Ethereum Developers Debate New Standard For On-chain Audit Reports
Developers From Prominent Web3 Security Firms Collaborate On Proposal To Make Smart Contract Audit Reports Easily Accessible On-chain
By: Samuel Haig •DeFi News
Ethereum developers have proposed a new smart contract standard intended to help users look up smart contract audits for DeFi protocols.
Devs have been spiritedly debating ERC-7512 since it was first published to the Ethereum Magicians forum by Richard Meissner, the co-founder of Safe, on Sept. 5. Developers representing OtterSec, ChainSecurity, OpenZeppelin, Ackee Blockchain, and Hats Finance also contributed to the proposal.
“The proposal aims to create a standard for an on-chain representation of audit reports that can be parsed by contracts to extract relevant information about the audits, such as who performed the audits and what standards have been verified,” the authors wrote. “To provide strong guarantees about security and allow better composability, it is important that it is possible to verify on-chain that a contract has been audited.”
While the intent of the proposal has drawn broad support from the community, developers are discussing the finer points of how to implement the standard.
“The idea of having on-chain audits is useful,” replied Dexara, the founder of Callisto Network. “However, the implementation proposed in this ERC is overcomplicated significantly.”
Dexara and others suggest utilizing a registry to organize audits in the form of non-transferable Soulbound Tokens as an alternative to developing a new Ethereum standard. Meissner responded that the proposed ERC could be used in the context of a registry, but warned that solely relying on a registry offers “a very centralized approach.”
“This ERC focuses on standardizing what auditors should sign, rather than defining the registry,” added Shay Zluf. “The goal is to ensure consistent verification across the ecosystem.”
Meissner also noted that while security audits are useful, they do not guarantee that a protocol’s code is impenetrable.
For example, the highly-anticipated launch of BANANA, the token for a Telegram trading bot, ended in tears hours after its deployment when a bug was discovered in the smart contract, despite the team claiming its code underwent two audits.
However, Twitter user punk9059 ran BANANA’s code through the popular AI chatbot, ChatGPT, which immediately identified the problem.