VeradiVerdict - Issue #170
Vulnerabilities in smart contracts have been a longstanding concern of the crypto ecosystem and one of the most highly-touted criticisms of DeFi. Earlier this year, PolyNetwork made headlines when over $600 million in assets were stolen in a smart contract attack by a self-proclaimed “white hat” hacker, demonstrating the need for much more rigorous security practices around smart contracts.
Much of smart contract security efforts have focused on pre-deployment audits, where experienced security researchers identify key vulnerabilities in smart contracts to be addressed before their deployment. This approach unfortunately fails to capture latent vulnerabilities that are only discovered later, potentially by bad-faith actors that could threaten the balances of millions of DeFi users.
Forta is a new project incubated by OpenZeppelin that helps developers better identify vulnerabilities during real-time execution of smart contracts. Forta has two components:
Agents are scripts that scan blockchain transactions for threats, anomalies and other risks. Anyone can write an agent to monitor any smart contract or transaction, enabling an expanding community of agent writers to address the potential vulnerabilities in the evolving smart contract ecosystem.
Nodes are servers that run agents against L1 or L2 blockchains. When an agent detects something, the node emits an alert that is stored in IPFS and recorded on Polygon.
Forta also offers several addition features to enhance smart contract security, including an interface for developers to easily deploy and manage agents (Forta Connect), a tool for users to browse and subscribe to specific alerts (Forta Explorer), and agents with obfuscated code and encrypted alerts for discreet vulnerability monitoring (Private Agents).
As of today, over 200 agents have been deployed to surface alerts like unusually high gas fees, unusually high transaction volumes, and reentrancy calls. Leading DeFi projects are also integrating with Forta to monitor a variety of security, financial, operational and governance risks. The Forta community has grown to over 10,000 members on Discord.
Ultimately, with real-time detection of vulnerabilities, Forta offers a more complete solution towards smart contract security, helping popularize smart contracts as a secure, trustable technological primitive, and in turn, advancing the secure, decentralized vision of web3.
New Technologies, New Risks
Since the launch of Ethereum in 2015, smart contracts have become the defining feature of web3 technology. While Bitcoin showed the viability of a fully-decentralized public ledger, Ethereum popularized a fully-decentralized model of compute––one that remains unparalleled in terms of its trustlessness and transparency. Smart contracts enabled developers to deploy new custom applications to the blockchain, powering hundreds of use cases that have exploded into a multibillion dollar ecosystem today. They are central to most crypto projects today, including Uniswap and the Maker protocol, and have enabled the incredibly rapid growth of numerous newer blockchains, including Solana, Binance Smart Chain, and Polkadot.
Inevitably, with new technological territory come new technological risks. Earlier this year, PolyNetwork made headlines when over $600 million in assets were stolen in a smart contract attack by a self-proclaimed “white hat” hacker; though the assets were returned in full, the incident demonstrated the importance of rigorous security practices and monitoring in developing the technology that underpins the next generation of the financial system. Vulnerabilities in smart contracts have been a longstanding concern for the crypto community, so much so that “smart contract risk” has become a term of art in the financial sphere to describe how bugs and missteps in contract execution must factor into determining the risk of a digital asset or investment decision.
From One-Time Audits to Real-Time Security
Much of the effort into enhancing smart contract security has focused on smart contract audits, where highly-experienced smart contract developers are hired to review and test a new project’s contracts in order to identify potential vulnerabilities ahead of the project’s public launch. Though audits are crucial for secure blockchain development, they are far from a panacea; many audited projects have fallen prey to smart contract hacks via attack vectors that are only discovered later in the project’s lifecycle.
To prevent these latent attacks, it is critical to constantly monitor an application’s state and security, even post-deployment. In web2, this concept is known as runtime security, and real-time application monitoring and alerting tools have become a staple of most modern cloud hosting services. In web3, runtime security has been significantly harder to enforce given the decentralized nature of applications and the relative newness of the smart contract model.
Forta is a new decentralized runtime security protocol for web3 applications that helps developers better identify vulnerabilities during real-time execution of smart contracts. The project was incubated by OpenZeppelin, a team that has audited dozens of crypto protocols including Compound, Maker, and Augur.
What is Forta’s approach?
Forta’s approach to decentralized real-time security is founded on two components: agents and nodes. Agents are scripts that scan transaction blocks for outlier transactions or changes in the state of smart contracts. Nodes are servers that run agents against blocks of transaction from any Layer 1 or Layer 2 blockchain. If an agent detects a particularly suspicious event or state change, the node emits a public alert that is stored on IPFS and recorded on Polygon.
Importantly, anyone can develop an agent and run it on Forta. The highly malleable and composable nature of web3 applications necessitates a decentralized, community-driven approach to security; no individual actor can identify all possible vulnerabilities in an application. Over 100 developers have created and deployed an agent on Forta. Those interested in creating new agents can check out Forta’s SDK here.
Forta has also released additional features to further enhance real-time security, including:
Forta Connect, a self-service platform that makes it easier for developers to publish and manage agents using MetaMask instead of the command line
Forta Explorer, a tool that helps users browse and subscribe to alerts from Forta agents, via Slack notifications, email updates, and more
Private Agents, which obfuscate their code and alert outputs, allowing developers to monitor for threats with discretion
The project is also releasing an integration with OpenZeppelin Defender, a leading platform for smart contract operations, on November 15. The integration will make it significantly easier for developers to operate and monitor the security of smart contracts through a consolidated user interface.
How might this work in practice?
As an example, let’s return to the August 2021 hack of PolyNetwork. PolyNetwork is a protocol that enables users to transfer digital assets between different L1 and L2 blockchains; it accomplishes this by “locking” a user’s assets on the sending chain and issuing an equivalent amount of new assets on the receiving chain. More specifically, users access the issued assets on the receiving chain through a set of PolyNetwork wallets on the receiving chain. In the attack, the hacker executed a transaction that replaced the public keys for PolyNetwork’s wallets on the receiving chain with the hacker’s own public keys, meaning that the hacker gained full control over the wallets and could siphon the issued assets away from users.
Real-time monitoring with Forta could have avoided or mitigated the attack in two simple ways:
An agent could have detected an unusual state change in the PolyNetwork smart contract that manages its wallets when the hacker replaced PolyNetwork’s public keys with their own. If this state change had been efficiently surfaced to the PolyNetwork team, the original public keys could have been reinstated, preventing the attack entirely.
An agent could have detected unusually large changes in the balances of PolyNetwork’s wallets on the receiving chains, enabling the team to recognize the attack earlier and limit the extent of losses.
As of today, over 200 agents have been deployed to identify and flag vulnerabilities like the one described above. Several leading DeFi projects are also integrating with Forta to monitor for security, financial, operational and governance risks. Since Forta was announced on October 1, their community has grown to over 10,000 members on Discord.
Better blockchain security is paramount for the growing institutional and mainstream interest in crypto. Hacks like the attack on PolyNetwork earlier this year, on The DAO in 2016, and on Parity in 2017, have soured many potential users’ initial conceptions of crypto and DeFi; resolving such incidents and preventing them in the future is critical to building confidence in blockchain and smart contracts as the fundamental technologies that underpin the next generation of the financial system.
By abstracting web3 runtime security into simple tooling, Forta makes it easier than ever for developers to write and manage smart contracts with rigorous security practices. The project’s decentralized approach also makes it simple for anyone to track specific behaviors in smart contracts, which is necessary to address the growing set of vulnerabilities within the constantly evolving smart contract ecosystem. Ultimately, Forta is a massive step forward in enhancing smart contract security, helping smart contracts become the bread and butter of the Internet, and in turn, helping realize the decentralized, secure, and trustless vision of web3.
- Paul Veradittakit
Coinbase Analysts See ‘Green Shoots’ After Weak Third-Quarter Results
The largest U.S. cryptocurrency exchange should benefit from near-term crypto strength and diversification of revenue streams.
Apple CEO Tim Cook says he personally owns Bitcoin - but dismisses idea that tech company would allow products to be bought with cryptocurrency
Apple CEO Tim Cook said that he personally owns cryptocurrency, but did not specify which one.
You’ll soon be able to earn bitcoin every time you eat at Bubba Gump Shrimp or Morton’s
Restaurant giant Landry’s is partnering up with crypto custody firm NYDIG to power a bitcoin loyalty rewards program at its 500 locations nationwide.
Huobi Global to Expel Singapore Users, Citing Local Regulations
The exchange is looking to expand overseas to make up for lost Chinese users.
Day 7 of Kleiman v. Wright: Wright Tells Jury Kleiman Only Mined ‘Testnet’ Bitcoins
The self-styled “Satoshi” also testified that he bought (and then spent) 1.1 million BTC through the notorious “Tulip Trust.”
IN THE TWEETS
NEW PRODUCTS AND HOT DEALS
Andreessen Horowitz Leads $50M Investment in Ethereum Layer-2 Developer Matter Labs
Matter Labs, an Ethereum layer-2 developer team, has raised $50 million in a Series B funding round led by Andreessen Horowitz (a16z)
LETS MEET UP
Los Angeles, Nov 22-26
Coffee meetings or walks in San Francisco
Hi, I’m Paul Veradittakit, a Partner at Pantera Capital, one of the oldest and largest institutional investors focused on investing in blockchain companies and cryptocurrencies. I’ve been in the industry since 2014, and the firm invests in equity, early stage token projects, and liquid cryptocurrencies on exchanges. I focus on early-stage investments and share my thoughts on what’s going on in the industry in this weekly newsletter.