Why Bugfix Reviews Are Good For Web3

Immunefi, published Jan 13, 2022

This past year has been eventful for anyone building on the Web3 stack. Over the course of the year, DeFi has grown from a nascent crypto-money machine into a thriving ecosystem of protocols with an abundance of interlocking parts. The number of developers, funds, and users has exploded, and the need for security has grown enormously with it.

Immunefi has contributed to meeting that need by helping save more than $20 billion worth of TVL from being hacked in a single year.

We’ve helped whitehats and projects coordinate in securely reporting and fixing those vulnerabilities. As part of that process, we also take the time to write bugfix reviews to recap: 1) the whitehat who deserves the glory, 2) how much the whitehat received as a bounty reward, 3) how much TVL was at risk, 4) the technical details of the vulnerability so that aspiring whitehats can learn to secure the space, and 5) the details of the bugfix itself.

Bugfix reviews help educate developers and security professionals working on projects about the nature of vulnerabilities and how to identify and avoid making those specific mistakes in smart contract design. As noted, they are also educational for whitehats and the general public. Everyone wins.

But at times, some projects, especially new ones, are nervous about the process. What if a lot of TVL was at risk? What if it leads to FUD? What happens to community trust? Could it jeopardize the project?

From our vantage point, we have seen it all, and in our experience bugfix reviews not only don't hurt projects, they actually increase user confidence and further incentivize whitehats to keep working hard on securing those codebases.

Here’s why.

Security is an ongoing effort

As a project, you want your users to feel safe, to know that the code is 100% error-free. Unfortunately, this is impossible in the real world. Despite being one of the best-funded sectors on the market, there is still no amount of money that can ship perfect code right off the bat.

Even tech behemoths like Google, Apple, and Microsoft regularly patch zero-day vulnerabilities in products that have shipped and been iterated on for a dozen versions or more. No one is exempt from devastating bugs in code, not even the best in the world. Thinking that your project might look amateurish for acknowledging a bug in your code is just wrong. Even the biggest blue-chip companies in the world have bugs, and they acknowledge them because it is the responsible and transparent thing to do. That is what it means to be a blue-chip company: to embrace a standard of responsibility and transparency.

Security is an ongoing process, an active pursuit. Bugfix reviews contribute to this by providing an ongoing account of what works and what doesn't, cautioning developers to use only the best practices available when designing their code architecture, and creating the basis for content that educates and improves the abilities of whitehats.

Web3 believes in transparency

Compared to Web2, Web3 has an ethos of transparency. It’s what users expect. In Web3, when projects champion their own bugfix reviews, they take charge of the message, which increases user trust and confidence in the project, as it makes the team look knowledgeable, in control, and organized.

Sooner or later, the patch will be discovered by users anyway, whether by watching the repository's commits, noticing an on-chain contract upgrade, or hearing through the grapevine. This isn't like Web2, where you can hide behind your own company's internal firewall or data policy and sweep things under the rug.

The blockchain is transparent, and anything you do reflects on your team and project.

It attracts users and whitehats to your project

Bugfix reviews are widely read and shared. If they were written like news articles, they would probably be headlined something like: “Disaster averted, funds saved after heroic whitehat reports critical issue. Project patches bug within 24 hours of report.”

Bugfix reviews signal to users that your project is on top of security, increasing trust and confidence in your protocol. They also increase the chance of other whitehats submitting more bugs for your project, helping you fix even more dangerous vulnerabilities, because hackers are now confident that if they do good work, they will be well paid by a responsible and ethical project.

Bugfix reviews are a public good

Bugfix reviews contribute to the Web3 security stack in many ways. They provide educational resources for hackers, so that they can up-skill and find more bugs, and for smart contract developers, so that they don't make the same mistakes.

The knowledge and value that bugfix reviews provide are so great that they should really be treated as a public good.

In Closing

Although Web3 is rapidly growing, it is still a small and tight-knit community. This rapidly innovating space demands constant vigilance and improvement in security. Every project, no matter how small, contributes to this space through how it handles vulnerabilities and reports.

Users of the biggest and most decentralized protocols in DeFi are especially likely to want open disclosure, simply because decentralized communities run on consensus and transparency.

Immunefi is the premier bug bounty platform for smart contracts, where hackers review code, disclose vulnerabilities, get paid, and make crypto safer.