
Why Web3 and DeFi are fundamentally broken: The most important post in 2024

As we venture deeper into 2024, the Web3 community continues to grapple with an unsettling trend:

"Projects still fall prey to hacks or engage in malicious activities such as rug pulls, leading to the loss of billions of dollars."

This not only erodes trust in the web3 ecosystem but also underscores a fundamental issue:

"The lack of accountability and diligence in upholding security standards"

Unveiling the Root Causes:

The genesis of this problem can be traced back to two main factors:

Audit Firms Falling Short: The first root cause lies in the discrepancy between the services promised and the services delivered by audit companies. Examples include firms assigning junior auditors instead of senior ones, or simply delivering static analysis reports instead of manual reviews.

The problem is that the scope of the review is miscommunicated, which leads to a false sense of security. There is absolutely nothing wrong with assigning junior auditors, as long as this is communicated clearly so that the protocol can schedule a second audit.

Project Founders' Apathy: The second root cause points to a more troubling trend:

"Project founders prioritizing personal gain over the security of user funds."

This is particularly prevalent among "degen" projects and outright Ponzi schemes, where allocating resources to robust security measures is often seen as an unnecessary expense. The founder simply doesn't care about security: either a cheap firm is hired, or none at all.

The Call for Change: Recognizing these issues is the first step towards remediation. The solution, albeit controversial, is clear:

Projects and companies engaging in negligent security practices must be publicly called out to raise general awareness of this topic. This approach aims to foster a culture of accountability, encouraging investors to exercise caution and thereby mitigating the risk of financial loss.

The Controversy of "Calling Out":

The practice of public disclosure, however, is not without its challenges:

1. Investor Skepticism: Investors often perceive such disclosures as FUD, because they damage the protocol's credibility and eventually affect the native token price. Yet it is crucial for them to understand that a temporary dip in value is preferable to the total loss of funds in the event of a security breach.

If you are an investor, ask yourself the following:

"Would you rather have a pumped token price followed by a full hack?"

2. Backlash from the Community: Security researchers who engage in calling out may face criticism from both investors and their peers, which prevents a lot of researchers from following that practice. I get a lot of DMs from researchers who simply do not follow this practice because it may harm their business.

The fine line between raising genuine concerns and being perceived as engaging in "auditor bashing" is often hard to navigate. Calling out is often seen as "bashing auditors", which it absolutely is not. Anyone can and will miss issues, including myself.

It is clear that the practice of calling out can harm my reputation and my business. This is an acceptable risk for me: if I can save at least one investor from losing funds in a hack or rug pull, it was already worth it.

Unfortunately, investors often learn this lesson in hindsight, following a hack or rug pull.

A Personal Standpoint

As someone who is deeply involved in the Web3 security space, not only as a security researcher but also as an investor, and motivated by firsthand experience with the ramifications of inadequate security, I persist in highlighting these issues despite facing potential backlash and a reduction in customer engagement.

Looking Ahead

The path to widespread Web3 adoption faces many challenges, among them the need to address foundational security concerns. Without a concerted effort to enhance transparency, accountability, and investor education, the vision of a secure and decentralized future remains elusive.

It is only by confronting these issues head-on, despite the controversies and complexities, that we can hope to foster a more resilient and trustworthy Web3 ecosystem.