Audited, Yet Hacked: The Critical Role of Real-Time Monitoring in Web3
In the evolving landscape of Web3, security remains a paramount concern for crypto companies. Most of these companies rely heavily on pre-deployment smart contract audits, believing that such audits will safeguard their projects and client funds from hacks. However, recent data reveals a stark truth: 90% of the smart contracts that were hacked had undergone pre-deployment audits. This statistic highlights a critical gap in the current approach to Web3 security.
The following opinion editorial was written by Michael Pearl, VP Go-To-Market, Cyvers.ai.
The Role of Smart Contract Audits
Smart contract audits are undoubtedly a crucial element in the security architecture of any crypto project. These audits help identify typical vulnerabilities and security-related bugs before the contract is deployed. Conducting multiple audits by different firms is a common practice, intended to ensure that any potential issue is caught and addressed.
However, while audits shrink the attack surface and lower the probability of a hack, they do not make a system foolproof. An audit is a point-in-time review of one version of the code: it can find known vulnerability classes in that version, but it cannot account for upgrades shipped after the review, new integrations and dependencies, changed market conditions such as oracle or liquidity manipulation, compromised keys, or novel attack vectors that emerge post-deployment. Audits are only a part of the bigger picture, and relying solely on them does not equate to doing everything possible to secure a system.
Case Studies: Audited, Then Hacked
The list of projects that got hacked, despite having their smart contracts audited—oftentimes more than once and by more than one auditing provider—is unfortunately very long. Several recent examples illustrate the discrepancy between expectations and actual results.
- Dough Finance was hacked on July 12 of this year and lost $1.8M. The project’s contracts were audited by at least one auditing company in November 2023 and were even labeled as “low risk” by the auditor.
- UwU Lend was hacked twice, on June 10 and 13 of this year, and lost $19.3M. The company’s smart contracts were audited by at least one auditing firm.
- Radiant Capital was hacked on January 3 of this year and lost $4.5M. The company claimed that its contracts had undergone audits by four different auditing companies, described as “world’s best” in the company’s documentation.
- Euler Finance’s smart contracts were exploited on March 13 of last year, resulting in a $197M loss. According to the company, its contracts had been audited by four leading auditing companies.
- DeFi protocol LI.FI was exploited on July 16 of this year and lost around $11M. Two years before the hack, the company had published a blog post highlighting that its contracts were audited by two auditing providers.
The Missing Element: Real-Time Monitoring and Pre-Transaction Screening
Many companies overlook the importance of real-time monitoring and pre-transaction screening for risk assessment. These components are essential for a comprehensive security strategy.
Real-Time Monitoring provides continuous oversight of deployed smart contracts, detecting security issues, scams, fraud, and other malicious activity as it happens, whether in the mempool or as transactions land on-chain. Monitoring does not stop the first malicious transaction by itself; its value lies in shrinking the time between that first transaction and a response, which is where most of the losses in multi-transaction exploits accumulate. The shorter that window, the less an attacker can drain before countermeasures take effect.
Pre-Transaction Screening assesses the risk of a transaction before it is executed, for example by checking the counterparty against sanctions and known-attacker lists, flagging freshly created addresses, and weighing the value and the function being called. It helps block malicious actors and prevent fraudulent activity before funds move. Screening is heuristic, so it must be tuned for false positives and false negatives, but integrating it into the transaction path reduces the share of illegitimate transactions that are processed and further strengthens the security posture.
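As an added example of the screening step described above (illustrative code written for this page, not Cyvers.ai's product or any protocol's code), the following rule-based screen scores a pending transaction before it is submitted. The rule weights, thresholds, the placeholder addresses and the "privileged" function selector are all assumptions chosen for the demonstration; a production screen would pull its blocklists and address-age data from threat-intelligence feeds and chain indexers.

```python
from dataclasses import dataclass

# Constructed example: a minimal pre-transaction risk screen.
# Field names, rule weights and thresholds are illustrative assumptions.


@dataclass
class PendingTx:
    sender: str
    to: str
    value_wei: int
    selector: str                 # first 4 bytes of calldata, e.g. "0xa9059cbb"
    sender_first_seen_block: int  # block in which the sender address first appeared
    current_block: int


@dataclass
class Policy:
    blocklist: frozenset            # sanctioned / known-attacker addresses
    max_value_wei: int              # per-transaction value ceiling
    min_sender_age_blocks: int      # freshly funded EOAs are a common attacker pattern
    high_risk_selectors: frozenset  # privileged functions that deserve extra scrutiny


# Rule weights: a blocklist hit alone is enough to block the transaction.
WEIGHTS = {
    "blocklisted_sender": 100,
    "value_exceeds_limit": 40,
    "fresh_sender": 30,
    "high_risk_function": 30,
}
BLOCK_AT = 70
REVIEW_AT = 30


def screen_transaction(tx: PendingTx, policy: Policy):
    """Return (score, decision, findings) for a transaction before it executes."""
    findings = []
    if tx.sender.lower() in policy.blocklist:
        findings.append("blocklisted_sender")
    if tx.value_wei > policy.max_value_wei:
        findings.append("value_exceeds_limit")
    if tx.current_block - tx.sender_first_seen_block < policy.min_sender_age_blocks:
        findings.append("fresh_sender")
    if tx.selector.lower() in policy.high_risk_selectors:
        findings.append("high_risk_function")
    score = min(100, sum(WEIGHTS[f] for f in findings))
    if score >= BLOCK_AT:
        decision = "block"
    elif score >= REVIEW_AT:
        decision = "review"
    else:
        decision = "allow"
    return score, decision, findings


# Constructed policy; the addresses are placeholders, not real ones.
BAD_ACTOR = "0x" + "ba" * 20
POLICY = Policy(
    blocklist=frozenset({BAD_ACTOR}),
    max_value_wei=100 * 10**18,
    min_sender_age_blocks=1000,
    # Assumed to be a privileged admin function for the purpose of the example.
    high_risk_selectors=frozenset({"0x8456cb59"}),
)

TARGET = "0x" + "22" * 20
NOW = 50_000

# Constructed sample transactions (ERC-20 transfer selector 0xa9059cbb is real).
SAMPLES = {
    "routine":          PendingTx("0x" + "11" * 20, TARGET, 5 * 10**18,   "0xa9059cbb", 100,     NOW),
    "large_fresh":      PendingTx("0x" + "33" * 20, TARGET, 500 * 10**18, "0xa9059cbb", NOW - 3, NOW),
    "privileged_fresh": PendingTx("0x" + "44" * 20, TARGET, 0,            "0x8456cb59", NOW - 3, NOW),
    "blocklisted":      PendingTx(BAD_ACTOR,          TARGET, 1 * 10**18,   "0xa9059cbb", 100,     NOW),
}


def demo():
    """Screen every sample and return {name: (score, decision)}."""
    return {name: screen_transaction(tx, POLICY)[:2] for name, tx in SAMPLES.items()}


if __name__ == "__main__":
    for name, (score, decision) in demo().items():
        print(f"{name:18s} score={score:3d} -> {decision}")
```

The "review" tier is deliberate: a fresh address calling a privileged function is not proof of an attack, and routing it to a human or a slower path is cheaper than either blocking legitimate users or letting it through unexamined.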
The Necessity of Crisis Management Mechanisms
In addition to real-time monitoring and pre-transaction screening, it is crucial to implement crisis management mechanisms such as pause functions and other circuit breakers (withdrawal rate limits, per-block outflow caps, guardian-triggered freezes). These can be automated or manual and are vital for responding in real time to alerts from monitoring and detection systems. Two caveats apply: the ability to pause is itself a privileged capability, so the keys that hold it need the same protection as any other admin role, and the conditions for unpausing should be defined in advance rather than improvised during an incident.
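As an added example tying the monitoring and circuit-breaker ideas together (illustrative code written for this page, not Cyvers.ai's product or any protocol's code), the following off-chain monitor consumes a constructed stream of deposit and withdrawal events, tracks outflow over a rolling block window against the pool's value, and trips a simulated pause switch when the window's outflow exceeds a threshold. The event stream, the window size and the 50% threshold are assumptions; a real deployment would read events via an RPC node and the pause would be a signed transaction to the contract's guardian role.

```python
from collections import deque
from dataclasses import dataclass

# Constructed example: rolling-window outflow monitor that trips a circuit breaker.
# Window size, threshold and the event stream are illustrative assumptions.


@dataclass
class Event:
    block: int
    kind: str    # "deposit" or "withdraw"
    amount: int  # in the pool's smallest unit


class CircuitBreaker:
    """Stand-in for the on-chain pause switch a guardian key would flip."""

    def __init__(self):
        self.paused = False
        self.paused_at = None
        self.reason = None

    def pause(self, block, reason):
        if not self.paused:          # idempotent: the first alert wins
            self.paused = True
            self.paused_at = block
            self.reason = reason


class OutflowMonitor:
    """Alerts when withdrawals within `window_blocks` exceed `max_fraction` of TVL."""

    def __init__(self, breaker, window_blocks, max_fraction):
        self.breaker = breaker
        self.window_blocks = window_blocks
        self.max_fraction = max_fraction
        self.tvl = 0
        self.recent = deque()        # (block, amount) of withdrawals still in the window
        self.window_outflow = 0
        self.alerts = []

    def _evict_expired(self, current_block):
        while self.recent and self.recent[0][0] <= current_block - self.window_blocks:
            _, amount = self.recent.popleft()
            self.window_outflow -= amount

    def process(self, ev):
        """Return "ok", "alert" (withdrawal landed and tripped the breaker) or "rejected"."""
        if ev.kind == "withdraw" and self.breaker.paused:
            return "rejected"        # the pause blocks everything after the trigger
        self._evict_expired(ev.block)
        if ev.kind == "deposit":
            self.tvl += ev.amount
            return "ok"
        # A monitored withdrawal has already executed on-chain; the monitor
        # can only limit what comes after it.
        tvl_before = self.tvl
        baseline = tvl_before + self.window_outflow   # TVL before this window's drain began
        self.tvl -= ev.amount
        self.recent.append((ev.block, ev.amount))
        self.window_outflow += ev.amount
        if baseline > 0 and self.window_outflow > self.max_fraction * baseline:
            alert = (f"block {ev.block}: {self.window_outflow} withdrawn in "
                     f"{self.window_blocks} blocks against baseline {baseline}")
            self.alerts.append(alert)
            self.breaker.pause(ev.block, alert)
            return "alert"
        return "ok"


# Constructed event stream: normal activity, then a two-block drain.
EVENTS = [
    Event(1, "deposit", 600_000),
    Event(2, "deposit", 400_000),
    Event(10, "withdraw", 10_000),
    Event(20, "withdraw", 20_000),
    Event(100, "withdraw", 300_000),   # first exploit transaction, lands
    Event(101, "withdraw", 350_000),   # second one pushes the window past 50%
    Event(102, "withdraw", 50_000),    # rejected: protocol is paused
]


def run_demo(window_blocks=10, max_fraction=0.5):
    """Replay EVENTS and return (per-event results, breaker, monitor)."""
    breaker = CircuitBreaker()
    monitor = OutflowMonitor(breaker, window_blocks, max_fraction)
    results = [monitor.process(ev) for ev in EVENTS]
    return results, breaker, monitor


if __name__ == "__main__":
    results, breaker, monitor = run_demo()
    for ev, res in zip(EVENTS, results):
        print(f"block {ev.block:4d} {ev.kind:8s} {ev.amount:8d} -> {res}")
    print("paused at block", breaker.paused_at, "| remaining TVL", monitor.tvl)
```

Note what the replay shows: the first two exploit withdrawals still go through, and 650,000 of the 1,000,000 deposited is gone before the breaker trips. A tighter threshold or a smaller window catches the drain earlier at the cost of more false alarms; that trade-off is the tuning work real-time monitoring demands, and no audit substitutes for it.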
Conclusion
Smart contract audits are an essential part of Web3 security, but they are not sufficient on their own. To truly secure crypto projects, companies must adopt a holistic approach that includes real-time monitoring, pre-transaction screening, and robust crisis management mechanisms. By integrating these advanced security measures, crypto companies can significantly enhance their security posture, protecting their projects and client funds from the ever-evolving threats in the Web3 space.