
Episode 27 - patrick collins

bountyhunt3rz: life on the blockchain

Riptide and Patrick Collins (co-founder of @cyfrinaudits, @soloditofficial, @codehawks, and @cyfrnupdraft) discuss how he got here and why he's building in crypto, web3 security and where it's going, contests and CodeHawks, properly incentivizing bug hunters, how money drives decisions, his motivation behind educating bug hunters, a juicy ALPHA DROP for the gym, and much, much more ...

Transcript

Introduction and Sponsorship

00:00:00
Speaker
Bounty Hunters. Life on the blockchain.
00:00:08
Speaker
Welcome back to Bounty Hunters Life on the Blockchain. We are back with episode 26 with my man Patrick Collins. Before we get started, our sponsors: we are brought to you by Immunefi, the biggest bug bounty platform in Web3.
00:00:26
Speaker
If you're a white hat, this is where you can earn some real money and make crypto safer. Don't know where to start? Hit the "feeling lucky" button and let the hunt choose you.
00:00:36
Speaker
Also brought to you by RareSkills. Get 10% off a bootcamp. Go learn some bounty hunting skills. Go make some serious cash. Go to rareskills.io/riptide.

Patrick Collins' Background and Career

00:00:49
Speaker
So without further ado, episode 27, we have Patrick Collins on, who is the co-founder of Cyfrin Audits, Solodit, CodeHawks, Cyfrin Updraft. I hope I got all your companies, sir.
00:01:03
Speaker
Welcome. It's all just Cyfrin, but yeah, those are some of the main products. Yeah, how's it going? Nice to be on the podcast. Dude, I can't believe such a famous YouTuber like yourself has graced us with your presence. Oh, you know you hit me right in the YouTuber. Remember, we're mortal enemies based on X, if you recall.
00:01:23
Speaker
Yeah, we have a beef going back years. Yeah, anytime you put like... the first time you posted like, oh, you're just a YouTuber, for like a hot second I was like, haha, that's funny. But then a part of me was like, is that really what people think? I'm just a YouTuber? Oh, that feels bad. YouTuber.
00:01:41
Speaker
You know, you are the only guest that has had a proper microphone. I'm noticing because you have a setup at your house. It's just amazingly clear. I love it. Audio is important. Otherwise, people aren't going to learn security if I sound like crap, you know.
00:01:54
Speaker
That's right. Dude, so yeah, I've actually followed your account for a while and I like what you're doing in this space. A lot of people love what you're doing. So I'm curious, you know, give me some background on Patrick. Like, when did you get in this game? When did you start out?
00:02:08
Speaker
Yeah, sure. So before I got into crypto, I was working at a hedge fund for a couple of years. And so, yeah, like traditional finance, I was a big idiot. I was like, you know, maybe two years out of college just trying to learn traditional finance.
00:02:24
Speaker
And it was a pretty eye-opening experience, but it also showed me a lot of the weird issues that traditional finance has. And I got introduced to crypto from, you know, this random company was saying, hey, like, we're looking for financial data. I know you work with financial data. We're trying to get it on the blockchain.
00:02:45
Speaker
And I remember thinking like, that's so stupid. Why would you want to put financial data on Bitcoin? That doesn't even make sense, because at the time I didn't know. And then that turned out to be Chainlink. And I was like, whoa, this is actually really cool. I learned about smart contracts and just kind of fell down the rabbit hole.
00:03:02
Speaker
And I've been loving smart contracts and what they have to offer ever since. And then two and a half, almost three years ago now, I was working at Chainlink Labs.
00:03:14
Speaker
And I had been kind of frustrated, like, for, you know, every single month. I was like, security is such an issue. It's blocking big enterprise and big institutions and big money from getting into this space. And like, why won't somebody take this seriously? And everyone's playing this super competitive game and nobody's sharing any alpha and this sucks and everyone sucks at security and all these audit firms are shit. Why would anyone do anything?
00:03:39
Speaker
And then I decided instead of bitching about the problem, I should create something to help solve the problem, and Cyfrin was born. So we do security audits and education. So yeah, Cyfrin Updraft is the number one platform for going from zero to professional, you know, developer or security expert in the space. We have the most users in the industry. And then Cyfrin Audits, we do security audits for, you know, a lot of the top groups in the industry, zkSync, MetaMask, and make sure the industry is safe. So we take the approach of not only helping one by one, you know, protocol by protocol, but also, you know, looking to level up
00:04:21
Speaker
everybody in the space, which is where, you know, Cyfrin Updraft comes into play, which is our education platform. So I kind of segued into a pitch there. I didn't mean to do that, but let's see where we are. So did you kind of launch this thinking, hey, this is going to be a public good? Or did you also say, hey, look, I can build a business here as well with the audit streams and all that?

Business Philosophy and Education

00:04:41
Speaker
Yeah, great question. So this is actually something I learned from Chainlink Labs, and a mentality that I subscribe to still today is your focus should always be on creating value when building a business, creating value for others, and then the value for you will come.
00:04:59
Speaker
Or like I usually tell the team, hey, let's create value. We'll figure out how to monetize later. So that's kind of always what we do. How can we create value? How can we help people? And then we'll figure out how to monetize it. So Updraft was something that, you know, I had always done YouTube videos.
00:05:16
Speaker
I felt like they're a really powerful way to help people scale up, because in our industry, we do all this weird shit that people outside this industry aren't used to. Oh, like download a browser extension that you put money in. That is the most bizarre foreign concept.
00:05:32
Speaker
And like if you read it, you're like, no, this can't be real. But if you see someone doing it on a video, it's a little bit easier to digest. Yeah. Imagine if we had these kinds of resources. I mean, yeah, three years ago, four years ago, just getting a POC going in Truffle, in Brownie, was such a pain in the ass. Just nothing out there.
00:05:51
Speaker
And like, you know, in some respects it's gotten so much better with security and the resources available and the transparency, and thanks to guys like you and other players out there. I mean,
00:06:05
Speaker
It is light years ahead of where we were. And that's good. Yeah, and in other ways, it's terrible too. I think security, it sucks as well. But I mean, we have improved quite a bit when you think about that, the availability of this kind of highly niche spot of information. Now, like guys like you, man, it's all out there on YouTube too. I remember when, I mean, formal verification for a while was this super foreign concept.
00:06:32
Speaker
And I remember thinking like, oh, it was like Trail of Bits was doing it. And like a couple of, you know, tier one firms, you know, back in the day were doing it. And I was like, this is so... or yeah, Trail of Bits or Certora.
00:06:45
Speaker
I was like, this is so niche. And you got to be like a gigabrain to do it. And then I dug into it and I'm like, oh no, this is actually pretty straightforward. Like, okay, building the tools is really hard, but using the tool is actually straightforward. There's just... all the resources on how to use them suck.
00:07:02
Speaker
So yeah, like all that stuff is way more approachable now, which is fantastic. Yeah, definitely. Like, what would you say, like, I mean, you've been here for a while. What's kind of the end game for you with crypto

The Future of DeFi and Financial Inclusion

00:07:17
Speaker
in general?
00:07:17
Speaker
Is this to get your Lambo fleet, like, passion, or are you trying to educate the world? At this point, I'm so deep in it. Like, there's not really an end game. Like, I mean, this is also like, this is my work and my hobby.
00:07:32
Speaker
That's a problem. It's definitely a problem. That's a lot of us. Yeah. Right. Most of us lunatics are like, yeah, what are you doing on the weekend? I'm coding. Is that what you did all week? Yeah. Or I'm reading contracts, like, oh, cool, I guess. Yeah. But yeah. So like long, long, long term for me is, and it's feeling shorter every year, to be honest, which is good, which means we're making progress,
00:07:57
Speaker
is traditional finance runs on crypto rails, like, period. Like the fact that the stock market still exists while we have this, I think, basically objectively superior form of, you know, trading securities is insane.
00:08:19
Speaker
You know, like if the stock market just got replaced by Uniswap, that would be awesome. Now, granted, I said securities, but it's because stocks are securities, but, you know, maybe not tokens. And I don't want to get into legal stuff there, but yeah, like stuff like Aave, collateralized lending, is just, in my opinion, objectively better. You have full transparency, you have non-custodial, yeah, like Uniswap, even stuff like stablecoins, you know, are just this amazing thing that, you know, historically, if you're born in the wrong country... Can I swear on this podcast? Yeah, absolutely.
00:08:57
Speaker
If you're born in the wrong country, you're financially fucked. You will never have financial freedom because you rolled a bad set of dice when you were born. If you're born in the wrong country, your country's economically stuck.
00:09:09
Speaker
It sucks. You're fucked. Today and the last few years is like the only time in history where you can be born anywhere on the planet and have access to the same financial products as anyone in the world, thanks to DeFi.
00:09:21
Speaker
Yeah. To me, endgame is all the financial rails of the world run on crypto, because we have this credibly neutral platform. And for me, that's the end game. And that's actually why I got into security, because I said, okay, well, all of that sounds amazing.
00:09:39
Speaker
However, if we keep losing a billion dollars every other freaking week, we're not going to get there. Because, you know, if you look at like DeFi TVL, I don't know what it is right now. Maybe like 75 billion, 150 billion, 200 billion, whatever it is.
00:09:53
Speaker
That is like the size of like a midsize hedge fund. That is... it's so funny. We have thousands of people working on DeFi. And like, yeah, like a 50 or $100 billion, yeah, like a $50 billion hedge fund can be run by like 120 people.
00:10:11
Speaker
And that's like the scale that we're working with here. So we still have a lot of work to do. Oh, yeah. And a note on that, like I used to be in traditional finance as well. And I saw kind of the underbelly of how it works. And it's so archaic, as you know.
00:10:25
Speaker
And it's like people estimate these things like, you know, you get on crypto Twitter and it's, oh, yeah, we're going to... The dollar is going down, like we're going to replace everything with crypto, and their timelines are like a month, two months, a year. That's so fucking ludicrous is the problem. AI is going to replace everyone.
00:10:45
Speaker
Dude, have you been outside your computer room? I'll tell you what, like all this tech is there. Yes. And will... is it superior? Absolutely. But there's so many legacy institutions that are middlemen that are just rooted in the ground.
00:11:00
Speaker
Like the, what's that entity, the clearing corporation, whatever, for stocks, and the wirehouses, all these things, man, it's just so old school. And same with AI. Like, I live in this old Italian town.
00:11:15
Speaker
Oh yeah, it's gonna take the world, three years. Shut the fuck up, man. Like the fucking 90s haven't gotten here, you know? Like, chill out, chill out. But as far as like, you know, I agree with you. I think it's a great goal. That should be the end game. Like, we need to modernize this infrastructure and, I think, give everyone an equal playing field, because it doesn't make sense. You roll the dice, you're born here, you get an advantage. And with this, you have this beautiful decentralized system where as long as you have some IQ points and you're willing to take a chance, you can just get on that Cyfrin YouTube channel.
00:11:55
Speaker
And there you go. Bang out some contracts. Yeah. I mean, even if... Lambo... even if you don't have IQ points, you know, like... That's a problem. I know. You go to Solana then. Oh.
00:12:07
Speaker
No, no, no. Much love for Solana. But like... I mean, so security, like, okay, like security is tough. Like you do need to obviously put a lot of work in to get good, but for a lot of this stuff, you don't need to be, in my opinion, you don't need to be like super,

Challenges in Security Research and Audits

00:12:28
Speaker
or super intelligent. You can just kind of put in a lot of work, you know, like if you put in more hours than somebody else, you will probably do better.
00:12:37
Speaker
Like, I feel very strongly about that because, you know, I mean, myself, I don't really consider myself the smartest guy, but I'm like addicted to what I do. And, you know, if I put 40 hours into something, I'm probably going to do better than the person who puts 10 hours in. You could pick any topic in life.
00:12:55
Speaker
You know, once you get older, you kind of realize that. You just put the time in and shit works out. You know, just keep showing up and shit works out. And the less you really want something, the more you get it.
00:13:05
Speaker
The less you're chasing money, you just start to get rich. Unless you're chasing that girl, she's coming to you. Yeah. You know, these are old man lessons I'm going to pass down here to the podcast, because most of my users, my listeners, are 18 to 24.
00:13:21
Speaker
I believe it. Yeah. Believe it or not. Yeah. No, I mean, it makes sense that people trying to get in the space... you know, I mean, it's the same thing with Cyfrin Updraft, right? Like most of the students are, yeah, like late high school, kind of like early college age. Yep. Trying to just change their lives, you know, and I think that that's fantastic.
00:13:39
Speaker
Yeah. Right, well, dude, so I saw a tweet from you guys, and whoever's running that account, maybe it's you, it was very well-timed. So I had a banger of a post.
00:13:50
Speaker
It was like 50,000 views. And it was about how we got screwed with their Solana competition. And so we developed this AI security tool over the past year and it's proven to be very, very good.
00:14:03
Speaker
And so we submitted some findings and we ended up getting the top spot, and the sponsor confirms the findings. And let's take this in the context of CodeHawks, right? Like how you see the business.
00:14:16
Speaker
So they confirm the finding, and so we're like, hey, great, you know, we're gonna be on top, it's gonna be good PR. And then with really no rationale, it's overridden and downgraded.
00:14:28
Speaker
And then we get nothing. And not just us, but it was other researchers that found those findings that were confirmed, downgraded, and there's no comms at all. And I think they suck with the comms.
00:14:40
Speaker
And pre-ownership change with SOX, this is different. But overall, they have terrible PR, and I don't know how they survive going forward.
00:14:52
Speaker
Having said that, I saw your tweet and I know CodeHawks has been around a while, but unfortunately, I don't think it has the market share they do. And I'd love to see that improve. I think, I know Mitchell at Immunefi, I think their model is good as well. I'd like to see them take more market share. So,
00:15:11
Speaker
You know, tell us how does your platform kind of go above these guys? How does it stand out? I mean, I have so much respect for C4. I mean, they were the ones who kind of pioneered this space, right?
00:15:24
Speaker
But I also understand, you know, someone like yourself who's frustrated with what they're doing now. But so, yeah, so to kind of give some backstory on CodeHawks, so...
00:15:39
Speaker
CodeHawks was started because we were a little frustrated with the judging experience on competitive audits ourselves. So one of my co-founders is Hans Friese. He was the number one guy on C4 for like either the second half of 2023 or the first half of 2023.
00:16:02
Speaker
Guy is a machine, absolute lunatic. I'm so happy that I get to work with him. And yeah, we got together and we loved the competitive audit model. We thought it was so cool, but we were really frustrated by judging, because there can be so much bias.
00:16:22
Speaker
So there would be like reports of people saying like, yeah, I'm not gonna compete in that contest because the lead judge doesn't like me and they're gonna downgrade me. Oh yeah, the voting... excuse me, the submissions aren't anonymous. So, you know, like I'm not even going to bother, because, yeah, same thing. They know who I am. They don't like me.
00:16:43
Speaker
The protocol who's running the contest doesn't want to pay out. So I'm not going to contest, because I know they're going to say, oh, yep, no, no highs or criticals. So, you know, we get this lower conditional pot, and just all that stuff.
00:16:59
Speaker
I felt was incredibly unfair to participants. And so we said, okay, we're going to make a platform where it's basically... it's really, really difficult for us as the moderators to fuck people over.
00:17:16
Speaker
So we had anonymous submissions by default. We had no conditional prize pools, because we've seen it way too many times where, you know, a protocol goes, yeah, yeah, we want conditional prize pools. So, you know, they find every excuse to just pay the lower prize pool. And a lot of platforms will say, oh, we did that because the client wanted it. We're super client focused.
00:17:45
Speaker
And so my response to that is like, okay, you know, well, you're kind of undercutting your future clients, because future auditors are going to see that, know they're going to get screwed over, and just not participate.
00:18:01
Speaker
So you have two bases, right? You have your paying clients and then you have your users, your customers. Yeah. And you have the balance set. Yeah. Right. So like you can be hyper, hyper client focused. Yeah.
00:18:15
Speaker
But I just think it's very short-sighted. Like, abusing the audit community is a great way to not get people to come and participate.
00:18:27
Speaker
Now, to me, that almost leads into like, oh, okay, well, we're going to pay people to show up. I'm like, okay, great. Well, now you're just an overexpensive private audit.
00:18:37
Speaker
If the people who are actually showing up are the ones you've paid to be there, that, you know, doesn't really feel like a competitive audit anymore. The
00:18:48
Speaker
economics don't work out quite the same. So, I mean, that's how we feel. And that's why, yeah, CodeHawks from day one has, you know, tried to be the super, super, you know, auditor focused, you know, platform.
00:19:05
Speaker
And, you know, but maybe at the same time, you know, it could be the reason why, you know, we haven't had as many contests. So we had like decent market share last year.
00:19:19
Speaker
But a lot of these, to kind of go into the, you know, the backstory here, a lot of these competitive audits are usually pretty big bidding wars between platforms, and at some time, maybe like nine months ago or something,
00:19:39
Speaker
you know, pretty much everyone was like, no platform fee, only do the, you know, only do the prize pool, because that was like the way to get clients and everyone was just like, let's just dominate the market.
00:19:53
Speaker
And then we'll, you know, we'll be able to turn the fee switch back on. So everyone was kind of racing to the bottom. And, you know, we have as a company, you know, we have our private audits, we have our education platform, you know, we have a whole bunch of open source tooling.
00:20:08
Speaker
And I think we kind of spread ourselves a little bit thin, and, yeah, just to kind of go into the business decisions, we said, okay, like, you know, we're spending a lot of time, a lot of like, you know, human hours on all these BD calls trying to, you know, close these deals where everyone's racing to the bottom.
00:20:27
Speaker
It doesn't really make that much sense. So if people want to do something on CodeHawks and they come to us, like, great. But we're not going to get into these giant bidding wars where, you know, we already make so much free shit.
00:20:43
Speaker
It's hard for us, to be honest. Yeah, it's hard for us to make more free shit, right? So Updraft is 100% free, right?
00:20:55
Speaker
We have a whole bunch of open source tooling that's all free that we work on. You know, Solodit is free. We have a static analysis tool, Aderyn. You know, we have a Vyper version of Foundry.
00:21:07
Speaker
We have all this stuff and, yeah, at the end of the day, you know, we're small.

Market Competition and New Researchers

00:21:13
Speaker
30-person team without any VC funding. And we said, all right, it doesn't make sense to go up against these people who have raised, you know, five, 10, $30 million who are just burning cash to get a competitive audit. So it's kind of sad, but, yeah, I mean, to this day, I think, you know, maybe I'm obviously very biased, I think CodeHawks is still the best platform because of our hyper, hyper focus on making sure the auditors
00:21:42
Speaker
have a great experience. And I think that that actually translates to the competitive audits being top, top quality. Whereas like, yeah, on other platforms, sure, you know, maybe they're paying for people to come and show up. And I think that that is good.
00:21:57
Speaker
But I think you get worse economics here. And I'm sure like some PhD on game theory could, you know, prove me right or prove me wrong here. But yeah, when you pay for someone to show up, in my mind, it's like kind of moves more towards like a private audit.
00:22:15
Speaker
And then at that point, you might get better bang for your buck by just paying a bunch of people to show up. So that's kind of some of my thoughts on it. But again, like I don't hate the other platforms. You know, like I said, I have a lot of respect for C4. You know, I don't agree with some of the things that they do.
00:22:37
Speaker
But all the platforms, you know. Cantina as well. You know, I don't agree with doing conditional prize pools. I think those are very unfair, you know, I think. But, you know, they also still do a lot of good stuff, right? So I don't agree with everything they do.
00:22:54
Speaker
I think CodeHawks is the best. But so I also, you know, don't have the... Yeah, we don't... We're probably... You know, we're not going to... Like I said, if people want to come and do competitive audits on CodeHawks, awesome. It's there.
00:23:06
Speaker
But we're not going to spend a ton of time on it. That's interesting. No, I don't have any hatred towards Rug Arena at all. What a sentence. I don't have any hatred towards a Rug Arena. I take the emotion out of it. What it is, it's disappointing is all it is. It's disappointing when I see behavior like that.
00:23:29
Speaker
And I just don't like seeing... because I get a lot of feedback, because I have a lot of bug hunters that listen to this show. And they message me and they tell me about the contests. I really didn't do any contests before. And they just tell me how, you know, they're just treated unfairly. And some of these guys, like if they make a hundred, 200 bucks, that's a fucking win.
00:23:50
Speaker
Like that's a big win. And to see people get chipped, yeah, over little things, I would just hear it and I'd say, oh man, that sounds like it sucks. And then when you experience it yourself, you're like, oh, this is really shit.
00:24:03
Speaker
So let me even like pull on that thread a little bit more. So as of right now, so even though I said we're not spending a ton of time on CodeHawks, we still are running our First Flights
00:24:15
Speaker
program, which is where we do, every two weeks, we have a miniature code base that we put up and then we run it like a real competitive audit. Like we have a judge
00:24:27
Speaker
who actually judges things like a human being, like not like an AI, and gives feedback to, you know, a lot of these newer auditors trying to break into the space, trying to like get some experience, like put some reps in.
00:24:40
Speaker
You know what I mean? So we are still spending time there. So I know I just said, oh, we're not spending time on CodeHawks. So that's actually, that's a lie. I lied, I'm sorry. We are spending time on CodeHawks. But yeah, more as part of this like security education branch here. And what you just said is actually so important.
00:25:00
Speaker
That first $200 is huge. It's like the difference between a new security researcher saying, wow, this is something I want to pursue and go harder on, and fuck this, this industry is stupid, I'm never coming back.
00:25:18
Speaker
Yeah. And I think that that's super, super important. And so getting gypped, I think, is extra bad because we're pushing away the newer talent. Getting paid on a competitive audit is so hard.
00:25:33
Speaker
It's so challenging because, you know, they are competitive audits, right? They are challenging. They are hard to do. Before LightChaser, right, you might be able to get 10, 20 bucks easy for zero addresses and that. Right. He wiped the floor. He took the bottom out with that. Which I actually, you know, a lot of people were like, oh, that's so bad. I actually think that that's good. It is good.
00:25:55
Speaker
and we We should still be raising the bar. But when somebody finds something and they should be rewarded for it and they get... you know, it gets removed for whatever reason, like, Oh, conditional prize pool or, Oh, like, you know, the, the protocol changed the scope or some, some, something like that.
00:26:12
Speaker
That is it. That that's like a big, like, um, a big, uh, like, hey, like new security researchers like go away. And that's going to like remove some of this new talent that we need really, really badly. So part of like what we do on Cypher and Updraft, like our our education platform is I'm always trying to get people to an aha moment to some type of win.
00:26:37
Speaker
Right. So like when we do ah Solidity, the aha moment is deploying a contract and seeing it on the explore or seeing it on remix. Doing that for the first time is like a big like, whoa, this is like cool. This is like real.
00:26:54
Speaker
um Same thing with security, like an aha moment is finding your first bug in a competitive audit. That's why we did that's why we do first flights. It gives them that like, you know it gives like a goal, like ah like a like a step to reach. If your first like aha moment,
00:27:10
Speaker
takes you two years to get to, that is so long and so many people will drop off before they get. So we need we need to have aha moments in between. um so like, you know, and if you say, if you're like, hey, like here's this aha moment, it's right here and someone reaches for it and then you go, ah, ah, change the rules. It's actually over here now.
00:27:32
Speaker
That sucks. They're gone. they're gone you can And you can only handle so many of those and like, you know, the feedback i normally get, when I say this, it's like, oh, well, we only want the most hardened, you know, badass people and they should just grit their teeth and blah, blah, blah. You know, people can't go, you know, two, three, four years and stay dedicated. Like, like all the people saying that, I, I guarantee you, like, you know, they're,
00:27:56
Speaker
they're They're full of shit. they They didn't have, they didn't go four five years of getting nothing. And, you know, people will be like, oh, well, if you had a, you know, PhD candidates, they take forever. It's like, well, they they had like a guaranteed, you know, thing at the thing at the other side um this This security thing doesn't feel guaranteed and feels even less guaranteed when we say, here's the here's the next milestone. Oh, just kidding. It's over here now. oh That sucks.
00:28:22
Speaker
Yeah. And like to to be honest, when I first started, i was helped along through ImmuneFize. They had like a, forget what was called, white hat internship program or something. Nice. And it was so helpful, man. I mean, i could not like I just got laid off and I was like, I'm going to go all in on bug hunting.
00:28:40
Speaker
And they they said, hey, we have this stipend program. I signed up and that took off so much pressure. And all I did seven days a week was hunt. I'm thinking of doing something like that with the podcast. It's just like, you know, set it up as like a public good type thing and have some pot. Maybe people could donate, but just have, um, for a lot of these people, man, a grand a month is all they need to take all the stress off. Like yeah that's it.
00:29:04
Speaker
yeah That's it, man. So if we have that, I don't know where these guys come from, but the people I've had in the past 25 episodes are from all over the world, from India to Europe to Asia.
00:29:19
Speaker
You don't know who's going to be the shit. Yes. This game. You do not know, man. And so, yeah, like you say, you know, get these. I love this first flights idea. This is really cool. And those, the mini code bases, those are actually real code bases.
00:29:33
Speaker
Yep. So originally um when we first launched it, I just like every two weeks, I would take like a day and then build like a project end to end, basically. I mean, it wouldn't be, you know, I've made so many, so many dummy projects at this point. Like it would be pretty quick, but like, I was like, oh, I'm taking a full day to make this free thing. This is kind of a lot of work.
00:29:51
Speaker
But now it's been fantastic. The community has actually stepped up and they are like making these projects and it kind of works out really well where like a student will finish kind of the development portion of Updraft or they'll be into the security portion. They'll go, oh, cool. I have an idea for a cool bug.
00:30:08
Speaker
They'll make like a First Flight. And then a lot of the First Flights now have actually been community created projects, which has been awesome because then they're also getting feedback on their development and like,
00:30:19
Speaker
It's almost like they're helping each other. Developer gets to get feedback on the development. Security researchers get to practice, you know, actually finding bugs in a code base where the bugs are easy to find. So, yeah, it's been awesome to watch people level up, you know, with the First Flights.
00:30:34
Speaker
That's really cool. And like I think about this whole thing with the markets, I just look at human incentives and I'm like, well, yeah. To me, you're talking about the platform's bid. So if you have, say, Uniswap, say we're going to do our comp.
00:30:52
Speaker
And so you guys all would reach out with your BDs and then kind of say, just race to the bottom with fees. Like, we'll host you for this. And then, like, you know, from the Uniswap point of view or whatever protocol, I'm just thinking...
00:31:07
Speaker
My goals are I want as many bugs found as possible, which means I want experienced security researchers hunting on here. I also, from an honest business type point of view, I would want to pay out as little as possible, but I'd also want to make sure that it's fair.
00:31:28
Speaker
So maybe that's where these conditional pots started is kind of like an escape hatch, which I think is a road to ruin. It's terrible because you can't have that. You need a fixed amount that says, hey, this is our expenditure and we're going to put it out there and that should incentivize SRs to say, look, we're going to spend our time two, three weeks on this code base to compete for this bounty amount.
00:31:54
Speaker
That's it. End of story. I think, yeah. So like in theory, the conditional prize pools make sense. Like exactly to your point. Like, hey, through the business, it makes sense. Well, also from like... Hunter doesn't want that.
00:32:12
Speaker
Hunter doesn't want that. But in theory, they are fair, right? In theory. But in theory only. You know, like, hey, like, if there's no highs, I want to pay out less.
00:32:25
Speaker
But in practice, it's just, oh, cool. This is my escape hatch to like not pay out anything. But also, hey, we have a $10 trillion prize pool, the largest prize pool that's ever. And I don't think competitive. By the way, if you don't find any highs, it's $10,000.
00:32:43
Speaker
You know, and it's like, oh, that is so tempting. You know, and I've been in the room where, you know, you have a VC breathing down your neck about, you know, spending cash.
00:32:57
Speaker
And they're like, what do you mean you spent this much money on this thing? Is there any way to lower that? And you'd be like, well, like, you know, I've been in the calls. It's so tempting, you know, from the business side for you to go, well, I guess we could justify that this is a medium. And the VC is like, yes, it's a medium, make it a medium, you know. So business daddy could be forcing you to play your hand.
00:33:24
Speaker
You know, as a business owner, if you take VC money, you're on the clock. It's a resource allocation game. You know, maybe you say, oh, cool, well, if we don't pay out that $100,000, we can use that to hire another person and that'll make us go faster and blah, blah, blah. So it's just so tempting and it's so easy to say, oh, we have this potential escape hatch.
00:33:50
Speaker
I'm always gonna take it. I'm always gonna take it. The little guy is getting fucked. Which I hate to see, and I hate to see happen. And right, so I understand the mechanics. I know. You're absolutely right.
00:34:01
Speaker
Like, exactly to your point, you know, you spend two, three weeks on a code base expecting that there's this large prize pool and they go, oh, never mind. We're cutting it in half or whatever. It's like, okay, well, you know, clearly you don't value my time. Right? You don't value our time. We're kind of this conglomerate of anonymous people who don't deserve respect. And I think that's very unfair.
00:34:28
Speaker
Yeah, and this has changed a lot too, the more formal our space gets, because I remember closing bugs with teams, anonymous teams, over Telegram. And it was so easy because you're dealing with a two dev team and they understood.
00:34:41
Speaker
And they're like, yeah, legit. When you get all the business types involved, that's all it is. It's just, let's think about the money. Fuck this guy. You'll never hear from him. It'll die down in a week. Just, that's it. There's no ethos. There's no culture behind it. It's just money.
00:34:56
Speaker
It's tough. And it makes me sad. You know, I've seen a lot of really fantastic security researchers have to play the politics game.
00:35:09
Speaker
They have to like... you know. And it kind of sets a bad precedent because now all these security researchers are like super defensive, right? So, you know, we've seen examples where, you know, a security researcher finds a bug, they reach out to the protocol, they say, hey, your bug bounty program says you owe us this much money.
00:35:27
Speaker
Protocol goes, you know, now I'm kind of switching to bug bounties from competitive audits here. The protocol goes, yeah, no, F yourself, you know, we're not going to pay you. Thanks for the free security, idiot. And now the security researcher has some choices. Okay, well, they can go on the offensive and go, you better pay me, otherwise I'm gonna expose you.
00:35:46
Speaker
Or they just have to shut up and, you know, take it. Or next time they black hat it and you never hear about it, no one ever hears about it, because that's what happened.
00:35:59
Speaker
And I don't advocate for that, but that's where you push people when you behave ridiculously like this. I actually don't know how true that is. There's no stats on it.
00:36:12
Speaker
I mean, that's what I would love to see. I would love to figure out how to do some stats on that, how that actually pushes people to become non-ethical hackers. I actually don't.
00:36:23
Speaker
I have the instinct that if you're an ethical hacker, you're going to ethically hack. And if you don't care about ethics, you're going to not ethically hack. But, you know, in my opinion, if you push away the ethical hackers, well, then your shit's going to be not secure and you're going to, you know, just get wrecked.
00:36:43
Speaker
But yeah, like, you know, so you put security researchers in this position of being defensive and like having to argue with the projects or threaten the projects that you're trying to secure.
00:36:56
Speaker
And that's really bizarre. And I've seen newer security researchers think that that's what they should do because they've seen all these stories where a security researcher is like,
00:37:07
Speaker
I threatened them that if they didn't pay me the $100,000 I was going to expose them, and I had to expose them. And so I get emails now from new security researchers who go, I found this bug from blah, blah, blah. Like, I know, you know, reach out to them so that they pay me. And I'm like, oh, like, yeah, and then I'll look into the bug and it's like garbage.
00:37:28
Speaker
And I'll be like, but then I feel bad because I'm like, I know that you're doing this because the precedent has been set that you kind of have to. And I think that also sucks.
00:37:39
Speaker
Yeah. That's the old saying, the squeaky wheel gets the grease. I mean, if you're not willing to, it's like anything, if you're bargaining in that market and you don't bargain, you take the list price, you're going to get fucked.
00:37:54
Speaker
You know, anything, man, you always got to push back a bit. And this space has put a lot of people on the defense initially, which you have to kind of, you have to take every situation as neutral because with bug hunting, contests, anything, you have to forget about the past and you have to say, listen.
00:38:12
Speaker
Yep. Let's just clean slate, be very professional, no emotions. If you get emotional, sleep on it, come back the next day, chill the fuck out, do a bench press. Yep. All right. You know, hell yeah, just come there and say, listen, it's all business professional. If they decide to, you know, some fuckery happening. All right.
00:38:31
Speaker
You deal with it case by case, but I tell you, while the bad cases get a lot of publicity, I've had plenty of no-nonsense transactions where it's been just fine. Yeah. So you just don't know what team you're going to get involved with. Yeah. And that's the thing.
00:38:46
Speaker
Hey, so I want to grab some questions and answers from Discord. Yeah, let's do it. Yeah. So, all right. So Q&A, my man Flacco, Bulgarian, amazing, big brain.
00:38:59
Speaker
He says, first of all, huge thanks for all Patrick's done and is doing for Web3. There you go. Humble thanks. Will we see more new competitions on CodeHawks in the future? And why has CodeHawks been hosting so few comps in the last few months?
00:39:13
Speaker
Yeah, great question. So I kind of addressed this at the beginning. Basically, yeah, like CodeHawks is up. You know, we're happy to do competitions. Like I said, to this day, I think it's the most fair, the best competitive audit platform because we treat all of our auditors with respect and we don't, you know, change the goalposts mid audit.
00:39:33
Speaker
So yeah, if a protocol wants to do a competitive audit, awesome. We are happy to host, but we're not really going to get into these bidding wars anymore. You know, I've been on all these calls where, you know, a protocol is talking to every single competitive audit platform and trying to get the best deal. And, you know,
00:39:53
Speaker
I have, we have better things to do, you know. And I know that sounds kind of cringe, but, you know, we have 200,000 people on Cyfrin Updraft who are trying to learn security and break into the space. You know, I'm not going to. 200,000. That is awesome. Congrats.
00:40:09
Speaker
I appreciate it. I'm not going to waste. I'm not going to punish them because I have to, you know, explain to a protocol why conditional prize pools are not cool just so that we can make zero dollars. What we're going to do, we're going to...
00:40:28
Speaker
Get CodeHawks out there as far as, you know, I didn't even really look at it before, I just saw it. So we want to make people, the SRs that listen to this, we want to make sure they know about it. So when you do get those clients, we're going to get some good high quality bug hunters over there. Cool.
00:40:43
Speaker
Yeah. That would be awesome. Awesome. Yeah. So it sounds good to me. If a protocol wants to work with an audit platform, a competitive audit platform, that's going to be super fair to the auditors. Awesome. We're open for you. If you want to kind of like talk to everybody and have all these conversations about, you know, conditional prize pools and this and that, you know, we're probably not for you.
00:41:07
Speaker
Yeah. Like, I like it. All right, next question from Alex, who runs getrecon.xyz/riptide, always dropping the fuzzing comments. Current thoughts on fuzzing versus formal and AI versus manual? Any input there? Yeah, I mean, I've made so many videos on this topic. Yeah, I mean, so they're both

Security Techniques: Fuzz Testing vs. Formal Verification

00:41:32
Speaker
both important tools. They're both tools and they both have a use case.
00:41:35
Speaker
You know, it's Josselin, who used to be at Trail of Bits. Had him on the podcast. Hell yeah. I have so much respect for that guy. He's awesome. He was the first one to tell me, oh, like...
00:41:49
Speaker
fuzzing is better 99% of the time than formal verification, and formal verification is kind of niche. And he would follow that up saying, and it feels bad for me to say, because I have like, he goes, I have my PhD in like formal verification or something around that.
00:42:05
Speaker
And I remember him telling me that and I was kind of like, hmm. Well, maybe you're wrong. But now that I've done so much, I've really, like, you know, in the past few years, been like, no, he was 100% spot on.
00:42:20
Speaker
So as a developer, security researcher, you should pretty much always fuzz everything. And if you're using Foundry or Hardhat, it's so easy these days to make your tests fuzz tests.
00:42:32
Speaker
And formal verification is good, but it's much more niche. In my opinion, you kind of have to do a lot of formal verification to know where it's actually useful, because fuzzing is gonna find the bugs 99% of the time and it's easier to write a fuzz test than a formal verification spec. But there is a use case for formal verification. It's just much more niche. You know.
00:43:03
Speaker
One of the things I don't like about formal verification is some of the marketing around it is like it's a silver bullet. Right? It is not. Like saying, oh, our contracts are formally verified is like,
00:43:19
Speaker
kind of a dumb thing to say. And what was verified? What was verified? You know, formal verification, you can formally verify one very specific thing.
00:43:30
Speaker
So saying our contracts are formally verified is like, it's like saying, you know, we put like a single black dot on a giant white piece of paper and said we colored it black.
00:43:46
Speaker
But think about saying that on a call with investors when you're the CEO of a protocol. Yes. Think how good that sounds. We are formally verified. Yes. Right, exactly. But it's like, sounds so good. If you're in the know, you're like, well, we are fuzzed. We are fuzzed. Yeah, it doesn't sound. That's actually super funny. Yeah, like saying we are formally verified sounds really good.
00:44:10
Speaker
But like if you're in the security space, you're like, you maybe don't know what that means. Yeah. Yeah. It's good marketing. His last question. Do you think Solidity is still going to be the most popular in two, three years? Or do you see a change in the space?
00:44:28
Speaker
Oh, dude, for sure. Sounds like a Vyper enjoyer. I mean, I am a Vyper enjoyer. I also am. Yeah. Oh, are you? Didn't know that.
00:44:40
Speaker
I love Vyper. Sure. You don't see it enough. No one uses it. I like. I remember when I was breaking into like assembly and like compilers and stuff, I like.
00:44:52
Speaker
That was super eye-opening when I was like, whoa, Vyper's doing all this cool stuff. Wait, why doesn't Solidity do this? Like, stack too deep is the dumbest thing that's ever, like why don't you just stick the variables in memory? Like after the stack, what, what?
00:45:09
Speaker
Dude, have you ever talked to the Solidity team? I mean, I make issues on the Solidity repo, but I haven't really spoken to them. That's not true. From time to time.
00:45:22
Speaker
Okay. Certain people on the team, why? I met a couple guys at one of the ETH events, and they were from the Solidity team. And I was like, wow. And this was when, you remember when Wildcat deployed and he had this big rant, the dev, on all his gripes with Solidity and he's tagging their Twitter account, whatever. And I said, hey, did you see what they're saying about you on X? And they're like, huh?
00:45:47
Speaker
Yeah, we don't even have accounts on that. I don't know who runs that. And I showed him, he was like, holy shit. They had no idea, like, the bad press they get. And they're just kind of like in their own lane.
00:46:00
Speaker
But I think to some degree that's actually kind of good. Like, you know, ignore the noise. And this is why, you know, I think, most like, make issues, make discussions, right? Like that's really how, you know, you should, you know, go to where they are. Right. Okay. Like,
00:46:19
Speaker
I think I either made this as an issue or I brought it up as a discussion. I was like, Solidity should have a flag to stick all variables in memory and ignore the stack, like a compiler flag or something. And I remember, I'm pretty sure they were like, yeah, we're not going to do that. And I was like, okay.
00:46:39
Speaker
That's kind of what I expected. Fair enough. Yeah. But yeah, no, I love Vyper. But, you know, even though it's kind of easy to shit on Solidity, Solidity at the same time has done so much good for the space.
00:46:53
Speaker
Yeah, I think there's a lot of improvements to make on Solidity. If anyone is a compiler Chad and wants to go check out solx. So the ZKsync team
00:47:03
Speaker
has solx. solx is kind of cracked. I haven't taken as much time as I should to really dig into it, but they were like, hey, do you have any feedback on stuff we should add to solx? And I'm gonna get kind of in the weeds here. And I was like, yeah, Solidity puts all these free memory pointers all over the place that don't freaking do anything. Like it wastes like seven gas or something stupid like that. But it pisses me off when I'm reading assembly.
00:47:34
Speaker
And they were like, okay, bet. And they got rid of that in their compiler. And I was like, whoa, this is sick. And then, yep, they have their compiler smart enough to stick variables into memory as opposed to on the stack. So you can avoid stack too deep using solx.
00:47:51
Speaker
solx is really, really cool if anyone wants to check out another compiler. But in any case, yeah, I think the Solidity language has such a moat. It has such a moat. Huge moat. Huge moat. You know, like I was kind of thinking back when we released our Vyper course last year. So we have a Vyper course on Cyfrin Updraft.
00:48:16
Speaker
I was like, all right, cool. Going to try to get all these AI Pythonistas over to Web3. And we're going to use Vyper and Python as the catalyst to do that. And it didn't work as well as I thought it would work.
00:48:32
Speaker
I mean, we still got a decent chunk of Python devs come adopt Vyper and, you know, get into Web3 through that avenue. But yeah, Solidity has such a moat. There's so many contracts written in Solidity.
00:48:47
Speaker
If you're a security researcher or smart contract developer and you want to integrate with any other contract out there, you kind of have to learn Solidity at this point. Yeah. You know, if you're like, oh, I want to build the DeFi protocol and I'm going to build it in Vyper or Rust or some other esoteric language.
00:49:06
Speaker
Well, what should I do to prep for this? Well, you should learn Solidity and go look at the Solidity implementations first so that you can kind of understand what's going on there and how they did it. And you can compare architectures. So it's almost like to be a developer in this space, you kind of almost have to learn Solidity so that you can at least understand what's out there.
00:49:29
Speaker
So I think that really helps Solidity. So I expect Solidity to be, you know, dominant for quite some time. I think they have like 85% of all smart contract value as of today. Yeah, it's got to be something like that.
00:49:43
Speaker
Something like that. I think Vyper comes very easily after, you know, Solidity and basic Python. I mean, yes. It's so easy. It's so easy

Smart Contract Languages and Complexity

00:49:52
Speaker
to learn. I feel like Vyper could very... Yeah, I feel like if people just go, oh, you know what? I'm going to do this in Vyper now. Like, Vyper could definitely gain adoption. I think the more interesting conversation is, like, you know, Rust versus, you know, other ecosystems, languages.
00:50:09
Speaker
I know a lot of people are like, oh, like Rust, it's a programming language in other areas. So that'll make it easier to pick up and write. And a part of me thinks like yes and no.
00:50:20
Speaker
You know, it feels very like JavaScript everywhere mentality where, you know, JavaScript in the, again, I'm getting into the weeds kind of here. And for people who don't know JavaScript, this might go over people's heads. I think people come out of the womb knowing JavaScript now.
00:50:36
Speaker
Fair enough. But, you know, JavaScript in the browser versus Node.js, in my mind, are like completely different in every way. And, you know, knowing JavaScript in the browser might actually hurt you for JavaScript with Node.js because it's like the same but different.
00:50:58
Speaker
And it's different enough where it's actually very confusing. For me, my biggest gripe with JavaScript was always I would go to Stack Overflow to learn how to do something. Yeah, way back in the day when, you know, people used Stack Overflow.
00:51:12
Speaker
And I'd be like, oh, how do you do this in JavaScript? And someone would give me an answer. And I would try and I'd be like, oh, it didn't work. And they would be like, oh, it works for this version of JavaScript in Node.js.
00:51:24
Speaker
And we're using this different ECMA version. And I'm like, oh, what is ECMAScript? Is that JavaScript? They're like, well, kind of. And it was so fractionalized, and I feel like that same type of thing could happen with Rust, where it's like, oh yeah, this is like Rust, but it's smart contract Rust, so it's different. And that actually might be more confusing. But JavaScript everywhere, you know, worked, you know what I mean? Like, you know, people, you know, it's been a virus. It's like a virus. It's been the dominant thing for years. I think that
00:52:01
Speaker
I think for smart contracts, kind of that mentality is kind of bad. I think smart contracts should have a domain-specific programming language because it is so different from, you know, regular programming.
00:52:14
Speaker
But now I'm kind of ranting on a tangent here. Look, I'll break you out of your tangent. Yeah, yeah, please. I'm curious. It just made me think of something. Where do you think we see bugs going forward? Because I feel like...
00:52:27
Speaker
Solidity, I think we're getting that. We're almost at version one, right? We're almost at 0.9. But like a lot of the Solidity bugs, like no one's come up with a new good bug class for me past the read-only reentrancy stuff.
00:52:41
Speaker
I haven't seen a new bug class. Like I think we've got it sorted out for now. I'm sure something will come up. But like I see a lot of bugs coming out of, like the bigger bugs you see out of the composability space.
00:52:53
Speaker
Like, yeah, you know, you need to look at Solidity, the Rust backend, and then maybe a protocol that talks to that. Those bugs, I think, are still wild, still in the open. Those are the hardest to get. But I think like baseline Solidity, you know, the bugs that come out are really stupid. It's just human errors.
00:53:10
Speaker
Yeah. But it's nothing like, I don't know, like, do you see the same view, like where you see bugs going forward is kind of more out there on the complexity scale? Yeah. Yeah, well, so BlockThreat Intelligence does a great job of kind of keeping track of what classes of bugs are happening in the industry.
00:53:29
Speaker
And for me, it really feels like, yeah, exactly to your point, we are getting a lot better at doing audits and security on Solidity smart contracts themselves.
00:53:40
Speaker
But humans are still stupid and humans are still dumb. And AI obviously is making those lower class, those simple mistakes, you know, easier to catch.
00:53:54
Speaker
You know, you started the podcast saying, you know, you have an AI tool you work with. I feel like every security company in the space is working on some type of AI tool to help with audits as well.
00:54:06
Speaker
And some of those are the dumbest things I've ever seen. And most of them are. And Slither is basically what they're running.
00:54:17
Speaker
But some of them, I'm sure, are actually providing value, AI, something. In any case, yeah. So the protocols are getting more complicated, as you kind of are pointing out with composability.
00:54:30
Speaker
You know, they have more stuff attached to them. Maybe they even have off-chain services attached to them. And, you know, the more complicated you get, the more surface area you have to make a mistake.
00:54:45
Speaker
So, yeah. But right now, kind of one of my more recent tirades is like, you know, humans are just kind of lazy with their wallet security and, you know, the Bybit hack at the start of the year. Oh, 88% of hacks are private key compromise. Yeah, I mean, to me, that's kind of the biggest issue right now is where people are being super flippant, you know, with their wallets. And I think we as an industry kind of are to blame for that. Yeah, like stick your private key in your .env file. Like, yeah, it's cool to have it in plain text. Like
00:55:23
Speaker
That's super normalized. It's like, what the hell have we been doing? You know, not your keys, not your crypto, but like, yeah, leaving it in plain text. Dude, but look, it's gotten better. Like I was cleaning up my filing cabinet. Listen, I'm cleaning up the filing cabinet yesterday and I pull out this photo that I had and it was from 2017. And I just happened to look on the back of it.
00:55:45
Speaker
It's a fucking private key I wrote down for some ghost chain. I don't know what this was. ICO season. And I have no idea. Even LLMs couldn't find it. I was like, oh shit, man.
00:55:56
Speaker
I have no idea. Maybe Pure coin. Have no clue. But at least we moved to like seed phrases, hardware wallets. It's a little bit better. A little bit, but hardware wallets, I got a whole rant on those, but maybe for another time.
00:56:10
Speaker
Yeah. All right. So this kind of segues into Zero's Cypher, right? He's got a question. Do you think the majority of Web3 sec work would be eliminated by AI in the next three years? And I want to just say one thing for your point of this is like,
00:56:23
Speaker
I think we're going to see, and this goes on to human laziness, is people default to the easiest option. And they just won't even code. And AI is going to be coding. And as long as that's making mistakes, you're going to get more and more AI mistakes.
00:56:41
Speaker
And they're going to have AI fixing these bugs at a higher rate than humans can address them. So I think no, not at all. I think there's always going to be Web3 security work.
00:56:54
Speaker
I mean, to be honest, same. You know, I think AI is going to help a ton, making it easier. But I think for a long time, you know, there needs to be a domain expert to help these AIs improve, help these AIs get better.
00:57:13
Speaker
AI is phenomenal at, you know, being trained on kind of existing bugs and stuff, but new stuff is still a little bit challenging.
00:57:26
Speaker
AI is also very susceptible to, you know, marketing. So like, for example, if, you know, I'm going to use like, Coca-Cola paid some researchers to say that sugar doesn't make you fat.

AI in Security: Opportunities and Challenges

00:57:40
Speaker
If all of a sudden AIs believe that, yeah, like formal verification is way better than fuzzing. You should only formally verify. Well, yeah, that's something where a human will come in and be like, well, actually, no, that's the AI kind of being trained incorrectly or corrupted.
00:58:00
Speaker
That's a challenge. Yeah, that's true. And then like hacking the AIs, you know, finding a way to, yeah, people will find ways to corrupt your AIs so that, you know, you miss stuff and...
00:58:15
Speaker
Yeah, I think there's, or like doing things that an AI might not think of, because the surface area of crypto is, you know, huge. Maybe like, you know, there's all these weird examples of like side channel attacks that you might think of that an AI might not. You know, there was those. What was it?
00:58:35
Speaker
You could like listen to a machine and get the private key from like the whirring of the fan or some crazy attack. I forget who it was, maybe, but I remember hearing that and being like, that is so creative.
00:58:49
Speaker
Couldn't they do this back in the day? I remember something. It was like they could look at the LED on your Ethernet cable port and like the flashes, they could write like. Some geek is out there like, yeah, I got it.
00:59:02
Speaker
He typed in K. Right. It's like that Linux bug where the Microsoft researcher was, like, doing time benchmarks for his database. And it was like a few nanoseconds off of what he expected. And he dug into that and it's this crazy, like, the xz backdoor. It's like, you know, we need those nerds to keep doing that for quite some time. That's right. Very true. All right. Next question here is from Trad Mod.
00:59:31
Speaker
How does Patrick maintain work-life balance in such a fast moving space and remain obscenely jacked at all times? I threw that last part in, but...
00:59:45
Speaker
Yeah. You wake up, you go to the gym, you put your time in, and you go to bed. That's it. You just do that every day. What if you don't want to go? What if you want to sleep in?
00:59:56
Speaker
Just tell that piece of your mind to shut the hell up and do it tired. If you're tired, do it tired. You know, if you don't feel like you're going to be able to put in a hundred percent, great. Put in 80%.
01:00:09
Speaker
Like, who cares? Just show up. Putting in 80%, a hundred percent of the time, is a thousand times better than putting in a hundred percent, 50% of the time.
01:00:20
Speaker
There you go. Look at this, spoken like a trainer. Just show up. Just show up. To work or working out. All right. He also says, when can we see genuine adoption of DeFi?
01:00:31
Speaker
Mostly DeFi users are DGENs, even SRs fear investing in Web3 products. So, is that true? That's a problem. Are we going to see mass adoption in this space, or is it going to remain DGENs and nerds only?
01:00:43
Speaker
No, I think we're definitely going to see mass adoption. When's grandma going to do a swap on Uniswap? Well, what's nice about the "when's grandma" is grandma doesn't really know how HTML works or what HTTPS stands for.
01:00:58
Speaker
And that's okay. Yeah. You know, so I think it'll come. I think we're getting better. Vitalik just put out this blog post about, like, low-risk DeFi. We have fantastic protocols like Aave that have really got that Lindy effect going on. They've been around with a phenomenal security record. So I expect it's going to come sooner than we think, but also not soon enough.
01:01:26
Speaker
Yeah, it's going to be wrapped in, like, you know, those cell phones for the elderly, the big buttons. It's going to be wrapped like that so they can just hit boom, swap. Okay, last question from StrapOn10.
01:01:38
Speaker
What are the restrictions enforced by Cyfrin in order for a protocol to have their project accepted for a contest? We don't really have a lot of restrictions.
01:01:50
Speaker
To be honest, it's mostly like, hey, what is the dollar per line of code? You know, is that fair? Is the code base something that we think, you know, that protocol is going to get
01:02:07
Speaker
like a good security output from? There's not really any restrictions. No real, like, hard rules. It's more like, yeah, do we think that the community is going to be able to show up and give you good value for your money? You know, like, if somebody came up and was like, hey, we're using this language that we created, we want to do two weeks of an audit of 20,000 lines of code, I'm going to be like, well,
01:02:34
Speaker
that's a waste of your money because no one's going to find anything. But yeah, so no real restrictions. Okay, good. All right, there's one other feature that I didn't prep you about, but I do an alpha drop every episode, and that alpha is usually about a bug or something like that. But since we've got Patrick Collins on here, I know he likes to... he's jacked like me.
01:02:55
Speaker
We're going to do some weightlifting alpha. Okay. So you follow my lead here. So my alpha drop is: young lifters, do not train your shoulders too hard, because you have these slow-twitch muscle fibers in there.
01:03:11
Speaker
Or were they fast-twitch? I forget the terminology, but if you train them with too heavy of a weight, it's very easy to injure a shoulder, and you could still get size by just training kind of higher reps on your shoulders.
01:03:27
Speaker
You could do shrugs, but, like, presses, certain things, don't do super heavy weights. I'm telling you, shoulder injuries suck and they take ages to heal. Patrick, what do you got?
01:03:39
Speaker
Oh, like another weightlifting tip? Weightlifting or exercise alpha, because no one is getting out of their chairs in this fucking industry. Well, that was some great alpha right there. So my tip is: if you haven't found a workout routine that you like, keep trying other ones until you find one that you like.
01:04:04
Speaker
And by "keep trying them," I mean stick with something for a week or a month before you decide if you like it or not. And once you find that thing, be consistent, at least four days a week.
01:04:16
Speaker
And if you're tired, just do it tired. Make it part of your routine. It's going to help you be happier in life, look cooler in life, be fitter.
01:04:28
Speaker
And it's actually going to... it'll increase your bug-finding rate. It's true. He's true. Find more bugs. Totally right. And on that note, don't bring your phone to the gym. Thank you for coming, Patrick.
01:04:40
Speaker
We will see you guys next time on the blockchain.