Breakpoint 2023: Auditor's Panel
Insights from leading blockchain auditors on the importance of security in the Solana ecosystem.
Summary
The Breakpoint 2023 conference brought together a panel of esteemed blockchain auditors who discussed the paramount importance of security auditing in the blockchain ecosystem, particularly within Solana. This panel included insights from Adam Hrazdira of Ackee Blockchain, Peter Cielas from Halborn, Robert Chen of OtterSec, Robert Reith from Neodyme, and Jack from Sec3. These experts delved deep into why auditing is crucial for the safety of decentralized ecosystems, the tools that assist auditors, the collaborative process between developers and auditors, and the exciting potential of AI and machine learning in this domain.
Key Points:
The Necessity of Auditing in Blockchain Security
Through the dialogue, it became clear that auditing is an indispensable part of ensuring the security and integrity of blockchain applications. Auditing acts as a safety net that supplements the use of security tools. Despite the array of tools available to detect vulnerabilities, the panelists emphasized the need for robust manual reviews and one-on-one collaboration with developers to ensure that no stone goes unturned in the pursuit of securing programs.
The Toolbox for Auditors
Auditors utilize a variety of tools to aid in their work, ranging from simple linting programs to compiler messages and more sophisticated scanning and fuzzing tools. These instruments help provide preliminary checks, warning auditors about potential problematic areas that could lead to vulnerabilities. The discussion highlighted the need for high-quality tools to support auditors, including the development of frameworks that streamline processes like fuzzing for developers.
Partnership Between Developers and Auditors
A key takeaway from the panel was the necessity for a collaborative approach between developers and auditors. Developers should come prepared with thorough unit tests and have a robust understanding of their code before approaching auditors. This upfront work helps facilitate the auditing process and enhances program security. The panelists also suggested that developers ensure their code is well-documented and readable to simplify the audit process.
AI and Machine Learning in Security Auditing
Machine learning and artificial intelligence (AI) were presented as promising technologies in the auditing space. However, the panelists also cautioned that while these tools have potential, they require vast amounts of data and may not yet replace the human elements of auditing. They called for responsible usage of AI and highlighted the need for high-quality training datasets to ensure effectiveness.
Post-Launch Security Considerations
Post-launch, continuous monitoring is essential. Watchtower products can alert developers to unusual patterns in smart contract interactions, which may indicate malicious activity. This proactive monitoring complements pre-launch preparation and auditing in maintaining the security of programs.
Facts + Figures
- Auditing is essential for the safety of blockchain ecosystems and of the total value locked (TVL) in them.
- Manual audits are necessary despite the existence of security tools, as some aspects of security require expert judgment.
- Developers should write comprehensive unit tests and prepare their code before contacting auditors.
- Auditors employ a range of tools, including linting programs, compilers, and fuzzers.
- Effective code documentation and readable code can facilitate the auditing process.
- The use of AI and machine learning in auditing is growing, with an emphasis on providing good data to train models.
- Post-launch security tools such as Watchtower can monitor smart contracts for abnormal interactions.
Top quotes
- "It's important to have someone have another look at your code to basically verify that everything that you have done works correctly."
- "The correct way to think about auditing is as they pass. They hopefully will find most of the bugs."
- "Using Anchor correctly... you can put insecurity right from the beginning, essentially."
- "Every contract should be open source."
Questions Answered
What is the role of auditing in blockchain security?
Auditing is fundamental to blockchain security, serving as an extra layer of verification that works alongside security tools to protect blockchain programs. Auditors employ manual and automated practices to scrutinize code, catch potential vulnerabilities, and help developers reinforce their programs against threats.
What tools do auditors use when examining blockchain code?
Auditors have access to a suite of tools that include linters, compilers, scanner programs, and fuzzers. These help them to scan for vulnerabilities, correct code, and rigorously test smart contracts to prevent security breaches.
How do developers and auditors collaborate?
Developers and auditors collaborate in a partnership where developers should first thoroughly test and review their code to ensure a baseline level of quality. Auditors then assist by bringing a fresh perspective, identifying overlooked vulnerabilities, and proposing solutions to strengthen security.
Can AI replace human auditors in blockchain security?
AI has not yet reached a stage where it can replace human auditors in blockchain security. While AI and machine learning technologies offer promise and can assist with some tasks like identifying patterns, intricate knowledge and understanding of code and vulnerabilities still require human insight.
Is open sourcing contracts important in blockchain security?
Open sourcing contracts is considered very important in the blockchain community as it allows for transparency, peer reviews, and community involvement, contributing greatly to the overall security of the blockchain ecosystem.
