We're hired to provide industry-best advice @trailofbits, and that's exactly what we provided to @HegicOptions. How, then, were bugs found in their code mere hours after they deployed it to mainnet? (1/n) https://twitter.com/HegicOptions/status/1253937104666742787
In 3 days earlier this month, we identified 10 critical flaws in @HegicOptions that could harm users. We noted a lack of tests, a lack of documentation, and that the time afforded to review their code was insufficient.
Bottom line: we told them to hold off deploying.
This was the right advice, and we generally expect people to listen to us when they're paying for our help.
Instead, Hegic patched the few bugs we found, made no further changes, misrepresented our 3-day code review as an "audit", then immediately deployed.
https://twitter.com/gakonst/status/1253987789219205121
This is when the uproar began. There are some who mistakenly relied on a code review from @trailofbits as proof that @HegicOptions would never get hacked, without ever reading the report or investigating further.
If they did their own investigation, what would they find?
They would find that their code had no documentation, not even a README file. They wouldn't find a single test.
They would find that our report concluded by warning more bugs exist, and that time allocated was insufficient.
They would find my numerous public statements (https://defiprime.com/defi-smart-contract-audits) and client guidelines (https://github.com/trailofbits/publications/blob/master/reviews/citation_guidelines.pdf) to distrust projects that solely rely on code audits as proof of safety.
They would find that 3 days is an extremely short review.
They would find my thread from just last week, describing the holistic activities needed to secure a DeFi project. https://twitter.com/dguido/status/1251960692460093443
... and they'd find the consensus opinion of the blockchain industry is to avoid misrepresenting security reviews as certifications of safety.
https://twitter.com/zmanian/status/1254220509077598214
https://twitter.com/rleshner/status/1254151232677003264
https://twitter.com/MyCrypto/status/1254119736020881408
This was obvious to anyone that had hired a security firm, or been on the receiving end of a security report before.
https://twitter.com/MyCrypto/status/1254058121342803968
https://twitter.com/AFDudley0/status/1254018557685325825
It was more than just security experts who understood this about @HegicOptions. It was obvious that further work was needed to non-experts too. "It's OK we have no tests because the auditors will catch all the bugs" said no one ever.
https://twitter.com/BlockEnthusiast/status/1254132916675907584
https://twitter.com/hitchcott/status/1253982497446166528
We know there are roadblocks to interpreting our results by non-experts. For example, we purposefully avoid subjective opinions in our reports, preferring objective facts to maintain our integrity and independence. https://twitter.com/HeidyKhlaaf/status/1254121886902083584
Further, it's possible for clients to simply ignore what we document in reports. @trailofbits does not have any authority over our clients; we simply provide them advice.
https://twitter.com/HeidyKhlaaf/status/1254122500407152640
https://twitter.com/spencecoin/status/1254116602720608258
How will we improve after this incident?
1st, we will no longer work with @HegicOptions. Their behavior has been deeply irresponsible. They ignored our advice and recklessly put user funds at risk. This hurts the entire DeFi community.
2nd, we will keep services from @trailofbits accessible for those with lower or limited financial resources. Security assistance is essential for smaller projects, and we'll continue to help those that need it with shorter project sizes.
3rd, we'll add structure to our summary reports to help readers better evaluate the current state and maturity of the project while remaining objective. It's unfortunate so few people look beyond our reports, so we'll provide stats and info about the code in them.
cc @defiprime @lalleclausen @tzhen @drVillo @preston_vanloon @hitchcott @intocryptoast @quentinc137 @Fiskantes @ck_SNARKs @nicksdjohnson @ChainLinkGod @hosseeb @IamNomad @JTremback
Thanks for your earlier comments! We're open to hearing your opinions about how we can improve.