Lack of transparency among project reviewers a big problem: Hacken CEO


Dyma Budorin, CEO of smart contract auditing firm Hacken, believes that Web3 cybersecurity providers are failing the crypto industry and that “huge blind spots” in market practices are affecting investor behavior.

Budorin believes that the audits many vendors conduct lack accountability and transparency, and that this is not enough to reassure users and projects.

Currently, smart contract auditors take no responsibility if a token they audit is hacked due to a bug in the code. Disturbingly, most of the biggest hacking events of 2022 happened on projects that had been verified by third parties.

Speaking to Cointelegraph on April 27, Budorin said this worries him as it threatens the growth trajectory of the Web3 cybersecurity industry, which Hacken said is already lagging far behind non-crypto equivalents.

Web3 auditors dive deep into a token’s code to look for threats of varying severity. These audits do not evaluate other factors, such as the viability of the business model or the experience of the team.

Budorin explained that “accountants have a big responsibility” that is being ignored because the money is coming in and there is no public outcry for better products. He considers the services they provide insufficient, saying:

“They lack testing, accountability, and transparency in evaluating cryptocurrencies.”

Even in the rare event that a project wanted a more robust audit, it could not get one from cybersecurity firms in Web3. As Budorin says, “Currently, in Web3 cybersecurity, there are no companies that offer recurring audits,” meaning audits carried out monthly and going into much more depth about the project.

“Right now, best market practice is to get a token audit, and that’s it.”

Budorin used token bridges as an example to show the dangers of an industry without thorough verification mechanisms. Two of the biggest crypto hacks of 2022 so far took place on Axie Infinity’s token bridges Wormhole and Ronin Bridge, which lost a combined $920 million.

While hindsight is always 20/20, it’s likely that a full audit of all the bridges hacked this year, including Wormhole, Ronin Token Bridge, Qubit’s QBridge, and Meter’s Meter Passport, could have prevented disaster.

Aside from obvious flaws in the code, Budorin said token bridges further illustrate how there are “a huge amount of blind spots” in cybersecurity, because “there’s no way of knowing who owns the keys, who mints new tokens, if the tokens are properly bridged and so on without transparency.”


Budorin believes that for the Web3 cybersecurity scene to really change, retail investors need to bear some responsibility. In his view, more transparency with reliable information from accountable sources requires “a paradigm shift from crypto investors” who tend to invest in hyped projects.

This shift could be triggered by greater availability of information from thorough audits of the entire project, considering the team, platform functionality, and other technical aspects, rather than just the token.

Currently, data aggregators CoinGecko and CoinMarketCap are the go-to places for investors to find information about a project. However, Budorin says these platforms are flawed because “projects manipulate their data” to show very high or very low market caps. He believes that will eventually change as auditors evolve to fill the gap.

“If there is more efficient information about the accountability of blockchain companies issuing a token, [investors] will start comparing fundamentals instead of hype.”