Why We Need to Start Using ERC-7512: Onchain Audit Representation Right Now

Josef Gattermayer, Ackee Blockchain
Sep 19, 2023

Of the 157 protocols listed on Rekt, 92 were hacked through code that was unaudited or out of the audit's scope, while the protocols often displayed “audited by” logos on their websites. This makes the auditing process untrustworthy, and not only for users: both users and auditors suffer from intermediate audit representations that misrepresent the results. Enter ERC-7512: a standard to store auditing information on-chain.

The standard enables users to verify not just who audited a protocol, but also whether the audit is up to date and still valid. Let’s dive into ERC-7512.

The Problems

As highlighted, the auditing flow doesn’t really work for end users who often rely only on interpreted information:

  1. Trusting the Logo: Relying on the “audited by” logo, users use the protocol and deposit their funds.
  2. Funds Lost: Users lose their funds, which were considered safe.
  3. Trust Broken: This experience makes users think “audits don’t work.”

But it doesn’t work for auditors either. See the auditor’s perspective:

  1. Protocol Evolution: Changes or new versions are introduced to the protocol, altering the audited codebase.
  2. Hack and Blame Game: In the event of a security breach, the first reaction is to blame the auditing company, particularly if its logo is still displayed on the protocol’s website.
  3. Reputation Management: Clearing an auditing firm’s name is difficult because of the first Tweet / Article / Blog.

The ERC-7512 Solution

The solution is to remove any intermediate representation and offer a verified and easy way for the user to check the validity of the audit report. To be valid, the audit process must include:

ERC-7512 addresses these criteria by submitting all audit parameters on-chain in a standardized format that is verified and signed by the auditing company. This will allow anyone to use a simple RPC call to get all the information instead of downloading a PDF, searching for an executive summary, and verifying the audit scope against the code base by hand.

The ERC-7512 flow is as simple as:

  1. The protocol implements ERC-7512 and adds a first “audit summary” item (there can be many of them).
  2. The auditor signs the audit summary (the data structure defined by ERC-7512).
  3. The user (or any website such as Rekt) queries the protocol to get this signed audit summary.
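To make the three steps concrete, here is an added Solidity sketch of a contract that stores auditor-signed audit summaries and exposes them to a plain RPC call. It is illustration code written for this article, not Ackee's or the ERC-7512 reference implementation: the struct fields, the EIP-712 type strings and the domain name/version are assumptions made here, and the real standard may lay them out differently. What it does show is the part that matters for the problems above: the summary is bound to this deployment and chain, it carries a hash of the full report, and nothing is stored unless the auditor's signature over exactly those fields checks out.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Added illustration of the ERC-7512 flow (not Ackee's or the standard's code).
/// Field names, EIP-712 type strings and domain values are assumptions.
contract AuditRegistryExample {
    struct Auditor { string name; string uri; string[] authors; }
    struct AuditedContract { uint256 chainId; address deployment; }
    struct AuditSummary {
        Auditor auditor;
        uint256 issuedAt;            // unix time the audit was issued
        uint256[] ercs;              // ERCs the audit checked the contract against
        AuditedContract auditedContract;
        bytes32 auditHash;           // hash of the full report (e.g. keccak256 of the PDF)
        string auditUri;             // where the full report can be fetched
    }
    struct StoredAudit { AuditSummary summary; address auditorAddress; bytes signature; }

    // EIP-712 type hashes; referenced structs are listed alphabetically after the primary type.
    bytes32 private constant AUDITOR_TYPEHASH =
        keccak256("Auditor(string name,string uri,string[] authors)");
    bytes32 private constant CONTRACT_TYPEHASH =
        keccak256("AuditedContract(uint256 chainId,address deployment)");
    bytes32 private constant SUMMARY_TYPEHASH = keccak256(
        "AuditSummary(Auditor auditor,uint256 issuedAt,uint256[] ercs,AuditedContract auditedContract,bytes32 auditHash,string auditUri)"
        "AuditedContract(uint256 chainId,address deployment)"
        "Auditor(string name,string uri,string[] authors)"
    );
    bytes32 private immutable _domainSeparator;
    StoredAudit[] private _audits;

    event AuditSummaryAdded(uint256 indexed index, address indexed auditor, bytes32 auditHash);

    constructor() {
        _domainSeparator = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("ERC7512Example"), keccak256("1"), block.chainid, address(this)
        ));
    }

    /// Step 1: the protocol registers a summary that the auditor signed off-chain (step 2).
    function addAuditSummary(AuditSummary calldata s, address auditorAddress, bytes calldata signature) external {
        // The summary must describe *this* deployment, so a report for another chain or
        // address (the "out of scope" case) cannot be reused here.
        require(s.auditedContract.deployment == address(this), "summary is for another contract");
        require(s.auditedContract.chainId == block.chainid, "summary is for another chain");
        require(s.issuedAt <= block.timestamp && s.auditHash != bytes32(0), "invalid summary");

        bytes32 digest = keccak256(abi.encodePacked("\x19\x01", _domainSeparator, hashAuditSummary(s)));
        require(_recover(digest, signature) == auditorAddress, "auditor signature mismatch");

        // Copy field by field: nested dynamic arrays are not copied calldata->storage in one go.
        StoredAudit storage a = _audits.push();
        a.summary.auditor.name = s.auditor.name;
        a.summary.auditor.uri = s.auditor.uri;
        for (uint256 i = 0; i < s.auditor.authors.length; i++) a.summary.auditor.authors.push(s.auditor.authors[i]);
        a.summary.issuedAt = s.issuedAt;
        a.summary.ercs = s.ercs;
        a.summary.auditedContract = s.auditedContract;
        a.summary.auditHash = s.auditHash;
        a.summary.auditUri = s.auditUri;
        a.auditorAddress = auditorAddress;
        a.signature = signature;
        emit AuditSummaryAdded(_audits.length - 1, auditorAddress, s.auditHash);
    }

    /// Step 3: anyone (a user, Rekt, a wallet) reads the signed summaries with a plain eth_call.
    function auditCount() external view returns (uint256) { return _audits.length; }
    function getAudit(uint256 index) external view returns (AuditSummary memory, address, bytes memory) {
        StoredAudit storage a = _audits[index];
        return (a.summary, a.auditorAddress, a.signature);
    }

    /// EIP-712 struct hash of a summary; off-chain signers compute the same value.
    function hashAuditSummary(AuditSummary memory s) public pure returns (bytes32) {
        bytes32[] memory authorHashes = new bytes32[](s.auditor.authors.length);
        for (uint256 i = 0; i < authorHashes.length; i++) authorHashes[i] = keccak256(bytes(s.auditor.authors[i]));
        bytes32 auditorHash = keccak256(abi.encode(AUDITOR_TYPEHASH, keccak256(bytes(s.auditor.name)),
            keccak256(bytes(s.auditor.uri)), keccak256(abi.encodePacked(authorHashes))));
        bytes32 contractHash = keccak256(abi.encode(CONTRACT_TYPEHASH, s.auditedContract.chainId, s.auditedContract.deployment));
        return keccak256(abi.encode(SUMMARY_TYPEHASH, auditorHash, s.issuedAt, keccak256(abi.encodePacked(s.ercs)),
            contractHash, s.auditHash, keccak256(bytes(s.auditUri))));
    }

    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        require(sig.length == 65, "bad signature length");
        bytes32 r = bytes32(sig[0:32]);
        bytes32 s = bytes32(sig[32:64]);
        uint8 v = uint8(sig[64]);
        if (v < 27) v += 27;
        // Reject high-s values (EIP-2) so one signature cannot be turned into a second valid one.
        require(uint256(s) <= 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, "high s");
        require(v == 27 || v == 28, "bad v");
        address signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid signature");
        return signer;
    }
}
```

Two things a reader should take from the sketch. First, the contract only proves that the stored summary was signed by `auditorAddress`; whether that key really belongs to the auditing firm is an out-of-band fact (the firm publishing its signing address on its own site or under an ENS name, for instance), so a checker still has to compare the recovered address against a trusted source. Second, a new release of the protocol is a new deployment or, at minimum, new code, and the `auditedContract` and `auditHash` fields stop matching it, which is exactly the "protocol evolution" signal that a logo on a website cannot give.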

So, in the age of ERC-7512, don’t check the logo on the website. Just look for ERC-7512. Ackee Blockchain will pioneer this by encouraging our clients to implement ERC-7512 in all future audit reports.

In the next articles, we will talk about:

  • integration into tooling for mass adoption,
  • automation of the on-chain data submission, leading to minimal overhead and only benefits,
  • use cases in smart contract flow to strengthen the ecosystem.

Originally published at https://ackeeblockchain.com on September 19, 2023.


Co-founder at Ackee, Assistant professor at the Czech Technical University in Prague.