by Veserv 1061 days ago
But does it work?

Do any of the audits ever come back clean i.e. no detected defects?

Are those audits actually serious and representative of the resources available to a profitable attack? Many smart contracts manage millions, tens of millions, hundreds of millions and up in value. Do they actually do multi-year audits with a team of 5 that come back clean?

Do they seriously believe and publicly state their design processes are better than the best IT systems by Google, Apple, Amazon, NSA, FBI, etc.? Because those organizations cannot get clean audits against red teams with multiple people and a few years to work.

That would be an extraordinary claim; do they have the extraordinary evidence to back up that claim? Do they even have any verifiable evidence at all to back up that claim other than more marketing drivel?

If the answer to all of that is not yes, then it all sounds like a house of cards and just more “security” bullshit to me.


Audits are performed as due diligence before actually launching the product or service that will utilize it. The audit is a collaborative process between the auditing team (or contest participants, in this case) and the developer of the smart contract. Contestants are rewarded financially for finding exploitable issues, with unique criticals (i.e. exploits that lose customer funds or otherwise fundamentally break the intended behavior of the contract) paying the most. AFAIK no public Codearena or Sherlock audit has had a critical vulnerability exploited after a contest was completed.

It would be hard to compare the smart contract auditing ecosystem with audits of internal processes at those entities you mentioned, because the problem being solved is fundamentally different. Google, Amazon, et al. are protecting access to information stored in data centers, whereas smart contracts are at most a few thousand lines of code that need to work as intended, without clever hackers finding a way to exploit them.

So, no. Lots of “process”, words, and gamification, but no results and no evidence of actual robust security at the necessary multi-million dollar level.

Looking at the leaderboard [1], it looks like the payout is a few thousand dollars for a “steal all the money” defect. These companies literally want to manage millions of dollars, yet it regularly costs only a few thousand dollars in developer time to steal all the money. And these are the good companies doing audits.

What a joke. It is worse than XP, but at least Microsoft knew they were a laughing stock.

[1] https://code4rena.com/leaderboard