Episode 11 - merkle_bonsai

bountyhunt3rz: life on the blockchain
214 Plays · 24 days ago

riptide & merkle_bonsai discuss his $400,000 bug find on Oasys which took a world record 7 months to finally get paid, bug hunting blockchain backend code instead of contracts, the future of blockchains and which coding languages have staying power, nicotine and caffeine, rewriting protocol code to better understand it, smaller screens means more bugs, behavioral tricks and environmental context to train your brain for bug hunting, how DeGate is his nemesis, humble elliptic curve explanation, ZK moon math, virtual earths and the relation to GPS accuracy, and much, much more ...

Transcript

Introduction with Mr. Merkle Bonsai

00:00:07
riptide
Welcome back to Bounty Hunters. And today we have Mr. Merkle Bonsai with us. Good day, sir.
00:00:16
merkle_bonsai
Hello. Hello, everyone.
00:00:18
riptide
I love this guy's handle. Fantastic.
00:00:22
merkle_bonsai
um I'm still sad that I'm not getting the first after there the search of this nickname on a Google, but on other hands, if you Google Merkle Bonsai, you will see some papers that got inspired, actually.
00:00:38
riptide
Okay, cool. And what, I mean, obviously Merkle tree, Merkle bonsai, a little play on that.
00:00:43
merkle_bonsai
Yeah, I saw a paper that was about crafting the very imbalanced Merkle trees. So you have some branches of height 2-3, another of height 10.
00:00:55
merkle_bonsai
And the researcher called them Merkle bonsais because he was mainly crafting the trees.
00:01:02
riptide
And who was the guy that coined that term?
00:01:04
merkle_bonsai
I do not remember, sorry. ah You can google it, it's like dozens of papers about that and I was... I'm unable to find the original one.
00:01:14
riptide
Okay.
00:01:14
merkle_bonsai
You know how it happens sometimes.
00:01:16
riptide
Oh yeah. Yeah.

Journey into Bounty Hunting

00:01:18
riptide
So Mr. Merkle Bonsai here is, is another top 50 elite white hat bounty hunter. And I was just looking at some of your, I guess you had a tweet pin from 2023.
00:01:31
riptide
And you mind if I say this how, basically how you started, you said with zero solidity knowledge, and just some common sense by programming experience. Found my first 100K crit in the first month, then got a few more during the few next months.
00:01:31
merkle_bonsai
Yeah.
00:01:45
riptide
I do have a day job, so it's more of a hobby. Is it still a hobby for you? Is this full-time?
00:01:50
merkle_bonsai
Oh no, it's still a hobby actually.
00:01:53
riptide
Oh, shit.
00:01:53
merkle_bonsai
Uh, oh no, it's not, it's not that bad actually because, uh, I switched it to building my own things based on about it. So it's more, more like a replacement for investments.
00:02:06
riptide
Beautiful.

Blockchain Innovations and Challenges

00:02:07
riptide
And so your biggest bugs were, could you remind us, I saw Oasys.
00:02:11
merkle_bonsai
Uh, yeah, actually, Oh, this was the biggest one and, uh, it got me to the, uh, the blockchains and distributed validators technology, DVT. And it was really totally different world here because to be honest, I got kind of bored with EVM stuff because it's more like every second project is the Uniswap fork or something like that.
00:02:40
riptide
Mm-hmm. Mm-hmm. Mm.
00:02:41
merkle_bonsai
And the coolest things, the coolest bugs can find are happening in blockchains itself now, since everyone is doing their L2.
00:02:51
riptide
That's true. Yeah. And they're always choosing, like I read your, your write up on Oasys. Maybe if you want to give a high level overview or, or however you want to talk about it, but, but that basically just, they didn't take, they didn't just say, Hey, we're going to copy everyone else.
00:02:59
merkle_bonsai
uh
00:03:06
riptide
They kind of made it very unique. Like you mentioned, they, they basically did their own kind of proof of work.
00:03:11
merkle_bonsai
Uh, yeah, I actually wasn't correct about this. Uh, guys corrected me because they actually forked, uh, BNB, BNB logic. It was a BNB, but they had thrown away the validations in, uh
00:03:14
riptide
Okay.
00:03:28
merkle_bonsai
in Go part. So they had a contract that are not validated, but there was several checks in core itself and they just threw it away. Probably they didn't know what they were doing.
00:03:43
riptide
Do you, because in your write-up too, you were kind of saying that you didn't know why they went with a certain method.
00:03:51
merkle_bonsai
I, um, I still do not understand the concept of this distributed Proof of Stake.
00:03:51
riptide
but And.
00:03:58
merkle_bonsai
I do not like the concept that you have more and more abstractions on a level of a chain itself.
00:04:05
riptide
Hmm.
00:04:05
merkle_bonsai
It feels like you're bloating a lot of stuff and what Light is doing his so seems a bit better for me

Understanding Blockchain Mechanics

00:04:15
riptide
or maybe Maybe give give everyone like a basic overview of of what their system, how it worked, so they kind of have some background.
00:04:15
merkle_bonsai
because ah you keep the calls more.
00:04:22
merkle_bonsai
ah Basically you have 24 validators and everyone is just basically staking their money. It's more like liquid staking, but you choose ah out of 24 guys or something like that.
00:04:36
merkle_bonsai
And the one as far as I remember, the ones who are getting the most asset stake or like biggest five guys are doing the validation job. so It's a bit of gambling, it's a bit of a liquid staking, and it's a bit of something else. And I really, for me, it really seems kind of weird here about how it works.
00:05:01
riptide
Okay, and and but this is one where you could still buy in to be a validator with a certain amount of token stake right or was it completely permissioned.
00:05:10
merkle_bonsai
oh ah I don't know the is current state of this those guys, because it doesn't seem they are doing some public stuff. And about the BNB chain, I don't know, honestly, I didn't dive into the BNB chain. I only checked that they have this thing secured, and that's it.
00:05:30
riptide
Yeah.
00:05:30
merkle_bonsai
Because

Skepticism and Appreciation of Blockchains

00:05:31
merkle_bonsai
I'm not huge fan of BNB chain, actually. I still do not get the idea why they need this chain. For me, it was more like they just...
00:05:39
riptide
To gamble, of course.
00:05:42
merkle_bonsai
I mean, what are the benefits of having your own chain that is kind of similar to normal one? I understand the base concept that you have...
00:05:53
merkle_bonsai
less gas price, smaller gas price, you have ah faster blocks and it's bringing us more to real times than something else. So base itself has a clear understanding why they're doing something and BNB still questionable for me. I'm not judging guys here.
00:06:13
merkle_bonsai
i just didn't get it. I didn't understand it and and nothing something else.
00:06:21
riptide
I think you'd want your and I mean, BNB has been around. That was the first kind of gambling high speed chain.
00:06:26
merkle_bonsai
You're right.
00:06:27
riptide
And I guess you'd want to do that if you want to control the ecosystem. They had Binance as well linked up to it. You can cut the flow off if you get hacked, cut the bridges.
00:06:39
riptide
You can roll back the chain. I mean, you have complete control.
00:06:42
merkle_bonsai
Like Solana does.
00:06:45
riptide
As they say, I've never looked at it still. Yeah.
00:06:49
merkle_bonsai
Solana is, by the way, like really breaking my mind. I still try to understand this whole concept that you have addresses that are contracts, addresses that are storages.
00:07:00
merkle_bonsai
I mean, I get the idea and I even get the beauty of the concept that you can move any assets you want, how much you want, but just make the things correct in the end of transaction.
00:07:06
riptide
you
00:07:11
merkle_bonsai
And this is really cool. This is a totally different world.
00:07:16
riptide
Dude, what do you think like what do you think actually goes forward? Like all these technologies, you're talking Solana, you have Ethereum, you have anyone who wants to make a chain, L1s, L2s. And then different languages, you have Move, Cairo, Solidity, all these things.
00:07:34
riptide
What do you think actually makes it say five, maybe even 10? I mean, let's just say five years from now.

Predictions for Blockchain's Future

00:07:40
riptide
Do you think all these will will still be around?
00:07:41
merkle_bonsai
Oh.
00:07:42
riptide
Are we just in the phase where we don't know what's going to work?
00:07:46
merkle_bonsai
I think that we will end up with something like Solidity, something EVM based. Maybe everyone will switch to Vyper, I don't know. But I guess that something EVM-ish will still be there because we have too much EVM everywhere and someone will clearly become a winner. And I think we will get something Rust related because, ah, Rust fanboys are everywhere.
00:08:17
merkle_bonsai
ah
00:08:17
riptide
I think you're right.
00:08:18
merkle_bonsai
not judging, but ah I don't know if you know or not, but TypeScript announced a few, maybe months or two ago that they are switching the compiler itself from JavaScript to Go.
00:08:19
riptide
yeah
00:08:32
merkle_bonsai
And ah you go to this tweet and you see instantly like 100 replies, why not Rust, why not Rust, why not Rust? So Rust fans are everywhere and we...
00:08:45
merkle_bonsai
We physically cannot ignore this fact. So something will be still written in Rust.
00:08:49
riptide
Are you are you a rust fan?
00:08:51
merkle_bonsai
Ah, not a lot, but I generally prefer high level language. So at least it's better than C.
00:09:00
riptide
Yeah, I wouldn't say it's too low level, but I've just dabbled in it a bit. I actually have the book here on my desk and I've read to page 10.
00:09:09
riptide
But i you know I've looked at it a bit and it doesn't seem that cryptic.
00:09:16
merkle_bonsai
oh No, I understand totally, but it's just more about you will either end up doing the simple stuff, you will either end up doing something that is very similar high level languages. i know you I don't know, you will start writing like in Go style or JavaScript style, whatever, or you will be doing the insane low level stuff And I clearly do not understand the whole concept. why
00:09:50
merkle_bonsai
Why use Rust or C if you're not doing really complicated things?
00:09:55
riptide
Yeah, I guess it depends what you want to

Personal Insights: Quitting Vaping and Productivity

00:09:57
riptide
do. Do you think, you know, ah, Vectorized? Are you aware of him?
00:10:01
merkle_bonsai
Vectorized ETH. Yeah.
00:10:03
riptide
ah Yeah. Yeah, the guy.
00:10:05
merkle_bonsai
ah yeah
00:10:06
riptide
and Okay. Do you think that guy can even look at a high level language? Or do you think his mind would just explode? It's just too simple for him. He has to, his mind functions like a, like an M4.
00:10:19
merkle_bonsai
Uh, uh, it's a good question, but, uh, ah, yeah, ah, rick, it's like memories loading. It's a guy who wrote the Solady contracts, uh, oh
00:10:31
riptide
Yeah, yeah, that guy. A beast.
00:10:36
merkle_bonsai
It's a really good question. ah I don't know him personally, so I cannot say for him. But what I see in his code is that he is more about optimization of stuff. And will be able to optimize some things on high level, he will probably do it.
00:10:57
merkle_bonsai
so it's not i do not feel that this guy is about doing something specifically on certain languages more about he is using as the tools uh i'm i um may be wrong it's just an impression here
00:11:09
riptide
Hmm. Yeah, maybe it's a certain mindset.
00:11:14
riptide
Yeah, true. Ah, interesting. Um, I was curious about, you talk about optimization. I was scrolling through your tweets. And I saw that at some point, you said, Hey, I'm quitting vaping.
00:11:28
riptide
Is this still the case?
00:11:28
merkle_bonsai
Yeah. ah Yeah, I'm still actually using the nicotine chewing gum because I cannot like fully quit, but it was way better and i
00:11:43
riptide
do Do you feel like nicotine is is beneficial for for what you do, bug hunting?
00:11:48
merkle_bonsai
ah No, it's more about like, I'm ah taking the smallest amount and it's more about I don't know, it's something in the brain that's okay, I want it, I want it Then I take the chewing gum and I stop waiting for it.
00:12:04
merkle_bonsai
I actually feel that if I will be able to somehow replace ah real nicotine chewing gums with ah fake fake gums that has no nicotine, I will still be able to trick the brain, neck because I feel that it's
00:12:19
riptide
Do you drink coffee as well with the nicotine?
00:12:22
merkle_bonsai
uh it's not related actually i didn't like to take them together
00:12:24
riptide
No.
00:12:29
riptide
Do you? It's interesting because so I'm ah i'm a normal.
00:12:32
merkle_bonsai
yeah i know most of the people prefer to wake up have a coffee have a cigarette especially in Balkans i guess but no for me it was more about tea story so i like coffee
00:12:39
riptide
hmm.
00:12:47
merkle_bonsai
I love waking up and drinking the coffee, but I really didn't like the mix of this taste. ah That coffee taste is ah somehow interacting the flows the juicy and sweet flavors of a vape, and this doesn't feel good. Maybe for a cigarette it would be different, but I never smoked a cigarette.
00:13:12
merkle_bonsai
It just somehow started with vapes.
00:13:16
riptide
I need to start profiling people on this podcast to see if they stack like a monster plus plus regular rolled cigarette, vape. I need to do a big survey here. There has to be some optimal dosage of stimulants to to crank through all this code all day.
00:13:33
riptide
I don't know what it is.
00:13:35
merkle_bonsai
me I'm not advising to do this, but as far as I know, ADHD treatments can help here if you really have ADHD.
00:13:51
merkle_bonsai
Because for me, I was ah diagnosed with a mild version and some of treatments were really helping a lot.
00:14:02
riptide
Like which treatments? What do you mean?
00:14:03
merkle_bonsai
ah
00:14:04
riptide
Vapes.
00:14:05
merkle_bonsai
No, no, no, no, no.
00:14:06
riptide
Nicotine gum.
00:14:06
merkle_bonsai
I mean the pills for ADHD.
00:14:10
riptide
Okay.
00:14:13
merkle_bonsai
So I will not promote any specific brand to buy it off label. It's always better to ask the doctor. But if you cannot concentrate, you might be having ADHD and it's not like a bad thing.
00:14:28
riptide
Yeah.
00:14:28
merkle_bonsai
It's more about like thinking in different manner.
00:14:31
merkle_bonsai
But actually actually, I still feel

Negotiations and Self-Advocacy in Bug Bounties

00:14:32
merkle_bonsai
that I tricked the doctor because I feel that I just have a big part of a brain allocated for totally different functionality than normal people. So it feels, doesn't feel like what I see and what I read about other ADHD guys. And it feels more about, don't know, that's, uh, I'm optimized for something else.
00:14:55
riptide
Would you say you're on the spectrum?
00:14:59
merkle_bonsai
Uh, no.
00:15:00
riptide
Would you say you're high functioning introvert or extrovert?
00:15:04
merkle_bonsai
Oh, damn it. It's really feels like a profiling. Uh, it's really hard to say because, uh, I'm, I'm totally sure I'm introvert, but my girl is absolutely sure that I'm an extrovert.
00:15:23
merkle_bonsai
So I re I really didn't know.
00:15:23
riptide
Who knows? Who knows? And you said you're in the Balkans?
00:15:29
merkle_bonsai
no, no, nope. nope
00:15:30
riptide
No? Okay.
00:15:31
merkle_bonsai
hey You're confusing me with a passion I guess.
00:15:32
riptide
Somewhere around there.
00:15:35
riptide
All right. Where you at? Can you disclose?
00:15:39
merkle_bonsai
I'm in Bangkok.
00:15:39
riptide
What region?
00:15:40
merkle_bonsai
I'm in Bangkok last few years. I really love this city and the vibes of this city. It's really good here.
00:15:47
riptide
And we missed each other then. I was at edith Bangkok.
00:15:50
riptide
Did not meet at all.
00:15:50
merkle_bonsai
ah Yeah, i was running it all across the DEFCON before, after a few days.
00:15:56
merkle_bonsai
So I guess you were there at the DEFCON, right?
00:16:00
riptide
yeah ah No, I missed it because I'm a moron. And then i I showed up just for the conference. Side events, whatever.
00:16:07
merkle_bonsai
ah Ah, only for a security summit.
00:16:11
riptide
Oh, yeah. Cool, man. Very cool. Well, hey, um, let's, I want to talk about something else. So the Oasys bug that you made a good chunk of change on, I think that is the new record for getting paid.
00:16:28
riptide
because So you said seven months you were in negotiation for this bug.
00:16:31
merkle_bonsai
Mhm. Mhm. Yeah, absolutely.
00:16:33
riptide
Is that true? That's fucking insane. Seven months you had to wait.
00:16:36
merkle_bonsai
Well, it was more about, I really didn't know why they paid because they quit Immunefi. And as far as I knew, there was even an issue with that, really big issue with that at some moment of time, but they solved it up somehow, that some teams were coming to Immunefi.
00:16:57
merkle_bonsai
They were set up in the bounties. A lot of guys were running in and reporting tons of bugs and instead of doing the payments, they were just quitting the platform without paying anything.
00:17:10
merkle_bonsai
And I was sure it was the case, but somehow Immunefi guys worked it out for me and made the magic happen.
00:17:10
riptide
Right.
00:17:20
riptide
Somehow. So so yeah you think there're their internal mediation team, you pretty much had a positive result as long as you can factor in the time value of money there for seven months?
00:17:26
merkle_bonsai
Yeah.
00:17:29
merkle_bonsai
Um, I'm absolutely sure that it's a really positive story, but, ah, if someone will encounter the same situation, I will definitely say that you need to do a lot of work yourself, because, oh, for Immunefi, I think it was still the time when they only had a percentage of payouts, so they were financially motivated to help me, but not that much, and
00:17:47
riptide
you
00:17:59
merkle_bonsai
It's always a story about caring about yourself. And if you are not caring about it, why anyone else should. So you will have to manually research on every part of their Zendesk guides and every part of public documentation they have to argue.
00:18:21
merkle_bonsai
So basically you find them the arguments, you find them why you're right. they do the rest. they They will do it slowly, but I guess this is a better thing.
00:18:34
riptide
I mean, I'm glad you got a good outcome on it. Do you, do you only go through the platforms or do you just like, how do you hunt?

Approaches to Bug Hunting

00:18:41
riptide
What's your method?
00:18:42
merkle_bonsai
Oh, ah it's really complicated thing, but what i definitely figured out is that first thing you need to really be curious about certain project And without it nothing will work because you will get tired of starting the project and that's it.
00:19:04
merkle_bonsai
And then after that you will have to isolate something you want to stare at hours.
00:19:15
merkle_bonsai
Hours. So I usually start just editing the code and removing each, rewriting in my own personal manner. Uh, I tried AI for this nowadays, and, uh, some of them are really good at throwing away the ways of stuff and rewriting it slowly.
00:19:35
riptide
Wait, you take the code and then you rewrite it in your style?
00:19:36
merkle_bonsai
Hmm.
00:19:39
merkle_bonsai
ah Not rewrite, but yeah, partially a rewrite. I usually just remove all the comments, remove all the events because it's it's nothing to mess around with them usually except it's a breach.
00:19:55
merkle_bonsai
If it's a breach, I will only leave the events that matter.
00:20:00
riptide
Mm-hmm.
00:20:00
merkle_bonsai
Oh, then I start to rewrite every if-then-throw with a require, because negative invariants are easier to check in my head than positive ones.
00:20:15
merkle_bonsai
And then I start... um when When I was ah just hacking from a laptop, it was more about some personal comfortable style, but now I'm just doing the every function declaration, every line on a single line on a large large external display.
00:20:36
merkle_bonsai
It feels really good.
00:20:38
riptide
How many monitors is your setup?
00:20:41
merkle_bonsai
ah Just one. ah It's 27 inch 4K display. I think it's Samsung, but I'm not sure. I really don't remember.
00:20:52
riptide
But do you find more bugs on a laptop or a big display? I've personally done more on a laptop for some weird reason, a 13 inch screen.
00:20:56
merkle_bonsai
oh
00:21:00
merkle_bonsai
too, actually. and ah For me, there is one more thing that works good. It's ah contextual story.
00:21:12
merkle_bonsai
So what I usually do when I come to a new city to do some stuff, I usually find some really cheap coffee shop or cafe, whatever, it has normal wifi, maybe outlets.
00:21:28
merkle_bonsai
And, I start working there and every time i come, I come down to this cafe or coffee shop, uh, I have a context in my mind that I'm time framed here. I'm ah in Bangkok. I usually take like until down.
00:21:49
merkle_bonsai
So it's more like six hours, something like that. Maybe eight hours, maybe four hours. Depends on when will I go there. I usually go for for dinner and start sitting there with a coffee.
00:22:04
merkle_bonsai
I take like two, three of them, maybe four. And I have in my head that I'm here to do this thing and when you're trained enough, your brain will start to force you into doing this thing every time.
00:22:19
riptide
Repetition is key. I agree.
00:22:21
merkle_bonsai
ah No, it's more like, I don't know, have you have you seen the NFC tags that do something that when you come, like, I don't know, come home, when you come to the work, you have some triggers and in our minds, it's also triggers, so You arrive somewhere and if you know that this specific context is associated with work, you will do the work.
00:22:51
merkle_bonsai
My friends, ah years ago had two absolutely identical laptops because the one was given him on a job and it was like macbook pro maybe 14 16 whatever so he really liked this laptop and was using it all the time but he understood that he cannot switch between work and personal things and He bought the ah identical laptop, like absolutely identical. And just like he has work MacBook, personal MacBook, they're identical, but he's switching the context in his mind when he closes one laptop and then opens another.
00:23:34
riptide
Okay. I can see that. Yeah. That's getting into bug bounty hunting mode with, with common behavioral traits and like a scenario around you and actions.
00:23:46
riptide
I like that gets you mentally fixed.
00:23:46
merkle_bonsai
ah Yeah. Mm-hmm exactly.
00:23:51
riptide
Okay.
00:23:51
merkle_bonsai
But, uh, generally about like searching for something, ah usually do the things that I open like 10, 20, 30 projects and look around for them, look around through them.
00:24:04
merkle_bonsai
I give myself some time to wake up in a months ago and like, aha, here's a bug.

Potential Ethereum Updates and Concerns

00:24:11
merkle_bonsai
Just because it's something processing and a background. I don't know how it works exactly.
00:24:18
riptide
So you open 20 to 30 projects at once from DeFi Llama, from Immunefi, what do you do?
00:24:22
merkle_bonsai
Usually, yeah. So
00:24:25
riptide
I
00:24:25
merkle_bonsai
ah so again, please, I got, can you repeat please?
00:24:31
riptide
Ah, I say, um, you know, how do you get that first thread? Do you go on Immunefi and you pop open 20 projects or DeFi Llama?
00:24:37
merkle_bonsai
Oh yeah. Uh, yeah, I usually go to Immunefi or other platforms like Cantina. Uh, to be honest, I think that I have like 300 gigabytes of everything installed and it's probably at least half of all Immunefi projects on my laptop.
00:25:00
riptide
Just so you could do keyword searches, stuff like that.
00:25:04
merkle_bonsai
Because everything is indexed and it's way easier to search around and it's way easier than use the Sourcegraph to search for something because you have at least a context that you know that all those projects have bug bounties and you really care about them.
00:25:21
riptide
And do you have a cron job going like a daily git pull to update everything?
00:25:25
merkle_bonsai
No. I usually check for changes if I'm getting the idea of something. Oh, ah by the way, I wanted to ask you a thing.
00:25:38
merkle_bonsai
ah What do you think about the coming Ethereum updates? Do you think we will get a lot of hacks there?
00:25:45
riptide
With which update?
00:25:47
merkle_bonsai
ah I'm specifically looking at yeah EIP.
00:25:49
riptide
Pectra.
00:25:50
merkle_bonsai
Yeah, Pectra.
00:25:52
riptide
Oh, oh that's that's a great question.
00:25:53
merkle_bonsai
Next response one.
00:25:56
riptide
um that's what That's what the test nets are for. I know they spent a lot of time on this. I haven't seen the results of the competition. I hope some things have been found, but I know that there's always something out there, man. I mean, hopefully it's nothing devastating if there is a bug found, like with everything, but Is there going to be a bug in Pectra that's not found?
00:26:19
riptide
Yes, I will say that with very high certainty. But will it be found eventually?
00:26:24
merkle_bonsai
Mm-hmm.
00:26:26
riptide
Hopefully so. I mean, um this is just always the case. This is the nature of code and the nature of humans. But I think that with this big review and the time through test nets and everything that high level bugs the chance that they're reduced significantly is is quite high.
00:26:46
riptide
That's my hope.
00:26:49
merkle_bonsai
ah Yeah, I'm specifically thinking about several EIPs that are... I don't know, actually, maybe they even throw it away, but account abstraction and triggerable exits maybe be are sounding like something that can be exploited in the wild.
00:27:03
riptide
Mm-hmm.
00:27:10
merkle_bonsai
And probably some projects will be.
00:27:10
riptide
Have you looked at 4337 yet?
00:27:15
merkle_bonsai
Which one? 2.7? two seven
00:27:17
riptide
four three three ah four through three seven i think that's it it's the
00:27:19
riptide
4337.
00:27:19
riptide
I think that's it. It's the, what's it called? It's the entry point contracts.
00:27:24
merkle_bonsai
Mm-hmm.
00:27:26
riptide
I don't even know the name of the ah ah of the ERC.
00:27:30
merkle_bonsai
Oh, yeah, I got it.
00:27:30
riptide
I can't even think of it.
00:27:36
merkle_bonsai
Yeah, I remember it now. That kind of abstraction. Mm-hmm.
00:27:41
riptide
Yeah, account abstractions, that's right. Um, have you taken a look at anything? Because they've pumped out, I think they're at version 0.8 now, and they're just testing in prod. But the interesting thing is, with this is, because I submitted a bug on HackenProof for these guys,
00:27:57
riptide
and nothing big, just like a DoS bug and it was a duplicate, whatever.
00:28:01
merkle_bonsai
Mm-hmm.
00:28:02
riptide
But the funny thing is, is like they're putting out these contracts, they're saying, hey, go ahead and use these and projects are plugging them in and then they'll post 0.7, 0.8.
00:28:15
riptide
But the thing is like projects, they don't switch. Like you could go look at the early contracts and they're still being used. And so I don't know if the devs are aware of these bugs that have been reported.
00:28:26
riptide
And they're just using them anyway. It's not important to them. I'm not sure. but this is a good angle for people to look at is look at those entry point contracts.
00:28:30
merkle_bonsai
right
00:28:34
riptide
Look who's interacting through them and say, hey, yeah know, what bugs have been fixed and what haven't. And then maybe can find another bug, too, on the early ones and the projects that are using them.
00:28:45
merkle_bonsai
oh Yeah, I'm really just thinking about what will happen with transaction origin stuff
00:28:55
riptide
I think they've had a lot of time. Everyone's had a lot of time to look at that and prepare for it.
00:29:00
merkle_bonsai
Ah, I'm not sure that much. I mean that... CRM team itself and the biggest protocols are safe of course, they updated in time. But we have a ton of projects that are running, some of them are kinda dead, but some tokens are locked there.
00:29:19
merkle_bonsai
And so we can expect wave of hacks I think, after in May, something May.
00:29:19
riptide
Mm-hmm.
00:29:26
riptide
or there might be, it might be a battle with white hat rescues and, and hackers. Right, right.
00:29:33
merkle_bonsai
Yeah. Um, oh, but by the way, uh, the SEAL team and Immunefi that launched a Safe Harbor, huge respect from me. It's really good initiative. In that case I wasn't involved in a Safe Harbor because
00:29:33
riptide
When it goes live, everyone's got their scripts ready.
00:29:50
riptide
I agree. Have you been involved in any of those projects with safe Harbor?
00:29:59
merkle_bonsai
Honestly, on one hand, yeah, you can try to save the funds. It's not a good behavior for me, but I would prefer to not interfere because if you will do something wrong, you can do something worse.

Exploration of ZK Bugs and Cryptography

00:30:14
merkle_bonsai
And if I will see something going on, i will probably reach some someone from SEAL team instead.
00:30:23
riptide
i I would agree. I don't have the skill set that these guys do with that immediacy where where to intervene like that.
00:30:30
merkle_bonsai
who
00:30:31
riptide
And I think if I did, i would be, you know, too under a time crunch and and possibly fuck something up. So, yeah, I would definitely, unless you know what you're doing and you want to do the White Hat Rescue, just just talk to the guys who do it all the time.
00:30:40
merkle_bonsai
he
00:30:48
merkle_bonsai
Last time I was, ah spent half an hour trying to recall how to actually execute transaction in Foundry. So it's probably way better to report
00:30:58
riptide
Yeah. I don't know how these guys do it. Like when a hack comes out and then the guy there, there, I mean, there still is, there's like a race for, for just cred to flex on Twitter and say, I'm the first one that found out how this hack was carried out, man.
00:31:06
merkle_bonsai
Mm-hmm.
00:31:12
riptide
Some of the guys that do that are just really, really good because I dig through it and it takes a lot of time and it props to the guys that put it out very quick.
00:31:22
riptide
I always love reading them, but I'm not the guy for that. No way. I like taking a lot of time to look at things.
00:31:30
merkle_bonsai
Yeah, on one hand, yeah. On another, I guess it's more about being familiar with nice tools. I think that Tenderly is helping a lot in that case and EVM storage have been helping with it a lot, but sadly it's discontinued now.
00:31:48
riptide
It's gone.
00:31:49
merkle_bonsai
Yeah.
00:31:49
riptide
what are your What are your alternatives? Do have something good?
00:31:53
merkle_bonsai
Nope, I'm still there searching for, I tried the Ddub version today and it just failed.
00:31:54
riptide
Yeah.
00:32:04
merkle_bonsai
It was like I'm unable to deconstruct the state object. Sorry pal.
00:32:10
riptide
Do you use Slither? They're tools to pull your slots.
00:32:12
merkle_bonsai
Oh, not really. Not a lot. Um, as I said, I'm mostly in, ah, blockchains and all things around right now. So contracts are more like... I really like diving into the pre-installed contracts, the Genesis contracts, and they are acting weirdly sometimes, and they are relying on an installed memory.
00:32:40
merkle_bonsai
I don't know how to call it, but they're relying on engine memory instead of actual slots and stuff.
00:32:47
riptide
For the precompiles.
00:32:48
merkle_bonsai
Yeah, yeah, yeah. No, no, no, not the precompiles. In some projects they will have contracts that are literally Solidity contracts, but they already exist at a certain address in the genesis event. And they sometimes may be handled in a different manner. So you have a contract and, for example, like in other stories, they had extra checks before executing the contract that are executed in Go.
00:33:26
riptide
Okay.
00:33:27
merkle_bonsai
So this kind of thing. But right now I'm fighting my nemesis. I'm trying to find, for one year already, I'm trying to find any bug in DeGate.
00:33:41
merkle_bonsai
I really want to find some ZK bug, but I cannot. I just want to find a ZK bug.
00:33:47
riptide
I thought you found something in DeGate.
00:33:51
merkle_bonsai
Yeah, yes and no. It's more about the bug that is already mitigated, because the guys already solved the thing, but this... no, no, no, it was more about the privileged accounts, that the operator may potentially steal something, but
00:34:05
riptide
Was this the Exodus mode? Was that this?
00:34:14
riptide
Okay.
00:34:16
merkle_bonsai
It is wrong because the operator needs to be, they needed to have an account zero with address zero for that. And they already initialized the address with an address.
00:34:31
merkle_bonsai
So it was more like, "Oh yeah, we didn't expect it this way to exploit it, but we already mitigated it for another reason. Thank you.
00:34:42
merkle_bonsai
Goodbye." So they paid like a fraction some, but I usually just like, you know, you just want to get the full bounties here.
00:34:53
riptide
Yeah.
00:34:54
merkle_bonsai
You feel not fully satisfied with such a report.
00:35:00
riptide
DeGate was at, I forget, some crypto event I was at, maybe it was a EF Naples or something like that. I went to one and I was talking to him and I realized they had this 1.1 million bounty.
00:35:07
merkle_bonsai
Hmm.
00:35:12
riptide
And so I spent like, I don't know, the next four hours just looking at their code and, yeah, I'd love to find something in there.
00:35:21
merkle_bonsai
Uh, I mean, I really learned a lot about ZK circuits while using them while playing around with them, but still not a lot of things to figure out.
00:35:21
riptide
Nothing yet.
00:35:35
riptide
But they, I mean, a lot of it was forked off Loopring, right?
00:35:39
merkle_bonsai
Yeah. And Loopring is, I dunno, it's kind of zombie right now, I think.
00:35:47
riptide
I think it was a Chinese project from what I recall.
00:35:52
riptide
I don't know what happened to it.
00:35:52
merkle_bonsai
ah
00:35:53
merkle_bonsai
I saw some Chinese trails, I didn't know, it's maybe like partially funded by Chinese guys, maybe fully funded, I don't know. Maybe just the whole Chinese guys, but such tools are usually working in a different manner.
00:36:13
riptide
Mm-hmm.
00:36:13
riptide
Oh, true.
00:36:13
merkle_bonsai
I guess because you do not need to prove yourself with bug bounty when you can't prove yourself with your identity being controlled by China.
00:36:25
riptide
Ah, yeah, true.
00:36:26
merkle_bonsai
I think this is a different way for them to mitigate each issue.
00:36:31
riptide
What about, so you're talking about trying to find a bug in ZK. Do you have any cryptography background?
00:36:36
merkle_bonsai
Mm-hmm.
00:36:38
riptide
Do you look at circuits? You know, how are you, how are you kind of approaching that?
00:36:44
merkle_bonsai
I actually was trying to mess around with the logical part, not the circuits part. But it's more about learning the thing, because I started to research and I figured out a lot about elliptic curves.
00:37:01
merkle_bonsai
And actually what I found out, it made everything very simple for me. Not on a math level, but on a logical level, like how it works.
00:37:12
merkle_bonsai
If you want to, I can explain it to you in like five minutes.
00:37:16
riptide
Yeah, no, go ahead.
00:37:18
merkle_bonsai
Okay, so we have classic elliptic curves, and what they actually do, in a functional abstraction way, they are giving you the ability to add one, add two numbers and see the result, or subtract, whatever.
00:37:37
merkle_bonsai
And you can do it in two manners. You can do it on a hidden layer and on a visible layer, and you always have something that matches here. So that's why you can prove that if you add public key and signature, oh, if you get a private key and a signature, you can verify it with a public key, because it's a result of equation. And you can do this addition operation really like anyhow,
00:37:55
riptide
you
00:38:11
merkle_bonsai
whatever you need, you can do it, it's not the big deal here. And the keys are based on a different way to build elliptic curves. I'm explaining a bit wrong, but you will get the idea anyway. They have not only addition but multiplication. And since all the elliptic curves actually have boundaries that are making them not just a direct line like 1, 2, 3, 4, 5, but it's like a ring, it's actually called the ring in mathematics, that you reach the biggest number, the threshold number, and you get again zero. That's why you cannot have values higher than a certain value.
00:39:00
merkle_bonsai
And basically with this value, when you have addition, you can add also subtraction, but when you have a multiplication, you can do a lot, a lot, a lot of operations here, because when you have addition, subtraction and multiplication and
00:39:08
riptide
you
00:39:18
merkle_bonsai
everything is looped here, you can implement the primitive logical machine. You can implement the code like assembly language, because assembly language is actually mostly operating with such terms. And you have again this virtual layer, hidden layer and exposed layer, and you also can prove that inputs and outputs of equation are working in a certain manner. That's it.
00:39:53
riptide
I feel like I'm not the smartest person on the podcast. You have now taken that crown. I'm the guy that would listen to this lecture and then I'd need to actually physically look at the paper, like with pictures, and play with it because it would just fly right over my head.
00:40:11
merkle_bonsai
The concept of rings is really like, it's just like a buffer overflow. You have 0xFFFF. You add one, you get zeros.
00:40:22
riptide
Right.
00:40:22
merkle_bonsai
That's a basic ring. That's it.
00:40:26
riptide
I need to look more into it, no doubt.
00:40:30
merkle_bonsai
I understand totally, because if you will get inside the ZK circuits and the math behind it, you will get your mind blown, because it was more like for something like eight-dimensional space on a sphere in terms of mathematics.
00:40:53
merkle_bonsai
I got my mind blown off and I had to study for a lot of time to figure out simply how it works. I still do not get the math part, because I'm not sure anyone in the world already is getting the math part fully about the elliptic curves.
00:41:12
merkle_bonsai
They're really insane and strange.
00:41:16
merkle_bonsai
Okay, maybe I'm wrong, maybe someone is fully aware of it, because otherwise we wouldn't be getting the new ones. But for me it's...
00:41:25
riptide
It's probably a handful, a handful of guys that really get it.
00:41:28
merkle_bonsai
Yeah, yeah.
00:41:32
merkle_bonsai
I actually have a nice story about such a group of people.

Complexities in Global Positioning

00:41:36
merkle_bonsai
So you know how GPS works, right?
00:41:41
riptide
Right.
00:41:42
merkle_bonsai
Wrong. Because GPS,
00:41:44
riptide
What did I get wrong? Satellites orbiting the earth?
00:41:47
merkle_bonsai
Yeah, but GPS is calibrated for certain points on the world that are located all across, like, Europe, Asia, America, whatever.
00:42:05
merkle_bonsai
And the question of, like, you have a few physical points on a sphere and they are used as basic points for all the coordinates.
00:42:18
merkle_bonsai
And sometimes they are moving because of, like, tectonic movements or something else, whatever. And there are only 11 people in the world, as I was told, who can solve the equation that is answering if this station actually moved relative to the satellites or the satellites moved relative to this station. Because imagine you have, like, it starts to report that this station is 5 centimeters to the left.
00:42:55
merkle_bonsai
And you need to figure out if the station itself is moving or satellites are broken.
00:43:03
riptide
Well, hold on. So if I have a GPS and I get a 10-digit grid, that 10-digit grid will still point to the same spot on Earth.
00:43:07
merkle_bonsai
Okay. Nope. Okay.
00:43:15
merkle_bonsai
Nope.
00:43:17
riptide
With what kind of variance?
00:43:17
merkle_bonsai
GPS is giving you the coordinates in an imaginary Earth, that is like a virtual Earth, that is working for satellites.
00:43:29
merkle_bonsai
And there is like pins in physical world, these labs that are connecting real Earth to virtual Earth.
00:43:42
merkle_bonsai
Because you will get the address in this virtual Earth, but you will need to take some time to figure out that you're really at this location, because if the continent is drifting or you got earthquakes that change the terrain and gravity points started to move, you need to fix all this.
00:44:02
merkle_bonsai
So, so...
00:44:02
riptide
What the fuck? I'm so confused.
00:44:04
merkle_bonsai
yeah
00:44:05
riptide
I feel like I need to get highs anything.
00:44:05
merkle_bonsai
so
00:44:06
riptide
I don't even understand what's going on right now. There's a virtual... the fuck.
00:44:12
merkle_bonsai
uh
00:44:12
riptide
This is a good off-topic conversation, though.
00:44:15
merkle_bonsai
Yeah, so basically what I was told, I don't know if it's true or not, but there are 11 people in the world who are able to understand how this all works and solve the thing, because it cannot be solved automatically, it needs to be solved manually for certain cases to understand if the satellites are, like... Imagine you have a meteorite that flew around the solar system and moved the satellites with its gravitational power, and you need to recalculate where they are exactly now.
00:44:51
merkle_bonsai
Because...
00:44:51
riptide
And is that ZK moon math?
00:44:54
merkle_bonsai
Yeah, something like that. So it's really like
00:44:57
riptide
If you could figure that shit out, you can hack DeGate and collect a giant bounty. I think that's what he's trying to tell us.
00:45:04
merkle_bonsai
It will be a really cool thing if someone will be able to, because I'm really curious. I feel that there is something but I cannot find it.
00:45:15
riptide
Hey, so when you look at this, have you ever looked at some of the JavaScript libraries for producing some of these proofs? Because they've come out with, like I've seen bugs pop up where they look, you'll have all this complicated math, but then the bug that was found was like, "Oh, we forgot to hash one of the leaves."
00:45:37
riptide
Like just a very simplistic type of bug. And so some of these libraries have had publicly known issues. Have you looked at that vector at all?
00:45:45
merkle_bonsai
Yeah, I heard about it, but I think this is not the case. I was planning to look for all across Scroll, because I wasn't ready at a certain moment of time, but I think I'm kind of ready now for ZK layers and ZK chains, but
00:45:46
riptide
Hmm.
00:46:05
merkle_bonsai
for DeGate, there is no library that is relevant to the thing. It feels like they have everything checked in the key checks.
00:46:17
merkle_bonsai
I don't know how to tell because I found, yeah, I just found a few bugs there, but all of them are handled, but what I was considering overcomplicated proofs.
00:46:19
riptide
Do like good
00:46:31
riptide
you feel like this is a good, healthy obsession to, like, pick one protocol and just be totally obsessed about it?
00:46:37
merkle_bonsai
I'm not saying that I'm doing it every day, it's more like I'm coming back to this thing every few months when I understand that I know more now.
00:46:50
riptide
Good tactic. I do the same. I have a lot of things that I've revisited so many times.

Governance Tokens and Security Risks

00:46:56
riptide
Cellar bridge, piece of shit. How many fucking times I've looked at the same protocols just because I think they're really interesting.
00:47:05
riptide
And then secretly, they probably just pissed me off because I can't find any vulnerabilities in them. I definitely have these.
00:47:13
merkle_bonsai
Yeah, it will be nice.
00:47:16
riptide
All right, let me transition here. I want to get, and I hope, god damn, Merkle Bonsai, you better be prepared, a little alpha drop for the podcast. And I need a sound right here, alpha drop.
00:47:28
riptide
Do you want to go first? Do you have anything, sir?
00:47:30
merkle_bonsai
Yeah, it's not like a really full alpha, but what I understood about those AI assistants like Cursor, Windsurf, everything that is subscription is shit.
00:47:43
riptide
Mm-hmm.
00:47:47
merkle_bonsai
Because every time you pay 20 bucks to Cursor, they actually try to optimize all the queries and you are getting worse responses, you're getting worse quality.
00:47:58
merkle_bonsai
And the only really good AI assistant for the code I found is Claude Code, because it's billing you every time and they are financially motivated to make him think more and give a better result, because it consumes more tokens.
00:48:16
riptide
Claude Code. What is this?
00:48:17
merkle_bonsai
Yeah, this is a different, it's something that you're, yeah.
00:48:17
riptide
I just use Claude, 20 bucks a month. Is this a different plan? Oh, I have the shit one, right? I'm in the same thing as Cursor.
00:48:25
merkle_bonsai
No, Claude, OpenAI and other guys that are like giving you the direct interface are good, because it's for them to show you that they're good, they're high quality.
00:48:40
merkle_bonsai
I do not think they're trying to cut the cost. Instead, they will probably cut the limits for you.
00:48:46
riptide
Uh,
00:48:47
merkle_bonsai
But if you're using some tool that is API billed, API usage billed, it's probably going to give you way higher results than something that is subscriptional, like IDEs. Claude Code is a CLI tool that is giving you the interface like normal Claude, but it's just going across all your files, it can look for them, it can read them, write them if you accept it.
00:49:18
merkle_bonsai
And I'm actually using it to explain a lot of things, like, "This is a file, no idea what's going on here, just explain me." It really helps.
00:49:30
riptide
Okay, yeah, this is new to me, Claude Code. This is a new product for them. Cool.
00:49:35
merkle_bonsai
Yeah, they released it like a month or two ago.
00:49:35
riptide
I didn't even notice this.
00:49:39
riptide
Ah,
00:49:41
riptide
There's always something. And do you do any local AI?
00:49:44
merkle_bonsai
Yeah, I actually did a lot of local AI. The only issue I'm getting is that I'm using a MacBook and it's getting overheated every time I'm trying to run some model.
00:49:57
merkle_bonsai
So I usually do it when I'm working with a monitor on a table, so it's overheated, I don't care. But for a cafe working, I'm not using it because it's like...
00:50:11
merkle_bonsai
taking the whole battery in 30 minutes.
00:50:13
riptide
Right. And what are you using it for with regard to finding bugs?
00:50:14
merkle_bonsai
i
00:50:17
merkle_bonsai
I actually just connected it to my local IDE. I'm a huge fan of JetBrains products. I prefer them way more than VS Code, but it's just personal. And they have, even if you're not paying for AI features, you can actually connect the local Ollama models or Gen models, and they will be simply running on your laptop, doing the same thing.
00:50:46
merkle_bonsai
You can download DeepSeek, you can download Llama, whatever called, Llama, Mistral, and it will be running. I should specifically bought this insane Mac with a hundred and 28 gigs of RAM specifically to run large models and turn out it was worse because some models are 70 gigs large.
00:51:10
riptide
Yeah. Why do you use JetBrains IDE? I've never heard of this. I'm looking at it now over VS Code.
00:51:16
merkle_bonsai
Yeah, so they have a bunch of tools all around, one for C++, one for Java, one for JavaScript.
00:51:29
merkle_bonsai
I just purchased the whole set and am using it. For me, it's more like...
00:51:36
merkle_bonsai
I don't know how to explain, but it's able to index everything across a project and you can find anything with this. Not by regex, not by something else, but you can literally do everything and you can find everything from it.
00:51:52
merkle_bonsai
There may be some days that I'm not even switching back and forth to something else. I can spend the whole work day just within this IDE because it can do everything for me.
00:52:06
merkle_bonsai
Terminal, search, git interaction, whatever.
00:52:11
riptide
I bet they're very comparable, but I have to try JetBrains. Never heard of it till now. Maybe it's something cool.
00:52:18
merkle_bonsai
You definitely can try, at least give a try for IDEA. It's their flagship product that can do everything except, I think, C++.
00:52:30
riptide
Okay, cool. All right. I'm dropping some alpha. It's a very simplistic alpha compared to what juicy alpha has just dropped. I'm going to just say that during, I guess we're in a bear market again until all these tariff questions get answered and blah, blah, blah, who knows what it'll pump up again.
00:52:52
merkle_bonsai
Um,
00:52:53
riptide
But low token prices for governance tokens. I always think this is so interesting because it's overlooked. And when we go mega bear, if we go mega bear,
00:53:04
riptide
And if you look now, I mean, token price discounts for popular governance tokens, especially for smaller projects, can be at a crazy discount for the power that they offer. So they might guard massive multi-sigs or timelocks that no one thinks about, might be vulnerable for these governance attacks. And I think...
00:53:24
riptide
you know, while technically if you submit a bug for a governance attack, it might be tough to get it kind of confirmed, but these are vectors to look at.
00:53:33
merkle_bonsai
Here I agree.
00:53:35
riptide
Yeah, I mean, it's okay, it's theoretical, but a whale's a whale.
00:53:37
merkle_bonsai
you
00:53:40
riptide
You want to buy a token for a couple million and then maybe you have 50 million you control with that power, is quite possible. Some governance tokens were two bucks and maybe now they're eight cents, and you know, the quorum, none of that stuff is usually updated at all. So very cool thing to take a look at, very interesting.
00:54:01
merkle_bonsai
Mmm, that's smart. I never said about it, actually.
00:54:04
riptide
Oh shit, drop an alpha.
00:54:04
merkle_bonsai
I was totally sure that every token is representing at least the amount of TVL.
00:54:12
merkle_bonsai
Like, it's really stupid if you have a token total amount that is less than your TVL. It's why, just why?
00:54:21
riptide
I think things just fall to the wayside and a lot of the DAO decision-making processes get in the way.
00:54:26
merkle_bonsai
Mm-hmm.
00:54:30
riptide
But there's also, if you just browse timelock contracts, like I think the OpenZeppelin implementation is great, but,
00:54:36
merkle_bonsai
Mm-hmm.
00:54:37
riptide
It depends on the inputs, right? People can have things with zero delays, very short delays. There's all kinds of weird inputs that people could input, especially with voting power, all these things. That's why it's good to not just check the code, but actually read the storage, check what variables are set.
00:54:56
riptide
And you never know what weird angles you can come up with or if you can take over governance.

Speculation on the Lazarus Group

00:55:02
merkle_bonsai
I hope this will not happen, actually. And I'm more worried about this Lazarus story. Actually, I feel, really, I'm not saying that Zach and the other guys are doing a bad job, but it's really so, so convenient to blame North Korea for everything.
00:55:29
riptide
Absolutely, yeah.
00:55:30
merkle_bonsai
And like it's so easy to say for everyone because you will not get to do anything else except state that it's North Korea.
00:55:30
riptide
yeah
00:55:40
merkle_bonsai
I mean, I personally think that Lazarus may have some relation to North Korea, but... What I feel is more like they may be just using North Korean government as I know they can give them money laundering services and they are not actually North Koreans.
00:55:59
riptide
you
00:56:01
merkle_bonsai
I think this is a more likely case here.
00:56:06
riptide
I haven't checked all the receipts that Zach puts out there. I mean, the guy has some pretty in-depth analysis on these hacks, how they actually trace it to North Korea.
00:56:18
riptide
I assume they have a method. Honestly, when I don't know about a topic, I'm just staying neutral on it. I don't know. I assume they've done their diligence on it, but, you know, could be right.
00:56:30
merkle_bonsai
I also was trying to figure out the details, and the only thing I was able to find was that North Korea was bragging about having a super cool hacker team, and that's it.
00:56:47
merkle_bonsai
That's basically what everything is based upon. This team may not be really North Koreans, they may be just collaborating something else. And for North Koreans, it's a good thing to brag about. They can show their power in the net space.
00:57:07
merkle_bonsai
And for the team, it's better because no one is searching for anything in North Korea. For investigators, it's better because you can just close the case.
00:57:16
riptide
Yeah.
00:57:17
merkle_bonsai
Like, it's really very convenient. I don't know why, but it feels like really too convenient to be true.
00:57:27
riptide
You know, I'm kind of skeptical as well, and I do like that because it makes sense. And that's what governments would do, is point everyone towards just a big actor that's, "Oh, hey, look, it's very evil.
00:57:40
riptide
Look, they're hacking all the protocols. It was them again." But hey, man, you know, the field of intelligence and everything is a specific craft.
00:57:48
merkle_bonsai
Yeah.
00:57:50
riptide
So if we are being deceived, we wouldn't even know.
00:57:55
merkle_bonsai
Yeah, so I really feel that to get this kind of knowledge, to understand how things work, you need to work in that field for quite a while, to participate in public projects and private projects, but it's not something you can just come from a side.
00:58:16
riptide
Yeah, yeah. No, I hear you.

Conclusion and Appreciation

00:58:19
riptide
Well, cool. Mr. Merkle Bonsai, we have hit one hour. Anything else you'd like to say to our audience before we see him on the blockchain?
00:58:27
merkle_bonsai
Just thank you for the invitation.
00:58:30
riptide
My pleasure, man. Thank you for joining. All right, everyone. That's it for today. And we'll see you next time on the blockchain.