
By AUJay


Serviceplan Web3 Solutions: What Enterprises Should Ask About Security

A practical, 2025‑ready security due‑diligence playbook for evaluating agency‑led Web3 programs (including Serviceplan’s Web3 offerings), covering account abstraction (EIP‑7702/4337), wallets and MPC, L2s and bridges, MEV privacy, audits, and compliance (MiCA, DORA, PCI, FATF).

Who this is for—and why now

If you’re a decision‑maker exploring an agency partner for Web3 (e.g., Serviceplan’s Web3/DCNTRL offering), your biggest risk isn’t creative—it’s security and operational resilience. Serviceplan launched a dedicated Web3/metaverse studio (“Serviceplan DCNTRL”) led by Nina Matzat and Yves Bollinger to help brands from strategy through execution; that raises the bar for security questions procurement and engineering teams must ask up front. (healthreminder.de)

Below is a concrete, security‑first checklist and implementation blueprint you can apply to any enterprise Web3 engagement in 2025.


1) Start with the 2025 threat model (with hard numbers)

  • Stolen funds accelerated again in 2025: over $2.17B was stolen by mid‑year, driven by the $1.5B Bybit breach attributed to DPRK actors. Personal wallet compromises account for ~23% of stolen funds, a rising share that should influence wallet and onboarding choices. (chainalysis.com)
  • 2024 ended at ~$2.2B in hacked funds, with centralized services and private‑key compromise dominating loss mechanisms. Treat key custody and infra security as primary risk domains. (chainalysis.com)

What this means for you:

  • Budget more time for key management design (not just smart‑contract audits).
  • Require runbooks for “user‑level theft” scenarios (SIM‑swap, device malware), not just protocol exploits.

2) Accounts and wallets: precise questions to ask in the EIP‑7702/4337 era

2.1 EIP‑7702 (live on mainnet since May 7, 2025)

EIP‑7702 shipped in the Pectra upgrade and lets EOAs temporarily delegate execution to contract logic via a Type‑4 “set‑code” transaction with an authorization_list (chain_id, address, nonce, y_parity, r, s). Ask vendors exactly how they will constrain and revoke these authorizations. (blog.ethereum.org)

Enterprise questions:

  • What is your 7702 “least privilege” policy? Do you bind authorizations to specific dapps/contracts and rate‑limit value?
  • How do you store and track the authorization_list nonces to prevent replay across chains?
  • Do you simulate 7702 flows in CI with up‑to‑date test vectors and reject unsafe opcodes in delegated code paths?

Reference points:

  • Pectra mainnet activation: May 7, 2025, at epoch 364032. Design and testing should reference “prague” EVM targets. (blog.ethereum.org)
  • 7702 serialization details and gas constants are public—build your test harnesses against them. (eips-wg.github.io)
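As an added example (not code from the post, from Serviceplan or from 7Block Labs), here is a Python policy check a wallet backend or CI harness could apply to authorization_list entries before signing or relaying them: it pins the chain, rejects the chain_id=0 wildcard that EIP‑7702 permits, allowlists delegation targets, enforces an app‑side maximum age, and tracks nonces per (chain, authority) so a replayed tuple is refused. The addresses, the 24h age limit and the class names are assumptions.

```python
from dataclasses import dataclass, field

# EIP-7702 lets chain_id be 0, meaning the authorization is valid on every chain;
# a least-privilege policy should refuse that wildcard and pin the expected chain.
CHAIN_ID_ANY = 0
APP_CONTRACT = "0x" + "ab" * 20   # constructed placeholder for the app's delegation target
USER_EOA = "0x" + "cd" * 20       # constructed placeholder for a user's EOA


@dataclass
class Authorization:
    """One authorization_list entry, with the signer already recovered from (y_parity, r, s)."""
    chain_id: int
    address: str      # delegation target whose code the EOA will execute
    nonce: int
    authority: str    # EOA that signed the tuple
    issued_at: int    # unix seconds, taken from the app's own signing record


@dataclass
class DelegationPolicy:
    expected_chain_id: int
    allowed_targets: frozenset         # lowercase hex addresses the app may delegate to
    max_age_s: int = 24 * 3600         # app-side expiry (assumed); on-chain a delegation
                                       # persists until the EOA re-delegates or clears it
    seen_nonces: dict = field(default_factory=dict)   # (chain_id, authority) -> last accepted nonce

    def check(self, auth: Authorization, now: int) -> list[str]:
        """Return policy violations for this entry; an empty list means accept and record it."""
        problems = []
        if auth.chain_id == CHAIN_ID_ANY:
            problems.append("wildcard chain_id=0 rejected: replayable on every chain")
        elif auth.chain_id != self.expected_chain_id:
            problems.append(f"chain_id {auth.chain_id} != expected {self.expected_chain_id}")
        if auth.address.lower() not in self.allowed_targets:
            problems.append(f"delegation target {auth.address} is not allowlisted")
        if now - auth.issued_at > self.max_age_s:
            problems.append("authorization older than max_age_s: require a fresh signature")
        key = (auth.chain_id, auth.authority.lower())
        last = self.seen_nonces.get(key)
        if last is not None and auth.nonce <= last:
            problems.append(f"nonce {auth.nonce} already consumed for {key}: replay")
        if not problems:
            self.seen_nonces[key] = auth.nonce   # record only accepted entries
        return problems
```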

2.2 ERC‑4337 account abstraction (AA): versioning and mempools

Even if you use 7702, 4337 still matters (bundlers, paymasters, shared mempool). Press for specifics: Which EntryPoint version? What bundler(s)? What RPCs and shared mempool behavior?

  • EntryPoint v0.7 is widely supported; v0.8 is rolling out (different packing semantics, penalties, validation tweaks). Vendors must pin and disclose compatibility. (github.com)
  • Some platforms still operate bundlers that only support v0.6/v0.7—confirm migration windows and cross‑version fallbacks. (alchemy.com)
  • Baseline spec resources remain the EIP and docs—vendors should map changes (e.g., PackedUserOperation) to their telemetry. (eips.ethereum.org)

Ask for:

  • A matrix of wallet account implementations vs. EntryPoint versions and networks.
  • Evidence that their bundlers simulate via the correct EntryPoint and respect ERC‑7562 validation rules. (etherspot.io)
  • A rollback plan if shared mempool behavior regresses.

2.3 Passkeys (WebAuthn) for workforce and consumers

Phishing‑resistant sign‑ins reduce wallet theft. In 2024–2025, NIST published a supplement explicitly allowing “syncable authenticators” (passkeys) for federal zero‑trust programs; the FIDO Alliance reports enterprise adoption surging. If your agency recommends passkeys, insist on policy and recovery clarity. (csrc.nist.gov)

What to require:

  • Passkey enrollment, rotation, and recovery SLOs; device‑bound vs. synced policies; and guidance for mixed OS fleets.
  • A tested path for consumer wallets that use passkeys (e.g., Coinbase Smart Wallet) including cloud backup trade‑offs. (help.coinbase.com)

2.4 MPC and threshold signatures: don’t hand‑wave

If a vendor proposes MPC/TSS custody or WaaS:

  • Demand algorithm lineage, implementation transparency, and third‑party review history. Fireblocks open‑sourced MPC‑CMP; Coinbase published an MPC whitepaper and library. (fireblocks.com)
  • Ask how they monitor TSS‑library CVEs and crypto‑protocol changes, and to show incident postmortems (e.g., the 2023 BitGo TSS vulnerability disclosure and patch). (cointelegraph.com)

NIST’s threshold cryptography workstream and PQC standards (FIPS 203/204/205; HQC selection in 2025) should shape your long‑term key agility roadmap. Ask for a PQC migration plan (ML‑KEM, ML‑DSA, SLH‑DSA) even if signatures on‑chain remain ECDSA/EdDSA for now. (nist.gov)


3) Smart‑contract security: “show me the pipeline,” not just the PDF

Don’t accept a single audit badge. Require a reproducible, evidence‑rich pipeline:

  • Static analysis and linting: Slither integrated into CI on every PR; break builds on critical detectors. (blog.trailofbits.com)
  • Property‑based fuzzing: Echidna/Medusa with invariants and corpus‑to‑Foundry test generation; publish seeds and coverage. (github.com)
  • Differential testing and invariants in Foundry; include stateful “chaos” scenarios (oracle failure, paused bridges, fee spikes). (github.com)
  • Formal verification where it matters (e.g., governance, vault accounting), with solver configs and human reviews (e.g., Certora case studies). (certora.com)

Upgrades and proxies:

  • If they use UUPS/transparent proxies, insist on storage‑layout diffs, proxiable UUID checks, and timelocked/role‑based upgrades. Reference OZ upgrade plugins and docs in their runbook. (docs.openzeppelin.com)

4) L2s and cross‑chain: fault proofs, bridges, and rate limits

Rollups:

  • Optimism activated fault proofs on OP Mainnet June 10, 2024, reaching “Stage 1”; demand proof‑aware withdrawal runbooks and challenge monitoring. (cointelegraph.com)
  • Arbitrum shipped BoLD to enable permissionless validation in 2025—ask how the vendor monitors validator sets, disputes, and any “training wheels.” (theblock.co)

Bridges:

  • If they propose Chainlink CCIP, ask for a security walk‑through of the Risk Management Network (independent RMN, anomaly detection “curse,” rate limits, timelocked upgrades) and how your app handles a CCIP “pause” signal. (blog.chain.link)
  • Require explicit service‑responsibility allocations (node ops, gas bumping, versioning) and soak‑test plans within CCIP limits. (docs.chain.link)

Cross‑domain policy:

  • Document withdrawal liveness assumptions and operational thresholds—e.g., “If exit proofs are unavailable >N hours, trigger circuit breaker X and customer communications Y.”
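The circuit‑breaker rule above, carried through as an added Python example (not code from the post or from any vendor named here): a guard that consumes exit‑proof observations and a bridge pause/curse signal, pauses redemptions when either goes bad, and only resumes after conditions have been healthy for a hold‑down period so the breaker does not flap. The event names, thresholds and action strings are assumptions; real signals would come from the vendor's bridge and rollup monitoring.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CrossDomainGuard:
    proof_timeout_s: int = 6 * 3600      # "N hours" without a fresh exit proof (assumed)
    resume_after_s: int = 30 * 60        # hold-down before resuming (assumed)
    last_proof_seen: Optional[int] = None  # unix seconds of the last exit-proof observation
    bridge_paused: bool = False          # e.g. an RMN "curse"/pause signal for our lane
    healthy_since: Optional[int] = None  # first tick at which conditions were healthy again
    redemptions_open: bool = True
    history: List[str] = field(default_factory=list)

    def on_exit_proof(self, ts: int) -> None:
        self.last_proof_seen = ts

    def on_bridge_signal(self, paused: bool) -> None:
        self.bridge_paused = paused

    def evaluate(self, now: int) -> List[str]:
        """Run one monitoring tick; returns the actions to execute (empty if nothing changed)."""
        fired: List[str] = []
        proofs_stale = (self.last_proof_seen is None
                        or now - self.last_proof_seen > self.proof_timeout_s)
        healthy = not proofs_stale and not self.bridge_paused
        if not healthy:
            self.healthy_since = None          # any bad tick restarts the hold-down clock
            if self.redemptions_open:
                self.redemptions_open = False
                reason = "bridge_paused" if self.bridge_paused else "exit_proofs_stale"
                fired += ["pause_redemptions", f"notify_customers:{reason}"]
        else:
            if self.healthy_since is None:
                self.healthy_since = now
            # hysteresis: stay tripped until things have been healthy for resume_after_s
            if not self.redemptions_open and now - self.healthy_since >= self.resume_after_s:
                self.redemptions_open = True
                fired += ["resume_redemptions", "notify_customers:withdrawals_resumed"]
        self.history.extend(fired)
        return fired
```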

5) MEV and privacy: protect user flows in production

For swaps/mints and other sensitive flows, your vendor should route via private orderflow to reduce frontrun/sandwich risk:

  • Flashbots Protect RPC supports private transactions (no public mempool) and cancellation APIs; require a concrete RPC config, fallback behavior, and refund handling. (docs.flashbots.net)
  • Ask for dashboards showing protect‑vs‑public inclusion, revert rates, and MEV refunds earned under your hint strategy. (docs.flashbots.net)

6) Compliance you can actually verify (EU, U.S., global)

  • MiCA is fully applicable since Dec 30, 2024 (stablecoin provisions since Jun 30, 2024). DORA applies since Jan 17, 2025. Your vendor should map each obligation (e.g., incident reporting, ICT risk management) to controls and evidence. (finance.ec.europa.eu)
  • FATF: 2025 targeted update shows progress but gaps; regulators push for stronger Travel Rule supervision. If your program touches VASPs, require Travel Rule interoperability testing. (finreg.aoshearman.com)
  • U.S. sanctions landscape changed: Tornado Cash addresses were removed from the SDN List on Mar 21, 2025. Regardless, your vendor must maintain sanctions screening and on‑chain risk tooling. (ofac.treasury.gov)
  • PCI DSS v4.0 future‑dated controls are mandatory since Mar 31, 2025; if you process card data in any Web3‑adjacent flow, ask for a PCI strategy. (bdo.com)
  • ISO/IEC 27001:2022: ensure the vendor’s ISMS transition (deadline Oct 31, 2025) and scope includes blockchain infra, keys, and build systems. (blog.ansi.org)

7) A 20‑question security RFP checklist for agency‑led Web3 programs

Use this verbatim in vendor evaluations (Serviceplan or otherwise):

  1. Which accounts/wallets will be 7702‑enabled, and how are authorization_list entries scoped, logged, and revoked? What nonce/chain replay mitigations are in place? (eip7702.io)
  2. ERC‑4337 versions supported (v0.6/0.7/0.8)? Bundlers used? EntryPoint addresses and network coverage? Migration plan? (github.com)
  3. Do you test against ERC‑7562 rules and publish per‑version validation diffs in CI? (etherspot.io)
  4. Passkeys: Which authenticators (device‑bound vs. synced)? Recovery and “break‑glass” procedures? Alignment to NIST SP 800‑63B supplement? (csrc.nist.gov)
  5. MPC/TSS: Which protocols (papers/commits)? Open‑source references? Past vuln response (e.g., BitGo 2023 lessons)? (fireblocks.com)
  6. PQC roadmap: when and how will ML‑KEM/ML‑DSA be phased into key exchanges/signatures relevant to custody backends? (nist.gov)
  7. Rollup security: withdrawal liveness SLOs, proof monitoring, and “training wheels” disclosures (OP, Arbitrum BoLD). (cointelegraph.com)
  8. Bridges: justify CCIP (or alternative) with RMN, rate limits, and pause handling in app logic. (blog.chain.link)
  9. MEV privacy: default to Protect RPC; define fallback to public mempool and cancellation policy. (docs.flashbots.net)
  10. Static analysis: Slither in CI with fail‑on‑high rules and custom detectors for your codebase. (github.com)
  11. Fuzzing: Echidna/Medusa configs, seeds, and coverage; invariant suites published. (github.com)
  12. Formal methods: identify critical components, tools (e.g., Certora), specs, and proof artifacts. (certora.com)
  13. Upgrades: OZ upgrade plugins, storage‑layout checks, timelocks, separate proposer/executor roles. (docs.openzeppelin.com)
  14. Incident response: 24/7 on‑call, chain‑specific playbooks, forensics partners, and public comms templates.
  15. Secrets and HSM/TEEs: KMS policies, enclave attestations (e.g., SGX/Nitro), key ceremonies, audit trails. (fireblocks.com)
  16. Compliance mapping: MiCA/DORA/PCI/FATF to specific controls and evidence repositories. (finance.ec.europa.eu)
  17. Sanctions/risk screening: list data providers and blocking logic post‑Tornado Cash delisting. (ofac.treasury.gov)
  18. Telemetry: in‑app and on‑chain metrics for 7702/4337 (success, revert reasons, bundler health, shared‑mempool inclusion).
  19. Supply chain: node client versions, RPC providers, oracles, and their attestations (SOC2/ISO for third parties). (chain.link)
  20. DR/BCP: cross‑region replicas, RPC/provider failover, cold‑start runbooks, RTO/RPO.

8) Implementation blueprint: one concrete pattern to copy

Scenario: a loyalty program with on‑chain rewards, 7702‑powered batched actions, and cross‑chain redemptions.

  • Accounts and auth

    • Consumer wallets: passkeys with synced authenticators and opt‑in recovery; device checks block known‑bad environments. Enterprise admins: FIDO2 hardware‑bound passkeys. (nist.gov)
    • 7702 authorizations scoped to app contracts with value caps and 24h expiry; nonces tracked per chain; revocation triggers on anomaly. (eip7702.io)
    • AA path: EntryPoint v0.7 today; v0.8 staging with version‑aware telemetry. (github.com)
  • Contracts and audits

    • OZ upgradeable contracts with UUPS, timelocked upgrades, governance roles split (proposer/executor/guardian). Slither + Echidna in CI; critical vault logic verified. (docs.openzeppelin.com)
  • L2s and bridging

    • Target OP Stack chain (fault proofs on) for UX; document withdrawal delays. Cross‑chain via CCIP with RMN and rate limits; app can “pause redemptions” if CCIP sends a curse signal. (docs.optimism.io)
  • MEV/privacy

    • Default to Flashbots Protect for swaps/mints; expose refunds metric and cancellation path in UI. (docs.flashbots.net)
  • Compliance and logging

    • Travel Rule checks when assets traverse VASP rails; MiCA/DORA control mapping stored in your GRC. PCI scope analysis if any card flows touch Web3 surfaces. (finreg.aoshearman.com)
  • Observability and SLOs

    • Dashboards for: 7702 authorization create/revoke; 4337 UserOps by outcome/version; bridge latency and RMN events; Protect RPC inclusion vs. public mempool; sanctions/risk hits.

9) Red flags (walk away if you hear these)

  • “We support AA” but no EntryPoint version matrix or bundler SLAs. (alchemy.com)
  • “We use MPC” without a paper/implementation link, audit trail, or incident handling history. (fireblocks.com)
  • “We built our own bridge” without independent security layers (e.g., RMN‑style redundancy, rate limits, and upgrade timelocks). (blog.chain.link)
  • “We’ll use public mempool—MEV isn’t an issue for us.” It is. Use private orderflow and prove it with metrics. (docs.flashbots.net)

10) What good looks like (a vendor checklist to sign)

  • We design 7702 with least privilege, revocable authorizations, and chain‑scoped nonces; we pin ERC‑4337 EntryPoint versions and publish our bundler compatibility table. (eip7702.io)
  • We run Slither+Echidna on every PR; publish coverage and seeds; verify critical paths formally. (github.com)
  • Our rollup and bridge runbooks include withdrawal liveness, CCIP pause handling, and customer comms. (cointelegraph.com)
  • We align to MiCA/DORA, operate sanctions screening post‑Tornado Cash delisting, and meet PCI v4.0 obligations where applicable. (finance.ec.europa.eu)

Bottom line

Agencies like Serviceplan can bring world‑class brand and product execution to Web3—but in 2025 the differentiator is provable security: version‑pinned AA, least‑privilege 7702, MPC transparency, rollup/bridge operational maturity, MEV privacy, and auditable compliance. Use this checklist to turn “security theater” into verifiable practice.

If you want a second set of eyes, 7Block Labs can pressure‑test any proposal with a 2‑week, evidence‑based security assessment and hand you a prioritized remediation plan.



© 2025 7BlockLabs. All rights reserved.