➤ First of all, Certik has some problems.

https://skynet.certik.com/zh-CN/projects/dexx…

First, open the project page and see the rating! As an auditing agency, what the hell is your rating?

When we look at an audit report, what we need to know is how big the risk is, not how good the project or code is!

Second, there are "project highlights". And what are the highlights of DEXX? The number of Twitter followers, the community, and market stability. What does any of this have to do with your audit business? Can this be called a highlight?

Third, for the key issues in the audit, click "View Vulnerability Information": not only is the vulnerability information not displayed, but the entire code audit section disappears... If you don't believe it, try it yourself. I also recorded a video.

Fourth, there is actually a PDF of the audit report on the page, but its location is not obvious. Meanwhile, the risk findings from the audit report are not shown on the page, while highlights and scores that have nothing to do with security are...

➤ Secondly, when a layperson reads an audit report, they should at least look at the risk summary.

Generally, audit reports classify findings into several severity levels: critical, major, medium, minor, and informational.

We can look at how many issues there are at each level, how many have been resolved, and how many have not.

As written in the DEXX audit report, there is 1 major issue: centralization.

4 medium issues: vulnerable code. This one is self-explanatory. 2 resolved, 2 unresolved.

4 minor issues: design issues. 1 resolved, 3 unresolved.

A status of "acknowledged" means the project is aware of the problem, but it does not mean the problem has been fixed, haha.

Let me put it this way: if the audit report lists no problems, that does not necessarily mean there are none. But if the audit's risk summary lists problems, then there really are problems.

➤ Comparing the audit reports of other DEXs

❚ DYDX

Speaking of DEX, let’s take a look at the audit of the famous DEX #dydx.

DYDX did not pay Certik to conduct an audit; instead it had a different code auditing team, Informal Systems, audit it a total of 6 times. The latest audit report shows:

https://github.com/dydxprotocol/v4-chain/blob/main/audits/Informal-Systems-Audit-Report-2024-Q2%2B.pdf…

In total:
1 medium-risk item, not resolved.
6 low-risk items, 2 resolved and 4 not yet resolved.
7 informational items, none of which have been resolved yet.

❚ DeGate

Let's take a look at #DeGate, a DEX based on Ethereum Layer 2. From its launch in August 2023 to today, it has undergone 5 code audits by 3 auditing firms, including @trailofbits, @LeastAuthority and #Secbit.

Take a look at the latest audit report. The auditing firm is Secbit, and the report is at
https://github.com/degatedev/protocols/blob/degate_mainnet/packages/loopring_v3/security_audit/DeGate_Report_EN-final20230912.pdf…

There were 4 medium risks, all of which have been resolved.
8 low-risk issues, 5 resolved and 3 not yet resolved.
4 informational risks, 1 resolved and 3 not yet resolved.
4 discussion-level items, 2 resolved and 2 not yet resolved. This category covers points that should be discussed, where it is not certain whether there is a problem at all.

No higher-level risks were found, and the highest remaining risk is low.

The common points between DYDX and DeGate audits are:

First, no money was spent on Certik's "gilding". Instead, multiple audits were conducted by multiple audit firms, which allows a more comprehensive discovery of security issues in the code.

Second, the audit reports are published on GitHub instead of on the auditor's or the project's official website. This way, every commit, modification and deletion of the audit report file is visible, which is more open and transparent.

Third, there are no unresolved medium risks in either DEX's audit report. According to the audit results, the remaining risk is kept at the low level.

DYDX V4 and DeGate have been running safely for 14 and 16 months respectively.

So whether you compare it with a large DEX or with a small or medium-sized one, DEXX's lack of security is plain to see.

➤ Final words

As code rookies, when we hear that a project has had a code audit, we should open the audit report and take a look, instead of just listening to the project's claim of how many security audits it has passed.

Take DEXX as an example. Although Certik ranks its code in the top 10%, the score is only 59.31 points, which suggests that DEXX's actual security may be worse than it looks. Even if we open the audit report and understand nothing, we can at least see the score of 59.31, and if we read down carefully we will find the words "vulnerable code". Having seen these two details, I guess we would not use DEXX.

After opening the audit report, even if your English is not good, you can search for the word "Medium", find the risk summary, and see how many issues of each level were found, how many have been resolved, and how many have not.
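The counting described in the risk summary section above and in this paragraph, as an added example that is not part of the original thread: it parses a constructed stand-in for a report's findings table (the format, ids and statuses are assumptions, not any real report), tallies each severity level into resolved and unresolved, and reports the highest level that still has an open finding, treating "acknowledged", "pending" and "partially resolved" as not fixed.

```python
# Added example, not from the thread: tally an audit risk summary by severity and
# resolution status. The input is a constructed stand-in for the findings table
# of an audit PDF, one finding per line as "<id> | <severity> | <status>".
SEVERITY_ORDER = ("critical", "major", "medium", "minor", "informational")  # highest first
# Labels different auditors use for the same level (constructed alias table).
SEVERITY_ALIASES = {"fatal": "critical", "high": "major", "moderate": "medium", "low": "minor"}
SAMPLE_SUMMARY = """\
# constructed sample, not an excerpt of any real report
CEN-01 | Major | Acknowledged
SC-01 | Medium | Resolved
SC-02 | Medium | Unresolved
SC-03 | Medium | Partially Resolved
DS-01 | Minor | Resolved
DS-02 | Low | Pending
INF-01 | Informational | Resolved
"""

def normalize_severity(label):
    key = SEVERITY_ALIASES.get(label.strip().lower(), label.strip().lower())
    if key not in SEVERITY_ORDER:
        raise ValueError(f"unknown severity label: {label!r}")
    return key

def is_resolved(status):
    # Only an explicit "Resolved" counts as fixed; "Acknowledged", "Partially
    # Resolved" or "Pending" mean the team knows, not that the issue is gone.
    return status.strip().lower() == "resolved"

def parse_summary(text):
    findings = []  # (id, severity, resolved) tuples; blank and '#' lines skipped
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        parts = [p.strip() for p in line.split("|")]
        if len(parts) != 3:
            raise ValueError(f"malformed finding line: {line!r}")
        findings.append((parts[0], normalize_severity(parts[1]), is_resolved(parts[2])))
    return findings

def tally(findings):
    # Per-severity counts of total / resolved / unresolved findings.
    counts = {s: {"total": 0, "resolved": 0, "unresolved": 0} for s in SEVERITY_ORDER}
    for _, sev, resolved in findings:
        counts[sev]["total"] += 1
        counts[sev]["resolved" if resolved else "unresolved"] += 1
    return counts

def highest_unresolved(findings):
    # Most severe level that still has an open finding, or None if all are fixed.
    for sev in SEVERITY_ORDER:
        if any(s == sev and not r for _, s, r in findings):
            return sev
    return None
```

Running `tally(parse_summary(SAMPLE_SUMMARY))` gives the per-level table the thread reads off by hand, and `highest_unresolved` returns "major" for the sample, the signal the thread says should make you cautious.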

Although a project with a code audit is not necessarily safe, and although we may not understand the specific code risks, if we find that higher-level risks have not yet been resolved, the project's code is likely still in a relatively sloppy state and its security needs improvement. We must be extremely cautious when using it.

The more audit firms participate and the more audits are conducted, the better the project's security is likely to be. Of course, it is only relatively safe; after all, many risk events are not at the code level.

To improve security, we can store our assets in a decentralized way and use cold wallets for large long-term holdings. On the user side of the application, keeping the phone and computer environment secure is also very important: isolate the browsers and devices used for trading and holding coins from daily use. When operating on assets, including trades, games and so on, go slow, slow, slow, and check the information carefully... Additions welcome.