security-is-about-people.md

File metadata and controls

62 lines (32 loc) · 4.84 KB

Security is about people

We tend to think of software as a cold, mechanical, logical thing.

But people write code. Emotions, and the way we handle them, affect the security of a project as much as, or perhaps more than, any other contributing factor.

Though almost no one will admit it, everyone's carrying around a lot of emotion when it comes to security. These feelings strongly affect the way people approach security even though most people never show them.

As with software vulnerabilities, there are no flags waving and no red lights blaring. These feelings are buried deep and never raise their heads above the surface—but they’re ever present.

Fear and shame drive security

  • Developers fear they'll be publicly embarrassed by a hack.
  • Auditors worry they'll miss something that gets exploited.

In the world of DeFi, the emotional intensity of this fear is even greater. A high-profile hack could mean not only friends losing money, but also getting piled on by the mob of speculators who want token prices to go “up only”.

These fears lead people to approach security in a way that is less productive and effective than it could be. Projects end up focusing on security theater and image management, and on trying to turn audits into proof of a project's security so that blame can be swiftly assigned if something goes wrong.

But security doesn't work that way. Top audit teams and well-respected developers have had their contracts exploited. Security is a process, not a destination, and that's even more true in a bleeding-edge domain like DeFi.

We can do better

We aim to reduce the fear- and shame-driven approach and replace it with a healthier one, which starts with recognizing what an emotionally challenging task it is to secure code.

It is not the critic who counts; not the one who points out... where the doer of deeds could have done them better. The credit belongs to the one who is actually in the arena... who errs, who comes short again and again, because there is no effort without error and shortcoming. —Teddy Roosevelt

We think of everyone, auditors and developers alike, as playing their role together in the arena, with the ultimate goal of leveling up smart contract security while reducing the pressure and burden on individual people.

While we use a competitive arena to add a dimension of fun and an incentive to strive for the best work we can each uniquely contribute, we strongly believe security is a collaborative, community effort.

Security is about people

Fear and shame are powerful motivators, but they are unsustainable, short-sighted, and redirect attention to appearance rather than substance.

It may not be "logical" for humans to act in emotional ways, but humans are indeed emotional beings. Rather than arguing against reality, we should acknowledge this and work with it. As one of C4's bootstrappers, Scott Lewis, put it:

"The way all human brains work is not silly. We should change technology for humans, not change humans for technology."

We believe the same is true for both our approach to building C4 as an organization and the way we view security.

Getting an audit is courageous

An audit is an investment in a better long-term outcome for both the project undergoing the audit as well as its users and the community as a whole.

It requires tremendous courage to ask someone to look closely at your code and find as many places as they can where it could be improved.

Because of this, we treat sponsor projects with respect. We consider every finding discovered in an audit contest as a tool that we can use in the future to help others learn and better understand smart contract vulnerabilities.

Both wardens and sponsors have a voice in the process

We take sponsors’ feelings into consideration and work to find ways of communicating and disclosing audit results that, as far as we can manage, eliminate the “blame and shame” approach and replace it with one that honors sponsors’ contribution toward making their project and the DeFi space more secure for everyone.

Our contest process is transparent, with all issues reviewable on GitHub. We put an impartial judge in the position of listening to all players’ positions on a given issue and making a final determination.

We are a community

We trust that a community-driven approach with valuable incentives ensures enough coverage to give sponsors a meaningful and valuable audit without putting the burden on any one person to do a ’good enough’ job of catching every bug—a burden that burns out traditional auditors.

Our community chose the wolf as our symbol, and it’s fitting. Wolves are highly collaborative creatures who hunt in packs.

Rather than putting the pressure on individual auditors to catch all the vulnerabilities in a project, we ask competitors to catch the bugs that they can, and trust that the community will show up and contribute.