The Future of Audits in DeFi Security

Audits have become a staple of the DeFi industry. They’re an essential part of the DeFi security stack, which also includes automated monitoring and bug bounties. Every project wants at least one audit, and projects that don’t have one are treated with more skepticism by users — especially if the dev team is anonymous.

But some cracks have started to appear. Audit firms are working at a breakneck pace to accommodate growing demand, and bugs are starting to slip through.

Still, audits have proven invaluable at catching a lot of critical issues in protocols. They’re absolutely necessary.

So what does the future hold for audits in DeFi? We offered our perspective and sat down with auditing firms Dedaub and iosiro to get their takes on predictions about what’s been happening in the industry and how it will develop over the coming years.

What’s been the biggest shift in auditing? How has auditing changed in the last year since the beginning of 2020?

Mitchell Amador, Immunefi: The biggest shift has been the dramatic increase in the impact of auditing work. There are many billions of dollars in smart contracts now. If any single thing goes wrong, a colossal amount of wealth is at risk, jeopardizing the entire project. A single hack can crush the founder’s morale and sack an entire team. Crypto had these same problems at a smaller scale before, but with serious amounts of money locked up in contracts, those problems have been magnified. What that means is that the whole auditing business is much more profitable than it used to be. Audit prices have doubled or tripled and waitlists are normal.

Attack vectors have changed as well. Flashloans, for example, have turned minor pricing flaws into critical vulnerabilities. Composability risks introduce immense dependency risk. What happens to Convex Finance users if there happens to be serious vulnerabilities in either Curve, underlying stablecoins, or other dependencies? Nothing good. The scope of smart contract auditing has expanded, and auditors are expected to catch the entirety of this extended scope, which is basically impossible. Moreover, the proliferation of new, viable layer 1 chains means you have to know the particularities of that chain if you’re going to seriously audit smart contracts on, but it’s far too early for those security labor pools to exist. Auditing has become a much more difficult job in the last year, even as the rewards for auditing have increased.

Neville Grech, Dedaub: I think the change was a gradual one, and started in the beginning of 2019. The popularization of DeFi and the composition of multiple DeFi services has changed the security landscape, and therefore also the way a good audit needs to be conducted. The first large-scale economic attacks (starting with the BZX flashloan attack in Feb 2020) were a watershed moment for security researchers (although in retrospect Vitalik Buterin had tweeted in early 2019 alluding to such attack vectors). This year, protocols have become bigger and, although many code weaknesses are well-known, hacks still occur. This is due to the high levels of interactions between protocols and it is hard for the standard DeFi developer to keep up. In addition, DeFi protocols are constantly reinventing themselves so an audit job nowadays only provides a snapshot of the security of a protocol at one point in time. Customers are now asking for recurring engagements and auditing has become a steadier income stream.

Kyle Riley, iosiro: Before 2020, DeFi protocols operated largely in isolation. For most projects, the extent of concerns outside of their own system was limited to having to account for non-standard ERC-20 tokens or integrating with a price oracle. This has largely changed, with the majority of projects now relying in whole or in part on external systems for their product offering. DEX aggregators (e.g. 1inch), yield aggregators (e.g. Yearn), and asset managers (e.g. Set Protocol) are prime examples of projects that are highly dependent on third-party protocols.

The market felt the effect of this development through the rise in flash-loan attacks. Protocols were suddenly being exploited through economic attacks executed through entirely different protocols.

Systems interacting with other systems is referred to as composability, and the ease of doing it in DeFi is one of the key features that makes DeFi superior to TradFi. However, with each new building block, there is an increase in system complexity. From an auditor’s perspective, composability can be an unwieldy problem. It requires a deep understanding of not only the project in scope, but all its external dependencies. To further complicate issues, the dependencies can have components that are upgradeable, making them a moving target.

How are audits going to change in 2022?

Mitchell: Auditors will increasingly specialize to deal with particular protocol types and the vulnerabilities they tend to have. We expect the best firms to increasingly use new proprietary tooling around these specializations, which result in better offerings within those specializations. Today, the gold standard is manual code review: smart teams of auditors use their combined expertise to evaluate all the ways something can go wrong. Specialized tooling will increasingly support manual code review.

Additionally, there’s an underexplored legal component to all of this. With the proliferation of security consequences (hacks, loss of funds), auditors will find themselves more and more under the legal microscope. Are auditors partially responsible when a hack occurs? I’m sure there will be at least one case where auditors are taken to court, either by an affected project or by users who lost money, as a result of a perceived failure in work quality. No one really knows how much liability auditors have, and that’s probably going to be tested. When this happens, it’s going to seriously shake up the auditing market as some players leave and others adopt new measures to limit potential liability.

Neville: Technology will help facilitate audits or, at least, re-audits. Because of the higher auditing demands of evolving protocols, more R&D is needed to invent new techniques and tools to keep a constantly-changing protocol secure. Re-auditing a protocol manually each month will probably become too expensive and we will start seeing serious technological solutions or business models to help project teams maintain security on their protocol. This requires serious engineering, thought and business development before this becomes the mainstream security solution for most projects. Another change that we actually see in the business landscape is that it is becoming profitable for top experts to be actively looking for bug bounties, instead of auditing. A single large bounty per year can possibly net a careful auditor more income than full-time auditing.

Kyle: Projects typically engage with security experts only during the lifecycle of an audit. The problem with this approach is that those experts are only exposed to the project at a specific point in time, which does not allow for any form of ownership of the problem. This is partially to do with the term auditing, which is supposed to be an impartial exercise performed at arm’s length. Audits have historically been conducted instead of more general security assessments because there is a built-in assumption that the system is in a finalized, static state.

This is generally not true in practice, as DeFi tends to iterate rapidly. Audits are seen as a silver bullet in the crypto industry, but in a mature security model they would form only one part of it.

Our engagements have started to focus more on interacting with projects at different stages of their development cycles to ensure that security is made a primary consideration. In 2022, we expect to see this trend continue, with the concept of an audit evolving into more comprehensive DevSecOp services, which might include threat modeling during development, reviewing deployment scripts, and verifying on-chain deployments.

If you could make one prediction about how DeFi security is going to change over the next few years, what’s it going to be?

Mitchell: We’re going to see an explosion of new projects and tooling. Today, most projects deal with their issues via auditing. At Immunefi, we’ve pioneered bug bounties, but it’s really just the beginning of what’s to come in the industry. There will be more automated tooling, like Open Zeppelin’s Defender and Sentinel products and various other methods to watch for questionable activity on-chain. You’re going to see more proven codebases and patterns that make forking safer, and people will build on those. There will be new hardware specific to DAOs built with security in mind. When every tool a DAO uses needs to be ‘secure’, the category of ‘DeFi security’ becomes pretty vast.

Unfortunately, with new features and new tooling comes complexity, and with complexity comes new attack vectors. The level of vulnerability will likely track with the level of innovation, and while there will be lots of new whitehat talent coming into the scene, there will also be more blackhat groups exploiting these vulnerabilities for profit. I expect DeFi security to continue to be as dramatic as it’s been so far.

Neville: I have a few dystopian thoughts:

1) The community is too tolerant of adversarial behavior by miners, such as MEV attacks. The line between MEV and hacking is blurred and may become more so. This may culminate in MEV miners waging wars over protocols that try to prevent MEV. We may see the introduction of liquidity mining protocols that gain value when other protocols are hacked (e.g., by providing liquidity for MEV attacks).

2) Hackers will increase in sophistication and state-sponsored actors will increase in number.

3) We will be seeing more complex financial instruments which require quant-level understanding to use, let alone to secure.

Despite all this the benefits of DeFi outweigh the security challenges, especially if the community makes progress with other challenges such as scalability.

Kyle: DeFi security is going to become increasingly specialized. The vast majority of smart contracts up until this point have been developed in Solidity for EVM-based environments. Competing languages, L2 solutions, non-EVM-based platforms, cross-chain transactions, and a growing number of composable systems and assets will all expand the risk landscape. Innovation across the full stack of DeFi will likely lead to new attack vectors, undoubtedly with an ever-increasing bounty to attract more hackers.

In order to secure these niche complex systems, individuals will have to be familiar with the particular environment that the system is operating in, with considerations such as the specific coding practices to use, the technological trade-offs to contend with, and the intricacies of third-party integrations.