Since 2014, our team has been deeply involved in Web3 security audits, and several members of our group have over three decades of experience in computer security. Websites such as Etherscan, CoinMarketCap, and CoinGecko prominently display information on the security audits of numerous blockchain technologies and smart contracts. However, there's a catch. Even if you comply with all the specified requirements and submit your information to these platforms, the odds of them listing you as an audit vendor are quite slim. The result? A lack of genuine decentralization. These sites wield significant power over the flow of information, curating content at their discretion.
This centralization bottleneck is often referred to as the "listing" or "last-mile Web3" issue. If a Web2 app serves as your portal to the decentralized world, it's crucial to realize that this final mile isn't truly decentralized; the actual decentralization sits one step further back. To illustrate, consider a crypto wallet that displays an array of cryptocurrencies. Should the company behind this wallet suddenly prioritize certain tokens over others, users could inadvertently be caught in a "decentralization trap." It's worth noting that even renowned wallets, such as MetaMask, have revised their open-source licenses, thus diminishing their decentralized essence. ERC-7512 aims to decentralize data related to security audits and addresses this issue.
Taking another example, the BitTorrent Protocol, hailed for its file-sharing innovation, isn't devoid of challenges, as highlighted in the Achilles' Heel article. When centralized platforms like block explorers or Web3 market data sites become the primary access points for most users, the full narrative remains obscured. In BitTorrent, too, you have to rely on Web2 apps to discover content.
However, various facets of this proposal demand a more in-depth discussion. One potential issue to consider is the anonymity of auditors. It's not uncommon for projects to withhold the names of their auditor(s). How does ERC-7512 address such concerns? Moreover, there's a lingering apprehension regarding the potential manipulation of this system. Even with multiple audits in place, vulnerabilities persist. As highlighted earlier, the likelihood of a hack escalates with the rise in your Total Value Locked (TVL), often at a pace that outstrips the number of security audits undertaken. This phenomenon can be further understood by examining the piece: DeFi's Growing Pains: As TVL Surges, So Does the Risk of Hacks.
It’s worth considering the addition of metadata to smart contracts as a broader practice, not just limited to security audits. In conclusion, ERC-7512 holds the potential to revolutionize the way we handle security audits in the Web3 ecosystem.