Committing to Responsible Disclosure

Hind Kurhan
Thesis Defense
Dec 15, 2023

For all its transformative capabilities, decentralized tech suffers from a serious credibility problem. Years of high-profile hacks, losses, and outright fraud have left many in the wider public with the impression that their money just isn’t safe in crypto.

Perception may not be reality — but it can shape it. That’s why, if we want decentralized finance (DeFi) and crypto more broadly to thrive and grow, we must give people confidence that their assets won’t be lost or stolen.

I know from experience that the only way large numbers of people will invest in Web3 projects is for those projects to be held accountable for doing the hard, sustained work necessary to build out secure and transparent systems and processes. That’s why I am co-founding Thesis Defense. Our goal is nothing less than to establish a new gold standard for Web3 security audits.

A big part of that goal is a firm commitment to responsible disclosure. Here’s what that means in practical terms.

Our Commitment to Responsible Disclosure.

Thesis Defense will publicly disclose any meaningful security vulnerabilities our audits uncover if — and this “if” is crucial — the subject of the audit refuses to disclose and/or remedy these vulnerabilities themselves, and the vulnerabilities are live, thus putting users at risk.

This approach may sound severe, but my colleagues and I are confident it is essential to fostering a culture of security and transparency across crypto. Without that, the broader crypto mission — to transform the world’s financial system into something open and free from centralized control — will remain out of reach.

It’s Time for Crypto to Grow Up.

We recognize that responsible disclosure is tricky and can involve trade-offs. That’s why it is critical for us to get it right.

Crypto was not unusual in being marked by a no-holds-barred, “wild west” atmosphere when it first emerged. But that early ferment cannot, and should not, last forever. Part of being a mature industry is making mature choices, and building systems of accountability — ones that will benefit individual users and the space as a whole. That’s why Thesis Defense is committed to both parts of the phrase: responsible and disclosure.

This is a unique challenge for crypto, whose novelty means it cannot rely on the well-worn pathways or long-established regulations familiar to traditional financial auditors. In most jurisdictions, regulators will deal directly with the firm under audit, not with the auditor that surfaced the problems. In decentralized tech, we must play a more direct role.

Because crypto auditing is a new concept, standards can vary widely. And it’s an unfortunate fact that not all crypto auditors are operating above board. Some are all too willing to collect high fees in exchange for a clean bill of health their clients can display to the world, without applying the kind of rigorous and consistent standards necessary to justify that validation.

And while the vast majority of projects turn to auditors for the best of reasons, likewise some development teams are merely going through the motions: seeking an auditor’s stamp of approval with no real intention of taking the action necessary to correct any vulnerabilities.

I know this because I’ve lived it. In February 2022, Least Authority, where I was Director of Security Consulting, published a blog warning users of flaws in the design of Atomic Wallet that put their assets at risk.

“We strongly recommend that the Atomic Wallet team immediately notify users of the existing security vulnerabilities,” the blog post said. “In addition, until the issues and suggestions outlined in the report have been sufficiently remediated and the Atomic Wallet has undergone subsequent security audits, we strongly recommend against the Atomic Wallet’s deployment and use.”

This was a necessary and significant step — and a last resort. Before publishing, we tried every tactic we could think of to get the Atomic Wallet team to address or disclose the vulnerabilities we found — and they refused. Atomic Wallet was not in beta. It was already up and running and managing the assets of thousands of users, and the weaknesses we identified were important ones. We had a responsibility to act. To minimize the risk that we would inadvertently spur hackers to try to exploit the system, we did not specify the nature of the issues we uncovered.

This June, nearly a year and a half after our warning, hackers breached Atomic Wallet and stole more than $100 million. Investors are now suing the project over the hack, with plaintiffs citing the Least Authority warning and saying the development team did nothing to fix the vulnerabilities identified. By ignoring the results of the audit, Atomic Wallet set itself up for disaster. But through responsible disclosure, I believe Least Authority gave people the choice to avoid being part of that disaster.

Audits Have a Crucial Role to Play.

At Thesis Defense we believe auditors play a critical role in the security of the entire space. It is our responsibility to hold development teams accountable when a project may be putting users or funds at risk. This may cause some short-term discomfort, but in the long term it will strengthen good projects and flush out those that just want a quick, easy windfall.

We Owe it to the Users. We Owe it to Decentralized Technology as a Whole.

Here I must again stress: public disclosure is a last resort. And it is not a step we expect to take often. In all my time in the industry, Atomic Wallet was the only instance I was involved in where responsible disclosure became necessary.

Prior to disclosure comes a full and fair report, with a set of recommendations, delivered to the development team. Auditors must be willing to give customers the time and support they need to address any problems, and to work with development teams to verify that the security issues are addressed.

We believe that strong and consistent auditing standards, coupled with a pledge that users will be told when a live project refuses to disclose or address serious vulnerabilities, will ultimately strengthen the space and make it possible to deliver more innovation and benefits.

Perhaps more importantly, once users realize that crypto is dominated by responsible, good-faith actors, not those in it just to ride hype to profit, the reputation of the entire industry will strengthen.

And if strong and consistent audit standards are widely adopted and sustained, mainstream institutions and ordinary retail users will be able to enter the space with confidence and take advantage of all that it has to offer.

At Thesis Defense, we pride ourselves on our expertise. Our team of security auditors has carried out hundreds of security audits for decentralized systems across a number of technologies, including smart contracts, wallets + browser extensions, bridges, node implementations, cryptographic protocols, and dApps. We offer our services within a variety of ecosystems, including Bitcoin, Ethereum + EVMs, Stacks, Cosmos / Cosmos SDK, NEAR and more.

To learn more about our services and get a free quote, schedule a call or email us at defense@thesis.co. For more information about Thesis Defense, visit our website and our blog.

Co-Founder @ Thesis Defense, Founder-in-Residence @ Thesis