Denken’s Tritsch-Tratsch Letter

Code is law. Code is vulnerable.

Denken
Aug 4, 2023
Hi frens,

You may have heard that Curve Finance, one of the biggest DeFi protocols, lost millions of dollars because of a compiler-level bug in Vyper, the smart-contract language some of its pools are written in: in the affected Vyper versions the reentrancy locks the compiler was supposed to emit did not actually work.

That's how DeFi works: it operates entirely through smart contracts, which are just code. You don't have to trust anyone except the code itself. This principle is often referred to as "code is law."

But code is also vulnerable when it has bugs. Whether you're a user or a developer, do you rigorously inspect all the code you rely on, compiler included? Hardly.

So here’s the irony: when a code vulnerability is discovered,

Is it really a good idea to aggregate information related to how to execute a hack? Who should we trust? (source)

It circles back to establishing a chain of trust among individuals.

On the other hand, this level of bug “could have been caught with a unit test.”

There's a saying that "given enough eyeballs, all bugs are shallow." But the eyeballs don't show up by themselves; somebody still has to do the very hard work of actually looking.

Here’s another example, SQLite:

I'm going to write tests to bring SQLite up to the quality of 100% MC/DC, and that took a year of 60-hour weeks. That was hard, hard work. I was putting in 12-hour days every single day. (source)
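To make the two quotes above concrete (a bug that "could have been caught with a unit test", and why SQLite's 100% MC/DC bar is so much more demanding than ordinary coverage), here is an added example that is not from the post, from Curve, from Vyper or from SQLite. It uses a hypothetical access-control predicate with a deliberately planted bug (an `and` that became an `or`), shows that a two-test suite with 100% decision coverage never notices, and then derives an MC/DC test set from the intended logic, which does. The function names and the predicate are invented for illustration.

```python
"""Decision coverage vs. MC/DC on a small access-control predicate (constructed example)."""
from itertools import product
from typing import Callable, List, Tuple

Vector = Tuple[bool, ...]
Decision = Callable[..., bool]


def allow_reference(is_admin: bool, has_token: bool, token_expired: bool) -> bool:
    """Hypothetical spec: admins always pass; everyone else needs an unexpired token."""
    return is_admin or (has_token and not token_expired)


def allow_buggy(is_admin: bool, has_token: bool, token_expired: bool) -> bool:
    """Hypothetical buggy implementation: one `and` became `or`.
    Consequence: a caller with no token at all is accepted as long as
    `token_expired` is False, and an expired token is accepted too."""
    return is_admin or (has_token or not token_expired)


def decision_coverage_tests() -> List[Vector]:
    """Two vectors that drive the decision to True and to False.
    That is 100% decision (outcome) coverage, yet both vectors happen to
    agree on the buggy and the correct implementation."""
    return [(True, False, True), (False, False, True)]


def mcdc_tests(decision: Decision, n: int) -> List[Vector]:
    """Derive an MC/DC test set for `decision` over n boolean conditions.

    MC/DC requires, for every condition, a pair of test vectors that differ
    only in that condition and produce different outcomes, proving the
    condition independently affects the decision. We search exhaustively
    (fine for small n) and return the union of the chosen pairs, which for a
    well-formed decision has at most n + 1 vectors."""
    chosen = set()
    for i in range(n):
        found = False
        for vec in product((False, True), repeat=n):
            if vec[i]:
                continue  # each pair is visited once, from its False side
            flipped = vec[:i] + (True,) + vec[i + 1:]
            if decision(*vec) != decision(*flipped):
                chosen.update((vec, flipped))
                found = True
                break
        if not found:
            raise ValueError(f"condition {i} never independently affects the outcome")
    return sorted(chosen)


def run_suite(tests: List[Vector], impl: Decision, oracle: Decision) -> List[Vector]:
    """Run `impl` on every vector and return those where it disagrees with the
    oracle (i.e. the failing test cases)."""
    return [t for t in tests if impl(*t) != oracle(*t)]


if __name__ == "__main__":
    dc = decision_coverage_tests()
    print("decision-coverage suite:", dc)
    print("  failures against buggy impl:", run_suite(dc, allow_buggy, allow_reference))

    mcdc = mcdc_tests(allow_reference, 3)
    print("MC/DC suite derived from the spec:", mcdc)
    print("  failures against buggy impl:", run_suite(mcdc, allow_buggy, allow_reference))
```

The MC/DC set is derived from the reference (the intended logic), never from the implementation under test; deriving it from the buggy predicate would only prove that the bug is self-consistent. The vectors that fail are exactly the ones where a caller with no token, or with an expired one, gets through.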

Will DeFi developers and the industry learn the lesson? I hope they prioritize software quality over chasing short-term profits.

Your friend,

Denken
