
Gu Ronghui, CEO of CertiK: Security audit is a standard configuration for high-quality DeFi projects



DeFi has developed rapidly over the past 8 months. According to Debank data as of September 1, the total value locked in DeFi rose from about 700 million US dollars to 11.614 billion US dollars over that period, about 16.3 times; the total market value of DeFi rose from 1.5 billion US dollars to 18.6 billion US dollars, about 12.4 times; DEX trading volume rose from about US$4.64 million to US$1.1 billion, about 236.8 times; and the total borrowing volume of the mortgage lending market rose from US$149 million to US$1.6 billion, about 10.7 times.

While the DeFi market is soaring, more and more DeFi protocols such as Yam Finance, Spaghetti Money, SushiSwap, and Kimchi Finance have attracted billions of dollars in assets.

Liquidity mining triggered by protocols such as Balancer (BAL), Compound (COMP), Synthetix (SNX), Ampleforth (AMPL), and UWA (yUSD) has set off a wave of enthusiasm. Although many projects have not been audited, many users still invest large amounts of money in them and enjoy mining.


How do you view this wave of DeFi liquidity mining? How should ordinary investors get involved? What are the risks to be aware of? Jinse Finance had a dialogue with CertiK co-founder & CEO Gu Ronghui to discuss the risks and opportunities.


Jinse Finance: How do you view this wave of DeFi liquidity mining?

Gu Ronghui, co-founder & CEO of CertiK: The recent upsurge of DeFi liquidity mining can be said to demonstrate the success of DeFi in new practices. On the basis of DeFi, liquidity mining expands the characteristics of finance, attracts blockchain investors with high profits through mining, and locks up huge amounts of funds, thus providing a foundation for DEXs (decentralized exchanges) to provide massive liquidity (Liquidation).


From the perspective of the financial market, the essence of liquidity mining is to provide a large amount of liquidity for the current DEX. Liquidity mining reduces transaction slippage for DEX, enhances transaction depth, and enhances liquidity. The greater the liquidity, the easier it is for investors in the financial system to buy and sell assets in the market.

From the perspective of the capital market, these DeFi liquidity mining projects have come one after another, precisely because a large amount of funds have poured into them. For example, SushiSwap is supported by community funds, which reflects that the public is generally optimistic about the DeFi market; Uniswap is supported by VC funds, which shows that capital has full confidence in the blockchain, especially in the future of DeFi.


But at the same time, this upsurge also reflects the pursuit of interests by groups and the social values of profit-seeking. Many people think that as long as there is enough profit, the risk is negligible. The excessive hype of the project party and the exaggeration of some media can easily lead the masses to blindly follow the trend and make irrational investment. In particular, mass investors see that some people make money because of this, and there will be "survivor bias", and they will get away with thinking that bad things will not happen to them.

For the blockchain itself, although the current DEX and projects such as SushiSwap have injected great vitality into the DeFi system, they still cannot find enough application scenarios to make this huge financial system profitable, that is, Killer Application. And this application scenario allows DeFi and even blockchain projects to be implemented, and is willing to let the market take the initiative to pay the bill.


In terms of transaction details, due to the slow transaction confirmation time (up to a few minutes) and high transaction fees during the transaction process, it also reflects the shortcomings of Ethereum.

Most importantly, due to the rapid and overheated development of DeFi, many speculators quickly went online in order to make money, released projects following the trend, and even imitated other projects nakedly. Leaving aside the copyright issue in the code world, many of these projects have not been professionally audited, and some are eager to go online without testing. The safety of the project and the safety of the public's funds are very worrying.

Jinse Finance: Many SushiSwap imitation projects have appeared. Are there any security risks or technical risks? Why can't these risks and loopholes stop crazy users?

Gu Ronghui, co-founder & CEO of CertiK: Unaudited contracts have a higher probability of having loopholes, which will become a security risk. And due to the current boom in DeFi mining, loopholes in unaudited contracts are likely to be inherited by emerging mining projects (imitation projects). In order to make everyone see more clearly, I will classify and explain the risks below.

1. Smart Contract Risk

To give the simplest example, there is a mistake when writing code. For example, in the well-known YAM project, the basic calculation formula was wrongly written, resulting in an irreversible situation.

Regarding vulnerabilities related to smart contracts, here I use several projects that have become popular recently as examples: for example, the SushiSwap project has a reentrancy attack security vulnerability; another example is the SushiSwap imitation projects Yuno and Kimchi, which have similar "unlimited issuance vulnerabilities". That is to say, the smart contract owner has the absolute right to issue unlimited tokens. In this case, once there is no external force restriction, it may cause the crazy release of tokens, resulting in token inflation and depreciation. Of course, the current SushiSwap and Kimchi projects have been managed by Timelock, and the problem has been temporarily alleviated.

Once there is a problem with the smart contract and it is used maliciously, it may affect the financial security of the LP (liquidity pool). Contract loopholes can also lead to drastic changes in market prices, such as the YAM project mentioned above, whose value fell from $100 to $1 in a short period of time. In either case, it is a "blood loss" for mass investors.

2. Other risks

In addition to smart contract risks, there are others, including but not limited to lock-up loss risks, operational risks, transaction friction risks, and private key risks. For example, for ordinary users, the mining process is relatively complicated, and if the operation is wrong, the funds will be lost accidentally; for retail investors, each gas fee is relatively expensive, and several gas fees may be paid, but the transaction itself is still unsuccessful.

As for why these risks still cannot resist the flock of users:

First of all, I think that with the emergence of this new financial model, the public is generally willing to "try it out". Second, some people have a herd mentality. Especially now that the news of DeFi liquidity mining is flooding this circle. Of course, the most attractive thing about these projects is the super high returns they can obtain in a short period of time. Such an astonishing rate of return has broken the inherent annualized return limit of traditional finance for several years. For example, the highest APY (annualized) of the SushiSwap project was 20,000% at the beginning, and the highest APY (annualized) of Kimchi was 400,000% at the beginning. In many cases, as long as the profit margin is high enough, the public may be deceived by the interests and ignore the risks and even take risks and try.

Jinse Finance: If ordinary people want to participate, which indicators should they focus on to prevent related risks?

Gu Ronghui, co-founder & CEO of CertiK: First of all, everyone has different risk appetite and financial strength. Before entering the project, you may wish to assess your risk tolerance. I think this is what all investors need to do before entering any project (whether it is DeFi or traditional finance). However, the characteristics of DeFi projects such as being too hot and frequent new releases can easily cause the public to ignore the judgment of risk preference and the assessment of risk tolerance in a short period of time.

Secondly, users should try their best to research the project before investing, such as whether there are different voices in the media in the community, and whether anyone has questioned the security of the contract. Of course, we also need to keep our eyes open to identify the authenticity of the news. Because various groups in society have different interests, many of them have rhythms. Therefore, it is suggested that everyone would rather spend more time to observe clearly and "enter" later than to enter risky projects rashly.

Finally, if you have the ability and energy, you can check whether the contract of this project has been professionally audited. Security audits are now standard for high-quality DeFi projects. If the project has not been audited, for users, the investment behavior must be extra cautious; for the project party, it is necessary to find a professional and reputable auditing company for auditing. If the project has been audited, it is necessary to try to understand the background of the audit company and the indicators in its audit report, including but not limited to:

Scope, method, and conclusion of security audit

Are there any loopholes or security risks in the contract? If so, you need to understand the severity of these problems and their possible impact

Code quality of the contract as a whole

Professionalism and independence of the audit firm

