Cointime


MetaTrust: The Key to Web3 Security Is Vigilant and Continual Reassessment, Automatic Code Security Scanning Can Build the First Moat

Cointime Official

How to build a secure Web3?

Everything in Web3 is built on code, and one thing no Web3 developer can get around is code auditing. The same is true in Web2, but Web3 takes security a step further: a blockchain is a distributed ledger, and by its nature it carries financial attributes. If it's about money, it must be secure.

Web3 can be risky

According to reports from CertiK and SlowMist, crypto losses from attacks surged in 2022, reaching $2 billion in the first two quarters. In particular, flash loan attacks caused a $300 million asset loss in Q2. November became the worst month in DeFi history, as hackers stole $700 million in more than 12 DeFi protocol attacks in just two weeks. In addition, according to tweets from on-chain data service provider OKLink, hackers stole approximately $31 million from multi-chain wallet provider BitKeep on Dec. 27.

Fear has spread through the crypto world after a string of attacks. Code auditing that lags behind development continues to plague Web3 developers, while users are stuck in a dilemma: the technology is not keeping pace with the evolving attacks. Numerous hacks have already driven some people out of Web3 in frustration and fear, and worse, they could lead to economic collapse, leaving many more people without even the chance to become Web3 users. The crypto industry needs to be prepared for cyber-security crises now more than ever, and fortunately, that preparation is already under way.

MetaTrust breaks into Web3 security

MetaTrust provides automated code auditing services for Web3 builders, moving code auditing, which usually lags behind project development, forward to the earliest stage so that it covers the entire development lifecycle. Its "auditing as you develop" feature implements shift-left testing and security, helping builders identify vulnerable code at the earliest stages of the development lifecycle.

1. Builders clearly need code security tools. What is the specific size of your target audience?

According to Dr. Liu Yang, the co-founder of MetaTrust, the number of Web2 builders may reach 50 to 60 million. While Web3 is still in a very early stage, the number of Web3 builders is roughly 20k to 30k.

Many Web2 engineers are transitioning to Web3. In the next three years, the number of Web3 builders may grow to hundreds of thousands. MetaTrust hopes to work on code security at the earliest stage, thus we can build a proven and secure development methodology following the continuous development of Web3.

2. Each line of code is unique, and requirements in different development stages vary. How can automated scanning tools achieve both a smooth user experience and accurate code audits?

Liu Yang: We provide corresponding support for each phase of the development cycle, including project plan security assessments in the pre-development phase, secure package management tools and our code scanning tool MetaScan in the development stage, project contract security audit services in the post-development phase, and security monitoring in the post-launch phase.

MetaTrust not only provides comprehensive automated scanning services but also a toolchain for the entire development pipeline. Our scanning tool MetaScan includes four primary engines that cover code security across the full range: fast static code scanning, precise formal scanning, development supply chain security scanning, and IP analysis scanning. In addition, MetaScan can continuously and automatically strengthen software development security by integrating with CI/CD. The corresponding scans are performed every time code is submitted, providing builders with security support throughout the complete development lifecycle.

For a better user experience, MetaScan is used in just three steps: import, scan, and download, and a complete auditing report is ready in a few minutes. The report automatically integrates the scanning results of the four major engines, so users can verify project security from multiple dimensions, saving them time and learning costs.

To ensure auditing quality, we have hired a large number of talented auditors and research and development engineers to improve the accuracy of the scanning tools. MetaTrust has built a complete Web3 vulnerability classification standard, including 12 main vulnerability categories and more than 150 subdivided vulnerability types — each with a detailed definition. Based on this standard, an automated scanning rule is implemented for each type of vulnerability. Moreover, after comparing the results of automated scanning and manual auditing on the top 50 projects, we found that automated scanning audit reports can detect 20% more vulnerabilities than manual auditing while maintaining low false alarm and false negative rates (under 10%). Thus, we believe automated audits will definitely replace manual audits in the near future. This is the core competitiveness of MetaTrust.
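To make the "one automated scanning rule per vulnerability type" idea and the "scan on every commit" CI hook concrete, here is a small rule-based static scanner written for this article. It is an added illustration, not MetaScan or any MetaTrust code, and the category and type names, the heuristics and the sample contract are all constructed for the example; they are not MetaTrust's classification standard. Each rule is a detector for one subdivided type, the engine runs every registered rule over the source and tags findings with their category, and `ci_exit_code` turns the findings into a pass/fail status that a commit hook or CI job can act on.

```python
"""Toy rule-per-vulnerability-type scanner over Solidity source (constructed example)."""
import re
from dataclasses import dataclass
from typing import Callable, Iterator


@dataclass(frozen=True)
class Finding:
    category: str    # top-level category (constructed names, not MetaTrust's standard)
    vuln_type: str   # subdivided type inside the category
    line: int        # 1-based line in the scanned source
    snippet: str     # the offending line, trimmed


def _code_lines(src: str) -> Iterator[tuple[int, str]]:
    """Yield (line_no, code) with trailing // comments removed so rules never match prose."""
    for n, text in enumerate(src.splitlines(), start=1):
        yield n, text.split("//", 1)[0].strip()


def rule_tx_origin(src: str) -> Iterator[Finding]:
    """Authorization via tx.origin: an intermediary contract can satisfy it on a victim's behalf."""
    for n, code in _code_lines(src):
        if re.search(r"\btx\.origin\b", code):
            yield Finding("Access Control", "tx.origin authorization", n, code)


_EXTERNAL_CALL = re.compile(r"\.(call|send|transfer)\s*[{(]")
_LOW_LEVEL_CALL = re.compile(r"\.call\s*[{(]")
# identifier, optional index expressions, then an assignment operator (but not ==)
_STATE_WRITE = re.compile(r"^[A-Za-z_]\w*(\[[^\]]*\])*\s*(\+=|-=|=)(?!=)")


def rule_unchecked_call(src: str) -> Iterator[Finding]:
    """Low-level call whose boolean result is neither captured nor checked inline."""
    for n, code in _code_lines(src):
        m = _LOW_LEVEL_CALL.search(code)
        if not m:
            continue
        prefix = code[: m.start()]
        captured = code.startswith(("(bool", "bool ", "require(", "if (")) or "=" in prefix
        if not captured:
            yield Finding("Error Handling", "unchecked low-level call", n, code)


def rule_state_write_after_call(src: str) -> Iterator[Finding]:
    """Reentrancy heuristic: storage is updated after an external call inside the same function."""
    after_call = False
    for n, code in _code_lines(src):
        if code.startswith("function "):
            after_call = False          # new function body: reset the state machine
        elif _EXTERNAL_CALL.search(code):
            after_call = True
        elif after_call and _STATE_WRITE.match(code):
            yield Finding("Reentrancy", "state change after external call", n, code)


# One registered detector per subdivided vulnerability type.
RULES: dict[str, Callable[[str], Iterator[Finding]]] = {
    "tx.origin authorization": rule_tx_origin,
    "unchecked low-level call": rule_unchecked_call,
    "state change after external call": rule_state_write_after_call,
}


def scan(src: str) -> list[Finding]:
    """Run every registered rule and return the findings ordered by source line."""
    findings = [f for rule in RULES.values() for f in rule(src)]
    return sorted(findings, key=lambda f: (f.line, f.vuln_type))


def ci_exit_code(findings: list[Finding],
                 blocking: frozenset[str] = frozenset({"Reentrancy", "Access Control"})) -> int:
    """Status for a commit hook or CI job: non-zero when a blocking category is present."""
    return 1 if any(f.category in blocking for f in findings) else 0


# Constructed sample contract containing one instance of each pattern (not a real project).
SAMPLE = """pragma solidity ^0.8.0;
contract Vault {
    mapping(address => uint256) public balances;
    address public owner;

    function setOwner(address o) external {
        require(tx.origin == owner, "not owner"); // phishable check
        owner = o;
    }

    function withdraw(uint256 amount) external {
        require(balances[msg.sender] >= amount);
        (bool ok, ) = msg.sender.call{value: amount}("");
        balances[msg.sender] -= amount; // written after the external call
    }

    function payout(address payable to, uint256 amount) external {
        to.call{value: amount}("");
    }
}
"""

if __name__ == "__main__":
    results = scan(SAMPLE)
    for f in results:
        print(f"L{f.line:<3} [{f.category} / {f.vuln_type}] {f.snippet}")
    raise SystemExit(ci_exit_code(results))
```

Run as a script it prints three findings (lines 7, 14 and 18 of the sample) and exits non-zero, which is the behaviour a CI step wants so that a commit carrying a blocking finding cannot merge. The rules are deliberately line-local heuristics; a production engine of the kind the interview describes would work on an AST or control-flow graph, and the false-positive rate of such text patterns is exactly why a classification standard with per-type definitions matters.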

3. How do you solve open-source security risks?

Liu Yang: Open source is the core spirit for many Web3 builders. Open-source components are widely used, and the proportion of open-source code in a project can reach 60% to 90%. When a large number of open-source components are used, there is a possibility of inheriting security issues or infringing on IP. To solve this problem, MetaTrust provides an automated open-source security scanning engine that identifies open-source components and their built-in security issues, plus code repair suggestions. In addition, MetaTrust created the concept of a secure package manager (MPM): we provide a secure package manager for open-source components, which must first have passed our audit and verification. MPM can solve open-source security risks in the pre-development phase. The product is scheduled to launch in Q1 of 2023.
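The two halves of that answer, identifying the open-source components a project pulls in and checking them against known issues, and gating installs on a verified set of packages, are what a software composition analysis step does. The following is an added example written for this article, not MetaTrust's engine or MPM: it inventories components from an npm-style lockfile, matches them against an advisory list, and reports anything outside a verified allowlist. The lockfile, package names, advisory identifiers and allowlist are all constructed placeholders.

```python
"""Toy software composition analysis over a constructed npm-style lockfile."""
import json
from dataclasses import dataclass


def parse_version(v: str) -> tuple[int, ...]:
    """'1.2.3' -> (1, 2, 3); a pre-release suffix such as '-beta' is dropped in this example."""
    core = v.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str     # first affected version (inclusive)
    fixed: str          # first fixed version (exclusive upper bound)
    advisory_id: str    # constructed placeholder, not a real identifier

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        return parse_version(self.introduced) <= v < parse_version(self.fixed)


def components_from_lockfile(lock_json: str) -> dict[str, str]:
    """Inventory name -> version from the 'packages' map of an npm package-lock."""
    data = json.loads(lock_json)
    inventory: dict[str, str] = {}
    for path, meta in data.get("packages", {}).items():
        if not path:                    # "" is the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]   # keeps scoped names like @org/pkg
        inventory[name] = meta["version"]
    return inventory


@dataclass(frozen=True)
class Report:
    known_vulnerable: list   # (name, version, advisory_id, remediation)
    unverified: list         # components not on the verified (name, version) allowlist


def assess(inventory: dict[str, str], advisories: list, verified: set) -> Report:
    """Match the inventory against advisories and the verified-package allowlist."""
    vulnerable = []
    for adv in advisories:
        ver = inventory.get(adv.package)
        if ver is not None and adv.affects(ver):
            vulnerable.append((adv.package, ver, adv.advisory_id, f"upgrade to >= {adv.fixed}"))
    unverified = sorted(n for n, v in inventory.items() if (n, v) not in verified)
    return Report(sorted(vulnerable), unverified)


# Constructed lockfile with fictitious package names.
SAMPLE_LOCK = json.dumps({
    "name": "demo-dapp",
    "packages": {
        "": {"version": "0.1.0"},
        "node_modules/example-token-lib": {"version": "2.0.0"},
        "node_modules/example-math": {"version": "1.3.2"},
        "node_modules/example-signer": {"version": "0.9.0"},
    },
})

# Constructed advisories; the ids are placeholders, not real advisory numbers.
ADVISORIES = [
    Advisory("example-math", introduced="1.0.0", fixed="1.4.0", advisory_id="EXAMPLE-ADV-001"),
    Advisory("example-token-lib", introduced="2.1.0", fixed="2.1.3", advisory_id="EXAMPLE-ADV-002"),
]

# Constructed allowlist standing in for "packages that passed audit and verification".
VERIFIED = {("example-token-lib", "2.0.0"), ("example-math", "1.4.0")}


if __name__ == "__main__":
    report = assess(components_from_lockfile(SAMPLE_LOCK), ADVISORIES, VERIFIED)
    for name, ver, adv_id, fix in report.known_vulnerable:
        print(f"VULNERABLE {name}@{ver} ({adv_id}): {fix}")
    for name in report.unverified:
        print(f"UNVERIFIED {name}: not on the audited allowlist")
```

On the constructed input the report flags `example-math@1.3.2` against the placeholder advisory with an upgrade suggestion, and lists `example-math` and `example-signer` as unverified because neither exact (name, version) pair is on the allowlist; `example-token-lib@2.0.0` passes both checks because its version is below the advisory's introduced bound. Matching on exact version pairs, rather than names alone, is what lets an allowlist act as a pre-development gate.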

4. Does the "full development life cycle" include the post-launch phase? What security services are provided for non-engineers? What are the billing standards?

Liu Yang: 7x24 dynamic monitoring is a key feature of MetaScout — another MetaTrust product. MetaScout is a dynamic, real-time smart contract security monitoring platform. It offers a complete solution by combining automatic scanning in the development stage with dynamic monitoring in the post-launch stage. In addition, MetaScout's real-time monitoring feature will focus on newly launched hot projects. Once potential vulnerabilities and security risks are identified, it will "broadcast" a warning to all Web3 participants as early as possible.

MetaScan is a SaaS product. A 14-day free trial is available for the MetaScan community version, in which developers can use the static engine and the development supply chain engine for project scanning. We hope MetaScan will be used by as many developers as possible, so that we can continuously optimize and upgrade our product and services based on feedback from developers and the market. A paid version of MetaScan is also available, with monthly or yearly subscriptions. The paid version includes the complete set of four primary engines and product features such as professional report generation and export. It is mainly billed per month and depends on the amount of code. Currently, MetaScan offers three primary pricing tiers — $599 per month, $799 per month, and $999 per month, with a 10% discount for annual subscriptions. Bonus manual audit services are also provided for annual subscriptions: 1 x manual audit service is included in the $599/month package, 2 x manual audit services in the $799/month package, and 3 x manual audit services in the $999/month package.

Each additional manual auditing service is a standalone payment of $2499.

5. Can you tell us more about MetaTrust's team and fundraising plans? Any thoughts on an ICO?

Liu Yang: MetaTrust is a technology- and research-based start-up company. Our co-founders and key team members are top cyber-security professors. We are highly confident in our research and development competence.

We have completed a seed round of around ten million US dollars. Investors include M23, Redpoint Ventures, ABCDE Capital, Longhash, Hash Global, SNZ, Yunqi Capital, GGV, Fellows Fund, Aimtop Ventures, and many other well-known venture capital firms.

Four products are scheduled to launch in Q1 of 2023, and we will look for the next round of funding after reaching our revenue and profit goals. Our top priority at the current stage is to focus on building, to ensure product delivery in full and on time.

Building a security development community is one of our future plans. We wish to incentivize engineers to get more involved in open-source programs through our ecosystem and collaboration tokens. R&D contributions can be directly pegged to token rewards: the more you contribute, the higher the value of the token rewards you receive. This mechanism will promote security development across the whole open-source world and achieve a closed loop of value generation and economic return.

Conclusion

Outstanding research and development capabilities are the DNA of MetaTrust. Blockchain security is an industry with high barriers to entry; we chose to break into the market with SaaS products that focus on high accuracy and ease of use and cover the entire life cycle of project development.

However, taking responsibility for code is far from enough for Web3 security. The most urgent problem in Web3 is to build new industry consensus standards and programming paradigms in this fast-growing industry. Security feedback can refine best practices for Web3 and improve the security of code development in the future. Whether this valuable security feedback data and these solutions can be made fully open source still depends on MetaTrust's future choices.

In addition, apart from individual developers, most of MetaTrust's clients are project stakeholders. Disclosure of a fatal vulnerability could mean the instant death of a thriving project. When dealing with clients who "refuse to disclose potential risks", and with the constraints of service terms, can MetaTrust still keep faith with defending the security of Web3? Time will tell.
