DeFi Security: With So Many Hacks, Will It Ever Be Safe? - Ep.170

Dan Guido, cofounder and CEO of Trail of Bits, and Taylor Monahan, founder and CEO of MyCrypto, discuss all the recent hacks in DeFi, how it can be made more safely and who is responsible.
We tackle:
the Hegic security incident: whose responsibility it was to make sure the contract was secure — the auditor (Trail of Bits) or the team (Hegic) — what Trail of Bits was saying in its audit summary, and how to read between the lines of an audit summary how long an audit should be upgradeability: particularly around when more advanced technology and contracts interface with older technology/contracts centralization vs. decentralization: whether contracts can be made safely while maintaining adhering to the principle of decentralization, why Taylor would prioritize centralization and security, and how teams can create different levels of risk for users  bug bounties: why asking what amount they should be is the wrong question the security threats posed by oracles and what a checklist for DeFi teams might look like Thank you to our sponsors!
Crypto.com: https://crypto.com
Kraken: https://www.kraken.com
Stellar: https://www.stellar.org
Episode links:
Dan Guido: https://twitter.com/dguido
Trail of Bits: https://www.trailofbits.com
Taylor Monahan: https://twitter.com/tayvano_
MyCrypto: https://mycrypto.com
Initial tweet by Hegic calling the security issue a typo: https://twitter.com/HegicOptions/status/1253937104666742787?s=20
Hegic tweet saying, “It’s not a security issue”: https://twitter.com/HegicOptions/status/1253954145113038849?s=20
Trail of Bits saying it will no longer work with Hegic: https://twitter.com/dguido/status/1254260725431894020?s=20
Taylor breaks down the audit summary: https://twitter.com/MyCrypto/status/1254058121342803968?s=20
Molly Wintermute’s Medium post on requesting a week audit vs. three-day review: href="https://medium.com/@molly.wintermute/post-mortem-hegic-unlock-function-bug-or-three-defi-development-mistakesthat-i-feel-sorry-about-5a23a7197bce" target="_blank" rel="noopener https://medium.com/@molly.wintermute/post-mortem-hegic-unlock-function-bug-or-three-defi-development-mistakesthat-i-feel-sorry-about-5a23a7197bce" rel="noopener noreferrer">noreferrer">https://medium.com/@molly.wintermute/post-mortem-hegic-unlock-function-bug-or-three-defi-development-mistakesthat-i-feel-sorry-about-5a23a7197bce
Unconfirmed episode with Haseeb Qureshi on the Lendf.me attack: https://unchainedpodcast.com/haseeb-qureshi-on-the-unbelievable-story-of-the-25-million-lendf-me-hack/
Unchained interview showing Matt Luongo's approach to kill switches and upgradeability with tBTC: https://unchainedpodcast.com/tbtc-what-happens-when-the-most-liquid-crypto-asset-hits-defi/
Discussion of the bZx attacks on Unchained: https://unchainedpodcast.com/the-bzx-attacks-unethical-or-illegal-2-experts-weigh-in/
Issue with Curve contract: https://blog.curve.fi/vulnerability-disclosure/
Compound bug bounty program: https://compound.finance/docs/security#bug-bounty
Taylor on “upgradeability makes things more insecure”: https://twitter.com/tayvano_/status/1222564979657723904?s=20
Synthetix oracle incident, allowing a bot to profit $1 billion: https://unchainedpodcast.com/how-synthetix-became-the-second-largest-defi-platform/
Taylor’s tips on how to get more ROI on an audit: https://twitter.com/MyCrypto/status/1254061500244713474?s=20
Tips to follow before getting an audit: https://blog.openzeppelin.com/follow-this-quality-checklist-before-an-audit-8cc6a0e44845/
Resources for security in DeFi:
crytic/building-secure-contractsGuidelines and training material to write secure smart contracts - crytic/building-secure-contractsgithub.com
https://consensys.github.io/smart-contract-best-practices/
https://forum.openzeppelin.com
https://swcregistry.io
https://diligence.consensys.net/blog/2020/03/new-offering-1-day-security-reviews/