Systems that rely on trusted authorities can be compromised with low cost (case in point: SSL/TLS). Panvala solves this problem by decentralizing trust through a token-curated registry. https://twitter.com/PanvalaMark/status/1016337610787180545
This pushes a HUGE amount of risk onto security reviewers and away from the contract owners. Won't people just attack or sue the parties voting in support of contracts when bugs are found later?
The Panvala mark means that a majority of participants agree that certain standards have been followed. It's the task of the community to ensure that the standards are sufficient to prevent bugs (e.g. cross-checking audit reports).
But as we all know, there's never a 100% guarantee. The TCR reflects the opinion of the security community as a whole (hopefully including @TrailofBits). Consumer Reports is a good analogy.
The legal aspects are certainly important. But that's true for companies that do security audits anyway.
None of our reports say, "This contract is safe to use." The vast majority of our reports never reach the internet, and for good reason. Their intended audience is engineering teams, not the public. The contract owners should stand behind their code, not me.
By that standard, no one should be giving opinions about the safety of any smart contract. We put in this work so people can actually use these systems with more confidence. But there are no guarantees here.
You just made my point. If there are "no guarantees" then maybe you should not be posting a guarantee on Panvala?
Panvala does not guarantee smart contracts. Consumer Reports doesn't guarantee consumer products. Publishing opinions about which stuff to use is a valuable public service, and I think the community can do it well together.
People are going to use Panvala, not engineers, and the coarse-grained UI won't inform accurate opinions about testing results. E.g., a part of the code with a flaw could have been out of scope for your assessment but the reviewer will still be seen as at fault.
I also want to provide transparency to engineers and end-users but this looks like it too easily transfers risk from owners to auditors, and sets us up as "fall guys."
This is a good point that we'll have to be vigilant about. Users will never read fine-grained audit reports. They need coarse signals that help them make decisions. I hope that with your input, we can avoid creating new problems that set us all back instead of moving us forward.