As faith in audits falters, the DeFi community weighs in on security alternatives

As attacks against popular decentralized finance (DeFi) protocols become increasingly complex, the effectiveness of audits by major security companies has in turn come into question, and some members of the DeFi community have already started to build alternatives on their own.

“I think right now, after all the hacks we’ve had, we basically understand that if you have two audits, three audits, it doesn’t mean you’re safe,” said DeFi Italia co-founder Emiliano Bonassi in an interview with Cointelegraph. “This does not mean that audits are of no value at the moment, but they are not a solution.”

This new reality is what pushed Bonassi to create ReviewsDAO, a simple forum to connect security experts with projects looking for an additional set of eyes. In the three days since its launch, ReviewsDAO has already attracted four volunteer auditors (including Bonassi) and has paired two auditors with a project.

Bonassi and ReviewsDAO are not alone in their crusade either. Code 423n4 is another project that aims to launch a security movement within the ecosystem, taking an experimental, gamified approach to bug bounties. Similarly, Immunefi, another DeFi bounty platform that launched in December last year, is overhauling the security disclosure model by proposing rewards of more than 10% of the funds at risk.

Immunefi’s model, in particular, has already caused a stir, having awarded a USD 1.5 million bounty to a white hat hacker.

Three new projects emerging in just two months, each with its own incentive model: it is an industry-wide effort that Stani Kulechov, founder of the DeFi lending platform Aave, believes will be key to the health and safety of the space going forward.

“The auditors are not there to guarantee the security of a protocol, they simply help to detect something that the team itself was not aware of. Ultimately it is a peer review and we have to find incentives as a community to empower more experts in safety in this space.”

“There are no silver bullets”

Bonassi should be a household name to anyone who has kept up with the recent spate of exploits. The Italian developer is one of the half-dozen white hat hackers who meet frequently after an attack to try to replicate the exploit and help projects patch these vulnerabilities.

Ask any DeFi founder about Bonassi and his “war room” white hat buddies after an exploit, and they’ll be quick to show their respect.

“The DeFi community is fortunate to have white hats like Samczsun and Emiliano. Their efforts […] make the space not only safer, but also show that there are many people within our ecosystem who care about the success of the space,” Kulechov said.

While the responsiveness of white hats is highly appreciated, ReviewsDAO is in a way an effort to reduce how often projects need them.

In Bonassi’s view, the tension between project needs and auditing firms’ limited resources is undermining the security of the overall DeFi space: auditors are always busy, but teams in the midst of DeFi innovation need to remain agile. While a project may want an audit on a few small changes, availability and costs often require a larger order, so code gets batched up for review.

“Since they’re not available, you usually prepare a bunch of things that you want to have reviewed and send them to them. The interaction is really, let’s say, ‘instant’, rather than having ongoing collaboration,” Bonassi said.

So how do you enable more frequent security reviews that better respond to project needs? Bonassi says he initially considered a Gitcoin grant for a group of white hats as a solution, but ultimately determined that such a model would be too centralized and unable to scale. None of his white hat colleagues had any idea how to solve the problem, so he opted for the simplest approach.

“If you don’t have any ideas, start with the basics: open a forum, say a ‘marketplace,’ where people can ask for reviews large or small, and can also offer their expertise.”

The DAO is not intended to completely replace audits and auditing firms, Bonassi notes; instead, he envisions that it can help newer projects better prepare for an audit by providing a “continuous review” and a “liquid audit.”

Maurelian, a security expert at OptimismPBC, believes the model leaves room for large auditing companies, but also recognizes that other security solutions must exist.

“In my opinion there is real value in an audit done by a high quality company, and nothing else really serves as an ‘alternative’, but I also think there is an issue of over-reliance on audits to provide assurance,” he said.

Bonassi also believes that ReviewsDAO could end up becoming a kind of “University” where people with specialized knowledge can branch out into other areas and young developers can become full-fledged auditors, balancing and strengthening development resources across the DeFi ecosystem.

“My goal is also to guide people and projects: to have a transparent place where people can exchange information, to help us understand how many people, who they are, basically, from a good enough security perspective, are present in the ecosystem.”

Skin in the game

While it responds to a clear market need, Bonassi says there are no current plans for monetization or a ReviewsDAO token.

“I believe that initiatives like this should be community assets,” he argues.

This effort to avoid capital incentives is more than just idealism. These new audit projects arise because the current model is not fully sustainable, says Bonassi: it is a “transactional” model, meaning that auditors do not have the same involvement as a more committed partner. The upshot is that the entire DeFi landscape (which auditors should guard) is suffering.

“It is not a relationship. It is not a partnership,” says Bonassi.

However, even a public good is often publicly funded, and it is an open question whether developers (who are often overworked to begin with) will be willing to donate time to what Andre Cronje calls the “Emiliano Bonassi tax,” with no reward other than recognition.

Bonassi notes that several founders of major DeFi protocols have offered grants, which have so far been declined. It remains to be seen whether developers are willing to give something back to the space that has often given them so much, even when other, potentially more lucrative, options are available.

“What we really need in this ecosystem is more people working in it, let’s say, someone may hate me but, less forks if they are not adding value […] I don’t want to end up in the ICO era. I don’t want to go back to 2017.”

The first results of the effort are promising. Cover Protocol was the first project to be paired with an auditor through ReviewsDAO.

“It was great,” says Pumpkin, a lead developer of Cover Protocol and Ruler Protocol. “I was one of the few that Emiliano shared the idea with just before launch. I loved it right away as it is what I have been looking for (getting external code reviews, easier and faster) […] I’m not sure what will come out of the review, but the forum is certainly working well as intended.”

Maurelian also believes that there is hope for the perhaps idealistic model, and that it may be more transactional than it appears at first glance.

“You get what you give. So participating in a project like this is probably a good idea if you plan to be in the space for the long term,” he said.

Although some developers donate their time in the hope of future favors, Emiliano remains firm in his vision that efforts to secure the ecosystem must come from a place of altruism and love.

“That is the ideal that we should promote. And since we have a lot of money, and this industry has a lot of money, you are not supposed to need rewards, you are supposed to do it because you love this industry. This is a call to all the people who want to grow the ecosystem.”

