Many hacks in the DeFi ecosystem come from “leaked” master keys (e.g. Raydium), meaning that founders or developers have a key with master power on the smart contract (like pausing, updating or syphoning it), and that this key has been hacked by an attacker (most probably an insider).
DeFi protocols with no master key in their smart contracts are much safer obviously. They can’t be paused or syphoned. However they also can’t be upgraded, which can be useful in some cases.
Uniswap for instance proposed several smart contract versions over the years up to Uniswap v4, with different smart contracts and frontends each time. Updating was social, announcing new versions and their locations, and was pretty smooth.
Frontends have the same dilemma as smart contracts, they should be immutable, otherwise the master key will “get hacked” some day and that day when you use the protocol it will surprisingly empty your wallet (cf all the recent hacks described in our presentation here). And they should be updated, hopefully not too often.
I would like to start these discussions before bad habits are taken in Massa’s DeWeb:
- what would be the recommended pattern for builders to both have immutability and social upgradability on the DeWeb frontends ?
- do we need to change anything on the MNS smart contract to help with this ?
One way of doing this could be:
- when someone books a domain name “domain.massa” on the MNS, it automatically locks extension like “domainv1.massa”, “domainv2.massa”, etc meaning only the same address that owns the original domain can book the versions extensions.
- social upgrades would be announced by the project (and potentially relayed by the foundation), like “The frontend has been updated for [whatever] reasons, you can see the code here, and it is now available on domainv2.massa so please do not use v1 from now”.
We could even imagine that builders would keep a master key on “domain.massa” making that frontend point to “domainv1.massa” which itself is immutable, and after an upgrade, make “domain.massa” point to “domainv2.massa”. That way, people who don’t care about being hacked by that master key could use the shortcut “domain.massa” and benefit from automatic upgrades, and people caring about their tokens would prefer to bookmark “domainv1.massa” and only switch to “domainv2.massa” after carefully checking that the project announced the switch on their socials, or even to the extreme check the updated frontend code.