🛠️ BUIDL 7.6.22 - How to mitigate protocol exploitations?
Weekly update email on the most important web3 trends, thoughts, and jobs and internships
weekly recap
⏸ Arbitrum will resume Odyssey after Nitro upgrade During Odyssey, a multi-week explorer rewards event, Arbitrum’s Layer 2 fees surpassed Ethereum mainnet fees. Odyssey is set to resume after Arbitrum ships its Nitro upgrade, which promises 20-50x faster Layer 2 execution, WebAssembly compatibility, and a seamless rollout that requires app devs to. Do. Nothing.
📙 EIP4907 NFT rentals standard is finalized EIP4907 separates NFT ownership from usage, allowing users to rent NFTs. This standard will improve ease of development around the transference of utility with in-game assets and member cards.
💰 Quixotic got exploited Quixotic, an Optimism NFT marketplace, was exploited for roughly $100k through a vulnerability introduced in a recent update to its marketplace contract. Quixotic permanently paused the contract and refunded affected users.
how to secure against protocol exploitations 🏛️
The Ronin bridge lost $625m and Harmony’s Horizon bridge lost $100m to hacking. Both incidents were attributed to Lazarus, a North Korean state-backed hacking group. More hacking attempts are likely because crypto is one of few ways that North Korea can circumvent punishing economic sanctions.
Sure, North Korea sounds scary, but where did it go wrong on protocol side?
The Ronin bridge ran only nine (yes, 9!) validators, with five signatures needed to approve a withdrawal. Four of those nodes were operated by Sky Mavis, and the one node run by Axie DAO had delegated its signing to Sky Mavis. With this centralized setup, compromising Sky Mavis alone yielded the five signatures needed to approve fraudulent withdrawals for the whole bridge. So much for decentralized validators!
Harmony’s Horizon bridge used a multi-signature scheme to approve transactions. However, the security of the entire bridge rested on obtaining just two out of four signatures: compromise two keys and you can move everything. So much for decentralized gatekeepers!
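The lesson in both stories is that the m-of-n threshold on paper is not the number that matters; what matters is how many independent parties an attacker has to compromise to collect m signatures. The script below is an added example (not code from Ronin, Harmony or this newsletter) that models who can actually use each signer key and computes that number. The layouts mirror the descriptions above (nine keys with a five-signature threshold, four keys plus one delegated key under a single company; a two-of-four multisig); the key and operator labels are hypothetical and the sample data is constructed for illustration.

```python
from collections import Counter

# Added, constructed example: model which party can actually produce a
# signature with each signer key of a threshold-signature bridge, then compute
# how many independent operators an attacker must compromise. Key and operator
# names are hypothetical labels, not any project's real validator identities.


def effective_signers(key_to_operator, threshold):
    """Return the smallest list of operators whose keys together meet `threshold`.

    key_to_operator maps each signer key to the party that can sign with it.
    A delegated key is counted under the delegate, because whoever holds the
    ability to sign is what the attacker targets.
    Greedy selection by key count is optimal: the k operators holding the most
    keys always give the largest signature count achievable with k operators.
    """
    if threshold > len(key_to_operator):
        raise ValueError("threshold exceeds number of keys")
    keys_per_operator = Counter(key_to_operator.values())
    chosen, signed = [], 0
    for operator, n_keys in keys_per_operator.most_common():
        chosen.append(operator)
        signed += n_keys
        if signed >= threshold:
            return chosen
    return chosen  # not reached when threshold <= number of keys


def attacker_budget(key_to_operator, threshold):
    """Number of distinct operators that must be compromised to forge a withdrawal."""
    return len(effective_signers(key_to_operator, threshold))


# Ronin-style layout as described above: 9 keys, 5 signatures required,
# four keys run by one company and a fifth key delegated to it.
RONIN_LIKE = {
    "val1": "SkyMavis", "val2": "SkyMavis", "val3": "SkyMavis", "val4": "SkyMavis",
    "val5": "SkyMavis",  # Axie DAO's key, signing delegated to Sky Mavis
    "val6": "OperatorA", "val7": "OperatorB", "val8": "OperatorC", "val9": "OperatorD",
}
RONIN_THRESHOLD = 5

# Same layout with the delegation revoked (the DAO signs with its own key).
RONIN_DELEGATION_REVOKED = dict(RONIN_LIKE, val5="AxieDAO")

# Horizon-style layout as described above: 2-of-4, one key per party.
HORIZON_LIKE = {"k1": "Signer1", "k2": "Signer2", "k3": "Signer3", "k4": "Signer4"}
HORIZON_THRESHOLD = 2


def report(name, key_to_operator, threshold):
    parties = effective_signers(key_to_operator, threshold)
    print(f"{name}: {threshold}-of-{len(key_to_operator)} on paper, "
          f"but {len(parties)} operator(s) suffice to sign: {parties}")


if __name__ == "__main__":
    report("Ronin-like", RONIN_LIKE, RONIN_THRESHOLD)
    report("Ronin-like, delegation revoked", RONIN_DELEGATION_REVOKED, RONIN_THRESHOLD)
    report("Ronin-like, delegation revoked, 7-of-9", RONIN_DELEGATION_REVOKED, 7)
    report("Horizon-like", HORIZON_LIKE, HORIZON_THRESHOLD)
```

The Ronin-like layout collapses to a single operator: the delegation alone turns a nominal 5-of-9 into 1-of-1. Revoking the delegation only raises that to two parties, and it takes a 7-of-9 threshold before four independent operators must be breached. The Horizon-like 2-of-4 needs two parties, which is exactly two stolen keys. Run the same check whenever a validator or multisig set changes hands, is delegated, or is hosted on shared infrastructure.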
As builders, what can we learn from these massive hacks?
⚖️ Scale your security: At launch it is fine to keep costs low and move fast, with only nine validators or a two-out-of-four multi-sig. But as TVL grows, so should your investment in security: the signer set and the signature threshold must grow with the value they guard, not stay where they were on day one.
🕵 Run audits periodically: Audit certifications are the gold standard in web3. You have a badge, you are deemed safe. But code changes. TVL grows. Attack vectors increase. Quixotic’s loss above came from an update to an already deployed contract, exactly the case a one-time badge does not cover. These audit badges should have a renewal date.
On average, an audit costs $5,000-15,000 for a small project and up to $500k for a project the size of Uniswap. An average data breach costs $3.92m, and a crypto theft can set your protocol back hundreds of millions. Renew your audits periodically, and re-audit every contract change that touches funds.
🔗 Decentralize to avoid choke points: Centralized protocols are easier to attack, because one compromised party can do the damage of many. The risk created by centralization outweighs the cost of decentralizing. But is decentralization affordable?
Each Ethereum 2.0 validator requires a 32 ETH stake to start and roughly $800/year to maintain. Using this as a benchmark, most blockchain projects with traction should be able to afford adding independent partners to run validators, and rewarding them for it.
web3 tweet of the week 💬


jobs 💻
That.app - Business Development Manager (SF)
BitGo - Engineering Manager, DeFi (Remote)
Connext - Developer Relations (Remote)
Compound - Product Manager (Remote)
Nillion - Senior Software Engineer, Blockchain App Layer (Remote)
Messari - Customer Success Manager (Remote)
Aztec - Full Stack Engineer, Aztec 3 (Remote)
Circle - Ventures Associate (Remote)
Pantera - Associate, Investor Relations (Menlo Park)
internships 🎓
P72 - Communications Internship (NYC)
Lunar Digital - UI/UX Dev Intern (LA)
Panther Protocol - Cryptography Engineer Intern (Remote)
Gelato Network - Marketing Intern (Zurich)
Ledger - Financial Project Management Intern (Paris)
candidates 💼
For founders hiring crypto talent, find a list of ex-Coinbase employees here. These candidates are excellent and passed Coinbase’s thorough vetting process. They are great people who were unfortunately hit by the macro-driven CB18 layoffs. Feel free to reach out to me for resumes. #GetEmHired
All views are my own. Statements above are not investment advice.
Thanks for reading. What do you think? I’d love to hear from you - holla at me on LinkedIn and Twitter. If you liked this post, why not share it?