The WingRiders source code has been audited by the renowned security company CERTIK. Let’s explain why a security audit is important, how it is performed, and most importantly, what was the result.
How the financial world works
Today’s financial world is centralized and regulated. This means that your funds are held and operated by regulated institutions that are directly responsible for your assets. These commercial institutions are overseen by government authorities who audit the process, accounting, or infrastructure security level. Bank accounts are often insured, so if the bank unexpectedly goes bankrupt or is robbed, users will not lose their money.
Users trust third parties, such as banks, and at the same time trust authorities to audit banks thoroughly. If the bank does not behave according to the rules and users are not satisfied, they can complain to the authorities. Bankers cannot simply steal money from their clients, as this is illegal and easily detected. In the event of major problems, the authorities would revoke the banks’ licenses needed to operate the service.
Today’s financial world is built on trust in institutions and the legal system.
How trust works in a decentralized world
Cardano is a decentralized network, so in principle, you cannot trust one entity. People put their trust in the source code. Your assets are primarily protected by the Cardano network. Secondarily by smart contracts (Plutus scrips) if you decide to use a decentralized service. The current legal system does not yet have a clear regulatory framework for cryptocurrencies. Even if that changes and regulations come, current cryptocurrency users primarily trust the Cardano network and the people who collectively take care of running it.
Cardano, like any other blockchain network, is a technology. More specifically, it is a network protocol whose rules must be designed and then implemented by a team. We’re talking about a relatively complex software development process. The quality of development can vary substantially from project to project. IOG is committed to the highest principles of academic rigor and evidence-based software development. The company builds high-assurance blockchain infrastructure solutions. Cardano is being built as a mission-critical project, which means that the quality of the source code is comparable to the quality of software being developed for NASA, nuclear power plants, airplanes, etc. This is one of the reasons why the cryptocurrency community values Cardano so much and trusts the network. The trust is built on the attitude of the team and the quality of the protocol.
The experience of the team and the quality of the source code is very important, as it is essentially the only thing that protects the users’ assets in a decentralized world. This applies to the Cardano network as well as to all smart contracts. Cardano is a platform. This means that any team can leverage Cardano’s infrastructure to create their own financial service. WingRiders is an Automated Market Maker (AMM) decentralized exchange (DEX). There is a team behind WingRiders that has nothing to do with IOG. WingRiders is a separate and very skilled team that is only responsible for the source code of its decentralized exchange. Not for the Cardano source code.
We have seen many hacks in the DeFi space in the past on other platforms. A lot of people have lost funding. If a smart contract is poorly written and hackers manage to steal coins, the team that left a security hole in the app is to blame. It is important to remember that in a decentralized world, normal asset protection does not work. No authority can force the team to be accountable for the smart contract they have written and refund users in the case of a hack. Teams may try to voluntarily cover the loss, but may not have sufficient funds. In that case, users are simply out of luck.
The importance of a security audit
Every team building a decentralized application wants to write smart contracts of the best quality. The team needs to design the application well at the very beginning. After that, it is possible to implement it. High quality and extensive testing after writing the source code is extremely important. The team will verify that the application behaves exactly as specified. An experienced team tries to hack their own application to make sure someone else can’t. It is wise to test new smart contracts on the Cardano test-net first. Test-nets use tokens that have no real value. In case of a problem, there is no financial loss. Skipping this phase can be seen as a red flag. Teams may want to quickly deliver their application to the main-net to have a competitive advantage. However, skipping the testing phase may not pay off.
The WingRiders team is very experienced and wants to avoid potential problems. They take the testing phase really seriously and everyone has the chance to try out the DEX on the Cardano test-net. Is there anything more the team can do? Yes, it can. It can ask a third independent party to perform a security audit of the source code. This way, the team can prove to users that WingRiders is a secure exchange and that they don’t have to worry about using it. Recall that key parts of the Cardano protocol have also undergone a security audit. The WingRiders team honors good security standards in the Cardano ecosystem.
CERTIK confirmed that WingRiders is a safe DEX
A team can do its best, but it may overlook something important. There are firms on the market that specialize in security audits of smart contracts. These companies employ security experts who are able to closely inspect the source code of smart contracts and look for potential vulnerabilities. This is a form of review that takes place after the WingRiders team has conducted its own review and tested the application.
The WingRiders team had the smart contracts audited by CERTIK. It was founded in 2018 by a professor from Yale and Columbia universities. CERTIK is a pioneer in blockchain security and uses best-in-class formal verification and artificial intelligence technologies to secure and monitor blockchains, smart contracts, and Web3 applications.
CERTIK experts identify errors and potential risks of abuse. They then issue a report that lists the vulnerabilities in order of severity. The most serious errors are marked as Critical and Major, and the application is definitely not ready for main-net if it contains such errors. The source code may also contain less critical errors marked as Medium and Minor. These errors should also be fixed. The last two error levels are Informational and Discussion. These errors are not serious and are often minor errors that do not critically affect the functionality of the program.
The auditing process pays special attention to the following considerations:
- Testing the smart contracts against both common and uncommon attack vectors.
- Assessing the codebase to ensure compliance with current best practices and industry standards.
- Ensuring contract logic meets the specification and intentions of the client.
- Cross-referencing contract structure and implementation against similar smart contracts produced by industry leaders.
- Thorough line-by-line manual review of the entire codebase by industry experts.
The security audit was very positive for WingRiders. CERTIK found only 5 vulnerabilities with Informational severity. The team accepted and fixed the errors. These were errors at the level of coding style, logical issue, and inconsistency. These kinds of errors can be fixed very easily. CERTIK has formally verified several of the core functions. The verification proves that the core business logic functions satisfy important properties and invariants, which builds confidence that the program logic is correct.
In other words, we can say that WingRiders is basically ready to run on the Cardano main-net.
Nothing verifies source code like time. The longer service is used, the more certain users are that it will not be hacked. New DeFi services don’t have this comfort and want to attract a large number of users from the start. Users don’t want to risk losing their coins and tokens. In the beginning, trust in the service may not be high. WingRiders has done its best to prove to users that they can use the decentralized exchange without worry. There were no significant problems on the test-net and the security audit performed by CERTIK also proves that you can swap tokens securely on WingRiders.