You can add location information to your Tweets, such as your city or precise location, from the web and via third-party applications. You always have the option to delete your Tweet location history. Learn more
This is when the uproar began. There are some who mistakenly relied on a code review from @trailofbits as proof that @HegicOptions would never get hacked, without ever reading the report or investigating further.
If they did their own investigation, what would they find?
They would find that their code had no documentation, not even a README file. They wouldn't find a single test. They would find that our report concluded by warning more bugs exist, and that time allocated was insufficient.pic.twitter.com/v8JkRZXz1E
They would find my numerous public statements (https://defiprime.com/defi-smart-contract-audits …) and client guidelines (https://github.com/trailofbits/publications/blob/master/reviews/citation_guidelines.pdf …) to distrust projects that solely rely on code audits as proof of safety. They would find that 3 days is an extremely short review.pic.twitter.com/sY6pDlNSEe
They would find my thread from just last week, describing the holistic activities needed to secure a DeFi project.https://twitter.com/dguido/status/1251960692460093443 …
... and they'd find the consensus opinion of the blockchain industry is to avoid misrepresenting security reviews as certifications of safety. https://twitter.com/zmanian/status/1254220509077598214 … https://twitter.com/rleshner/status/1254151232677003264 …https://twitter.com/MyCrypto/status/1254119736020881408 …
This was obvious to anyone that had hired a security firm, or been on the receiving end of a security report before. https://twitter.com/MyCrypto/status/1254058121342803968 …https://twitter.com/AFDudley0/status/1254018557685325825 …
It was more than just security experts who understood this about @HegicOptions. It was obvious that further work was needed to non-experts too. “It's OK we have no tests because the auditors will catch all the bugs” said no one ever
https://twitter.com/BlockEnthusiast/status/1254132916675907584 …https://twitter.com/hitchcott/status/1253982497446166528 …
We know there are roadblocks to interpreting our results by non-experts. For example, we purposefully avoid subjective opinions in our reports, preferring objective facts to maintain our integrity and independence.https://twitter.com/HeidyKhlaaf/status/1254121886902083584 …
Further, it's possible for clients to simply ignore what we document in reports. @trailofbits does not have any authority over our clients, we simply provide them advice.
https://twitter.com/HeidyKhlaaf/status/1254122500407152640 …https://twitter.com/spencecoin/status/1254116602720608258 …
How will we improve after this incident?
1st, we will no longer work with @HegicOptions. Their behavior has been deeply irresponsible. They ignored our advice and recklessly put user funds at risk. This hurts the entire DeFi community.
2nd, we will keep services from @trailofbits accessible for those with lower or limited financial resources. Security assistance is essential for smaller projects, and we'll continue to help those that need it with shorter project sizes.
3rd, we'll add structure to our summary reports to help readers better evaluate the current state and maturity of the project while remaining objective. It's unfortunate so few people look beyond our reports so we'll provide stats and info about the code in them.
cc @defiprime @lalleclausen @tzhen @drVillo @preston_vanloon @hitchcott @intocryptoast @quentinc137 @Fiskantes @ck_SNARKs @nicksdjohnson @ChainLinkGod @hosseeb @IamNomad @JTremback
Thanks for your earlier comments! We're open to hearing your opinions about how we can improve.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.
