Exploring DeFi's Security Challenges: An In-Depth Look by Alp Bassa on Smart Contract Safety

In this exclusive chat recorded during the Hack Seasons Conference, Alp Bassa , a Research Scientist at Veridise we delve into Veridise’s cutting-edge tools, the complexities surrounding zero-knowledge proof audits, and what the future holds for blockchain security. This conversation provides a glimpse into the merging of mathematics, cryptography, and blockchain technology through the lens of a top industry expert.

Many entrepreneurs are inspired to enter their field due to a defining moment or experience. Could you share your journey into the Web3 world?

My foundation is in academia. With a background in mathematics, I was deeply engaged in number theory, focusing on curves over finite fields, particularly elliptic curves, and their implications in coding theory and cryptography. These mathematical concepts are especially relevant now as zero-knowledge cryptography gains traction within the Web3 landscape.

I noticed the exciting developments in this arena, which led me to join Veridise, a firm dedicated to conducting security audits with a particular focus on zero-knowledge technology—an area that aligns perfectly with my expertise.

Why are security audits essential? Are they optional for developers, or are they indispensable?

Ensuring security within systems necessitates a shift in mindset that should begin right from the development phase. Not all developers have the capacity to juggle every single aspect of the development process—like adhering to correct specifications, ensuring behavior, optimizing efficiency, integrating components, and securing the system. Often, security is an afterthought that isn't adequately prioritized during development.

Today, it's nearly impossible for a developer to have the confidence necessary to navigate numerous sophisticated tools and ensure they're being applied effectively while also confirming that no vulnerabilities exist. Adopting a different mindset is crucial, which is where the role of audits becomes vital.

Could you elaborate on the proprietary tools developed by Veridise and how they enhance the quality of audits?

Veridise employs a diverse array of tools. Some are quite basic yet accessible, like fuzzers, while others sit in a mid-spectrum like static analysis tools—these are relatively quick but can deliver inaccurate results due to false positives.

Then, we have sophisticated tools grounded in mathematics, particularly utilizing SMT solvers and other mathematical principles. While these tools may be computationally intensive, they offer precise results. We employ a blend of all these tools, recognizing their unique strengths and weaknesses to detect bugs and identify vulnerabilities effectively.

What distinct security challenges does Veridise address specifically for DeFi protocols?

In the realm of DeFi protocols, we utilize a static analysis tool where users can inform the system about specific vulnerabilities to scrutinize or particular architectures to analyze. The landscape is fraught with potential risks. For instance, reentrancy attacks led to the infamous DAO hack back in 2016, while flash loan exploits were behind the Cream Finance incident that resulted in approximately $130 million being siphoned off.

Having gained extensive experience through years of auditing, we maintain a robust understanding of common vulnerabilities, and our tools are meticulously designed to screen for these risks. During audits, we meticulously analyze each vulnerability one by one to discern if such threats manifest.

Can you expand on your application of zero-knowledge technology and explain why ZK audits take precedence?

Zero-knowledge technology stands out, especially in terms of formal verification, due to its compatibility with tool utilization. We possess tools specifically designed to assess ZK applications, which is why this domain has become a focal point for our efforts.

Our team has successfully identified critical vulnerabilities in essential circuit libraries. Our proficiency in this area drives our commitment to remaining at the forefront of developments. ZK auditing How does your knowledge of ZK circuits set you apart from other firms?

Our differentiation lies heavily in our toolset; we stem from a background rooted in formal verification. We boast robust tools, and as our projects have expanded, the volume of work has reached a level where solely relying on human analysis isn't sufficient for exhaustive code coverage. While human expertise is valuable, it's just one part of the equation.

What is Veridise's strategy for blending manual code reviews with automated tool assessments during the audit process?

Both manual reviews and automated tool assessments are essential in our methodology. Our audits have shown that rigorous human analysis paired with subsequent tool evaluations on the codebase often reveals vulnerabilities that we might have initially overlooked. Conversely, while employing tools first can expedite detection, they only catch certain types of structural flaws.

Given the numerous layers of complexity inherent in these systems, relying solely on either approach proves inadequate. I believe a balanced combination of both will be vital moving forward.

What are the standout features of Veridise’s Vanguard tool, and in what ways does it bolster smart contract security?

Vanguard serves as a cornerstone of our toolkit, primarily utilized for static analysis. In static analysis, you define expected behaviors and then verify if those specifications are met—assessing properties without executing the code. Unlike dynamic methods, this approach enables us to identify potential vulnerability patterns proactively.

Our Vanguard tool comes in various formats; some aspects are particularly adept at enhancing smart contract security, while others focus on zero-knowledge applications.

Could you elaborate on the vulnerabilities you've encountered within smart contracts and ZK circuits?

In my focus on ZK circuits, one of the prevalent vulnerabilities is under-constrained circuits. In a ZK context, the codebase is split into two components: the execution program and its constraints. It's crucial for these constraints to accurately reflect the operational behavior of the program.

An overwhelming 95% of vulnerabilities in ZK circuits stem from these under-constrained scenarios. To address this, we utilize tools like PICUS, which is specifically designed to identify such issues.

According to a recent paper What is Veridise's stance on disclosures when vulnerabilities are discovered during audits?

We maintain a strict policy of confidentiality regarding vulnerabilities; we never disclose these until the issues are fixed, as preemptive exposure could lead to exploitation, especially if the codebase is actively in use. After completing an audit, we provide clients with a detailed report outlining all the vulnerabilities and bugs we discovered.

We allow the clients time to remediate the identified issues before reviewing their fixes to confirm that all concerns have been addressed. The resulting report is proprietary to the client, and we only publish it with their consent.

If you visit the Veridise website, you can find a compilation of reports that clients have permitted us to disclose to the public. Typically, clients are agreeable to this, seeing it as a validation that their code has undergone a thorough audit and is as secure as possible.

How does Veridise customize its auditing strategies for different blockchain platforms and programming languages?

Given the rapidly evolving nature of this industry, with new blockchains and languages emerging consistently, we recognize the importance of adapting to these changes. We notice trends in incoming project requests for audits across various environments.

Staying attuned to where these demands arise allows us to anticipate future developments in the field, enabling us to modify our tools to meet community needs effectively. This adaptability will be key as we progress.

Can you share insights on tools you're planning to introduce in the near future?

Looking ahead, one significant direction is our intention to provide security as a service through our SaaS platform. This will enable developers to access our tools during the development phases.

Instead of waiting until project completion to conduct audits, developers will have the opportunity to utilize our tools in real-time, ensuring the security of their code and minimizing vulnerabilities as they work. We anticipate launching this service soon.

Unveiling DeFi Weaknesses: A Comprehensive Exploration by Alp Bassa on Smart Contract Protection - Metaverse Post