Published on: August 14, 2023
In an informative conversation with SafetyDetectives, Thanos Tsavlis, the dynamic CEO and Co-Founder of Cyberscope, delved into the intricate world of smart contracts. Tsavlis emphasized their crucial need for meticulous auditing, shed light on frequent oversights he’s encountered, and underscored the significance of KYC within the burgeoning Web3 landscape. He also offered invaluable insights for developers eager to craft and launch impenetrable smart contracts on blockchain platforms.
Can you introduce yourself and tell me about your role at Cyberscope?
Hi, my name is Thanos, I’m the CEO and co-founder of Cyberscope. My journey started with a technical background, having worked as a software engineer, where I led and developed teams building software across various companies.
My introduction to blockchain came in 2017. Like many, I began as a trader. From there, I ventured into founding several Web3 companies, including Coinscope and, of course, Cyberscope. Today, our primary focus at Cyberscope is cybersecurity, specializing in smart contract audits and KYC (Know Your Customer) services.
What is the importance of smart contract auditing in the blockchain industry?
Security is crucial, especially when it comes to money—whether it’s being transferred, held, or even when discussing decentralized finance.
Smart contracts are like self-executing code on the blockchain. Once you deploy them to the mainnet, if it isn’t a proxy, you can’t change them. If there’s a bug or security issue, it stays there until someone takes advantage of it. That’s why security is so vital.
Think of it like this: you lock your house door to protect what’s inside. In the same way, you want to “lock” your contract to protect your assets. We hear about blockchain hacks frequently, so it’s not something rare.
The key isn’t just to protect your code but also to build trust with your community. Many investors and users aren’t technical. They might not get all the behind-the-scenes stuff. But an audit, and a clear audit report, can give them confidence. It tells them that the project is safe and won’t be exploitative, and that they won’t lose their money.
What are some common vulnerabilities or weaknesses found in smart contracts during audits, and how can they be mitigated?
One of the most common vulnerabilities we frequently come across during smart contract audits is reentrancy. Just recently, there was a significant incident within the finance sector where they were exploited, resulting in losses of around 48 million. Reentrancy essentially occurs when a function can be interrupted and called multiple times before it’s fully executed. The fix for this is quite straightforward: developers can use a modifier to halt any subsequent transactions until the current function has completed its execution.
Another frequent issue we notice is with permissions. Developers, in haste or oversight, sometimes leave high-risk functions unprotected. For instance, there might be a function that can burn tokens without checking for allowances and is left public. This means anyone can call this function, which is extremely dangerous once the contract is live. Sooner or later, someone will spot this vulnerability and attempt to exploit it. To safeguard against such oversights, it’s crucial to employ modifiers for access control. This ensures that only authorized individuals with the correct private keys can call certain functions.
In essence, reentrancy and permissions stand out as two of the most common vulnerabilities we observe during audits.
Can you tell me a little bit about KYC? How does that play into the blockchain industry and what does it do for security?
KYC, which stands for “Know Your Customer,” isn’t inherently a web3 service; it’s rooted in the web2 world. Most of us have come across KYC when opening bank accounts or applying for a government ID. Essentially, KYC acts as an access control system, where you provide your identity for verification.
The integration of KYC into the blockchain industry is vital primarily for two reasons:
- Trust: Given how rife the blockchain landscape is with scams and potential losses, it’s paramount to take all precautionary steps. When a blockchain product incorporates KYC, it inherently provides a layer of trust to its investors. People are more willing to invest their money in a new project if they feel their identity and funds are secure.
- Confidence for Partners and Institutions: Think about a freshly launched blockchain project. If it wishes to attract liquidity from institutions or endorsements from VCs and influencers, it needs to inspire confidence. These entities stake their reputation when they back a project. Requesting a project to undergo KYC provides them a level of assurance about who they’re dealing with.
However, it’s essential to note that KYC isn’t bulletproof. There have been instances where KYC-verified projects have still engaged in fraudulent activities or exit scams. Yet, as with many things, it’s about taking every possible precaution.
How do you assess the potential risks associated with DeFi smart contracts and their impact on security in the blockchain ecosystem?
When we look at the risks in DeFi smart contracts and how they affect security in the blockchain world, we always think like an investor first. Audits can be different depending on who does them, so our way is to see things from an investor’s view.
Let’s say there’s a part of the contract that looks risky to us, but the people who made the project say it’s needed for how their project works. We’ll still point it out. Investors should know about every risk before they put in their money. If the project team has reasons for that risky part, then it’s up to the investor to decide if they’re okay with it. We always tell people: do your own research.
Our main goal is to be really thorough. We write down everything about the smart contract and about DeFi in general. We want users to know as much as possible so they can make good choices.
What advice would you give to developers and businesses looking to build and deploy secure smart contracts on blockchain networks?
For developers and businesses wanting to create and use smart contracts on blockchain, here’s my advice:
- Timing of the Audit: Many developers first put out their smart contract and then think about getting an audit. That’s not the best way. It’s better to get your contract checked by auditors when you’re almost done with the development. This way, if there’s anything wrong or not perfect, you can fix it before it’s out there for everyone to use. Once a smart contract is live, you can’t just change it easily. You’d need to move everything to a new version, and that’s a hassle. Some folks just decide to leave the issues as they are, and that’s risky.
- Learn from the Audit: After the audit, take what you’ve learned and use it to write better code in the future. Every time your code gets checked, you can learn something new. So always aim to write clean and good code.
Remember, when it comes to blockchain, it’s always better to be safe than sorry. So, take your time, do things right, and always keep learning.