Of the 157 protocols listed on Rekt, 92 were hacked because they were unaudited or because the exploited code was outside the audit's scope, and yet their websites often displayed an “audited” logo. This makes the audit process unreliable for users. Both users and auditors suffer from audit claims that misrepresent what was actually reviewed. Enter ERC-7512: a standard for storing audit information on chain.
With ERC-7512, users can see who audited a protocol and whether the audit is still valid for the deployed version. Let’s take a closer look at ERC-7512.
Problem
As emphasized, the current audit flow does not really work for end users, who rely solely on second-hand interpretations of the audit.
- Protocol discovery: Users look for new protocols.
- Audit assurance: Seeing the “Audited” logo gives users confidence that the protocol is secure.
- Protocol use: Trusting the logo, users deposit funds into the protocol.
- Security breach: The protocol is hacked.
- Funds lost: Users lose funds they considered safe.
- Broken trust: These experiences lead users to conclude that “auditing doesn’t work.”
But it doesn’t work for auditors either. Consider the auditor’s perspective.
- Initial audit: The protocol is audited.
- Branding: The protocol displays the audit firm’s “audited” logo.
- Protocol evolution: Changes or new versions are introduced, so the deployed code no longer matches the audited code base.
- Misleading branding: The protocol keeps displaying the original “audited” logo, leading users to assume the current version is as secure as the audited one.
- Hack and blame game: When a breach occurs, the audit firm is the first to be blamed, especially if its logo is still visible on the protocol website.
- Reputation management: It is hard to clear the audit firm’s name once the first tweet/article/blog post has gone out.
ERC-7512 Solution
The solution is to remove the middleman and give users a reliable, easy way to verify that an audit report is valid. To be meaningful, an audit claim must satisfy three conditions:
- Scope: The audit covers the code that is actually deployed.
- Re-audit: Audits are up to date and include the latest releases.
- Fixes applied: The development team has fixed the issues identified in the audit.
ERC-7512 addresses these criteria by putting the audit parameters on-chain in a standardized format that is signed by the audit firm. Anyone can then retrieve and verify this information with a simple RPC call instead of downloading a PDF, reading the summary, and manually checking audit coverage against the deployed code base.
The ERC-7512 flow is simple:
- The protocol is audited.
- The protocol implements ERC-7512 and adds the first “Audit Summary” entry (there may be several, one per audit).
- The auditor signs the audit summary; the signature is part of the ERC-7512 record.
- The user (or a website like Rekt) queries the protocol for the signed audit summary and verifies the signature.
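To make the flow concrete, here is a minimal audit registry written for this article as an added example; it is not code from ERC-7512 and not Ackee Blockchain’s implementation. The struct fields, the EIP-712 type string, and the function names (`hashSummary`, `submit`, `isAuditCurrent`) are assumptions chosen for the illustration; the canonical ERC-7512 struct and signing scheme should be taken from the ERC text. What it shows is the security-relevant core: an entry is only stored if the auditor’s signature over it verifies, and a single `eth_call` to `isAuditCurrent` tells a user whether the code at the audited address still matches what the auditor signed.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added example: a minimal ERC-7512-style audit registry. The struct layout,
// the EIP-712 type string and the function names are ASSUMPTIONS for this
// illustration, not the canonical ERC-7512 definitions.
contract AuditRegistry {
    struct AuditSummary {
        address auditor;   // key the audit firm signs with (assumed to be an EOA)
        uint256 issuedAt;  // unix timestamp of the report
        uint256 chainId;   // chain the audited deployment lives on
        address target;    // audited contract address
        bytes32 codeHash;  // keccak256 of the audited runtime bytecode
        bytes32 auditHash; // hash of the audit report document (e.g. the PDF)
        string auditUri;   // where the report can be fetched
    }

    bytes32 private constant SUMMARY_TYPEHASH = keccak256(
        "AuditSummary(address auditor,uint256 issuedAt,uint256 chainId,address target,bytes32 codeHash,bytes32 auditHash,string auditUri)"
    );
    // secp256k1 n/2: a signature whose s is above this is malleable and is rejected
    uint256 private constant HALF_ORDER =
        0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0;

    bytes32 public immutable DOMAIN_SEPARATOR;
    AuditSummary[] public summaries;

    event AuditSubmitted(uint256 indexed index, address indexed auditor, address indexed target);

    constructor() {
        DOMAIN_SEPARATOR = keccak256(abi.encode(
            keccak256("EIP712Domain(string name,string version,uint256 chainId,address verifyingContract)"),
            keccak256("AuditRegistry"), keccak256("1"), block.chainid, address(this)
        ));
    }

    // EIP-712 digest the auditor signs off-chain.
    function hashSummary(AuditSummary memory s) public view returns (bytes32) {
        bytes32 structHash = keccak256(abi.encode(
            SUMMARY_TYPEHASH, s.auditor, s.issuedAt, s.chainId, s.target,
            s.codeHash, s.auditHash, keccak256(bytes(s.auditUri))
        ));
        return keccak256(abi.encodePacked("\x19\x01", DOMAIN_SEPARATOR, structHash));
    }

    // The protocol team submits the summary; it is stored only if the auditor's
    // signature over it verifies against the auditor address inside the summary.
    function submit(AuditSummary memory s, uint8 v, bytes32 r, bytes32 sigS)
        external returns (uint256 index)
    {
        require(uint256(sigS) <= HALF_ORDER, "malleable signature");
        require(v == 27 || v == 28, "bad v");
        require(s.chainId == block.chainid, "summary is for another chain");
        address signer = ecrecover(hashSummary(s), v, r, sigS);
        require(signer != address(0) && signer == s.auditor, "not signed by auditor");
        index = summaries.length;
        summaries.push(s);
        emit AuditSubmitted(index, s.auditor, s.target);
    }

    // The scope check a user (or a site like Rekt) runs with one eth_call:
    // does the code currently at the audited address still match what was signed?
    function isAuditCurrent(uint256 index) external view returns (bool) {
        AuditSummary storage s = summaries[index];
        return s.target.codehash == s.codeHash;
    }

    function count() external view returns (uint256) {
        return summaries.length;
    }
}
```

Two caveats the contract cannot remove. First, the signature only proves that the key in `auditor` signed the summary; users still need the audit firm’s real signing address from an out-of-band source (the firm’s website or a known registry), otherwise anyone can self-certify. Second, `codehash` covers only the bytecode at `target`: for an upgradeable proxy the summary must reference the implementation contract, and any upgrade silently moves the protocol out of scope until a new summary is signed and submitted, which is exactly the signal a “Re-audit” check wants.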
So in the ERC-7512 era, don’t trust the logo on a website; look for the ERC-7512 record. Ackee Blockchain will pioneer this by encouraging its clients to implement ERC-7512 for all future audit reports.
In the next article we will talk about:
- Integration into tooling for mass adoption;
- Automating on-chain data submission so that the overhead is minimal and only the benefits remain;
- Use cases for smart contract flows that strengthen the ecosystem.