Article by CryptoJelleNL
After the recent BananaGunBot fiasco, it has once again become clear that an audited crypto project is not necessarily free of bugs or exploitable flaws.
I hoped the previous cycle would have taught us this lesson by now, but the events of the past few days show once more that a project can be audited not once but twice and still come crashing down less than 90 minutes after launch because of a critical bug.
What is an audit? New crypto and Web3 projects hire auditing firms to review their smart-contract code for exploitable flaws, bugs, and other problems before launch. An audit is a point-in-time review of the code the auditor was given; it is not a guarantee that the deployed contract behaves correctly.
In today's article, I discuss the events that happened, and what I think can be done to prevent similar situations in the future.
Before we start, let's make one thing clear: just because I'm using Banana as an example does not mean I blame them for what happened, or that they should be treated as bad actors. They are simply the latest in a long list of projects that passed audits and still ran into trouble shortly after launch.
What the h*ll happened to BananaGunBot?
After major anticipation on Crypto Twitter (CT), September 11th was to be the big day for BananaGunBot. At 8:35 PM (all times in CEST), the project announced that it had gone live, that presale allocations could be claimed, and where the token could be traded.
At first the launch looked successful and the price shot higher. Friends of mine who got into the presale rejoiced at the money they had made. At least, they thought they had, until 9:51 PM, just 1 hour and 16 minutes after the contract went live.
The BananaGunBot team said: "Announcement: We have a bug in our contract we cannot hotfix. Despite two audits, there is a bug in the contract with our taxes, which allows people to sell their bags while having tax tokens remaining in their wallet."
What followed was a brutal sell-off, wiping out 99% of the token's value in mere minutes.
It took the market 1 hour and 16 minutes to find a critical vulnerability in a project that had been audited not once, but twice!
This brings me to the crux of the problem: the fact that a new cryptocurrency project has been audited, on its own, guarantees very little!
This becomes especially clear once you realize that out of all the exploits, hacks, and breaches in the past year, the majority have happened to projects that had been rubber-stamped by blockchain and smart-contract auditing companies. Just look at Terra (Luna), which was audited, approved, and even applauded by CertiK before collapsing in May 2022. Terra's collapse was a failure of its economic design rather than a code exploit, which illustrates a second limitation: a code-level audit says nothing about whether the system's design holds up under stress.
Do crypto-audits meet their objective?
The reality seems to be that auditors are not truly independent: their revenue comes from the projects they audit, and they are mostly focused on keeping those customers satisfied.
A project that wants to launch soon will not want to hear that its code has vulnerabilities, and the auditors know this. They may even be inclined to play down red flags just to keep the customer happy. That completely defeats the purpose of an audit and reduces it to a mere marketing ploy.
According to Keir Finlow-Bates, a blockchain researcher and developer, this problem is more common than many people think. In his experience, clients tend to push back when auditors find problems in their code, wanting to sweep the concerns under the rug and have the smart contract approved regardless of the highlighted vulnerabilities.
If this is true, audits are little more than a marketing tool to lure investors in. Worse still, many projects do not seem to care about the security of their protocol at all.
If we take a step back to BananaGunBot, the team made the following announcement after the market crashed:
Allow me to highlight point 1 of their tweet, where they state: "We are having our new contract audited, but won't launch until we are sure everything is in order." Shouldn't not launching until everything is in order have been the approach from the start?
How the industry can do better
So, audits generally fall short in reporting vulnerabilities, but part of the blame lies with projects that do not want to hear about them in the first place. On top of that, nobody should be made to believe that an auditing firm is responsible for the security of a smart contract.
Of course, their job is to sniff out problems, but the developers should make sure the product is sound before it ever reaches an auditor. Just as the in-house accounting team of a publicly listed firm does everything it can to prepare an airtight annual report before handing it to the auditors, blockchain developers should test, review and harden their code thoroughly enough that the auditors struggle to find anything.
From there, it is probably best to have multiple independent auditing teams go through everything: the smart contract, the tokenomics, the logic, and make sure it all checks out. I would even argue that pushback from the team against reported findings should automatically result in a failed audit. Take security seriously, or else.
In essence, I believe that while auditing firms play an instrumental role in maintaining the security of this industry, it is crypto projects that bear the responsibility for the security of the tools and products they build.
They should invest the time and resources to develop better practices that ensure high-quality code with top-tier security – or this industry will forever be viewed as the Wild West. Do better.
Author's Disclaimer: This article is based on my limited knowledge and experience. It has been written for informational purposes only. It should not be construed as trading or investment advice in any shape or form.
Editor's note: CryptoJelleNL provides insights into the cryptocurrency industry. He has been actively participating in financial markets for over 5 years, primarily focusing on long-term investments in both the stock market and crypto. While he watches the returns of those investments roll in, he writes articles for multiple platforms. From now on, he will be contributing his insights for WOO as well.
Check out his twitter: twitter.com/cryptojellenl
The content above is neither a recommendation for investment and trading strategies nor does it constitute an investment offer, solicitation, or recommendation of any product or service. The content is for informational sharing purposes only. Anyone who makes or changes the investment decision based on the content shall undertake the result or loss by himself/herself.
The content of this document has been translated into different languages and shared throughout different platforms. In case of any discrepancy or inconsistency between different posts caused by mistranslations, the English version on our official website shall prevail.