Iron Bank Fixed Forex audit: Why audits are bad

I wanted a sensationalist title. An audits role on public perception is bad, an audit for personal use, is good.

Nowadays you’ll see audits being requested, not to be reviewed, but simply as a line item. “Is the project audited? [Yes] [No]”, often, the link to the audit won’t even be required, simply [Yes][No].

Let’s use Fixed Forex as an example, “Is the project audited?” [Yes], and here is the audit. You might have even opened the link, and then you might have even scrolled down to the findings;

Great right? 1 low and 1 informational. But now let’s look at it contextually, this is essentially an ERC20 contract, and while it does show that ibEUR and subsequent ib-assets are a simple ERC20 implementation, what about the rest of the ecosystem?

ibEUR gauge
ibKRW gauge
ibEUR/ETH distribution
ib rewards
Fee distribution

Now, its very easy for me to have left it at a simple tweet, “Fixed Forex audit report”, and be done with that, and this is why, even in the past, I hated sharing audit reports, we use them as a stamp of approval, non-technical individuals use it as confirmation that they are “safe”. Nothing about what we are doing is safe, nothing about what we are trying to do is easy, and we have no future guarantees.

Decentralization is a responsibility, not a right, real decentralization is incredibly hard, and almost impossible to happen over night.

There is real elegance in truly being able to own your funds, but there is an inherent responsibility.

Teams should use audits to supplement, its the same reason peer coding works well, or even a simple peer review, but audits are not a stamp of approval, audits are not a guarantee, and audits are not a safety net.

In fact, if I saw an audit like the above, where a team said they are “audited” and all they did was audit their ERC20, I would be even more cautious.