By Paweł Sobotkowski & Filip Pawczyński
Blockchain has changed the way we think about money and assets, and its importance grows every year. Global blockchain revenue is projected to reach 23.3 billion U.S. dollars by 2023, a figure that illustrates the technology's potential.
Promising, fresh, and revolutionary, it is held back by one serious concern: security. To build trust in blockchain systems, companies have started to examine their potential weak points carefully and to commission full security audits, protecting their future in the process.
OpenZeppelin is one of the companies whose mission is to bring us closer to secure blockchain systems. Keen to learn about the latest security practices in the field, Paweł Sobotkowski and Filip Pawczyński from the Swiss-Polish Blockchain Association interviewed Jonathan Alexander from OpenZeppelin to dive deeper into the world of blockchain security.
What do you take into account during the security audit? Which factors are the most important during the security audit?
OpenZeppelin takes an approach to security audits not only from the standard perspective of finding bugs in the code (e.g. overflows), but also from a broader viewpoint where we consider the business logic and the integration between the different parts of the project, with external components and among themselves. OpenZeppelin reviews the specification carefully when there is one, making sure the implemented code matches its intent. In cases where there is no specification, as often happens with smaller projects, we infer one from the code, and always strive to err on the safe side (reporting potential issues to the project team if there is doubt).
What makes your audits unique among other solutions proposed on the market?
Although OpenZeppelin does run automated tools on the code, we rely much more on the manual inspection of the code and on our auditors, who are very deeply trained in blockchain security. In some cases, our audits take longer than some other approaches, but this is intentional: because we want to be thorough, and because the cost of one missed issue is potentially so high. This approach allows us to uncover much subtler issues (like the ones related to business logic mentioned above) than the more generic ones that are caught by the tools or those caught by less thorough audits.
How do you handle the system’s and the market’s volatility? Do you have any special processes to protect your projects from unexpected changes?
The key to managing volatility is to anticipate the unexpected, which requires you to review all your dependencies and assumptions and how they might change. Public blockchains and cryptocurrencies are still highly volatile and subject to internal failures and external pressures, such as the recent economic volatility triggered by the COVID pandemic. In response to this, we are working with our customers on new methodologies and tools to identify and quantify volatility risk, and then to have systems in place to monitor and protect against large fluctuations.
Have your business approach and working methods changed significantly during the COVID-19 pandemic? How have you adapted to the ongoing crisis?
OpenZeppelin was already a highly distributed company with employees in 7 countries, so we are used to working remotely, and we work collaboratively using online tools like GSuite and Slack. But the pandemic has definitely affected our normal processes. For example, we try to get our entire company together in retreats frequently. Our last retreat was scheduled right around the time the pandemic took hold; we had many employees in transit, and we quickly had to make plans to get everyone back home safely before travel was suspended (which thankfully we did). Now we sometimes just have company social get-togethers on Zoom to reduce stress and relax; for example, some online board games and book club conversations are a new hit. Maybe we'll keep these after the pandemic ends too!
As you’ve worked with big Blockchain brands like Ethereum Foundation, would you say that their approach to security is different from the approach of startups, and private Blockchain companies created by corporates like IBM?
Leading projects like the Ethereum Foundation, Compound, Maker and Coinbase are at the forefront in their approach to security. While many startups in our space deeply recognize their security responsibilities, they often don't have the time to implement the same level of controls as the leading projects. Sometimes this is reflected more in their processes and tools, like how they monitor their systems or how they manage administrator keys, than in their core protocols and smart contracts. For private blockchains, we see that they typically rely on the traditional approaches to IT security that they use for centralized systems, but they have concerns especially when the public can interact with their blockchains or when they integrate with a public blockchain, which we are seeing more frequently now and may increase over time.
All things considered, blockchain security depends on adaptability, because it has to respond to a market that is constantly changing. Jonathan mentioned that OpenZeppelin is always working on new tools and methodologies to better manage risk, using innovation to stay ahead of surprises and security holes. Because the company executes careful, thorough security audits, combining automated tooling with human expertise, it leaves little room for missed issues. The emergence of new security tools and the development of effective threat-detection systems may help build trust in blockchain security and in a digital future, and OpenZeppelin may, in turn, become one of the trailblazers on our way to digital finance.