In a recent AuditOne Twitter Spaces roundtable, we had the opportunity to delve into the world of Web3 security with key players in the industry: Alexey Lapitsky, Head of Security at Aurora Labs; Guido, a freelancer specializing in audits and development work; and Raja Thota, CTO and Co-founder at AuditOne. They shared insights into their backgrounds, the unique aspects of their work, and a recent collaboration with Aurora Labs.
AuditOne is a leading security services company, providing a full spectrum of solutions from pre-deployment to post-deployment. AuditOne differentiates itself through auditor pooling, in which three to four auditors work together to discover vulnerabilities using a multi-perspective approach. In the future, AuditOne intends to offer automated audit technologies that help auditors achieve even better accuracy and efficiency.
Aurora is a smart contract that runs on the NEAR network; it is written in Rust and compiled to WebAssembly. Its objective is to provide full compatibility with the Ethereum Virtual Machine (EVM). Aurora is committed to ensuring the safety of its users and has launched a bug bounty program that rewards those who identify any vulnerability that could result in a loss of user funds or any other potential security issue. Additionally, they aim to identify performance or incompatibility issues with Ethereum that could trigger logical bugs in some ecosystem smart contracts. Aurora emphasizes that even seemingly minor issues are of great importance to them.
Aurora Labs recently launched an audit contest in which auditors registered on AuditOne are invited to participate. The competition is open until November 18th, focuses on uncovering vulnerabilities in Aurora's smart contract, and provides a $50,000 token payout. The current bug bounty program has limitations on the types of issues it covers, excluding performance problems and crashes. To incentivize deeper investigation of subtle issues, the program will incorporate challenges that address this limitation. It's challenging to align incentives in security, but competition can incentivize code security, which ultimately benefits production.
The contest aims to identify common and subtle issues, such as performance or compatibility problems. Auditors are encouraged to thoroughly inspect the code and report all their findings, not just those that could lead to financial loss. Bug hunting can be time-consuming, but automated tools can help simplify it by using formal verification, fuzzing, and guided fuzzing to generate automated reports.
Guido, a software engineer who specializes in fuzzing, created his own tools, which he frequently uses in bug bounties. Here is how he describes his fuzzer:
“Cryptography consists of various primitives, such as encryption, key generation, signing and verifying signatures, and mathematical operations. My fuzzer can find bugs by running the same operation in different cryptographic libraries and detecting when a library returns a response different from the other libraries. This usually indicates a bug. On top of that, it also has the capability to detect other types of bugs like memory violations and infinite loops. Cryptography is foundational to blockchain projects, so my fuzzer has been useful for identifying vulnerabilities in Ethereum and other projects. My fuzzer is fully open source, and anyone can use it.”
This method has successfully uncovered numerous bugs in popular cryptographic libraries, including ones that have been used for a long time and have been battle-tested. The Aurora team looks forward to using a fuzzer with Sputnik and Aurora to see what it finds.
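The differential approach Guido describes can be sketched in a few lines. This is an added example, not code from his fuzzer or from Aurora: it runs modular exponentiation through two implementations and records every input on which they disagree, treating exceptions as outcomes too. The hand-written implementation and its edge-case bug are constructed for illustration.

```python
import random

def modexp_reference(base, exp, mod):
    # Python's built-in three-argument pow acts as the trusted implementation.
    return pow(base, exp, mod)

def modexp_square_multiply(base, exp, mod):
    # Hand-written square-and-multiply. Constructed bug: when the loop never
    # runs (exp == 0) the initial 1 is returned unreduced, so mod == 1 gives
    # 1 instead of 0.
    result = 1
    base %= mod
    while exp > 0:
        if exp & 1:
            result = (result * base) % mod
        base = (base * base) % mod
        exp >>= 1
    return result

IMPLEMENTATIONS = {
    "reference": modexp_reference,
    "square_multiply": modexp_square_multiply,
}
EDGE_VALUES = [0, 1, 2, 2**64 - 1, 2**64, 2**255 - 19]

def pick(rng, allow_zero=True):
    # Bias inputs toward boundary values, where implementations tend to diverge.
    if rng.random() < 0.5:
        value = rng.choice(EDGE_VALUES)
    else:
        value = rng.getrandbits(rng.randint(1, 256))
    return value if (allow_zero or value) else 1

def run_one(func, args):
    # An exception is an observable outcome: a crash in one library is a mismatch.
    try:
        return ("ok", func(*args))
    except Exception as exc:
        return ("error", type(exc).__name__)

def differential_fuzz(iterations=2000, seed=1):
    rng = random.Random(seed)
    findings = []
    for _ in range(iterations):
        args = (pick(rng), pick(rng), pick(rng, allow_zero=False))
        outcomes = {name: run_one(f, args) for name, f in IMPLEMENTATIONS.items()}
        if len(set(outcomes.values())) > 1:
            findings.append((args, outcomes))
    return findings
```

Every finding this harness reports has an exponent of 0 and a modulus of 1, the kind of boundary input that ordinary unit tests rarely cover.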
Improving Web3 security is a top priority as it continues to evolve. Efforts are being made to explore on-chain security and runtime capabilities for smart contracts, which will enhance protection. Implementing access control, role-based access, control lists, and key management is critical for security. In the future, regulations are expected to be implemented for smart contract security, making security certification essential. The industry is also moving towards incentivizing researchers to find solutions related to governance and access control.
During this insightful discussion, the experts shed light on the ever-changing landscape of Web3 security. They discussed innovative methods to identify vulnerabilities, the difficulties of aligning incentives, and the future of security certifications. The conversation emphasized the ongoing development and significance of strong security practices in the Web3 industry. Whether you're an experienced auditor, project manager, or simply curious about Web3 security, this discussion provides valuable insights into the current state of affairs and future trends in the field.
Alexey Lapitsky - Head of Security at Aurora Labs
Alexey is Head of Security at Aurora Labs. He has a background in engineering and has been focused on security for six years. He has worked in crypto for the past few years and is excited to work in Web3 security.
Guido Vranken - Software security and fuzzing
He participates in bug bounties and audits and occasionally does development work. Guido is not affiliated with any specific company but works as a freelancer for various businesses.
Raja Thota - CTO and Co-founder at AuditOne
Raja Thota oversees our pooling platform's audits, leading technical direction and managing audit processes, bug bounties, and contests. He is a software engineer with three years of experience and a focus on Web3.