Smart contract auditing firm Hacken CEO Dyma Budorin thinks Web3 cybersecurity providers are failing the crypto industry and that “huge blind spots” in market practices are impacting investor behavior.
Budorin believes a lack of accountability and transparency in the audits many providers perform falls short of reassuring users and projects.
Currently, smart contract auditors take no accountability if a token they have audited gets hacked due to a bug in the code. Unsettlingly, most of the largest hack events in 2022 occurred on projects that were audited by third parties.
In a call with Cointelegraph on Apr. 27, Budorin said this makes him uneasy as it compromises the growth trajectory of the Web3 cybersecurity industry which is already lagging far behind non-crypto equivalents according to a report from Hacken.
Web3 auditors take a deep dive into the code of a token in search of threats of varying severity. These audits do not assess other factors like the viability of a business model, team experience, and others.
Budorin explained that “auditors have a lot of responsibility” which is being ignored because the money is coming in and there is no public outcry for better products. However, to him, the services they provide are inadequate, as he says
“They are missing tests, accountability, and transparency in ratings of cryptocurrencies.”Even in the rare instance that a project wanted a more robust audit, they would not be able to get it from cybersecurity firms in Web3 because Budorin says “currently in Web3 cybersecurity, there are no companies offering recurring audits” that happen monthly and go into much more depth about the project.
“Right now, the best market practice is to get a token audit and that’s it.”Budorin used token bridges as an example to demonstrate the dangers of an industry without thorough auditing mechanisms. Two of the largest crypto hacks so far in 2022 took place on token bridges Wormhole and Axie Infinity’s Ronin Bridge which lost a combined $920 million.
While hindsight is always 20/20, it is likely that a full scope audit of any of the bridges that have been hacked this year including Wormhole, Ronin Token Bridge, Qubit’s QBridge, and Meter’s Meter Passport, could have prevented disaster.
In addition to apparent bugs in the code, Budorin said that token bridges further illustrate how there are “a huge amount of blindspots” in cybersecurity because “There is no way of knowing who is responsible for the keys, who mints new tokens, if the tokens are properly bridged, and so on with no transparency.”
Related: Plan for $1M bug bounties and double the nodes in wake of $600M Ronin hack
Budorin feels that for the Web3 cybersecurity scene to really change, some onus rests on retail investors. In his view, more transparency with reliable information from accountable sources “requires a paradigm shift from crypto investors,” who tend to invest in hyped-up projects.
This shift could be sparked by greater availability of information from thorough full-project audits that take into account the team, platform functionality, and other technical aspects rather than just the token.
Currently, data aggregators CoinGecko and CoinMarketCap are the outlets of choice for investors to find information about a project. However, Budorin says those platforms are flawed because “projects are manipulating their data” to show very high or very low market caps. He believes that will eventually change as auditors evolve to fill the negative space.
“When there is more efficient information about the accountability of blockchain companies that issue a token, [investors] will start to compare fundamentals rather than hype.”