TOP 5 questions about security for web3 projects | Majinx.io
24.03.2023

Check out the interview with Ruslan Lynnyk, CEO & Co-owner of Majinx.io, and Yevheniia Broshevan, Co-Founder and CBDO at Hacken.io.
Security is one of the most crucial aspects of Web3 projects.
So, how can a project team achieve a high level of safety for their customers and partners?
Ruslan Lynnyk: What tools and techniques do Hacken developers usually use to analyze weak places in web3 products? How do they work with teams to fix the problems identified?
Yevheniia Broshevan: Some of the tools we use include:
- Slither
- Mythril
- Solgraph
- Echidna and other tools
- MythX and other tools
We take 6 steps in our methodology of working with teams to fix identified problems:
- Preparation for a smart contract audit
- Code review and analysis
- Testing
- Reporting
- Bug fixing
- Scoring
After internal audits and findings, we share a comprehensive report of the vulnerabilities with the team and also recommend how they can fix them. They also have time to fix the issues and get back to us for a remediation check. After that, the final score and reports are published.
RL: Which stage is the most successful in starting work with security auditors: ideas, development or launch, etc.?
YB: The best time to work with security auditors is during the development stage of smart contracts. This will allow any vulnerabilities or security issues to be identified and addressed before the contract is deployed on the mainnet, reducing the risk of potential exploits and protecting user assets.
While conducting audits at later phases, such as during or after launch, is an option, fixing security issues up front can significantly save time, money, and resources. Note that every update to the smart contract requires audits.
The product managers and the founding team should work on the product and how to scale it during the idea phase of a project. Then the developers can take over to implement the solutions as smart contracts.
The auditors can come in after development or proper launch to review the code base and see if it is vulnerable to attack. Note that every update to the smart contract requires audits.
RL: Name the most typical security mistakes made at the stage of web3 development, and give advice to those who plan to launch.
YB: These are the security mistakes during development:
- Access Control Violation
- Denial of Service Vulnerability
- External Calls to Arbitrary Addresses
- Checks-Effects-Interactions Pattern Violation
- Missing Validation / Input Validation Violation
- Flashloan Attack
- Inconsistent Data
- Floating Pragma
You may read more details in the article by one of our Smart Contract Auditors Seher Saylik.
Those who plan to launch must ensure that the logic of their contract is correct and no stone is left unturned. Nonetheless, it is equally important to get the service of a competent third-party auditor, ideally a couple of independent reviews. They should also ensure that access to sensitive data and functions is restricted to authorized roles/users only, and use strong data storage methods for protecting vital data, such as the keccak256 hashing algorithm.
RL: What security trends will survive in 2023? How will these technology trends help to upgrade the crypto field to be a safe place?
YB:
- Devs Adding Security to their Stack: Due to various security issues in the space, blockchain devs are going out of their way to learn security and write more secure contracts. But their basic security knowledge isn’t sufficient because hackers discover new vulnerabilities daily. Hence, the continuous need for brilliant auditors.
- Advancement in Smart Contract Programming Languages: The security of smart contracts starts with languages. Various smart contract language builders are becoming more security-conscious. We can see this in languages like Sway and PACT. Even the latest version of Solidity checkmates some vulnerabilities.
- The rise of more auditing tools: GPT-4 and Pyrometer are on the trend tables. However, these tools might do more harm if they are used as the sole basis for auditing because they are not practically efficient yet. Crypto projects must still use human auditors to be safe.
- Monitoring tools: Over the years, hackers made successful moves because the team didn’t know in time. Monitoring tools that detect vulnerabilities will make the space a safe place.
- Improved security standards: The industry will develop more security standards. These standards will place a bar of excellence that crypto protocols must meet. Examples include the Enterprise Ethereum Alliance (EEA) and Cryptocurrency Security Standards (CCSS).
RL: How can developers decrease the risks of losing money and other problems related to DeFi security protocols and products?
YB: Going forward, DeFi protocols can take these steps to decrease the chance of losing money:
- Put up a decent bug bounty program, e.g., HackenProof
- Get a competent third-party auditing company before the launch. It’s worse to come up with independent auditors
- Regular auditing of smart contracts after launch and updates
- Use on-chain security monitoring tools to detect possible exploits on time
- Use security best practices, avoid redundant complexity and inefficient Gas patterns
- Always write unit tests to check if the system runs in the intended way.
At Majinx, we believe in our partner Hacken’s responsibility and upfrontness.
Their goal is to make web3 a completely secure environment for their consumers.


