Here’s how to fix them – Cointelegraph Magazine




Blockchain exploits can be extremely costly; with poorly designed smart contracts, decentralized apps and bridges are attacked time and time again.

For example, the Ronin Network experienced a $625-million breach in March 2022 when a hacker was able to steal private keys to generate fake withdrawals and transferred hundreds of millions out. The Nomad Bridge later that year in August experienced a $190-million breach when hackers exploited a bug in the protocol that allowed them to withdraw more funds than they had deposited.

These vulnerabilities in the underlying smart contract code, coupled with human error and lapses of judgment, create significant risks for Web3 users. But how can crypto projects take proactive steps to identify the issues before they happen?

There are a couple of major strategies. Web3 projects typically hire companies to audit their smart contract code and review the project to provide a stamp of approval.

Another approach, which is often used in conjunction, is to establish a bug bounty program that provides incentives for benign hackers to use their skills to identify vulnerabilities before malicious hackers do.

There are major issues with both approaches as they currently stand. 

Web3 auditing is broken

Audits, or external evaluations, tend to emerge in markets where risk can rapidly scale and create systemic harm. Whether a publicly traded company, sovereign debt or a smart contract, a single vulnerability can wreak havoc.

But sadly, many audits – even when done by an external organization – are neither credible nor effective because the auditors are not truly independent. That is, their incentives might be aligned toward satisfying the client over delivering bad news.

“Security audits are time-consuming, expensive and, at best, result in an outcome that everything is fine. At worst, they can cause a project to reconsider its entire design, delaying the launch and market success. DeFi project managers are thus tempted to find another, more amenable auditing company that will sweep any concerns under the carpet and rubber-stamp the smart contracts,” explains Keir Finlow-Bates, a blockchain researcher and Solidity developer.

“I have had first-hand experience with this pressure from clients: arguing with developers and project managers that their code or architecture is not up to scratch receives push-back, even when the weaknesses in the system are readily apparent.”

Principled behavior pays off in the long run, but in the short term, it can come at the cost of profitable clients who are eager to get to market with their new tokens. 

“I can’t help noticing that lax auditing companies quickly build up a more significant presence in the auditing market due to their extensive roster of satisfied customers… satisfied, that is, until a hack occurs,” Finlow-Bates continues.

One of the leading companies in Web3 auditing, CertiK, provides “trust scores” to projects that they evaluate. However, critics point out they have given a stamp of approval to projects that failed spectacularly. For example, while CertiK was quick to share on Jan. 4, 2022, that a rug pull had occurred on the BNB Smart Chain project Arbix, they “omitted that they had issued an audit to Arbix 46 days earlier,” according to Eloisa Marchesoni, a tokenomics specialist, on Medium. 

But the most notable incident was CertiK’s full-scope audit of Terra, which later collapsed and brought half the crypto industry down with it. The audit report has since been taken down, as CertiK has adopted a more reflective approach, but bits and pieces of it remain online.

[Image] Terra as envisaged by Cointelegraph’s art department. They forgot to set the earth and moon on fire, however.

Terra-fied

Zhong Shao, co-founder of CertiK, said in a 2019 press release:

“CertiK was highly impressed by Terra’s clever and highly effective design of economy theory, especially the proper decoupling of controls for currency stabilization and predictable economic growth.”

He added, “CertiK also found Terra’s technical implementation to be of one of the highest qualities it has seen, demonstrating extremely principled engineering practices, mastery command of Cosmos SDK, as well as complete and informative documentations.” 

This certification played a major role in Terra’s increased international recognition and receipt of investment. The recently arrested Do Kwon, co-founder of Terra, said at the time:

“We are pleased to receive a formal stamp of approval from CertiK, who is known within the industry for setting a very high bar for security and reliability. The thorough audit results shared by CertiK’s team of experienced economists and engineers give us more confidence in our protocol, and we are excited to quickly roll out our first payment dApp with eCommerce partners in the coming weeks.”

For its part, CertiK argues its audits were…
