What we have to do for Crypto security in the future

Today is a big day (2022/5/12). The Terra incident will become a security case for the industry that is repeatedly mentioned for years to come. The damage it does to the industry will keep unfolding in the days ahead, but on the flip side, this incident will also become a treasure trove from which we can reflect on our own behavior from time to time; it deepens people's understanding of crypto security and creates a better safety valve for industry participants.

Reflecting on the Terra incident, I will try to summarize crypto risk from three perspectives: first, the psychological risk of speculation; second, crypto business logic risk; and finally, the risk of code vulnerabilities. I don't want to say much about the first type of risk in this article, because it is an eternal topic: greed, speculation and gambling can't be eradicated from anyone, we are all the same, just to different degrees. In this incident I saw many people who clearly understood the logic and risk of Terra but still participated and lost a lot of money; I can only say that this tuition is very expensive. In addition, these three types of risk are often intertwined, which makes them harder to prevent, and the intersection of business risk and code risk runs especially deep.

This article will focus on business risk and code risk, and combine existing industry pain points with existing solutions to put forward some new thinking. It will mention some security companies, such as Certik, Slowmist and other industry leaders, and discuss their existing business. I have been following Certik since 2018, when Certik started its project fundraising and set up its team, and its growth history offers crypto security builders some interesting inspiration. If you want to enter this industry, I suggest you first study the growth history of these security OGs, which will provide a lot of useful references for building a great business.

Crypto Security Pain Points

I will try to list existing industry pain points from six perspectives: the developer, the security company, industry services, platform tools, community contribution, and security education.

Six Pain Points for Crypto Security
  1. Developer's perspective: the cost of security review is too high, and there is no way to test the security of code logic and business logic quickly and at low cost.
  2. Security company perspective: resources are limited and excellent security review engineers are scarce, especially engineers who are familiar with crypto business logic and also have experience in code security verification. So the security business cannot be spread effectively across a large area.
  3. Industry service perspective: currently, security review is usually a point-in-time review of a specific business and its code for a particular crypto product, but these services are not persistent or systematic, so you will see DeFi products that finished an audit and still exploded with a huge vulnerability some time later. Ensuring product security requires security measures in multiple dimensions; security is like a SpaceX rocket launch, where any tiny mistake can lead to a crash, especially in current DeFi business, as the recent security breaches of Fei and AXIE show. Our industry still lacks a complete, continuous, long-term security service priced accordingly; we may be able to learn from the experience of the telecommunications industry, and that solution will be discussed later.
  4. Platform tool perspective: in Web2 development, engineering teams have many automated verification and engineering management tools and services; some are open source and some are integrated into product services. The crypto security field still lacks such platforms and developer tools. They should have the following characteristics: easy to integrate, modular, backed by a large database of security test data and their own verification data, open source, and low cost.
  5. Community contribution perspective: currently projects are protected mainly by their own teams and by security companies. Certik, for example, has served thousands of crypto products, but these forces are not enough; the quarterly security incidents tell us there is a lot of work to be done. We all know that security is one of the cornerstones that lets the crypto industry keep moving forward, yet few people are engaged in this area. I think one reason is the incentive problem: the existing industry service model does not inspire great enthusiasm in the developer community to contribute, even though there is huge value to develop here, both commercially and in open source.
  6. Security education perspective: many code and business logic risks can be avoided in advance during the initial product iterations, but this requires training and educating engineers. Education is often a public service, and the code and business vulnerabilities of the past have not led to effective education services; perhaps in the future industry education services will emerge that can also generate profit.

Security Service Solutions

Combining the existing pain points with future needs, let's talk about possible solutions. The pain points above will all be transformed into various mature commercial services as well as open source services in the future. As the main security service providers in this industry, security verification companies have vast room to grow, so I will elaborate on various potential solutions from the perspective of existing security solution providers. As one of the industry's explorers, Certik has provided many beneficial services from 2018 to now, protecting a large number of assets from loss; Certik has also developed a public chain, issued a token and launched a popular commercial security service, so it has a lot of experience both in the public chain space and in developing security products.

Synthesizing the above industry pain points, I will propose solutions in the following areas.

Before we start discussing the solutions, let's assume that three actors exist: Alice, Bob and Tim. The assumptions below include some services that exist now or may exist in the future (in the current crypto industry these services may be offered and developed by dozens of companies; these are not three specific companies and do not refer to anyone in particular).

**Startup Team:** Alice and her partners are developing a Web3 social app; their dream is to create the WeChat and Facebook of the Web3 world.

**The Big Crypto Finance Company:** Bob is the product owner at a crypto asset management service provider. His company offers three business segments: the first provides compliant transaction services for businesses and wealthy families who want to enter the crypto world; the second provides asset management and lending services for clients; and the third develops secure smart contract business systems and a permissioned chain platform for traditional financial companies. These systems allow traditional companies to rapidly deploy B2B business logic and connect their own permissioned chain platform to the crypto economic world.

**Security Service Company:** Tim is the solution leader at a security audit provider (e.g. Certik) whose business covers Crypto Asset Platform Audit, Trading Platform Audit, Wallet Audit, Blockchain Security Audit, Smart Contract Audit, Crypto Asset Threat Intelligence, Web3 Platform Defense Deployment, Hacking Asset Monitor, a product development and automated security testing platform, and other services.

1. Development and Security Testing Integration Service: through this service we can solve the problem of missing tools for secure development faced by developers, and the problem of rapid iteration versus security testing faced by Web3 developers.

Imagine Alice as a full-stack engineer from Web2 who has just entered the Web3 world to start her startup. In Web2, her development process usually went as follows: design the product prototype, choose the right development kit, iterate on the product, run automated testing, run a public beta, and collect community feedback.

Alice and her partners want a robust smart contract development kit. She wants the team to produce code that meets certain security standards, and she even wants every function she uses to have undergone thorough security testing by the community, because they are not familiar with Solidity or other smart contract languages. So she wants to find an open source community where everyone can discuss common security issues in development, and where she can leverage existing, proven code.

Now she has heard that Certik might provide a product development and automated security testing platform and other services, on which she can develop code that meets certain security standards, and whose tools can help her avoid some common mistakes.

After the code is finished, she wants to use Certik's Skynet and other automated testing tools to fully test every function in the code. Finally, after finishing the demo and getting financing, she hopes that the code the team develops in the future can be debugged on the development and testing platform provided by Certik, and expects that after the product is completed she can run customized attack testing and security deployment services and discover potential vulnerabilities together with security companies like Certik.

Alice doesn't want to be hacked like AXIE, which had $600 million stolen by hackers; she hopes to work with companies like Certik for a long time and find such catastrophic problems early. She also wants Certik's services for every big iteration of the product in the future, using their security testing library to find product vulnerabilities early, and she wants these services to be reasonably priced and available for a long time. After discussing with the community, at the development kit level she chose the Foundry development environment developed by Paradigm, and she wanted to be able to benchmark the product after development was complete:


```solidity
pragma solidity ^0.8.13;

// Minimal Foo so the test compiles: x starts at 1 and double() doubles it
// (the original snippet assumes such a contract without showing it).
contract Foo {
  uint256 public x = 1;

  function double() public {
    x = x * 2;
  }
}

contract FooTest {
  Foo foo;

  // The state of the contract gets reset before each
  // test is run, with the `setUp()` function being called
  // each time after deployment. Think of this like a JavaScript
  // `beforeEach` block
  function setUp() public {
    foo = new Foo();
  }

  // A simple unit test
  function testDouble() public {
    require(foo.x() == 1);
    foo.double();
    require(foo.x() == 2);
  }

  // A failing unit test (function name starts with `testFail`)
  function testFailDouble() public {
    require(foo.x() == 1);
    foo.double();
    require(foo.x() == 4);
  }
}
```

Next she hopes to interface with Skynet's security verification system and take advantage of the mature security verification library inside it. In the current situation many services still need to be improved and require a lot of contributions from the open source community.
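As an added example (not from the original post, and not Certik's or Foundry's own code), here is the kind of Foundry fuzz test Alice's team could run on every iteration to check a property of a contract across many random inputs instead of the single values in the unit tests above; the `Vault` contract and the test names are hypothetical, and the block assumes forge-std is installed in the project.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.13;

import "forge-std/Test.sol";

// Hypothetical vault written for this example; it stands in for one of
// Alice's own contracts and is not code from the post or from Certik/Foundry.
contract Vault {
    mapping(address => uint256) public balances;
    uint256 public totalDeposits;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
        totalDeposits += msg.value;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount, "insufficient");
        // Effects before interaction so a re-entering caller sees updated state.
        balances[msg.sender] -= amount;
        totalDeposits -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}

contract VaultFuzzTest is Test {
    Vault vault;

    function setUp() public {
        vault = new Vault();
    }

    // Foundry fuzzes every parameter of a test function: `forge test` runs
    // this body many times with random `amount` values, so the property is
    // checked across the input space rather than for one hand-picked value.
    function testFuzz_DepositThenWithdraw(uint96 amount) public {
        vm.deal(address(this), amount);           // fund the test contract
        vault.deposit{value: amount}();
        assertEq(vault.balances(address(this)), uint256(amount));

        vault.withdraw(amount);
        assertEq(vault.balances(address(this)), 0);
        assertEq(vault.totalDeposits(), 0);
        assertEq(address(this).balance, uint256(amount));
    }

    // Property: withdrawing more than was deposited must always revert,
    // whatever the two amounts are. vm.assume discards inputs that do not fit.
    function testFuzz_OverWithdrawReverts(uint96 deposited, uint96 extra) public {
        vm.assume(extra > 0);
        vm.deal(address(this), deposited);
        vault.deposit{value: deposited}();
        vm.expectRevert(bytes("insufficient"));
        vault.withdraw(uint256(deposited) + extra);
    }

    // Needed so the vault's ETH transfer back to this contract succeeds.
    receive() external payable {}
}
```

Run it with `forge test`; when a fuzz run fails, Foundry prints the counterexample input that broke the property, which is exactly the kind of early feedback Alice is looking for.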

I believe developers desperately need a mature development and security testing service, and this can turn into a lucrative business, especially the later security testing services: developers should be able to plug in, customize and pay as needed, and individual services can be automated and modularized.

For example, Wallet Audit is a service they especially need. Currently it has to be designed by a security company's solutions engineers, but customers want to choose and customize freely, see rapid feedback on results after implementation, get continuous security testing as the product iterates, and pay reasonable prices. Security testing services should be integrated with the development framework platform and automated and modularized as much as possible; crypto security services should be infrastructure, like cloud services. A DAO community can be introduced to participate and contribute, with an appropriate DAO incentive mechanism.

2. Integrated security product service platform: through this platform we can solve the problems of the high marginal cost of security audit companies, slow service expansion, long-tail customer needs that cannot be satisfied, and product automation.

I served in the telecom field for 10 years and was responsible for developing the product testing framework for a telecom bridge product and for technical support to customers. We developed a product management and support system internally, and customers could reach us through this system at any time. Customers could raise bugs and support cases, and we could use this system to track and coordinate the various parts needed to solve their problems.

It included four capabilities: first, customer case support and tracking; second, internal team coordination; third, access to internal testing systems; fourth, customers could customize the new support services we provided, just as you compose a product service from cloud services according to your requirements. We served all of our customers worldwide with this system, and with most of them we signed long-term service contracts of 5-10 years.

After the first discussion with Bob, Tim designed four services for Bob's company: Crypto Asset Platform Audit, Smart Contract Audit, Hacking Asset Monitor and Platform Defense Deployment Guidance, and extracted some key tests from each of the four services. The service period is 5 years.

In the second year, Tim's company developed a new service, Platform Attack Test, which simulates a full-scale hacking attack with the goal of breaching Bob's company's security permissions to obtain the client's digital asset keys. Tim introduces this new service to Bob, who knows it is helpful for identifying potential risks in advance; Bob can now choose the specific details of the service and sign an electronic contract to pay the fee. Tim's team will regularly and proactively attack Bob's specific services based on the security team's risk assessment, like a Red Team vs. Blue Team game.

3. Security Community DAO: the DAO approach may fix the lack of human resources for security education, community contributions and security audits. There Alice can find good audit teams, seek security training, contribute code to the community's open source products, and call on community members to launch attack tests on her new service. Alice, Bob and Tim can also collaborate on educational products and contribute code and test cases to the open source detection tool that Tim is leading.

Now our industry needs passionate, capable, collaborative engineers with an open source spirit to do something far-reaching, and I look forward to working with Certik, Compound, Uniswap, Paradigm, the Eth community, and many other industry leaders to create a DAO organization focused exclusively on crypto security. Security is one of the cornerstones of the crypto industry, and I believe such an organization will exist in the future; for long-term operation it could include the following aspects.

Governance Sub DAO: responsible for incentive mechanism design, contribution evaluation model design, ecological asset management, SBT system design, etc. With my failed experience of building a public chain developer community several years ago, I now understand that nothing is more important than designing a good community governance scheme.

A few years ago my team and I developed a public chain and operated a developer community. At that time we didn't call it a DAO; we thought of it as a user community and used hacker growth thinking to do fission. Later, as the whole public chain died, the community also slowly went quiet.

Now I think designing a DAO is very difficult. It is not just a group of people getting a multi-signature wallet to manage crypto assets for investment and that's the end of it. A DAO is not exactly a user community; sometimes a DAO does not own a product at the beginning and has no users. A DAO community can also do fission, but if you use Web2 methods for hacking growth of a product in a DAO, it is doomed to failure.

Now I am happier to see DAO community members as members and partners rather than just users of a product. If you are interested in the history of countries, I suggest you read the history of Singapore's founding and the memoirs written by Mr. Lee Kuan Yew and his partners; the great work they did as a group for a great goal and ideal is a more meaningful model for us in creating and serving a DAO community.

Audit Tool Development Sub DAO: an existing community of developers collaborating to create a great suite of security testing tools, driven by a certain amount of fun and incentive. As we have seen in the Web2 open source community, such collaboration has created excellent open source products and has also produced excellent security talent for the crypto security industry. These products are both the best reflection of an engineer's ability and a community honor, and these potential hiring resources can also alleviate the lack of audit engineers at security companies.

Education Sub DAO: for a good engineer who wants to contribute to the Web3 world and gain respect, there are usually three ways to do so: one is to develop an excellent product; two is to protect user assets as a white hat hacker; and three is to be an evangelist who teaches skills to other engineers to make them better.

Education is always essential for any emerging industry and can be a huge help to its growth. Many engineers in the crypto community are taking on the job of teacher and providing technical and other development-level guidance to others; in particular there are already many courses on smart contract development, but there are almost no such courses on security, and there is no such security education community.

So I look forward to the emergence of a security education DAO, which will take on part of the security education work and provide security guidance to engineers and support to startup teams. For security companies, providing the necessary security education and guidance to the industry is good for building product brands, expanding the reach of their products to developers, and promoting an active security community.

Bounty Sub DAO: bounties have always been a good incentive to encourage external developers to find vulnerabilities, but I think this service is not well utilized: when a product launches a bounty, only a few developers pay attention, and I think many products' bounty incentives are simply an insult to developers. The security community should also regularly hold security testing events, just like other development events, to encourage the community to spontaneously form attack teams and find problems.

Right now this bounty service is too small to drive the whole industry forward, so I expect the security community to conduct more rigorous attack testing on crypto products, which is what I describe below as the Attack Sub DAO.

Attack Sub DAO: let's imagine a situation where 50 crypto projects join the Attack Sub DAO and promise that if a hacker team successfully breaks their platform and gets the platform's crypto assets, the hacker team can keep 5% of the total taken as a reward. As long as the other 95% is returned, the hacking team will not bear any legal risk and the 5% reward will be legal.

This idea came from a security community discussion. Such an incentive mechanism will stimulate the interest of many hacker engineers, who can discover the vulnerabilities of crypto products more quickly and strengthen the security of the whole industry. Some may doubt the morality of this approach; my response is that we have many such examples in real life, such as the legalization of marijuana and gambling, which regulates the development of the industry rather than leaving it underground and unregulated, bringing it into the foreground under compliance regulation and solving the original problem. We need to look at hacking with a more progressive mindset and provide positive incentives for it to strengthen the security level of the whole crypto industry.

Disclaimer: This article is not intended as investment advice and is for general communication purposes only; any questions are welcome. My Twitter is @ImBlockBB
