Original author: Haotian (Twitter: @tmel0211), blockchain security practitioner
This article was first published in October 2022. Today, the zkSync ecological DEX Merlin ran out of Liquidity, and hackers stole 1.82 million US dollars of funds. Later, some readers discovered that this Merlin had just completed the audit conducted by CertiK before going online. Although CertiK pointed out in the report that there was a centralization problem in the Merlin project, it still failed to avoid security problems and eventually lost funds.
So why are projects that pass the audit still attacked, rugged, or have various vulnerabilities? Haotian (@tmel0211), a practitioner in the field of blockchain security, answers some audit-related questions in this article.
At the end of the year, security incidents followed one after another. Hackers probably feared that the market would run out of money, so they first claimed the year-end bonus in units of 100 million. Someone has to ask, the attacked projects like Rabby, TempleDAO, and Mango have all been audited for security, why are they still attacked? Some people even use this to criticize the meaninglessness of security audits. As practitioners in the blockchain security industry for many years, let me simply say a few words:
1. All judges have to adjust their expectations first. Safety audit is indispensable, but it is impossible to settle once and for all after the audit. Attacks and fortifications are not of the same order of magnitude. When we look at the audit report of security companies, we will find that almost every project can find 1 serious vulnerability, 2-4 high-risk vulnerabilities, and several medium and low-level vulnerabilities. Can you say that these vulnerability discoveries are meaningless? Yes, but more to reduce security risks!
2. Some people will say after the Dongchuang incident, the loophole is so simple, why was it not discovered? This issue is very complicated. Security audits are based on existing tools and experience to conduct logical reviews, eliminate code defects, and troubleshoot routine vulnerabilities such as overflow, replay, and signature verification. However, what is difficult for protocols such as defi is not the code, but the complex financial business logic, such as process control, external combination nesting, market manipulation, etc., which are beyond the business scope of security companies.
3. There are all kinds of combinations in the blockchain ecology, open source + non-open source, audited projects + non-audited projects, off-chain validator + on-chain execution, etc. The audits of many projects for security companies are only modularized, such as auditing open source What about the part that is not open source? Does the off-chain process affect the execution on the chain, or the market is manipulated due to the depth of market transactions? If something goes wrong, it is impossible to blame the security company for everything.
4. The frightening thing is that many project parties do not seek security audits for pure purposes. They just hope to get a so-called "safety endorsement". If they do projects with this mentality, their investment in their own security defenses can be imagined. Know. When something goes wrong, it is another innocent face that I have audited with xx head security company. How much does the project itself invest in security defense + reinforcement + emergency response? I think this is the root cause of frequent security incidents;
5. In fact, the biggest threat to the industry ecology is not all hacker attacks, but more "man-made disasters" caused by weak security awareness. For example, once some projects are attacked, there will be rug news, and we are familiar with phishing scams, etc. , There is no way to count these at all. What if a series of security losses such as man-made rugs, phishing, cyber extortion, and fund fraud are all counted? Its security threats are no less than hackers;
6. In my opinion, the security issues in the encryption industry have a long way to go. Our expected ecology is that the project's own security protection + third-party security audit prevention assistance + everyone has security awareness. The industry has fundamentally become safer". But in fact, the security company is not the identity of the security builder at all. The security company can be a repairman, repairing bridges when bridges collapse, and repairing broken roads. The security ecology needs to be guarded by every participant.
