By Demian Brener, CEO, and Roy Zanbel, Head of Product
OpenZeppelin Defender is a mission-critical developer security platform to code, audit, deploy, monitor, and operate blockchain applications with confidence. Integrating directly into the developer workflow, Defender makes it easy and fast for developers and operators to prevent and fix security issues pre and post deployment. Built as the result of 7 years developing and auditing the world’s most popular smart contracts, Defender embeds OpenZeppelin’s industry-leading expertise and world-class intelligence across all stages of your project’s lifecycle.
From price oracle and reward manipulations, to stolen private keys, access control and governance attacks, billions of dollars are lost every year due to hacks arising from the lack or ineffective implementation of security measures.
In our experience developing the OpenZeppelin Contracts library and performing 370+ security audits, it became clear that exploited projects could have dramatically reduced losses by implementing secure development processes, robust operational security, and instant detection and response to incidents.
Since launching Defender 1.0 in October 2020, we’ve seen 15,000+ blockchain developers adopt the platform to secure and automate their smart contract operations. Developers from top protocols like Compound and Matter Labs are using Defender to monitor threats and automate the execution of governance proposals. We’ve also seen institutions like ANZ bank using Defender to launch the first bank-issued stablecoin in compliance with evolving regulations.
Now, we are excited to announce Defender 2.0, a significant leap forward for the platform.
Today, we are introducing four major developments for Defender 2.0, as well as a new, deeply integrated user experience:
Developing secure smart contracts is a daunting task. Therefore, security must be baked in from your first line of code.
The OpenZeppelin Contracts Library already provides security best practices, community-vetted code, and the most commonly adopted ERC standards. However, starting with secure building blocks is just the first of many layers of security when writing code.
Surfacing issues early in development is a key practice for healthy, fast-moving projects. Existing static analyzers and fuzzers have become popular tools among security researchers, but high false-positive rates and complex outcomes make them hard and time-consuming for non-security experts to use.
Defender 2.0’s Code module provides developer-friendly automatic code analysis powered by our machine learning models and state-of-the-art tools. For every push to your code on GitHub, the Code module identifies potential vulnerabilities and suggests improvements to enhance your code quality, including:
Thanks to its native GitHub integration, the Code module fits naturally in the CI/CD pipeline of your public and private repositories, enabling all developers to strengthen their code’s security without slowing down the team.
The code phase is wrapping up and it’s time for a security audit.
Since OpenZeppelin’s first audit in 2016, security audits have become a mandatory requirement before deploying or upgrading smart contracts. However, managing audits and review processes remains a cumbersome experience, forcing you to sort through multiple Slack messages, emails, PDF versions, and spreadsheets.
With the new Audit module, you can now easily track audit issues and resolutions, and iterate directly with auditors for faster and more efficient communication. By streamlining the process, auditors can focus their time on finding the most critical bugs, yielding better results for your project, reducing time, cost and complexity.
The Defender 2.0 Audit module also adds efficiencies before an audit even starts through the Code module’s analysis reports, providing your team with actionable recommendations to better prepare for an audit and thus optimize your time and budget. In our experience as auditors, projects using OpenZeppelin’s Contracts library and implementing fixes surfaced by the Code module can save significant amounts of time, resulting in lower price quotes from any audit firm.
You've crossed all the t's and dotted and the i's, the time has come to deploy or upgrade your project.
Deploying immutable code or upgrading multi-million dollar systems securely without outbreaks or losses can be a nerve-wracking experience for many. Often, upgrades can take several weeks to prepare and execute due to complex contract landscapes, unique upgrade processes, unexpected scenarios, and reverted transactions — slowing down delivery timelines, increasing the likelihood of errors, and wasting lots of gas in the process.
The new Deploy module now offers a suite of automated features for a secure deploy and upgrade process. It ensures your team executes the deploy or upgrade in compliance with security best practices, so you can minimize risk while avoiding unnecessary delays and post-deployment surprises.
By adding just 5 lines of code to your existing Hardhat (and soon Foundry) deploy script configuration, you can automatically:
Additionally, the Deploy module integrates with Safe app and Fireblocks for multisig and MPC wallet approvals, as well as OpenZeppelin Contracts library Timelock and Governor for secure on-chain governance.
Even if you have followed all security best practices before going live, your team must remain vigilant for potential ‘black swan’ events or vulnerabilities outside of the scope of your project, like a bridge or the Solidity compiler. The impact of vulnerabilities can be catastrophic if a project is not prepared.
Existing tools do allow projects to monitor smart contract activity, but the challenge remains knowing what risks and behaviors to monitor – and what to do about them if they occur. Slow detection and remediation can result in millions of dollars in user funds lost.
Defender 2.0 helps your project reduce detection and remediation times by giving you full visibility into your smart contracts' risks and behaviors, and providing your team with the right tools to react quickly (if not automatically) in case of an incident.
With the new Monitor module, you can:
In tandem with the Monitor module, the new Incident Response module allows you to:
Beyond incident detection and remediation, you can extend the Defender 2.0 platform with custom code, using the new Actions module to automate workflows for both on-chain and off-chain operations.
Finally, with the Access Control module, you can oversee and command smart contract permissions on a grand scale, with the power to view and control access at a granular level.
Defender 2.0 is our most important step yet in our mission to protect the open economy.
OpenZeppelin’s vision is to build the end-to-end security solution for blockchain applications. As part of this vision, we aim to redefine how security is implemented at every stage of the blockchain development lifecycle, providing startups, enterprises, institutions, and DAOs the most comprehensive combination of tools, processes, and people to succeed.
Our success is only possible if we help secure our clients’ and the wider community’s blockchain success. Beginning with a centralized platform, OpenZeppelin will work to progressively decentralize Defender modules, finding opportunities to create new, permissionless, community-based networks in the spirit of Web3 (e.g. the Forta Network was our first initiative in this direction).
We will continue working closely with clients and partners, as well as investing in even more integrations with the ecosystem and community. Our current footprint supports 30+ networks and 15+ integrations, as well as continued efforts building the open source Contracts library as a public good for all.
Whether you are coding smart contracts, engaging with auditors, deploying or upgrading to a new version, or running your system on-chain, Defender 2.0 is the best way to strengthen your project’s security posture and minimize risk.
Defender 2.0 is currently in beta phase. We’ll be rolling out access to both existing OpenZeppelin Defender 1.0 users as well as new accounts upon request:
Defender 2.0 can also be implemented and extended using our team of world-class security experts, who can work alongside your team to move through each phase of the development lifecycle including: audits, advisory, threat modeling, system integration, and incident response preparation services.
Defender 2.0 provides a new, deeply integrated user experience, coupled with more powerful features and an expanded scope.
Defender 2.0 is currently in beta phase and access will be provided upon request. You can join the waitlist here. Once access to the new version is granted, your account will be automatically converted to the new 2.0 experience, maintaining existing configurations, with no additional action required from you or your team. All Defender 1.0 features are supported in 2.0, meaning there are no breaking changes between versions.
Based on the learnings from onboarding users to the new version, we will define and communicate a timeline when Defender 2.0 becomes the de-facto version and v1.0 stops getting maintained. For more information about the changes and updated terminology, please refer to the Defender 1.0 FAQ