A Must-Read for DeFi Entrepreneurs: How to Create a Comprehensive and Efficient Audit Strategy


A Guide to Auditing for DeFi Entrepreneurs: How to Choose a Security Auditor and Establish an Effective "Audit Perspective"

In the cryptocurrency industry, audits are crucial for ensuring the integrity and security of projects. Observations show that some leading projects like Lido and Compound invest heavily in audits, often reaching seven-figure dollar amounts, and frequently hire multiple auditing firms to review the same batch of product code.

This reflects, on one hand, that leading projects in DeFi have received substantial returns since the summer, with sufficient funds continuously invested to build deeper competitive barriers. On the other hand, it also demonstrates an important aspect of auditing to other projects and entrepreneurs in the industry: the auditing process is not simply a "pay-hire-report-promote" workflow, but should involve a complete "audit perspective" and methodology. Project teams need to consider which products require auditing, how to select vendors, how to ensure the effectiveness of the auditing work, and how to complete the auditing work in the most cost-effective and secure manner.

This article will explore what an ideal "audit perspective" should look like from the perspective of practical entrepreneurship and project operation.

DeFi Entrepreneurs' Experience: How to Choose a Security Auditor and What Kind of "Audit Perspective" to Have

Overview of Security Service Providers

In the past 2-3 years, the number of available audit service providers has seen explosive growth, with about 15-20 commonly seen providers in the market. Based on experience and communication with peers, considering reputation, technical capability, and coverage completeness, some providers such as Peckshield, SlowMist, Trail of Bits, and OpenZeppelin can be regarded as the top tier.

Overall, suppliers with a Chinese background are still the preferred choice for Chinese projects in the crypto industry, mainly because of real-time communication and language convenience. Their pricing is also relatively reasonable, usually ranging from $12,000 to $15,000 per person per week, and may fluctuate with the market's off-peak and peak seasons. In contrast, overseas suppliers have lower recognition among Chinese projects, but because of brand premium, founding-team resources, or technical capability, their pricing is typically 1.5 to 2 times higher. Some overseas suppliers can even secure very large orders; for example, a certain platform once hired OpenZeppelin for auditing at a price exceeding one million dollars in a single quarter.

In addition to traditional audit vendors, there is a type of "white hat community" service provider, such as certain bug bounty platforms. This model is a mature business in the traditional security field and has emerged in the crypto industry in the past two years. Project parties publish the modules they wish to have audited on the platform (front end, back end, smart contracts, etc.), define the severity levels of bugs and the corresponding bounties, and thereby attract "white hat hackers" to actively report issues. This can serve as a useful supplement to traditional audits, but it requires project parties to accurately define bug classification, severity, and coverage, and to offer reasonable bounties.

Audit Process, Methodology and Cost Control

For project parties, it is necessary to prepare the following before requesting the auditor's review for the first time:

  1. Ensure that at least two rounds of internal testing have been conducted, and if possible, it is best to conduct an additional round of community testing to avoid paying for obvious issues.

  2. Package the code according to project milestones as much as possible and deliver it for auditing in one go to control costs.

  3. Ensure that the contact person understands the overall operating principles of the product, the approximate amount of code, and the distribution of main modules, to avoid unclear communication of requirements during the initial setup phase.

  4. Compare the schedules of different suppliers and consider paid schedule locks for important product milestones.

Although there are many vendors in the market, the scheduling differences among them are significant. It is recommended to send evaluation requests to at least 3 auditors for the same piece of code to obtain scheduling, pricing, and workload assessments. For important product milestones, it is suggested to prepay 30%-50% of the fees to lock in the schedule so that progress is not affected. Typically, Chinese vendors recommend booking 2-4 weeks in advance, while overseas vendors require at least 1 month in advance.

After confirming the schedule and quotation, the project code is delivered to the auditor for review. During the process, the responsible auditor will discuss any questions with the project party. The project liaison is responsible for maintaining good communication with the auditor and ensuring:

  1. The audit progress is proceeding on schedule.
  2. The initial audit report is reviewed by at least two technical personnel from the project team in a cross-review, and then confirmed with the auditor whether it is finalized.
  3. Establish a group chat channel between the key technical personnel of the project, product personnel, and the auditors who actually conduct code reviews.
  4. Pay attention to security incident reports published by other auditors and actively communicate with auditors about any potential related issues.

The project team needs to have a clear position and retain control rights to a moderate extent.

Audit firms mainly focus on code quality, logic, and security, and rarely involve the correlation between code and business. Sometimes, adjusting code logic or security may affect business logic.

For key modules such as contract permission upgrades, fee adjustments, and token issuance, from the perspective of early business development, it is actually necessary for core members of the project team to be able to control them individually. This allows for timely adjustments in response to market changes or sudden security incidents, rather than blindly pursuing multi-signature control, which can affect the project's ability to respond in times of crisis.

The reasonable retention of "backdoors" or "super permissions" not only concerns the project itself but may also affect the survival of the entire industry. Imagine if certain exchanges did not take emergency measures, certain stablecoins did not pause redemptions, and certain public chains did not perform "chain maintenance"; the current state of the industry could be very different.

Continuous communication and sharing promote long-term security

The services of auditors can identify problems but cannot guarantee 100% security; security incidents can happen at any time. On one hand, project parties need to proactively communicate with auditing companies about how incidents will be handled, with remedies that may include compensation, a free second audit, refunds, and so on. On the other hand, the discovery and repair of each security vulnerability is related to the progress of the entire industry. Where no critical business interests are at stake, all project parties are encouraged to publicly review similar issues together with auditing companies, which helps the industry share higher security standards and can reduce the auditing costs of each project in the long run.

The project's decision-making body should possess a hacker mentality and value the power of the community.

Auditing is a long-term battle for funds and an important barrier in project competition. On one hand, continuous investment should be made between each product milestone to hire well-known and reliable external auditors to cover potential security vulnerabilities. On the other hand, the power of the community should also be valued, encouraging the white hat community to participate in the project's security construction.

The author successfully invited a community white hat member with a bounty of about $30,000 to help debug and fix a contract managing millions of dollars in funds.

In addition, making use of mature, proven contracts as much as possible, rather than building something novel, is also an effective way to reduce costs and increase efficiency.

Conclusion

The entrepreneurial threshold in the cryptocurrency industry has significantly increased, with millions of dollars in funding not being uncommon in the current market. From the previous discussion, it can be seen that it is very difficult to truly support a reliable, secure, and stable decentralized application, and even the top applications in the industry cannot guarantee absolute security.

Therefore, from the perspective of cost control, each startup project should embed existing mature facilities as much as possible when choosing contracts and models, avoiding reinventing the wheel. Common categories such as decentralized exchanges, lending platforms, yield aggregators, liquidity staking, and re-staking, as well as derivatives trading and synthetic assets, have a number of mature and usable infrastructures for new projects to reuse and nest. This not only reduces the project's security costs but also effectively enhances the project's own security, ensuring that system security evolves with the upgrades of the reused objects.

From an overall industry perspective, achieving comprehensive safety requires the joint efforts and contributions of all market participants.

For auditors: 1) they need to guard against possible tricks from project parties, such as submitting a different code version for the audit than the one that actually goes live. It is recommended to verify the actual code version again after the project is officially deployed. 2) They can consider exploring a model combined with insurance, providing a compensation mechanism for security incidents to clients purchasing large services and protecting the rights and interests of project parties. 3) They should widely publish audit cases and debugging experiences. The audit industry is similar to the medical industry: overall progress relies on long-term investment in technology research and development, as well as the accumulation of cases. From this perspective, the "public relations-style audit" often joked about by users is also a driving force for industry progress, at least allowing more audit cases to be shared across the industry.
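The post-deployment check recommended above (confirming that the code actually on chain is the code that was audited) can be made mechanical. The following is an added example, not code from the article or from any auditing firm: it compares the audited runtime bytecode with the deployed runtime bytecode, and distinguishes a real logic change from a difference confined to the CBOR metadata trailer that solc appends (which changes whenever the source is rebuilt, even from identical logic). The bytecode strings are constructed placeholders, not real contract code; in practice the deployed bytes would be fetched with an `eth_getCode` RPC call, which this example assumes but does not perform.

```python
import hashlib

# Constructed sample bytecode (not real contract code): a short EVM prologue stands in
# for the audited logic, followed by a solc-style CBOR metadata trailer.
# solc ends runtime bytecode with CBOR metadata plus a 2-byte big-endian length of
# that CBOR part (the two length bytes themselves are not counted).
AUDITED_LOGIC = "6080604052348015600f57600080fd5b50"
TRAILER_BUILD_A = "a1616263" + "0004"   # 4 placeholder CBOR bytes + length 4
TRAILER_BUILD_B = "a1646566" + "0004"   # same logic rebuilt: only the metadata differs

AUDITED_RUNTIME = "0x" + AUDITED_LOGIC + TRAILER_BUILD_A
REBUILT_RUNTIME = "0x" + AUDITED_LOGIC + TRAILER_BUILD_B
# One opcode changed in the logic section: this is what a silent post-audit edit looks like.
TAMPERED_RUNTIME = "0x" + AUDITED_LOGIC.replace("600080fd", "600080fe") + TRAILER_BUILD_A


def to_bytes(code_hex: str) -> bytes:
    """Accept hex with or without a 0x prefix."""
    code_hex = code_hex.strip()
    if code_hex.lower().startswith("0x"):
        code_hex = code_hex[2:]
    return bytes.fromhex(code_hex)


def strip_metadata(runtime: bytes) -> bytes:
    """Drop the CBOR metadata trailer so two builds of identical source compare equal.
    If the declared trailer length is implausible, return the code unchanged."""
    if len(runtime) < 2:
        return runtime
    meta_len = int.from_bytes(runtime[-2:], "big")
    if meta_len == 0 or meta_len + 2 > len(runtime):
        return runtime
    return runtime[: -(meta_len + 2)]


def fingerprint(code: bytes) -> str:
    """Stable label for the report. SHA-256 is used only as an offline fingerprint;
    it is not EXTCODEHASH (which is keccak-256)."""
    return hashlib.sha256(code).hexdigest()


def verify_deployment(audited_hex: str, onchain_hex: str) -> dict:
    """Compare audited runtime bytecode with deployed runtime bytecode.
    Verdicts:
      MATCH                  byte-for-byte identical
      MATCH_EXCEPT_METADATA  same executable code, only the solc metadata trailer differs
      MISMATCH               the executable code differs from what was audited
    """
    audited = to_bytes(audited_hex)
    onchain = to_bytes(onchain_hex)
    if audited == onchain:
        verdict = "MATCH"
    elif strip_metadata(audited) == strip_metadata(onchain):
        verdict = "MATCH_EXCEPT_METADATA"
    else:
        verdict = "MISMATCH"
    return {
        "verdict": verdict,
        "audited_fingerprint": fingerprint(strip_metadata(audited)),
        "onchain_fingerprint": fingerprint(strip_metadata(onchain)),
    }


if __name__ == "__main__":
    for label, deployed in [("same build", AUDITED_RUNTIME),
                            ("rebuilt", REBUILT_RUNTIME),
                            ("tampered", TAMPERED_RUNTIME)]:
        print(label, verify_deployment(AUDITED_RUNTIME, deployed)["verdict"])
```

A MATCH_EXCEPT_METADATA verdict should only be accepted when the rebuild can be reproduced from the audited commit with the same compiler settings; otherwise treat it as a MISMATCH. For upgradeable proxies the same comparison must be run against the implementation address, not the proxy, and repeated after every upgrade.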

For users: 1) they should separate hot and cold wallets, use dedicated wallet addresses for different DeFi applications, regularly revoke unknown token approvals, and avoid interacting with airdropped tokens of unknown origin. 2) High-net-worth users should develop the habit of regularly checking the security incident reports published by the various auditing firms and remain vigilant against common security risks.

Comments

ValidatorVikingvip · 15h ago
battle-tested protocols > shiny new toys... just another stake warrior keeping your nodes secure

GateUser-2fce706cvip · 15h ago
Three years ago, I predicted the DeFi explosion. Don't say I didn't remind you all to lay out your plans quickly.

ZkProofPuddingvip · 15h ago
Playing armchair strategist again.

GateUser-afe07a92vip · 16h ago
Having money means being willful