Why Crypto Needs Security Audits

Thesis Defense Team
Published in Thesis Defense
Feb 1, 2024


One of the main features of Bitcoin and other cryptocurrencies is the fact that they’re decentralized — meaning they are managed by a network of computers (nodes) spread across different locations. From a security perspective, this setup has several benefits.

For one, it means there is no central point that can be attacked or compromised, like a central server or database, that would bring down the system. In other words, it reduces the single points of failure to the fullest extent possible.

Second, decentralization promotes network resilience. The idea is that if some parts of the network become compromised or go offline, the rest of the system continues to operate normally.

If the system is designed and built properly, this is the intended and expected outcome. Yet time after time, hackers are exploiting vulnerabilities in a project’s code for personal profit. In fact, according to researchers at Chainalysis, nearly $5.5 billion in crypto assets have been stolen by hackers in the past two years alone.

This is where security auditors come in.

In the following sections, we’ll reveal what exactly it is that security auditors do, answer common questions about security auditing, explain some of the different types of audits available, and cover when a project team should solicit them.

What is a Security Audit?

Simply put, a security audit is when one independent security expert or a team of them (aka security auditors), who are not part of the project team that built the system, check and analyze how the system is built and functions. The role of the security auditor(s) is to look for any potential vulnerabilities or issues that could cause harm to the system or the people using it. They also check to see if the system was built in the correct way, in accordance with the best practice methodologies and standards for the kind of technology and programming language(s) in which it’s built.

What Security Audits Are Not

A security audit, like audits more generally, is not a surefire guarantee that a system is secure and that its code does not contain security vulnerabilities. Just as a physical security contractor might assess a building to make sure that it is designed to best practices and that its doors and windows are not easily breached, but cannot guarantee that it will never be broken into, a security auditor cannot guarantee that a codebase’s defenses are impenetrable. If a security auditor or auditing company claims otherwise, beware.

Therefore, in order to maximize a project’s security, it is recommended (and imperative) to seek multiple audits by several different reputable auditing firms.

But Won’t That Be Expensive?

True. Security audits are not cheap. But they are hard jobs requiring a very high degree of specialization and expertise. And so the real question becomes, should a project risk not getting a security audit?

This depends on a project’s risk appetite. Many systems in web3 and crypto control highly valuable assets, including financial assets and sensitive data that could be worth tens to hundreds of millions of dollars. Not only that, if a project or a system is hacked, the reputational damage and consequent loss of potential customers could prove devastating. Moreover, these events negatively impact the industry as a whole by disincentivizing the broad adoption of decentralized technologies due to diminishing trust. When viewed from this perspective, the relative cost of a security audit is negligible.

Read: Crypto Audits Can Be Expensive. They’re A Lot Cheaper than Hacks.

Common Auditing Questions

Why Do We Need External Security Auditors to Audit Code?

Security auditing is a unique skill that’s distinct from software engineering, although most auditors have an engineering background. A good security auditor looks at a system like a potential attacker would, checking every part thoroughly and from the perspective of an adversary. They’re not just thinking like the engineers who built the system, but also looking for ways it might be broken into or compromised. Because they work on a large number of projects and across a variety of technologies, they’re better equipped to find security problems than the teams who build the systems. Unlike engineering teams who have to focus on many things at once (e.g. system performance, features, user experience), auditors focus primarily on security.

Moreover, it’s imperative to hire an independent team to do security audits. They can check the system without any bias, identify potential security vulnerabilities, and provide a trustworthy report on the system’s security.

What Are Some Examples of Security Vulnerabilities?

A security vulnerability is an error in the design or implementation of a system that could permit a bad actor to cause harm to, or manipulate, the system, such that it undermines the system and its users. Some examples of security vulnerabilities include:

  • Incorrect or insufficiently secure use of cryptography.
  • Leakage of user-identifying, sensitive, or secret data.
  • Unprotected attack surfaces, lack of safeguards or protective measures.
  • Implementation errors.
  • Lack of adherence to best practice.
  • Incorrect use of dependency libraries or the use of vulnerable dependency libraries.
  • Inconsistencies between the system design documentation and the coded implementation.

The potential impacts of security vulnerabilities are plenty. They include wasting system resources, denial of service attacks (when a system is overwhelmed and it is made unavailable to its intended users), exposure of sensitive and secret user data, loss of system control, and the complete loss of user and system assets.

Which Systems or Components Should be Audited?

Systems that handle private or sensitive user data and assets should be audited to assess to what extent data and assets are handled in a secure, privacy-preserving manner. Distributed systems are usually composed of multiple components, all performing security-critical functionality, and each component that performs security-critical functionality should be audited. Additionally, most systems make use of libraries that are built and maintained by third parties, which should also be audited for security vulnerabilities.

Read: The Security Audit Process at Thesis Defense

When Should a System be Audited?

Most security audits should be conducted in two phases.

First, a system’s security should be checked in the planning phase, when the system is still being designed. Incorporating a security perspective in a system’s design can help prevent security issues down the line, which are often more costly and time-consuming to resolve once the implementation has been completed. Again, this makes sense when looking at a building analogy. It’s better to build a strong foundation from the start than to have to reconstruct at a later date.

Second, once the system or its important components are built, another audit should be conducted of the implementation. For planning purposes, the team developing the system should seek to audit parts of the code where an exploit could be particularly damaging (i.e. security-critical components) as soon as they are built and before the system has been released to the public. This reduces the likelihood of security issues appearing between the time an audit takes place and when the system goes live.

How to Get a Security Audit

The security auditing space is small, comprising a small number of expert teams. In order to get a security audit, it’s important to identify a reputable team with a demonstrated track record that has the expertise to audit a particular project’s language and technology.

In addition to subject matter expertise, budget and timeline are key considerations: the audit should be within the team’s allocated security budget and the auditing team needs to be available to carry out the audit at the desired time.

For an optimal experience, it’s good practice to reach out to security auditing teams well in advance of a planned audit to book a time that lines up with a team’s development and launch roadmap. Auditing companies may have significant lead times due to high demand compared to the limited supply of top-tier security auditors. By contacting those auditing teams early, projects can define a scope within budget and schedule an audit that makes sense for the project and its milestones.

At Thesis Defense, we pride ourselves on our expertise. Our team of security auditors has carried out hundreds of security audits for decentralized systems across a number of technologies including smart contracts, wallets + browser extensions, bridges, node implementations, cryptographic protocols, and dApps. We offer our services within a variety of ecosystems including Bitcoin, Ethereum + EVMs, Stacks, Cosmos / Cosmos SDK, NEAR and more.

To learn more about our services and get a free quote, schedule a call or email us at defense@thesis.co. For more information about Thesis Defense, visit our website and our blog.
