{"id":48055,"date":"2023-04-06T15:49:43","date_gmt":"2023-04-06T15:49:43","guid":{"rendered":"http:\/\/egrowonline.com\/?p=48055"},"modified":"2023-04-06T15:49:43","modified_gmt":"2023-04-06T15:49:43","slug":"heres-how-to-fix-them-cointelegraph-magazine","status":"publish","type":"post","link":"http:\/\/egrowonline.com\/?p=48055","title":{"rendered":"Here\u2019s how to fix them \u2013 Cointelegraph Magazine"},"content":{"rendered":"<div>\n<p><strong>Blockchain exploits can be extremely costly: poorly designed smart contracts, decentralized apps and bridges are attacked time and time again.<\/strong><\/p>\n<p>For example, the Ronin Network suffered a $625-million breach in March 2022 when an attacker obtained enough validator private keys to sign fake withdrawals and transferred hundreds of millions of dollars out of the bridge. The Nomad Bridge suffered a $190-million breach in August of that year when attackers exploited a bug in the bridge\u2019s message-verification contract that let them withdraw funds they had never deposited.<\/p>\n<p>Such vulnerabilities in the underlying smart contract code, coupled with human error and lapses of judgment, create significant risks for Web3 users. But how can crypto projects take proactive steps to identify the issues before they are exploited?<\/p>\n<p>There are two main strategies. Web3 projects typically hire companies to audit their smart contract code and review the project to provide a stamp of approval.<\/p>\n<p>Another approach, often used in conjunction with the first, is to establish a bug bounty program that rewards benign hackers for using their skills to identify vulnerabilities before malicious hackers do.<\/p>\n<p>There are major issues with both approaches as they currently stand.\u00a0<\/p>\n<h2 id=\"h-web3-auditing-is-broken\"><strong>Web3 auditing is broken<\/strong><\/h2>\n<p>Audits, or external evaluations, tend to emerge in markets where risk can rapidly scale and create systemic harm. 
Whether it is a publicly traded company, sovereign debt or a smart contract, a single vulnerability can wreak havoc.<\/p>\n<p>But sadly, many audits \u2013 even when done by an external organization \u2013 are neither credible nor effective because the auditors are not truly independent. That is, their incentives may be aligned toward satisfying the client rather than delivering bad news.<\/p>\n<p>\u201cSecurity audits are time-consuming, expensive and, at best, result in an outcome that everything is fine. At worst, they can cause a project to reconsider its entire design, delaying the launch and market success. DeFi project managers are thus tempted to find another, more amenable auditing company that will sweep any concerns under the carpet and rubber-stamp the smart contracts,\u201d explains Keir Finlow-Bates, a blockchain researcher and Solidity developer.<\/p>\n<blockquote class=\"wp-block-quote\">\n<p>\u201cI have had first-hand experience with this pressure from clients: arguing with developers and project managers that their code or architecture is not up to scratch receives push-back, even when the weaknesses in the system are readily apparent.\u201d<\/p>\n<\/blockquote>\n<p>Principled behavior pays off in the long run, but in the short term, it can come at the cost of profitable clients who are eager to get to market with their new tokens.\u00a0<\/p>\n<p>\u201cI can\u2019t help noticing that lax auditing companies quickly build up a more significant presence in the auditing market due to their extensive roster of satisfied customers\u2026 satisfied, that is, until a hack occurs,\u201d Finlow-Bates continues.<\/p>\n<p>One of the leading companies in Web3 auditing, CertiK, provides \u201ctrust scores\u201d to the projects it evaluates. However, critics point out that it has given its stamp of approval to projects that failed spectacularly. For example, while CertiK was quick to share on Jan. 
4, 2022, that a rug pull had occurred on the BNB Smart Chain project Arbix, they \u201comitted that they had issued an audit to Arbix 46 days earlier,\u201d <a target=\"_blank\" href=\"https:\/\/medium.com\/@eloisa.marchesoni\/bounty-hunters-5cc9d049c957\" rel=\"nofollow noopener\">according<\/a> to Eloisa Marchesoni, a tokenomics specialist, on Medium.\u00a0<\/p>\n<p>But the most notable incident was CertiK\u2019s full-scope audit\u00a0of Terra, whose collapse in May 2022 dragged much of the crypto industry down with it. CertiK has since taken the audit report down, but bits and pieces of it remain online.\u00a0<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"400\" alt=\"Terra-Luna as envisaged by Cointelegraph\u2019s art department\" class=\"wp-image-17971\" src=\"https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2023\/04\/Terra-Luna-as-envisaged-by-Cointelegraphs-art-department.jpeg\" \/><figcaption 
class=\"wp-element-caption\"><em>Terra as envisaged by Cointelegraph\u2019s art department. They forgot to set the earth and moon on fire, however.<\/em><\/figcaption><\/figure>\n<h2><strong>Terra-fied<\/strong><\/h2>\n<p>Zhong Shao, co-founder of CertiK, <a target=\"_blank\" href=\"https:\/\/www.crypto-reporter.com\/press-releases\/certik-terra-9107\/\" rel=\"nofollow noopener\">said<\/a> in a 2019 press release:<\/p>\n<p>\u201cCertiK was highly impressed by Terra\u2019s clever and highly effective design of economy theory, especially the proper decoupling of controls for currency stabilization and predictable economic growth.\u201d<\/p>\n<p>He added, \u201cCertiK also found Terra\u2019s technical implementation to be of one of the highest qualities it has seen, demonstrating extremely principled engineering practices, mastery command of Cosmos SDK, as well as complete and informative documentations.\u201d\u00a0<\/p>\n<p>This certification played a major role in Terra\u2019s growing international recognition and its ability to attract investment. The recently arrested Do Kwon, co-founder of Terra, <a target=\"_blank\" href=\"https:\/\/www.crypto-reporter.com\/press-releases\/certik-terra-9107\/\" rel=\"nofollow noopener\">said<\/a> at the time:<\/p>\n<p>\u201cWe are pleased to receive a formal stamp of approval from CertiK, who is known within the industry for setting a very high bar for security and reliability. 
The thorough audit results shared by CertiK\u2019s team of experienced economists and engineers give us more confidence in our protocol, and we are excited to quickly roll out our first payment dApp with eCommerce partners in the coming weeks.\u201d<\/p>\n<p>For its part, CertiK argues its audit was comprehensive and that the collapse of Terra was not down to a critical security flaw but to human behavior.\u00a0Hugh Brooks, director of security operations at CertiK, tells Magazine:<\/p>\n<blockquote class=\"wp-block-quote\">\n<p>\u201cOur Terra audit did not come up with any findings that would be considered critical or major because critical security bugs that could lead a malicious actor to attack the protocol were not found. Nor did this happen in the Terra incident saga.\u201d<\/p>\n<\/blockquote>\n<p>\u201cAudits and code reviews or formal verification can\u2019t prevent actions by individuals with control or whales dumping tokens, which caused the first depeg and subsequent panicked actions.\u201d<\/p>\n<figure class=\"wp-block-image alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" alt=\"CertiK security scores\" class=\"wp-image-18013\" width=\"387\" height=\"743\" src=\"https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2023\/04\/Certik-security-scores.jpg\" \/><figcaption class=\"wp-element-caption\"><em>CertiK has just released its new security scores, which it says are independent of any commercial relationship. (CertiK)<\/em><\/figcaption><\/figure>\n<p>Giving a stamp of approval to something that later turned out to be rotten is not confined to the blockchain industry and has repeated itself throughout history, from Big Five accounting firm Arthur Andersen signing off on Enron\u2019s books (and later destroying parts of the evidence) to rating agency Moody\u2019s paying $864 million to settle claims over the overly optimistic bond ratings that fueled the housing bubble whose collapse in 2008 contributed to the Global Financial Crisis.<\/p>\n<p>The point is that Web3 audit companies face similar pressures in a much newer, faster-growing and less regulated industry. (In the past week, CertiK released its new \u201cSecurity Scores\u201d for 10,000 projects \u2014 see the image at right for details.)<\/p>\n<p>The aim here is not to throw CertiK under the bus \u2013 it is staffed with well-intentioned and skilled people \u2013 but rather to show that Web3 audits do not look at all of the risks to projects and users, and that the market may need structural reforms to align incentives.<\/p>\n<p>\u201cAudits only check the validity of a contract, but much of the risk is in the logic of the protocol design. Many exploits are not from broken contracts, but require review of the tokenomics, integration and red-teaming,\u201d says Eric Waisanen, tokenomics lead at Phi Labs.<\/p>\n<p>\u201cWhile audits are generally very helpful to have, they are unlikely to catch 100% of issues,\u201d says Jay Jog, co-founder of Sei Network. 
\u201cThe core responsibility is still on developers to employ good development practices to ensure strong security.\u201d<\/p>\n<p>Stylianos Kampakis, CEO of Tesseract Academy and a tokenomics expert, says projects should hire multiple auditors to ensure the best possible review.<\/p>\n<p>\u201cI think they probably do a good job overall, but I\u2019ve heard many horror stories of audits that missed significant bugs,\u201d he tells Cointelegraph. \u201cSo, it\u2019s not only down to the firm but also the actual people involved in the audit. That\u2019s why I wouldn\u2019t ever personally trust the security of a protocol to a single auditor.\u201d<\/p>\n<p>zkSync agrees on the need for multiple auditors and tells Magazine that before it launched its EVM-compatible zero-knowledge rollup, Era, on mainnet on March 24, the code went through seven audits by Secure3, OpenZeppelin, Halborn and a fourth auditor yet to be announced.<\/p>\n<h2><strong>White hat hackers and bug bounties<\/strong><\/h2>\n<p>Rainer B\u00f6hme, professor of security and privacy at the University of Innsbruck, <a target=\"_blank\" href=\"https:\/\/link.springer.com\/chapter\/10.1007\/978-3-642-32946-3_11\" rel=\"nofollow noopener\">wrote<\/a> that basic audits are \u201chardly ever useful, and in general, the thoroughness of security audits needs to be carefully tailored to the situation.\u201d\u00a0<\/p>\n<p>Bug bounty programs, by contrast, can provide better incentives. 
\u201cBug bounties offer an established way to reward those who find bugs\u2026 they would be a natural fit for cryptocurrencies, given they have a built-in payment mechanism,\u201d B\u00f6hme <a target=\"_blank\" href=\"https:\/\/cacm.acm.org\/magazines\/2020\/10\/247597-responsible-vulnerability-disclosure-in-cryptocurrencies\/abstract\" rel=\"nofollow noopener\">wrote<\/a> in a later paper.<\/p>\n<p>White hat hackers are those who use their skills to identify a vulnerability and work with the project to fix it before a malicious (\u201cblack hat\u201d) hacker can exploit it.\u00a0<\/p>\n<figure class=\"wp-block-image alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" alt=\"White hat hackers find the bugs before the black hat hackers do\" class=\"wp-image-17973\" width=\"423\" height=\"530\" src=\"https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2023\/04\/White-hat-hackers-find-the-bugs-before-the-black-hat-hackers-do.jpeg\" \/><figcaption class=\"wp-element-caption\"><em>White hat hackers find bugs before black hat hackers do. (Pexels)<\/em><\/figcaption><\/figure>\n<p>Bug bounty programs have become essential to discovering security flaws across the web. They are generally run by project owners who want talented programmers to vet their code for vulnerabilities, and they reward hackers for reporting new vulnerabilities so the project can fix them before they are exploited. Historically, bugs in open-source smart contract tooling such as the Solidity compiler have been found and fixed thanks to bug bounty hackers.<\/p>\n<p>\u201cThese campaigns began in the \u201890s: there was a vibrant community around the Netscape browser that worked for free or for pennies to fix bugs that were gradually appearing during development,\u201d <a target=\"_blank\" href=\"https:\/\/medium.com\/@eloisa.marchesoni\/bounty-hunters-5cc9d049c957\" rel=\"nofollow noopener\">wrote<\/a> Marchesoni.<\/p>\n<p>\u201cIt soon became clear that such work could not be done in idle time or as a hobby. Companies benefited twice from bug bounty campaigns: in addition to the obvious security issues, the perception of their commitment to security also came by.\u201d<\/p>\n<p>Bug bounty programs have emerged across the Web3 ecosystem. For example, Polygon launched a $2-million bug bounty program in 2021 to root out security flaws in its already audited network. Ava Labs, the company behind Avalanche, operates its own bug bounty program, launched in 2021, via the HackenProof bug bounty platform.<\/p>\n<p>However, there is often tension between how serious white hats believe the gaps they have found are and how seriously the projects take them.\u00a0<\/p>\n<p>White hat hackers have accused various blockchain projects of gaslighting community members and of withholding bug bounty compensation for white hat services. 
It should go without saying, but actually paying the rewards for legitimate findings is essential to keeping the incentive intact.<\/p>\n<p>A team of hackers <a target=\"_blank\" href=\"https:\/\/g.livejournal.com\/15852.html\" rel=\"nofollow noopener\">recently claimed<\/a> that it was not compensated for bugs it reported to Tendermint and Avalanche.<\/p>\n<p>On the other side of the fence, projects have found that some white hat hackers are really black hats in disguise.<\/p>\n<h2><strong>Tendermint, Avalanche and more<\/strong><\/h2>\n<p>Tendermint lets developers focus on higher-level application logic without having to deal directly with the underlying networking, consensus and cryptography. Tendermint Core is the engine that provides the peer-to-peer network and Byzantine fault-tolerant consensus, and the Application BlockChain Interface (ABCI) is the interface through which a blockchain application, such as a proof-of-stake (PoS) chain built with the Cosmos SDK, connects to Tendermint Core.<\/p>\n<p>In 2018, a <a target=\"_blank\" href=\"https:\/\/blog.cosmos.network\/bug-bounty-program-for-tendermint-cosmos-833c67693586\" rel=\"nofollow noopener\">bug bounty program<\/a> for the Tendermint and Cosmos communities was created. It was designed to reward community members for discovering vulnerabilities, with rewards based on factors such as \u201cimpact, risk, likelihood of exploitation, and report quality.\u201d\u00a0<\/p>\n<p>Last month, a team of researchers claimed to have found a serious Tendermint vulnerability: a remotely triggerable crash of a node\u2019s Remote Procedure Call (RPC) API that, because the code is shared, affected more than 70 blockchains. The group says the same shared code base could harbor over 100 further peer-to-peer and API vulnerabilities. Ten blockchains in the top 100 of CertiK\u2019s \u201cSecurity Leaderboard\u201d are based on Tendermint.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"320\" alt=\"Tendermint remote API crash from Padillac\u2019s desktop\" class=\"wp-image-17970\" src=\"https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2023\/04\/Tendermint-remote-API-crash-from-Padillacs-desktop.png\" \/><figcaption class=\"wp-element-caption\"><em>Tendermint remote API crash from Padillac\u2019s desktop. (Pad on YouTube)<\/em><\/figcaption><\/figure>\n<p>However, after going through the proper channels to claim the bounty, the group said it was not compensated. Instead, what followed was a string of back-and-forth exchanges, which some claim was a stalling tactic that let the Tendermint Core maintainers patch the bug without paying the bounty hunters their dues.\u00a0<\/p>\n<p>The bug, like others the group says it has documented, was a zero-day: a vulnerability that was unknown to, and unpatched by, the maintainers when it was found.<\/p>\n<p>\u201cThe specific Tendermint denial-of-service (DoS) attack is another unique blockchain attack vector, and its implications aren\u2019t yet fully clear, but we will be evaluating this potential vulnerability going forward, encouraging patches and discussing with current customers who may be vulnerable,\u201d said CertiK\u2019s Brooks.<\/p>\n<p>He said the job of security testing was never finished. \u201cMany see audits or bug bounties as a one-and-done scenario, but really, security testing needs to be ongoing in Web3 the same way it is in other traditional areas,\u201d he says.\u00a0<\/p>\n<h2><strong>Are they even white hats?<\/strong><\/h2>\n<p>Bug bounties that rely on white hats are far from perfect, given how easy it is for black hats to put on a disguise. 
Ad hoc arrangements for the return of stolen funds are a particularly problematic approach.<\/p>\n<p>\u201cBug bounties in the DeFi space have a severe problem, as over the years, various protocols have allowed black hat hackers to turn \u2018white hat\u2019 if they return some or most of the money,\u201d says Finlow-Bates.<\/p>\n<figure class=\"wp-block-image alignright size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" alt=\"White hat and black hat hackers sometimes play the same game\" class=\"wp-image-17972\" width=\"410\" height=\"567\" src=\"https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2023\/04\/White-hat-and-black-hat-hackers-sometimes-play-the-same-game.jpeg\" \/><figcaption class=\"wp-element-caption\"><em>White hat and black hat hackers sometimes play the same game. (Pexels)<\/em><\/figcaption><\/figure>\n<p>\u201cExtract a nine-figure sum, and you may end up with tens of millions of dollars in profit without any repercussions.\u201d\u00a0<\/p>\n<p>The Mango Markets hack in October 2022 is a perfect example: a $116-million exploit of which only $65 million was returned, with the rest kept as a so-called \u201cbounty.\u201d The legality of such arrangements is an open question. The person responsible has since been charged over the incident, which some have likened to extortion rather than a legitimate \u201cbounty.\u201d<\/p>\n<p>The Wormhole Bridge was similarly hacked for $325 million of crypto, and its developers offered the attacker a $10-million bounty under a white hat-style agreement. The attacker never took up the offer.<\/p>\n<p>\u201cCompare this to true white hat hackers and bug bounty programs, where a strict set of rules are in place, full documentation must be provided, and the legal language is threatening, then failure to follow the directions to the letter (even inadvertently) may result in legal action,\u201d Finlow-Bates elaborates.\u00a0<\/p>\n<p>Organizations that enlist the support of white hats must realize that not all of them are equally altruistic \u2013 some blur the lines between white and black hat activities \u2013 so building in accountability, giving clear instructions and actually paying the promised rewards all matter.\u00a0<\/p>\n<p>\u201cBoth bug bounties and audits are less profitable than exploits,\u201d Waisanen continues, remarking that attracting white hat hackers in good faith is not easy.<\/p>\n<h2><strong>Where do we go from here?<\/strong><\/h2>\n<p>Security audits are not always helpful, and their value depends crucially on their thoroughness and independence. Bug bounties can work, but equally, the \u201cwhite hat\u201d might just get greedy and keep the funds.\u00a0<\/p>\n<p>Are both strategies just a way of outsourcing responsibility for good security practices? Crypto projects may be better off learning how to do things the right way in the first place, argues Maur\u00edcio Magaldi, global strategy director for 11:FS.<\/p>\n<p>\u201cWeb3 BUIDLers are generally unfamiliar with enterprise-grade software development practices, which puts a number of them at risk, even if they have bug bounty programs and code audits,\u201d he says.\u00a0<\/p>\n<p>\u201cRelying on code audit to highlight issues in your application that aims to handle millions in transactions is a clear outsourcing of responsibility, and that is not an enterprise practice. The same is true for bug bounty programs. If you outsource your code security to external parties, even if you provide enough monetary incentive, you\u2019re giving away responsibility and power to parties whose incentives might be out of reach. 
This is <em>not<\/em> what decentralization is about,\u201d said Magaldi.<\/p>\n<p>An alternative is to follow the process that produced the Ethereum Merge.\u00a0<\/p>\n<p>\u201cMaybe because of the DAO hack back in the early days of Ethereum, now every single change is meticulously planned and executed, which gives the whole ecosystem a lot more confidence about the infrastructure. DApp developers could steal a page or two from that book to move the industry forward,\u201d Magaldi says.<\/p>\n<figure class=\"wp-block-image aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"600\" height=\"400\" alt=\"Rather than outsource your security, projects need to take full responsibility themselves\" class=\"wp-image-17969\" src=\"https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2023\/04\/Rather-than-outsource-your-security-projects-need-to-take-full-responsibility-themselves.jpeg\" \/><figcaption class=\"wp-element-caption\"><em>Rather than outsource their security, projects need to take full responsibility themselves. (Pexels)<\/em><\/figcaption><\/figure>\n<h2><strong>Five lessons for cybersecurity in crypto<\/strong><\/h2>\n<p>Let\u2019s take stock. Here are five broad lessons we can take away.<\/p>\n<p>First, we need more transparency around the successes and failures of Web3 cybersecurity. There is, unfortunately, a dark subculture that rarely sees the light of day, since the audit industry often operates without transparency. This can be countered by people talking \u2013 from a constructive point of view \u2013 about what works and what does not.\u00a0<\/p>\n<p>When Arthur Andersen failed to flag and correct fraudulent behavior by Enron, it suffered a reputational and regulatory blow from which it never recovered. If the Web3 community cannot at least meet those standards, its ideals are disingenuous.<\/p>\n<p>Second, Web3 projects must be committed to honoring their bug bounty programs if they want the broader community to gain legitimacy and reach consumers at scale. Bug bounty programs have been highly effective in the Web1 and Web2 software landscapes, but they require credible commitments by projects to pay the white hat hackers.<\/p>\n<p>Third, we need genuine collaborations among developers, researchers, consultancies and institutions. 
While profit motives may influence how much certain entities work together, there has to be a shared set of principles that unite the Web3 community \u2013 at least around decentralization and security \u2013 and lead to meaningful collaborations.<\/p>\n<p>There are already many examples; tools like Ethpector are illustrative because they showcase how researchers can provide not only careful analysis but also practical tools for blockchains.<\/p>\n<p>Fourth, regulators <a target=\"_blank\" href=\"https:\/\/cointelegraph.com\/news\/crypto-developers-should-work-with-the-sec-to-find-common-ground\" rel=\"nofollow noopener\">should work with<\/a>, rather than against or independently of, developers and entrepreneurs.<\/p>\n<p>\u201cRegulators should provide a set of guiding principles, which would need to be accounted for by developers of DeFi interfaces. Regulators need to think of ways to reward developers of good interfaces and punish designers of poor interfaces, which can be subject to hacking and expose the underlying DeFi services to costly attacks,\u201d says Agostino Capponi, director of the Columbia Center for Digital Finance and Technologies.<\/p>\n<p>By working collaboratively, regulators are not burdened with having to be subject matter experts on every emerging technology \u2013 they can leave that to the Web3 community and play to their own strength, which is building scalable processes.<\/p>\n<p>Fifth, and most controversially, DeFi projects should work toward a middle ground where users go through some level of KYC\/AML verification to ensure that malicious actors are not leveraging Web3 infrastructure for harmful purposes.<\/p>\n<p>Although the DeFi community has always opposed such requirements, a compromise is possible: every community requires some degree of structure, and there should be a process for ensuring that unambiguously malicious users are not exploiting DeFi platforms.<\/p>\n<p>Decentralization is valuable in finance. 
As we have seen once again with the collapse of the Silicon Valley Bank, centralized institutions are vulnerable, and failures create large ripple effects for society.\u00a0<\/p>\n<p><a target=\"_blank\" href=\"https:\/\/www.sciencedirect.com\/science\/article\/abs\/pii\/S092911992300007X\" rel=\"nofollow noopener\">My research<\/a> in the <em>Journal of Corporate Finance<\/em> also highlights how DeFi is recognized as having greater security benefits: Following a well-known data breach on the centralized exchange KuCoin, for example, transactions grew 14% more on decentralized exchanges, relative to centralized exchanges. But more work remains to be done for DeFi to be accessible.<\/p>\n<p>Ultimately, building a thriving ecosystem and market for cybersecurity in the Web3 community is going to require good-faith efforts from every stakeholder.\u00a0<\/p>\n<div class=\"author category_page\">\n<div class=\"author__img\">\n<img loading=\"lazy\" decoding=\"async\" alt=\"Christos A Makridis\" height=\"300\" width=\"300\" src=\"https:\/\/cointelegraph.com\/magazine\/wp-content\/uploads\/2022\/02\/Portrait_about_us_ChristosMakridis.jpg\" \/>\n<\/div>\n<div class=\"author__content\">\n<h2 class=\"author__name\">Christos Makridis<\/h2>\n<p>Christos A. Makridis is the Chief Technology Officer and Head of Research at Living Opera. He is also a research affiliate at Stanford University\u2019s Digital Economy Lab and Columbia Business School\u2019s Chazen Institute, and holds dual doctorates in economics and management science and engineering from Stanford University. 
Follow at @living_opera.<\/p>\n<\/div><\/div>\n<\/div>\n<p><a href=\"https:\/\/cointelegraph.com\/magazine\/defi-security-audits-bug-bounties-broken-heres-how-fix\/\">Source link<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Blockchain exploits can be extremely costly; with poorly designed smart contracts, decentralized apps and bridges are attacked time and time again. For example, the Ronin Network experienced a $625-million breach in March 2022 when a hacker was able to steal private keys to generate fake withdrawals and transferred hundreds of millions out. The Nomad Bridge [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":48056,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","enabled":false}}},"categories":[40],"tags":[68,7785,164,69],"class_list":["post-48055","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-market-analysis","tag-cointelegraph","tag-fix","tag-heres","tag-magazine"],"jetpack_publicize_connections":[],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"http:\/\/egrowonline.com\/wp-content\/uploads\/2023\/04\/magazine-Cyber-vulnerabilities-and-crypto-scaled.jpg","_links":{"self":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/48055","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/
v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=48055"}],"version-history":[{"count":1,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/48055\/revisions"}],"predecessor-version":[{"id":48057,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/posts\/48055\/revisions\/48057"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=\/wp\/v2\/media\/48056"}],"wp:attachment":[{"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=48055"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=48055"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/egrowonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=48055"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}