# Offchain Security

Offchain Security page in the Web3 Security Resources 2026 hub.
Smart contract security is only one part of Web3 risk. Users reach protocols
through domains, frontends, wallets, APIs, RPCs, docs, governance portals,
support flows, analytics, bridges, and cloud infrastructure.
| Area | Why it matters |
|---|---|
| DNS and domains | Domain takeover can redirect users, wallets, docs, governance, and support flows. |
| Frontend builds | A compromised deploy can turn a safe contract into a wallet-draining interface. |
| Wallet UX | Users sign typed data, approvals, permits, and chain switches based on UI context. |
| APIs and admin panels | Offchain authz bugs can change protocol state, leak data, or bypass rate limits. |
| CI/CD and secrets | Build pipelines often hold deploy keys, RPC keys, package tokens, and cloud credentials. |
| Dependencies | Malicious packages and install scripts can compromise builds and frontends. |
| Cloud and hosting | Storage buckets, CDN rules, serverless functions, and WAF policies affect user trust. |
| Support and comms | Fake support, compromised Discord/Telegram/X accounts, and phishing links drive losses. |
| Tool | Tier | Use |
|---|---|---|
| Burp Suite | Must learn | Web/API proxying, authz testing, replay, and tampering. |
| OWASP ZAP | Use in real audits | Open-source proxy and scanner. |
| Semgrep | Use in real audits | Custom source-code rules for frontend, API, IaC, and CI. |
| Socket | Use in real audits | JavaScript supply-chain risk. |
| OpenSSF Scorecard | Use in real audits | Dependency and repository health checks. |
| Sigstore | Situational / advanced | Artifact signing and provenance. |
| SLSA | Situational / advanced | Supply-chain integrity maturity model. |
- Verify contract addresses, chain IDs, spender addresses, and typed-data domains.
- Detect frontend asset drift and unauthorized deploys.
- Review third-party scripts, analytics, chat widgets, and wallet SDKs.
- Confirm DNS, TLS, CDN, registrar, and hosting ownership with phishing-resistant MFA.
- Test APIs for broken object-level authorization and tenant isolation.
- Review CI/CD secrets, branch protections, deploy tokens, and release provenance.
- Monitor domain lookalikes, phishing kits, wallet-drainer infrastructure, and support impersonation.
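One way to implement the first checklist item (chain IDs, spender addresses, and typed-data domains), as an added example that is not code from the hub page or from any of the tools listed above: a JavaScript policy check a frontend or wallet can run on an EIP-712 `eth_signTypedData_v4` request before showing the signing prompt. The `policy` object, the `checkTypedDataRequest` function, and every address in it are constructed for this example.

```javascript
// Constructed policy: the contracts this frontend may ask users to sign for,
// keyed by chain ID, and the spenders it may name in ERC-2612 Permit messages.
// All addresses are placeholders for the example, not real deployments.
const policy = {
  expectedChainId: 1,
  verifyingContracts: {
    1: ["0x1111111111111111111111111111111111111111"],
  },
  allowedSpenders: ["0x2222222222222222222222222222222222222222"],
  maxDeadlineSeconds: 60 * 60, // permits valid for more than an hour are flagged
};
const UNLIMITED = (2n ** 256n - 1n).toString(); // uint256 max as a decimal string

function sameAddress(a, b) {
  return typeof a === "string" && typeof b === "string" && a.toLowerCase() === b.toLowerCase();
}

// Returns a list of findings for an eth_signTypedData_v4 payload; an empty list
// means the request matches policy. `now` (unix seconds) is injected so the
// deadline check is deterministic.
function checkTypedDataRequest(typedData, pol, now = Math.floor(Date.now() / 1000)) {
  const findings = [];
  const { domain = {}, primaryType, message = {} } = typedData;

  // Chain-switch check: the domain's chainId must be the chain the UI claims.
  const chainId = Number(domain.chainId);
  if (chainId !== pol.expectedChainId) {
    findings.push(`chainId ${domain.chainId} does not match expected ${pol.expectedChainId}`);
  }

  // Typed-data domain check: verifyingContract must be allowlisted for that chain.
  const allowed = pol.verifyingContracts[chainId] || [];
  if (!allowed.some((c) => sameAddress(c, domain.verifyingContract))) {
    findings.push(`verifyingContract ${domain.verifyingContract} is not allowlisted on chain ${chainId}`);
  }

  // Permit checks: spender allowlist, unlimited allowance, and far-future deadline.
  if (primaryType === "Permit") {
    if (!pol.allowedSpenders.some((s) => sameAddress(s, message.spender))) {
      findings.push(`Permit spender ${message.spender} is not allowlisted`);
    }
    if (String(message.value) === UNLIMITED) {
      findings.push("Permit value is unlimited (uint256 max)");
    }
    if (Number(message.deadline) - now > pol.maxDeadlineSeconds) {
      findings.push(`Permit deadline is more than ${pol.maxDeadlineSeconds}s in the future`);
    }
  }
  return findings;
}
```

A non-empty result should block the prompt or surface the findings to the user rather than silently proceeding.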