How Auditors Detect a DeFi Rug Pull Scam: Can You Do It Yourself?


Hackers stole more cryptocurrency from decentralized finance (DeFi) platforms than ever before in 2022. Nearly 98% of all tokens launched on DeFi's flagship DEX, Uniswap, were identified as rug pulls.

The latest, Defrost Finance, came as a Christmas nightmare for crypto investors, wiping out $12 million of their money.

Most hacks on DeFi platforms happen through security breaches and code exploits. Projects that end up being rug pull scams have serious security issues that have been allowed to slide, or perhaps have gone undetected on purpose. To prevent similar risks, DeFi security audits are critical.

Here we'll find out more about these audits, how they are conducted, and whether it is possible to run a DeFi audit by yourself.

What Is a DeFi Security Audit?

DeFi projects are implemented as complex, self-executing smart contracts, often transparent and open-source. They act as legal agreements between two parties. And since no centralized entity is behind them, even a small bug in smart contracts might lead to irreversible consequences.

That means there should be no room for error in smart contracts. DeFi smart contract security audits are meant to ensure that.

Security audits examine the code of smart contracts and how it implements the contracts' terms and conditions. The detailed analysis searches for potential security flaws, violations, and system bugs in the code so that it cannot be exploited.

Security audits, usually conducted by third parties, are vital to ensuring the security and credibility of projects and maintaining a healthy DeFi ecosystem.

How Do Scammers Exploit Smart Contracts for a Rug Pull?

A rug pull is a type of exit scam that operates in a simple model: developers create a legit-looking DeFi protocol, run and promote it until the project attracts enough liquidity, then pull out the funds and disappear. 

Well, not always. Occasionally, rug-pull scammers blame hackers for stealing liquidity and stay in business until the next time.

To carry out an attack, scammers embed malicious code in the smart contracts. They modify them to prevent investors from selling: setting the maximum sell fee (100%), blacklisting token holders, and locking users' funds in a contract.

Some smart contracts have a malicious "backdoor" coded into them, which allows the developers to withdraw the liquidity.

Most of the time, modified smart contracts are not verified by security auditors and are hidden from the public. Since most on-chain contracts are publicly available, a lack of transparency on GitHub can be a red flag.

How to Check Whether a DeFi Smart Contract Is Safe

The blockchain and smart contract industry is still relatively young, and so is the smart contract auditing sector. Several firms specialize in smart contract security auditing, developing their own tools and shaping their know-how.

Smart contract security industry standards and best practices are still under development. Despite that, some fairly standard auditing methods are used by players in the DeFi auditing industry.

Typically, their investigation begins with the smart contract evaluation. The auditor analyzes the whitepaper, business logic, and technical specifications of the DeFi protocol to estimate potential risks and security features.

Then they turn their attention to the code of the smart contract. This is where code review and analysis starts.

Auditors inspect code line by line, looking for vulnerabilities of different levels: critical ones that can result in a liquidity leak; medium-level, which could partially damage the smart contract; and low-level issues, which affect the contract’s security the least.

They apply a range of auditing techniques, including automated and manual analysis. Both have their advantages and disadvantages.

An automated security audit means scanning the code with automated analysis software, which searches for bugs against a database of known vulnerabilities and identifies their precise location in the code.

The software-based audit is typically conducted before the manual analysis to detect errors that humans might overlook. It is faster, but at the same time it may not be aware of the context and thus miss certain vulnerabilities.
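As an added illustration (not the article's own code, and not any audit firm's tooling), the following Python script is a small automated pattern check of the kind described above, run over a constructed Solidity fragment that contains the three rug-pull mechanisms from the earlier section: an uncapped owner-settable sell fee, a holder blacklist, and an owner-only function that drains liquidity. The regex heuristics and the severity mapping (liquidity drain as critical, sell restrictions as medium) are my assumptions.

```python
import re

# Constructed Solidity fragment (sample input, not from the article) containing
# the three rug-pull mechanisms the article lists: an owner-settable sell fee
# with no upper bound, a holder blacklist enforced in transfer(), and an
# owner-only function that drains the contract's liquidity.
SAMPLE_TOKEN = """\
contract SampleToken {
    mapping(address => bool) public blacklisted;
    uint256 public sellFee = 5;
    function setSellFee(uint256 fee) external onlyOwner { sellFee = fee; }
    function setBlacklist(address who, bool on) external onlyOwner { blacklisted[who] = on; }
    function transfer(address to, uint256 amount) public returns (bool) {
        require(!blacklisted[msg.sender], "blocked");
        return _transfer(msg.sender, to, amount - amount * sellFee / 100);
    }
    function withdrawLiquidity() external onlyOwner {
        payable(owner).transfer(address(this).balance);
    }
}
"""
# Heuristic patterns (my own, not an audit firm's rule set). A fee setter is
# only flagged when its body has no require(... < ...) cap on the new value.
FEE_SETTER = re.compile(r"function\s+(set\w*[Ff]ee)\s*\([^)]*\)[^{]*\{(?P<body>[^}]*)\}")
FEE_CAP = re.compile(r"require\s*\([^;]*<")
BLACKLIST_MAP = re.compile(
    r"mapping\s*\(\s*address\s*=>\s*bool\s*\)\s*\w*\s*(\w*(?:black|block|bot|ban)\w*)", re.I)
OWNER_DRAIN = re.compile(
    r"function\s+(\w+)\s*\([^)]*\)[^{]*onlyOwner[^{]*\{(?P<body>[^}]*address\(this\)\.balance[^}]*)\}")

def _line(source, pos):
    return source.count("\n", 0, pos) + 1

def find_red_flags(source):
    """Return (severity, flag, line, name) tuples, sorted by line.
    Severities follow the article's tiers: a liquidity leak is critical,
    the sell-restriction patterns are rated medium (an assumed mapping)."""
    flags = []
    for m in FEE_SETTER.finditer(source):
        if not FEE_CAP.search(m.group("body")):
            flags.append(("medium", "uncapped_sell_fee", _line(source, m.start()), m.group(1)))
    for m in BLACKLIST_MAP.finditer(source):
        flags.append(("medium", "holder_blacklist", _line(source, m.start()), m.group(1)))
    for m in OWNER_DRAIN.finditer(source):
        flags.append(("critical", "owner_can_drain_liquidity", _line(source, m.start()), m.group(1)))
    return sorted(flags, key=lambda f: f[2])

if __name__ == "__main__":
    for sev, flag, line, name in find_red_flags(SAMPLE_TOKEN):
        print(f"{sev:8} line {line:2}  {flag:26} {name}")
```

Like any automated scan, this only points an auditor at locations to inspect; a capped fee or a blacklist used only for sanctioned addresses still needs the manual review the article describes.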

Manual code analysis is king in smart contract auditing and is the most critical part of a comprehensive and accurate smart contract security audit. It is conducted by at least two separate experts who inspect the code line by line.

The goal is to verify that every detail of the project's specification is implemented in the smart contract, and that nothing violates the originally intended behavior.

The auditors scrutinize the code for unintended, unexpected behavior, crucial security issues, and vulnerabilities like re-entrancy, data manipulation, flash loan attacks, and other manipulations that might be carried out while the smart contract interacts with others.

In addition to that, manual audits run simulations to evaluate how well the DeFi project’s smart contract responds to unidentified threats and how capable it is of defending itself against them. 

In the final part of the manual code analysis, the auditor compares the smart contract's logic with its description in the project's whitepaper.

Once all vulnerabilities have been identified and fixed, the auditors run a double-check process to ensure that the smart contract code runs as expected.

Finally, after the security audit is complete, the auditors prepare a comprehensive report. This is where they give detailed feedback on what they have discovered. Typically, their report comes with recommendations on how the detected code weaknesses can be fixed to strengthen the project's security.

What Ensures that a Smart Contract Audit Is Professional?

Smart contracts are a relatively new innovation. Their security standards are evolving accordingly. This means no golden rule guarantees total smart contract safety.

Moreover, not all smart contract auditing firms are alike, and not all audits guarantee security. Auditors can have different skill levels, different goals, and different costs.

Not to mention the fact that the market is full of sketchy developers who forge audits and still benefit from the name of a respectable company. This is what happened to Peckshield, a blockchain security and data analytics company, more than a year ago.

Situations like this are quite common in the cryptocurrency space. Scammers take the name of a legitimate and respectable auditor and write it into their whitepaper, claiming that their protocol was audited.

The only way to avoid cases like this is to check for confirmation on the auditor’s original channels. If there aren’t any, chances are that the auditor’s name has been stolen. 

Always check the auditor's client portfolio to evaluate whether the auditor is solid and reputable. Google the cases to verify their experience records, and check whether any of the audited projects have suffered a rug pull or other attacks.

Can You Conduct Code Audit Yourself?

With so many hacks and rug pulls in the crypto space, it’s naive to imagine that DeFi projects are safe without looking into them in more detail. Smart contract audits provide a critical layer of safety. 

However, even the most professional ones do not guarantee that a DeFi project is absolutely bug-free. Smart contracts are complex. They require detailed and comprehensive analysis, expertise, tools, and, most importantly, more than one pair of eyes.
