EthCC: Vitalik Buterin lays out ways to test if a crypto firm is hack-proof and decentralized

At the EthCC, Vitalik Buterin mentions a number of tests that can be used to prove whether a company in the crypto space is truly secure and durable enough to withstand various attacks.

During his speech at the Ethereum Community Conference or EthCC, Ethereum (ETH) co-founder Vitalik Buterin highlights several ways users and builders alike can judge whether a crypto firm is truly as secure and decentralized as they claim to be.

The first test he mentioned was the “walkaway test,” which involved the question of whether users’ assets are still safe if the company and all its servers were to suddenly dissolve. The main benefit of being on-chain means that user assets are inherently safe because they are not all held on one server.

“This is like the most baseline thing that you should be trying to get out of your assets being on-chain instead of your assets being on a server,” said Buterin at the EthCC.

He referred to the “privvy embedded wallets” as an example of good security, as they grant users the ability to export their key into another wallet instead of only keeping it in one.

Another example he mentioned was Farcaster, a decentralized social media protocol built on blockchain technology that gives users the option to choose a backup address such as an Ethereum account be the basis for the social media account.

“The reason why this is amazing is because they’re for fulfilling the goal of decentralization, not just as a thing that they say they have because they’re on-chain,” said Buterin.

The next test is something he calls the “insider attack test,” which poses the scenario that if a company gets hacked by an insider employee or the founder himself, how much damage will they be able to get away with?

During his EthCC speech, Buterin said that builders need to evaluate the weak points in the system not just from an outsider point of view, but from an insider’s. These weak points can range from smart contracts, the UI, the oracle to the top governance token holders.

“A lot of projects in the ecosystem, I think, have been doing a great job of seriously thinking about these issues. But it’s something that we really need to insist on much more as a first-class property,” said Buterin at the EthCC.

Another test to consider is the trusted computing base test. Buterin asks the EthCC audience to consider just how many “lines of code are you trusting not to rug you.” Essentially, the fewer trusted lines there are, the more secure the system is. He believes it is fine for a system has millions of lines of code. The same goes for if the majority of codes are sandboxed or restricted from performing critical actions.

However, if the TCB is bloated beyond what anyone can realistically audit, then even systems that claim to be trustless are only trust-based in practice.

Lastly, Buterin asked builders to “analyze the properties of the game” that a system creates. He warned that even if a protocol is designed to be decentralized and neutral, it can still end up being centralized if it incentivizes convenience through centralized solutions, much like how Web1 evolved into Web2.

Therefore, he declared that without good decentralized backup solutions, users tend to drift toward centralized providers for convenience, negating the benefits of decentralization entirely.