Why is self-auditing a bad idea?


While scrolling through Twitter, I stumbled upon this tweet from Ashton Kutcher.

An immediate red flag was raised in my mind, and I decided to write this article.

Why audit in the first place?

Not all smart contract developers have deep knowledge of the EVM, of common security pitfalls, or of the latest economic exploits. They should, of course, follow the news closely, and I wrote about that in one of my rants.

When developing a project, developers sometimes lose sight of how the functions interact as a whole. They tend to think about how things should work instead of how things can go sideways. I'm not saying all developers do that, because I have audited projects in which the code quality was at a reasonable level and I didn't have much to say. But most of the time, I see that not all edge cases are tested, or that the creators did not consider the latest hack and exploit vectors.

That's why we need an audit: to have third-party security professionals look at the code without any bias, with fresh eyes, and to have someone with deep knowledge of what is happening in the current DeFi hacking scene. No code is perfect. No code is bug-free.

When we're serious about a product we launch, we should be doing an audit. Saying "we followed industry standards" is not enough. We don't know who wrote the code. Were the developers Super Shadow Coders? Or did you write the code yourself? We don't know. That's why external audits are essential. They help surface any minor to critical issues your team may have overlooked. Some issues may not seem like a big deal now, but they may become one further down the line.

Smart contracts are deployed once and cannot be changed. Yes, there are upgradeable contracts, but those come with their own set of issues. Once something is put onto the blockchain, it stays there forever. People from traditional software backgrounds tend to forget that.

Audits are there to help you secure your product. They are not a silver bullet for every security issue, but they will certainly bring you closer to a more secure platform. A security audit may be expensive, but it will save you money in the future.


Thanks for reading, and if you like my writing, you can subscribe to my blog to receive the daily newsletter, as I'm currently in the middle of a 100 days of blogging challenge. Subscription box below 👇

If the newsletter is not your thing, check out my Twitter @adrianhetman, where I post and share exciting news from the blockchain and security world.

See you tomorrow!