The Web3 market is not transparent: there is a clear asymmetry of information between projects and investors. Many projects don’t perform an audit, don’t publish audit results, and don’t disclose actual token supply analytics, including vesting and lockup schedules for the team and investors, because they see no point in doing so. As a result, investors cannot fully assess the risks.
The incomplete scope of audits is another problem. Having an audit is not the same as having a relevant audit whose findings have actually been fixed. Audits often don’t cover all of a project’s smart contracts. For example, a DeFi platform may have its lending contracts audited while its borrowing contracts remain unaudited. This is a common problem. According to our internal research, among 545 cryptocurrencies, only 133 (roughly a quarter) have deployed token code that matches the audited code. A project can audit its token and still:
- publish or deploy code other than the audited code;
- deploy a proxy that points to the audited implementation, which can be swapped out later, at which point the audit no longer describes what is running;
- use an upgradeable smart contract whose logic can change after the audit without any new review;
- deploy different code on other EVM-compatible blockchains.
Thus, audit relevance is as crucial as having an audit at all.
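As an added illustration (example code written for this page, not CER’s tooling or any project’s code), the following Python script performs the relevance check described above against an in-memory stand-in for chain state. It strips the solc metadata trailer so that a recompile with different comments still matches, compares the deployed logic against a fingerprint of the audited artifact, and detects EIP-1967 upgradeable proxies and EIP-1167 minimal clones so that a match sitting behind a swappable proxy is flagged separately. The addresses, bytecode and storage values are constructed; a real checker would fetch them with eth_getCode and eth_getStorageAt. The fingerprint uses SHA-256 purely for portability, which is an assumption of this example (keccak256 would be the natural choice in EVM tooling).

```python
"""Audit-relevance check (added example; not CER's or any project's code).

Does the code actually running at an address match the audited artifact, and
can that logic be swapped later?  A constructed in-memory CHAIN stands in for
eth_getCode / eth_getStorageAt.
"""
import hashlib

# EIP-1967 logic slot: keccak256("eip1967.proxy.implementation") - 1
EIP1967_IMPL_SLOT = "0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc"
ZERO_WORD = "0x" + "00" * 32
# EIP-1167 minimal proxy: prefix, 20-byte implementation address, suffix (45 bytes)
EIP1167_PREFIX = bytes.fromhex("363d3d373d3d3d363d73")
EIP1167_SUFFIX = bytes.fromhex("5af43d82803e903d91602b57fd5bf3")


def strip_metadata(runtime: bytes) -> bytes:
    """Remove the CBOR metadata trailer solc appends (last two bytes = its length).
    The trailer holds the source hash, which changes with any comment or compiler
    setting, so it must not count as a code difference."""
    if len(runtime) < 2:
        return runtime
    n = int.from_bytes(runtime[-2:], "big")
    if n + 2 > len(runtime):
        return runtime
    trailer = runtime[-(n + 2):-2]
    if trailer and 0xA1 <= trailer[0] <= 0xA3:      # CBOR map with 1-3 keys
        return runtime[:-(n + 2)]
    return runtime


def code_fingerprint(runtime: bytes) -> str:
    """Hash of the logic only. SHA-256 is used for portability (assumption)."""
    return hashlib.sha256(strip_metadata(runtime)).hexdigest()


def detect_proxy(code: bytes, storage: dict):
    """Return (kind, implementation_address) for known proxy patterns, else None."""
    impl_word = storage.get(EIP1967_IMPL_SLOT, ZERO_WORD)
    if impl_word != ZERO_WORD:
        return "eip1967", "0x" + impl_word[-40:]      # upgradeable: the slot can change
    if len(code) == 45 and code.startswith(EIP1167_PREFIX) and code.endswith(EIP1167_SUFFIX):
        return "eip1167", "0x" + code[10:30].hex()    # clone: implementation fixed in code
    return None


def check_audit_relevance(address: str, audited_fp: str, chain: dict) -> dict:
    """Classify an address as match / match-but-upgradeable / mismatch / no-code."""
    acct = chain.get(address, {"code": b"", "storage": {}})
    proxy = detect_proxy(acct["code"], acct["storage"])
    logic_addr = proxy[1] if proxy else address
    logic_code = chain.get(logic_addr, {"code": b""})["code"]
    if not logic_code:
        return {"proxy": proxy, "logic": logic_addr, "verdict": "no-code"}
    if code_fingerprint(logic_code) != audited_fp:
        verdict = "mismatch"
    elif proxy and proxy[0] == "eip1967":
        verdict = "match-but-upgradeable"   # true today, not guaranteed tomorrow
    else:
        verdict = "match"
    return {"proxy": proxy, "logic": logic_addr, "verdict": verdict}


# --- constructed sample data (not real contracts or addresses) ---------------
def solc_trailer(ipfs_hash: bytes, solc_version=(0, 8, 19)) -> bytes:
    """Trailer in solc's CBOR layout: {"ipfs": <34 bytes>, "solc": <3 bytes>} + length."""
    body = b"\xa2" + b"\x64ipfs" + b"\x58\x22" + ipfs_hash + b"\x64solc" + b"\x43" + bytes(solc_version)
    return body + len(body).to_bytes(2, "big")

PROLOGUE = bytes.fromhex("608060405234801561001057600080fd5b50")   # typical solc entry
AUDITED_RUNTIME = PROLOGUE + solc_trailer(b"\x12\x20" + b"\xaa" * 32)
RECOMPILED = PROLOGUE + solc_trailer(b"\x12\x20" + b"\xbb" * 32)      # same logic, new comments
DIFFERENT_LOGIC = PROLOGUE + b"\x60\x01" + solc_trailer(b"\x12\x20" + b"\xcc" * 32)
AUDITED_FP = code_fingerprint(AUDITED_RUNTIME)

TOKEN_AS_AUDITED, TOKEN_RECOMPILED, TOKEN_DIFFERENT = ("0x" + h * 20 for h in ("11", "22", "33"))
IMPL_ADDR, PROXY_1967, CLONE_1167 = ("0x" + h * 20 for h in ("44", "55", "66"))

CHAIN = {
    TOKEN_AS_AUDITED: {"code": AUDITED_RUNTIME, "storage": {}},
    TOKEN_RECOMPILED: {"code": RECOMPILED, "storage": {}},
    TOKEN_DIFFERENT: {"code": DIFFERENT_LOGIC, "storage": {}},
    IMPL_ADDR: {"code": AUDITED_RUNTIME, "storage": {}},
    PROXY_1967: {"code": bytes.fromhex("6080604052"),
                 "storage": {EIP1967_IMPL_SLOT: "0x" + "00" * 12 + "44" * 20}},
    CLONE_1167: {"code": EIP1167_PREFIX + bytes.fromhex("44" * 20) + EIP1167_SUFFIX, "storage": {}},
}

if __name__ == "__main__":
    for addr in CHAIN:
        print(addr, check_audit_relevance(addr, AUDITED_FP, CHAIN)["verdict"])
```

A "match-but-upgradeable" verdict is the case the text warns about: the audit describes what is running now, but an admin key can point the proxy elsewhere without any new review, so the check has to be repeated, not done once. Other proxy layouts (custom admin slots, diamonds) are not covered here and would each need their own detector.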
How has the market changed in the past year?
More and more projects are conducting audits out of necessity rather than as a conscious decision. Audits are needed for:
- listing on a crypto exchange
- integrating into other crypto projects under partnership
- attracting investment funds
What was the effect of CER rating?
The statistics for the past three years show that the CER rating has a significant impact on the overall security of crypto projects, especially crypto exchanges. In 2020, CER’s cybersecurity score was integrated into CoinGecko, accounting for 2 of the 10 Trust Score points. Since 2020, the number of bug bounty programs has doubled and the number of security audits has tripled.
Key finding: CER Rating is the most crucial push factor for projects to follow established security practices.
What effect does the bear market have on the cybersecurity field?
In general, projects do fewer audits and launch fewer bug bounty programs, with lower rewards for the bugs that are found. Nevertheless, large crypto projects with high capitalization and large TVL continue to do regular audits.
Competition between cybersecurity firms is increasing, and so is collaboration between them. Recently, the EEA released the EthTrust Security Levels Specification. Leading security providers, including Hacken, ConsenSys, Trail of Bits, Runtime Verification, EY, OpenZeppelin, and Microsoft, cooperated in establishing an industry standard for smart contract audits. These factors should lead to an improvement in the quality of security audits.
What are the most common mistakes that allow bad actors to steal funds?
Each category of crypto project has its own typical threats. For crypto exchanges, the most widespread cause of a hack is the leak of private keys. These weaknesses persist because exchanges don’t audit their internal processes against standards such as ISO 27001 or SOC 2, so at some point a private key leaks. Also, some exchanges don’t rotate the addresses of their hot and cold wallets for years, so the corresponding keys may be known to a large circle of current and former employees.
Smart contract vulnerabilities and the methods of exploiting them are numerous. They include, but are not limited to, issues related to gas limits, flawed business logic, reentrancy, and unauthorized access. These mistakes create vulnerabilities that can be exploited, leading to the actual loss of funds. In a reentrancy attack, the attacker calls a function again before its first execution has completed (typically from inside the callback triggered by the contract’s outgoing transfer) and repeats this until the entire balance is drained. In an unauthorized access attack, the attacker calls privileged functions that lack proper access control to change parameters or steal funds.
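To make the reentrancy description concrete, here is an added Python model of the call flow (example code written for this page; it is not Solidity and not any real project’s contract). Vault mirrors the classic mistake: it sends funds, which hands control to the recipient, and only afterwards zeroes the balance, so a contract-controlled recipient can call withdraw again from inside its receive hook. SafeVault applies checks-effects-interactions plus a reentrancy guard; the exception it raises stands in for a transaction revert, and run_attack restores the pre-call snapshot to model that rollback. The deposit amounts and the attacker’s stake are constructed values.

```python
"""Reentrancy, modelled in plain Python (added example; not Solidity, not real contracts).

In the EVM an external call runs the callee's code before the caller's next
statement.  A withdraw() that pays out first and updates state afterwards can
therefore be re-entered until the contract is empty.
"""
import copy


class ReentrancyError(Exception):
    """Raised by the guard; stands in for a REVERT of the whole transaction."""


class Account:
    """An externally owned account: receiving funds runs no code."""
    def __init__(self, eth: int):
        self.eth = eth

    def receive(self, vault, amount: int) -> None:
        self.eth += amount


class Vault:
    """Vulnerable: the interaction (send) happens before the effect (balance = 0)."""
    def __init__(self):
        self.balances = {}
        self.eth = 0

    def deposit(self, who: Account, amount: int) -> None:
        who.eth -= amount
        self.eth += amount
        self.balances[who] = self.balances.get(who, 0) + amount

    def withdraw(self, who: Account) -> None:
        amount = self.balances.get(who, 0)
        if amount == 0:
            raise RuntimeError("nothing to withdraw")    # check
        self._send(who, amount)                          # interaction: control leaves the contract
        self.balances[who] = 0                           # effect: applied too late

    def _send(self, who: Account, amount: int) -> None:
        if self.eth < amount:
            raise RuntimeError("transfer failed")        # a CALL with insufficient balance fails
        self.eth -= amount
        who.receive(self, amount)                        # recipient's receive/fallback runs here


class SafeVault(Vault):
    """Checks-effects-interactions plus a mutex; either one alone already stops this attack."""
    def __init__(self):
        super().__init__()
        self._locked = False

    def withdraw(self, who: Account) -> None:
        if self._locked:
            raise ReentrancyError("reentrant call")
        self._locked = True
        try:
            amount = self.balances.get(who, 0)
            if amount == 0:
                raise RuntimeError("nothing to withdraw")    # check
            self.balances[who] = 0                           # effect first
            self._send(who, amount)                          # interaction last
        finally:
            self._locked = False


class Attacker(Account):
    """A contract whose receive hook calls back into the vault while it can still pay."""
    def __init__(self, eth: int, stake: int):
        super().__init__(eth)
        self.stake = stake

    def receive(self, vault, amount: int) -> None:
        self.eth += amount
        if vault.eth >= self.stake:
            vault.withdraw(self)    # re-enter before the outer withdraw has zeroed our balance


def run_attack(vault_cls) -> dict:
    """One transaction: the attacker withdraws its 10 from a vault holding 100 (constructed amounts)."""
    vault = vault_cls()
    honest, attacker = Account(eth=90), Attacker(eth=10, stake=10)
    vault.deposit(honest, 90)
    vault.deposit(attacker, 10)
    snapshot = copy.deepcopy((vault, honest, attacker))
    try:
        vault.withdraw(attacker)
        reverted = False
    except Exception:                   # any failure reverts the whole transaction
        vault, honest, attacker = snapshot
        reverted = True
    return {"reverted": reverted, "attacker_eth": attacker.eth, "vault_eth": vault.eth}


if __name__ == "__main__":
    print("vulnerable:", run_attack(Vault))       # attacker walks away with the honest user's 90 too
    print("hardened:  ", run_attack(SafeVault))   # reverted, balances untouched
```

Against Vault the attacker’s single call nests ten withdrawals and ends with the whole 100; against SafeVault the nested call hits the guard and the transaction reverts. Ordering the state update before the external call is the fix auditors look for; the mutex is defence in depth for cases where the ordering is hard to guarantee across several functions.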
What upcoming trends connected to transparency can we expect in the near future?
Since most projects depend on security ratings for new investments and listings, we expect more attention to security audit reports, bug bounties, and insurance. Companies undergoing assessments will be more interested in telling the world what they did to improve their positions in the ratings.
Projects will openly publish data about their token supply, showing how tokens are distributed and when unlocks occur. Currently, third parties investigate token supply on their own, but it is better when the project provides this information itself.
Upcoming trend: More security services and more disclosure to move up in ratings.
In the meantime, CER’s security rating for exchanges and cryptocurrencies will become more comprehensive, with additional indicators and a more detailed breakdown of existing metrics. We are improving the rating so that only the most secure and transparent crypto projects can receive the maximum score. While updating the rating, we keep communicating with aggregators, security service providers, and crypto projects to introduce changes based on honest feedback from the market.
CER is becoming an all-in-one security rating, aggregating all the necessary data to fully assess the project’s safety and risks.