Resolving the problems of DApp insurance: developers hacking themselves

The problem.

  1. Develop a ‘malicious’ smart-contract that can be hacked.
  2. Insure the smart-contract at the DApp Insurance Organization.
  3. Exploit a vulnerability of the contract to withdraw the funds operated by the contract.
  4. Claim that the contract was hacked and request the remuneration from the DApp Insurance Organization according to the insurance agreement.

The method of preventing the problem.

1. A security audit of the smart-contract code is mandatory before a DApp developer can sign an insurance agreement.

2. The Smart-contract Insurance Organization must establish a hack investigation department. The cases it must distinguish:

  • The exploited feature of the contract was not described during the security audit. In this case the Insurance Organization must compensate the amount of funds stolen during the hack.
  • The exploited feature of the contract was described during the security audit as an ‘owner privilege’. In general this means that the contract developers exploited their own privileges to hack themselves on purpose. In most cases the Insurance Organization must not compensate these losses unless the smart-contract developers can prove that they could not have exploited the owner-privilege feature. If they can prove it, further investigation is necessary.
  • The exploited feature of the contract was described during the security audit but was not fixed by the developer. The Insurance Organization must review the security audit report before signing an agreement with the smart-contract developer. All the findings described in the report must be taken into account. It is the responsibility of the Insurance Organization to define in the insurance agreement which cases are considered a “hack”. If the security audit report states that some features of the contract are considered vulnerabilities or pose a risk of fund losses, then the Insurance Organization must not sign the agreement with the smart-contract developer before the fix is applied and the contract is audited again.
  • The exploited feature is not a feature of the smart-contract but a fault of some peripheral service or underlying platform. These cases must be described and resolved according to the insurance agreement. In general, if the flaw that led to the financial loss was known at the moment of the security audit, then it is the responsibility of the Auditor to highlight it in the publicly available security audit report. If it is provable that the flaw that led to the financial loss was known or documented, or that its effect was predictable, and the Auditor failed to describe it, then the Insurance Organization must compensate the financial loss of the smart-contract developer (if the insurance agreement does not contain any specific provisions for such situations). If it was impossible for the Auditor to identify the flaw, or the flaw was not directly related to the security of the audited smart-contract, then the Insurance Organization must describe this in the hack investigation report.
  • The exploited feature was not present in the contract at the time of the last security audit. Upgrading the smart-contract leaves it in an unaudited state. The Insurance Organization is not responsible for compensating any losses of unaudited smart-contracts.

3. The Insurance Organization and the insured smart-contract developer must coordinate the updates and re-audits of the smart-contracts.

4. “Feeding” the hacker. The insured developer must:

  • Respond to critical warnings and requests from the Insurance or the Auditing team within X hours.
  • Implement and utilize the emergency freeze functions if requested by the Insurance team or the Auditor in order to freeze the state of the smart-contract for further investigation.
  • Perform an emergency upgrade of the smart-contract if requested by the Insurance team or the Auditor.
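The following Solidity contract is an added illustration of the emergency freeze function requested above; it is not code from the article or from any insurance organization. It assumes a hypothetical vault that holds user deposits, and a hypothetical `investigator` address belonging to the Insurance or Auditing team. The design point, which ties back to the ‘owner privilege’ case of the investigation rules, is that the owner has no privileged way to move user funds, and cannot lift a freeze on their own, so the frozen state stays intact until the investigation is done.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

/// @notice Illustrative vault with an emergency freeze ("circuit breaker").
/// Added example, not the article's code. The `investigator` address and
/// the freeze/unfreeze authority split are assumptions for this example.
contract FreezableVault {
    address public owner;
    address public investigator; // assumed: insurer's or auditor's investigation team
    bool public frozen;
    uint256 public frozenAt;
    mapping(address => uint256) public balances;

    event Frozen(address indexed by, uint256 at);
    event Unfrozen(address indexed by, uint256 at);

    modifier notFrozen() {
        require(!frozen, "contract frozen");
        _;
    }

    constructor(address _investigator) {
        require(_investigator != address(0), "investigator required");
        owner = msg.sender;
        investigator = _investigator;
    }

    /// @notice Deposits are blocked while frozen so the balance table stays
    /// exactly as it was at the moment of the freeze.
    function deposit() external payable notFrozen {
        balances[msg.sender] += msg.value;
    }

    /// @notice Users withdraw only their own balance; there is no owner-level
    /// withdrawal, so the audit report has no 'owner privilege' item to list.
    function withdraw(uint256 amount) external notFrozen {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;               // effects before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }

    /// @notice Either the owner or the investigator may freeze. Freezing only
    /// stops fund movement; it never transfers or rewrites balances.
    function freeze() external {
        require(msg.sender == owner || msg.sender == investigator, "not authorized");
        frozen = true;
        frozenAt = block.timestamp;
        emit Frozen(msg.sender, block.timestamp);
    }

    /// @notice Only the investigator may lift the freeze, so the owner cannot
    /// freeze and immediately unfreeze to cut an investigation short.
    function unfreeze() external {
        require(msg.sender == investigator, "only investigator");
        frozen = false;
        emit Unfrozen(msg.sender, block.timestamp);
    }
}
```

In a real deployment the `investigator` role would more plausibly be a multisig controlled by the Insurance Organization and the Auditor, and the `Frozen` event gives the investigation department an on-chain timestamp to anchor the hack investigation report on.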

5. WONTFIX cases.
