Written by: @cmdefi
"Security" should be the biggest topic in the industry for at least the next 10 years, because it currently has contradictions on both the decentralized and centralized ends. Taking advantage of the topic of exchange security issues in the past two days, I will dive into it from the following angles:
1. Asset autonomy
2. Smart Contract Security
3. Censorship resistance
4. Wallet
1/4 Asset Sovereignty
Decentralization is far superior to centralization in terms of asset autonomy, which means that users have full control over their own assets. This was the mainstream narrative during the DeFi Summer period and was also the starting point for the massive coin withdrawal movement that year.
However, as smart contracts are attacked and authorized thefts occur more and more frequently, higher asset autonomy does not necessarily mean greater security, because many ordinary users do not have the corresponding ability to identify risks, or in other words, secure asset management on the chain requires quite high learning time and experience, which leads to higher and higher thresholds for autonomous asset management.
Therefore, newcomers to the market will still choose to entrust their assets to exchanges or institutions. The original intention is to leave professional matters to professionals. Of course, you will lose the autonomy of your assets in exchange for the custody service provided by centralized institutions.
As the industry has developed to this day, exchanges and chains basically carry different user groups, and both have corresponding risks, but the risks are presented in different ways. On-chain self-management of assets has very strong autonomy. You can own 100% of your assets, but you need to have sufficient experience and risk management capabilities. Entrusting management to exchanges is simple enough, but there may be centralization risks. There is no perfect solution. The important thing is to be clear and understand where the risks exist and always be in awe.
2/4 Smart Contract Security
"Risk always occurs in the unknown"
In addition to asset management, from the perspective of DeFi projects, non-upgradeable, decentralized smart contracts are considered to be decentralized and cannot be tampered with. However, does this mean absolute security? In fact, this is not entirely true. Since the code risks of smart contracts cannot be fully predicted and simulated, if a critical smart contract has a fatal vulnerability and the central authority cannot intervene, then even the gods cannot save it. Many cases have occurred in the early days of DeFi.
So how will the security of smart contracts develop in the future? According to the original intention of decentralization, simple smart contracts will be tested by time and the market and will first be "solidified", that is, completely decentralized and cannot be tampered with. Then the complexity will gradually increase. In this process, some complex projects will inevitably need to set up emergency buttons at key links to prevent and recover losses in major events (of course, various permissions are usually used to constrain control in this process to prevent the risks brought by excessive centralization).
Therefore, the security of smart contracts is something that must be tested and rectified over time. Currently, all the fud regarding DeFi security is actually the future of the fud industry. The security issues faced by smart contracts are what all future on-chain projects, whether it is GameFi or SocialFi, will have to go through. It’s just that DeFi is taking the lead first. Only when enough foundation is solidified in the front can the road ahead be easier to go.
3/4 Censorship Resistance
Anti-censorship is an aspect that many people tend to overlook, because most people think that they are just speculating in cryptocurrencies and doing simple transactions, and they are far away from anti-censorship. In fact, once you have experienced it, you will fully realize the importance of anti-censorship, because it is the most direct way for you to feel it. If there is no decentralization, in fact, your money cannot be 100% said to be your money. I will not elaborate on this here. People who basically understand will realize that it is not an exaggeration to say that anti-censorship is the most important item in the decentralized vision.
In this regard, it complements asset autonomy, and decentralized management is indeed superior to centralized management.
4/4 Wallet
When storing assets on the chain, we often come into contact with cold wallets, hot wallets, and hardware wallets.
Cold wallet: Simply put, the private key is not connected to the Internet during the creation and management process. This kind of cold wallet can be made by yourself, such as using an old iPhone to make a cold wallet. You can find a lot of tutorials and information on the Internet. This method is currently very safe from the perspective of personal management. The only thing you need to pay attention to is not to lose the paper that records the mnemonic.
Hardware wallet: First of all, it is not equivalent to a cold wallet. Hardware wallets involve a lot of hardware technology. Generally speaking, the generation of private keys is not online, but the controversy lies in the fact that the hardware manufacturers are also centralized organizations, which may have theoretical centralization risks. On the other hand, hardware wallets usually have an extra step of verification before you execute a transaction, which is equivalent to protection measures such as U shield/security card.
Hot wallet: Hot wallet is the wallet we use most in daily life. It is more lightweight and flexible to use. Frequent on-chain interactions will increase the authorization and signature of the wallet. Especially if some upgradeable contracts are authorized, there may not be any problems at the moment, but the upgraded contracts may bring new risks and lay mines for the future.
The use of a wallet is usually configured according to personal circumstances. The security of a wallet ultimately comes down to the security of private keys and permissions.