Zest Protocol Team is Supercharging Security on Stacks
September 5, 2024
Tycho Onnasch
The April 2024 smart contract attack on Zest Protocol made us realise that smart contract security on Stacks needed significant improvement. We took action to improve smart contract security on Stacks by helping some of the best security researchers in the industry bootstrap a Clarity-focused smart contract auditing firm. In addition to bootstrapping new auditors, we pushed for a swift onboarding of state-of-the-art incident response monitoring software - enabling DeFi protocols to recognise potential vulnerabilities faster. With these improvements, we believe that DeFi builders on Stacks now have the tools necessary to build robust applications.
Improving Stacks security
The Clarity smart contract language on Stacks is, in theory, a more secure scripting language. However, because Clarity smart contracts are open source by default, it’s of critical importance that a strong security ecosystem exists around the Clarity language. After all, if smart contracts are available on chain for anyone to read - hackers are looking too. The fact that smart contracts are open source is a unique feature on the Stacks blockchain - Solidity contracts on Ethereum or smart contracts on Solana are closed source by default through compiled code.
When Zest Protocol launched, the security ecosystem around the Clarity smart contract language was virtually non-existent, allowing hackers to have their pick and exploit contracts at will. Two auditing firms were actively auditing Clarity code, yet the number of critical ImmuneFi bug bounties that were won by white hat hackers made it clear there were issues with these auditing firms. If audited code from multiple protocols gets exploited by the same group of white hat hackers in exchange for ImmuneFi bounties, those audits are not of high enough quality.
As a result of this lack of a Clarity language security ecosystem, Zest Protocol suffered an attack on its smart contracts in April 2024 (which luckily had no impact on user funds).
We dodged a bullet at Zest Protocol. Knowing that the next smart contract attack would likely take down an entire protocol, we realised that something needed to change. Those white hat hackers had to become our new auditors.
Introducing Clarity Alliance
The Zest Protocol Labs tech team - led by CTO Emil Erkkola - banded together with the white hat hackers who won critical bounties across major Stacks DeFi protocols and asked them to audit the Zest Protocol contracts. The result was an audit of a quality standard that we had never seen before. Some of these white hat hackers rank in the top 15 of the ImmuneFi bug bounty ranking and are simply too talented for any security auditing firm to hire as employees. It became clear to us that the path forward for Clarity as a smart contract language would be having hackers like these audit every serious smart contract on the Stacks blockchain. We confirmed our findings with other teams in the Stacks ecosystem and Clarity Alliance was born.
Clarity Alliance is a new auditing firm for Clarity smart contracts on Stacks. In addition to Zest Protocol, it has now audited Bitflow, Stacking DAO, and Hermetica, with more audits currently underway. Clarity Alliance brings the best minds of Clarity code together under one brand in order to save DeFi on Stacks. Contrary to a regular auditing firm, Clarity Alliance is a loose collective of white hat hackers who audit smart contracts - producing state-of-the-art audit reports that are made publicly available to the community. Bootstrapping this auditing firm is key for the future growth of Stacks and we’re excited to be a part of it.
If you want to request the Clarity Alliance team to check out your Clarity code: contact them here.
Incident response monitoring
In addition to bootstrapping Clarity Alliance, we also pushed for a swift onboarding of state-of-the-art incident response monitoring software with Hypernative. Tools like Hypernative are critical for DeFi protocols to recognise potential smart contract attacks faster. For example, DeFi protocol teams can receive reports of suspicious activity surrounding their contracts - which often happens days if not weeks before an actual smart contract attack takes place. Even the existence of this kind of monitoring drastically reduces the things that hackers can do on chain without getting caught by the respective DeFi teams.
With these improvements, we believe that DeFi builders on Stacks now have the tools necessary to build robust applications.
*This article does not address the 'ALEX hack'. The ALEX protocol lost user funds as a result of an admin key leak rather than a smart contract hack.