Protocol Audit = Security Assurance? An Overview of the Probability of Cryptocurrency Audit Failures


The decentralized exchange MERLIN, built on the zkSync Era L2 solution, was recently hacked for $1.8 million. The project had claimed to have undergone thorough audits and had just completed a successful fundraise when it was hacked; its auditing firm CertiK went from asserting that no vulnerabilities had been found to admitting that the MERLIN developers had executed a rug pull. How should users evaluate auditing firms? The community has compiled a track record of auditing firms' past failure rates.

The following content is compiled from Stacy Muur's Twitter. For detailed information and discussions, please refer to the original link.

CertiK has audited over 70% of crypto projects

REKT has gathered data on over 3,000 rug pulls and exploits since 2011. CertiK has audited over 70% of projects in the crypto space. Counting the recent hack of MERLIN on April 26, a total of 34 projects audited by CertiK have been hacked.

PeckShield had 18 audit projects hacked

The well-known security audit firm PeckShield had 18 audit projects hacked or rug pulled.

DeFi Safety had 12 audit projects hacked

However, Stacy Muur also mentioned some positive data, stating that since 2021, no projects audited by DeFi Safety have been hacked.

Crypto audit summary: SlowMist has the lowest error rate

Stacy Muur compiled a list of audit institutions, the number of projects each audited, the number of those projects that were hacked, and the resulting hack percentage, based on REKT's hack data and CoinGecko's ratings of security institutions.

It was found that Quantstamp had the highest error rate, while SlowMist had the lowest.

However, Stacy Muur emphasized that the data in the chart is still too coarse and should not be read as the actual error rate of each audit institution.

Crypto audits cannot guarantee 100% security

Stacy Muur's conclusion after analyzing the data:

Audits cannot guarantee absolute security.

He pointed out that in his previous work in over a dozen companies that underwent cybersecurity audits, most critical vulnerabilities were discovered by in-house developers rather than audit institutions.

Typically, audit institutions rely on "generic scripts" to detect potential vulnerabilities, but since every project has its own code and architecture, an audit needs to be tailored to each project.

Furthermore, he expressed doubts about the feasibility of conducting a deep audit every month for every project. Even for projects that can manage this, Stacy Muur stressed:

Remember, no one can guarantee 100% security, only invest what you can afford to lose.

SlowMist founder: Auditors should not evade responsibility

SlowMist founder Cos Yuxian retweeted Stacy Muur's statistical article and pointed out:

  1. An audited project does not mean 100% security.

  2. Beware of projects that claim to be audited and therefore 100% secure.

  3. Even when the error is minor, auditors should not evade responsibility.