Security Guidelines for Celo Partners

Greetings from the Celo Foundation Community Security Team! We’re here to improve security within the Celo Ecosystem.

This post concerns Security Reviews and Celo Foundation support. Every Partner must apply for and undergo a security review, unless exempt, in order to qualify for any level of support. The level of support depends on the size of the project and the proof of security provided. Although the Celo Foundation would like to support every project in the ecosystem, the Celo Foundation cannot guarantee support even if all requirements are met; all support is on a case-by-case basis.

Overview of the Tiers with Support

Tier 1
Project Type: Large, established ecosystem projects.
Support: Opportunity for formal partnership. Co-marketing promotion(s) from the Celo Foundation. Grants to accelerate ecosystem adoption.
Requirements: Extensive security audits. Community trust established. Mature development practices. No recent security breaches.

Tier 2
Project Type: Small to medium-sized organizations with quantifiable growth.
Support: Grants as deemed appropriate by the Celo Foundation. Marketing support from the Celo Foundation pre-launch, at launch, and/or at other important times.
Requirements: Security audit(s) performed on all Solidity code, e.g. smart contracts. No connection to past breaches or organizations with a failing reputation. Active community management via Telegram, Discord, etc.

Tier 3
Project Type: Newly formed, or early stages of growth.
Support: Grants and promotion on Celo Foundation channels. Onboarding into the Celo ecosystem with access to the resources of the network.
Requirements: Audit in progress, or proof of contract security. If a fork, perform due diligence to ensure there are no reused naming conventions within the codebase, unless necessary. Commitment to providing a secure environment, championing security matters, and bolstering the DeFi community.

Security Review Checks

Tier 3:

  1. SSH (Secure Shell Protocol) and other management methods are controlled by access list.
  2. Unneeded files are not hosted on the public website.
  3. Pre-made and/or “forked” naming conventions from other projects should not exist, unless specifically necessary.
  4. Implemented Denial of Service protections.
  5. Implemented redundancy of critical infrastructure.
  6. All encryption ciphers are up to date, and TLS certificates are valid.
  7. VPN, Firewall, and network segmentation usage as necessary.
  8. Infrastructure with a positive security reputation is used.
  9. Willing to discuss industry best practices with partners.
  10. Lessons learned from audits are applied.
  11. All public-facing infrastructure has the latest security patches.

Tier 2 (Everything from Tier 3 plus):

  1. Separated and Restricted Development Environment.
  2. A security review of cloud permissions has been performed.
  3. No connection to any past exploited protocol or fraud.
  4. Active helpdesk/community management to provide assistance to newer users and others who have questions via Telegram, Discord, etc.
  5. Real-world identities of individuals are known to trusted partners.
  6. Proper implementation and appropriate scope of multi-sig technologies.
  7. Changes are reviewed for accuracy and completeness before being implemented.
  8. Security Audit Reports are available for all smart contracts and Solidity code in production.

Tier 1 (Everything from Tier 3 and Tier 2 plus):

  1. No egregious demerits on record of ‘staff’ or any custodian used.
  2. No security incidents in the past 6 months, and no moderate to major incidents in the past year.
  3. Controlled software development process.
  4. Willingness to meet quarterly or as often as needed to discuss the security posture of the protocol, and Celo’s terms.
  5. Front-end security is accounted for, and a penetration test has been, or will be, conducted by a reputable third party.
  6. Security Vetting or background checks are performed on personnel.
  7. Reputable auditor(s) used, and ongoing assessments/audits of smart contract changes that are made (e.g. an agreement/relationship with an auditor to audit any moderate or major changes to the platform).
  8. Process for handling vulnerabilities/incident response mechanisms in place to address potential major security incidents.
  9. History of reduction in the number of critical vulnerabilities.
  10. If code is forked from another protocol, the organization should be able to explain the ‘patches’ applied if a vulnerability was found in the original fork.
  11. OpenZeppelin or other contract templates are used in their entirety, or as a base.
  12. Any DAO is associated with a legal entity.
  13. No personal or unidentified addresses used in smart contract calls, and ownership either revoked or managed with tight multi-sig and/or locker security (e.g. Gnosis Safe).

Process for requesting a Security Review

To request a security (smart contract) audit, the prospective DeFi Partner can contact and work closely with the Community Security team. Help in acquiring and finalizing a security audit cannot be guaranteed for all partners, as there is a significant bottleneck in smart contract auditors, creating long delays and price spikes. The Community Security team is also helping partners obtain expert-quality web-application penetration tests, in order to ensure the community is able to have peace of mind when entrusting their digital assets to Celo ecosystem partners.

Please feel free to reach out to the team to initiate the security review process.


Hi!

Thanks for this initiative!

I’m Ruben and I’m part of the Talent Protocol core team. We recently had to change our smart contracts, and it would be great to be part of this security review from you.

I believe you already know our product well. We have ~150k registered users, and of those ~123k have connected their wallet and added the Celo network!

What are the next steps? In which tier should Talent Protocol be considered?

Thanks,
-Ruben Dinis


Hi @RubenSousaDinis

Thank you for the message! Had your smart contracts been reviewed prior to the change?

I will chat with the Community Security team to determine next steps, but my initial thought would be to complete the checks for Tier 2 and Tier 3. Watch for a PM!

Dave

Hi @Dave_CommSec

Yes, they were audited, and we run bug bounty programs: one with Whitejar and another (still ongoing) with Immunefi.

I believe we meet all the checks for Tier 2 and Tier 3, and also Tier 1, but we can discuss.

Thanks,
-Ruben