with or are contravened or there is any violation of copyright, trademark or other proprietary right.
From time to time nasscom may supplement these terms of use with additional terms pertaining to specific content (additional terms). Such additional terms are hereby incorporated by reference into these Terms of Use.
Disclaimer
The Company information provided on the nasscom web site is as per data collected by companies. nasscom is not liable on the authenticity of such data.
nasscom has exercised due diligence in checking the correctness and authenticity of the information contained in the site, but nasscom or any of its affiliates or associates or employees shall not be in any way responsible for any loss or damage that may arise to any person from any inadvertent error in the information contained in this site. The information from or through this site is provided "as is" and all warranties express or implied of any kind, regarding any matter pertaining to any service or channel, including without limitation the implied warranties of merchantability, fitness for a particular purpose, and non-infringement are disclaimed. nasscom and its affiliates and associates shall not be liable, at any time, for any failure of performance, error, omission, interruption, deletion, defect, delay in operation or transmission, computer virus, communications line failure, theft or destruction or unauthorised access to, alteration of, or use of information contained on the site. No representations, warranties or guarantees whatsoever are made as to the accuracy, adequacy, reliability, completeness, suitability or applicability of the information to a particular situation.
nasscom or its affiliates or associates or its employees do not provide any judgments or warranty in respect of the authenticity or correctness of the content of other services or sites to which links are provided. A link to another service or site is not an endorsement of any products or services on such site or the site.
The content provided is for information purposes alone and does not substitute for specific advice whether investment, legal, taxation or otherwise. nasscom disclaims all liability for damages caused by use of content on the site.
All responsibility and liability for any damages caused by downloading of any data is disclaimed.
nasscom reserves the right to modify, suspend / cancel, or discontinue any or all sections, or service at any time without notice.
For any grievances under the Information Technology Act 2000, please get in touch with Grievance Officer, Mr. Anirban Mandal at data-query@nasscom.in.
Are you planning to create a dedicated AppChain for your dApp? Are you aware of the security considerations? Appchains or application-specific blockchains have recently grown in popularity with their ability to provide web3 organizations greater freedom over economic structure, governance, and consensus mechanism for dApps. Considering all the advantages, many enterprises are building AppChain for dApps. Talking about the web3 startups, who have not yet invested in AppChains, they are transitioning their applications to the AppChain ecosystem. However, for successful adoption, AppChain security is critical. If you don’t abide by the best AppChains security practices, your dApp security and integrity are always at stake, which can cause serious issues like data breach and hacking. Therefore, this guide talks about the security vulnerabilities and best practices of AppChains. Based on your use cases, you can choose relevant security implications to enforce on your custom blockchain.
A Dive into Appchain’s advantages and Adoption
AppChains have unique advantages, such as enhanced customizability, performance, and ownership management. Within less time, AppChains has grown in popularity that has encouraged popular blockchains like Polkadot, Binance, Cosmos, Avalanche, and Polygon to build Polkadot Parachains, Binance Smart Chain, Cosmos Zones, Avalanche Subnets, and Polygon Supernets, respectively. These AppChains enable organizations to build application-specific blockchains with unparalleled AppChain security, custom features, functionalities, and performance, along with the freedom to do upgrades as required. There is much to learn about AppChains, AppChain security, use cases, and its working. Want to cover all those details?
Security concerns and best practices of top-four AppChains
AppChains, like every other blockchain network, are prone to security risks. As we know, AppChains are custom blockchains that facilitate and manage every component, such as wallets, bridges, explorers, and various nodes, which demand reliable security and encryption. To date, many blockchains have suffered security challenges such as resource/energy inefficiency, poor performance, unauthorized access, and unsophisticated governance mechanisms. Hence, let’s look into the AppChains security implications of the previously discussed top four AppChains; Polkadot Parachains, Cosmos Zones, Avalanche Subnets, and Polygon Supernets, so that you can understand how you can conceal network security for your AppChains abiding by the best AppChain security practices of prominent AppChain networks.
Substrate Parachains
Parachains are built using the Substrate framework, hence let’s explore the security implications of Substrate and Parachains to understand how AppChains can avoid security threats:
Smart contract security
On Substrate, WebAssembly and Solidity contracts are the standard smart contract that provides reliable security. Regarding ideal libraries, use FRAME library and C++ (with support for C++17) compiler. For Solidity-based smart contracts, use the Solidity library and the Solang Solidity compiler.
Account and keys management
Parachains allow you to build security into on-chain operations such as the security of funds through:
Cold- Stash account key
warm- Controller account key
Hot- Session keys.
Likewise, this AppChain maintains security of offline devices to limit the permission of multi-signature accounts. Following are the components that Substrate Parachain uses for this:
Multi-signature accounts
Proxy accounts
Ledger hardware wallet management
Parachains use Ledger Hardware wallet to encrypt private keys and sign the desired transactions online, preventing the risks of threats and security shredding. You can use this hardware wallet to Ledger Live App to buy cryptos, invest in assets, and manage digital assets. With Ledger Live, you can easily collect rewards and parachain tokens from two ledger accounts; Legacy and Crowdloan.
Validators security
Validators are responsible for keeping the consensus secure and verifying the state transitions. Hence, validators should strictly fulfill the below criteria:
Must disable RPC access from external machines.
Must ensure high availability.
Must have enough stake from themselves and nominators.
Must have a powerful infrastructure setup to protect validators’ signing keys so that attackers cannot breach the network security to perform slashable activities.
Must control the reward wallet and its private key by themselves, even when third-party providers like Zeeve manage nodes. However, Zeeve offers a purely non-custodial wallet for transparency and privacy.
Gas fee configuration
Parachain allows users to configure Gas or transaction fees by adjusting the WeightToFee calculation from the Pallet Transaction Payment Configuration.
Precompiled contracts security
Parachains (like Moonbeam) offers precompiled contracts to enhance developer experience, but it has some security concerns, including the following:
Whitelisting safe contracts: Controls what calls are safe and allow only whitelisted contracts to be safe.
Whitelisting safe function selectors: Controls various functions and allows only safe functions to be executed.
Bypassing Sender vs Origin checks: Compares the addresses of the tx.origin and msg.sender and ensures that both are the same address to call the functions.
Blockchain metrics monitoring
By putting a Blockchain Metrics Monitoring feature in place, AppChains can keep track of the real-time performance and health of the network. On top of that, the system should be able to produce alerts on the possible issues of AppChains, including downtime, high CPU usage, and memory running out to ensure high performance.
Cosmos Zones
Smart contracts security
Comos Zones offers a reliable smart contract platform— CosmWasm, which focuses highly on security, performance, and inter-chain interoperability. CosmWasm’s architecture is optimized to prevent all the malicious activities and risks associated with WebAssembly smart contracts.
Validators security
Validators for Cosmos are allowed to participate in the consensus after they get authorized through broadcasting cryptographic signatures, which guarantees no bad actors join the Cosmos network’s validator set.
Gas limit
Cosmos network uses Block Gas Meter to track gas usage and ensure that the block does not consume too much gas on a transaction.
Forking
Cosmos Zones implements fork-accountability as a guarantee to identify the reason for consensus failure and to penalize the responsible parties i.e., validators or other participating nodes. Further, long rage attacks on Cosmos are eliminated through Tendermint Light Clients.
Ledger hardware wallet management
Cosmos supports Ledger Nano — a hardware wallet to store private keys and allows transactions to be signed offline, preventing attacks and threats. The wallet can also be connected with Ledger Live App, allowing you to stake, earn passive income, track balance in real-time, transaction history, and more.
Avalanche Subnets
Validators security
Subnets maintains AppChain security by only granting validation permission to nodes that meet the below criteria:
Should Maintain online presence 100% of the time.
Should frequently call API method – info.uptime to check node uptime and ensure it is close to 100%. Further validator node-related information is provided via Validator Health dashboard.
Should specify essential information to the validator set- Node’s ID, Start and stop validation time, staking amount of AVAX tokens, wallet address, and delegation fee.
Should maintain a minimum of 80% uptime and weightage for validators.
Should manage and secure their Staking Key, as losing this will jeopardize their validation reward.
Smart contract security
Smart contracts transactions on Avalanche Subnets are executed in line with the “optimistic rollup” feature, which ensures AppChain security. ORU further boosts the transaction speed, lowers the gas fee consumption, and thus boosts overall security for Subnets contracts.
Precompiles
Subnets offer Subnet-EVM with custom functionalities in precompiled contracts. AppChains developers can activate their application-specific precompiles through ChainConfig while setting up Genesis or during upgrades. The following are five important precompile parameters to consider:
Controlling who can deploy smart contracts: If you want to control who can deploy smart contracts on Subnet or your AppChain, use AllowList configuration with the genesis file, or you can also upgrade the file.
Controlling who can submit transactions: To restrict which addresses can submit transactions, you need to activate precompile and provide AllowList configuration within the genesis file.
Minting the native tokens: Precompiled contract allows you to activate the feature to mint native tokens (coins) by providing nativeMinterConfig within the genesis file.
Configuring parameters of dynamic fee: You can activate the feature to configure the dynamic fee parameters by using FeeConfigManager within the genesis file.
Configuring fee reward mechanisms: You can configure the fee reward mechanism within the precompile contract– RewardManager. Configuration can be about burning fees, sending rewards to a predefined address, or allowing block producers to collect the fees.
Note: You can do configuration as per your use case requirements or upgrade it anytime.
In addition to Precompiled contract-based configurations, you can configure initial parameters like setting gas usage limits, custom fee tokens, and airdrops for your AppChains using the same Subnet-EVM, a fork of the Ethereum Virtual Machine.
Ledger hardware wallet management
Subnets support a range of hardware wallets— Ledger Stax, Ledger Nano X, Ledger Nano S Plus which are encrypted ledger devices to store the AVAX tokens offline to protect the network against emerging malicious activities , data breach, and digital hacking. Also, you can manage the tokens like buy, send/receive, check transactions history, and more by connecting your hardware wallet to any Avalanche-compatible third-party wallet.
Polygon Supernets
Transactions and peers
Supernets’s PolyBFT consensus is based on a libp2p protocol that offers identity management, peer discovery, and peer routing to ensure only valid peers can deploy smart contracts for the Supernets and complete their purpose, like building decentralized applications or running validators. Subnets also implement a peer-to-peer messaging protocol called Gossipsub that broadcasts new and Relay (smart contract) transactions across the nodes for reliable propagation of messages while reading the network’s overall bandwidth requirements.
Smart contracts
EVM is the Subnets’ core infrastructure to deploy and manage smart contracts on AppChain and ensure AppChain security. As discussed, the smart contract transactions must be validated as per libp2p protocol’s security parameters.
Validators
To become Polygon Supernets validator, participants must be authorized to set up signing nodes, synchronize the data, and stake their tokens on staking management contracts available on the Ethereum mainnet.
Access control lists
Avalanche Supernets provide comprehensive access control lists to maintain security. ACLs allow the ‘Admin(s)’ and the ‘Enabled’ to manage and control AppChain-specific configurations, contracts, resources, and more. Let’s look at a few major ACLs that ensure a highly secure and controlled environment to run applications:
Contract Deployer Allow/Block Lists: Determines the ideal participants to deploy smart contracts on the Subnets.
Transactions Allow/Block Lists: Determines the eligible addresses that can send transactions on the Sunsets
Bridge Allow/Block Lists: Manages and limits the access to the bridge and its various functionalities.
Gas configuration
Gas amount/gas price, transaction fee, and network functionalities on Polygon Supernets are also controlled and managed as per the configurations of the ACL-enabled contract. As such, AppChain developers must build a pre-compiled alternative ACL-enabled contract with customized parameters to restrict gas usage and transaction after a certain usage threshold.
Ledger hardware wallet management
Supernets support Ledger Nano — a hardware ledger wallet that securely stores tokens and private keys and manages transactions regularly while encrypting the sensitive information against hackers. You can choose between Nano S plus and Nano X ledger wallet based on your requirements.
Bridge security
Supernets offer a built-in bridge that facilitates cross-chain interaction. As the bridge mechanism requires communication with multiple EVM networks, it can become an entry point for hackers if security is not in place. Therefore Subnets allocate a highly configured token contact on both the root and the target chain. The contract tracks the asset transfer, identifies users’ authorization, and authenticates that tokens are minted and burned as expected. Moreover, the users of bridges are required to be an expert in utilizing cross-chain bridges.
A comparison of various AppChains’ security implications
About The Author
Dr. Ravi Chamria is co-founder CEO of Zeeve Inc, an Enterprise Blockchain company. He has an experience of 18+ years in IT consulting spanning across Fintech, InsureTech, Supply Chain and eCommerce. He is an executive MBA from IIM, Lucknow and a prolific speaker on emerging technologies like Blockchain, IoT and AI/ML.
Passionate About: Blockchain, Supply Chain Management, Digital Lending, Digital Payments, AI/ML, IoT
That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.
Zeeve is an enterprise-grade Blockchain Infrastructure Automation Platform. Join the growing list of clients that trust us with their Blockchain initiatives
Insurtech, a convergence of insurance and technology, represents the application of technology-driven innovations to the insurance value chain. In India, it is transforming the way insurance is bought, sold, and managed. According to the ICICI…
The world of blockchain has now an explosion in the number of active decentralized applications and users engaging with them. However, this surge in usage has also exposed the limitations of legacy blockchain architectures and gave birth to new…
Introduction to Blockchain Development for Supply Chain Management:
Blockchain technology has rapidly gained prominence in various industries, offering innovative solutions to longstanding challenges. In the realm of supply chain management,…
Whether you are building a dApp or you want to enhance the functionality of your existing web3 applications– you must need indexed on-chain data from a range of blockchains and decentralized networks. However, querying data out of the blockchain’…
Diving deep into the nuances of both Public blockchains
Polygon PoS and Polygon zkEVM are two different public blockchains within the Polygon ecosystem, each with its own characteristics and role. In this article, we will explore the main…
Rollups and Parachains– both are viable solutions for tackling the scalability issue from blockchain ecosystems. However, these two scaling solutions are designed differently to serve specific enterprise needs. As we know, Rollups uses the…