Disclosure: The views and opinions expressed herein are solely those of the author and do not necessarily represent the views and opinions of crypto.news editorial.
Security audits are vital; however, its results often remain unchallenged and a single investigation cannot always detect all vulnerabilities. Public audits that force white hat hackers to double-check audit results through DeFi incentives could improve the security of the entire web3 as it would make bug bounties affordable even for small-scale projects.
Why aren’t regular inspections always enough?
According to Hacken’s Q3 Security Report, the web3 industry has lost a staggering $1.8 billion in 2024 alone. Approximately 40% of these losses were caused by preventable issues such as smart contract vulnerabilities and re-entry attacks. Worryingly, 90% of the hacked projects had passed no audits at all, highlighting a critical oversight of security.
Traditional security controls are very important; They ensure the safety of user funds by providing in-depth, expert-led reviews at critical points in a project’s lifecycle. However, due to the centralized nature of these audits, there is usually no opportunity to challenge their findings unless a project invests in a second audit, which is rare. Because even the most diligent auditors are prone to human errors, it is unrealistic to expect a single inspection to catch everything.
The solution to this problem lies in web3’s understanding of decentralization. Crypto projects can engage a broader community of white hat hackers for public audits, thus ensuring decentralized, ongoing, and community-driven security reviews.
Decentralized security controls: Principles and benefits
The number one issue in designing decentralized controls is to give strong incentives to independent auditors while ensuring that they do not add extra costs to projects. Let me show you a possible way to achieve this balance with DeFi tools.
Imagine that the security platform launches a custom smart contract-based reward pool whenever it has a new customer requesting an audit. The company fills this pool with a share of the auditing cost, while token holders add more by staking the platform’s tokens. After the platform completes its own audit, independent security researchers join the game and re-check the customer’s code. Once the community moderation is completed, independent moderators and stakers collect rewards from the pool.
This is how DualDefense Flash Pools work in Hacken. Each customer who pays for a private audit receives an additional public audit, creating a double-layered security model. And in the true spirit of DeFi, community participation is incentivized through staking rewards.
This approach has far-reaching benefits: the community gets a high real return APY tool, auditors welcome peer testing of their findings, and white hat hackers earn rewards for valid bug discoveries, even for finding clean code. For crypto projects, this means further ensuring the security of their code. It offers a viable approach to improving security and combating cybercrime for the entire web3 industry.
Decentralized controls democratize access to security, especially for emerging web3 projects. Many crypto startups have great MVPs but often lack the resources for traditional bug bounties, which can be costly; no one can predict how many bugs ethical hackers can uncover. The model we propose addresses this problem with a fixed, community-funded reward pool, making security accessible and predictable from the start.
Implementing this model poses a very tangible risk for auditing companies: It jeopardizes the platform’s reputation by allowing external auditors to verify the platform’s work. Only this way the company has an extra incentive to approach each audit more carefully, knowing how publicly the results of its work will be made; Ultimately, this will benefit the entire industry. Smart contract auditors should not walk away after an audit; Now is the time to be brave and take responsibility.
Finally, public audit pools offer something DeFi has been missing: rewards backed by real-world money. This model ensures that users’ returns are not due to token emissions causing inflation, which often results in unsustainable growth and loss of value over time. Instead, users earn from real market activity, taking a step towards more sustainable financial models in DeFi.
Combining traditional controls with open community-supported controls paves the way for a resilient security model suitable for projects of all sizes. Public audits backed by DeFi-focused incentives mark a transformative step towards an accessible, robust and proactive security culture on web3.
Dyma Budorin
Dyma Budorin is the co-founder and CEO of leading blockchain security auditor Hacken, co-chair of EEA DRAMA (a DeFi Risk Assessment Management and Accounting group), and co-author of crypto industry standards. After more than eight years of audit experience at Deloitte, he served as an audit consultant at Ukrspetsexport and deputy CEO of strategy and development at Ukrinmash (both Ukrainian government entities). A crypto enthusiast and cybersecurity expert, Dyma’s views have been featured on BBC, Wired, Cointelegraph, Coindesk and other reputable media outlets. He is also the Vice President of the Ukrainian Blockchain Association.