Business
Dan Guido, cofounder and CEO of Trail of Bits, and Taylor Monahan, founder and CEO of MyCrypto, discuss all the recent hacks in DeFi, how it can be made more safely and who is responsible. We tackle: the Hegic security incident: whose responsibility it was to make sure the contract was secure — the auditor (Trail of Bits) or the team (Hegic) — what Trail of Bits was saying in its audit summary, and how to read between the lines of an audit summary how long an audit should be upgradeability: particularly around when more advanced technology and contracts interface with older technology/contracts centralization vs. decentralization: whether contracts can be made safely while maintaining adhering to the principle of decentralization, why Taylor would prioritize centralization and security, and how teams can create different levels of risk for users bug bounties: why asking what amount they should be is the wrong question the security threats posed by oracles and what a checklist for DeFi teams might look like Thank you to our sponsors! Crypto.com: https://crypto.com Kraken: https://www.kraken.com Stellar: https://www.stellar.org Episode links: Dan Guido: https://twitter.com/dguido Trail of Bits: https://www.trailofbits.com Taylor Monahan: https://twitter.com/tayvano_ MyCrypto: https://mycrypto.com Initial tweet by Hegic calling the security issue a typo: https://twitter.com/HegicOptions/status/1253937104666742787?s=20 Hegic tweet saying, “It’s not a security issue”: https://twitter.com/HegicOptions/status/1253954145113038849?s=20 Trail of Bits saying it will no longer work with Hegic: https://twitter.com/dguido/status/1254260725431894020?s=20 Taylor breaks down the audit summary: https://twitter.com/MyCrypto/status/1254058121342803968?s=20 Molly Wintermute’s Medium post on requesting a week audit vs. three-day review: https://medium.com/@molly.wintermute/post-mortem-hegic-unlock-function-bug-or-three-defi-development-mistakesthat-i-feel-sorry-about-5a23a7197bce Unconfirmed episode with Haseeb Qureshi on the Lendf.me attack: https://unchainedpodcast.com/haseeb-qureshi-on-the-unbelievable-story-of-the-25-million-lendf-me-hack/ Unchained interview showing Matt Luongo's approach to kill switches and upgradeability with tBTC: https://unchainedpodcast.com/tbtc-what-happens-when-the-most-liquid-crypto-asset-hits-defi/ Discussion of the bZx attacks on Unchained: https://unchainedpodcast.com/the-bzx-attacks-unethical-or-illegal-2-experts-weigh-in/ Issue with Curve contract: https://blog.curve.fi/vulnerability-disclosure/ Compound bug bounty program: https://compound.finance/docs/security#bug-bounty Taylor on “upgradeability makes things more insecure”: https://twitter.com/tayvano_/status/1222564979657723904?s=20 Synthetix oracle incident, allowing a bot to profit $1 billion: https://unchainedpodcast.com/how-synthetix-became-the-second-largest-defi-platform/ Taylor’s tips on how to get more ROI on an audit: https://twitter.com/MyCrypto/status/1254061500244713474?s=20 Tips to follow before getting an audit: https://blog.openzeppelin.com/follow-this-quality-checklist-before-an-audit-8cc6a0e44845/ Resources for security in DeFi: crytic/building-secure-contractsGuidelines and training material to write secure smart contracts - crytic/building-secure-contractsgithub.com https://consensys.github.io/smart-contract-best-practices/ https://forum.openzeppelin.com https://swcregistry.io https://diligence.consensys.net/blog/2020/03/new-offering-1-day-security-reviews/