by jjordan 1054 days ago
There is a thriving community of security researchers and engineers in the smart contract auditing space.

Services like code4rena (https://code4rena.com/) and sherlock (https://www.sherlock.xyz/) make audits a public and competitive process with leaderboards that track the best of the best. Naturally those that rise to the top of these leaderboards tend to end up offering boutique auditing services due to projects wanting audits from the best of the best in the business.

Trust (a pseudo-anonymous auditor's handle) launching Trust Security (https://www.trust-security.xyz/) is a perfect example of someone who turned public contest success into a highly sought after auditing firm. There are other examples, but overall smart contract security is undeniably improving over time.

3 comments

Yes but as you see on code4rena the cost of an audit is about $100k.

That is ballpark what a company would pay to have a security audit of their website or network, for example. So I would guess Ethereum has become an "Enterprise" technology because of the prohibitive cost of securing its applications?

From what I understood originally, blockchain & Ethereum aimed at removing those actors like banks who can afford the high cost of licenses, compliance & security of complex systems.

Meaning you could write and execute your will without a lawyer and a court system, or write a smart contract to manage a condominium and its treasury with the other landlords (a $100k audit is out of the question for those use cases).

We are hearing less and less about those use cases and talk more and more about "Enterprise Ethereum" (https://ethereum.org/en/enterprise/) as we find out that developing for the platform will be as complex & expensive as for a big corporation.

But none of the players involved are "landlords". The $100k etc. is just the figure they are charging for their services. It isn't mandatory that you get a security audit. You can just go ahead without it.

Whereas if you want to get those conventional licenses you have to go through mandatory licensing. This means there is unlikely to be a regulatory capture that would introduce licensing terms that would prohibit new players from coming in.

That is objectively a good thing.

But does it work?

Do any of the audits ever come back clean i.e. no detected defects?

Are those audits actually serious and representative of the resources available to a profitable attack? Many smart contracts manage millions, tens of millions, hundreds of millions and up in value. Do they actually do multi-year audits with a team of 5 that come back clean?

Do they seriously believe and publicly state their design processes are better than the best IT systems by Google, Apple, Amazon, NSA, FBI, etc.? Because those organizations cannot get clean audits against red teams with multiple people and a few years to work.

That would be an extraordinary claim; do they have the extraordinary evidence to back up that claim? Do they even have any verifiable evidence at all to back up that claim other than more marketing drivel?

If the answer to all of that is not yes, then it all sounds like a house of cards and just more “security” bullshit to me.

Audits are performed as due diligence before actually launching the product or service that will utilize it. The audit is a collaborative process between the auditing team (or contest participants, in this case) and the developer of the smart contract. Contestants are rewarded financially for finding exploitable issues, with unique criticals (i.e. exploits that lose customer funds or otherwise fundamentally break the intended behavior of the contract) paying the most. AFAIK no public Code4rena or Sherlock audit has had a critical vulnerability exploited after a contest was completed.

It would be hard to compare the smart contract auditing ecosystem with audits of internal processes at those entities you mentioned, because the problem being solved is fundamentally different. Google, Amazon, et al. are protecting access to information stored in data centers, whereas smart contracts are at most a few thousand lines of code that need to work as intended, without clever hackers finding a way to exploit them.

So, no. Lots of “process”, words, and gamification, but no results and no evidence of actual robust security at the necessary multi-million dollar level.

Looking at the leaderboard [1] it looks like the payout is a few thousand dollars for a “steal all the money” defect. These companies literally want to manage millions of dollars, yet it regularly costs only a few thousand dollars in developer time to steal all the money. And these are the good companies doing audits.

What a joke. It is worse than XP, but at least Microsoft knew they were a laughing stock.

[1] https://code4rena.com/leaderboard

Yes, you're right, there are very talented companies, but that's actually what the OP has been saying... These companies exist because of the language. No language is perfect, but Solidity is very imperfect, to say the least.

These challenges are very interesting: https://ethernaut.openzeppelin.com/. The thing is, almost none of these hacks would be possible if Solidity were better.