
As we venture deeper into 2024, the Web3 community continues to grapple with an unsettling trend:
"Projects still fall prey to hacks or engage in malicious activities such as rug pulls, leading to the loss of billions of dollars."
This not only erodes trust in the Web3 ecosystem but also underscores a fundamental issue:
"The lack of accountability and diligence in upholding security standards."
The genesis of this problem can be traced back to two main factors:
Audit Firms Falling Short: The first root cause lies in the discrepancy between the services promised and the services delivered by audit companies, for instance when firms assign junior auditors instead of seniors, or simply provide static analysis reports instead of manual reviews.
The problem here lies in the fact that the scope of the review engagement is incorrectly communicated, leading to a false sense of security. There is absolutely no problem with assigning junior auditors, as long as this is communicated clearly so that the protocol can schedule a second audit.
Project Founders' Apathy: The second root cause points to a more troubling trend:
"Project founders prioritizing personal gain over the security of user funds."
This is particularly prevalent among "degen" projects and outright Ponzi schemes, where allocating resources to robust security measures is often seen as an unnecessary expense. The founder simply doesn't care about this: either a cheap company is hired or none at all.
Recognizing these issues is the first step towards remediation. The solution, albeit controversial, is clear:
Projects and companies engaging in negligent security practices must be publicly called out to raise general awareness of this topic. This approach aims to foster a culture of accountability, encouraging investors to exercise caution and thereby mitigating the risk of financial loss.
The practice of public disclosure, however, is not without its challenges:
1. Investor Skepticism: Investors often perceive such disclosures as FUD, because a disclosure damages the protocol's credibility and will eventually affect the native token price. Yet it is crucial for them to understand that a temporary dip in value is preferable to the total loss of funds in the event of a security breach.
If you are an investor, ask yourself the following:
"Would you rather have a pumped token price followed by a full hack?"
2. Backlash from the Community: Security researchers who engage in calling out may face criticism from both investors and their peers, which prevents a lot of researchers from following that practice. I get a lot of DMs from researchers who simply do not follow this practice because it may harm their business.
The fine line between raising genuine concerns and being perceived as engaging in "auditor bashing" is often hard to navigate. Calling out is often seen as "bashing auditors", which it absolutely is not. Anyone can and will miss issues, including myself.
It is clear that the practice of calling out can harm my reputation and my business. This is an acceptable risk for me: as long as I can save at least one investor from losing funds in a hack or rug pull, it was already worth it.
Unfortunately, investors often learn this lesson in hindsight, following a hack or rug pull.
A Personal Standpoint
As someone who is deeply involved in the Web3 security space, not only as a security researcher but also as an investor, and motivated by firsthand experience with the ramifications of inadequate security, I persist in highlighting these issues despite facing potential backlash and a reduction in customer engagement.
Looking Ahead
The path to widespread Web3 adoption is faced with challenges, among them the need to address foundational security concerns. Without a concerted effort to enhance transparency, accountability, and investor education, the vision of a secure and decentralized future remains elusive.
It is only by confronting these issues head-on, despite the controversies and complexities, that we can hope to foster a more resilient and trustworthy Web3 ecosystem.
