How can a finance platform that’s available 24/7 to users stay secure at all times? Here’s what security firms are doing.
Smart contracts are an integral part of blockchain technology and the foundation of blockchain projects themselves, but if something goes wrong with them, the consequences can be severe.
Unfortunately, smart contracts can be riddled with vulnerabilities and security threats, opening the way for hacks by bad actors and spelling danger for a lucrative, high-stakes industry.
As exploiters can utilise bugs, exceptions, and other methods to steal digital assets from users, DeFi firms have to implement appropriate cybersecurity measures to keep themselves, their platforms, and their customers safe.
However, DeFi faces a problem that most fiat financial institutions don’t have to consider: how they can stay safe, 24/7, and available at all times to users all over the world.
Security audits
Security experts can be hired to audit a platform, performing manual and automatic checks for vulnerabilities in smart contracts. Services like Hacken can also provide detailed reports to clients, outlining what needs to be done to fix such vulnerabilities.
In a DeFi audit, the auditor scores the severity of each detected issue, and it is then up to the client to fix those bugs, whether by enlisting the help of a security engineer or by posting a bug bounty.
These audits should also be done routinely, alongside regular security testing of DeFi projects, to make sure that new updates, patches, and other changes do not introduce security vulnerabilities.
So before you get into a DeFi project, be sure to check who’s auditing it – and how often they’re doing so. The rekt.news exploit leaderboard shows a list of unaudited DeFi projects, making it a good place to start to find projects to avoid.
Bug bounty programs
Independent security engineers typically scour Web3 looking for programming bugs to solve in the hope of reaping cash rewards. Also known as whitehat hackers, these individuals take the time to catch exploitable errors before they can be turned into a hack by bad actors.
Bug bounties have been gaining popularity because they are known to be effective not only in compensating whitehat hackers for their work in disclosing vulnerabilities, but also in incentivizing bad actors, or blackhats, to act more responsibly and seriously.
The bug bounty ecosystem is also a slightly complicated one. Whitehat hackers can report vulnerabilities, but having someone on hand to respond to a report and fix it is another matter. As DeFi demands a system that operates 24/7, staffing costs can get fairly expensive if a DeFi firm simply decides to keep an in-house security team.
Not only that, but false reports are sometimes made as well, according to Immunefi founder and CEO Mitchell Amador.
“Lots of people don’t want to wake up on Sunday at 4 in the morning to deal with a report, and you can’t know if the report is that serious hack, or if it’s just spam,” said the founder. “And so [companies] contract us to provide as close to 24/7 coverage as we possibly can.”
Immunefi’s global network of employees makes it easier for Web3 clients to maintain around-the-clock security coverage. The service aggregates thousands of bug bounties on its platform for hackers to browse and review, submitting bugs as they discover them. According to its website, the service has paid out more than $75 million in bounties to whitehat hackers.
What’s next for DeFi cybersecurity?
As technologies like ChatGPT and MidJourney enter the public consciousness, people are left wondering whether artificial intelligence may be another tool that can be used in DeFi security.
According to Amador, AI could potentially replace overburdened workers and perhaps make the average whitehat’s workflow more efficient and accurate. Wishful thinking aside, AI isn’t yet fit to take over the job of a security engineer.
“As far as we can tell,” Amador said, “we’re a long way away from being able to use this in practical security concerns.”