To prevent hacks in decentralized finance (DeFi), the crypto industry needs to commit to universally agreed-upon security standards, the security lead for smart contract auditing firm OpenZeppelin told Decrypt.
Speaking at this year's EthCC event, OpenZeppelin security solutions architect Michael Lewellen emphasized the importance of setting a “standard on security” with a “broad agreement” across the auditing firms and developers in the space to protect users.
Currently, protocols rely on audit reports from blockchain security firms. However, there have been instances in the past where an auditor didn’t find bugs, but the contracts were hacked regardless.
For instance, cross-chain interoperability blockchain Thorchain repeatedly went back on its security audits after multiple hacking attempts.
Lewellen told Decrypt that it “seems a little crazy to me” that crypto firms take auditors “at their word,” adding that on many occasions, developers and users also ignore the vulnerabilities cited in auditors’ reports.
Lately, many projects such as BitDAO (rebranded as Mantle Network) and Celo have relaunched as Layer-2 networks on Ethereum. Lewellen said that while they can continue with separate approaches, it's important to adhere to standards on important elements like how they interact with users, each other, and Ethereum, citing Optimism’s OP Stack as an example.
Standards in the way cross-chain applications interact with each other can also help in preventing bridge hacks, which have been rampant in the space, Lewellen said.
The total value stolen from DeFi protocols in the three years since the DeFi summer of 2020 has reached $6.74 billion, per DeFiLlama data. Cross-chain bridges account for nearly 40% of the total amount, with the rest coming from other DeFi protocols.
Based on his experience at an auditing firm, Lewellen said, sometimes projects “aren't willing to pay for the time to do broad, comprehensive security.” This leaves protocols vulnerable and puts undue pressure on auditing teams.
Lewellen told Decrypt that “standards help” in building trust among users, auditors, and developers because they expand beyond one entity’s opinion. “It's a broad industry standard,” he said, noting that standards act as a proxy certification of the protocol’s safety.