“A smart contract audit is a powerful process, but is limited in time and scope to detect vulnerabilities and bugs. Our security researchers use their expertise and deep knowledge of the audited codebases to detect different circumstances and potential edge cases, and then create monitoring recommendations. Implementing these recommendations can provide a much longer term protection to the audited project,” Omer Greisman, Head of Security Services at OpenZeppelin.
Audit firms are often the only security professionals supporting a DeFi protocol. In the course of an audit engagement, the security researchers become experts in the protocol and understand attack vectors and dependencies. As a result, they are often in the best position to recommend areas of the system worthy of real-time monitoring post deployment.
“We learned quickly working with large DeFi projects that many of them don’t have full-time security resources. They rely exclusively on auditors and bug bounty programs, and audits only last for a few weeks. The rest of the year, they’re on their own. That absence impacted how they thought about and prioritized other aspects of security like real-time monitoring,” said Andrew Beal, ecosystem lead at the Forta Foundation.
Security monitoring is a natural extension of an audit report. Audit reports identify risks in the smart contract code. In some cases these risks can be eliminated at the code level. However, where teams can’t eliminate the risk completely, it is best practice to mitigate that risk with monitoring.
Monitoring recommendations often focus on invariants – aspects of a protocol that should remain constant regardless of the circumstances. It’s also common to see monitoring over privileged functions and third party dependencies (i.e. oracles).
“We are grateful the Forta Foundation grant allowed us to spend additional time in selected audits to focus on monitoring recommendations to further strengthen the security of the projects audited by ChainSecurity,” said Emilie Raffo, Head of Sales at ChainSecurity.
Security monitoring represents another potential product and service vertical for audit firms. More auditors are taking a comprehensive approach to smart contract security, bundling continuous audit work with adjacent services like monitoring and emergency response.
“Smart contract audit is a powerful process, yet limited in time and scope, to detect vulnerabilities and bugs. Our security researchers use their expertise and deep knowledge of the audited codebase to detect different circumstances and potential edge cases, to create monitoring recommendations. Implementing these recommendations can provide a much longer term protection to the audited project” Omer Greisman, Head of Security Services.
To date, over 20 audits reports issued by these firms have featured security monitoring recommendations.
MixBytes and OpenZeppelin also operate Forta scan nodes.