92 out of 157 protocols listed on Rekt resulted in being hacked because of Unaudited or Out of Scope while often having “audited by” logos on the website. This makes the auditing process untrustworthy, not only for the users. Both users and auditors suffer from intermediate audit representations that misinterpret the results. Enter ERC-7512: A standard to store auditing information on-chain.
The ERC-7512 enables users to verify not just who audited a protocol but also whether the audit is up-to-date or valid. Let’s deep dive into ERC-7512.
The Problems
As highlighted, the auditing flow doesn’t really work for end users who often rely only on interpreted information:
- Discover Protocol: Users find a new protocol.
- Audited Assurance: Seeing an “audited by” logo, users gain confidence that the protocol is secure.
- Using the Protocol: Trusting the logo, users use the protocol, putting in their funds.
- Security Breach: The protocol experiences a hack.
- Funds Lost: Users lose their funds, which were considered safe.
- Trust Broken: This experience makes users think “audits don’t work.”
But it doesn’t work for the auditors as well. See the auditor’s perspective:
- Initial Audit: The protocol undergoes an audit.
- Branding: The protocol displays an “audited by” logo of the auditing company.
- Protocol Evolution: Changes or new versions are introduced to the protocol, altering the audited codebase.
- Misleading Branding: The protocol continues to display the initial “audited by” logo, misleading users into thinking that the current version is as secure as the audited one.
- Hack and Blame Game: In the event of a security breach, the first thing is to blame the auditing company, particularly if their logo is still displayed on the protocol’s website.
- Reputation Management: Clearing an auditing firm’s name is difficult because of the first Tweet / Article / Blog.
The ERC-7512 Solution
The solution is to remove any intermediate representation and offer a verified and easy way for the user to check the validity of the audit report. To be valid, the audit process must include:
- Corresponding scope: The audit covers the deployed code base.
- Reaudits: The audit is up-to-date, covering the latest release.
- Applied fixes: The development team fixed all identified issues in the audit.
ERC-7512 addresses these criteria by submitting all audit parameters on-chain in a standardized format that is verified and signed by the auditing company. This will allow anyone to use a simple RPC call to get all the information instead of downloading a PDF, searching for an executive summary, and verifying the audit scope against the code base by hand.
The ERC-7512 flow is simple as:
- The protocol undergoes an audit.
- The protocol implements ERC-7512 and adds a first “audit summary” item (there can be many of them).
- The auditor signs the audit summary, the property of ERC-7512.
- The user (or any website such as Rekt) queries the protocol to get this signed audit summary.
So, in the age of ERC-7512, don’t check the logo on the website. Just look for ERC-7512. Ackee Blockchain will pioneer this by encouraging our clients to implement ERC-7512 in all future audit reports.
In the next articles, we will talk about:
- integration into tooling for mass adoption,
- automation of the on-chain data submission, leading to minimal overhead and only benefits,
- use cases in smart contract flow to strengthen the ecosystem.
