To Improve Crypto Security Audits And Bug Bounties, Some Changes Are Necessary

Blockchain Exploits

The occurrence of costly blockchain exploits is common due to poorly designed decentralized apps, smart contracts, and bridges that are repeatedly attacked. For instance, in March 2022, the Ronin Network suffered a $625 million breach, where a hacker stole private keys and transferred hundreds of millions by generating fake withdrawals.

Likewise, in August of the same year, the Nomad Bridge experienced a $190 million breach, with hackers exploiting a bug in the protocol to withdraw more funds than deposited. These vulnerabilities arising from errors in the smart contract code, coupled with human errors and judgment lapses, pose significant risks to Web3 users.

However, there are proactive steps that crypto projects can take to identify and mitigate the risks. One strategy is to hire firms that audit their smart contract code and assess the project to obtain a stamp of approval. Another approach is to establish a bug bounty program that incentivizes ethical hackers to use their skills to identify vulnerabilities before malicious hackers exploit them. Nonetheless, both approaches have significant issues that need to be addressed.

In Web3, auditing is problematic: external evaluations tend to be demanded in markets where risk can quickly escalate and cause systemic harm. Whether it’s a smart contract, sovereign debt, or a publicly traded company, a single vulnerability can cause chaos. Yet external audits, even when performed by a third-party organization, are often neither credible nor effective, since the auditors lack true independence.

Their incentives may be aligned towards pleasing the client rather than delivering unpleasant news. According to Keir Finlow-Bates, a blockchain researcher and Solidity developer, “Security audits are time-consuming, expensive, and, at best, result in an outcome that everything is fine. At worst, they can prompt a project to reconsider its entire design, causing delays in launch and market success. As a result, DeFi project managers are tempted to seek another auditing firm that will be more accommodating and overlook any concerns to rubber-stamp the smart contracts.”

Acting with principles can lead to long-term benefits, but it may come at the expense of lucrative clients who are eager to launch their tokens in the short term. Keir Finlow-Bates observes that auditing firms with lax standards rapidly gain popularity in the market as they attract a large clientele who are satisfied until a security breach occurs.

CertiK, a leading auditing company in Web3, provides “trust scores” to the projects they review. However, some critics argue that they have granted approval to projects that failed spectacularly. For instance, Eloisa Marchesoni, a tokenomics specialist, notes that CertiK neglected to disclose that they had audited Arbix 46 days before a rug pull occurred on the BNB Smart Chain project, which they reported on January 4, 2022.

The most significant case was CertiK’s complete audit of Terra, which subsequently collapsed and had an impact on half the crypto industry. The audit has since been taken down, and CertiK has taken a more contemplative approach, but remnants of it remain online.

Learning From History

Throughout history, there have been instances where organizations gave their approval to something that turned out to be problematic. This pattern is not unique to the blockchain industry, as evidenced by examples such as Arthur Andersen’s approval of Enron’s books or Moody’s bond ratings that contributed to the Global Financial Crisis.

However, in the newer, rapidly growing, and less regulated Web3 industry, audit companies face similar pressures. CertiK recently released its new “Security Scores” for 10,000 projects, but this highlights the need for structural reforms to align incentives and address all the risks to projects and users. Audits only evaluate the validity of a contract, but much of the risk lies in the logic of the protocol design.

Exploits often require a review of the tokenomics, integration, and red-teaming, according to Eric Waisanen, tokenomics lead at Phi Labs. This is not to criticize CertiK, which has well-intentioned and skilled workers, but rather to point out the limitations of Web3 audits.

To ensure the best possible review, projects should consider hiring multiple auditors, according to Stylianos Kampakis, CEO of Tesseract Academy and tokenomics expert. While many Web3 audit firms may do a good job overall, there have been horror stories of audits that missed significant bugs, and it’s not only down to the firm but also the actual people involved in the audit.

Therefore, Kampakis recommends not trusting the security of a protocol to a single auditor. zkSync agrees on the need for multiple auditors and thoroughly tested its EVM-compatible zero-knowledge rollup, Era, in seven different audits before launching it on mainnet on March 24.

According to Rainer Böhme, professor for security and privacy at the University of Innsbruck, basic audits are “hardly ever useful,” and the thoroughness of security audits needs to be tailored to the situation. Instead, bug bounty programs provide better incentives, as they reward those who find bugs and would be a natural fit for cryptocurrencies since they have a built-in payment mechanism. White hat hackers can identify vulnerabilities and work with projects to fix them before a malicious “black hat” hacker can exploit them.

Bug bounty programs have become a crucial tool for identifying and fixing security threats across the internet. Typically, these programs are curated by project owners who want talented programmers to vet and review their code for vulnerabilities. In return, hackers are rewarded for identifying new vulnerabilities and for maintaining the upkeep and integrity of the network. In fact, historically, bug bounty hackers have identified and fixed security issues with open-source smart contract languages such as Solidity. Bug bounty campaigns have been around since the 1990s when there was a community of programmers working for free or for pennies to fix bugs during the development of the Netscape browser.

As Eloisa Marchesoni notes, “Companies benefited twice from bug bounty campaigns: in addition to the obvious security issues, the perception of their commitment to security also came by.” Bug bounty programs have also emerged across the Web3 ecosystem. For example, in 2021, Polygon launched a $2-million bug bounty program to eliminate potential security flaws on the audited network. Similarly, Avalanche Labs operates its own bug bounty program through the HackenProof bug bounty platform, which launched in 2021.

Are The Audits Helping?

Some blockchain projects have been accused by white hat hackers of downplaying the severity of security gaps they found and withholding compensation for bug bounty services. It’s important for projects to follow through on their promises to maintain incentives for hackers. However, there have also been cases of white hat hackers who were actually malicious actors in disguise. Recently, a team of hackers claimed they were not compensated for their bug bounty services to the Tendermint application layer and Avalanche.

Avalanche, on the other hand, is a blockchain platform that uses a consensus protocol called Avalanche-X. Avalanche-X is a variant of the Avalanche consensus algorithm that enables high transaction throughput and low latency. Avalanche launched its own bug bounty program in 2021 via the HackenProof bug bounty platform. The program is aimed at detecting and mitigating vulnerabilities on the Avalanche network, and rewards are paid out in AVAX, the native cryptocurrency of the Avalanche network. In February 2021, a group of white hat hackers discovered and reported a critical vulnerability in the Avalanche network that could have allowed an attacker to manipulate the network’s supply of AVAX tokens.

Avalanche quickly patched the vulnerability and paid out a bounty to the hackers who discovered it. However, in March 2021, a different group of hackers claimed that Avalanche had not compensated them for their bug bounty services, leading to accusations of gaslighting and withholding compensation. Avalanche denied the allegations and stated that the hackers had not followed the proper procedures for reporting vulnerabilities. The situation highlighted the need for clear communication and protocols between blockchain projects and bug bounty hunters.

In the DeFi space, protocols have sometimes allowed black hat hackers to turn “white hat” by returning some or most of the money, according to Finlow-Bates. This creates a problem for bug bounties, as it can be difficult to determine the motivations of those claiming to be white hats. Furthermore, some white hat hackers have accused blockchain projects of gaslighting community members and withholding bug bounty compensation. Projects, on the other hand, have found some white hat hackers to be black hats in disguise. Ongoing security testing is necessary to maintain the integrity and security of Web3, according to CertiK’s Brooks.

The Mango Markets and Wormhole Bridge hacks are two examples of the flaws in bug bounty programs. In the case of Mango Markets, a $116 million exploit resulted in only $65 million being returned, with the rest being taken as a so-called “bounty.” This has raised questions about the legality of such arrangements, with some likening them to extortion rather than legitimate bug bounties. Similarly, the Wormhole Bridge hack resulted in a $325 million loss, with a $10 million bounty being offered in a white hat-style agreement. However, the bounty was not large enough to attract the hacker to execute the agreement.

According to Finlow-Bates, bug bounties in the DeFi space have a severe problem, as various protocols have allowed black hat hackers to turn “white hat” if they return some or most of the money. This blurs the line between white and black hat activities. To address this, organizations must build in accountability and have clear instructions and rewards that are executed. Both bug bounties and audits are less profitable than exploits, which makes attracting white hat hackers in good faith a challenging task.

What Is The Solution?

It seems that there is no perfect solution for ensuring the security of blockchain protocols, and both security audits and bug bounties have their limitations. Some experts argue that relying solely on these strategies can be a way of outsourcing responsibility and avoiding the implementation of proper security practices from the outset. Maurício Magaldi suggests that blockchain projects could benefit from adopting enterprise-grade software development practices and meticulously planning and executing changes, as seen in the Ethereum Merge process. This could potentially give more confidence to the industry and reduce the risk of vulnerabilities and exploits. Ultimately, it seems that ongoing security testing and improvements are necessary to ensure the safety of blockchain networks.

Maurício Magaldi suggests that crypto projects should prioritize learning good security practices in the first place, rather than relying solely on security audits and bug bounty programs. He argues that outsourcing code security to external parties is not an enterprise practice and is not in line with the decentralized nature of the industry.

Instead, Magaldi suggests an alternative approach based on the process of the Ethereum Merge. This involves meticulously planning and executing every change, which gives the ecosystem more confidence in the infrastructure. DApp developers could adopt similar practices to move the industry forward. In summary, it is important for crypto projects to take responsibility for good security practices and not rely solely on external parties such as auditors and bug bounty programs. By following best practices and implementing a thorough and meticulous approach to changes, the industry can improve its security posture and build greater confidence in its infrastructure.

In the realm of cryptocurrency, cybersecurity is of utmost importance, and the Web3 community has learned some valuable lessons. Firstly, there is a need for greater transparency surrounding successes and failures in Web3 cybersecurity. Unfortunately, the audit industry often operates without transparency, leading to a dark subculture. To counter this, people should talk constructively about what works and what does not work. This will prevent reputational and regulatory blowback, as seen with Arthur Andersen and Enron. Secondly, bug bounty programs have been effective in the Web1 and Web2 landscapes for software, and Web3 projects must honor them to obtain legitimacy and reach consumers at scale.

However, credible commitments by projects to pay the white hat hackers are crucial. Thirdly, genuine collaborations among developers, researchers, consultancies, and institutions are necessary, which require a shared set of principles that unite the Web3 community. Examples of successful collaborations, such as Ethpector, demonstrate how researchers can provide practical tools and analysis for blockchains. Fourthly, regulators should work collaboratively with developers and entrepreneurs, rather than against them or independently of them. Regulators can provide guiding principles that developers of DeFi interfaces can account for, and ways to reward developers of good interfaces and punish poor interface designers.

Finally, DeFi projects should strive towards a middle-ground where users undergo some level of KYC/AML verification to prevent malicious actors from exploiting Web3 infrastructure. Although the DeFi community has opposed these requirements, every community requires some degree of structure, and there should be a process for ensuring unambiguously malicious users are not exploiting DeFi platforms. Building a thriving ecosystem and market for cybersecurity in the Web3 community requires good-faith efforts from every stakeholder. Decentralization is valuable in finance, and DeFi is recognized as having greater security benefits. However, more work needs to be done for DeFi to be accessible. With collaboration, transparency, and good-faith efforts, the Web3 community can achieve this goal.