ERC-7512 Standard: an attempt to enhance the overall security of the blockchain industry

Author: Haotian, Cryptocurrency Observer Source: X (Twitter) @tmel0211

Perhaps everyone has noticed that some security organisations, such as OpenZeppelin and Safe, have jointly put forward the ERC-7512 standard, which introduces a method for publishing audit reports in the on-chain environment and provides a unified interface for on-chain calls, with the aim of improving the overall security of the blockchain industry. How should we read this?

In my opinion, what the security industry lacks is not transparent reports but standardised audit processes and a consensus on the rights and responsibilities of the parties involved. To put it simply:

1. Limited participation from security companies: At a glance, only a few security companies are involved, such as OpenZeppelin and Safe, while well-known domestic Chinese security companies such as SlowMist, BlockSec, CertiK and PeckShield have made no statement. After briefly chatting with several security practitioners, they also said that there is currently no unified consensus to push this forward, so we will wait for further developments.

2. Reports stored on the chain: Storing security audit reports on-chain under a unified standard may offer protection against tampering compared with storing them on GitHub. However, this is not a hard requirement. The reports delivered by audit companies are usually bound by the terms of the engagement contract, are unlikely to be maliciously tampered with, and there is little need to tamper with them.

3. Purpose of the standard: I feel the purpose of this standard is to guide security companies to output audit report content on-chain in a unified format and standard, mainly so that third parties can later build services such as parsing plugins on top of it. The overall goal is to increase the exposure of audit reports across many scenarios through transparent contract calls. For example, a plugin could automatically parse the audit report when a user checks the contract on Etherscan, and the report could likewise be integrated into the frontend of platforms like Uniswap for visualisation. However, audit report content usually lags behind the code, and it is not that essential for users to look over several already-resolved issues when using a product. Moreover, if a project is found to have many issues, it may undermine users' confidence in interacting with it.

4. Meaningful attempt: Overall, it is a meaningful attempt. On this basis we can gradually explore a path for exposing audit reports: audit report, then third-party parsing and calling, then exposure in a plugin frontend. Ideally an effective "accountability" system would be developed on top of it. Once more projects take part and more security companies are involved, it will help clean up the chaos in the current audit industry.

In summary, a security audit service is a piece of systems engineering. Composing contracts, upgrading contracts, or making any change at all can render the original audit work "meaningless".
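To make the two points above concrete, that is, item 2 (an on-chain record can protect a report against tampering) and the remark that any upgrade or change can invalidate an audit, here is an added example of the check a parsing plugin could run. It is not code from the article, from the ERC-7512 text, or from any auditor. The record layout is hypothetical: it assumes the chain stores a hash of the report and a hash of the audited bytecode rather than the report itself, and it uses sha256 in place of keccak-256 because Python's standard library has no keccak. All sample data is constructed.

```python
"""Added illustration: a minimal verifier of the kind an Etherscan or wallet
plugin could run against an on-chain audit record.

Assumptions (hypothetical, not taken from ERC-7512 or any real deployment):
  * the on-chain record holds a hash of the report, not the report body;
  * the record also holds a hash of the audited runtime bytecode, so that a
    verifier can tell whether the deployed code is still the audited code;
  * sha256 stands in for keccak-256 (the stdlib has no keccak).
"""
from dataclasses import dataclass
from hashlib import sha256
from typing import Dict, List


@dataclass(frozen=True)
class AuditRecord:
    """What a plugin reads back from the chain (hypothetical layout)."""
    auditor: str
    chain_id: int
    contract: str        # address of the audited deployment
    code_hash: bytes     # hash of the runtime bytecode that was audited
    report_hash: bytes   # hash of the full report body
    report_uri: str      # where the report body actually lives (e.g. GitHub)


def digest(data: bytes) -> bytes:
    """Content hash used for both the report and the bytecode (sha256 stand-in)."""
    return sha256(data).digest()


def publish_record(auditor: str, chain_id: int, contract: str,
                   audited_code: bytes, report: bytes, report_uri: str) -> AuditRecord:
    """What the auditor would commit on-chain: only hashes, never the report."""
    return AuditRecord(auditor, chain_id, contract,
                       digest(audited_code), digest(report), report_uri)


def verify(record: AuditRecord, fetched_report: bytes, deployed_code: bytes) -> List[str]:
    """Return the problems found; an empty list means the report is authentic
    and still describes the code that is actually deployed."""
    problems: List[str] = []
    if digest(fetched_report) != record.report_hash:
        problems.append("report fetched from %s does not match the on-chain hash "
                        "(tampered copy or wrong file)" % record.report_uri)
    if digest(deployed_code) != record.code_hash:
        problems.append("deployed bytecode differs from the audited bytecode "
                        "(upgrade or redeploy since the audit)")
    return problems


# Constructed sample data: no real contract, auditor or report.
AUDITED_CODE = bytes.fromhex("6080604052")     # stand-in for runtime bytecode
REPORT = b"Audit of ExampleVault v1: 2 medium findings, both resolved.\n"
RECORD = publish_record("Example Auditors", 1, "0x" + "ab" * 20,
                        AUDITED_CODE, REPORT,
                        "https://github.com/example/audits/vault-v1.pdf")


def demo() -> Dict[str, List[str]]:
    """The three cases a plugin has to tell apart: clean, tampered report,
    contract changed after the audit."""
    tampered_report = REPORT.replace(b"2 medium", b"0")
    upgraded_code = AUDITED_CODE + bytes.fromhex("00")
    return {
        "clean": verify(RECORD, REPORT, AUDITED_CODE),
        "tampered_report": verify(RECORD, tampered_report, AUDITED_CODE),
        "upgraded_contract": verify(RECORD, REPORT, upgraded_code),
    }


if __name__ == "__main__":
    for case, problems in demo().items():
        print(case, "->", problems or "OK")
```

The point of the layout is that the report body can stay on GitHub or IPFS: the chain only needs to commit to it, and a plugin that re-hashes what it downloads detects a swapped or edited copy. The second check is what turns a static report into something useful at interaction time: if the bytecode behind the address no longer matches what was audited, the plugin should say so rather than display stale findings as if they still applied.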

Essentially, a security audit is a third-party security company using its expertise to help the project team identify issues before going live, handle emergencies during operation, and raise the project's security level with the help of other tools and services. But it is ultimately an "outsourced" service, not a lifelong all-inclusive guarantee.

We cannot rely solely on security companies to identify security risks and carry out risk assessments. The market should pay attention to security audits but should not over-rely on them, and in particular should not use an audit as an endorsement to push a project to market, since that completely distorts the original intent.

We will continue to update Gambling Chain; if you have any questions or suggestions, please contact us!