State of DeFi Audits

Taking a look at the auditing space and its importance in onboarding users by properly securing new DeFi protocols.

Conflux Network


2020 has proven a critical year of growth for the DeFi ecosystem. Significant milestones include reaching $1 billion USD in total value locked across DeFi and more than 5x returns on DEX tokens compared to centralized exchange tokens. However, the industry has also proven vulnerable to a series of security breaches, small in absolute terms but significant in impact, across both new and established DeFi protocols. In April alone, millions of dollars were lost to security vulnerabilities. Even at some of the biggest decentralized exchanges in the space, such as Uniswap and Curve, bugs in smart contracts were discovered after the code had been audited, and hundreds of thousands of dollars were stolen through a reentrancy attack. Beyond Uniswap and Curve, Lendf.me was drained of $25M, Hegic lost liquidity that remained locked in expired options contracts, and PegNet suffered a 51% attack.

Most of these breaches trace back to the quality of the underlying code and of the audit it received before deployment. The problem is that many protocols look for the quickest way through this process because it is costly and time-consuming, putting not only users' funds at risk but also the adoption of DeFi. To address this, we have to stress the importance of audits to developers and look for a sustainable, efficient way to audit DeFi protocols.

“Auditing is not a silver bullet, and not all audits are equal, but it is a crucial step for any DeFi contracts before deployment.”

What Is An Audit

For developers looking to build DeFi DApps on Conflux Network, applications in which users may lock millions of dollars, evaluating the security tooling on offer becomes a necessity. A smart contract security audit examines the code behind a decentralized application, searching for exploitable vulnerabilities (reentrancy being the classic example), violations of programming conventions, and plain bugs. Usually carried out by a third party, these audits play a vital role not only in the security of the applications we invest through but also in the healthy growth of the DeFi ecosystem.

In the simplest sense, a smart contract audit is a third-party review of a smart contract's source code. A completed audit means the code was reviewed, but the rigour of that review can vary substantially. For instance, a DApp may advertise on its landing page that no errors were found during the audit, yet it is hard to tell whether that means the code quality was extremely high or the auditor was substandard.

Audits can mitigate many different threats and attacks, including market manipulation, front-running, and reentrancy:

Attack vectors developers must secure against, which are often overlooked without an audit

According to our auditing partner Quantstamp, an audit engagement can take anywhere from 1 to 12 months, depending on the size of the project. The approach varies by firm but usually starts with project consultation and a review of the technical architecture design, followed by implementation and integration, and ends with one last rigorous auditing pass over the code.

Value of Security Audits in DeFi

As smart contracts are a new innovation, security standards for these instruments remain in their infancy. In the past few years several auditing firms have gained popularity, and for new protocols it has become essential to engage auditors to make sure a DApp is safe to handle and transact large sums of crypto assets. Yet even as the industry gains credibility, each private firm still takes its own approach to auditing, so customers have to rely on the reputation of the company and of the team members conducting the audit. In the current market, many protocols still opt out of the audit process because of:

● Lack of awareness of why security audits matter

● The time it takes to complete a full audit

● Users feeling overwhelmed reading through full audit reports

Projects that do not audit their protocols, or do not budget enough to do it properly, hurt everyone in the community: DeFi adoption cannot keep growing without more users onboarding, and users will not onboard without security. A survey by the DeFi platform Gossamer asked users about their fear of being hacked and their reluctance to invest in DeFi platforms, and found the following:

“Many of our respondents share the same story: someone they know lost their money because the exchange or wallet was hacked. People who don’t know much about technology tend to confuse all the money-losing events in the ecosystem (exchanges are hacked, smart contracts are hacked)… It is difficult for these people to assess the risk of a hacker like an ecosystem like Compound, and hope to get advice from trusted third parties on security. Participants who know more about technology can analyze the security of smart contracts more specifically — they know that bugs often occur during normal development, and therefore do not trust smart contracts that hold a lot of value.”

Because DeFi keeps producing more complex systems with interconnected parts (composable "money legos", cross-chain interoperability), attackers get opportunities to exploit these systems in creative ways that builders do not necessarily anticipate. Of the 104 project submissions at the ETHDenver 2020 hackathon, 92% depend on an external protocol or blockchain to function. The DeFi landscape has become complicated enough that it is more necessary than ever for new protocols to have a third-party set of eyes on every iteration if developers want to keep users and liquidity safe from breaches.

Repurposed Wardley Map showing the complexity of DeFi transactions from user to developer

Shortcomings of Current Auditing Methods

Even though the industry is progressing, several problems with the market are not publicized enough. Currently, after putting a protocol through an audit, the DApp receives a digital badge with a QR code linking to the full report. From there, users are faced with dense technical language that does not paint a clear picture of whether the DApp is truly safe to invest in, or of how much effort went into finding and fixing bugs. The reentrancy drains in April hit several protocols that had already completed their audits and publicized that they were secure. Here is an example of the assessment summary conducted on Hegic before the bug in its contracts locked user funds in April this year.

Excerpt from the audit report of the Hegic contracts that were later affected; the layout distracts from the key findings

To the average user, who wants to place a simple option order and get a quick read on the security of this open protocol, being faced with all these hashes and Solidity contracts is overwhelming. In fact, it is painstaking enough that it is easy to miss the key points in just this one screenshot of the 3-page security audit:

● Only one engineer reviewed the contracts for math errors and typos, reentrancy, financial and economic impacts, and malicious internal and external actors

● The entire audit was completed over two days (16 hours)

● The eleven critical bugs found were fixed and re-reviewed within five days

This is not to say that audits in general are being conducted improperly, or that the fault lies with the auditor; without audits the potential for loss would be even greater. The market had a big wake-up call, and users and developers were sharply reminded of what is at stake when transacting large sums through an open-source smart contract. ConsenSys Diligence has done an excellent job of simplifying this by making its audits easy to digest for the average user; here is an example from its 0x audit:

Abstract of an audit report by ConsenSys Diligence clearly summarizing the findings

This is a step in the right direction, but not all auditing firms are on the same page. Each firm approaches its security checks differently and the key security risks are often not articulated clearly, which has hurt the DeFi market severely in the form of breaches and drains of highly liquid protocols.

Standardization of Auditing

Leaders in the space also feel that the growth of DeFi is hindered by the community's disregard for auditing. Scott Lewis of DeFi Pulse has proposed a standard for audit reports in which each audit states clearly the engineering hours spent on the project, the number of bugs found, each bug ranked by severity, and a closing opinion that is easy to read for people who are not tech-savvy but want to interact with DApps and know their funds are safe.

Creating an auditing standard should be the next key development in securing DeFi; it would benefit both users and developers and encourage adoption. After the recent run of hacks, new tools have appeared to promote awareness of audits, such as DeFi Score, "a single, consistently comparable value for measuring platform risk". Tools like this inform users about a DApp's key security metrics, such as audit history, centralization index, and financial risk; they promote security in the space and give inexperienced users a basis for trying out decentralized platforms.

Conflux Network Security

Here at Conflux Network we take our audits seriously. All of our protocols and underlying infrastructure are audited by leaders in the space such as Quantstamp, SlowMist, Beosin, and PeckShield, so that developers building on Conflux Network can trust that the network is secure against the kinds of attacks other blockchains have faced in the past.

We spoke with CertiK, an auditing firm based in Manhattan, to better understand how developers can get the most out of an audit. CertiK has worked on projects including Kava, THORChain, and Hyundai. Once again, the big takeaway was that an auditing standard is easier said than done. Since every codebase is unique and can be written in any of numerous programming languages, it would be naive to claim that one standard can be applied as a catch-all for DeFi projects. However, certain principles should hold for any review, in particular the four-eyes principle (no finding rests on a single reviewer) and line-by-line examination of the codebase. Finally, each project's architecture and integrations must be taken into account to identify the areas with the highest risk profile and then to design ways to stress test them.

Developers looking to deploy DApps on our blockchain should always look for additional ways to protect a protocol from breaches and make sure the groundwork is in place to get the most out of third-party security checks. CertiK recommends taking the time to write thorough documentation, applying the latest security practices, enforcing strong coding standards in the repository, writing full test coverage, and stress testing the DApp on a testnet. Much of the time these breaches are beyond what an audit can catch: even with a standardized audit, code that ignores these basics cannot be repaired by an audit alone.

At Conflux Network we work closely with developers to ensure a smooth experience building DApps on our network, and we stress to them the importance of auditing a DeFi platform so that developers and users alike are protected from losing funds. We can assure developers building on Conflux Network that at the blockchain level all of our protocols and technology have been rigorously tested and deployed safely, and we encourage protocols to do the same for their layer-2 applications so that we can grow DeFi together.

Future Recommendations

Based on the opinions of the experts we consulted, the next step toward eliminating DeFi breaches and winning user adoption is to put more emphasis on informing users of security risks, to encourage developers to code carefully and document thoroughly, and to adopt audit report standards that make clear not only the effort behind each audit but also key risk metrics, such as audit history, centralization index, and financial risk, in an easy-to-digest form.

Despite the recent wave of breaches and the questions raised about DeFi audits, the industry remains overwhelmingly positive about DeFi's prospects, and the statistics show the market still growing even after extremely costly drains. The audit industry is slowly adapting to this new landscape and working with the community toward a future in which an auditing standard is in place, developers build carefully, and users are aware of the risks, so that DeFi users can invest safely and the codebase stays transparent and secure as the market moves toward its next milestone.

Special thanks to Scott Lewis of DeFi Pulse and DEX.AG, John Mardlin of ConsenSys Diligence, and the auditing team at CertiK for their insights, feedback, and input for this post.

Written by Conflux Network’s DeFi Analyst, Sami Tannir

To discuss Conflux Network and join our community, visit our official channels:

Twitter | Discord | Telegram | GitHub




Conflux Network

Conflux is a PoW + PoS hybrid first layer consensus blockchain for dApps that require speed at scale, without sacrificing decentralization.