Found Academy useful? A $5 donation by May 14 helps us ship more, faster. Every donor counts (QF matching).

Donate
Zealynx AcademyZealynx Academy
eMBA/Security from Day One
Module 3

Security from Day One

Security is not a checkbox before launch. It is a business function that runs from first commit to mainnet and beyond. This module teaches technical founders how to manage security strategy, budgets, auditor relationships, and incident response, not how to write secure code.

Chapter 01

0 of 4 lessons completed

Think Like an Attacker

Lesson 1

Threat Modeling for Protocol Founders

  • +Identify the six categories of DeFi threat actors.
  • +Map trust assumptions for every external dependency.
  • +Calculate maximum extractable value at risk per function.
Lesson 2

The Security Budget

  • +Size a security budget by TVL tier and protocol complexity.
  • +Allocate across audits, bounties, monitoring, and response.
  • +Identify the highest-ROI security investment for each stage.
Lesson 3

Design-Level Vulnerabilities

  • +Distinguish design flaws from code bugs using real exploits.
  • +Identify the pattern of 'harmless' functions that enable catastrophic attacks.
  • +Evaluate your own protocol design for economic attack surfaces.
Lesson 4

The Audit Paradox

  • +Understand why audited protocols still get exploited.
  • +Identify the five structural limitations of traditional audits.
  • +Shift from 'get audited' to continuous security posture.

Chapter 02

0 of 4 lessons completed

The Security Stack

Lesson 5

Choosing and Managing Auditors

  • +Compare private audits, competitive audits, and hybrid approaches.
  • +Evaluate auditor fit for your protocol type and complexity.
Lesson 6

Bug Bounty Program Design

  • +Design a bug bounty program with appropriate severity tiers and payout levels.
  • +Apply the 10% rule and understand why critical bounties must be credible.
  • +Avoid the common mistakes that make bounty programs ineffective.
Lesson 7

Post-Deployment Monitoring

  • +Set up monitoring that catches attacks before they drain your protocol.
  • +Choose the right monitoring stack for your protocol's risk profile.
  • +Design alert thresholds that catch real threats without drowning in noise.
Lesson 8

Incident Response

  • +Build an incident response playbook before you need it.
  • +Learn from the Euler recovery, the gold standard of post-exploit response.
  • +Know when and how to contact SEAL 911 and coordinate with the security community.

Chapter 03

0 of 4 lessons completed

Security as Culture

Lesson 9

Team OpSec and Key Management

  • +Quantify the gap between on-chain and off-chain attack vectors using 2024 data.
  • +Identify the specific techniques used by DPRK-linked attackers to compromise protocol teams.
  • +Design a key management architecture matched to your treasury size.
  • +Implement SEAL multisig best practices: signer diversity, hardware diversity, no blind signing.
Lesson 10

From Audit to Continuous Security

  • +Understand why periodic audits alone fail to prevent exploits over time.
  • +Learn the Aave model: how a 6-year auditor relationship produces compound security returns.
  • +Evaluate the security triad: continuous monitoring, periodic re-audits, and ongoing bug bounties.
  • +Assess your protocol's security maturity level and identify the next step up.
Lesson 11

The Regulatory Security Landscape

  • +Understand the Tornado Cash precedent: what it means for protocol founders' personal liability.
  • +Evaluate DeFi insurance products and their actual coverage scope.
  • +Navigate OFAC compliance obligations for protocol frontends.
  • +Design a responsible disclosure framework using SEAL and Immunefi models.
Lesson 12

Module Capstone: Security Audit of Alex's Protocol

  • +Evaluate a protocol's complete security posture.
  • +Apply all Module 3 concepts in a scored assessment.
0 of 12 lessons completed

Key Terms

Key terms are concepts that deserve special attention when studying this module. Each term links back to the lesson where it was introduced.

Chapter 1 | Lesson 1

Threat Modeling for Protocol Founders

Threat Model

A structured analysis of who might attack your protocol, what they would target, and what resources they would use. The foundation of every security decision.

Trust Assumption

Something your protocol assumes to be true but cannot verify on-chain. Every external dependency (oracle, bridge, governance) introduces a trust assumption.

Maximum Extractable Value at Risk

For every external function in your protocol, the maximum value an attacker could extract if that function misbehaves. Your threat model should quantify this for every entry point.

Attack Surface

The total set of entry points an attacker could use to interact with your protocol. Includes external functions, governance, oracles, and any off-chain dependencies.

Chapter 1 | Lesson 2

The Security Budget

Security Budget

The total allocation for all security activities: audits, bug bounties, monitoring, incident response, and internal review. Typically 5-15% of development budget for DeFi protocols.

Bug Bounty

A program that pays external researchers for discovering and responsibly disclosing vulnerabilities. The largest DeFi bounties exceed $10M.

Continuous Security

The practice of maintaining security activities (monitoring, bounties, re-audits) after launch, rather than treating security as a one-time pre-launch event.

Chapter 1 | Lesson 3

Design-Level Vulnerabilities

Design-Level Vulnerability

A flaw in protocol logic or economic design that cannot be caught by code analysis alone. The code works exactly as written, but the design allows value extraction.

Composability Risk

The risk that your protocol behaves unexpectedly when combined with other protocols in ways you did not anticipate. Flash loans are the canonical enabler.

Economic Attack

An exploit that uses the protocol's own rules to extract value, without any code bugs. Often involves oracle manipulation, governance capture, or incentive gaming.

Chapter 1 | Lesson 4

The Audit Paradox

Audit Paradox

The observation that most exploited protocols were audited, yet most unaudited protocols account for the majority of value lost. Audits reduce risk but do not eliminate it.

Snapshot Problem

An audit reviews code at a single point in time. Any changes after the audit, including deployment parameters, are unreviewed.

Security Posture

The overall strength of a protocol's security across all dimensions: code quality, audit coverage, monitoring, incident response, bounties, and team practices.

Chapter 2 | Lesson 1

Choosing and Managing Auditors

Competitive Audit

An audit format where multiple independent auditors review the same codebase simultaneously, competing for rewards based on findings. Platforms like Code4rena and Sherlock use this model.

Private Audit

A traditional audit engagement where one firm reviews your code exclusively. Deeper context but limited to one team's perspective.

Chapter 2 | Lesson 3

Post-Deployment Monitoring

War Room

An emergency response session where the core team coordinates real-time actions during an active exploit or incident.

Circuit Breaker

An automated mechanism that pauses protocol functions when anomalous activity is detected, such as unusually large withdrawals or price deviations.

Chapter 2 | Lesson 4

Incident Response

Incident Response Plan

A pre-written, rehearsed set of procedures for responding to security incidents. Covers detection, triage, containment, communication, and recovery.

Post-Mortem

A structured analysis conducted after an incident to document what happened, why, and what changes will prevent recurrence.

Chapter 3 | Lesson 2

From Audit to Continuous Security

Defense in Depth

Layering multiple security controls so that failure of one layer does not compromise the system. No single security measure is sufficient alone.

Chapter 3 | Lesson 4

Module Capstone: Security Audit of Alex's Protocol

Security Maturity Model

A framework for evaluating how advanced a protocol's security practices are, from ad-hoc to continuous and automated.

Assigned Reading

Every lesson references real sources: whitepapers, governance proposals, research papers, and protocol documentation. Tap any link to verify or go deeper.

Chapter 3 | Lesson 3

The Regulatory Security Landscape

Tornado Cash Sanctions: Fifth Circuit Decision and Implications
Mayer Brown
https://www.mayerbrown.com/en/insights/publications/2024/12/tornado-cash-and-ofac-the-fifth-circuits-decision-and-its-implications
OFAC Lifts Tornado Cash Sanctions After Court Ruling
Venable LLP
https://www.venable.com/insights/publications/2025/03/ofac-lifts-tornado-cash-sanctions
Chainalysis: Tornado Cash Sanctions and Compliance
Chainalysis
https://www.chainalysis.com/blog/tornado-cash-ofac-designation-update/
Nexus Mutual: DeFi Insurance and Claims Data
Nexus Mutual
https://nexusmutual.io/
Sherlock: Audit and Smart Contract Coverage
Sherlock
https://docs.sherlock.xyz/
OpenCover: DeFi Insurance Comparison Guide
OpenCover
https://opencover.com/
Immunefi: Bug Bounty Program Is Law
Immunefi
https://immunefi.com/

Module Highlights

  • *Build threat models that catch design-level vulnerabilities before code exists.
  • *Size and allocate a security budget by TVL tier.
  • *Navigate the audit paradox: why audited protocols still get hacked.
  • *Choose, manage, and get maximum value from security auditors.
  • *Build monitoring, incident response, and continuous security culture.

Quick Links

Explore Key Terms Assigned Reading

Resources

SEAL 911 Security FrameworksTrail of Bits: Building Secure ContractsImmunefi Bug Bounty PlatformRekt News Leaderboard

Related Modules

protocol designComing soon
building teamComing soon

Credits

Content Design
Subject Matter Experts
Carlos Vendrell (Zealynx Security, 30+ protocol audits)