OVERVIEW
Security checklist
Please ensure the following security suggestions are followed during the configuration process to maximize the safety and integrity of your organizationās operations.
It is recommended to strictly configure transaction policies, especially for large withdrawal scenarios. Particular attention should be given to token transfer policies in off-chain transaction policies to avoid high-risk situations, such as:
To request a more comprehensive security assessment of your organizationās configuration, please contact our customer support team.
Risk controls
Cobo Portal offers a variety of risk control mechanisms designed to address the challenges in storing, managing, and transferring digital assets.User roles and permissions
User roles consist of predefined sets of rules that enable you to assign specific permissions to designated members within your organization.- Configure at least two Admins to ensure cross-verification and mutual backup. Other roles can be assigned appropriately based on actual needs.
- It is not recommended to assign multiple roles to the same member.
Transaction policies
You can effortlessly create and edit both on-chain and off-chain transaction policies, and automate how each transaction will be handled by setting up an approval action.On-chain transaction policies are governed by smart contracts on the blockchain networks, and only applies to Smart Contract Wallets. Off-chain transaction policies, on the other hand, are managed by the backend system of Cobo Portal and apply to all wallet types.
- having no transaction policies
- having transactions that are not covered by a transaction policy
- automatically approving all transactions
- allowing the same role to both withdraw and approve transactions
Governance policies
Governance policies determine the approval rules under which an operation will be approved or rejected. The following list includes crucial operations in Cobo Portal, and it is recommended to configure two or more Admins for their approval.- Invite members
- Change membersā user roles
- Edit governance policies
- Authorize Cobo Portal apps
- Change Cobo Portal appsās permissions
- Change Cobo Portal appsās workflows
- Manage transaction policies
- Manage addresses in Address List
- Manage API keys
- Edit custom user roles
Admin authentication
To enhance security and reduce the risk of account compromise, it is strongly recommended that all Admins enable at least two authentication methods, with Cobo Guard as one of them. Recommended combinations include:- Cobo Guard and Google Authenticator (GA)
- Cobo Guard and security key
Install GA on a different device than Cobo Guard to prevent loss of access if one device is lost.
API key settings
Admins and Operators can register API keys on the Developer Console and assign specific user roles, permissions, and IP whitelists.- Use permanent API keys, set up the IP whitelist and configure the callback endpoint.
- Assign the wallet scope properly, and avoid selecting any type wallet.
MPC Wallets-related configurations
Key share holder groups
With MPC technology, private key shares are individually generated within separate secure environments, encrypted, and divided amongst multiple parties. A set of key share holders is referred to as a holder group.- To ensure the safety and recoverability of your assets, create at least one Signing Group and one Recovery Group in addition to the Main Group.
- For Main and Recovery Groups, choose high-ranking executives in your organization as key share holders, preferably with Viewer roles to minimize their involvement in daily operations. For Signing Groups, key share holders can be selected from various organizational levels based on operational needs and security considerations.
- The same private key share holder (the same TSS Node ID) should not belong to different types of key share holder groups simultaneously, such as both the Main Group and the Signing Group. If this situation occurs, please ensure that there is more than one Signing Group.