KPMG points out the efforts to be made in Web3 security

by Patricia

The French branch of the consulting giant KPMG has published a report highlighting the importance of security in our ecosystem. It insists in particular on smart contract audits and on the need to recruit more experts to cope with the shortage in the sector.

KPMG stresses the importance of security

KPMG, one of the world's largest accounting and consulting firms, has released a report highlighting the importance of security in Web 3.0 applications. While the main public blockchains are designed so that a direct attack on the base layer is difficult, the same cannot be said of the applications built on top of them.

This observation echoes a thought that Ethereum (ETH) founder Vitalik Buterin shared last month on Twitter. He said he wanted Ethereum itself to be resilient, even to the worst threats, while the applications built on it have flaws far from the standards he hopes for.

Vulnerable smart contracts are indeed a lucrative angle of attack for hackers, especially since anyone can, in theory, deploy their own dApp on blockchains such as Ethereum, with all the problems that this implies.

It is mainly these security flaws in smart contracts that KPMG points to. The firm notes that, comparing the first quarter of 2022 with the same quarter of last year, the funds stolen from decentralised finance (DeFi) protocols have exploded by 692%, bringing losses to around $1.2 billion.

We reported similar amounts a few weeks ago, following a report by Chainalysis. These figures are mainly driven by the Ronin and Wormhole hacks.

A shortage of audit experts

KPMG’s findings are clear: of the 5 biggest DeFi hacks, 4 involved unaudited smart contracts.

Globally, the firm estimates that there are between 1,000 and 1,500 experts specialising in Web3 application security. At the same time, the report puts the number of monthly active developers at 18,000. While exact figures are hard to pin down, this clearly amounts to less than one person capable of conducting an audit for every ten developers.

Yet, according to Immunefi, 10.6% of the total cryptocurrency market capitalisation was deposited in DeFi protocols at the beginning of 2022. DefiLlama today shows a fairly close figure of around 8%. Such a large share illustrates the importance that must be given to security.

Number of security experts worldwide according to KPMG

The table above shows the geographical distribution of Web3 security experts. The US and China dominate the market, with India a distant third.

These numbers remain too low given the ambitions of our ecosystem. Moreover, most of the specialist firms are still young, the majority of them having been founded only in 2017.

According to Trail of Bits, 78% of the most critical vulnerabilities could have been found with an automated tool. At the same time, the firm points out that around 50% of all flaws would still go unnoticed by the same tooling, which is why finding and training talent remains essential.

Other important security issues identified by KPMG

Becoming an expert takes time, and even then there is no guarantee that every flaw in an application will be found. Audits should nevertheless become an industry standard, and security is likely to be a growth area in the years ahead.

In addition to smart contracts, KPMG also draws attention to everything built on top of a layer 1 blockchain. Sidechains, as well as layer 2s such as ZK and Optimistic rollups, can also serve as attack vectors, as can phishing attacks more generally.

Security is therefore one of the major challenges our ecosystem must overcome to reach wider adoption. This is a normal process for any new technology. But as in every field, money attracts bad actors, which demands particular attention from all the players in the sector.
