Morpho Blue is a lending protocol that took security extremely seriously from the ground up, so their perspective on how to make a protocol unhackable is genuinely interesting.
For their security framework, they have 4 different parts:
- Pre-Build
- Build & Test
- Pre-Deployment
- Post Deployment
During the pre-build phase, their goal was to make the protocol as simple and feature-minimal as possible. Simple things are easier to secure! They built threat models and had long debates about which functionality belonged in the protocol and which didn't. Different PoCs were written during this phase as well.
Now for the most important part: building and testing. Once they had clear business objectives, they set out to build the final version. To catch bugs early, they wrote unit and integration tests, aiming to cover every branch of the code. To structure and measure that coverage, they use BTT (the Branching Tree Technique, which derives one test per branch from a tree of the code's conditions) and forge coverage.
To make the tests themselves stronger, one can run mutation testing tools such as Gambit or vertigo-rs, which inject small changes into the contract code and check that the test suite catches them. They implemented fuzz tests with Foundry as well. At Morpho Labs there is a protocol team and an integration team; the integration team handles reviews and some of the tests. Every developer reviews every smart contract that will be deployed, which is crazy!
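To show what the branch-per-test, fuzz and invariant layers look like in practice, here is an added Foundry test file. It is example code written for this summary, not Morpho Blue's code or tests: the `Ledger` contract, the `LedgerHandler`, and the actor addresses are all hypothetical. The one invariant it checks is the kind of accounting property a lending protocol cares about: the sum of every user's balance must always equal the contract's recorded total.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Test.sol";

// Hypothetical minimal ledger (not Morpho Blue code): per-user balances plus a
// running total. The invariant under test: sum(balanceOf) == totalSupplied.
contract Ledger {
    mapping(address => uint256) public balanceOf;
    uint256 public totalSupplied;

    function deposit(uint256 amount) external {
        require(amount > 0, "zero amount");
        balanceOf[msg.sender] += amount;
        totalSupplied += amount;
    }

    function withdraw(uint256 amount) external {
        require(amount <= balanceOf[msg.sender], "insufficient");
        balanceOf[msg.sender] -= amount;
        totalSupplied -= amount;
    }
}

// Handler the invariant fuzzer drives with random inputs. Bounding inputs
// (rather than discarding them with vm.assume) avoids wasted reverting runs
// while still reaching both branches of each function.
contract LedgerHandler is Test {
    Ledger public ledger;
    address[] public actors; // hypothetical users

    constructor(Ledger _ledger) {
        ledger = _ledger;
        actors.push(address(0x1));
        actors.push(address(0x2));
        actors.push(address(0x3));
    }

    function deposit(uint256 actorSeed, uint256 amount) external {
        address actor = actors[actorSeed % actors.length];
        amount = bound(amount, 1, 1e24);
        vm.prank(actor);
        ledger.deposit(amount);
    }

    function withdraw(uint256 actorSeed, uint256 amount) external {
        address actor = actors[actorSeed % actors.length];
        amount = bound(amount, 0, ledger.balanceOf(actor));
        if (amount == 0) return;
        vm.prank(actor);
        ledger.withdraw(amount);
    }

    function actorCount() external view returns (uint256) {
        return actors.length;
    }
}

contract LedgerTest is Test {
    Ledger ledger;
    LedgerHandler handler;

    function setUp() public {
        ledger = new Ledger();
        handler = new LedgerHandler(ledger);
        // Restrict the invariant fuzzer to the handler's functions.
        targetContract(address(handler));
    }

    // Branching-tree style unit tests: one test per branch of withdraw.
    function test_withdraw_RevertWhen_AmountExceedsBalance() public {
        ledger.deposit(10);
        vm.expectRevert("insufficient");
        ledger.withdraw(11);
    }

    function test_withdraw_WhenAmountWithinBalance() public {
        ledger.deposit(10);
        ledger.withdraw(4);
        assertEq(ledger.balanceOf(address(this)), 6);
        assertEq(ledger.totalSupplied(), 6);
    }

    // Stateless fuzz test: forge supplies random amounts for each run.
    function testFuzz_depositThenWithdrawAll(uint256 amount) public {
        amount = bound(amount, 1, type(uint128).max);
        ledger.deposit(amount);
        ledger.withdraw(amount);
        assertEq(ledger.totalSupplied(), 0);
    }

    // Stateful invariant: must hold after any random sequence of handler calls.
    function invariant_totalEqualsSumOfBalances() public view {
        uint256 sum;
        for (uint256 i = 0; i < handler.actorCount(); i++) {
            sum += ledger.balanceOf(handler.actors(i));
        }
        assertEq(sum, ledger.totalSupplied());
    }
}
```

Run it with `forge test`, then `forge coverage` to confirm both branches of `withdraw` (the revert and the success path) are hit. A mutation tool such as Gambit would then, for instance, flip `<=` to `<` in the `require` and check that `test_withdraw_WhenAmountWithinBalance` or the invariant fails; if nothing fails, the suite has a gap even though coverage reports 100%.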
While still in the build/test stage, they had formal verification done by Certora, sent the code to VCs/advisors, and ran a breaking bootcamp, where everyone tries to cause major issues in the code.
At this point, they're ready for the pre-deployment phase. They got reviews from OpenZeppelin and from Spearbit through Cantina. They have some interesting points about booking audits. First, book them well in advance: it's hard to get time from the best firms. Second, timing is hard to get right: booking too early means the code isn't final yet, and booking too late holds up the launch. Reviews are stressful for devs, but always give the auditors all of your time.
They also ran a 100K pre-deployment bug bounty with Hats Finance. Post-deployment, it's all about good monitoring and a large bug bounty.
Overall, an interesting talk on building a secure protocol from scratch. The tl;dr: spend a lot of time on testing and on audits.