Pantera Capital Partner: Understanding the Smart Contract Security Real-Time Monitoring Project Forta

Original authors: Paul Veradittakit, Partner at Pantera Capital

Translator: Lu Jiangfei, Chain News

• Smart contract vulnerabilities have always been one of the most concerning issues in the crypto ecosystem, and this problem has also faced criticism within the DeFi industry. Earlier this year, Poly Network made headlines when over $600 million in assets were stolen in a smart contract attack by someone claiming to be a "white hat" hacker, highlighting the need for the crypto industry to explore stricter security practices around smart contracts.
• Many security efforts for smart contracts have focused on "pre-deployment audits," relying on experienced security researchers to identify key vulnerabilities that need to be addressed before deployment. Unfortunately, this approach fails to accurately capture potential vulnerabilities that may arise after the contract is deployed, which could be exploited by malicious actors, thus threatening the funds of millions of DeFi users.
• Forta is a new crypto project incubated by OpenZeppelin that helps developers better identify vulnerabilities during the real-time execution of smart contracts. Forta has two key components:
• Agent, which is a script that scans blockchain transactions for threats, anomalies, and other risks. Anyone can write an Agent to monitor smart contracts or transactions, and as the community of Agent authors grows, it can effectively address potential vulnerabilities in the evolving smart contract ecosystem.
• Node is a server that runs Agents supporting Layer 1 or Layer 2 blockchains. When an Agent detects certain issues with a smart contract, the Node issues an alert, which is stored on IPFS and recorded on the Polygon blockchain.

• Forta also offers additional features to enhance the security of smart contracts, including: a user-friendly interface (Forta Connect) for developers to easily deploy and manage Agents, tools (Forta Explorer) for users to browse and subscribe to specific alerts, and Agents (Private Agents) with obfuscated code and features for cautious vulnerability monitoring and encrypted alerts.
• To date, Forta has deployed over 200 Agents to support smart contract alert functionalities, such as detecting abnormally high gas fees, unusually high transaction volumes, and reentrancy calls. Many well-known DeFi projects have already integrated with Forta to better monitor various security, financial, operational, and governance risks. Additionally, the number of members in the Forta community on Discord has grown to over 10,000.
• Ultimately, by detecting vulnerabilities in real-time, Forta can provide a more comprehensive solution for smart contract security, helping smart contracts become the safest and most trusted technological primitives, thereby achieving the vision of secure and decentralized Web 3.

New Technologies Bring New Risks

Since the launch of Ethereum in 2015, smart contracts have become a core feature of Web 3 technology. Bitcoin demonstrated that a fully decentralized public ledger is feasible, while Ethereum introduced a completely decentralized computing model—at least at this stage, no other computing model can match Ethereum in terms of trustlessness and transparency. Thanks to smart contracts, developers can deploy custom-built applications on the blockchain, supporting hundreds of use cases that have now evolved into a multi-billion dollar ecosystem and become central to most crypto projects today (including the Uniswap and Maker protocols), driving rapid growth in many other blockchains like Solana, Binance Smart Chain, and Polkadot.

At the same time, the emergence of new technologies inevitably brings new risks. Earlier this year, Poly Network made headlines when over $600 million in assets were stolen in a smart contract attack by someone claiming to be a "white hat" hacker. Although the hacker returned the assets in full, this incident indicates that the crypto industry needs to explore stricter security practices around smart contracts, while the next generation of financial systems also requires more timely attack monitoring capabilities. Smart contract vulnerabilities have become one of the most concerning issues in the crypto ecosystem, to the extent that "smart contract risk" has become a term in the financial sector, aimed at describing errors and bugs that occur during contract execution, which often pose risks to digital assets and affect people's investment decisions.

From One-Time Audits to Providing Real-Time Security Features

Currently, most efforts in assessing the security of smart contracts still focus on audits, where project teams hire experienced smart contract developers to review and test contracts to identify potential vulnerabilities before public release. While audits are crucial for secure blockchain development, they are not a panacea, as many audited crypto projects have also fallen victim to smart contract hacks, and the attack vectors are often only discovered later in the project lifecycle.

In this context, continuous monitoring of the application's status and security becomes essential to prevent these potential attacks, and even after the smart contract is deployed, ongoing monitoring should continue. In the Web 2 space, this concept is referred to as "Runtime Security," and for most modern cloud hosting services, real-time application monitoring and alert tools have become essential; however, in the Web 3 space, given the decentralized nature of applications and the relatively new concept of smart contract models, implementing "Runtime Security" is much more challenging than one might expect.

Forta is a new decentralized "Runtime Security" protocol for Web 3 applications that helps developers better identify vulnerabilities during the real-time execution of smart contracts. The project is incubated by OpenZeppelin, whose team has audited dozens of crypto protocols, including Compound, Maker, and Augur.

What Solutions Does Forta Offer?

Forta's decentralized real-time security solution is based on two components:

• Agent: A script that scans transaction blocks for anomalous transactions or changes in smart contract states.
• Node: A server that runs Agents supporting Layer 1 or Layer 2 blockchains.

If an Agent detects particularly suspicious events or state changes, the Node issues a public alert, which is stored on IPFS and recorded on the Polygon blockchain.

Notably, anyone can develop an Agent and run it on Forta. The high degree of modularity and composability of Web 3 applications necessitates a community-driven decentralized security solution, as no single participant can identify all potential vulnerabilities in an application. Currently, over 100 developers have created and deployed Agents on Forta, and if you are interested in creating a new Agent, you can check out Forta's Software Development Kit (SDK) here.

Additionally, Forta has released several other features aimed at further enhancing real-time security, including:

• Forta Connect, a self-service platform that makes it easier for developers to publish and manage Agents using MetaMask instead of the command line.
• Forta Explorer, a tool that helps users browse and subscribe to Forta Agent alerts through services like Slack notifications and email updates.
• Private Agents: This feature is an Agent with obfuscated code and capabilities for cautious vulnerability monitoring and encrypted alerts, allowing developers to monitor threats more discreetly.

On November 15, the Forta project completed integration with the smart contract operation platform OpenZeppelin Defender, making it easier for developers to operate and monitor smart contract security through a unified user interface.

How Does It Work in Practice?

For example, let's revisit the attack on Poly Network that occurred in August 2021.

Poly Network is a protocol that allows users to transfer digital assets across different Layer 1 and Layer 2 blockchains by locking user assets on the sending chain and issuing an equivalent amount of new assets on the receiving chain. More specifically, users can access the assets issued on the receiving chain through a set of Poly Network wallets on that chain. During the attack, the hacker executed a transaction that replaced the public key of the Poly Network wallet on the receiving chain with their own public key, meaning the hacker gained complete control over the Poly Network wallet and could easily steal the issued assets from users.

Using Forta for real-time monitoring could prevent such an attack or mitigate its impact, and it can be achieved through two simple methods:

• When the hacker replaces the Poly Network public key with their own, the Agent may have already detected an anomalous change in the state of the smart contract managing its wallet. If the Poly Network team effectively monitors this state change, they can quickly restore the original public key, thus completely preventing the attack.
• The Agent can detect significant anomalous changes in the balance of the Poly Network wallet on the receiving chain, enabling the team to identify the attack earlier and limit losses.

So far, over 200 Agents have been deployed to identify and flag the aforementioned vulnerabilities, and some leading DeFi projects are integrating with Forta to monitor security, financial, operational, and governance risks. Since Forta announced its launch on October 1, the number of community members on Discord has exceeded 10,000.

Final Thoughts

Blockchain security needs to be continuously enhanced; only then can institutions and the mainstream better embrace crypto, which is crucial. The attacks on Poly Network earlier this year, as well as the hacks of the DAO in 2016 and Parity in 2017, have damaged the confidence of many potential users in crypto and DeFi. If blockchains and smart contracts are to become the foundational technologies supporting the next generation of financial systems, they must address such incidents and prevent similar events in the future, only then can they regain people's trust.

By abstracting Web 3 "Runtime Security" into a simple tool, Forta can help developers write and manage smart contracts better and more easily, while also implementing stricter security practices.

Moreover, as a decentralized solution, Forta allows anyone to track specific behaviors within smart contracts. Given the increasing number of vulnerabilities in today's smart contract ecosystem, adopting a decentralized solution is essential. Ultimately, Forta will further enhance smart contract security, helping smart contracts become the infrastructure of the internet, thereby realizing the grand vision of a decentralized, secure, and trustless Web 3.