Guarded Launch: Protecting Glow Users Against Hacks

On December 18th, 2023, the Glow protocol launched on Ethereum mainnet using a security strategy called a 'guarded launch'. A guarded launch is a newer concept which adds restrictions and oversight to a set of smart contracts in the name of protecting users against hacks. To see why this is important, make a quick visit to rekt.news - as of writing, 21 different protocols have lost more than $100 million each to bad actors.

Mainstream thinking currently says that protocols should have their smart contract code audited, which usually involves having 2-4 security experts take a deep and detailed look at the Solidity code to identify bugs and risky patterns. And yet, rekt.news shows more than a dozen protocols that received one or more audits and still got hacked for more than $10 million.

The latest thinking is that code needs to be reviewed by more than a dozen security experts with different specializations to be confident that a set of smart contracts is secure against hacks and bugs. This is incredibly expensive and time-consuming, and ultimately makes it difficult to ship ambitious crypto projects.

A guarded launch is a strong middle ground between a deep audit and an unsafe release of potentially insecure code. With a guarded launch, a protocol can launch, demonstrate market viability, and then raise the hundreds of thousands of dollars required for a deep security review. The protocol can be operational during the multi-month review process, and then finally transition to a full release once all of the bugs and security risks have been eliminated.

The Glow Guarded Launch

Even for a guarded launch, it's important to have safe code. Fewer bugs in the original code means fewer opportunities for hackers to escape the guard and deal damage to users. Before the guarded launch, the full set of smart contracts for Glow were developed, brought to 100% test coverage, and then audited by Zellic. After that, the contracts were wrapped in a guard, and the guard was audited by Spearbit. The Glow guard has several layers to it.

The most important layer of the guard is the USDC wrapper. During the guarded launch, Glow uses USDG (short for USD-Glow) instead of USDC. You can mint USDG 1:1 by sending USDC to a smart contract. The USDC is then held in a multisig, and there is no redemption process during the guarded launch. Any hack which steals USDG during the guarded launch is unable to affect users, because the multisig keyholders can correct the record after the hack and ensure that USDC gets distributed to the original rightful owners of the USDG.

The second layer of the guard is a circuit breaker, which gives a small number of Glow developers and leaders the ability to freeze all assets and stop trading during the guarded launch. In the event of a hack, it's important to protect users who may not realize that a hack has occurred. Freezing all assets after a hack guarantees that a user will not unwittingly purchase a bunch of stolen coins after the beta, because the coins will not be transferable after the circuit breaker is thrown.

The final layer of the guard is a ban on all smart contracts except for the tiny list of core Glow contracts. This prevents, for example, the creation of an Eth/GLW Uniswap pool.

If an Eth/GLW Uniswap pool were allowed, then a hacker could steal a ton of guarded Glow tokens and dump them into the Uniswap pool, effectively trading stolen goods for Eth and escaping with funds that couldn't be recovered.

Blocking all non-Glow contracts leaves a hacker with many fewer places to turn stolen assets into profits, and gives unwitting users many fewer opportunities to do something risky with their guarded assets.
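The three guard layers described above, sketched as a single Solidity token contract. This is an added example, not Glow's contract code: `GuardedUSDG`, `custodian`, `guardian`, `allowedContract` and the use of a single guardian address are assumptions made for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
// Added illustration; every name here is an assumption, not Glow's deployed code.
interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}

contract GuardedUSDG {
    IERC20 public immutable usdc;       // wrapped stablecoin
    address public immutable custodian; // multisig that receives every deposited USDC
    address public immutable guardian;  // allowed to throw the circuit breaker
    bool public frozen;                 // one-way: no unfreeze function exists
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public allowedContract; // core protocol contracts only

    constructor(IERC20 _usdc, address _custodian, address _guardian, address[] memory core) {
        usdc = _usdc;
        custodian = _custodian;
        guardian = _guardian;
        for (uint256 i = 0; i < core.length; i++) allowedContract[core[i]] = true;
    }

    // Layer 3: any address that has code must be on the allowlist. code.length is 0
    // while a constructor runs, so this check is one layer, not a full guarantee.
    function _guard(address a) internal view {
        require(!frozen, "frozen"); // Layer 2: nothing moves after the breaker
        require(a.code.length == 0 || allowedContract[a], "contract not allowed");
    }

    // Layer 1: mint 1:1. USDC goes straight to the multisig; there is no redeem().
    function mint(uint256 amount) external {
        _guard(msg.sender);
        balanceOf[msg.sender] += amount;
        require(usdc.transferFrom(msg.sender, custodian, amount), "USDC pull failed");
    }

    function transfer(address to, uint256 amount) external returns (bool) {
        _guard(msg.sender);
        _guard(to);
        balanceOf[msg.sender] -= amount; // checked arithmetic reverts on overdraw
        balanceOf[to] += amount;
        return true;
    }

    function freeze() external {
        require(msg.sender == guardian, "not guardian");
        frozen = true;
    }
}
```

Because the contract never pays USDC out, a bug in `transfer` or in the protocol contracts on the allowlist can move USDG balances but cannot move the underlying USDC held by the custodian.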

There are three assets total in the guarded launch: USDG, Glow tokens, and Glow Carbon Certificates. Because USDC is wrapped, all three assets are specific to the guarded launch and therefore allow the community to entirely re-launch the contracts and reassign token balances to correct any hacks.

In summary, the Glow guarded launch protects users by having a full code audit from a reputable auditor, by wrapping USDC in a multisig to protect user funds in the event of a hack, by adding a circuit breaker that halts all trading after a hack, by blocking all non-Glow smart contracts from interacting with Glow assets, and by ensuring that all Glow assets exist within a sandbox that can be entirely re-launched in the event of a hack. With all these protections, the protocol has full functionality without the risks that come with composability.

The code that creates the guard is very simple and unlikely to have bugs. Even so, the guard was audited by Spearbit and given a stamp of approval. In the event of a hack in the main code, Spearbit believes that the guards in place will be able to protect user funds.

Glow Full Launch

The biggest advantage of the Ethereum ecosystem is the incredible composability. Glow's guarded launch deliberately shuts down all composability in the name of safety, which is only desirable for a short period of time.

Over the next few months, Glow will be getting more audits on its codebase and building greater confidence that the final version of the code is bug-free and fully resilient to hackers.

When the time comes to perform a full launch, the circuit breaker will be triggered on the guarded launch to freeze all assets. Then, a brand new set of unguarded contracts will be deployed, and all assets in the guarded launch will be redeemable 1:1 for assets in the full launch. This includes being able to redeem USDG 1:1 for USDC.

Glow has one of the most complete and protective guarded launches in the entire Ethereum ecosystem, and is a pioneer in the field of smart contract safety. Over time, we expect to see more and more protocols launch using guards similar to the Glow guarded launch. A guarded launch is a great way to introduce a new protocol to the chaos of the real world, while also ensuring that protections are in place until a higher level of confidence is built up around the quality of the codebase.