OpenZeppelin is a security operations platform with countless security best practice features already built into it. Specifically, it describes itself as an open-source framework for building secure smart contracts, meant to simplify the process of building smart contracts. Practically speaking, this means that smart contract developers on Ethereum can ship their products faster, whilst also minimizing security risks.
Normally, these kinds of security features would have to be developed separately by each feature or company team. Moreover, there are no existing developer tools that allow them to collaboratively build, test and audit smart contracts. With the help of OpenZeppelin, developers can focus on deploying smart contracts instead of dealing with the extra hassle of building dedicated security tools.
Put simply, OpenZeppelin looks to act as a security audit for developers creating smart contracts, effectively reducing the risk associated with decentralized finance (DeFi) projects. If you want to learn more about DeFi, smart contracts, cryptocurrency or blockchain, then Ivan on Tech Academy is your go-to place. The Academy is perfect for learning about cryptocurrency, or understanding more of the DeFi industry.
If you know about decentralized finance (DeFi), then you likely already know about some of the high-profile hacks this year, or the well-known Yam Finance bug. Creating DeFi protocols can be so lucrative that it can be tempting for developers to ship a DeFi without paying enough attention to security. However, that kind of thinking can also put users’ funds at risk.
According to OpenZeppelin’s CEO, Demian Brener, OpenZeppelin Defender is the first security platform where developers can securely automate their smart contracts in one easy place. The team decided to build OpenZeppelin after talking to these same developers. That’s how they learned that they were continuously reinventing the wheel to build out their security infrastructure.
Economic Attacks vs Arbitrage
Lines can get blurred when it comes to discerning the differences between an exploit and a good old-fashioned arbitrage opportunity. With certain exploits, savvy attackers can create their arbitrage opportunities that don’t exist for the regular user.
Attackers can use things like Flash Loans to manipulate the price bids. This happened with the Harvest Finance hack and the bZx hack. Hackers manipulated the prices to get better terms on their trades.
So, what was Harvest Finance’s weakness that hackers exploited? Well, the team did some things right. Their code was open source and security auditing firms reviewed their code. However, they relied on Curve’s automated market maker for a price oracle. And that was their weak point. They did this even though attackers had previously exploited a similar vulnerability with bZx.
The good news is that code in the DeFi space is getting more locked in. It’s hardening and becoming more efficient. Moreover, every time someone attacks DeFi it gets stronger. And OpenZeppelin wants to help make sure that DeFi protocols continue to harden.
Is DeFi Trustless?
You’ll hear the word “trustless” bandied about a lot in the DeFi community. But is there such a thing as 100% trustlessness? Or is it just wishful thinking? Because, no matter what we do in DeFi, we all end up trusting something. It’s just a matter of degrees.
For example, even if you trust an Ethereum smart contract, you still have to trust that the Ethereum Virtual Machine (EVM) will work correctly. You also have to trust that the miners will validate your transaction properly. OpenZeppelin’s CEO, Demian Brener talked about all this in a recent interview on Bankless.
The good part is, at least with a smart contract you can audit the code. Whereas with a bank or other centralized organizations, who knows what goes on behind the scenes?
But even if you know the code is secure, there may be someone you don’t know who has the power to change the rules of the smart contract. So, are you trusting a single person? A Multisig? Or are you trusting a decentralized organization (DAO) with thousands of members around the world? If so, you have to ask, what is the probability that these people can collude with bad intentions?
When building a DeFi protocol, it’s all about trust and verification. What can you trust, verify, and what can you NOT trust? Furthermore, how will you build your systems around all this?
To build something properly, developer teams have to understand what the threat model is. That way they can determine how to monitor their systems to prevent bad things from happening.
The CEO Weighs In
Demian Brener prefers the term “trust minimization” to trustlessness. In the same interview mentioned earlier, he stated: “Trust minimization narrows down the pieces that we are trusting and can’t see. We can see the code executed on-chain. But even with the most trust minimized DeFi platforms, what things do we still have to trust? The best way to scale DeFi is to get to a place of massive trust minimization.”
That is an interesting way to look at it, because, yes, the smart contract is on-chain for all to see. But what if people don’t know what they’re looking at? What if they don’t understand the code?
In most cases, users are trusting the project team behind the code. They are trusting that the team understands the threat model. And, they are trusting (or at least hoping) that the team took all the steps to minimize the risk of an exploit.
A Multitude of Security Questions
Unfortunate scenarios like price manipulation always pose a risk. So, the questions to ask are, has the system been audited? And who’s monitoring it? What if a critical scenario begins to materialize? Are circuit breakers in place to stop the exploit? Can the team at least stop the bleeding before the attacker completely drains the liquidity pools? If a bad actor is engaging in price manipulation, can the team pause that feature in the smart contract?
The questions are numerous but in essence, they boil down to a single issue: Can the team prevent bad things from happening or not? The team at OpenZeppelin believes that trust can be minimized. And that is their objective – to continuously minimize trust.
Are More Security Audits The Answer?
Audits are expensive. The YAM protocol launched its project quickly within a couple of weeks. What’s more, they didn’t feel like dropping tens of thousands of dollars on an audit. That, however, became a problem. At one point the protocol locked in $400 million, but the whole thing blew up when they found a bug in a smart contract. That required the team to build a whole new version. Ouch!
Security audits are great, they are necessary but they are expensive. OpenZeppelin’s team of researchers boasts of having conducted over 150 audits for some of the most prominent projects in DeFi, like Aave, Balancer, Compound, dYdX, Uniswap, and others. But Brener doesn’t believe audits are a “sign-off” in and of themselves.
More Than Just An Audit
OpenZeppelin spends the necessary time and effort in security research to reduce their chances of missing something important. However, a more relevant question is, how do you scale security whilst keeping up with the demands for growth in DeFi?
Projects want to “move fast and break things” as the Facebook mantra says. However, teams must reduce the risks whilst moving fast because a lot of user’s funds are at stake.
OpenZeppelin’s philosophy doesn’t hold the belief that projects can scale security by hiring more auditors. The team created an open-source library called OpenZeppelin Contracts, for developing smart contracts. They now boast over two million downloads.
So, OpenZeppelin doesn’t promise to replace an audit. But neither do they believe that scaling with more auditors is the answer. They believe you scale by giving developers the right infrastructure to build on top of from the start.
A Set of Security Standards
The OpenZeppelin Defender team’s approach is to give developers a set of modules that the community has already vetted. They believe that developers can then move faster with security best practices already baked in.
Yes, different smart contracts will have different use cases. But the point is to minimize the amount of net, new code that must be produced each time a DeFi protocol is built.
Everyone wants to get Ethereum 2.0 rolling to churn out more transactions per second, but the other part of the equation is security. DeFi protocols must be secure or we’ll never onboard new users. Security is a must.
If you want to learn more regarding DeFi, Ethereum 2.0 or other blockchain-based solutions, there are courses available for that! Ivan on Tech Academy has over 20,000 existing students and dozens of content-filled courses. Use the code BLOG20 when enrolling to get a 20% discount!
The Advantages of Mature DeFi Platforms
There’s nothing old about DeFi. But the more mature projects have more experience under their belt. Thus, they will not suffer as much as the new ones. So how will these young projects get off the ground on the right foot? Without the resources, capital, experience, and community it could be difficult.
That’s why OpenZeppelin wants these projects to build the right security infrastructure from the get-go. Their platform is standardized so developers can come in and build right on top of it. A sound security foundation can now “take minutes instead of months,” as the team likes to say.
Bitcoin Maxis and other critics complain that DeFi will never work because it gets hacked too often. The other side of that coin is that DeFi gets hacked because it’s so new. But with each attack, the protocols get stronger. Thankfully, the DeFi ecosystem is undergoing a hardening process and OpenZeppelin is dedicated to seeing that through.
The Four Components of OpenZeppelin Defender
Besides OpenZeppelin’s Contracts feature, they also offer Defender so that developers can ship fast with built-in best practices.
Because, as with all DeFi projects, teams must also figure out how to administer smart contracts after they’re in production. They have to figure out who can execute changes, what the security weak points are, and how they can be upgraded. Hence, the Defender platform’s built-in Admin feature.
Admin is one of Defender’s four components. It allows teams to automate and secure their smart contract administration. Too many teams are trying to herd cats with a messy process. Defender’s Admin component simplifies the process by offering a seamless interface where developers can upload their smart contracts.
With relayers, OpenZeppelin Defender can provide a secure infrastructure for sending transactions. This eliminates the need for projects to build their transaction infrastructure which can oftentimes end up being unreliable. This feature implements relayers with support for Testnets, Mainnet, Layer 2 solutions, and Sidechains.
OpenZeppelin Defender allows projects a way to build their scripts to perform continuous actions on smart contracts in a serverless environment without having to build it themselves. Quick response tools like these alone could have reduced losses in many of the recent exploits.
This feature is a collection of security best practices that the team continuously updates. These can be implemented across the phases of development, testing, monitoring, and also operations.
DeFi and the Road Ahead
DeFi is attracting some of the smartest people in the world. And talented developers are keen to join. We’re talking about talented people like Andre Cronje of Yearn.Finance.
What’s more, DeFi will soon be able to offer 100x the kinds of services people could expect to find in a bank. The more DeFi grows, the more funds will pour in and the more creative people will come to build things.
The team at OpenZeppelin Defender wants to help accelerate this process along with DeFi’s adoption. The Security solutions are out there, and Brener believes it’s just “a matter of being smart, collaborating and implementing them.”
Hardening the DeFi Ecosystem
Many of the attacks that have plagued DeFi came from known vulnerabilities. So, just implementing the Advisor component in OpenZeppelin Defender alone could help new projects.
Adding the ability to monitor the likelihood of critical scenarios will also be a huge leap forward. Implementing Autotasks can act as automatic safeguards to prevent bad things. Remember the Harvest Finance hack? Developers could set up a task to watch out for something like that.
As more casual adopters realize the potential that DeFi has to offer, the more of their money will flow into the space. However, hackers and viruses are just two of the obstacles that can hamper mass adoption. With all the volatility and economic crises around the globe, users will be willing to switch over to DeFi only if it’s stronger and sounder than the centralized alternatives.
Platforms like OpenZeppelin Defender will go a long way to help harden the DeFi ecosystem so it can thrive and provide a better alternative to traditional global finance.
If you’re a developer, you can use OpenZeppelin Defender for free on the testnet, but you must use the paid subscription version for production. If you want to become a blockchain developer, visit Ivan on Tech Academy and start your DeFi journey today!