The headlines do not sugarcoat how devastating smart contract failures can be. DeFi in particular has seen several billions of dollars wiped out from novel smart contracts because of exploitable code. While smart contracts are crucial to financial transparency, the attack surface also widens when code is made fully public to the community.
An open financial ecosystem is meant to disrupt the traditional tradeoffs between closed source and open source; however, security is not prioritized enough. Security focus must be deepened throughout the pre-launch processes of smart contracts to scale the industry to billions of users and trillions of institutional capital while mitigating the risk of attack.
Unfortunately, the security auditing practice is difficult for teams in the following ways:
Tier-1 auditing firms have long lead times, requiring a letter of intent (LOI) months in advance of a scheduled date: code can be outdated by the time the audit begins. New code developed in the months leading up to the audit must be taken through the scheduling process once again, creating a feedback loop in which auditors dictate the pace of product shipping.
Tier-1 auditing firms are extremely expensive: self-funded teams simply cannot afford a security audit, and teams in the process of raising funds cannot pay auditors until the fundraising is complete.
Surprisingly, the bear market also plays a role in the security auditing practice. Lead times have dropped and demand for audits has decreased, but it is still crucial to focus on the security needs of teams and to develop tooling that creates efficient work streams.
The Hexens team placed second in Paradigm’s recent Capture The Flag, an online competition for smart contract hackers. Before going all in on Web3 security, the team had been recognized as world-class cybersecurity experts in the technology industry for over 10 years. Hexens now has a team of 22 employees, with expert auditors and developers creating tools to increase the safety of this industry.
In addition to auditing, Hexens has a focus on investigations and has already returned over $13M in assets to hack victims by identifying and de-anonymizing individuals who have taken advantage of smart contract exploits.
“Polygon zkEVM is being audited by two security firms, Spearbit and Hexens. An advantage of two auditing teams working independently is that the results each produces are made more robust in aggregate—Hexens’s feedback will be checked against Spearbit’s and vice versa.”
In addition to auditing previous projects for Polygon and now zkEVM, Hexens is also trusted by 1inch, API3, Azuro, and several other blockchain-based projects.
Learn more about Hexens by visiting their website.
Follow Hexens on Twitter.