As attacks against popular DeFi (decentralized finance) protocols become more and more complex, the effectiveness of audits by large security companies has been verified – and some members of the DeFi community have already started to develop alternatives they have developed themselves.
“I think that after all the hacks we’ve had, we basically understand that two audits, three audits, don’t mean you are safe,” DeFi Italy co-founder Emiliano Bonassi said in an interview with Cointelegraph. “This does not mean that audits have no value right now, but they are not silver bullets.”
This new reality led Bonassi to found ReviewsDAO. A simple forum for connecting security professionals and projects looking for extra eyes. In the three days since its inception, ReviewsDAO has already attracted four volunteer reviewers (including Bonassi) and compared two reviewers to one project.
Skin in the game is one of the implicit rules of https://t.co/5y4MBhvNB7
Anon is legal and protected, but your face (virtual or not) is a sign of trust
I’m there and offer my time and face for reviews at https://t.co/CoVRSThymG
Don’t be shy, help the community! pic.twitter.com/uq0KtV2pCV
– Emiliano Bonassi | emiliano.eth (@emilianobonassi) February 15, 2021
Bonassi and ReviewsDAO are not alone either. Code 423n4 is another project that aims to start a security movement within the ecosystem using a playful, experimental twist on bug bounties. Likewise, Immunefi, another DeFi bounty platform that launched last December, is revamping its security disclosure model by pushing more than 10% of the funds at risk as a reward.
In particular, the Immunefi model has already made waves and successfully rewarded a whitehat with a reward of 1.5 million US dollars.
Three new projects that emerge in just two months, each with their own incentive model – an industry-wide effort that Stani Kulechov, founder of DeFi credit platform Aave, sees as key to the health and safety of the future space.
“Auditors are not here to ensure the security of a log, they are simply helping to identify something that the team itself was unaware of. Ultimately, it’s about peer review and we need to find incentives as a community to empower more security professionals in the room. “
“No silver balls”
Bonassi should be known to anyone who has kept up with the latest exploits. The Italian developer is one of around half a dozen white hat hackers who often come together after an attack to replicate the exploit and help projects close the security holes.
Ask any DeFi founder about Bonassi and his colleagues who have whitehats following the War Room exploit and they will be quick to sing their praises.
“The DeFi community is blessed to have whitehats like Samczsun and Emiliano. Your efforts […] not only makes the space safer, but also underlines the narrative that there are many people in our ecosystem who care about the success of the space, ”said Kulechov.
While the Whitehats’ responsiveness skills are widely recognized, ReviewsDAO is, in some ways, an attempt to decrease the frequency with which projects need them.
In Bonassi’s view, tensions between project requirements and auditing firms’ limited resources weaken the security of the defi area: auditors are always busy, but teams in the middle of the DeFi innovation race need to remain agile. While a project might want some small changes to be considered, often availability and cost require a larger job, leading to code chunking.
“Since they are not available, you usually prepare a bunch of things that you want to review and send them to them. The interaction is really based on snapshots and not on continuous collaboration, ”said Bonassi.
How can more frequent security reviews be enabled that better suit the needs of projects? Bonassi said he initially considered a Gitcoin grant for a Whitehat group as a solution, but ultimately found that such a model was overly centralized and not scalable. None of his colleagues had any insight into solving the problem either, so he opted for simplicity.
The definitive guide from our CEO @MitchellAmador on how scaling bug bounties increases the security of DeFi and smart contracts:
– Smart contracts are difficult to protect
– Bug bounties are incentive game changers
– Scaling bug bounties protects the community. Http://t.co/szvOn2JQu7
– Immunefi (@immunefi) February 18, 2021 “If you have no idea, start with the basics: start a forum, say a ‘market’, where people can ask for reviews, large or small, and bid too their expertise. “
Bonassi notes that he does not want to completely replace auditing and accounting firms, but rather envisions the DAO as one that can help younger projects better prepare for an audit by offering “continuous review” and “liquid auditing”.
It’s a model that, according to security expert Maurelian of OptimismPBC, leaves room for large accounting firms while recognizing that there must be other security solutions.
“IMO, there is real value to an exam by a highly skilled company and nothing else really serves as an ‘alternative,’ but I also think there is a problem of over-reliance on exams to provide security,” he said .
Bonassi also believes that ReviewsDAO could at some point become a kind of exam university, where professionals can branch into other areas and young developers can grow into full-fledged examiners – taking stock and strengthening developer resources in DeFi.
“It is also my goal to depict people and projects. A transparent place where people can share information helps us understand how many people who are basically good enough for security reasons are in the ecosystem. “
Skin in the game
Bonassi says there are currently no plans for monetization or a ReviewsDAO token.
“I think initiatives like these should be commons,” he argues.
These efforts to avoid capital incentives are more than idealism. These new audit projects arise because the current model is not entirely sustainable, says Bonassi – a model that is “transactional,” meaning that auditors don’t have as much skin in the game as a more committed partner. As a result, the entire DeFi landscape suffers (one that auditors were supposed to be securing).
“You are not a relationship. It’s not a partnership, ”says Bonassi.
Nevertheless, even public goods often have public funds, and it is an open question whether developers – who are often overworked at the beginning – are willing to donate time, as Andre Cronje calls the “Emiliano Bonassi tariff”: for no other reward than that Recognition.
Bonsai notes that several great founders of the DeFi Protocol have offered grants that were previously declined. He is adamant to see if developers are willing to give back to the space that is often given so much, even when other, potentially lucrative options are available.
“What we really need in this ecosystem is more people working on it – let’s say someone may hate me, but fewer forks if they don’t add value […] I don’t want to end up in the ICO era. I don’t want to go back to 2017. ”
THE INTRO POST.
If you want to get involved, join the discord and tell me how you would like to get involved.https: //t.co/7AZSlMDKS9https: //t.co/3YyPmKqs6I
– Code 423n4 (@ code423n4) February 15, 2021
The first results are promising. Cover / Insurance Protocol Cover was the first project that was compared with an expert via ReviewsDAO.
“It was great,” says Pumpkin, a core developer for Cover Protocol and Ruler Protocol. “I was one of the few Emiliano had shared the idea with just before it was released. I immediately loved it as this is what I was looking for (to get external code reviews and easier and faster) […] Not sure what will come of the review, but the forum is definitely working as intended. “
Maurelian also believes that there is hope for the perhaps idealistic model – and that it may be more transactional than it blushes at first glance.
“You get what you give. Taking part in a project like this is probably a good idea if you have your long-term plans to be in space,” he said.
While some developers donate time to falsify future favors, Emiliano remains determined to pursue his vision that ecosystem conservation efforts should come from a place of altruism and love.
“That is the ideal that we should be promoting. And since we have a lot of money and this industry has a lot of money, you shouldn’t need a bounty, you should because you love this industry. This is a call to all people who want to expand the ecosystem. “
