October 15th, 2020
Functionality and security testing is an essential part of the software development lifecycle. The average developer creates a bug every 13 lines of code. Smart contracts, which are often written in newer programming languages (like Solidity) and on relatively new platforms, are likely to have an even higher error rate than this.
Software development best practices state that testing should be a part of the development process. Typically the testing stage comes after the code is complete but before release. The DevSecOps movement is trying to “shift security left” by making it part of automated developer workflows.
However, many DeFi projects aren’t following these best practices. Instead, they choose to “test in production”, a practice that puts the software, its users, and the company at risk.
Software vulnerabilities and other bugs can be found in a number of different ways. Traditionally, many companies try to identify and correct as many issues as possible while the software is still in development. As a result, only 15 of the original 70 bugs per 1,000 lines of code reach the consumer.
Post release, many companies will also support additional vulnerability detection efforts through bug bounty programs. These programs reward security researchers for ethically reporting vulnerabilities in the software, enabling the manufacturer to fix them before they are exploited.
The “test in production” movement skips the first phase of performing in-house bug hunting before release. These smart contracts are released without having undergone any security audits or assessments. Instead, the developers hope that any vulnerabilities discovered will not be exploited by an attacker before they can be corrected.
DeFi DApp users invest money in these protocols in order to make trades and, hopefully, turn a profit. The smart contracts that power these apps run on the blockchain, and their transactions are stored on the immutable distributed ledger, making it impossible to reverse a successful hack.
These facts make the “test in production” approach to DeFi security very dangerous for users. A simple smart contract vulnerability, like the one discovered in the YAM Finance smart contract, can result in theft of, or loss of access to, user funds. Within two days of operation, the YAM Finance contract was hacked, permanently locking $750 million of user funds within the broken contract.
Testing in production saves DeFi developers time and effort by eliminating the need to perform proper debugging and security testing before launch. However, these advantages come at the expense of their users.
Protecting DeFi apps (or any DApp) against attack requires integrating security into the development lifecycle. By identifying and eliminating potential attack vectors before the code is placed in production, developers gain user trust and reduce the probability of an embarrassing and expensive hack.
An effective DApp security assessment requires more than just a smart contract audit. DApps require a smart contract audit and a comprehensive penetration test of the associated web application to achieve full coverage of the potential attack surface.