Here’s how to fix them – Cointelegraph Magazine

Blockchain exploits can be extremely costly: poorly designed smart contracts, decentralized apps and bridges are attacked time and time again.

For example, the Ronin Network experienced a $625-million breach in March 2022 when a hacker stole private keys, generated fake withdrawals and transferred hundreds of millions out. The Nomad Bridge experienced a $190-million breach later that year, in August, when hackers exploited a bug in the protocol that allowed them to withdraw more funds than they had deposited.

These vulnerabilities in the underlying smart contract code, coupled with human error and lapses of judgment, create significant risks for Web3 users. But how can crypto projects take proactive steps to identify the issues before they happen?

There are a couple of major strategies. Web3 projects typically hire companies to audit their smart contract code and review the project to provide a stamp of approval.

Another approach, which is often used in conjunction, is to establish a bug bounty program that provides incentives for benign hackers to use their skills to identify vulnerabilities before malicious hackers do.

There are major issues with both approaches as they currently stand.

Web3 auditing is broken

Audits, or external evaluations, tend to emerge in markets where risk can rapidly scale and create systemic harm. Whether a publicly traded company, sovereign debt or a smart contract, a single vulnerability can wreak havoc.

But sadly, many audits – even when done by an external organization – are neither credible nor effective because the auditors are not truly independent. That is, their incentives might be aligned toward satisfying the client over delivering bad news.

“Security audits are time-consuming, expensive and, at best, result in an outcome that everything is fine. At worst, they can cause a project to reconsider its entire design, delaying the launch and market success. DeFi project managers are thus tempted to find another, more amenable auditing company that will sweep any concerns under the carpet and rubber-stamp the smart contracts,” explains Keir Finlow-Bates, a blockchain researcher and Solidity developer.

“I have had first-hand experience with this pressure from clients: arguing with developers and project managers that their code or architecture is not up to scratch receives push-back, even when the weaknesses in the system are readily…
