Security audit services are a systematic project. Any change in how contracts are combined, a contract upgrade, and so on may render the original audit work "meaningless."
Original author: @tmel0211
Original source: X
Note: The original text comes from a Twitter thread posted by @tmel0211.
You may have noticed that some security teams such as OpenZeppelin and Safe jointly launched the ERC-7512 standard, which introduces a way to represent audit reports on-chain and provides a unified interface for on-chain calls, aiming to improve the overall security of the blockchain industry. How should this be interpreted?
In my opinion, what the security industry lacks is not transparent reporting but standardized audit processes and a consensus on business rights and responsibilities. To put it simply:
1) My initial impression is that only some security companies are participating, such as OpenZeppelin and Safe; the well-known domestic security companies SlowMist, BlockSec, CertiK, PeckShield and others have not stated a position. After a brief chat with several senior people in the security industry, they all said that there is currently no unified consensus on advancing this, and they will wait and see.
2) Storing the audit report on-chain in a unified format, compared with the current practice of storing it on GitHub, may only add tamper-resistance, and that requirement is not pressing. The reports issued by audit companies are usually bound by the legal terms of the engagement contract; they are unlikely to be maliciously tampered with, and there is no need to do so.
3) I think the purpose of this standard is to guide security companies to output audit report content on-chain in a unified, standardized format, mainly so that third-party companies can later build plug-in analysis and other services on top of it (parsability). The overall aim is to increase the exposure of the audit report across scenarios through the transparent form of contract calls. For example, a plug-in could automatically parse the security audit report when a user checks a contract on Etherscan, and the report's visual content could likewise be integrated into transaction front-ends such as Uniswap. However, the content of audit reports usually lags: when users are using the product, there is little point in checking a list of problems that have already been solved. Moreover, if a project is shown to have many problems, that will to some extent affect users' willingness to interact.
4) Overall, it is a meaningful attempt. Taking this as a starting point, we can gradually explore a security audit exposure path of audit report -> third-party analysis call -> plug-in front-end display. Ideally this would yield an effective "accountability" system; once many projects and many security companies are involved and it reaches a certain degree of adoption, it will effectively improve the current chaos in the audit industry.
In short, security audit services are a systematic project. Any change in how contracts are combined, a contract upgrade, and so on may render the original audit work "meaningless."
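The two points above (an on-chain hash only buys tamper-evidence for the report, and an upgrade or redeploy silently makes an audit stale) are what a consumer-side plug-in would actually have to check. The following is an added example, not code from the original thread or from ERC-7512 itself; the record layout, the sha256 hash choice and the `audited_codehash` field are assumptions, with the real standard's struct and signature scheme left out.

```python
import hashlib
from dataclasses import dataclass

# Constructed, simplified audit record. The field layout is an assumption for
# this example, not the ERC-7512 struct; a real consumer would read it from chain.
@dataclass(frozen=True)
class AuditRecord:
    auditor: str
    chain_id: int
    deployment: str          # audited contract address
    issued_at: int           # unix timestamp of the audit
    ercs: tuple              # standards the auditor claims the contract follows
    audit_hash: str          # sha256 of the published report bytes (assumed hash choice)
    audited_codehash: str    # sha256 of runtime bytecode at audit time (assumed field)

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_audit(record: AuditRecord, report: bytes, live_codehash: str,
                live_chain_id: int, max_age_days: int = 180, now: int = 0) -> list:
    """Return the findings a front-end plug-in would surface to the user.
    An empty list means the report is authentic and still describes the live code."""
    findings = []
    if sha256_hex(report) != record.audit_hash:
        findings.append("TAMPERED: report bytes do not match the on-chain hash")
    if live_chain_id != record.chain_id:
        findings.append("WRONG_CHAIN: record is for chain %d" % record.chain_id)
    if live_codehash != record.audited_codehash:
        # Upgrade or redeploy: the audit no longer speaks for the running code.
        findings.append("STALE: deployed code changed since the audit")
    if now and now - record.issued_at > max_age_days * 86400:
        findings.append("OLD: audit is older than %d days" % max_age_days)
    return findings

# Constructed sample data (stand-ins, not real report or bytecode).
REPORT_V1 = b"Audit of Vault v1: 2 medium findings, both fixed before release."
CODE_V1 = b"\x60\x80\x60\x40\x52"   # bytecode at audit time
CODE_V2 = CODE_V1 + b"\x00"         # bytecode after an upgrade
RECORD = AuditRecord(
    auditor="Example Audit Co.", chain_id=1, deployment="0x" + "ab" * 20,
    issued_at=1_700_000_000, ercs=(20, 7512),
    audit_hash=sha256_hex(REPORT_V1), audited_codehash=sha256_hex(CODE_V1))

if __name__ == "__main__":
    print(check_audit(RECORD, REPORT_V1, sha256_hex(CODE_V1), 1, now=1_700_000_000 + 86400))
    print(check_audit(RECORD, REPORT_V1 + b" (edited)", sha256_hex(CODE_V2), 1))
```

In real use `live_codehash` would come from hashing the `eth_getCode` result for `record.deployment`, which is exactly the check that turns a one-time report into something a front-end can keep trusting or stop trusting.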
In essence, a security audit is a third-party security company using its expertise to help the project team find problems before launch, handle emergencies during operation, and supplement that with other tools and services to improve the project's security. But it is, after all, an "outsourced" service, not a lifetime all-inclusive, worry-free guarantee.
We cannot rely solely on security companies to identify more security risks. The market should pay attention to security audits, but it cannot over-rely on them; in particular, if audits are introduced to the market as an endorsement, the whole thing changes flavor.