As the Web3 ecosystem continues to expand and mature, ensuring its security and robustness becomes increasingly vital. I was at the recent EthDubai event, where industry experts gathered to discuss the latest developments and challenges facing Web3 security.
Here are some of the key questions and insights that emerged from the discussions:
1. We have seen enormous of attacks with Euler, nomad etc., due to post-audit checks; what are your thoughts about it? Should the audit get invalidated? Also, what protocols do you go for post-audit checks?
The primary goal of auditing is to identify contract loopholes, and auditors work hard to uncover hidden issues. However, one audit should not be considered sufficient; Multiple audits and Bug Bounties should be conducted.
The audit itself should not be invalidated because it is useful in identifying areas for improvement.
Talking about Post Audit checks, Once deployed, it is critical to monitor them regularly to ensure that it is functioning as intended and that there are no suspicious transactions or activity. Contract monitoring tools such as Forta, Tenderly, and others are available.
It is also Important to monitor smart contracts in order to reduce the risk of vulnerabilities and keep contracts up to date with the latest security patches and upgrades.
In case of an unexpected event or a security breach, it is critical to have a disaster recovery plan in place to minimise the impact and quickly restore the smart contract.
2. What does the state of monitoring smart contracts looks like? Why is no one using it properly?
Monitoring smart contracts on the blockchain is critical because it provides real-time insights into investor behaviour patterns and transaction activity of smart contracts on the blockchain. It also provides alerts to any potential security issues or vulnerabilities, or function calls.
There could be several reasons why people aren't using it properly, such as the complexity of smart contracts, which have many interacting components and dependencies. Because of this complexity, developing effective monitoring strategies and tools can take time for Companies.
Lack of awareness: Many blockchain developers and users need to be made aware of the importance of smart contract monitoring tools and Last but not least, monitoring tools and services can be costly, making them unsuitable for smaller projects or organisations with limited resources.
3. How much has horizen of audit expanded with multichain and L2s adding new compiles? How does a dev and audit firm take care of that?
The growth of multi-chain and L2 solutions has significantly broadened the horizon of the Smart contract security Audit Industry. With the introduction of new L2 (such as ZK rollups and Optimism), protocols, and smart contract language, the potential for vulnerabilities and security risks gets bigger.
As a result, it is critical for auditors to stay up - to - date on new developments in the blockchain space by conducting extensive research, attending events, and participating in forums with key industry Players.
As the leading Security Audit firm, we at Quillaudits stay up to date on the latest chains and attack vectors in the space. We have monthly internal sessions on the latest developments and attacks, and we also have our own team of security researchers.
4. Recently there have been a lot of Web2 attacks on Web3 apps, from phishing to rce on servers with keys; why isn't Web3 learning from Web2?
It's important to remember that Web3 is still a young and developing technology; therefore, there's a lot to learn about developing and securing decentralized applications. While Web2 attacks on Web3 apps are undoubtedly concerning, it is also worth noting that many Web3 developers are actively working to improve their applications' security.
One of the challenges with Web3 security is that it fundamentally differs from Web2 security models. Because Web3 applications are decentralized, many different parties are involved in their security, and security risks are distributed across the network. This makes it difficuit to apply the same security practices and techniques used in centralized Web2 systems.
Another factor to consider is that Web3 applications often involve complex interactions between different smart contracts and protocols, which can create new and unforeseen security risks. Additionally, the decentralized nature of Web3 applications means that traditional security measures like firewalls and intrusion detection systems may not be effective.
5. How do you go about having a good test case with mutation, invariant testing, and fuzzing? Does your org prefer anything?
Having a good test suite is essential for ensuring the security and correctness of smart contracts.
To create a good test suite with mutation testing, invariant testing, and fuzzing for a smart contract audit, it is important to start with a clear understanding of the contract's requirements, perform mutation testing to identify gaps in the test suite, use invariant testing to ensure the contract adheres to specified invariants, use fuzzing to identify unexpected behavior or security vulnerabilities, perform test coverage analysis to identify any parts of the code that are not being adequately tested and test the contract under real-world scenarios to ensure it functions correctly in a production environment.
We at QuillAudits, prefer UNIT Test Cases with at least 80% test coverage done.
The rest of the Edge case scenarios are carried out by our team.
6. Like zk code, zk audits techniques are also zero knowledge for me. Can you tell me how difficult it is to find bugs in it? Or if you have found something in the wild?
Zero Knowledge Proof is a verification method between a prover and a verifier. In a zero-knowledge proof system, the prover can prove to the verifier that they have the knowledge of a particular piece of information (such as the solution to a mathematical equation) without revealing the information itself. Modern cryptographers can use these proof systems to provide increased levels of privacy and security.
To find bugs in Zero-Knowledge Proof (ZKP) systems, auditors typically use a combination of static analysis, formal verification, and testing. Auditing ZKP systems requires specialized knowledge of cryptography and a deep understanding of the specific ZKP system being audited. In the past, there have been instances where vulnerabilities were discovered in ZKP systems, such as zk-SNARKs protocol used by the Zcash cryptocurrency and Bulletproofs+ protocol, but developers quickly patched these.
7. What are the pros and cons of using a crowd-sourced audit contest platform like Code4rena versus traditional security firms for auditing smart contracts🕵️?
While traditional security firms have experienced auditors with deep knowledge of smart contract security, Code4rena uses a crowd-sourced approach, which may leave room for missed bugs.
However, Code4rena offers measures such as bounties and skills requirements to mitigate risks. Choosing between traditional auditors and an audit contest platform depends on project needs.
8. What's your fav smart contract vulnerability you have seen in recent times, a vulnerability which you would have wanted to find lol?
In one of our DAO audits, we discovered a smart contract vulnerability that involved a governance takeover using flash loans and voting amplification. It was a fascinating issue to work on, and it highlighted the importance of building resilient systems that can withstand potential attacks.