Can new code review models solve DeFi’s audit problem?
As the attacks launched against popular decentralized finance (DeFi) protocols grow ever more complex, the efficacy of audits from major security companies has in turn come under scrutiny — and some members of the DeFi community have already begun building homegrown alternatives.
“I think that now, after all the hacks we’ve had, we basically understand that if you have two audits, three audits, it doesn’t mean you’re safe,” said the co-founder of DeFi Italy Emiliano Bonassi in an interview with Cointelegraph. “This does not mean that audits have no value in this moment, but they are not silver bullets.”
This new reality is what pushed Bonassi to form ReviewsDAO, a simple forum for connecting security experts with projects looking for an extra set of eyes. In the three days since its launch, ReviewsDAO has already attracted four volunteer reviewers (including Bonassi) and has matched two reviewers with a project.
Skin in the game is one of the implicit rules of https://t.co/5y4MBhvNB7
Anon is allowed and protected, but putting your face (virtual or not) is a sign of trust
I am in, offering my time and my face for reviews https://t.co/CoVRSThymG
Don’t be shy, help the community! pic.twitter.com/uq0KtV2pCV
— Emiliano Bonassi | emiliano.eth (@emilianobonassi) February 15, 2021
Bonassi and ReviewsDAO aren’t alone, either. Code 423n4 is another project aiming to jumpstart a security movement within the ecosystem, leveraging a gamified, experimental twist on bug bounties. Likewise, Immunefi, another DeFi bounty platform that launched in December last year, is overhauling the security disclosure model by pushing for upwards of 10% of the vulnerable funds as a reward.
Immunefi’s model in particular has already made waves, successfully netting a whitehat a $1.5 million reward.
Three new projects emerging in just two months, each with its own incentive model — it’s an industry-wide effort that Stani Kulechov, the founder of DeFi lending platform Aave, believes will be key to the health and security of the space moving forward.
“Auditors are not here to guarantee the security of a protocol, merely they help to spot something that the team itself wasn’t aware of. Eventually it’s about peer review and we need to find as a community incentives to empower more security experts into the space.”
“No silver bullets”
Bonassi should be a familiar name to anyone who has kept up with the recent spate of exploits. The Italian developer is one of the half-dozen or so white-hat hackers who frequently convene in the wake of an attack in an effort to replicate the exploit and help projects patch the vulnerabilities.
Ask just about any DeFi founder about Bonassi and his fellow post-exploit “war room” whitehats, and they’ll be quick to sing their praises.
“The DeFi community is blessed to have whitehats such as Samczsun and Emiliano. Their efforts […] make the space not only more secure but also highlight the narrative that there are a lot of people within our ecosystem who care for the success of the space,” said Kulechov.
While the whitehats’ response skills are widely appreciated, ReviewsDAO is in some ways an effort to cut back the frequency with which projects need them.
In Bonassi’s view, tension between the needs of projects and the limited resources of auditing firms is weakening the security of the DeFi space writ large: auditors are always busy, but teams in the thick of the DeFi innovation race need to remain agile. While a project might want an audit on a few small changes, availability and costs often necessitate a larger order, leading to code “chunking.”
“Since they are not available, you usually prepare a bunch of stuff you want reviewed and ship it to them. The interaction is really, let’s say ‘snapshot-based,’ rather than having a continuous collaboration,” said Bonassi.
So, how to enable more frequent security reviews that better meet the needs of projects? Bonassi says he initially considered a Gitcoin grant for a whitehat group as a solution, but ultimately determined that such a model would be overly centralized and wouldn’t be able to scale. None of his whitehat peers had insight on how to solve the problem, either, so he opted for simplicity.
The definitive guide on how scaling bug bounties will boost DeFi and smart contract security, from our CEO @MitchellAmador:
– Smart contracts are hard to protect
– Bug bounties are incentive game changers
– Scaling bug bounties will protect the community https://t.co/szvOn2JQu7
— Immunefi (@immunefi) February 18, 2021
“If you don’t have any sort of idea, start from the basics: start a forum, let’s say a ‘market,’ where people can ask for reviews big or little, and also offer their expertise.”
He’s not aiming to replace audits and auditing companies entirely, Bonassi notes, and instead envisions the DAO as one that can help younger projects better prepare for an audit by providing “continuous review” and “liquid auditing.”
It’s a model that security expert Maurelian at OptimismPBC thinks leaves space for big auditing firms, while also acknowledging that there need to be other security solutions as well.
“IMO there is real value to an audit by a high quality firm, and nothing else really serves as an ‘alternative’, but I also think there is an issue of over-reliance on audits to provide security,” he said.
Bonassi also believes ReviewsDAO could eventually become a kind of auditing “University,” where people with specialized knowledge can branch into other areas and young developers can grow into fully-fledged auditors — both taking stock of and bolstering the developer resources across DeFi.
“My goal is also to map people and projects — having a transparent place where people can exchange information, help us to understand how many people who are, basically, from a security perspective good enough, are present in the ecosystem.”
Skin in the game
While it meets a clear market need, Bonassi says there are no current plans for monetization or a ReviewsDAO token.
“I think that initiatives like this one should be community goods,” he argues.
This effort to avoid capital incentives is more than just idealism. These new auditing projects are arising because the current model isn’t fully sustainable, says Bonassi — a model that is “transactional,” meaning auditors don’t have as much skin in the game as a more fully engaged partner might. As a result, the entire DeFi landscape (one which the auditors should ostensibly be securing) is suffering.
“They’re not a relationship. It’s not a partnership,” Bonassi says.
Nonetheless, even public goods often have public funding, and it’s an open question whether developers — who are often overworked to begin with — will be willing to donate time at what Andre Cronje calls the “Emiliano Bonassi Rate”: for no reward other than the recognition.
Bonassi notes that multiple major DeFi protocol founders have offered grants, which thus far have been turned down. He is determined to see whether developers are willing to give back to the space that has often given them so much, even when there are other, potentially lucrative, options available.
“What we really need in this ecosystem is more people who work on it — let’s say, someone may hate me but, less forks if they’re not adding value […] I don’t want to end up in the ICO era. I don’t want to go back to 2017.”
THE INTRO POST.
— Code 423n4 (@code423n4) February 15, 2021
Early returns on the effort are promising. Coverage/insurance protocol Cover was the first project to be matched with a reviewer via ReviewsDAO.
“It was great,” says Pumpkin, a core dev for Cover Protocol and Ruler Protocol. “I was one of the few Emiliano shared the idea with right before release. I loved it immediately as it is what I have been looking for (to get external code reviews and more easily and quickly) […] I am not sure what will come out from the review, but the forum is certainly working well as intended.”
Maurelian also believes there’s hope for the perhaps-idealistic model — and that it may be more transactional than it seems at first blush.
“You get what you give. So participating in a project like this is probably a good idea if you’re planning to be in the space for the long haul,” he said.
Even if some developers donate time to curry future favors, Bonassi remains resolute in his vision that efforts to secure the ecosystem should come from a place of altruism and love.
“That’s the ideal we should push. And since we have a lot of money, and this industry has a lot of money, you’re not supposed to need bounties, you’re supposed to do it because you love this industry. This is a call-out to all the people that want to grow the ecosystem.”