DeFi space is growing strong and steady. TVL is growing even faster, but also the stolen value from DeFi protocols. According to DeFiPulse, the Total Value Locked in DeFi projects is roughly $90.16B.
Hacks keep happening even though more projects are getting audited. For me, who audits smart contracts every day, I see how different projects approach an audit. With the current craze of NFT's and just the sheer number of current value being stolen, it's worth talking about the need and purpose of an audit.
What is an audit?
Not all smart contract developers have a vast knowledge of EVM, security pitfalls or know about the latest economic exploits. They should, of course, follow the news closely, and I wrote about that in one of my rants.
When developing a project, developers sometimes lose sight of the broader spectrum of the interaction of the functions. They tend to think about how things should be working instead of how things can go sideways. I'm not saying all developers do that because I audited projects in which code quality was on a reasonable level. I didn't have much to say. But most time, I see not all edge cases tested, or even creators didn't consider the latest hack and exploit vectors.
That's why we need an audit. To have third-party security professionals look at the code without any bias, with a fresh look. To have someone with vast knowledge of what's happening in the current hacking scene of DeFi. No code is perfect. No code is bug-free.
Audit as a marketing tool
When a project decides on an audit, it should have one goal in mind. To increase the security of the code and help secure the future funds of its users. Unfortunately, this not always the case, and projects tend to lean towards the marketing purposes of the audit.
Nowadays, people tend to only look for information if the project was audited and by who. They don't even look at the audit report itself. Information about an audit itself is enough for them, and some projects use it to their advantage.
I worked with some clients who were offended when a report contained many informational bugs (code optimizations, gas-saving, not following certain code standards). To them, that sounded like a project that had many issues, and it would look bad for anybody reading the report.
That's right there ☝️ is a wrong way of thinking about the audits. An audit should be mainly for the development team to fix the bugs, fix any issues and improve the codebase. An audit is nothing more than a comprehensive code review with security in mind. Using audit as a marketing tool, especially when you only want to lure more users into your protocol, is unethical.
I'm not saying it can't be used for marketing. It can be only when you are honest about the report and the findings in it. Stating that you had some issues but you took care of them thanks to an audit and you are working closely with firm X to improve the security further sends a lot better message than "Our audit report didn't found anything, come give us money". Sadly the latter approach is more prominent.
It's hard to tell what's next. Users would need to pay more attention to audit reports and be more skeptical of everything in DeFi. When users are "apeing" into every project, such practices will continue. When community and users mature, such practices won't be happening as often as they are now.
Most audit reports contain an executive summary or project summary of some sort that helps you, the user, understand what important issues were fixed and which not. CertiK created last month a great article on how to navigate audit report. It helps with understanding and will be a great starting point for other audit reports as well.
Remember, be skeptical and verify whatever you can about the project before jumping in. If you can't read the code, read the audit report, which was created in such a way to help everybody understand the issues of the project. Don't fall into the marketing trap and verify every claim project makes.
Thanks for reading, and if you like my writing, you can subscribe to my blog to receive the newsletter. Subscription box below 👇
If the newsletter is not your thing, check out my Twitter @adrianhetman, where I post and share exciting news from the Blockchain world and security.