Mikko Ohtamaa 🐮
Apr 27 70 tweets 16 min read
1/ CAN #DEFI SMART CONTRACTS EVER BE SAFE?

Is it possible to write bug-free software?

No spoilers, to get the answer you need to read this thread on Twitter *NOW*, before Muskalypse starts.

#infosec #ethereum

👇👇👇
2/ #DeFi keeps scoring higher and higher in the value of "hacks", counting losses in dozens of millions of dollars. This will make the users legitimately worried.
3/ But not just users as "heists" make great headlines that the press likes to tout, often missing the positive benefits, or "innovation" in blockchain and #defi industries.
4/ In this thread, we look at the security aspect of DeFi and this aspect only.

The security (or lack of it) is the next argumentation point for "DeFi can never happen" folks after we get over the argument "DeFi does not create anything valuable".
5/ For the value creation argument, public blockchains and decentralised finance can create fundamental value, not just speculative value and negative effects.

For insight into what this value is please read my blog post here:

tradingstrategy.ai/blog/most-effi…
6/ So let's divulge the details of the interesting question "WYAAAAAR DEFI CAN NEVER BE SAFE REGULATE REGULATE PONZI HACK NORTH KOREA SANCTIONS LAZARUS GROUP SCAM RUG I HOPE ALL DEFI BURNS" argument.
7/ CAN YOU WRITE BUG-FREE SOFTWARE?

👇👇👇
8/ Yes. See my screenshot.
9/ Now when we have gotten "no bug free software can exist" out of the way, let's dice the bugs a bit more. Hakuna matata.
10/ The argument "no bug free software exists" often comes from software developers. Often this argument comes from software developers that have never written smart contracts themselves.
11/ The "no bug free software exists" argument is not a mature opinion; it is very easy to write simple software without any bugs (see above). It is harder to write complex software without bugs.

The wrong question is "is it not possible". The right question is "how hard is it"?
12/ Smart contract programming is closer to embedded programming (automotive/aero/space/toasters) than traditional programming which most of the software developers are familiar with.

Also, smart contracts are closer to math than programming.
13/ Real #DeFi products are "protocols". Protocols entail a small core, with a number of limited rules and equations.

The core of Uniswap v2 protocol is here, around 400 lines of code:

github.com/Uniswap/v2-cor…
14/ I bet any senior software developer agrees that you can write 400 lines of code without any bugs. Which is the case. Uniswap v2 has never been "hacked". Uniswap v2 and its derivatives have transacted billions of dollars of volume.

tradingstrategy.ai/trading-view/e…
15/ Furthermore, unlike in real-world industries in the meat space, smart contracts are deterministic.

You do not need to deal with failing analogue inputs or components. No sandstorms blocking your solar panel or no failing integrated circuits.
16/ Smart contracts can also often be mathematically proven to be right.

This is called formal verification.

Here is an example of formal verification of the "Ethereum 2.0" deposit contract:

daejunpark.github.io/deposit.pdf
17/ Also, attack vectors are well-known at this point - new attack vectors are getting rare after 6 years of smart contract evolution. Makes the job easier when you know the enemy.

An example security check list:

ethereum.stackexchange.com/questions/8551…
18/ I DO NOT BELIEVE YOU; HACKS STILL HAPPEN. PROVE ME THEY DO NOT HAPPEN.

👇👇👇
19/ I have $150B reasons to say writing secure #DeFi is possible.

Here is a list of some of the "blue chip" projects that have "never" been hacked.
20/ (First, let's define hack as "losing a significant amount of money that makes headlines and kills the project due to the programming error".)
21/ DeFi bluechips

- makerdao.com
- curve.fi
- aave.com
- uniswap.org
22/ Then we have popular ERC-20 token contracts that have $100B assets tied to them

- USDT tether.to (might be questionable for other reasons, but not for technical security)
- USDC circle.com

Never hacked.
23/ So writing an unhackable ERC-20 token contract is definitely possible.
24/ Then we have Bitcoin that has never been hacked (at least not after 2010):

en.bitcoin.it/wiki/Value_ove…
25/ Note that the same "never hacked" argument can be applied to centralised cryptocurrency exchanges. There are exchanges that have never been hacked, although their users have been: Kraken, Coinbase.
26/ A lot of crypto would have already disappeared to North Korea by Lazarus group if it were possible to take it.
27/ BUGS STILL HAPPEN.

Don't take me as a fool, as I have written software for 25 years.

Then we mitigate.
28/ Risks can be managed with a framework.

A risk framework comes down to only a few factors

Risk
- likelihood
- impact
- mitigations
- residual (after mitigations)
29/ *Likelihood*: In the long term, it is a game of statistics, like the insurance business. We can say numbers like bugs per line of code and so on.
30/ *Impact*: Protocols governing millions and billions of dollars need less residual risk (more mitigations) because the impact would be larger.

Also, they have more money to pay for the mitigations.

Nobody cares if your school project gets hacked.
31/ *Mitigations*: Have a solid software development process. We discuss this in a bit.
32/ *Residual*: After the risk mitigations, the likelihood of a bug should go so low that we never get hit by any bugs during our lifetime.
33/ WHAT DOES SECURE SOFTWARE DEVELOPMENT LOOK LIKE?

But maybe it is just a miracle these protocols have not been hacked yet?

No, it's all about mitigations and good risk management.

👇👇👇
34/ As impact goes up (millions, billions of dollars), better to suit up and make sure you do your development well.

How to write bug-free software?

With patience, slowly, a lot of ceremony and people.
35/ Linus's law is the assertion that "given enough eyeballs, all bugs are shallow".

Increase your eyeballs to code ratio. It's easier if the core protocol is small (unlike in e.g. embedded software development).
36/ Key factors

- High-quality software development process
- External independent audits
- Open source bug bounty programs
- Risk management framework
37/ A lot of this is summarised in this excellent presentation by @Corpetty

docs.google.com/presentation/d…
38/ For more technical discussion on "how to build software securely" happy to engage more, so ping me if you need hints or want to criticize.
39/ Some projects like MakerDAO and Aave have risk committees which also look at factors outside pure software:

makerdao.world/en/learn/gover…
40/ My current grief with #DeFi projects is that there are few mitigations to reduce the impact of realised risks - like hacks.
41/ The lack of speedbumps helps attackers to get outsized rewards, like in the case of Wormhole and Ronin hacks.

If withdrawal speeds were limited, the impact would have been lesser.
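
The speedbump idea from tweet 41, modelled in Python as an added example (not part of the original thread): a rolling-window withdrawal cap and a simulation of how much an attacker holding full withdrawal rights can take before operators react. The class and function names, the balance, the cap and the detection delays are all constructed for illustration.

```python
from collections import deque

DAY = 86_400  # seconds


class WithdrawalLimiter:
    """Caps the total outflow inside any rolling time window."""

    def __init__(self, cap, window_seconds=DAY):
        self.cap = cap
        self.window = window_seconds
        self.recent = deque()  # (timestamp, amount) pairs still inside the window
        self.outflow = 0       # running sum of the amounts in self.recent

    def allowed(self, now):
        """Amount that can still leave at time `now` without breaking the cap."""
        while self.recent and self.recent[0][0] <= now - self.window:
            self.outflow -= self.recent.popleft()[1]
        return self.cap - self.outflow

    def withdraw(self, now, amount):
        """Record the withdrawal and return True only if it fits under the cap."""
        if amount <= 0 or amount > self.allowed(now):
            return False
        self.recent.append((now, amount))
        self.outflow += amount
        return True


def simulate_drain(balance, limiter, detect_after_seconds, step=3_600):
    """Worst case: a compromised key withdraws the maximum every `step` seconds
    until operators notice and pause at `detect_after_seconds`.
    Returns the total amount lost."""
    lost = 0
    for now in range(0, detect_after_seconds, step):
        take = min(balance - lost, limiter.allowed(now))
        if take > 0 and limiter.withdraw(now, take):
            lost += take
    return lost


if __name__ == "__main__":
    balance = 500_000_000  # constructed figure
    scenarios = [("no speedbump, noticed after 6 hours", balance, 6 * 3_600),
                 ("10M/day cap, noticed after 6 hours", 10_000_000, 6 * 3_600),
                 ("10M/day cap, noticed after 5 days", 10_000_000, 5 * DAY)]
    for label, cap, delay in scenarios:
        lost = simulate_drain(balance, WithdrawalLimiter(cap), delay)
        print(f"{label}: lost {lost:,}")
```

The cap bounds the loss by cap × days-until-detection, so it only pays off when paired with monitoring that actually triggers a pause.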
42/ I STILL DO NOT BELIEVE YOU. PROJECTS GET HACKED EVERY DAY. INVESTORS LOST MONEY ON A SCAM TOKEN PROMOTED BY KIM KARDASHIAN.

A good point. If it is so well known how to build high quality, bug-free, unhackable #DeFi why do the hacks still happen?

👇👇👇
43/ The short answer is: "arrogance" and "greed".

The projects get hacked because they underinvest in high-quality software development practices relative to the impact of the realised hack risk.
44/ Before we go further, let's first discard

- Did not have money to do this at the beginning

We are not interested in small hacks, because if you have a high quality project with a growing AUM, raising capital to cover security is easy.
45/ Cap the AUM growth until mitigations/impact is correct.

Have a budget number e.g. 5% of free cash flow or $1M/year to spend on security.
46/ This leaves us with big hacks that did not have a sufficient risk framework in place. Two main reasons to get hacked:

- Do not want to invest in security in the first place, because the management does not plan to stay around (are here just to cash easy VC money for lifestyle)
47/ Or....

- Now have the money, but are too busy to party
48/ For example, the Ronin bridge hack is an example of how to lose $500M because of your arrogance.

rekt.news/ronin-rekt/
49/ VCs often call this "scaling too fast" but for me the security always comes first, because established actors know the risks of the blockchain industry. If you underinvest in security someone more capable should replace you and your business in the long run.
50/ What happened with Ronin? They disregarded some of the core cryptographic security principles that have been in place since the 80s.
51/ - No risk management framework - They did not even realise the money was gone until 5 days later.
52/ - No open source and transparency - third parties could not vet if sound software development practices were followed.
53/ - No true decentralisation - compromise of one party (Sky Mavis) led to the loss of all the capital

- They even knew about the compromise, but still did nothing
54/ Because Ronin/Axie Infinity/Sky Mavis is large they can raise equity capital to cover losses of users. But incompetent founders should be diluted away in this process.
55/ Another similar story is Aku NFT auction where they lost $42M.
56/ The auction smart contract was neither audited nor professionally written. No open source on Github, no evidence of solid software development practices followed.
57/ People were even reaching out to the team on Discord and begging them to stop the auction, because they saw bugs in the contract.
58/ Aku team ignored them with "Trust us, we know what we are doing."

Obviously they didn't know.
59/ HAHAHA YOU JUST PROVEN DEFI IS NO SECURITY NIGHTMARE AGAINST YOUR ORIGINAL ARGUMENT

👇👇👇
60/ Not really. To get exposure to unsafe #DeFi projects you need to work hard.

It's unlikely you can buy them at Coinbase.
61/ It's not like 90s predatory pink sheet stock marketing (Wolf of the Wall St). People are not calling your grandma and asking her to put money on this new NFT auction using her Metamask.
62/ To get to be exposed to risky stuff where you can lose money, you really need to learn about DeFi and work hard for it.

In this process, you learn about the rule "Beyond this line it's going to be high risk. Only invest capital you can afford to lose."
63/ So don't be salty when you lose your money. There is always risk/reward ratio and you, like DeFi projects themselves, need to manage the risk. Not all investments can make profit (see startups/NASDAQ tech stock.)
64/ Although DeFi hacks happen, the hacks are not a significant % of the overall market. It's similar to the credit card business - there is always a % of fraud in the overall market.

[NUMBER CITATION NEEDED PLZ]
65/ For comparison, the UK COVID-19 relief loan program saw GBP 20B loss because of fraud and errors, from £260bn - £370bn overall.

theguardian.com/world/2022/feb…
66/ Compared to Boris's numbers, DeFi security is doing really really well.

And it will do better in the future, because the industry matures, we get over the bootstrap hiccups and bad actors get cleaned out.
67/ One can still be skeptical. It is ok to be cautious and critical about DeFi, and I even encourage this. Some things only mature and become less risky over time. But it is very incorrect to say secure DeFi cannot exist now, or in the future.
68/ FIN.

GM.

Thank you to @RektHQ for inspiring me to write this thread and for their non-disclosed sponsorship.
69/ Ps. Subscribe to my *new* newsletter

newsletter.tradingstrategy.ai
Pps. More about losing money in TradFi. And this is your tax money, not magical DeFi money.

archive.ph/carsS
