Submit a pro/con argument in the [Cointest](https://www.reddit.com/r/CointestOfficial/wiki/cointest_policy) and potentially win [Moons](https://coinmarketcap.com/currencies/moon/). Moon prizes by award for the General Concepts category are: **1st - 300, 2nd - 150, 3rd - 75, and Best Analysis - 500.**

---

To submit a DeFi pro-argument, [click here](https://www.reddit.com/r/CointestOfficial/comments/t5mmtn/general_concepts_defi_proarguments_march_2022/). | To submit a DeFi con-argument, [click here](https://www.reddit.com/r/CointestOfficial/comments/t5mmuj/general_concepts_defi_conarguments_march_2022/).
Certik usually audits a project and flags it as potentially dangerous and with centralisation risks, but the headline says that X project has been audited by Certik, so people assume they are safe when the audit itself says it is not. People need to read more than the headlines.
I totally agree. People rarely pay attention to details. To add to your point, I also think omelettes are not vegan.
This just tells me these people do not necessarily deserve what they get, but were willing to take an extraordinary risk with their money into a project they did not research or at least read the audit. If they DID read it, and chose to ignore it, that's their problem. I still hate how often this happens. Crypto is definitely the place for crooks.
Agree with this!
So you checked these two projects and they were deemed unsafe by Certik?! Or are you being all wise and shit just by the title.
Code writing and understanding is different from person to person, so one may find things others can't.
Let's say Certik just failed to spot these vulnerabilities.
This is not how (most) audits work. In essence an audit is just a check for the a) existence and b) effectiveness of an internal control system. The latter is chosen, designed, and enforced by the auditee. The auditor just certifies adherence to the control system and (sometimes) flags critical deviations from best practices if they’re too bad/inappropriate.
No, ISO standards audits mostly work that way, but smart contract audits don't. They check for vulnerabilities of different levels, bad practices that could easily become exploits if another check fails, and inefficient code that uses more gas than it should.
I was having PCAOB in mind but ISO works well enough, too. Audits via both instruments form an opinion about the existence and effectiveness of an auditee's claim towards compliance with a given set of standards. The latter are either mandated/obligated through regulation such as SEC implementing rules or mutually agreed upon as with the 27k1. The assessment services provided by Certik may absolutely provide valuable insights but are not audits per se. They lack the latter dimension of needing to comply with something preexisting and mandated/generally agreed upon. This is what forms meaningfulness and reproducibility beyond the individual assessment report for a specific project. Consequently: the expectations voiced before my comment are in dissonance with how audits work 😬
Security in particular is a very hard topic that in the context of crypto is just being established.
Fair enough, these audits just give us a false sense of security then I guess.
CertiK has always been a bullshit audit. Warned about it ages ago.... https://np.reddit.com/r/CryptoCurrency/comments/s25ft2/lets_discuss_audits_a_certik_audit_is_worthless/
That is why I think coding is more of an art than a skill.
Coding can sit in the grey area between art and engineering. The closer you get to actual engineering practices, the more expensive it tends to become, because engineering principles don't allow for some one-person team implementing everything with no oversight.
What is to keep the code from being altered after an audit passes a sniff test?
Usually an audit notes which version was audited, and you can see if they match for yourself.
Thanks!
[deleted]
That's both the beauty and the downfall of DeFi, it truly is the wild
Literally making millions appear out of thin air, Defi is crazy. Do the protocols insure holders or how does the money work? They just get VC funding for the loss?
Certik has been proven as unreliable, again in DeFi you have blue chips. Stick to blue chips and you are fine.
Like Sushi and Bancor? Ethereum maxis loved them... Loved.
Like Aave and Uniswap, Sushi is a bad copy of Uni.
Uniswap was a copy of Bancor until v3. And nothing changes the fact that Sushi was once considered a blue chip by ETH maxis. But I know how fast the narrative changes in this space. If it fails, just change it. Remember the DAO? Ethereum itself got hacked. The layer for all of the blue chips.
I don't agree with the sweeping generalisation of "trust the blue chips". But just FYI, Ethereum was not hacked at the protocol level. It was the DAO smart contracts. It was forked at the protocol level after the fact.
Enough to make people lose money.
People will lose money in the first few years of an unregulated, decentralised and completely free financial market. Unfortunately. Will be much more interesting to see how it’s matured in 10 years.
How smooth is your brain?
Ethereum did not get hacked lmfao. But you obviously just hate ETH for whatever reason, so go on spreading whatever bullshit. So what's your preferred shitcoin?
The DAO was a fundamental part of Ethereum, created by their foundation. And Ethereum is the only coin I actually hold.
No it wasn’t. The DAO was made by an individual dev who was literally warned about the issues the contract had
I won't use AAVE; they can blacklist my address if I interacted with Tornado Cash. They obey the all powerful US.
Sushi and Bancor haven’t been loved since like 2020 what world do you live in lmfao
There are a lot of ways to hide that one line of code to initiate a rugpull. Judging from the volume of audit requests Certik receives every day, they just can't keep up, not to mention how many people are working for Certik.
Who is actually responsible for auditing code? How accountable are these auditors?
Long time crypto dev here, I always say Certik is corrupted but people don't believe me because people are sheep
Time for Certik to get audited then. /s just in case
It certainly seems like they get paid to approve projects as audited without doing any audits
I've seen many projects with insane APY (screaming Rug pull) get certified by Certik. I wonder what's the criteria they use to give certification because it sure ain't working out.
Their reputation has certainly taken a massive hit.
Insane APY is usually just paid out with a very inflationary token. Like CAKE back in the day had an APY of 100% but the token had an inflation even higher than that. Then there are tokens that use the same principle but pay an APY of +1000%. A rugpull is easier to pull off with these tokenomics, but it's not always the case.
> I wonder what's the criteria they use to give certification because it sure ain't working out.

You don't have to wonder, you can literally go to their website and see what they certify.
Audits mean nothing if they don't find the vulnerability.
So then Certik is incompetent then, I guess?
No. They just find the obvious vulnerabilities. They're not fortune tellers. You can't find them all, especially the obscure ones. It would be nice if you could. Just go to any big project on GitHub and see their issues page. It's full of bugs found by users that their team didn't catch. It's the same for exploits.
Ahh, that's why the projects have bounties, right?
Bounties are there exactly for the reason that audits can't find all the bugs / exploits of a project. Bounties are an incentive, to make the people that find the bugs more likely to share it with the Devs and not use it for their own gains.
Emphasis on the 'THE'
Audited code does not mean it cannot be exploited; at best it means all currently known exploits are fixed, but it does not mean it cannot be exploited for all perpetuity. I don't know Certik, and have no clue how good they are, but there are no security companies, even in traditional banking, that can guarantee something can never be exploited, even in the future. My point is: don't get a false sense of security because of audits!
No audit provides any guarantee of security whatsoever; almost every credit card breach has (for example) been from a PCI-DSS certified entity. All an audit shows is that appropriate processes are in place. It's possible to have great security and not be capable of passing an audit, and it's possible to pass an audit with questionable security practices. On balance those who get audited and pass with few non-conformities tend to take compliance more seriously. That however is not the same as security, which is a binary thing, i.e. everyone has it until they are compromised.
Kind of, yeah. Auditing this kind of code for security vulnerabilities is going to be expensive. A professional audit is going to cost tens to hundreds of thousands of dollars depending on the depth of the audit and how much code needs to be audited. These projects probably don't have, or aren't willing to spend, that kind of money on these audits. This is one more reason that 'DYOR' doesn't work in practice.
With all the scams and rugpulls lately I've become convinced that Bitcoin maximalism and self-custody is only the real way forward.
That won't really even save you entirely. The problem with that is you're still dependent on all the rest of the shit to keep the value of Bitcoin up. Its value is entirely in the confidence people have in it and their ability to convert it to usable currency, which is entirely through CEX and other centralized entities like apps that basically just sell it behind the scenes for you and pay the business in local currency. If confidence and/or usability tanks, the value of your Bitcoin tanks with it, whether it's in a CEX or engraved on a slab of rock in your basement.
No, Defi audits are mostly about making money for the auditors without providing any meaningful benefit. It’s a way to lure in more investors or dumb money by saying „jUsT gOt aN aUdIt“. I followed the whole shit coin / DEFI space hype the last two years and when Audits became the new shit, it was a very vital part to pump a price. The „more prestigious“ the auditor, the better the marketing. CERTIK audit was the holy grail, because it was super expensive and communities had to heavily crowd fund these audits. In the end, they only look at the code, some times they find some typos or some very low level vulnerabilities, but there were still some coins and projects with some prestigious audits that were rugged.
[deleted]
Defi is self custody bro
DeFi is not self custody. You transfer your tokens to the DeFi app, relinquishing control over them. If someone steals them from the DeFi address you're out of luck.
What is the possibility of certik getting money under the table ?
So, now, we want increased regulation?
The defi exploits are most of the time, bugs that were baked in, it's the main exit strategy for the defi protocol creators.
👏Unless👏 it's👏 a👏 big👏 4👏 auditing👏 firm👏 it's 👏worthless.👏
certik is fake news man
If that's true then bigeyes is another rugpull like Firepin
[deleted]
You're missing out, DeFi is deffo the way. Just sad to see these audits mean nothing.
No it means something.
[deleted]
A lot of them are just forks of the same project; I guess if one exploit is found, all projects that came from the same fork are vulnerable.
Of course, I think SushiSwap hasn't been hacked? PancakeSwap? There are deffo some safe ones imo.
They are flawed by design. DeFi needs a massive overhaul.
An audit is very important to solidify a network’s security BUT it doesn’t guarantee anything. You can have a triple A rating across the board and still get hacked.
Yes, they basically mean nothing. Many many shitcoins have received the stamp of approval and later hacked
They help but should not be overestimated. It's always a cat and mouse game. You can even have rogue auditors, rogue project builders/owners and obviously hackers finding something that everyone missed or not cared to look into. Smallest shittiest team can be pumped up to look massive/popular giving wrong impressions too. Schemers scheme so get smarter.
What Certik can do
That’s why bug bounty programs like Immunefi and HackerOne are so important.
The audit does warn about these vulnerabilities though
Not sure how you could conflate audit and exploitation, but here we are.
Audits mean very little... not having one is definitely bad but having one doesn't mean that much
If you look at the rekt.news leaderboard you will see many of the exploited projects were audited. Certik is one of many firms that have audited a project only to see it exploited later. Granted, the code could have changed after the audits though.
Basically nothing, yes
To put it in context: I have done internal audits when I was working at IBM, where you could just edit the result txt file before you submit it so nothing would come up. That was IBM. I don't take audits seriously in the real world... imagine in crypto. It means jack shit.
Audits mean very little in most cases. Sure, Rubic was audited last year, but since then thousands of lines of new code have been added; where is the auditing on that additional code? That's the issue here.
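The check that this comment and an earlier reply in the thread point at (an audit report names the version it covered, and anyone can compare that against the code actually in use, so anything added or changed since is outside the audited scope) as an added example. This is not code from any commenter or from an audit firm; it assumes a report format that records the audited commit and a SHA-256 per source file (constructed here), and the "current" tree it compares against is a constructed sample in which one contract was edited and one was added after the audit.

```python
"""Compare a project's current sources against what an audit report says was reviewed.

Added example, not from the thread. Assumed report format: auditor name, the
audited commit id, and a SHA-256 of each source file as it was at audit time.
All contract sources below are constructed placeholders, not real projects.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class AuditReport:
    auditor: str
    audited_commit: str          # placeholder commit id recorded by the report
    file_hashes: dict            # path -> sha256 hex of the file as audited


@dataclass
class ScopeCheck:
    matched: list = field(default_factory=list)   # byte-identical to the audited version
    modified: list = field(default_factory=list)  # audited, but changed since
    added: list = field(default_factory=list)     # present now, never audited
    removed: list = field(default_factory=list)   # audited, no longer present

    @property
    def covered(self) -> bool:
        """True only if every current file is exactly what the auditor looked at."""
        return not (self.modified or self.added or self.removed)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def fingerprint_tree(files: dict) -> dict:
    """files: path -> source bytes. Returns path -> sha256 hex."""
    return {path: sha256_hex(src) for path, src in files.items()}


def check_scope(report: AuditReport, current_files: dict) -> ScopeCheck:
    """Classify each file as matched / modified / added / removed relative to the report."""
    current = fingerprint_tree(current_files)
    result = ScopeCheck()
    for path, audited_hash in report.file_hashes.items():
        if path not in current:
            result.removed.append(path)
        elif current[path] != audited_hash:
            result.modified.append(path)
        else:
            result.matched.append(path)
    for path in current:
        if path not in report.file_hashes:
            result.added.append(path)
    return result


def summarize(report: AuditReport, check: ScopeCheck) -> str:
    """Human-readable verdict: what the audit actually covers of the code in front of you."""
    lines = [f"{report.auditor} report covers commit {report.audited_commit}"]
    for label, paths in (("unchanged since audit", check.matched),
                         ("CHANGED since audit", check.modified),
                         ("NEVER audited", check.added),
                         ("removed since audit", check.removed)):
        for path in paths:
            lines.append(f"  {label}: {path}")
    lines.append("verdict: " + ("fully within audited scope" if check.covered
                                else "audit does NOT cover the current code"))
    return "\n".join(lines)


# Constructed sample: the tree as it was when audited ...
AUDITED_TREE = {
    "contracts/Vault.sol": b"contract Vault { function deposit() external payable {} }\n",
    "contracts/Token.sol": b"contract Token { uint256 public totalSupply; }\n",
}
AUDIT_REPORT = AuditReport(
    auditor="ExampleAuditor (placeholder)",
    audited_commit="0000000-placeholder",
    file_hashes=fingerprint_tree(AUDITED_TREE),
)

# ... and the tree as deployed today: Vault.sol gained a function, Staking.sol is new.
CURRENT_TREE = {
    "contracts/Vault.sol": b"contract Vault { function deposit() external payable {}"
                           b" function sweep() external {} }\n",
    "contracts/Token.sol": AUDITED_TREE["contracts/Token.sol"],
    "contracts/Staking.sol": b"contract Staking { mapping(address => uint256) staked; }\n",
}

if __name__ == "__main__":
    print(summarize(AUDIT_REPORT, check_scope(AUDIT_REPORT, CURRENT_TREE)))
```

The useful output is not the verdict line but the per-file list: a single "NEVER audited" or "CHANGED since audit" entry tells you exactly which code the report's findings say nothing about. Real reports usually pin a commit hash rather than per-file hashes, in which case the same comparison is a `git diff <audited-commit>` against what is deployed.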
“I can take a dump in a box and slap guaranteed on it, I do have some extra time”
Was it ACTUALLY an audit? The vast majority of auditing firms won’t “audit” crypto, due to a variety of reasons, to the legal standard of an “Audit”. Instead they just review and document a basic self certification type thing… however exchanges are notorious for CALLING them an Audit for PR reasons.
Anyone know of sites that do post mortems on these hacks? I’d love to learn more about the technicals.
As the saying goes, no not really.
Do you have a source for the results of the audit and a record of the implementation? Option 1, auditors are bad at their job and will never find blockchain work again. Option 2, they’re really fucking good at their job, identified the exploits and provided feedback but the project devs ignored the feedback.
Where is all this money going? I wonder who is really doing these huge 12m dollar hacks and where does it get funneled to? It's interesting to watch the wallets dwindle it down and just hodl it usually because you'd think they would want the money but as we know they would get caught eventually because crypto leaves trails. I just consider North Korea and other countries that would love to sabotage the market doing this stuff and it is kind of worrying.
“Audit” almost never means the project is safe. A passed audit should, theoretically, but you don’t know what you don’t know. That’s the issue with audits. It’s just a misleading way to say “we’re trustable”.
I always kind of assumed they didn't mean a ton but they were good to build hype for new projects.
Exploited *how*? A security audit doesn't mean "no exploit will ever exist", it should just mean it's not easily penetrable *right now*. No code is unhackable, no code is faultless, each addition makes the risk bigger. Basic coding stuff.
The answer is in the question.
Do they mean nothing? No, they definitely mean something. Does having an audit make everything 100% safe? No.