Unchained

DeFi Security: With So Many Hacks, Will It Ever Be Safe? - Ep.170



Dan Guido, cofounder and CEO of Trail of Bits, and Taylor Monahan, founder and CEO of MyCrypto, discuss the recent hacks in DeFi, how DeFi can be made safer, and who is responsible.

We tackle: 

  • the Hegic security incident: whose responsibility it was to make sure the contract was secure — the auditor (Trail of Bits) or the team (Hegic) — what Trail of Bits was saying in its audit summary, and how to read between the lines of an audit summary
  • how long an audit should be
  • upgradeability: particularly around when more advanced technology and contracts interface with older technology/contracts
  • centralization vs. decentralization: whether contracts can be made safe while still adhering to the principle of decentralization, why Taylor would prioritize centralization and security, and how teams can create different levels of risk for users
  • bug bounties: why asking what amount they should be is the wrong question
  • the security threats posed by oracles
  • and what a checklist for DeFi teams might look like

Thank you to our sponsors! 

Crypto.com: https://crypto.com 

Kraken: https://www.kraken.com 

Stellar: https://www.stellar.org

Episode links: 

Dan Guido: https://twitter.com/dguido

Trail of Bits: https://www.trailofbits.com

Taylor Monahan: https://twitter.com/tayvano_

MyCrypto: https://mycrypto.com

Initial tweet by Hegic calling the security issue a typo: https://twitter.com/HegicOptions/status/1253937104666742787?s=20

Hegic tweet saying, “It’s not a security issue”: https://twitter.com/HegicOptions/status/1253954145113038849?s=20  

Trail of Bits saying it will no longer work with Hegic: https://twitter.com/dguido/status/1254260725431894020?s=20 

Taylor breaks down the audit summary: https://twitter.com/MyCrypto/status/1254058121342803968?s=20

Molly Wintermute’s Medium post on requesting a week audit vs. three-day review: https://medium.com/@molly.wintermute/post-mortem-hegic-unlock-function-bug-or-three-defi-development-mistakesthat-i-feel-sorry-about-5a23a7197bce 

Unconfirmed episode with Haseeb Qureshi on the Lendf.me attack: https://unchainedpodcast.com/haseeb-qureshi-on-the-unbelievable-story-of-the-25-million-lendf-me-hack/

Unchained interview showing Matt Luongo's approach to kill switches and upgradeability with tBTC: https://unchainedpodcast.com/tbtc-what-happens-when-the-most-liquid-crypto-asset-hits-defi/

Discussion of the bZx attacks on Unchained: https://unchainedpodcast.com/the-bzx-attacks-unethical-or-illegal-2-experts-weigh-in/

Issue with Curve contract: https://blog.curve.fi/vulnerability-disclosure/ 

Compound bug bounty program: https://compound.finance/docs/security#bug-bounty

Taylor on “upgradeability makes things more insecure”: https://twitter.com/tayvano_/status/1222564979657723904?s=20 

Synthetix oracle incident, allowing a bot to profit $1 billion: https://unchainedpodcast.com/how-synthetix-became-the-second-largest-defi-platform/

Taylor’s tips on how to get more ROI on an audit: https://twitter.com/MyCrypto/status/1254061500244713474?s=20

Tips to follow before getting an audit: https://blog.openzeppelin.com/follow-this-quality-checklist-before-an-audit-8cc6a0e44845/ 

Resources for security in DeFi: 

crytic/building-secure-contracts (guidelines and training material to write secure smart contracts): https://github.com/crytic/building-secure-contracts

https://consensys.github.io/smart-contract-best-practices/ 

https://forum.openzeppelin.com

https://swcregistry.io

https://diligence.consensys.net/blog/2020/03/new-offering-1-day-security-reviews/

Unchained, by Laura Shin
