DeFi Entrepreneur Experience: How to Choose a Security Audit Firm and What Should Your “Audit View” Be Like

Choosing a Security Audit Firm for DeFi Entrepreneurs: Tips for Your "Audit View"

BlockingNews Contributing Author: Leo, Co-founder of a DeFi project

In the crypto industry, auditing is an essential part of ensuring the integrity and security of a project. A careful observation reveals that outstanding projects like Lido and Compound require an astronomical amount of at least seven-figure USD investment in auditing. Often, multiple auditing service providers are hired for the same set of product codes.

On the one hand, it shows that since the DeFi summer, the top on-chain businesses and products have received a lot of rewards, which provides them with sufficient ammunition to continue building deeper competitive barriers. On the other hand, it also reveals a side of auditing for many projects and entrepreneurs in the same field. Auditing work is not just a simplified process of “spending money-hiring people-producing reports-promoting”. Instead, there should be a complete “audit view” and methodology-what kind of product delivery requires auditing? How to select suppliers? How to ensure the effective awakening of auditing work to the greatest extent? How can auditing work be completed most economically, safely, and comprehensively?

In the following article, I will discuss my ideal “audit view” from the perspective of doing projects and starting businesses, combined with my own experience.

• 5 narratives and trends in cryptocurrency inventory
• How to use “law” to defeat “magic” when facing a “AI face-swapping” fraud that resulted in a loss of 4.3 million?
• Gitcoin COO: How to Build a “Web3 Anti-Scalping” System

Overview of Security Service Providers, Compare and Contrast

In the past 2-3 years, the number of options for auditing suppliers has surged. There are about 15-20 relatively common auditing suppliers on the market (ranked in no particular order).

Based on my experience and discussions with colleagues, Peckshield, SlowMist, Trail of Bits, and OpenZeppelin are among the top tier in terms of comprehensive reputation, technical ability, and coverage.

Overall, Chinese-led suppliers (mostly the first line) are still the main choice for Chinese projects in the crypto industry. There is no time difference, and communication in Chinese is smooth. The quotation of domestic suppliers is basically at the level of 12K-15K USD/person/week, which fluctuates with the market’s off-season and peak season.

In comparison, foreign suppliers have a relatively low presence in the Chinese industry. However, these suppliers often have higher pricing than Chinese suppliers due to brand premium, founder team resources, coverage/technical capabilities, and can often come up with a large number of orders. For example, OpenZeppelin was once hired by Compound to conduct audits at a price of millions of dollars in a single quarter.

Aside from the mainstream audit vendors, there is another type of service provider, such as Immunefi and PwnedNoMore. The author defines them as “white hat communities,” which should belong to a more mature business model in the traditional security circle and a newly emerged one in the encryption industry, but still attracts many projects to settle in and use. The basic operating mode is that the project party publishes the modules (front-end, back-end, contract, etc.) that they hope to be audited/debugged on the platform, defines the severity of the bugs and the corresponding rewards, in order to attract the “white hats” to actively report bugs and solve problems. This form should be viewed as a beneficial supplement to “corporate audit vendors.” Project parties need to accurately, clearly, and effectively define the classification, level, and scope that the other party needs to cover, and generously provide rewards. Often, they can get unexpected surprises.

Audit Process, Methodology, and Money-Saving Guide

For the project party, before inviting audit vendors to review, certain design and arrangements are required. Generally, it is recommended to ensure the following:

1- The code to be audited has undergone more than 2 rounds of internal testing. If time permits, it is best to have a community beta test before submitting it for review to avoid “obvious” problems that need to be paid to resolve;

2- The code to be audited should be packaged according to the project party’s milestones as much as possible, and delivered for audit in batches to avoid raising costs;

3- Ensure that the contact person who submits the code for review has a clear understanding of the overall operational principles of the product, the approximate amount of code, and the distribution of the main modules, to avoid inappropriate quotation due to unclear requirements during the initial setup stage;

4- It is necessary to compare the scheduling. It is necessary to pay to lock in the scheduling for important product milestones.

Although there are many vendors on the market, the scheduling differences are huge. The submitter needs to send evaluation requests to at least 3 audit vendors for the same code, obtain scheduling, quotation, and workload evaluations, and prepay a portion (generally recommended as 30% -50%) for important product milestones to lock the audit vendor’s schedule and avoid affecting progress.

Based on the author’s experience, it is recommended to book appointments with Chinese vendors at least 2-4 weeks in advance (compared to the expected report output date) and overseas vendors at least 1 month in advance (mainly considering the time difference, contact person introduction, and the fact that foreigners generally do not work 996).

After adhering to the aforementioned review principles, schedule and quote prices, and deliver the project code to the audit vendor for review. During the process, responsible auditors will generally discuss questions and issues with the project team. The contact person and technical personnel of the project must communicate more with the audit vendor to resolve issues. The contact person needs to ensure that:

1) The audit’s intermediate progress is proceeding as scheduled;

2) Two different technical personnel from the project team must cross-review the initial audit report provided by the audit vendor and synchronize whether the audit vendor’s draft is finalized;

3) The audit contact person should play a role in linking and synchronizing to ensure that key technical and product personnel in the team establish a group chat with the person who actually conducts code review in the audit vendor, instead of passively waiting for the audit vendor to issue a report and sign it;

4) [Add icing on the cake] The contact person can pay attention to the “security event review report” issued by other audit vendors in the market during the audit process, actively raise and communicate with the audit vendor for situations that may match their own project, and proactively debug possible uncovered issues.

Project parties need to have a clear “bias” and the need to retain backdoors

Most audit companies are able to complete the work of the code itself, the quality, logic, and security are complete and sufficient, and there is little touch on the code and business association. Often, there are situations where the code logic/security is adjusted, but the business logic is affected.

For example, for critical modules such as contract permission upgrades, rate adjustments, and token sales, from the early development of the business, it actually requires a core member in the project party who can make decisions to control them alone and respond to market changes/emergency security incidents in a timely manner, rather than blindly pursuing multisignature control, which affects the project’s ability to respond to crises.

Reasonable “backdoor retention”/”super permissions” not only concern the project, but may also affect the life and death of the industry. Imagine, if BitMex had not unplugged the network cable, Circle had not stopped redemption, BNB Chain had not “stopped chain maintenance”, what would the industry be like now?

Continuous communication and sharing can promote long-term security

The audit vendor’s service can only debug but cannot ensure 100% security, and security incidents may occur at a certain point. On the one hand, the project side needs to actively communicate with the audit company to discuss how to handle it (may be compensation, free re-audit, refund, or other solutions).

On the other hand, the discovery and remediation of each security vulnerability actually also concerns the overall progress of the industry. In the case of not involving the key commercial interests of the project party, it is encouraged that all project parties actively work with audit companies to publicly recap each similar issue. This can better enable the industry to share a higher set of security standards, which is also a long-term way to reduce the cost of each project party’s audit.

Project decision-makers should have a hacker mindset and value community power

Audit is a long-term capital war and an important barrier to competition for project parties.

On the one hand, funds should be continuously invested between each milestone of each product, and well-known and reliable external audit companies should be hired to cover possible security vulnerabilities. On the other hand, community power should also be valued, encouraging white hat communities such as Immunefi and PwnedNoMore to participate in the security buidl of the project.

The author once successfully invited a white hat person from the community with a bounty of about 30,000 US dollars to debug and assist in deploying a contract that hosted millions of dollars.

Reshuffling is also a good way to reduce costs and increase efficiency.

The threshold for entrepreneurship in the encryption industry has already increased significantly, and financing of millions of dollars is not uncommon even in the current market. As can be seen from the previous discussion, it is very difficult to truly support a reliable, safe and stable dApp. Even top-tier applications in the industry such as Compound, Lido, and Uniswap cannot guarantee full security.

Therefore, from the perspective of cost efficiency, each start-up project should nest as much as possible into existing mature facilities in the selection of contracts and models, and avoid taking a different approach . Common DEX, Lending, income aggregators, liquidity staking and re-staking, as well as derivative trading, synthetic assets and other categories, actually have a batch of mature and usable infrastructure for new project parties to reuse and nest. This not only reduces the security costs for project parties, but also effectively enhances the security of the project itself, and can ensure that the security of the system evolves with the upgrade of the reuse object.

From the perspective of the industry as a whole, achieving complete security actually requires the participation and contribution of all entities in the market.

For auditors, 1) be cautious of project tricks. Some projects commonly operate by having two sets of code: the real audited code and the code delivered to the community for deployment. Auditors should verify the actual version of the code again after the project is officially deployed. 2) It is necessary to explore and combine “insurance” mechanisms. For customers who purchase services above a certain amount, there should be a compensation mechanism after a security incident to protect the interests of the project. 3) Share audit case experience more widely with peers. Auditors are similar to the medical industry, and overall progress depends on long-term technology and research investment, as well as accumulating case volume. From this perspective, the often criticized “PR-style audit” actually drives the industry’s progress and at least shares more audit cases with the industry.

For users, 1) separate hot and cold wallets, use a separate wallet address for dApps, often clear unfamiliar authorizations, and do not operate unknown airdrop tokens, etc. Always prioritize safety when engaging in degen activities. 2) High-net-worth users should develop the habit of frequently reviewing security incident reports published by various audit firms to have a good understanding of common security risks.

We will continue to update Blocking; if you have any questions or suggestions, please contact us!