Code is law. Code is vulnerable.
Hi frens,
You may have heard that Curve Finance, one of the biggest DeFi protocols, suffered millions in losses due to a vulnerability in Vyper, at the compiler level of the smart contract language.
That’s how DeFi works: it operates entirely through smart contracts, which are essentially code. No need to trust anyone except the code itself. This principle is often referred to as “code is law.”
But code is also vulnerable when there are bugs. Whether you’re a user or a developer, do you rigorously inspect all the code you’re using? Hardly.
So here’s the irony: when a code vulnerability is discovered,
Is it really a good idea to aggregate information related to how to execute a hack? Who should we trust? (source)
It circles back to establishing a chain of trust among individuals.
On the other hand, this level of bug “could have been caught with a unit test.”
There’s a saying that “given enough eyeballs, all bugs are shallow.” But you still need to work very hard to achieve that.
Here’s another example, SQLite:
I’m going to write tests to bring SQLite up to the quality of 100% MCDC, and that took a year of 60 hour weeks. That was hard, hard work. I was putting in 12 hour days every single day. (source)
Will DeFi developers and the industry learn the lesson? I hope they prioritize software quality over chasing short-term profits.
Your friend,
Denken