Introducing Forta – a Web3 Approach to Securing the Open Economy
Forta | September 30, 2021
Forta is the first decentralized runtime security protocol for smart contracts, incubated by OpenZeppelin. Protocols, DAOs, investors and individuals can use Forta to monitor transaction activity and receive alerts on security, financial, operational and governance related events on Layer 1s, Layer 2s and sidechains.
Security is a continuous effort
Smart contract development and security practices have evolved a lot since Ethereum launched in 2015. Smart contract audits and reusable code libraries have become standard practice. However, as helpful as audits, code libraries and other techniques are in identifying or preventing bugs and vulnerabilities in code, there is a limit to their effectiveness. Once a smart contract is deployed on a blockchain, the risk profile changes. How the contract is managed (administration), how the contract interacts with other contracts (composability), and how the contract responds to unanticipated market events all become relevant and introduce new risk vectors. Put differently, the code can work and you can still have problems. Smart contract security requires a continuous effort, and post-deployment monitoring for threats and other issues is as important as the steps taken prior to deployment.
In Web 2.0, active monitoring and protection of live systems is called runtime security. There are very mature, centralized solutions that perform runtime security for applications, systems and networks today, but we don’t have comparable offerings for smart contracts running on decentralized networks…yet.
Incubating a Solution
Since 2015, OpenZeppelin has focused on making the smart contract development process as easy and secure as possible. Their smart contract library has enabled tens of thousands of developers to build assets and applications on Ethereum, and their industry-leading audits help eliminate bugs and vulnerabilities in code pre-deployment. Post-deployment, their Defender platform is now used by dozens of leading projects to automate smart contract operations. As they dove deeper into post-deployment security practices, they quickly realized a reliable, flexible runtime solution was needed.
After speaking with dozens of projects and analyzing the last 18 months of hacks, it became clear that (a) early detection could prevent or significantly minimize loss of funds and other issues, and (b) there were distinct advantages to a decentralized solution to the runtime problem. Based on those conclusions, OpenZeppelin developed a prototype. Over the last year this prototype evolved based on feedback and contributions from the early members of our community.
Today, we are excited to introduce Forta, the first decentralized runtime security protocol for the open economy.
Forta – the “security cameras and alarm system for the open economy”
The goal of Forta is to detect threats and other system critical issues in real time. Timely and useful information about the security and stability of their systems gives users an opportunity to react and take defensive action, preventing or minimizing losses and other issues.
The Forta Protocol has two main components – agents and nodes. Agents are pieces of logic (scripts) that look for certain transaction characteristics or state changes (e.g. anomaly detection) on smart contracts across any Layer 1, Layer 2, or sidechain. Nodes run agents against each block of transactions. When the agents detect a specific condition or event, the network emits an alert which is stored on IPFS and linked on a public blockchain. Forta will also maintain an automated public registry of all alerts, and anyone interested in the security of a contract can consume relevant alerts via the explorer or API.
There is value in the negative signal too – knowing that agents are running 24/7 and not triggering alerts. Forta will maintain an automated record of the agents run by each node, for each block.
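The agent and node model described above can be sketched as follows. This is an added illustration, not Forta's code or SDK: the class names, the `run_node` function, the transaction fields and the sample blocks are all hypothetical, and a SHA-256 digest stands in for the IPFS reference of a stored alert.

```python
import hashlib, json

# Constructed sample blocks (simplified transactions, not real chain data).
BLOCKS = [
    {"number": 100, "txs": [
        {"hash": "0xaa", "method": "withdraw", "value": 5},
        {"hash": "0xab", "method": "withdraw", "value": 7},
        {"hash": "0xac", "method": "transferOwnership", "value": 0}]},
    {"number": 101, "txs": [{"hash": "0xad", "method": "deposit", "value": 3}]},
    {"number": 102, "txs": [{"hash": "0xae", "method": "withdraw", "value": 900}]},
]

class AdminChangeAgent:
    """Flags administrative calls (illustrative method names)."""
    name = "admin-change"
    ADMIN_METHODS = {"transferOwnership", "upgradeTo"}
    def handle(self, tx):
        if tx["method"] in self.ADMIN_METHODS:
            return f"admin call {tx['method']}"

class OutflowAnomalyAgent:
    """Flags a withdrawal far above the running mean of earlier ones."""
    name = "outflow-anomaly"
    def __init__(self, factor=10):
        self.factor, self.seen = factor, []
    def handle(self, tx):
        if tx["method"] != "withdraw":
            return None
        baseline = sum(self.seen) / len(self.seen) if self.seen else None
        self.seen.append(tx["value"])
        if baseline is not None and tx["value"] > self.factor * baseline:
            return f"withdraw {tx['value']} exceeds {self.factor}x mean {baseline:.1f}"

def run_node(blocks, agents):
    """Run every agent on every transaction of every block."""
    alerts, coverage = [], {}
    for block in blocks:
        # Negative signal: record which agents ran, even if nothing fired.
        coverage[block["number"]] = [a.name for a in agents]
        for tx in block["txs"]:
            for agent in agents:
                finding = agent.handle(tx)
                if finding:
                    alert = {"block": block["number"], "tx": tx["hash"],
                             "agent": agent.name, "finding": finding}
                    # SHA-256 of canonical JSON stands in for a content address.
                    body = json.dumps(alert, sort_keys=True).encode()
                    alert["ref"] = hashlib.sha256(body).hexdigest()
                    alerts.append(alert)
    return alerts, coverage

if __name__ == "__main__":
    alerts, coverage = run_node(BLOCKS, [AdminChangeAgent(), OutflowAnomalyAgent()])
    print(json.dumps({"alerts": alerts, "coverage": coverage}, indent=2))
```

Block 101 produces no alert but still appears in the coverage record, which is what lets a consumer tell "monitored and quiet" apart from "not monitored".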
For a Web3 runtime security solution to be successful, it needs to be permissionless. The pace of innovation on public blockchains is exhausting. Every time a new protocol or contract is deployed, new risk vectors are introduced. No single company with a centralized solution can effectively address these evolving risks. A decentralized community-based approach that properly incentivizes stakeholders is the most effective and efficient way to cover the landscape of risk.
Forta is designed to be a public utility serving the DAO, DeFi and NFT ecosystems. This requires building an even more robust community of engineers, security professionals and infrastructure providers to develop useful agents, operate nodes, develop related products and services on top of or alongside Forta, and ultimately govern the protocol.
A growing number of developers and protocols are building and using Forta in private beta. These early contributors have provided valuable feedback that continues to improve the developer and user experiences. Beginning today, Forta will be onboarding a wider group of developers to build novel agents.
If you’re a developer interested in building agents, hop in the Forta Discord! If you’re a team interested in using Forta as part of your threat and issue detection capabilities, introduce yourself here! We are excited to work with you!
Securing blockchains and digital assets is a critical part of driving mainstream crypto adoption. As the world’s economy moves to decentralized systems, Forta’s end goal is to protect the world’s most valuable economic transactions.
We look forward to securing the open economy with you.