Aleks Larsen
co-authored with ·
No items found.

There are no comprehensive runtime security solutions for smart contract systems; that is a big problem.

Image Caption

When a developer ships a new contract, they get a set of audits done by security firms that identify common issues, run a bunch of tests, and when they feel secure enough, deploy the contract to mainnet and hope nothing goes wrong. From that point on, security practices are entirely manual and reactive. If an exploit happens, hopefully the team is awake, paying attention and in a position to mitigate the damage quickly (if that is still possible).

Think about it: this is like launching a rocket and then waiting for it to light on fire to react to a problem. By the time the rocket’s engulfed in flames, it’s probably already too late.

Most of the time, the only way to mitigate an exploit is to exploit it yourself, so the extent of the damage is heavily influenced by the time it takes to discover the problem. To make matters worse, when a new exploit is discovered, there’s no incentive for the auditors to go back and check previously audited contracts, whereas there is a large incentive for attackers to do so.

These are large, universal problems of building smart contract systems, so what’s the best way to solve them?

Centralized monitoring solutions are incapable of moving fast enough to cover all the new smart contracts being launched. Once a decentralized, open source ecosystem hits escape velocity, its momentum is omnidirectional and centralized efforts can at best cover narrow pieces of it. The only way to fight this kind of fire is with fire: you have to incentivize the ecosystem to proactively monitor itself.

This is why I’m proud to announce our backing of Forta, a decentralized protocol for runtime security. Forta incentivizes a network of nodes that continuously scan major L1 and L2 blockchains for threats and notify relevant systems and people immediately upon detection.

Critically, Forta operates as an open market for runtime security. It incentivizes security engineers and protocol developers to collectively contribute to a security ecosystem — enabling its threat detection capabilities to grow side-by-side with the attack surface, rather than constantly playing catch up.

Forta can also be viewed as the first security primitive. Just as DeFi developers have built powerful financial applications on top of Chainlink’s price oracles, smart contract developers will be able to build powerful security applications on top of Forta’s threat oracles. For example, bots can be programmed to automatically respond to new threats by sending defensive transactions — creating something that could be likened to a blockchain defense tower.

If Forta had existed over the last few years, many of the hacks we’ve experienced could have been avoided or mitigated. For instance, when Spartan Protocol was attacked due to a flawed calculation in their smart contract, resulting in a $30m+ loss, the Forta protocol could have proactively identified and alerted stakeholders of the deployment of a suspicious bot, the first suspicious transaction, and the first losses incurred by the protocol — potentially saving millions or even preventing the exploit altogether.

The initial idea for Forta came from OpenZeppelin, the leading audit and security firm in crypto. If you’ve deployed a smart contract on Ethereum, odds are you’ve used contract templates engineered by the OZ team. Simply put, there isn’t a team in the world better positioned to kick off this decentralized community.

We believe the Forta protocol and its surrounding ecosystem of security applications have the potential to drastically reduce the frequency and impact of hacks and exploits, and we are excited to see what people build with it!

Disclosures: Blockchain Capital is an investor in several of the protocols mentioned above. The views expressed in each blog post may be the personal views of each author and do not necessarily reflect the views of Blockchain Capital and its affiliates. Neither Blockchain Capital nor the author guarantees the accuracy, adequacy or completeness of information provided in each blog post. No representation or warranty, express or implied, is made or given by or on behalf of Blockchain Capital, the author or any other person as to the accuracy and completeness or fairness of the information contained in any blog post and no responsibility or liability is accepted for any such information. Nothing contained in each blog post constitutes investment, regulatory, legal, compliance or tax or other advice nor is it to be relied on in making an investment decision. Blog posts should not be viewed as current or past recommendations or solicitations of an offer to buy or sell any securities or to adopt any investment strategy. The blog posts may contain projections or other forward-looking statements, which are based on beliefs, assumptions and expectations that may change as a result of many possible events or factors. If a change occurs, actual results may vary materially from those expressed in the forward-looking statements. All forward-looking statements speak only as of the date such statements are made, and neither Blockchain Capital nor each author assumes any duty to update such statements except as required by law. To the extent that any documents, presentations or other materials produced, published or otherwise distributed by Blockchain Capital are referenced in any blog post, such materials should be read with careful attention to any disclaimers provided therein.

more by
Aleks Larsen
more on
Thank you! Your submission has been received!
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.