Security checklist
Please ensure the following security suggestions are followed during the configuration process to maximize the safety and integrity of your organization’s operations.
Risk controls
Cobo Portal offers a variety of risk control mechanisms designed to address the challenges in storing, managing, and transferring digital assets.
User roles and permissions
User roles consist of predefined sets of rules that enable you to assign specific permissions to designated members within your organization.
- Configure at least two Admins to ensure cross-verification and mutual backup. Other roles can be assigned appropriately based on actual needs.
- It is not recommended to assign multiple roles to the same member.
For more details, see User roles and permissions.
Transaction policies
You can effortlessly create and edit both on-chain and off-chain transaction policies, and automate how each transaction will be handled by setting up an approval action.
Transaction policies are an important security measure for your organization. It is recommended to strictly configure these policies, especially for large withdrawal scenarios, to avoid high-risk situations, such as:
- having no transaction policies
- having transactions that are not covered by a transaction policy
- automatically approving all transactions
- allowing the same role to both withdraw and approve transactions
For more details, see Introduction to transaction policies.
Governance policies
Governance policies determine the approval rules under which an operation will be approved or rejected.
The following table lists crucial operations in Cobo Portal, and it is recommended to configure two or more Admins for their approval.
- Invite Members
- Change Members’ User Roles
- Edit Governance Policies
- Authorize App
- Change App Permissions
- Change App Workflow
- Manage Transaction Policies
- Manage Addresses in Address List
- Manage API Keys
- Edit Custom User Roles
For more details, see Introduction to governance policies.
MPC Wallets-related configurations
Key share holder groups
With MPC technology, private key shares are individually generated within separate secure environments, encrypted, and divided amongst multiple parties. A set of key shares is referred to as a holder group.
- To ensure the safety and recoverability of your assets, create at least one Signing Group and one Recovery Group in addition to the Main Group.
- The same private key share holder (the same TSS Node ID) should not belong to different types of key share holder groups simultaneously, such as both the Main Group and the Signing Group. If this situation occurs, please ensure that there is more than one Signing Group.
For more details, see Holder group overview.
Key share backup and recovery
After you have successfully generated a key share, you can back it up to ensure its safety and recoverability. Securely store the recovery phrase and encrypted database password for key share backup. If lost, data cannot be recovered.
For more details, see Mobile signer backup key share instructions and Server signer backup key share instructions.
API key settings
Admins and Operators can register API keys on the Developer Console and assign specific user roles, permissions, and IP whitelists.
- Use permanent API keys, set up the IP whitelist and configure the callback endpoint.
- Assign the wallet scope properly, and avoid selecting any type wallet.
For more details, see Register API Key.
Was this page helpful?