Building on Bitcoin: Stacks, Hacks, & Security Best Practices

Hind Kurhan
Thesis Defense
Published in Thesis Defense
5 min read · Apr 22, 2024

On April 16, I had the pleasure of joining The Stacks DeFi Show on X Spaces with Stacks ecosystem builders and security experts, including founders from DeFi protocols like Zest, ALEX, and Arkadiko. The discussion was timely — just a few days earlier on April 11, Zest Protocol suffered a hack shortly after it was deployed on the Stacks mainnet. Zest is the first lending and borrowing protocol on Stacks, a Bitcoin L2 solution that is, among other things, known for its security.

The discussion touched on how projects can respond to hacks, the security of projects built on Stacks, and how we can learn from these experiences to help strengthen the security of growing and maturing ecosystems.

These topics offer important and relevant lessons for all projects and builders, regardless of ecosystem. I distill some of them below to serve as a reminder and guide for all of us working to broaden the adoption of decentralized tech.

Responding to Hacks

Hacks are a devastating and all too common reality. But as with adversity more generally, how a project responds to a hack matters enormously: it shapes the perception of the team that suffered it and provides the necessary assurances to users, investors, and the community.

In the case of the Zest hack, the Zest Protocol team acted swiftly and transparently as soon as the attack was identified. The protocol was frozen, the hack was publicly communicated, a clear action plan was laid out, users were protected through effective application of the Zest Protocol treasury, and efforts to identify the hacker and potentially take legal action are underway.

Zest then partnered with several reputable security auditors with demonstrable experience and expertise in the Stacks ecosystem and with Clarity, the smart contract programming language used to build on Stacks — including Thesis Defense. While security auditors cannot guarantee the security of a protocol, auditing regularly and diversifying the auditors reviewing a project’s codebase, in addition to choosing highly qualified auditors, adheres to security best practices, vastly increases the possibility of discovering critical vulnerabilities, and improves a protocol’s overall security.

Thesis Defense auditors were some of the first to review Clarity smart contracts and to serve the Stacks ecosystem since its v2 launch in 2021. Our audit for the Zest Protocol team is already underway, and we look forward to delivering the findings of our report in the coming weeks, ahead of their projected relaunch in early May.

Ecosystem Maturity

This three-pronged approach — quick action, clear communication, and risk mitigation and management by engaging security auditors — demonstrates the necessary and appropriate due diligence and responsibility that should be taken by a project team. Furthermore, this incident underscores the importance of adhering to security best practices and not rushing the development and launch process. We’ve learned repeatedly through the multitude of hacks that haste makes waste and that even a slow and steady approach like the one taken by the Zest Protocol team may result in unfortunate circumstances. This is where the role of ecosystem maturity comes in.

Regular and comprehensive security audits, coupled with significant investments in tooling, education, and community engagement are critical. These efforts not only support and educate developers and enhance the security infrastructure, but they also help mitigate potential security incidents effectively. Emphasizing these foundational practices and learning from each experience, good or bad, are essential steps toward achieving maturity in securing protocols and ensuring the longevity of blockchain projects.

Leveraging a Secure Foundation: Bitcoin and Clarity

In the course of the discussion, an excellent question was raised: how could a hack still occur given the robust foundation of Stacks, namely Bitcoin and Clarity? This point deserves some consideration.

Stacks is known for its security due to its unique design and consensus mechanism. First, it's built on Bitcoin, which is widely recognized as the most secure, reliable, and decentralized blockchain. By anchoring to Bitcoin, Stacks enables developers to create dApps and smart contracts that inherit Bitcoin's security guarantees.

Furthermore, Stacks benefits from the use of Clarity. As a decidable language, Clarity allows developers to fully understand what a program will do before it’s executed. This predictability is vital for preventing unexpected behavior that could lead to security breaches or loss of funds.

Clarity also doesn't require a compiler: code is interpreted directly on the blockchain. This removes a layer of complexity that could introduce errors, since the code written by developers is exactly what gets executed. This feature simplifies the audit process, making it easier for auditors to analyze and reason about the code. I want to emphasize this last point: reduced complexity is imperative for security, especially when trying to identify errors in logic.
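To make the decidability and "what you read is what runs" points above concrete, here is a small Clarity contract written for this post as an added illustration; it is not code from Zest Protocol or any other project mentioned here, and the function and map names are hypothetical. Iteration in Clarity is only possible over a list whose maximum length is part of its type, and the language has no recursion, so the cost of every call can be bounded before execution, and the `asserts!` guard shows the kind of explicit pre-condition an auditor expects to find in a lending or withdrawal path:

```clarity
;; Added example: bounded iteration and an explicit guard in Clarity.

;; The list type caps the input at 10 elements, so `fold` runs at most
;; 10 steps. There is no way to express an unbounded loop or recursion,
;; which is what makes the language decidable.
(define-read-only (sum-list (xs (list 10 uint)))
  (fold + xs u0))

;; Hypothetical per-account balance map.
(define-map balances principal uint)

(define-public (deposit (amount uint))
  (let ((bal (default-to u0 (map-get? balances tx-sender))))
    (map-set balances tx-sender (+ bal amount))
    (ok amount)))

;; Withdrawal with an explicit pre-condition. If the check fails, the
;; whole call reverts with (err u1) and no state change persists.
(define-public (withdraw (amount uint))
  (let ((bal (default-to u0 (map-get? balances tx-sender))))
    (asserts! (>= bal amount) (err u1))
    (map-set balances tx-sender (- bal amount))
    (ok amount)))
```

Because the contract is deployed as this source text and interpreted as-is, the reviewer reads exactly what the chain executes; there is no compiler output to diff against. The guard-before-state-change shape in `withdraw` is also the pattern auditors look for when reasoning about accounting logic, which is where most DeFi exploits, on any chain, tend to live.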

So how do hacks still occur in systems with robust foundations? Well, to put it bluntly, security is hard. In a fast-paced space with unprecedented innovation, we're building the plane while flying it. Ecosystem maturity takes time, and we're learning about attack surfaces and vulnerabilities as we build. This is why it's absolutely imperative to learn from these incidents and integrate security from day one.

The good news is that as an ecosystem expands, so should its capability to support builders with a wealth of security tooling, libraries, and community forums that reduce the learning curve and encourage robust development. This also requires investment and should be considered in every project's roadmap from design to development to deployment. With longevity and an evolving support system, builders are aided and the overall security and efficiency of the technological landscape is enhanced.

Final Thoughts

Hacks are devastating but are an inevitable part of the maturation process. However, the way in which we deal with their aftermath leads to a better grasp of the attack surface and broadens knowledge about potential vulnerabilities. This experience contributes to a more developed, predictable, and mature ecosystem and the broader adoption of security best practices.

At Thesis Defense, we pride ourselves on our expertise. Our team of security auditors has carried out hundreds of security audits for decentralized systems across a number of technologies, including smart contracts, wallets and browser extensions, bridges, node implementations, cryptographic protocols, and dApps. We offer our services within a variety of ecosystems, including Bitcoin, Ethereum and EVM chains, Stacks, Cosmos / Cosmos SDK, NEAR, and more.

To learn more about our services and get a free quote, schedule a call or email us at defense@thesis.co. For more information about Thesis Defense, visit our website and our blog.


Co-Founder @ Thesis Defense, Founder-in-Residence @ Thesis