Smart contract auditing is becoming even more important with the advent of decentralized finance. This is where companies like HashEx enter the picture. HashEx has provided smart contract auditing for over 500 projects to date, and the company helps secure DeFi protocols. The vulnerabilities the company has found in smart contracts have saved projects more than $2 billion.
Bitcoinist sat down with HashEx CEO Dmitry Mishunin to talk about the company’s work in the space. Founded in 2017, HashEx boasts an impressive track record in the DeFi space. Mishunin told Bitcoinist about his work in the cybersecurity space, working with smart contracts, and HashEx’s most recent audit, the KODA smart contract.
Bitcoinist: How did you get into cybersecurity?
Dmitry Mishunin: I did software development for ten years for different companies. Mostly, I worked with a small team of engineers putting together complex solutions. We never did websites or mobile applications. We always created something complicated. Our clients were big Russian IT companies and when they had a lack of internal development teams and they had interesting projects to run like Big Data and analytics tools, they came to us and asked to do it. Before HashEx, we had at least five years of outsourcing our services.
Something interesting to mention here is that I worked as a CIO in three e-commerce companies in Russia and there is always a war between the CIO and the CSO because the CIO wants to optimize all the processes, implement new solutions, introduce new software to run faster, and all of this is a potential security risk for a security officer. So you always have some conflict there. At that time, I was on a different line of battle. When I started working on cybersecurity in blockchain, I think the main point was not the security itself but investors and investors’ funds.
Bitcoinist: With your background, you could have gone into any part of the cybersecurity sector. Why did you choose smart contracts auditing?
Dmitry Mishunin: In mid-2013 or 2014, I got into Bitcoin mining. I tried to mine Bitcoin. Then I turned my focus to Litecoin. I built some farms. Then I shifted focus to mining software and mining monitoring systems. When Ethereum was introduced, I already had some experience with blockchains and the technology itself.
In 2017, with the first ICO boom, we decided to stop outsourcing our development activities for different directions and focused only on Ethereum smart contracts. We worked on it for a year, from 2017 to 2018. We did about 100 different projects, smart contracts, and decentralized applications, gaining good skill and knowledge on how Ethereum, Solidity, and smart contracts worked. Our clients’ requests changed from code requests to consulting to make sure their codes are safe. We started as a real auditor. We changed our main job from code writing to code inspecting, and then to code auditing.
I had broad experience with the stock markets like the Nasdaq and the Russian stock market. So I understood how important it was to keep your funds safe. Not from thieves alone, but bad investment decisions too. We were thinking about how to gain trust in a trustless space. This was much more important to us than cybersecurity.
Before going into blockchain, I had countless opportunities to become a security officer, maybe start a company that does penetration testing and finding security leaks. I was not interested in this sphere. However, when it came to blockchain investments and blockchain projects and the high risk associated with the space, I was excited about how we could make it safer, how we could help people safely take advantage of the opportunities this field presented.
Bitcoinist: Your company HashEx has audited over 500 smart contracts. Can you talk about some of your most challenging projects?
Dmitry Mishunin: Sometimes we’re faced with big projects with a massive codebase. In September, we conducted an audit of Trader Joe’s lending protocol that is built on Avalanche. They had forked C.R.E.A.M Finance, which has been hacked several times with hundreds of millions of dollars stolen. By forking C.R.E.A.M, they had also inherited the vulnerabilities of the network. So they came to us to do an audit of the codebase. It was huge.
A smart contract audit usually takes 5-7 business days to complete. But it took us over a month to complete the audit of the Trader Joe’s protocol. We had to bring in more auditors on the project. We couldn’t do it with our standard approach of two auditors on the project. We had a supervisor auditor between two small teams of auditors. This was one of the most complicated projects we have worked on.
Bitcoinist: HashEx recently audited the KODA smart contract. Can you talk about the project?
Dmitry Mishunin: We started working with them this summer. We’ve had at least two or three smart contracts from them, the first of which we got in the summer. Then they released the second version of KODA. They changed it many times because they were trying to adjust it for market needs. KODA is an interesting project because behind it, there is an entrepreneur, James Gale, who is very good at what he does. I think someone like this is good for a project like KODA. He has a real-world business in Great Britain, and his business experience is important for them.
Bitcoinist: What risks did you uncover in the KODA smart contract during the course of your audit?
Dmitry Mishunin: As far as I remember, KODA is an RFI forked token and most of them are just trying to fork each other. This causes them to have many opportunities for backdoor breaches. One of the biggest RFI projects is Safemoon, which reached more than $2 billion in capitalization. We performed an audit for them over the summer and found some backdoor insights. They had about 10 vulnerabilities and these vulnerabilities were risky when these projects began to interact with one another.
We published an article that was published in prominent crypto publications. We revealed how the Safemoon team could steal about $20 million of investors’ funds. The project had had about ten prior audits and no one had found this vulnerability. When KODA went to market, they had forked the same code as Safemoon, so they had the same backdoor.
We revealed the vulnerabilities to the KODA team and they fixed the ability to steal funds through this backdoor. Now, I think the project is pretty good.
Bitcoinist: Subsequent to finding these vulnerabilities in the smart contract, how did you improve the security of the smart contract?
Dmitry Mishunin: When we perform an audit, we send a preliminary report to the team. We send over our recommendations and suggestions and the team will follow them in their code. They then send us the next version of the codebase. We recheck for issues and make sure that there are no more vulnerabilities in the code. As far as I remember, we passed KODA with a good audit result. There were some minor issues but I don’t think it’s a big deal not to work with it.
Bitcoinist: With the audit successfully completed, how confident are you in the future of the KODA project?
Dmitry Mishunin: If we’re talking about the tech side, as the smart contract, I am 100% confident in the project.
Bitcoinist: Where do you see the DeFi industry in the next, say, five to ten years?
Dmitry Mishunin: I think it will be bigger than the current banking industry. We are seeing many institutional investors and major companies like Microsoft and Facebook all entering the space. It’s very easy to use. I think traditional finance sectors like banking, loaning, lending, and more will be transformed by decentralized finance (DeFi).