How Auditors Detect a DeFi Rug Pull Scam: Can You Do It Yourself?


Hackers stole more cryptocurrency from decentralized finance (DeFi) platforms in 2022 than ever before. Almost 98% of all tokens launched on the leading DeFi DEX, Uniswap, were identified as rug pulls.

The latest, Defrost Finance, came as a Christmas nightmare for crypto investors, wiping out $12 million of their money.

Most hacks of DeFi platforms happen through security breaches and code exploits. Projects that turn out to be rug pull scams have serious security issues that were allowed to slide, or perhaps were left undetected on purpose. DeFi security audits are critical to preventing such risks.

Here we look at what these audits are, how they are conducted, and whether you can run a DeFi audit yourself.

What Is a DeFi Security Audit?

DeFi projects are implemented as complex, self-executing smart contracts, usually transparent and open-source. They encode the terms of an agreement between parties and enforce them automatically. Since no centralized entity stands behind them and deployed contract code is generally immutable, even a small bug in a smart contract can have irreversible consequences.

This means there can be no room for error in smart contracts. DeFi smart contract security audits are meant to ensure that.

Security audits examine the smart contract code and check whether it faithfully implements the contract's terms and conditions. The detailed analysis searches for security flaws, deviations from the specification, and bugs in the code, so that it cannot be exploited.

Security audits, usually conducted by third parties, are vital to ensuring the security and credibility of projects and maintaining a healthy DeFi ecosystem.

How Do Scammers Exploit Smart Contracts for a Rug Pull?

A rug pull is a type of exit scam with a simple model: developers create a legitimate-looking DeFi protocol, run and promote it until it attracts enough liquidity, then pull out the funds and disappear.

Well, not always. Occasionally, rug-pull scammers blame hackers for the stolen liquidity and stay in business until the next time.

To carry out the attack, scammers embed malicious code in the smart contracts. They modify the contracts to prevent investors from selling: they set the maximum (100%) sell fee, blacklist token holders, or lock users' funds in the contract.

Some smart contracts also contain a coded malicious "backdoor" that lets the developers withdraw the liquidity.

Such modified smart contracts are mostly not reviewed by security auditors and are kept out of public view. Since most on-chain contracts are publicly accessible, a lack of transparency, such as source code that is not verified on the block explorer or published on GitHub, can be a red flag.

How to Check Whether a DeFi Smart Contract Is Safe

The blockchain and smart contract industry is still relatively young, and so is the smart contract auditing sector. Many companies specialize in smart contract security audits, developing their own tools and building up their own expertise.

Industry standards and best practices for smart contract security are still evolving. Nevertheless, players in the DeFi auditing industry use some fairly standard audit methods.

Their investigations usually begin with an assessment of the smart contract. The auditor analyzes the whitepaper, business logic, and technical specifications of the DeFi protocol to evaluate potential risks and security features.

They then turn their attention to the smart contract code. This is where code review and analysis begin.

Auditors inspect the code line by line, looking for vulnerabilities of different severity: critical ones that can result in a liquidity leak or loss of funds; medium-level ones that could partially compromise the smart contract; and low-level issues that affect the contract's security the least.

They use a number of audit techniques, including automated and manual analysis. Both have their strengths and weaknesses.

An automated security audit means scanning the code with analysis software that checks it against a database of known vulnerability patterns and identifies their precise location in the code.

The software-based audit is typically run before the manual analysis, to catch errors that humans might overlook. It is faster, but it is unaware of the protocol's intended behavior and context, so it can miss certain vulnerabilities and also report false positives that need to be triaged by hand.
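To make both the rug-pull mechanics described earlier and the automated scanning step concrete, here is an added example in Python that is not code from DailyCoin or from any auditing firm. It is a small pattern-based scanner: it finds Solidity function headers and bodies with regular expressions and flags the levers a rug-pull contract typically has (an uncapped fee setter, an owner-controlled blacklist, a trading switch the owner can turn off, an owner-only withdrawal, unlimited minting), sorted into the severity tiers the article describes. The two contract sources, the rule names and the severity assignments are constructed for illustration; real tools such as Slither do far more, and a hit here is only a candidate for manual review, not proof of malice.

```python
"""Heuristic rug-pull red-flag scanner for Solidity source.  Added example,
not DailyCoin's or any auditor's code; the samples and rule names below are
constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Finding:
    severity: str   # "critical" (funds can leak) / "medium" / "low"
    rule: str
    function: str
    line: int       # 1-based line of the function header

# Function header: name, parameter list, visibility/modifier text, then "{".
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*)\{")
# Loose patterns for the mechanics the article lists.  A hit is a candidate
# for manual review, not proof of malice.
OWNER_GATED = re.compile(r"\bonly(?:Owner|Admin|Dev)\b")
VALUE_OUT = re.compile(r"\.transfer\(|\.send\(|\.call\{\s*value")
FEE_SETTER = re.compile(r"(?:set|update|change)\w*(?:fee|tax)", re.I)
FEE_CAP = re.compile(r"require\s*\([^;]*<")          # e.g. require(f <= 10)
BLACKLIST_WRITE = re.compile(
    r"\b\w*(?:blacklist|isbot|blocked|sniper)\w*\s*\[[^\]]*\]\s*=(?!=)", re.I)
TRADING_TOGGLE = re.compile(              # any assignment other than "= true"
    r"\btrading(?:Enabled|Open|Active)\s*=\s*(?!=|true\b)[^\s=]")
MINT_CALL = re.compile(r"\b_?mint\s*\(")
SUPPLY_CAP = re.compile(r"require\s*\([^;]*(?:maxSupply|\bcap\b)", re.I)

def _balanced_body(src: str, open_idx: int) -> str:
    """Text between the '{' at open_idx and its matching '}'."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    return src[open_idx + 1:]                 # unbalanced: take the rest

def scan(src: str) -> List[Finding]:
    """Run every rule over every function body in src."""
    findings: List[Finding] = []
    for m in FUNC_RE.finditer(src):
        name, mods = m.group(1), m.group(3)
        body = _balanced_body(src, m.end() - 1)
        line = src.count("\n", 0, m.start()) + 1
        owner_gated = bool(OWNER_GATED.search(mods))
        hits = []
        if owner_gated and VALUE_OUT.search(body):
            hits.append(("critical", "owner-can-withdraw-funds"))
        if FEE_SETTER.search(name) and not FEE_CAP.search(body):
            hits.append(("critical", "uncapped-fee-setter"))
        if owner_gated and BLACKLIST_WRITE.search(body):
            hits.append(("critical", "owner-can-blacklist"))
        if owner_gated and TRADING_TOGGLE.search(body):
            hits.append(("critical", "owner-can-halt-trading"))
        if owner_gated and MINT_CALL.search(body) and not SUPPLY_CAP.search(body):
            hits.append(("medium", "owner-can-mint-without-cap"))
        findings.extend(Finding(s, r, name, line) for s, r in hits)
    return findings

# Constructed sample, trimmed to the functions the scanner looks at: a token
# with every lever the article describes.
SHADY_SRC = """
contract ShadyToken {
    function setSellFee(uint256 newFee) external onlyOwner {
        sellFee = newFee;                 // no cap: 100% fee = cannot sell
    }
    function setBot(address who, bool flag) external onlyOwner {
        _isBot[who] = flag;               // blacklisted holders cannot sell
    }
    function setTrading(bool enabled) external onlyOwner {
        tradingEnabled = enabled;         // owner can freeze all transfers
    }
    function rescue() external onlyOwner {
        payable(owner).transfer(address(this).balance);  // backdoor drain
    }
    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);                // unlimited dilution
    }
}
"""

# Constructed sample: the same fee switch, but bounded, and no other levers.
SAFER_SRC = """
contract BoundedToken {
    function setSellFee(uint256 newFee) external onlyOwner {
        require(newFee <= 10, "fee capped at 10%");
        sellFee = newFee;
    }
}
"""

if __name__ == "__main__":
    for f in scan(SHADY_SRC):
        print(f"{f.severity:8} line {f.line:2} {f.function}: {f.rule}")
    print("safer:", scan(SAFER_SRC) or "no findings")
```

Run against the verified source you download from the block explorer, the scanner reports each owner-only lever with its line, which is exactly the list a manual reviewer then has to read in context: a capped fee setter behind a timelock is defensible, the same setter with no cap is not. The deliberately loose regexes mean the output is a to-do list, not a verdict.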

Manual code analysis is king in smart contract auditing and is the most critical part of a comprehensive and accurate smart contract security audit. It is conducted by at least two separate experts who inspect the code line by line.

The goal is to verify that every detail of the project's specification is implemented in the smart contract and that nothing violates its originally intended behavior.

The auditors scrutinize the code for unintended or unexpected behavior, crucial security issues, and vulnerabilities such as re-entrancy, data manipulation, flash-loan attacks, and other manipulations that can arise when the smart contract interacts with other contracts.

In addition, manual audits run simulations of attack scenarios to evaluate how the DeFi project's smart contract responds to threats that have not been identified before and how well it withstands them.
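To show what the re-entrancy case above looks like when simulated, here is an added example in Python that is not code from the original article and does not represent any auditor's test harness. It models a toy ETH vault whose withdraw function pays out before updating the caller's balance, an attacker contract that re-enters withdraw from its receive hook, and the same vault written in checks-effects-interactions order. The object model, the addresses and the amounts are constructed for illustration; a real audit would run such scenarios against the actual contract on a test network or forked chain.

```python
"""Re-entrancy in a withdraw function, simulated in Python (added example).

Not DailyCoin's or any auditor's code.  Contracts are plain objects; sending
ETH to a contract invokes its receive() hook, which is the moment the callee
can re-enter the caller.  Amounts are whole ETH; names are constructed.
"""
from typing import Dict, Tuple, Union

class Attacker:
    """Malicious contract that re-enters withdraw() from its receive() hook."""
    address = "0xATTACKER"

    def __init__(self, stake: int) -> None:
        self.stake = stake
        self.eth = 0

    def attack(self, vault: "Vault") -> int:
        vault.deposit(self.address, self.stake)
        vault.withdraw(self)
        return self.eth

    def receive(self, vault: "Vault", amount: int) -> None:
        self.eth += amount
        # In the vulnerable vault our recorded balance is still non-zero here,
        # so keep pulling while the vault can still pay.
        if vault.balances.get(self.address, 0) > 0 and vault.eth >= self.stake:
            vault.withdraw(self)

class Vault:
    """ETH vault.  cei=True applies checks-effects-interactions: the balance is
    zeroed before the external call, so a re-entrant call finds nothing."""

    def __init__(self, cei: bool) -> None:
        self.cei = cei
        self.balances: Dict[str, int] = {}   # address -> credited ETH
        self.eth = 0                          # ETH actually held

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.eth += amount

    def withdraw(self, caller: Union[str, Attacker]) -> None:
        addr = caller if isinstance(caller, str) else caller.address
        amount = self.balances.get(addr, 0)
        if amount == 0:                          # check
            raise ValueError("nothing to withdraw")
        if self.cei:
            self.balances[addr] = 0              # effect first
            self._send(caller, amount)           # interaction last
        else:
            self._send(caller, amount)           # interaction first: re-enterable
            self.balances[addr] = 0              # effect too late

    def _send(self, to: Union[str, Attacker], amount: int) -> None:
        if self.eth < amount:
            raise RuntimeError("vault cannot pay")   # the EVM would revert here
        self.eth -= amount
        if not isinstance(to, str):              # contracts get a callback, EOAs do not
            to.receive(self, amount)

def simulate(cei: bool, honest_eth: int = 9, stake: int = 1) -> Tuple[int, int]:
    """Return (attacker's ETH after the attack, ETH left in the vault)."""
    vault = Vault(cei)
    vault.deposit("0xHONEST", honest_eth)
    return Attacker(stake).attack(vault), vault.eth

if __name__ == "__main__":
    print("interaction before effect:", simulate(cei=False))   # attacker drains the vault
    print("checks-effects-interactions:", simulate(cei=True))  # attacker gets only its stake
```

With one ETH staked against nine ETH of honest deposits, the vulnerable ordering lets the attacker withdraw ten times before any balance is updated, leaving the honest depositor with a credited balance the vault can no longer pay; reordering the two statements, or adding a re-entrancy guard, limits the attacker to its own stake. That ordering is what a reviewer checks at every external call.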

In the final part of the manual code analysis, the auditor compares the smart contract's logic against its description in the project's whitepaper.

Once all vulnerabilities have been identified and fixed, auditors perform a second round of verification to make sure the smart contract code behaves as expected.

Finally, after completing the security assessment, the auditors prepare a comprehensive report. Here they give detailed feedback on what they found. Their report usually contains recommendations on how the identified code flaws can be fixed to reduce the project's risk.

What Ensures that a Smart Contract Audit Is Professional?

Smart contracts are a relatively new innovation, and their security standards are evolving accordingly. This means no golden rule guarantees total smart contract safety.

Moreover, not all smart contract audit firms are equal, and not every audit guarantees security. Auditors may have different levels of expertise, different goals, and different costs.

Not to mention that the market is full of sketchy developers who forge audits and trade on the name of a respectable company. This is what happened to Peckshield, a blockchain security and data analytics company, more than a year ago.

Such situations are quite common in the crypto space. Scammers take the name of a legitimate and reputable auditor and put it in their whitepaper, claiming their protocol has been audited.

The only way to avoid cases like this is to check for confirmation on the auditor's original channels. If there is none, chances are that the auditor's name has been stolen.

Always check the auditor's client portfolio to evaluate whether the firm is solid and reputable. Search for its past cases to verify its track record, and check whether any of the projects it audited have suffered a rug pull or other attacks.

Can You Conduct a Code Audit Yourself?

With so many hacks and rug pulls in the crypto space, it is naive to assume that a DeFi project is safe without looking into it in more detail. Smart contract audits provide a critical layer of safety.

However, even the most professional audits do not guarantee that a DeFi project is absolutely bug-free. Smart contracts are complex. They require detailed and comprehensive analysis, expertise, tooling, and, most importantly, more than one pair of eyes.
