tl;dr: Given the huge risks that come with smart contracts, a new protocol seeks to decentralize protection.
Though the public announcement of Forta occurred about a month ago, I only recently heard about it and once I grokked the idea, I said to myself “well, that’s pretty cool.”
As anyone who’s been around the crypto ecosystem for a while knows, smart contract and dApp security is a legitimate concern. The legions of hacks and thefts are testament to that.
The root problem, in my opinion, is that the Solidity development language that must be used on Ethereum is complicated, not intuitive, and really not optimized for the DeFi use case that has emerged from it.
What this means is that developers spend an inordinate amount of time securing their code, instead of innovating the code, which is where the real sexy part.
This problem has given rise to an entire industry of Smart Contract Auditors (a job I blogged about four years agov).
One of the leaders in this field is Open Zeppelin whose CEO was one of the contributors to my first book, Blockchains in the Mainstream: When Will Everyone Else Know?
Now, they are investors in Forta, as are a slew of others including A16Z, Coinbase Ventures, and Blockchain Capital. It’s a strong list and it’s an interesting approach that is uniquely crypto-native to solve the crypto-native problem of smart contract security.
Essentially, they want to do what everyone else has done and create a protocol, with node runners who are operating at the execution layer environment, meaning they will be continuously scanning the blockchain for anomalies in transactions (i.e. high gas fees or unusually large sizes) which may be an indication that a smart contract has been compromised.
From there, software “agents” can immediately provide notification to the smart contract developers who can then run their mitigation protocol.
It’s an interesting way to address this problem, because it’s clear that no centralized company like Mandiant or Norton is equipped to provide the kind of security that smart contracts require.
What’s not yet clear to me is how all of this will be paid for. I suspect that node runners will get paid by smart contract developers who want their contracts monitored by this security service. Developers who build the agents will also need to get compensated in some way as well. Perhaps the token will also have governance rights in terms of promoting/demoting certain agents.
There’s no public information that I can see re: forthcoming token economics, but that’s never been a limiting factor for new business model creation.
It will, however, most likely increase the cost of development which will have to be paid for somewhere by someone.
Regardless, it’s another layer of perimeter defense for smart contracts, which is a good thing. It’s also example of business model innovation, and ultimately is a hint that the big enterprise security players of today may have some competition coming towards them.