Original author: Haotian (Twitter: @tmel0211), blockchain security practitioner
Security incidents keep coming one after another at the end of the year; the hackers, presumably afraid the bear market would leave them with no money, decided to grab a year-end bonus in the hundreds of millions first. Some people ask: Rabby, TempleDAO, Mango and the other attacked projects all had security audits, so why were they still attacked? Some even dismiss security audits as meaningless. As someone who has worked in the blockchain security industry for many years, I would like to say a few brief things:
1. Readers first need to adjust their expectations: a security audit is indispensable, but completing an audit is by no means a once-and-for-all fix. Attack and defense are not on the same scale at all. Look at any security firm's audit report and you will find that almost every project turns up 1 critical vulnerability, 2-4 high-risk vulnerabilities, and a number of medium- and low-severity ones. Can you say that finding these vulnerabilities is meaningless? It has meaning, but mostly in reducing security risk!
2. After a breach, some people will say the vulnerability was so simple, so why wasn't it discovered? The problem is more complicated than that. A security audit uses existing tools and experience to review the code's logic for defects and to check for common vulnerability classes such as overflow, replay, and missing validation. But the hard part of DeFi and similar protocols is not the code; it is the complex financial business logic: process control, nesting of external protocol compositions, market manipulation, and so on, which lies beyond the scope of what a security firm is engaged to do.
3. The blockchain ecosystem is full of combinations: open source plus closed source, audited projects plus unaudited ones, off-chain validators plus on-chain execution, and so on. Many projects are audited by security firms only module by module. For example, the open-source part is audited, but what about the closed-source part? What if an off-chain process affects on-chain execution? What if the market is manipulated because trading depth is thin? Security firms can't be blamed for everything that goes wrong.
4. What is worrying is that many project teams seek a security audit for impure motives: they just hope to obtain a so-called "security endorsement". With that mentality, you can imagine how much they invest in their own security preparedness. When something goes wrong, they point to the top-tier security firm that audited them and put on an innocent face. Ask instead: how much has the project itself invested in security defense, hardening, and emergency response? I think this is the fundamental reason why security incidents are so common.
5. In fact, the biggest threat to the industry ecosystem is not hacking attacks alone, but the "man-made disasters" caused by weak security awareness: for example, news of a rug pull emerging as soon as some projects are attacked, and the phishing scams we all see every day, which are too numerous to count. Add up the security losses from rug pulls, phishing, cyber-extortion, Ponzi-style "fund pool" fraud, and so on, and the threat is no less serious than that posed by hackers.
6. In my view, there is a long way to go to solve the crypto industry's security problems. The ecosystem we hope for is one in which the project's own security protection, the preventive assistance of third-party security audits, and the security awareness of every user all come together, so that the industry becomes fundamentally more "secure". But in reality a security firm is not the builder of security at all. A security firm can act as the repairman: it is good at repairing bridges when they collapse and roads when they break. A safe ecosystem needs to be guarded by every participant.
Welcome to join the official BlockBeats community:
Telegram subscription channel: https://t.me/theblockbeats
Telegram discussion group: https://t.me/BlockBeats_App
Official Twitter account: https://twitter.com/BlockBeatsAsia