There is no comprehensive runtime security solution for smart contract systems, and that is a big problem.
When a developer ships a new contract, they commission audits from security firms to catch common issues, run a battery of tests, and, once they feel secure enough, deploy the contract to mainnet and hope nothing goes wrong. From that point on, security is entirely manual and reactive: if an exploit happens, the team had better be awake, paying attention and in a position to mitigate the damage quickly (if that is still possible).
Think about it: this is like launching a rocket and then waiting for it to light on fire to react to a problem. By the time the rocket’s engulfed in flames, it’s probably already too late.
Most of the time, the only way to mitigate an exploit in progress is to race the attacker and exploit the same bug yourself (a white-hat rescue), so the extent of the damage is heavily influenced by how long it takes to discover the problem. To make matters worse, when a new class of exploit is discovered, auditors have no incentive to go back and re-check previously audited contracts, whereas attackers have a large one.
These are large, universal problems of building smart contract systems, so what’s the best way to solve them?
Centralized monitoring solutions are incapable of moving fast enough to cover all the new smart contracts being launched. Once a decentralized, open source ecosystem hits escape velocity, its momentum is omnidirectional and centralized efforts can at best cover narrow pieces of it. The only way to fight this kind of fire is with fire: you have to incentivize the ecosystem to proactively monitor itself.
This is why I’m proud to announce our backing of Forta, a decentralized protocol for runtime security. Forta incentivizes a network of nodes that continuously scan major L1 and L2 blockchains for threats and notify relevant systems and people immediately upon detection.
Critically, Forta operates as an open market for runtime security. It incentivizes security engineers and protocol developers to collectively contribute to a security ecosystem — enabling its threat detection capabilities to grow side-by-side with the attack surface, rather than constantly playing catch up.
Forta can also be viewed as the first security primitive. Just as DeFi developers have built powerful financial applications on top of Chainlink's price oracles, smart contract developers will be able to build powerful security applications on top of Forta's threat oracles. For example, bots can be programmed to automatically respond to new threats by sending defensive transactions, such as pausing a contract (which requires the responding bot to hold a privileged role, so its keys deserve the same care as the protocol's own admin keys), creating something that could be likened to a blockchain defense tower.
If Forta had existed over the last few years, many of the hacks we've experienced could have been avoided or mitigated. For instance, when Spartan Protocol was attacked due to a flawed calculation in their smart contract, resulting in a $30m+ loss, the Forta protocol could have proactively identified and alerted stakeholders to the deployment of a suspicious contract, the first suspicious transaction, and the first losses incurred by the protocol, potentially saving millions or even preventing the exploit altogether.
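To make the "threat oracle" and "defense tower" ideas above concrete, here is an added example (not Forta's code, not the Forta SDK, and not the original post's) of the kind of heuristics a detection bot runs over a transaction stream, followed by a responder that turns a critical alert into a planned defensive action. The three signals mirror the Spartan timeline: a fresh contract deployment, that fresh contract calling the monitored pool, and the pool's reserves dropping sharply in a single transaction. All addresses, the `PROTOCOL` placeholder, the `Tx` shape and the sample stream are constructed; a real bot would derive the caller of the pool from call traces and the reserve from on-chain state.

```python
"""Toy runtime-monitoring heuristics for a liquidity pool (constructed example)."""
from dataclasses import dataclass
from typing import Optional

PROTOCOL = "0xP00l"  # placeholder address of the monitored pool contract (constructed)


@dataclass(frozen=True)
class Tx:
    block: int
    tx_hash: str
    caller: str                     # msg.sender of the call into the pool (or the deployer)
    to: Optional[str]               # None means contract creation
    created: Optional[str] = None   # address of the contract created, if any
    pool_reserve_after: Optional[int] = None  # pool reserve after this tx (constructed)


@dataclass(frozen=True)
class Alert:
    block: int
    tx_hash: str
    severity: str   # INFO / MEDIUM / CRITICAL
    kind: str
    detail: str


class PoolDrainDetector:
    """Stateful detector: remembers deployments and the last observed reserve."""

    def __init__(self, protocol: str, fresh_window: int = 100, drain_ratio: float = 0.10):
        self.protocol = protocol.lower()
        self.fresh_window = fresh_window    # blocks within which a contract counts as "fresh"
        self.drain_ratio = drain_ratio      # single-tx reserve drop that counts as a drain
        self.deployed_at: dict[str, tuple[int, str]] = {}  # contract -> (block, deployer)
        self.last_reserve: Optional[int] = None

    def handle(self, tx: Tx) -> list[Alert]:
        alerts: list[Alert] = []
        # Signal 1: a new contract appears; low severity on its own, but remembered.
        if tx.to is None and tx.created:
            self.deployed_at[tx.created.lower()] = (tx.block, tx.caller.lower())
            alerts.append(Alert(tx.block, tx.tx_hash, "INFO", "CONTRACT_DEPLOYED",
                                f"{tx.created} deployed by {tx.caller}"))
            return alerts
        if not tx.to or tx.to.lower() != self.protocol:
            return alerts  # not our pool; ignore
        # Signal 2: the pool is called by a contract deployed only moments ago.
        info = self.deployed_at.get(tx.caller.lower())
        if info and tx.block - info[0] <= self.fresh_window:
            alerts.append(Alert(tx.block, tx.tx_hash, "MEDIUM", "FRESH_CONTRACT_INTERACTION",
                                f"{tx.caller} (deployed at block {info[0]} by {info[1]}) called the pool"))
        # Signal 3: reserves fall by more than drain_ratio in a single transaction.
        if tx.pool_reserve_after is not None:
            if self.last_reserve:
                drop = self.last_reserve - tx.pool_reserve_after
                ratio = drop / self.last_reserve
                if drop > 0 and ratio >= self.drain_ratio:
                    alerts.append(Alert(tx.block, tx.tx_hash, "CRITICAL", "RESERVE_DRAIN",
                                        f"reserve fell by {drop} ({ratio:.1%}) in one tx"))
            self.last_reserve = tx.pool_reserve_after
        return alerts


def run(stream: list[Tx], detector: Optional[PoolDrainDetector] = None) -> list[Alert]:
    detector = detector or PoolDrainDetector(PROTOCOL)
    alerts: list[Alert] = []
    for tx in stream:
        alerts.extend(detector.handle(tx))
    return alerts


def plan_response(alerts: list[Alert]) -> list[dict]:
    """Defense-tower step: map CRITICAL alerts to a planned pause() of the pool.
    Only the plan is produced here; actually sending it needs a privileged key."""
    return [{"action": "pause", "target": PROTOCOL, "reason": a.kind, "block": a.block}
            for a in alerts if a.severity == "CRITICAL"]


# Constructed sample stream: baseline trade, attacker deploys, probe, then drain.
SAMPLE_STREAM = [
    Tx(50, "0xt1", "0xLP", PROTOCOL, pool_reserve_after=1_000_000),
    Tx(100, "0xt2", "0xAttackerEOA", None, created="0xExploit"),
    Tx(101, "0xt3", "0xExploit", PROTOCOL, pool_reserve_after=990_000),   # 1% out
    Tx(102, "0xt4", "0xExploit", PROTOCOL, pool_reserve_after=700_000),   # ~29% out
]

if __name__ == "__main__":
    found = run(SAMPLE_STREAM)
    for a in found:
        print(f"block {a.block} {a.severity:8} {a.kind}: {a.detail}")
    print(plan_response(found))
```

The 10% single-transaction threshold and the 100-block freshness window are tuning knobs, not constants from any protocol; in practice they are set per pool from historical volatility, and the MEDIUM alert alone should page a human rather than trigger a pause, since new contracts legitimately interact with pools all the time.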
The initial idea for Forta came from OpenZeppelin, the leading audit and security firm in crypto. If you’ve deployed a smart contract on Ethereum, odds are you’ve used contract templates engineered by the OZ team. Simply put, there isn’t a team in the world better positioned to kick off this decentralized community.
We believe the Forta protocol and its surrounding ecosystem of security applications have the potential to drastically reduce the frequency and impact of hacks and exploits, and we are excited to see what people build with it!