Episodes
-
Blockchain Security Series 16 - Matt Aereal (Co-founder @ The Red Guild)
Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, Opsek founder, SEAL member)
Topics discussed:
- 00:00 - Intro
- 01:40 - How you got into cybersecurity
- 09:26 - Artist side: Producing events and photography
- 12:52 - Parallelism between hacking, art and magic
- 16:31 - Ekoparty: Working for The biggest Latam Security Event
- 21:16 - Beginnings in blockchain and web3 security
- 27:07 - The Red Guild
- 40:48 - SEAL: What is the Security Alliance and how are you related
- 55:50 - The challenge of building web3 public goods
- 01:04:01 - Educating consumers vs building more secure systems
- 01:08:30 - OSINT and tools
- 01:12:50 - Cybersecurity state in Argentina
- 01:18:15 - Web2 exploits in web3
- 01:27:23 - Best security tips
- 01:33:53 - Kraken's lawsuit against Certik
- 01:41:13 - Tooling in web3 research
- 01:44:34 - Red teams' work and training
- 01:48:25 - Damn vulnerable DeFi
- 01:51:26 - Final thoughts
Summary:
This is the 16th episode of the Blockchain Security Series Podcast but the first one recorded live!
Pablito engages in an insightful conversation in Buenos Aires with Matt Aereal, co-founder of The Red Guild. Matt, a security generalist with a rich background in hacking and art, shares his journey into cybersecurity, from his early interests to his current endeavors in the blockchain and web3 space. Matt begins by recounting how he got into cybersecurity and the influences that shaped his career; the conversation then turns to his artistic pursuits, including event production and photography, drawing parallels between hacking, art, and magic.
They touch upon the significance of Ekoparty, a renowned security conference in Latin America, and how it has fostered a community of like-minded professionals. Matt explains the origins and mission of The Red Guild, emphasizing its role in enhancing security within the web3 ecosystem. They also explore his involvement with SEAL (Security Alliance), discussing how collaboration and shared knowledge are vital for advancing security measures, and weigh the importance of educating consumers against the necessity of creating inherently secure systems.
This episode provides a comprehensive exploration of the multifaceted world of cybersecurity, blending technical insights with philosophical reflections. It's an enlightening listen for anyone interested in the nuances of blockchain security, the role of community in technological advancement, and the creative parallels that enrich the field.
Highlights:
- 29:19 - "We work as a non profit because we think that there's space to complement the profit schemes that there are currently in the ecosystem and the way that we do so it's being a group of security researchers with a lot of freedom to do it. So we take things really differently."
- 59:43 - "If you think security is expensive, try with an incident."
- 01:05:26 - "There is a bigger problem that is that there is a huge gap between people who actually know about technology and people who don't know about technology and the speed of the development of technology that has surpassed the capacity of some people to cope with it. And if the gap in technology itself is really really wide, then imagine in security."
- 01:07:10 - "Do you know how people have an accountant or a lawyer for themselves? I am thinking security specialists for individuals"
- 01:44:34 - "At the beginning for people was always easier trying to break, because you know what to break, in comparison to defend, where you don't have a scope of what to defend."
Takeaways:
- After meeting Tincho Abbate, they began the journey of creating The Red Guild: an educational non-profit web3 organization.
Links:
https://x.com/mattaereal
https://x.com/theredguild
https://blog.theredguild.org/
https://www.damnvulnerabledefi.xyz/
-
Blockchain Security Series 15 - Nikita Varabei (Founder @ ChainPatrol)
Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, Opsek founder, SEAL member)
Topics discussed:
- 00:00 - Intro
- 01:40 - How Nikita got into programming and blockchain security
- 08:05 - How ChainPatrol started
- 10:10 - Scam investigators
- 12:20 - Burn Mywallet
- 15:05 - ChainPatrol early days
- 20:20 - What ChainPatrol does now
- 24:25 - Social engineering
- 28:30 - Post mortems
- 33:04 - Scammers investments and ROI (Return on investment)
- 38:10 - Service providers role: registrars, cloudflare, google ads, twitter, linkedin
- 46:00 - Scammers stack: registrars, hosting providers
- 51:18 - Mixing on-chain and off-chain data to detect threats
- 55:21 - Collaboration between security companies, Threat Intel, SEAL ISAC
- 58:56 - Issues with competitors and ChainPatrol openness
- 01:02:10 - Web3 vs Web2 security
- 01:06:18 - Scammers reporting each other
- 01:10:04 - Methods used by scammers to avoid detection. Cloaking techniques, Cloudflare, Captcha.
- 01:15:07 - Users and community reporting, incentives, threat hunters.
- 01:19:37 - Making scammers lose time
- 01:21:06 - Scammers using hacked domains and legitimate companies' domains getting hacked
- 01:22:43 - Wordpress hacks and secure domain registrars
- 01:25:35 - How to manage legitimate projects domains and accounts being compromised
- 01:31:38 - Transaction simulation bypass. Proxy contracts, exploit of contract variables. Bit flip attack.
- 01:37:20 - Challenge to build for more privacy and improving threat detection at the same time.
- 01:42:24 - Private information retrieval (PIR)
- 01:44:11 - Companies taking more care of their users trend
- 01:48:47 - IPFS being used by scammers
- 01:49:55 - Best tips for crypto companies
- 01:53:39 - Security tips for users
- 01:56:41 - Final thoughts
Summary:
Pablito.eth sits down with Nikita Varabei, co-founder of ChainPatrol, to dive deep into the world of blockchain security, uncovering the tactics scammers use and the innovative ways companies like ChainPatrol are fighting back.
Nikita walks through his background in programming and computer science, his love for crypto, and his experience working at Coinbase. He explains the need for dedicated security measures in the crypto space and how ChainPatrol helps protect users from phishing attacks and impersonation.
The discussion then covers various topics related to blockchain security, including the prevalence of social engineering scams, the challenges of detecting and preventing these attacks, and how to frame security from an economic and incentives perspective, where attackers make an investment expecting a return. They also address the importance of securing accounts and using trusted brand protection providers, and why traditional companies are not succeeding in diminishing these scams.
Takeaways:
- ChainPatrol helps protect users from phishing attacks and impersonation by scanning domains, social media accounts, and replies to detect and block scammers.
- Scammers in the crypto space operate like an industry, with developers creating scam kits and others deploying them to steal funds.
- Post-mortems are crucial for improving security measures and preventing recurring issues in the crypto space.
- Tracking down scammers and taking down their fraudulent accounts requires collaboration with domain registrars, hosting providers, and social media platforms. Scammers often go under the radar of detection systems on social platforms due to the volume of accounts to monitor.
- Scammers employ various techniques, such as using Cloudflare and cloaking, to avoid detection.
- Incentive mechanisms are needed to encourage users to report scams. Secure all your accounts and use strong authentication methods to prevent unauthorized access.
- For individual users, use security extensions and wallets that offer protection against scams.
Links:
https://chainpatrol.io/
-
Blockchain Security Series 14 - Fredrik Svantes (Security research lead @ Ethereum Foundation)
Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, SEAL member)
Topics discussed:
- 00:00 - Intro
- 01:13 - How you started with computers and programming
- 02:41 - Working in Blizzard Entertainment
- 08:12 - Red and blue teams
- 14:19 - Incident response: What should web3 security learn from web2 industry?
- 18:57 - Planned and unplanned war rooms
- 22:58 - Communication mistakes during incident response
- 29:18 - Operational security
- 36:38 - Security awareness
- 39:19 - Social Engineering
- 42:51 - Role at Ethereum Foundation
- 45:38 - EF Bug Bounty Program
- 47:18 - Bounties for the execution and the consensus layer
- 49:01 - Most common types of vulnerabilities reported.
- 51:20 - Vulnerability disclosure process.
- 54:04 - Ethereum Protocol Attackathon with Immunefi.
- 59:39 - Blockchain monitoring and live threat detection.
- 01:01:46 - The future of the security in Ethereum: main challenges
- 01:06:29 - Balance between daily work and technical research
- 01:08:19 - Programming as a skill to be a blockchain security researcher?
- 01:12:16 - Favorite conferences and events
- 01:14:19 - Final thoughts
Summary:
In the 14th episode of the podcast, Fredrik Svantes, Security Research Lead at the Ethereum Foundation, shares his journey from his early days in computers and programming, through his time at Blizzard Entertainment, to his transition into the Ethereum ecosystem. In this discussion, he provides valuable insights into operational security within the blockchain space, emphasizing the crucial role of incident response, preparedness, and the growing need for security awareness and best practices.
Fredrik also explores the significance of social engineering in cybersecurity and outlines the key responsibilities of the protocol security team at the Ethereum Foundation. This team is dedicated to protecting the Ethereum network and ensuring effective coordination of security efforts across various client teams. Fredrik discusses the Ethereum bug bounty program, shedding light on the management challenges and highlighting common vulnerabilities reported, such as denial-of-service attacks. He underscores the importance of clear communication and transparency in the vulnerability disclosure process. Looking forward, Fredrik shares his perspective on the future of Ethereum's security and the challenges the network will face as it continues to evolve.
Takeaways:
- He emphasizes the importance of incident response preparedness and conducting regular exercises to ensure a calm and effective response.
- In the blockchain ecosystem, there is a need for increased focus on operational security, including securing front-ends, infrastructure, and private keys.
- Security awareness and best practices should be tailored to specific roles and responsibilities within a project or organization. Social engineering is a critical aspect of cybersecurity.
- The protocol security team at the Ethereum Foundation focuses on ensuring the security of the Ethereum network and coordinating security between client teams.
- The bug bounty program is an essential part of vulnerability disclosure, and it helps identify and fix vulnerabilities in the Ethereum network.
- Communication in security and public disclosure are crucial in the vulnerability disclosure process, and the Ethereum Foundation follows a phased approach to disclosure.
- Blockchain monitoring and live threat detection are valuable tools in identifying and responding to security threats in the Ethereum ecosystem.
- The future of security in Ethereum lies in expanding the number of experts in protocol security and addressing the challenges posed by the evolving roadmap.
- Programming skills are not necessarily required to be a blockchain security researcher, but having an understanding of programming and the associated risks is important.
-
Blockchain Security Series 13 - Pashov (Founder @ Pashov Audit Group)
Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, SEAL member)
"There are a lot of hidden gem auditors in the space really. And this is my mission to find them and to work with them"
Topics discussed:
- 00:00 - Introduction
- 01:06 - How did you get started into computers and programming?
- 05:22 - Mastering Ethereum, Andreas Antonopoulos
- 07:05 - When and why did you decide to switch from developing to security research?
- 11:02 - Do you need to know how to code to be a smart contract auditor?
- 13:07 - What is your advice for someone that is just getting interested in cybersecurity?
- 15:10 - How important do you think it is to be a self-taught person in this industry?
- 16:15 - Reviewing new code step by step. Do you first understand what the protocol does on a high level, or do you just jump into the code?
- 19:17 - Income for a security researcher
- 24:12 - What things have changed in the security space in the last years and what things still remain the same?
- 26:42 - What does the ecosystem need in terms of security? More people, better tooling?
- 27:52 - On chain vs off chain audits. How have the incentive mechanisms been evolving, and which system in your opinion works better for auditors? Code Arena, Hats Finance, Cantina, Sherlock, etc.
- 29:37 - How to choose the right audit contest? What strategy should one adopt (focusing only on DeFi protocols, bridges, etc)?
- 32:14 - Recommendations for developers and companies regarding secure software development? In what part of the development cycle should an auditor be involved?
- 35:49 - What can you share with us about your latest audits from some major protocols like Ethena, 1Inch or Layerzero?
- 37:42 - When, why and how did you decide to found a security company?
- 41:03 - Web2 security researcher vs Web3 developers
- 42:51 - Which would you say are the most important skills having worked with teams but also starting your own company?
- 44:03 - Would it have been possible to launch your company without being known in the industry already?
- 46:20 - Did you find it difficult to switch from an independent auditor to run a security auditing company?
- 47:34 - What is the hardest part about launching a boutique web3 security company?
- 48:49 - What are mistakes that should be avoided when building a brand?
- 50:18 - Angel investing. What excites you the most about investing in new companies? Are you planning to focus on other security companies, web3 protocols?
- 53:41 - Do you invest in companies after having audited them?
- 53:30 - How do you get involved with companies you invest into?
- 56:56 - Accepting tokens as payment
- 59:04 - How do you keep updated in web3 cybersecurity? Newsletters, conferences and events
- 01:01:58 - Final thoughts
Summary:
In this episode, Pablo Sabbatella sits down with Pashov, a top-tier smart contract auditor and founder of Pashov Audit Group. They explore Pashov's journey from developer to well-known web3 security researcher, with Pashov sharing insights into his meticulous code auditing process and offering valuable advice for aspiring blockchain security professionals. Later in the talk they also cover the evolving landscape of security, the financial realities for researchers, and the strategic decisions behind audit specialization.
Pashov also opens up about the challenges of launching a security firm, the rewards of investing in the crypto space, and the reasons that have led him to become an angel investor in several firms.
Takeaways:
- The income for security researchers can vary depending on factors like the type of work (contests, audits), skill level, and market conditions. Working harder during bull markets and focusing on stacking cash can be a good strategy.
- Having a long-term security partner is beneficial for companies, as it provides ongoing security support and expertise.
-
Blockchain Security Series 12 - Stephen Tong (Co-Founder & CEO @ Zellic)
Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, SEAL member)
Topics discussed:
- 00:56 - Your story: How did you start getting interested in security?
- 04:01 - Perfect Blue: A weeb team with a CTF problem. Tell us all about it!
- 06:49 - Similarities between web2 and web3 security. CTF skills comparison
- 09:55 - Traditional security background for auditors
- 11:41 - How did you start Zellic and what's its focus?
- 13:05 - Development cycle and security.
- 15:11 - Unit testing
- 18:35 - Formal verification: The wETH example
- 23:27 - The current state of DeFi security
- 26:27 - Hacks, kill switches and fund recovery mechanisms
- 30:15 - Monitoring and threat detection
- 31:05 - Code is law?
- 32:18 - Consumer education & mass adoption
- 33:19 - Security Alliance - Whitehat Safe Harbor Agreement
- 35:35 - The Nomad hack: Audit diffs
- 37:50 - Bridges and OpSec importance
- 41:30 - Programming languages. Solidity and its origin
- 43:15 - Rust & Move programming languages
- 46:05 - Key features of a blockchain programming language
- 46:38 - ERC-4626: Standards for yield bearing assets
- 47:40 - MPC from scratch
- 50:04 - Zellic Forky
- 51:03 - How to store crypto safely
- 52:55 - Threat modeling
- 55:15 - Favorite conferences
Summary:
In this conversation, Stephen Tong, co-founder and CEO of Zellic, shares his journey into blockchain security and the founding of Perfect Blue. He discusses the similarities and differences between security in web 2 and web 3, the importance of diverse skill sets in the security industry, and the origin and focus of Zellic. The conversation also covers topics such as the correct approach to security in blockchain development, the importance of unit testing and formal verification, and the challenges of ensuring safety in DeFi protocols. The discussion concludes with a reflection on the concept of code is law and the need for balance between being permissionless and protecting users from hacks. Stephen Tong covers the importance of decentralization and how to make the ecosystem more secure. The conversation touches on the initiatives of the Security Alliance (SEAL) and the need for a standardized approach to tokenizing yield-bearing assets. They also discuss the strengths and weaknesses of different blockchain programming languages, such as Solidity, Vyper, and Rust. The conversation concludes with recommendations for safely storing crypto assets and the importance of threat modeling.
Takeaways:
- Stephen's interest in security began with hacking Minecraft and Counterstrike, leading him to become a skilled auditor and co-founder of Perfect Blue.
- The skills required for auditing smart contracts in web 3.0 are similar to those needed for web app pen testing, low-level exploitation, and cryptography.
- The development cycle for secure smart contracts should include early engagement with security professionals, thorough testing, and formal verification.
- Unit testing is crucial for ensuring the security of smart contracts, and projects should aim for 100% line and branch coverage.
- Formal verification involves encoding code into mathematical formulas to prove that it adheres to protocol invariants, but it can be time-consuming and challenging.
- While no system can be 100% secure, it is possible to be reasonably sure about the security of a protocol under a given threat model and set of assumptions.
- Monitoring tools for detecting hacks before they happen are still maturing and often have false positives, but they are a step in the right direction.
- "Code is law" should be balanced with protecting users from hacks.
- Initiatives like the Security Alliance (SEAL) contribute to making the ecosystem more secure.
- Hardware wallets and compartmentalization are recommended for safely storing crypto assets.
- Threat modeling is essential for understanding and mitigating security risks.
-
Blockchain Security Series 11: Peter Kacherginsky (Lead @ Unit 0x Threat Research Team at Coinbase)
Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, SEAL member)
Topics discussed:
- 01:45 - How Peter got into crypto
- 03:39 - Interest in cybersecurity as a teenager
- 08:44 - From web2 security to web3
- 10:29 - Why did you start BlockThreat?
- 11:25 - Generating content to keep learning
- 14:28 - Similarities and differences in security industry from the last 20 years
- 16:45 - Intelligence driven security
- 18:47 - Web2 criminals coming into web3
- 26:45 - Top 10 ways a protocol gets hacked: insights
- 35:55 - Threat actors profiles
- 39:36 - Insider threats
- 44:59 - Other personality profiles in the community
- 49:01 - Nation-state criminals and other hacks
- 52:50 - The role of UX to leverage users security
- 01:01:15 - User education about security
- 01:07:15 - Most important things you learned about incident response
- 01:14:03 - Independent security researchers
Summary:
In the 11th episode of the Blockchain Security Series we sit down with Peter Kacherginsky. We discuss his journey into the cryptocurrency world and his role in blockchain security. He also talks about the early days of hacking and the parallels between web 2 security and blockchain security.
Peter shares his experience creating BlockThreat, a popular blockchain security newsletter, and makes the case for threat intelligence and mature security programs in the DeFi space. He also explores the top attack vectors in DeFi protocols and the profiles of threat actors. Later in the conversation, Peter discusses threat actors, incident response practices, and user security. He emphasizes the importance of automation in incident response and the need for a security mindset among all team members, and highlights the significance of building trust in the crypto industry, the need for user-friendly and secure UX design, the potential of decentralized incident response, and the role of independent security researchers in protecting protocols.
Takeaways:
- Threat intelligence is crucial in understanding who the adversaries are and how they target DeFi protocols.
- The top attack vectors in DeFi protocols include stolen private keys, function parameter validation, and JavaScript injection.
- Crypto natives, individuals with technical proficiency and questionable ethical beliefs, are responsible for a majority of exploits in the blockchain space.
- Insider threats and stolen private keys are significant risks that DeFi protocols need to address.
- The industry should focus on building mature security programs and adopting industry standards and procedures.
- The complexity of DeFi protocols and the financial incentives make them attractive targets for attackers. Automation is crucial in incident response to detect and respond to exploits quickly.
- All team members should have a security mindset and be involved in security practices.
- Building trust is essential for mass adoption of blockchain technology.
- User-friendly and secure UX design is important for protecting users from scams and phishing attacks.
- Decentralized incident response and the involvement of independent security researchers can enhance the security of protocols.
Sound Bites:
"It's been more than six years now and still enjoying it like it's never a dull moment."
"Not so many people that are today in blockchain security come from web 2 security, right? But some people as you or me do, well, we have all these things in common."
"We can't live in a society where we don't trust anyone."
"We need to build everything within incident response and monitoring to strive towards automation."
"Everyone is a security team. Everyone is an incident responder to the degree that they can"
-
Blockchain Security Series 10: Adrian Ludwig (CISO @ Tools for Humanity)
Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher)
Topics discussed:
- 01:10 - Adrian's background and journey
- 03:55 - Introduction to Worldcoin
- 06:16 - What changed in the last 25 years in security?
- 08:35 - Security Challenges for you as CISO
- 11:40 - Identity Verification: biometric data privacy
- 15:40 - Zero Knowledge Proofs
- 17:25 - Open-Source and decentralization
- 20:55 - The ZK backdoor and Open-Source challenges
- 24:00 - Decentralization vs. Security
- 26:00 - Incident Response
- 28:58 - War rooms
- 30:45 - Collaboration with the Community regarding security
- 33:50 - Technological innovations
- 36:55 - Self custody challenges
- 39:15 - AI and Fraud Prevention
- 45:10 - User Education
- 50:00 - Typical Day as a CISO
- 53:49 - C levels: soft vs hard skills
- 55:52 - Learning
- 58:05 - Future of Blockchain Security
- 01:01:05 - Controversial Belief about security
Summary:
In this episode, we sit down with Adrian Ludwig, Chief Information Security Officer at Tools for Humanity, to explore his extensive background in cybersecurity and his journey to his current role.
Adrian begins by providing an insightful overview of WorldCoin and its mission to improve trust and expand access to the global economy through blockchain technology. He underscores the significance of open source and community collaboration in bolstering WorldCoin's security framework, delving into the challenges posed by decentralization and the critical role of incident response in managing potential security breaches.
As the discussion deepens, he covers the use of zero-knowledge proofs and other advanced technologies to enhance WorldCoin's security posture, and the importance of secure multi-party computation (SMPC) and self-custody in the blockchain space. Adrian emphasizes the need for decentralization while balancing self-custody with data availability and explains how WorldCoin's World ID system addresses AI-driven fraud and the crucial role of privacy in blockchain transactions.
Later in the conversation, he shares his daily responsibilities as a CISO, offering insights into the blend of technical and soft skills required for leadership positions.
Challenging the notion that security conflicts with other values, Adrian advocates for clean and simple security solutions that uphold all principles.
Takeaways:
- WorldCoin's mission is to improve trust and increase access to the global economy using blockchain technology.
- Open source and community collaboration are important in enhancing WorldCoin's security.
- Decentralization is seen as a way to test the effectiveness of security controls.
- Incident response requires good visibility, communication, and ownership.
- WorldCoin leverages cutting-edge technologies like zero-knowledge proofs to enhance its security posture.
- Decentralization and privacy are key considerations in the design of blockchain systems.
- WorldCoin's World ID system aims to address AI-driven fraud by providing proof of humanity.
- A balance between technical and soft skills is crucial for leadership positions in the security field.
- The future of blockchain security lies in combining transparency and auditability with privacy.
- Good security is clean, simple, and does not compromise other values.
Sound Bites:
- "We're trying to provide privacy-enhancing services to enhance protections in the age of AI."
- "A lot of what we have to do as technologists is identify how we can change the underlying infrastructure to acknowledge the limits of humans and acknowledge the limits of our existing technology and build new technology to move past that."
- "Our belief is data about a person is really something that should be held by that person."
- "Dealing with the reality that humans make mistakes and they lose stuff has been a challenge for cryptographic systems forever."
-
Blockchain Security Series 9: Andy Beal (Ecosystem Lead @ Forta)
Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher)
Powered by Blockfence
Topics discussed:
- 00:00:00 - Introduction
- 00:01:20 - Your story: Who are you? How did you get into crypto?
- 00:03:50 - Your experience as an angel investor.
- 00:07:40 - Introduction to Forta
- 00:14:35 - Role of FORT token and delegated staking
- 00:19:05 - Use cases for Forta
- 00:24:10 - The ecosystem around the Forta Network today
- 00:29:50 - How has threat detection evolved in the last 2.5 years since Forta launched?
- 00:38:30 - Mechanisms to stop attacks: automation, front running.
- 00:51:40 - What does the future of threat detection/prevention look like?
- 00:58:10 - RIP 7614 (Rollup Improvement Proposal): expose call stack to contracts
- 01:05:20 - Security spending in the next 5 years
- 01:14:40 - Final thoughts
- 01:16:40 - Which conferences will you be attending?
Summary:
In this episode, Pablo Sabbatella interviews Andy Beal, the ecosystem lead at Forta, about his journey in the crypto and security space. They discuss what Forta is, the role of the FORT token, the Forta Network ecosystem, and how these have evolved over the past years.
The conversation delves into the use cases of Forta, including threat detection and operational monitoring in the DeFi space. Andy emphasizes the importance of early detection of exploits and the need for improved security practices within the industry.
The discussion covers various mechanisms and approaches to threat detection and prevention in DeFi, including malicious smart contract detection, transaction simulation, and anomaly detection. While front-running transactions can reduce the impact of attacks, it is not a foolproof solution. Andy highlights that the future of threat detection and prevention lies in real-time monitoring and prevention tools capable of blocking malicious transactions. He also notes that security spending is expected to shift towards threat detection and prevention tools, moving away from a sole reliance on audits.
Takeaways:
- Early detection of exploits is crucial in the security of DeFi protocols.
- The Forta network provides real-time threat detection and operational monitoring for the blockchain.
- The Forta token is used for staking and governance within the network.
- The ecosystem around Forta consists of bot developers, scan node operators, and consumers of threat intelligence.
- The industry is shifting towards a more proactive approach to security, with a focus on prevention and automated responses.
- There are three primary ways of detecting exploits in DeFi: malicious smart contract detection, transaction simulation, and anomaly detection.
- Front-running transactions can help mitigate the impact of an attack, but it is not a foolproof method.
- The future of threat detection and prevention lies in real-time monitoring and prevention tools that can block malicious transactions.
- Security spending is expected to shift towards threat detection and prevention tools rather than relying solely on audits.
Sound Bites
- "The Forta network is a giant security camera and alarm system for Web3."
- "The Forta token is primarily used as a staking token or a bonding token."
- "Real-time threat detection has emerged as a legitimate part of Web3 security."
- "There are many other ways to mitigate the damage from that transaction."
- "This is where machine learning often comes in."
- "Front-running would be more sustainable on layer two."
-
Blockchain Security Series 8: Rosco Kalis (Founder @ Revoke.cash)
Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher)
Powered by Blockfence
Topics discussed:
- 00:01:30 - Your story. How you got into crypto and security.
- 00:03:30 - Bitcoin.com (Cashscript)
- 00:05:30 - Chaingrep: human readable transactions
- 00:07:50 - Revoke.cash
- 00:08:30 - Revoke browser extension
- 00:10:00 - Revoke.cash: how it started
- 00:15:20 - Step by step how revoke grew.
- 00:17:50 - Browser extension
- 00:22:10 - OpenSource, getting revenue.
- 00:28:35 - ERC20 allowances: what they are, how they work, unlimited allowances are a frontend issue?
- 00:32:15 - Approvals for NFTs (ERC 721)
- 00:34:10 - Source of most hacks? Users signing malicious transactions or protocols getting hacked?
- 00:38:20 - The process of exploiting a contract regarding allowances, why it takes time, black hats copying the original attacker.
- 00:44:20 - Phishing attacks
- 00:50:30 - Scammers using gasless transactions, signatures
- 00:54:25 - Revoking an off-chain approval
- 00:57:40 - Approval Hacks & Exploits Tool
- 00:59:55 - Wallet Health feature & ScamSniffer integration
- 01:04:00 - Conferences and hackathons: EthCC, Devcon, Trufflecon
- 01:06:40 - Becoming a target. Your personal OpSec and Revoke.cash.
Takeaways:
Rosco Kalis got interested in computers and programming in high school and later studied computer science in Amsterdam. He became fascinated with Ethereum and smart contracts during the 2017 crypto bull market. He created the Revoke browser extension as a side project to help users avoid scams and understand token approvals. The extension provides warnings for token approvals and listing NFTs for sale, which are common ways scammers steal money.
Revoke.cash is an open-source project, and Rosco believes in the importance of keeping security tools accessible even if he stops working on them.
The risks of browser extensions include malicious extensions and supply chain attacks. Rosco acknowledges the trade-off between convenience and security and hopes that wallets will integrate better security features in the future.
ERC-20 allowances are necessary for tokens to interact with smart contracts. Unlimited allowances can be a front-end bug, but they offer convenience for frequent token swaps. NFTs have limitations in token approvals, making it challenging to give limited approvals for individual tokens.
The source of most hacks related to allowances and permits is phishing and scams. Users often unknowingly sign malicious transactions due to the complexity of understanding what they are signing. Protocol hacks are less common but can result in significant losses.
Old contracts and abandoned protocols can still pose risks, as attackers can exploit vulnerabilities and drain funds. The process of exploiting contracts with allowance issues is not immediate and can involve multiple attackers over time.
Revoke.cash is a valuable tool for managing and revoking token approvals to protect against hacks and scams. Hacking and exploiting token allowances is a common method used by attackers, and it often involves targeting valuable assets and taking advantage of token approvals.
Phishing attacks and impersonation of Revoke.cash are prevalent in the crypto space, and platforms like Twitter and Google need to improve their security measures to combat these scams.
User education and awareness are crucial in preventing hacks and scams, and users should regularly check and revoke their token approvals.
Attending conferences like EthCC and Devcon can provide valuable insights and networking opportunities for those interested in blockchain security.
Founders in the security space may become targets themselves, and it's important to prioritize personal security and stick to their area of expertise.
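As an added example (not Revoke.cash's code, nor anything from the episode), here is the mechanism behind an approval checker: a wallet's outstanding approvals are rebuilt from Approval and ApprovalForAll event logs, the latest value per (token, spender) wins, and revoking is just approve(spender, 0) for ERC-20, approve(address(0), tokenId) for a single NFT, or setApprovalForAll(operator, false) for a whole collection. The logs are constructed in the shape eth_getLogs returns; the addresses are made up, and the threshold for calling an allowance "unlimited" is an assumption.

```python
"""Rebuild a wallet's outstanding token approvals from Approval / ApprovalForAll
event logs and produce the calldata that revokes each one.

Added example. The logs are constructed, not real chain data. The topic hashes
and selectors are the standard ERC-20 / ERC-721 ones; UNLIMITED_THRESHOLD is an
assumption made for the example."""
from dataclasses import dataclass

UINT256_MAX = 2**256 - 1
ZERO_ADDRESS = "0x" + "00" * 20
# keccak256("Approval(address,address,uint256)"): shared by ERC-20 and ERC-721
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
# keccak256("ApprovalForAll(address,address,bool)")
APPROVAL_FOR_ALL_TOPIC = "0x17307eab39ab6107e8899845ad3d59bd9653f200f220920489ca2b5937696c31"
APPROVE_SELECTOR = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # setApprovalForAll(address,bool)
UNLIMITED_THRESHOLD = 2**200                # assumption: anything this large is "unlimited"


@dataclass(frozen=True)
class Approval:
    token: str
    owner: str
    spender: str    # ERC-20 spender, ERC-721 approved address, or operator
    kind: str       # "erc20", "erc721-token" or "erc721-all"
    value: int      # allowance, tokenId, or 1/0 for ApprovalForAll
    block: int
    log_index: int


def topic_addr(topic):
    return "0x" + topic[-40:].lower()


def word(x):
    """ABI-encode an address (hex string) or a uint256 (int) as one 32-byte word."""
    return x[2:].lower().rjust(64, "0") if isinstance(x, str) else format(x, "064x")


def parse_log(log):
    topics = [t.lower() for t in log["topics"]]
    sig, token = topics[0], log["address"].lower()
    common = (log["blockNumber"], log["logIndex"])
    if sig == APPROVAL_TOPIC and len(topics) == 3:
        # ERC-20: two indexed addresses, the allowance value sits in data
        return Approval(token, topic_addr(topics[1]), topic_addr(topics[2]), "erc20",
                        int(log["data"], 16), *common)
    if sig == APPROVAL_TOPIC and len(topics) == 4:
        # ERC-721 has the same topic hash but indexes tokenId, so it appears as a 4th topic
        return Approval(token, topic_addr(topics[1]), topic_addr(topics[2]), "erc721-token",
                        int(topics[3], 16), *common)
    if sig == APPROVAL_FOR_ALL_TOPIC and len(topics) == 3:
        return Approval(token, topic_addr(topics[1]), topic_addr(topics[2]), "erc721-all",
                        int(log["data"], 16), *common)
    return None


def is_active(a):
    if a.kind == "erc721-token":
        return a.spender != ZERO_ADDRESS   # approve(address(0), id) clears a token approval
    return a.value != 0                    # allowance 0 or ApprovalForAll(false)


def is_unlimited(a):
    return a.kind == "erc20" and a.value >= UNLIMITED_THRESHOLD


def outstanding_approvals(logs, owner):
    """Latest approval per key wins; zero, false and cleared approvals drop out."""
    owner = owner.lower()
    parsed = [a for a in map(parse_log, logs) if a is not None and a.owner == owner]
    parsed.sort(key=lambda a: (a.block, a.log_index))
    latest = {}
    for a in parsed:
        # an NFT has a single approved address, so per-token approvals are keyed by tokenId
        key = (a.token, "erc721-token", a.value) if a.kind == "erc721-token" \
            else (a.token, a.kind, a.spender)
        latest[key] = a
    return [a for a in latest.values() if is_active(a)]


def revoke_calldata(a):
    if a.kind == "erc20":
        return "0x" + APPROVE_SELECTOR + word(a.spender) + word(0)
    if a.kind == "erc721-token":
        return "0x" + APPROVE_SELECTOR + word(ZERO_ADDRESS) + word(a.value)
    return "0x" + SET_APPROVAL_FOR_ALL_SELECTOR + word(a.spender) + word(0)


# constructed wallet, tokens and spenders for the sample logs
OWNER, OTHER = "0x" + "aa" * 20, "0x" + "bb" * 20
TOKEN, NFT = "0x" + "11" * 20, "0x" + "22" * 20
DEX, OLD_ROUTER, MARKET, BUYER = ("0x" + b * 20 for b in ("c1", "c2", "c3", "c4"))


def _t(x):
    return "0x" + word(x)


def _log(address, topics, data, block, idx):
    return {"address": address, "topics": topics, "data": data,
            "blockNumber": block, "logIndex": idx}


SAMPLE_LOGS = [
    _log(TOKEN, [APPROVAL_TOPIC, _t(OWNER), _t(DEX)], _t(UINT256_MAX), 100, 0),   # unlimited, live
    _log(TOKEN, [APPROVAL_TOPIC, _t(OWNER), _t(OLD_ROUTER)], _t(500), 101, 3),
    _log(TOKEN, [APPROVAL_TOPIC, _t(OWNER), _t(OLD_ROUTER)], _t(0), 102, 1),      # revoked later
    _log(NFT, [APPROVAL_FOR_ALL_TOPIC, _t(OWNER), _t(MARKET)], _t(1), 103, 0),     # whole collection
    _log(NFT, [APPROVAL_TOPIC, _t(OWNER), _t(BUYER), _t(7)], "0x", 104, 2),        # single tokenId 7
    _log(TOKEN, [APPROVAL_TOPIC, _t(OTHER), _t(DEX)], _t(UINT256_MAX), 105, 0),    # another wallet
]

if __name__ == "__main__":
    for a in outstanding_approvals(SAMPLE_LOGS, OWNER):
        print(a.kind, a.token, a.spender, "UNLIMITED" if is_unlimited(a) else a.value, revoke_calldata(a))
```

Two caveats a real checker has to handle that this scan does not: an ERC-721 Transfer resets the token's approved address without a separate Approval log, so Transfer events must be folded in as well; and a signed but not yet submitted EIP-2612 permit leaves no log at all, which is why the episode treats off-chain approvals as a separate problem.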
Sound Bites
"I always try to open source everything I build."
"Hackers will just target the most valuable assets first."
-
Blockchain Security Series Episode 7: Mudit Gupta (Chief Security Officer @ Polygon)
Hosted by Pablo Sabbatella - pablito.eth (Head of Security Research @ Blockfence)
Topics discussed:
- 00:00:00 - How you got into crypto and security
- 00:05:00 - The projects you worked and what you learned at each one (Polymath, etc)
- 00:09:00 - Differences and similarities between blockchain security in 2018 and now
- 00:11:45 - Blockchain security industry standards
- 00:15:50 - Exploiting web3 companies with web2 hacking techniques
- 00:19:00 - The Ronin bridge hack
- 00:24:30 - Do projects have good OpSec?
- 00:26:40 - How to start in blockchain security
- 00:31:00 - Developers and security tooling. The future of auditing: AI, automation?
- 00:35:00 - The future of formal verification
- 00:37:10 - Polygon PoS vs Polygon zk-EVM: their difference and what it means from a security perspective
- 00:40:30 - ZK vs Optimistic rollups security
- 00:43:00 - Polygon multisig
- 00:46:20 - Arbitrum Security Council
- 00:49:40 - Events: what are they? Should they be dropped?
- 00:53:32 - Multichain vs Crosschain. Is the future multichain?
- 00:56:47 - War rooms
- 01:01:30 - Security Alliance (SEAL) initiatives
- 01:05:00 - How to hack a DeFi protocol
- 01:08:00 - Easy tips that have the highest impact in security
- 01:09:40 - Conferences: Devcon, EthCC, EthGlobal
Summary:
In this episode, Mudit Gupta, Chief Information Security Officer at Polygon, discusses his journey into blockchain security and the lessons he learned from his experiences. He emphasizes the importance of not relying solely on smart contract audits for security and highlights the need for a security mindset and deep technical knowledge. Mudit also discusses the current state of security in the blockchain industry, including the lack of operational security standards and the need for better tooling. He shares his thoughts on the future of automation and AI in code writing and auditing, as well as the potential for formal verification to become more accessible to smaller protocols. Mudit also explains the differences between Polygon PoS and Polygon zkEVM and their respective security guarantees. He shares his experience with war rooms and the importance of monitoring and bug bounties in maintaining security. Gupta also provides tips for securing blockchain projects, such as enabling 2FA and using hardware wallets. He mentions his favorite conferences, including Devcon and ETHGlobal hackathons.
Takeaways:
- Don't rely solely on smart contract audits for security; other aspects like operational security are equally important.
- Develop a security mindset that allows you to think critically and identify potential vulnerabilities.
- Deep technical knowledge of the system you're securing is crucial, whether it's smart contracts, chain-level security, or cryptography.
- The blockchain industry still lacks operational security standards, and more focus is needed in this area.
- Current tooling for security in blockchain is limited, but advancements in automation and AI are expected in the future.
- Formal verification offers a higher level of assurance but is currently complex, time-consuming, and expensive; making it more accessible to smaller protocols is a long-term goal.
- Formal verification proves that the code satisfies the rules or invariants that were written down, so the guarantee is only as good as those rules.
- Polygon PoS is a hybrid L2 side chain that offers good security guarantees and low transaction costs, making it suitable for retail users and adoption.
- Polygon zkEVM is a true L2 ZK-based rollup that borrows security guarantees from Ethereum, making it more secure but more expensive to use.
- Monitoring and bug bounties are crucial for maintaining security in blockchain projects.
- Enabling 2FA and using hardware wallets are simple yet effective security measures for individuals working in the blockchain space.
-
Blockchain Security Series Episode 6: Oliver Hörr (Founder @ Hats Finance)
Hosted by Pablo Sabbatella - pablito.eth (Head of Security Research @ Blockfence)
Powered by Blockfence
Topics discussed:
- 01:00 - Your road into crypto & security
- 06:00 - Crypto UX, security and scalability
- 07:00 - How Hats Finance started
- 08:30 - The state of the auditing market
- 13:45 - How to select which audit competition to participate in
- 17:30 - Audit firms vs audit competitions
- 21:15 - How security researchers should choose competitions
- 25:00 - Fuzzing and formal verification
- 28:00 - Bringing audits on-chain: ERC 7512
- 37:30 - Account abstraction
- 45:30 - 2 reasons your project is being hacked
- 52:00 - Incentives: white hat vs black hat
- 58:00 - Inside jobs. Bounties for employees
- 01:00:00 - Security of composability
- 01:07:00 - ETH Dam
- 01:10:00 - Favorite conferences
Summary:
Oliver Hörr, founder of Hats Finance, discusses his journey into the crypto and security space. He highlights the importance of security in blockchain adoption and the challenges in the auditing market. Oliver also talks about the ERC for on-chain representation of audits and the potential impact of account abstraction on user experience and security. He also talks about the challenges of selecting auditors and the need for better incentives for security researchers. Oliver highlights the risks of composability in the blockchain space and suggests using incentives to improve security at different layers. He shares his experience at ETHBerlin and emphasizes the importance of attending security conferences to learn and network.
Keywords: Oliver Hörr, Hats Finance, crypto, security, blockchain adoption, auditing market, ERC, on-chain representation, account abstraction, user experience, auditors, incentives, composability, security conferences
Takeaways:
- Security is a key factor in mainstream blockchain adoption.
- The auditing market in crypto has seen challenges, including long wait times and reduced audit quality.
- The ERC for on-chain representation of audits can bring more security and transparency to the ecosystem.
- Account abstraction has the potential to improve user experience and security in blockchain applications.
- Selecting auditors is challenging, and better incentives are needed for security researchers.
- Composability introduces additional risks, and incentives can be used to mitigate them.
- Attending security conferences is important for learning and networking in the industry.
Sound Bites
- "Security is one of the three big blockers for mainstream adoption."
- "The auditing market faced issues with long wait times and reduced audit quality."
- "The ERC for on-chain representation of audits can bring more security and transparency to the ecosystem."
- "If we lose our good relationships to the security researchers, there's a big chance that everything will be less secure."
-
Blockchain Security Series Episode 5: Daniel Von Fange (Smart contracts @ Origin Protocol)
Hosted by Pablo Sabbatella - pablito.eth (Head of Security Research @ Blockfence)
Powered by Blockfence
Topics discussed:
- 00:00 - His path in crypto and security. Origin Protocol
- 12:45 - How to do code review
- 20:00 - Upgrading a running protocol
- 23:00 - Most attackers are not actually that smart
- 28:50 - Bug bounty programs
- 34:00 - Insider threat
- 37:30 - Anon devs & infiltrations
- 40:40 - XZ backdoor & open source
- 43:00 - How to understand an attack
- 45:30 - War rooms
- 51:00 - Is code law?
- 53:00 - Things that have the greatest impact in security
- 56:00 - AI in auditing
- 58:00 - Bug bounties
-
Blockchain Security Series Episode 2: Jameson Lopp (Casa Co-founder & CTO)
Wednesday, January 10, 2024
Hosted by Pablo Sabbatella - pablito.eth (Head of Security Research @ Blockfence)
Powered by Blockfence