What Is a Rekt Test and How to Pass It?
The Rekt Test is a specialized questionnaire developed by a team of web3 security experts, spearheaded by Dan Guido, the CEO of Trail of Bits. Trail of Bits is a cybersecurity company whose clientele includes notable organizations like Facebook and the Pentagon's Defense Advanced Research Projects Agency (DARPA).
The Philosophy Behind the Rekt Test
Prominent figures in designing this new safety benchmark include Mitchell Amador from Immunefi, a bug-bounty platform; Nick Shalek from Ribbit Capital, an investment company; Nathan McCauley of Anchorage Digital, a crypto services platform; Lee Mount of Euler Labs, known for developing financial applications; Shahar Madar from Fireblocks, an institutional-grade digital asset storage service, among others.
At its core, the Rekt Test is philosophically rooted in the Joel Test, a renowned questionnaire conceived by programmer Joel Spolsky nearly 25 years ago. Comprising 12 straightforward questions, it expects clear-cut "yes" or "no" answers and offers a quantitative measure of a software development team's competence and maturity. The blockchain sphere demanded a similar evaluative tool—one that could assess a project's security robustness. There was a consensus that existing guides were more mystifying than clarifying and often left people more bewildered than enlightened.
“The global web3 space was valued at over $934 billion in 2022. That capital represents an unparalleled and attractive opportunity for blackhat hackers. We have reviewed all instances where blackhat hackers have exploited various crypto protocols, as well as cases of protocols that have allegedly performed a rug pull in 2022...In total, we have seen a loss of $3,948,856,037 across the web3 ecosystem in 2022,” Immunefi pointed out the scale of the issue.
The Rekt Test aims to provide blockchain teams with a streamlined approach to evaluate their project’s security status and developmental stage. Much like the Joel Test, the Rekt Test questions demand clear-cut positive or negative responses. Affirmative answers serve as a testament to the reliability of the project's security governance, and the generated results can act as a springboard for team-wide discussions on refining security measures.
The Rekt Test Structure
- Do you have all actors, roles, and privileges documented?
- Do you keep documentation of all the external services, contracts, and oracles you rely on?
- Do you have a written and tested incident response plan?
- Do you document the best ways to attack your system?
- Do you perform identity verification and background checks on all employees?
- Do you have a team member with security defined in their role?
- Do you require hardware security keys for production systems?
- Does your key management system require multiple humans and physical steps?
- Do you define key invariants for your system and test them on every commit?
- Do you use the best automated tools to discover security issues in your code?
- Do you undergo external audits and maintain a vulnerability disclosure or bug bounty program?
- Have you considered and mitigated avenues for abusing users of your system?
Of course, merely monitoring these points is no panacea. Nonetheless, the creators believe that regular scrutiny through the Rekt Test can notably bolster both the software and operational security of any blockchain venture.
«Answering “yes” to these questions doesn’t mean you will completely avoid a security incident, but it can empower you and your team to steer clear of the worst label in the industry: getting rekt,» note the professionals at Trail of Bits. (Here, "rekt" is shorthand for the slang term "wrecked." Initially used to describe a gamer who is overwhelmingly defeated, the term has been co-opted by the crypto community to refer to investors and projects that have suffered severe losses).
Despite the rapid technological advancements in blockchain, this structured questionnaire is expected to maintain its relevance for the foreseeable future. It essentially serves as a roadmap that can guide both newcomers and industry veterans.
