What We Need to Understand About Audits

Comments · 839 Views

There is no technology that is 100 percent safe and secure from attacks. Everything has its own vulnerability.

Some are asking why audits on DeFi protocols have not prevented attackers from siphoning some or all of the liquidity and getting away with their stash?

 

So let me explain how audits work in the most basic way so that everyone will be able to understand it. Audits are as good as the amount that projects are willing to pay code auditing organizations or companies. When it comes to auditing codes, there are various area of vulnerabilities which are being taken into consideration. Each area involves really difficult tasks and each also incur fees. There are areas which are less expensive than others. Some auditing organizations or companies bundle these areas into one payment.

 

Projects do their own audits prior to a formal auditing. They could not just rely on their own when it comes to auditing. They pay for the area of vulnerabilities that they want to be audited. Priorities are of course given to common vulnerabilities, those which are frequently being used by attackers to gain access to funds. Those complicated audits especially involving new modes of attacks or an entirely new protocol which aim to introduced new features are usually being left out of the picture due to high costs.

 

Aside from this reason, attackers are always on their journey to find new ways to attack DeFi protocols. It is their means of livelihood, it is where they earn. While developers spend as much as 18 hours doing their codes, so thus, these attackers too. They spend so much time to perfect their craft, find more and faster ways of exploiting vulnerabilities. Even if they get away with just a few hundreds of thousands of their loot, it is enough to sustain them for months or years to plan and execute another successful attack. Some attackers (gray hats) are simply just there to expose vulnerabilities, earning from it while telling projects of their lapses.

 

With all of these, should the blame be put to the project or those who conducted the audit?

 

One thing I can say, not really. While projects and auditing organizations and companies do their best to ensure that all vulnerabilities are covered and checked, attackers do innovate and progress too. We must remember that there is no technology that is 100 percent safe and secure from attacks. Everything has its own vulnerability. All it takes is one brilliant attacker who could not use his brilliance in a good way, to unveil it. But all of these attacks serve as lesson and a room for innovation in general.

Comments