Dust didn't settle after the ThorChain was hacked yesterday. It was an interesting hack, but the reason it was possible was due to business decisions.
Following last week's hack, Thorchain said it had been audited by multiple blockchain security companies to locate bugs in a given network. In a CoinDesk article, we can read ThorChain decision and reasoning
"There were really only two options. Launch and accept the risk of issues, or not launch and stay in the 90% complete audit-review cycle for another six months. Both are difficult."
When 9 figure protocol decides to speed things up and sacrifice security, things are bound to go south quickly. Looking at the fallout of this, I don't understand how people like Kyle Samani can write the following things
No matter the size of the project or your TVL, security should be the number one focus. You're dealing with people's money and hearing about many hacks happening left and right nowadays. You should stay vigilant. Add constantly new test cases and test scenarios. Keep up to date with the latest hacks and check if your application is vulnerable to the same exploit.
Some people put their hard-earned money into crypto as an investment. Some have more cash flow that are more comfortable to put into crypto. It shouldn't be decided by protocol how people's money should be handled in cases like this. There should be a community vote on how to proceed with the protocol after it was hacked last week. It's people's money, not the owners' money.
Rushing anything didn't end well in any case.
Audits are to help you secure your product. They are not silver bullets to any security issue but will for sure bring you closer to a more secure platform. There was a reason ThorChain decided to do multiple audits after last week's hack. Rushing to production again shouldn't have happened. But it did, sadly.
I hope people like Kyle Samani won't spread illogical claims as security shouldn't be the number 1 priority. It needs to be the number 1 priority.
Developers and project owners, remember this:
Your work doesn't end when you deploy to the mainnet. It only begins.
Thanks for reading, and if you like my writing, you can subscribe to my blog to receive the daily newsletter as I'm currently in the middle of 100 days of blogging challenge. Subscription box below 👇
If the newsletter is not your thing, check out my Twitter @adrianhetman, where I post and share exciting news from the Blockchain world and security.
See you tomorrow!