For those too lazy to open a PDF, here's the "audit"

For those who don't know wtf this is:
1. It's an audit summary.
2. There are red flags in summary.
3. You need to read between the lines a bit whenever looking at an audit. Actually easier to do the summary. https://twitter.com/AFDudley0/status/1254018557685325825
Part 1: statement of facts
When, how many days
What exactly they audited
Who did the auditing

Even w/o knowing the size of these contracts, a 2-day audit performed by 1 eng is a hard sell for me. 16 hours to understand all that code, find bugs, try to exploit, report back?
1.1
An expert who was already familiar w/ the underlying structure & concepts of a system may be able to do so in a very small, simple, beautiful codebase. (This was not that.)

Further, they would not have time to begin thinking of economic impacts of code.
1.2
Small audit was likely due to financial limitations of Hegic, which I do appreciate. However, the point of an audit is to try to avoid bad things happening NOT to tout your audit around as a sales mechanism or say "not our fault it's @trailofbits'!" when shit goes bad.
1.3
Easiest way to improve ROI on audit: MAKE THE AUDITORS JOB EASIER
Clean code + comments
Use ALL the free tools to catch basic issues so experts can focus on complex ones
Call in favors to others to look at code, ask questions
Document, provide summary + areas of focus/concern
Part 2: what they were looking for + what they found (summary edition!)

Notable notes:
They had 3 areas of focus aka "can these Bad Things happen?"
The answer is yes to all 3 of varying degrees of severity.
Further, they chose to call out that these were arithmetic related 🤔
2.1
More on the arithmetic bit in a bit but next they look at what @ChrisBlec calls "admin exploits" and Bitcoin maximalists would cite as reasons centralized bullshit is better than #defi right now.

They're both right. You don't have to like that fact but you have to accept it.
2.2
<insert progressive decentralization argument here>

Regardless, you should be aware of the possibilities AND know that auditors spend time on this.

How many of the 16 hours to find all exploits in a new financial system were spent on these valid but (maybe) known exploits?
2.2 (again bc it's important)

You have 16hrs to find ALL THE EXPLOITS
Bugs in math/typos
Things like re-entrancy
Financial/economic impacts
Malicious internal actor
Malicious external actor
Whoopsies/unexpected outcomes
Loss of funds
on and on and on.

It's not possible. Ever.
2.3
Auditors are never going to say "this code sucks donkey balls."

Ask yourself *why* they include certain bits. Don't expect them to tell you what to think or have their own reaction.

This is a perfect example of something many overlook bc it's not a Twitter hot take:
2.3
I'll help you.

THE CONTRACT OVER HERE DIDN'T KNOW WHAT ASSETS WERE IN THE CONTRACT OVER THERE WHICH MEANS SOMEONE COULD STEAL THE ASSETS.

I'm honestly not quite sure how a pool even works without knowing the assets in the thing it's pooling for. 🤨

Also note: "bookkeeping"
Part 3: the recommends

This is always the most important part because it's where the carefully worded screams from auditors are.

In the actual audit you would have piles of code and fixes and stuff for Hegic to address. But the summary is for outsiders. For us.
3.1

DO MORE STUFF PLEASE TO MAKE SURE IT'S SAFE PLEASE!!!
3.2
WE DIDN'T REALLY HAVE TIME TO BEGIN WITH AND THE AMOUNT OF BASIC MATH ISSUES ATE UP MOST OF IT AND WE DEF DID NOT CATCH ALL OF EVEN THE MATH ISSUES LET ALONE THE BIGGER ISSUES.
3.3
SERIOUSLY WE KNOW THERE ARE MORE ISSUES AND NOW YOU DO TOO.
3.4
You paid us to find some pretty basic shit that you could have found on your own for way cheaper and then paid us to find another bug.

(Also, shoutout to our awesome tool we built. linkylink https://crytic.io/  linkylink 😅)
3.5
Your lack of documentation is so abhorrent we dedicated 3/5 points to it because it's the best chance you've got to find issues and give security folks/white hats a chance of saving your users' asses.
3.6
*Evaluate* owner privs: We didn't do a good enough job.

*Verify* your math: Be careful w/ your fixes. Check everything again bc you're really bad at it.

*Evaluate* arbitrage: We didn't even start to think about this.

Maybe you'll find issues if you actually write docs.
3.7

I honestly don't know what to make of this final line.

This is typically something you would find with code snippets in the full audit. The fact that it's here, the last line, speaks volumes.
3.8

It's either so important they chose to leave the reader with it OR they were like "shit did we fully check everything w/ these functions?" and threw it in the summary at the last second.

Either way this is likely where a fatal flaw will live or, based on this audit, lives.
Overall takeaways.

1. @trailofbits did NOT have enough time to complete this audit under the best of conditions.

2. The codebase did not provide "the best of conditions".

3. No docs.
4. You need to be good at math/bookkeeping/accounting if you build financial systems.

There were so many issues here that it made @trailofbits job harder.

But more importantly, this is an underlying issue. The solution is "be better & more aware of math" not "have audits"
5. Hegic has NO RIGHT to use this as a promise of a safe system or to pass blame as they are currently doing ("even trailofbits didn't find the issue!")
6. Hegic sees an audit as a thing you show others, not to protect users or learn or ensure their systems are safe. This attitude indicates lack of care and potentially bad culture and is always a huge red flag for me.
7. Hegic should not have launched this. If they had a gun to their head and were forced to, they should have advertised it as unaudited, pre-alpha, with limits set.
8. @trailofbits didn't mention tests. Not sure why as they have in other audits. Maybe because basic docs before tests?

It's kinda like thinking about pruning a certain bush when there is a forest of 6ft weeds covering your entire yard. https://twitter.com/hitchcott/status/1253982497446166528
9. As a community we need to be mindful that an audit, even by a top name, doesn't mean it's secure. Perhaps even more so w/ top names.

Last for now. Reading comprehension & diligence are important skills, esp. in this space. Not everything comes at you in Twitter hot-take form.
Actually lastly for now. Only fucking @tayvano_ can make a tl;dr of a summary on Twitter longer than the actual fucking summary. 😂😂
https://twitter.com/smpalladino/status/1254086574721183744