BeinCrypto spoke to Dmitry Mishunin, CEO and Founder of HashEx. He discusses the importance of crypto projects testing and auditing their code.
Much like any technology, blockchain is susceptible to errors. One tiny bug in a code can undermine a platform’s security and functioning.
Most recently, an algorithm bug on Binance crashed the price of bitcoin on the platform to $8,200. This incident was quickly resolved. It happened just after BTC reached its latest all-time high of $66,930 on October 20.
This highlights how even the biggest platforms are still struggling with bugs in their code.
Making code clear and understandable
Code bug incidences are not a surprise in the crypto and blockchain world. However, they still cause a lot of pain for those who are affected by them.
Mishunin explains that projects are put under severe pressure to keep up. This is because the space is growing at such an intense rate. All while maintaining expected standards.
“The most important thing to bear in mind with this technology is that everything is public, which means a lot of people will be scrutinizing your code. And unfortunately, not all of them will be doing it with good intentions. The industry has no shortage of bad actors who would try to take advantage of any and all errors and vulnerabilities in a project’s code for their own gain, and you shouldn’t forget about this,” he says.
“Blockchain is immutable, which basically means that your code is exposed to everyone’s eyes and stored live. When you make changes to it, you can’t edit the original data. You can only move it to a new address with the new adjustments. This is something project creators should think of before they write even the first line of code.”
The devil is in the (code) detail
As such, the need for clear and understandable code is even more important. For blockchain projects, the devil is in the detail. This is especially so because the cost of failure could be in the millions of dollars.
“It is crucial to write clear and understandable code from the very beginning and make sure it has as little in terms of vulnerabilities as the creators can possibly make it. It’s like going on a train ride with no brakes – once you are on, there is no getting off it, and the pace of things only continues to pick up as time goes on.”
“Remember – one wrong symbol in the code, one unwritten unit of information, or not well-documented feature may cost millions of dollars. Every step must be carefully considered because often after deployment, you can’t change things, and the cost of making a mistake is very high,” he says.
Code audits are taken seriously
From Mishunin’s perspective, projects and platforms in the space are taking auditing of their code seriously.
“We can see that based on the increasing demands in security audits. Security should be a top priority for any blockchain project from the very beginning. And today, audits have become not just good practice, but a must-have for every project,” he says.
“Most teams do their best to take every precaution in order to make their products as safe as possible and retain the trust of their customers. Projects that take security most seriously order several audits from independent companies, open source their code, invest efforts in documenting it well, hire white-hat hackers, and start bug bounty programs.”
Never going to be 100% safe
However, even if projects are putting in the work to make sure they have clean, safe code, there is still room for bugs to slip in.
“There can be a variety of reasons for this. Unfortunately, no matter how much you invest into testing and audit, it does not guarantee 100% freedom of bugs,” he says.
“Sometimes, if the project is simple enough – for example, it’s a fork of another popular project – the team can skip some phases or decide not to order an audit. In some cases, the project sacrifices time on testing in favor of going live earlier. This is one of the mistakes that you can and should avoid – because even a single typo can lead to serious bugs and massive loss of funds.”
To illustrate how this happens so quickly, Mishunin turns to the Uranium Finance project exploit from April 2021. A simple math bug in the code during the migration to V2.1 resulted in $57 million lost.
Security key issues
Another hack vector is compromised security keys. So even if a project has ensured its code is safe, improperly storing these all-important keys can become a problem.
“To avoid this and keep your crypto funds safe, it is always safer to store keys in cold wallets that are not connected to the Internet. But while a cold wallet is the safest bet, it may not be convenient to use for some people,” Mishunin explains.
“Therefore, another option for securing accounts would be using multi-signature wallets. With those, a transaction needs to be signed by several accounts, and even in the event that one account gets compromised, it won’t become a problem. Because other multisig wallet owners won’t sign off on a malicious transaction.”
Putting in the time and effort
Mishunin’s advice to teams mainly revolves around putting in the required effort. He explains that taking shortcuts and not staying on top of the situation is where problems can begin.
“Projects often have to consider using a complex set of actions that can only help prevent bugs when all the measures are taken together.”
He explains that it starts with choosing the right team.
“It may sound like something obvious, but actually accomplishing it is not easy. Intensive onboarding and training are crucial. Hire talented professionals eager to develop quality code and solutions. It takes the right mindset and specific skills to develop a solid blockchain project,” he says.
In addition, keeping on top of what the industry is doing means you won’t be caught unawares by new attack vectors or hacks.
“Be sure to stay on top of what’s going on with other projects in the industry, keep an eye on known attacks and bugs, review known attacks and share best practices inside your team. Participating in bug bounty programs and contests is also a good idea, as it puts you in the shoes of a potential hacker and could yield insight that you wouldn’t get otherwise.”
Do not skimp on design and testing
It might be easy to overlook this part of the process, as many teams want to focus on the actual product they are making. However, Mishunin strongly warns against taking shortcuts.
“As far as the developing phase is concerned, projects should not cut down on time for design and testing. I would suggest using automated software testing, always aiming at 100% code coverage. Code coverage helps greatly in determining how comprehensively the project’s software is verified and, in turn, where the team should focus their testing,” he says.
“For design, coding, and testing I would recommend leveraging existing or preparing your own checklists. Or even do both in tandem, so that nothing gets missed.”
Ensuring a proper sign-off on code
Finally, he emphasizes the need for a proper release process. This is the final stage but is not the end of the road for project code security.
“A proper release process is also important, as it includes the final sign-off. Using automated scripts for deployments would be preferable here to avoid human errors. And it doesn’t end with the release,” he says.
“Be sure to pay attention to matters of support and incident handling, think in advance, what you should do when hackers come for you. Because chances are – they will at some point.”