As attacks against DeFi protocols become more sophisticated than ever, the effectiveness of audits from major security firms is in turn coming under scrutiny – and some members of the DeFi community have already begun to build grassroots alternatives.
“I think now, after all the hacks we’ve had, we basically understand that if you have two audits, and three audits, it doesn’t mean you’re safe,” said Emiliano Bonassi, co-founder of DeFi Italy, in an interview with Cointelegraph. “This does not mean that audits have no value at this moment, but they are not silver bullets.”
This new reality is what prompted Bonassi to form ReviewsDAO, a simple forum connecting security experts with projects looking for an additional set of eyes. In the three days since its launch, ReviewsDAO has already attracted four volunteer reviewers (including Bonassi) and has matched two reviewers with a project.
“Skin in the game is one of the implicit rules of https://t.co/5y4MBhvNB7
Anon is allowed and protected, but putting your face down (by default or not) is a sign of confidence.
I am here, and I am showing my time and face to the reviews https://t.co/CoVRSThymG
Don’t be shy, help the community!”
– Emiliano Bonassi (@emilianobonassi) February 15, 2021
Bonassi and ReviewsDAO are not alone, either. Code 423n4 is another project that aims to spur a security movement within the ecosystem, experimenting with a development model built around bug bounties. Likewise, Immunefi, a DeFi bug bounty platform launched in December last year, is reshaping security disclosure by paying out upwards of 10% of the funds at risk as a reward.
Immunefi’s model in particular has already made waves, having facilitated a $1.5 million white-hat bounty.
Three new projects have emerged in just two months, each with its own incentive model – an industry-wide effort that Stani Kulechov, founder of DeFi lending platform Aave, believes will be key to the health and security of the space going forward.
“Auditors are not here to ensure the security of the protocol; they are just helping to discover something that the team itself was not aware of. Ultimately, it is about peer review, and we need to create community incentives to enable more security experts in the space.”
‘No silver bullet’
Bonassi should be a household name to anyone who has kept up with the recent run of exploits. The Italian developer is one of a half-dozen or so white-hat hackers who frequently assemble in the wake of an attack to replicate the exploit and help projects fix the vulnerabilities.
Just ask any DeFi founder about Bonassi and his fellow white hats’ post-exploit “war room”, and they’ll be quick to sing their praises.
“The DeFi community is blessed with having white hats like samczsun and Emiliano. Their efforts […] not only make the space safer, but also highlight the narrative that there are a lot of people within our ecosystem who care about the success of the space,” Kulechov said.
While the white hats’ incident-response skills are widely appreciated, ReviewsDAO is in some ways an attempt to reduce how often projects end up needing them.
In Bonassi’s view, the tension between what projects need and the limited resources of audit firms is drastically undermining the security of the DeFi space: auditors are always busy, while teams in the midst of the DeFi innovation race must keep moving fast. A project may only need a review of some small changes, but availability and cost often force it to bundle them into a larger request, resulting in the “batching” of code for review.
“Since they are not available, you usually batch up a bunch of things you want to review and ship them to them. The interaction is really, let’s say, ‘snapshot-based’,” rather than an ongoing collaboration, Bonassi said.
So how can more iterative security reviews be enabled that better meet the needs of projects? Bonassi says he initially viewed a Gitcoin grant for a white-hat collective as a solution, but ultimately decided that such a model would be too centralized and would not scale. None of his white-hat colleagues had insight into how to solve the problem, so he chose simplicity.
“The Ultimate Guide on How to Scale Bug Bounties to Boost DeFi and Smart Contract Security, from our CEO:
– Smart contracts are difficult to secure
– Bug bounties change the incentives
– Scaling bug bounties will protect the community https://t.co/szvOn2JQu7”
– Immunefi (@immunefi) February 18, 2021
“If you don’t have any kind of idea, start from the basics: start a forum, let’s say a ‘marketplace’, where people can request reviews, big or small, as well as offer their expertise.”
Bonassi notes that ReviewsDAO is not intended to completely replace audits and audit firms; instead, he envisions the DAO helping smaller teams better prepare for audits by providing “ongoing review” and “liquid audit”.
It’s a model that security expert Morellian at OptimismPBC believes leaves room for major audit firms, while also acknowledging the need for other security solutions.
“There is real value to being audited by a quality company, and nothing else really serves as a ‘substitute’, but I also think there is a problem with over-reliance on audits to provide security,” he said.
Bonassi also believes ReviewsDAO could eventually become a kind of auditing “university”, where people with specialized knowledge can branch out into other areas and junior developers can grow into full auditors – both by reviewing code and by building up developer resources across DeFi.
“My goal is also to identify people and projects – to have a transparent place where people can share information, and to help us understand how many people in the ecosystem, mainly from a security perspective, are good enough.”
‘Skin in the game’
While it fills an apparent market need, Bonassi says there are no current plans for monetization or a ReviewsDAO token.
“I think such initiatives should be a public good,” he argues.
This effort to avoid capital incentives is more than mere idealism. These new review projects are emerging because the current model is not fully sustainable, says Bonassi: it is a “transactional” model, meaning that auditors lack the skin in the game that a more engaged partner would have. As a result, the entire DeFi scene (which auditors are ostensibly meant to secure) suffers.
“It’s not a relationship,” Bonassi says. “It’s not a partnership.”
Even public goods, however, often require public funding, and it is an open question whether developers – who are often overworked to begin with – are willing to donate time at what Andre Cronje calls the “Emiliano Bonassi rate”: no bounty, just recognition.
Bonassi notes that several founders of major DeFi protocols have offered grants, which he has so far declined. He is determined to see whether developers are willing to give back to the space that has often given them so much, even when other, more profitable options are available.
“What we really need in this ecosystem is more people working on it – let’s say, someone might hate me, but fewer might hate me if they didn’t add value. […] I don’t want to end up in the ICO era. I don’t want to go back to 2017.”
“If you want to participate, join the Discord and tell me how you want to participate. https://t.co/7AZSlMDKS9 https://t.co/3YyPmKqs6I”
– Code 423n4 (@code423n4) February 15, 2021
Early returns on the effort are promising. The coverage/insurance protocol Cover was the first project to be matched with a reviewer via ReviewsDAO.
“It was amazing,” says Pumpkin, one of the lead developers of Cover and the Ruler Protocol. “I was one of the few Emiliano shared the idea with right before the release. I immediately liked it because it was what I was looking for (to get external code reviews more easily and quickly) […] I’m not sure what will come out of the review, but the forum is definitely working as intended.”
Morellian also believes that there is hope in the ideal – and that it may be more transactional than it appears at first glance.
“You reap what you sow. So participating in a project like this might be a good idea if you plan to be in the space for the long term.”
Even if some developers donate time in expectation of future favors in return, Emiliano remains firm in his view that efforts to secure the ecosystem must come from a place of altruism and love.
“This is the ideal that we should pay for. And since we have a lot of money, and this industry has a lot of money, it shouldn’t need bounties; you are supposed to do it because you love this industry. This is a call to all of the people who want to grow the ecosystem.”