
riptide & MiloTruck discuss being #1 on the Code4rena leaderboard in 2023, working as an LSR at Spearbit, going from an infosec background to competing in contests, dipping his toes in bounty hunting, why competitive audits beat collaboration, how contests have evolved, incentives and rewards, bug hunting tools, how security has gotten worse in crypto, and much, much more.

Transcript

Introduction and Sponsor Shoutout

00:00:07
riptide
Welcome back to Bounty Hunters Life on the Blockchain. We are back fresh on the blockchain. We're always fresh. First, we're giving a shout out to our sponsor, Recon.
00:00:20
riptide
You can learn more about Recon at getrecon.xyz. Put in a forward slash riptide to get a little five grand off for our first-time customers for an invariant testing engagement.
00:00:33
riptide
Recon offers high-quality Solidity audits powered by invariant testing. Having worked with leading projects such as Centrifuge, Liquity, and Badger, they also have a ton of useful resources for bounty hunters and protocol devs.
00:00:47
riptide
And the best thing I like is that from your GitHub, you can fuzz right there. So super easy.

Introducing Guest Milo Truck

00:00:54
riptide
And I just want to mention, so Alex is a co-founder of Recon and he just made his LSR title at Spearbit, which I've heard is no joke. So the guy knows what he's doing. Obviously he's fuzzing the hell out of things to find all these bugs. So give it a shot.
00:01:10
riptide
Okay, so we have MiloTruck. Welcome to the show.
00:01:17
MiloTruck
Yeah, hi. It's nice to be here. I haven't done this in quite a while, so we'll see how it goes.
00:01:22
riptide
Oh, the man. Hey, is it MiloTruck or Milo?
00:01:25
MiloTruck
It's Milo. So how the name comes about is this: Milo is a drink. It's a soft drink in, I think, most, not most Asian countries, but where I live it is.
00:01:37
MiloTruck
So that's how I got the name. But most people think it's like a Spanish name or something, so they call it like Milo. Yeah.
00:01:43
riptide
Isn't it a chocolate drink?
00:01:46
MiloTruck
Sort of similar to that. Yeah, but I think not really.
00:01:49
riptide
Milo. I think my wife's from Australia. I think she mentioned Milo. It's like a Yoohoo type of thing. I could be totally wrong.
00:01:58
MiloTruck
Yeah, I think Australia has it. I don't know what Yoohoo is, but it should be that one.
00:02:00
riptide
Yeah. It's a terrible drink. So what, you crank on these drinks all the time, so you got the name?
00:02:08
MiloTruck
I used to when I was younger. I drank a lot of Milo, so my original, you know, gaming name was MiloTruck. And then when I jumped to contests, I brought it over.
00:02:20
MiloTruck
So part of me regrets bringing this name over, because...
00:02:22
riptide
I love it. It's a good name. I'm always interested in people's handles. Like there's always some backstory that is usually interesting. But some guys are just like, I just close my eyes and just type something.
00:02:34
MiloTruck
Yeah, like...
00:02:34
riptide
Like NNEZ.
00:02:37
riptide
So, okay, yeah, just NNEZ. That's all it is.
00:02:40
MiloTruck
Like Simao, he just smashed a random sequence of numbers on his keyboard, and now he regrets it.
00:02:46
riptide
Yeah, because once you're branded with it, I mean, that's your rep. Unless you want to start all over.
00:02:51
MiloTruck
Yeah, that's it.

Milo's Career Journey

00:02:53
MiloTruck
Sometimes I do wish I didn't pick a nicer name, or something that separated me from like my past life, so you can't OSINT me out, but it is what it is.
00:02:53
riptide
Yeah.
00:03:02
riptide
Start Googling you right now if I see pictures of you. No, no, I hear you, man. So, for those that don't know you, you are an LSR at Spearbit. You hit number one on the Code4rena leaderboard in 2023.
00:03:17
riptide
You used to work for, I don't know if you're still working for Trust, his audit company. And primarily you're doing audits and contests, but I did see you had three bounties listed from a couple of years ago. Are you still hunting?
00:03:34
MiloTruck
As of right now, no. I do hope I do have the time to go back into Bounties because I never really put the time into it. So I think a bit of context, maybe a bit of small intro from what I've been up to since my previous interview, which I think was early 2024.
00:03:49
riptide
Tell us, tell us. Give us some background.
00:03:55
MiloTruck
It's been quite long. So after 2023, where I did like the long contest run, which wasn't really that long, and I hit number one on C4, I did audits for almost all of 2024.
00:04:10
MiloTruck
And during most of 2024, I was doing audits under Trust and under Spearbit, and then also working on a sort of small firm with Bytes and Holler and another Alex under the name of Renaissance, which we stopped doing this year.
00:04:31
riptide
Thank
00:04:31
MiloTruck
Yeah, so I was mainly doing audit work during 2024. And towards the start of this year, I decided to go fully with Spearbit because they promoted me to LSR.
00:04:44
MiloTruck
And Renaissance, we sort of decided to split ways because we sort of had interest in other things. And yeah, when I joined Spearbit full-time, not full-time for the...
00:04:58
MiloTruck
fellowship, yeah, the Cantina fellowship, I had to stop working with Trust because that's part of the rules. Yeah. So that's what, I mean, I've been up to.
00:05:09
riptide
Well, congratulations. I hear the LSR rules. Everyone celebrates when they make LSR. So I guess a lot of people were after that. So that's awesome, man. Congratulations.
00:05:22
MiloTruck
Yeah, thanks. I think it's sort of like, as of now, it's sort of the highest tier that people view it as. So they celebrate when they reach it. Although I think there's more, there's a lot more things to look for.
00:05:35
MiloTruck
And there's a lot higher you can go after reaching LSR.
00:05:39
riptide
And you're not locked into Spearbit, right? You're just, that's your kind of audit rate when you do work with them?
00:05:46
MiloTruck
So I'm in the Cantina Fellowship. Locked in depends on how you view it. But I would say my agreement with them is quite restrictive in the sense that I can't audit with other firms and I can't participate with like other platforms as well.
00:06:06
riptide
Mm-hmm.
00:06:07
MiloTruck
Yeah, so I think a lot of people in the space view it as quite a bad thing. What I view it as is, I can't really say, because I would get in trouble with Spearbit, so...
00:06:18
riptide
Don't jeopardize anything. I think it's good because you have a good revenue stream, because Cantina is pretty popular. I'm sure there's good audit flow coming in. So from, I don't know what your standpoint is. From my standpoint, I see it as like, hey, man, it's good money.
00:06:33
riptide
You got good challenging

Bug Discoveries and Bounty Hunting

00:06:34
riptide
work and you got a good brand name. Why not?
00:06:36
MiloTruck
Yeah, I think mainly when I agreed to it, it was partially, it was a good deal for me. That's why I agreed to it. But I think a lot of people view it as against like the ethos of Web3 in the sense that it's not very open and you're like restricting people to lock in into your ecosystem.
00:06:55
MiloTruck
So you do their audits, you do their contests, you do their bounties, but you can't do it with other platforms. So yeah, it depends how you view it.
00:07:04
riptide
So if you found a bug just out there and it was hosted on Immunefi, you couldn't submit it.
00:07:11
MiloTruck
Yeah, I can't submit it to Immunefi. This is a point that I sort of don't really like, I would say. I think it's safe to say this as well. Because, yeah, our method of how we do it is we go through Spearbit when reporting the bug.
00:07:27
MiloTruck
So they will try to link us directly to the protocol. And if that doesn't work out, then we can work it out from there. And maybe they will allow us to report on Immunefi. But I haven't explored this quite a lot. So I don't really know as well.
00:07:38
riptide
It's a ridiculous kind of restriction because, I mean, who's got multiple names on the leaderboards and can spin up anything? If you find a million-dollar bug, you're telling me you wouldn't. Okay, but let's just say someone would spin up a new identity and just submit it.
00:07:55
riptide
I don't think Spearbit should be, you know, Cantina should be that restrictive. That's silly. That's just kind of CYA, cover your ass type thing.
00:08:04
MiloTruck
Yeah, but...
00:08:05
riptide
But hey, what do you do?
00:08:06
MiloTruck
Yeah, what do I do?
00:08:07
riptide
What do you do?
00:08:08
MiloTruck
It works out with my audit deals with them, so I have the agreement.
00:08:11
riptide
Yeah. That's good, man. Let me ask you this. So I looked at some of your audits. I noticed you're kind of big into the L2s.
00:08:21
riptide
Is that right?
00:08:23
MiloTruck
I would say...
00:08:24
riptide
Or you were?
00:08:26
MiloTruck
I would say currently, maybe. It just so happens that a lot of my work has been with L2s. Yeah, but I don't really specialize in them. It just so happens to be like that.
00:08:38
riptide
Okay, all right. I was curious if you, I mean you're on Twitter like all of us. Did you see the one with Scroll that White Hat Mage submitted?
00:08:46
MiloTruck
Yeah. I didn't really look into the bug, though. I just saw it was a one-line mistake that cost 1 million, but I don't really know what went wrong there.
00:08:54
riptide
It's always the case. It was a reentrancy. I think it was because of 7702. So,
00:09:06
riptide
so now smart contracts could interact with their gateway and then it wasn't blacklisted.
00:09:16
MiloTruck
Ah, I see
00:09:16
riptide
Before, yeah, after they did this Pectra upgrade. So, you know, one line and then he was able to snag it in time. He must've been watching it. So super cool.
00:09:29
riptide
I just thought it was the coolest thing because of the timing and, you know, because everyone was looking at Pectra thinking, okay, teams have done their research. Any big team with any sort of security team would say, hey, okay, Pectra, what kind of vulnerabilities is this change opening now that EOAs could be contracts? And these guys didn't see it.
00:09:54
MiloTruck
Yeah, I think what struck me the most, what was most interesting, was how fast he actually found it. If you look at the timeline, I think he found it the same day as the upgrade went live, I think a few hours after it.
00:10:08
riptide
Yeah.
00:10:08
MiloTruck
So it's pretty insane to me like how fast he just picked up on it.
00:10:12
riptide
ah
00:10:12
MiloTruck
Maybe he just so happened to be looking at it. I don't know.
00:10:14
riptide
No, no, he flagged it. I mean, he flagged it and he put an alert, and then he was waiting to see what kind of change they made, and then they made the change. White Hat Mage, correct me if I'm wrong, but I think that's what you said.
00:10:26
MiloTruck
So he was like... I know he monitors upgrades, but was he monitoring specifically for like... Pectra-related bugs? Or was he just looking at the upgrade?
00:10:35
riptide
I bet he was. I bet he was, man.
00:10:38
MiloTruck
Damn. Damn.
00:10:39
riptide
I mean, have you ever done that? Cause I've done that in the past where I've looked for, you know, I sent alerts. I still have alerts coming in for, my God, I got to turn this Telegram bot off. I still get this one from Balancer, some crazy bug I had.
00:10:52
riptide
I had thought that it was a bug. And so I set these alerts and then it started happening and I realized the bug was nothing. And I never turned off my Telegram alert. So I still get reminded like, hey, this is happening again. Some add gauges call.
00:11:08
MiloTruck
I see. Yeah, I've never done it. I think the furthest I've gone was monitoring changes on Immunefi, like the new assets and the new contracts and changes.
00:11:20
MiloTruck
This was before, I think, the public bot went live, when Bytes and a few other people launched their open-source Telegram bot for this.
00:11:29
MiloTruck
So I used to do it before that, but I really never got fully into bounties, so I didn't look at the contract immediately after it was live. So it was just flooding my notifications and I turned it off eventually.
00:11:29
riptide
and
00:11:42
riptide
So, but you did bounties for a bit. You dipped your foot into there. You got a few, like, what was your reaction? Why did you do it? Why did you say, hey, you know, auditing's for me, I'm going to do contests and audits?
00:11:56
MiloTruck
So for bounties specifically, I did it quite a lot, I think, while I was doing contests back in the second half of 2023 and early 2024, before I did audits fully.
00:12:10
MiloTruck
So my biggest bounty was actually quite early on. This was before I actually got success in contests. It was like some NFT gauge thing.
00:12:23
MiloTruck
I don't really remember, but... It was something like you stake and then you get an NFT and then the bug was that when you merge two NFTs, the accounting goes wrong.
00:12:34
MiloTruck
They didn't account for some gap or something like that. Some time gap. Yeah. So that was my biggest bounty, which was very, very early on in 2023. But after that, I didn't really continue on, sadly.
00:12:47
MiloTruck
Yeah. Yeah.
00:12:49
riptide
But what happened? Why didn't you keep going? If you got a positive signal that, hey, this works, why did you switch gears?
00:12:57
MiloTruck
I think mainly I just did contests more. Because my first entry into Web3 security, or DeFi security, was Code4rena.
00:13:10
MiloTruck
Originally the idea stood out to me because, like, you could just find a bug and you would be guaranteed to get paid. This was like a pretty insane prospect to me at that time.
00:13:21
MiloTruck
Because I originally came from, like, InfoSec. I was decent at it but not really good, just starting out. So, like, Code4rena, when it came to me, it was like such, I don't want to say an easy way to earn money, but at the time it was such a new thing, you know, and the contest formula was pretty interesting as well, in the sense that you could report a bug and duplicates aren't a problem. You'll get paid regardless of whether you found the bug alone or whether someone else found it before you. So it was a pretty interesting prospect for me.
00:13:57
riptide
Thank
00:13:59
MiloTruck
And so mainly my idea originally was to do contests and then maybe move into bounties after that. I think a lot of people have this idea as well, where contests are like a training ground for bounties.
00:14:11
MiloTruck
But I think I did contests for most of

Evolution of Contest Systems

00:14:17
MiloTruck
2023. And after 2023, after I hit number one on C4, my idea was to go into bounties. But then I did all this instead.
00:14:25
MiloTruck
Because that opportunity popped up for me. So I just went with it.
00:14:31
riptide
Yeah, like if you're number one on Code4rena for the entire year, that's like, it's like, I don't want to say like Olympics, but it's like you're doing a competitive thing where you're saying, look at me, this is what I could do. I know I'm good. And guys are going to try to snipe you and try to put, whereas if you did bounties, it kind of actually doesn't make sense from a business perspective.
00:14:57
riptide
I think the route that you took makes much more sense because you say, hey look, man, you got to pay me.
00:14:57
MiloTruck
Yeah.
00:15:01
riptide
Look, I'm the boss. Look, I beat everybody.
00:15:05
MiloTruck
I think at that time, like the end of 2023 and the start of 2024, that era, becoming a solo auditor was very, very popular.
00:15:16
MiloTruck
It was the era where like Pashov tweeted a lot, Bytes tweeted a lot.
00:15:19
riptide
DM for audits.
00:15:21
MiloTruck
Yeah, the DM for Audits era. So everyone wanted to become a solo auditor at that point. So I sort of got dragged into that bandwagon as well, where I wanted to, oh, I want to finish with contests and then start doing audits and print loads of money.
00:15:35
MiloTruck
But I sort of got there, but not really, as in I still work with firms. I'm not a full independent auditor, kind of.
00:15:45
riptide
And why not? You don't like the business side?
00:15:48
MiloTruck
Yeah, I think it's not really for me. Because originally, during 2024 when we launched Renaissance, the idea was to be a small firm, sort of like the independent groups we see nowadays. But I realized that I didn't really like dealing with
00:15:50
riptide
Mm-hmm.
00:16:03
MiloTruck
clients, in the sense that I don't like chasing them for money, working out the deals and everything. Yeah, so I think a lot of my effort can be better spent on working on technical stuff instead of dealing with people, because I don't think I'm great at dealing with people, especially when you're asking people for money. So yeah.
00:16:22
riptide
Yeah, a lot of guys in this space are, they're very introverted, and they just, just let me look at the code and that's all they want to deal with.
00:16:31
MiloTruck
Yeah, so that's why I think at the start of 2024, I did want to have the idea of becoming a business and sort of launch a business.
00:16:43
MiloTruck
Because I think it earns you a lot of money, especially if you started that early. But yeah, slowly I did think it's really not for me. Maybe it's better to just be more technical in a sense.
00:16:55
riptide
What do you think about, because in 2023, was LightChaser around? Okay. Was LightChaser around?
00:17:00
MiloTruck
I think in 2023, I think towards the start of 2024, LightChaser was around.
00:17:07
MiloTruck
During the Code4rena, like the bot race era.
00:17:07
riptide
Okay.
00:17:10
riptide
Yeah, do you feel like the bar has been raised now for a guy? Because you were saying like, hey, you're guaranteed to make some cash. Like maybe it's 100 bucks, whatever, you find some bug, as a new guy.
00:17:22
riptide
But I think he's wiped away all of that, right?
00:17:25
MiloTruck
I don't think so. I think, okay, if you're talking about the current contest landscape now, I think it's a lot different. And it's not really because of, like, LightChaser.
00:17:40
MiloTruck
And it's more because, like, contests have evolved in a way such that they are no longer the same as they used to be, maybe like two years ago. Yeah, and that's why I posted the contest update tweet and then got a lot of hate on it, and then I posted that contests should disincentivize low-level auditors and then I got even more hate on it. Yeah, yeah.
00:18:02
riptide
Oh, I remember that. Yeah. Pulling up the ladder behind you. How dare you?
00:18:06
MiloTruck
Yeah, but maybe I can elaborate more on that. I really think that currently contests are sort of moving away from audits, and they are becoming more like bug bounties.
00:18:18
riptide
Mm-hmm. Mm-hmm.
00:18:19
MiloTruck
In the sense that in the past, you used to be able to find a bug, and regardless of what you found, as long as it's a high or medium, you get paid.
00:18:29
MiloTruck
Now, I don't really think that's the case anymore, because I'm sort of looking at contests as more, less of like a last guarantee, in the sense that they just want to find the meaningful stuff. You can report some medium and they don't really care, honestly. Yeah, that's why it's sort of like a bounty now. You either go big or you get zero.
00:18:51
riptide
Yeah. Yeah. Cause back in the day, like honestly, in the beginning of Code4rena, you could say, oh, you're missing the zero check, and you'd get paid, right? Get paid a small amount, but you would get paid.
00:19:02
MiloTruck
Yeah.
00:19:03
riptide
And then it's just gone. You know, like you said, I think it's good for the projects. I think it's bad for the brand new guys, but also, I mean, you have LLMs now. You didn't have those then. You have,
00:19:18
riptide
You've always had Slither, but now you have things like Light Chaser, which are a bit more advanced. And those little bugs, unless you could prove they do matter, they don't matter. Mm-hmm.
00:19:29
MiloTruck
Yeah, I think LLMs are also an interesting prospect, especially the problem of spam. So, like, nowadays, contests have so much spam that it's getting ridiculous.
00:19:42
MiloTruck
That's also partially why I think protocols don't really want to do contests anymore. You open the contest platform page and then you see you have 2,000 findings to sort through.
00:19:54
MiloTruck
No one wants to do that anymore, so they just give up.
00:19:59
riptide
This is a huge problem, man, and I'm guilty of it. I did. I've done like two contests. And I did Euler and I tried three different GPTs just to see where they were at. And I was bouncing them off each other and all my stuff.
00:20:13
riptide
I was like, yeah, I'm really going to target it. I'm just going to. And none of it was valid, man. But I was like, oh, they're going to review these things. Some human is going to look at these things. And hey, you know, fuck it, man. It's their job. They're hosting the contest.
00:20:26
riptide
But in their shoes, I mean, my God, the amount of shit that must come in now that looks legit, that you really have to get in there to debunk, is insane.
00:20:35
MiloTruck
Yeah. Yeah, it's an insane amount.
00:20:39
MiloTruck
But... There's a solution to that? Do you say that?
00:20:39
riptide
What's the solution to that?
00:20:44
riptide
I say, what is the solution to that?
00:20:46
MiloTruck
Well, you know, if you disincentivize all low-skilled auditors, you might fix the problem. But...
00:20:53
MiloTruck
but
00:20:53
riptide
But how do these new guys start then?
00:20:55
riptide
Like, how do they prove themselves to show that, hey, look, I'm good?
00:21:00
MiloTruck
Yeah, when I said that, I was sort of kidding, in the sense that you shouldn't really just give them zero. But I think my take is that the contest space is too lenient to people that don't really contribute positively to the security space and the security outcome of a contest.
00:21:20
MiloTruck
In the sense that you can just spam GPT findings and you will not get punished at all. At worst, your reputation goes down. But then the only downside of that is that you just need to submit a proof of concept, which you can again generate with GPT, so there's no downside, essentially.

Competitive Auditing and Security Challenges

00:21:39
MiloTruck
So yeah.
00:21:41
riptide
That is a problem. And I wonder if more of the companies will say, hey, we want these, like the top tier, but like the Blackthorn, the, what's the Immunefi thing, the super...
00:21:55
riptide
Superheroes, I forget what it's called. Like these guys that are like, hey, we just want these real Gs working on our projects. We don't want any noobs on here. These up-and-coming guys, you know, they got to make a rep first and then they can come get paid and hunt on our protocol.
00:22:12
MiloTruck
Yeah. Well, but in that case, you would just get an audit from them. So contests are kind of just done, if you think about it that way.
00:22:22
riptide
Well, can you have a contest between all the top guys?
00:22:22
MiloTruck
Right?
00:22:25
riptide
I mean, that's a little different, I guess, right?
00:22:27
MiloTruck
That's true. Yeah. I think that's an option.
00:22:29
riptide
If you have them compete.
00:22:31
MiloTruck
Sorry if you have a what?
00:22:32
riptide
If you have them compete, because I'll see a Spearbit audit and it has five big names on there. And so they're all working collaboratively on it. But I think, I always think competition's good. I mean, wouldn't you want them competing against each other? Do you think you'd get a better outcome?
00:22:51
MiloTruck
I think definitely. Because you are sort of, the amount you get is really tied to the amount of value you provide. Because, to be honest, the problem with audits is that you are paid based on your time, and you are providing output that can't be measured.
00:23:10
MiloTruck
In the sense that, as a protocol, you get a report, and if it has 5 bugs, you don't know whether the auditor did well or did badly, because you don't know if there are actually 10 bugs.
00:23:10
riptide
I don't
00:23:19
riptide
the
00:23:22
MiloTruck
Or there are only five bugs. So that's the problem with all this. But if it's a competition, you will, as an auditor yourself, be incentivized to work hard because you don't have a choice.
00:23:33
MiloTruck
Otherwise, you will get a fat zero for your payout. So...
00:23:36
riptide
I love that. I love that. I think that's the other way, to be honest, because I don't know what goes on inside Spearbit. I don't expect you to tell me anything. However, any platform that says, hey, we're going to pull together these top names that work independently and compete, and we're going to just put them all on one audit.
00:23:54
riptide
I guarantee you there's some guys that just check in and like, yo, my name's on there. I know I'm getting paid for these two weeks at X rate per week. And just push the work on someone else. I guarantee that shit happens. I don't know who I know in the inner circles talking, but I think they should just have it be competitive.
00:24:13
MiloTruck
Yeah, it definitely happens. I can guarantee you it happens. I think everyone knows, honestly.
00:24:18
riptide
It's got it. Why wouldn't you? I mean, you have the incentive as a guy to just say, hey man, I can collect, I don't know what the rate is, 25 grand a week or something, to just kind of kick back.
00:24:29
MiloTruck
Yeah. Twenty, yeah.
00:24:32
riptide
It's good cash.
00:24:33
MiloTruck
Yeah. I mean, honestly, it's a pretty enticing prospect that sometimes I do think I should just create an alt account that just farms money and doesn't do shit.
00:24:43
MiloTruck
But, yeah.
00:24:43
riptide
You would never do that, Mr.
00:24:45
riptide
MiloTruck. He would never do that.
00:24:46
MiloTruck
I have a conscience, so I'm not gonna do it.
00:24:50
riptide
That's lacking in this space. Thank God for the white hats out there. But I just saw another hack on X, 11 million from Cork Protocol, something I've never heard of.
00:24:59
MiloTruck
Cork. Yeah, I just saw it as well. The interesting thing about that is I was actually looking at it like a few months ago. So part of me thinks that if I stuck to it, I could have found a nice bug.
00:25:13
MiloTruck
But I don't know whether it was there at that time.
00:25:13
riptide
so
00:25:15
MiloTruck
So yeah.
00:25:16
riptide
Are these guys on mainnet? Do you know or some weird chain?
00:25:19
MiloTruck
I think they're on mainnet. They are... Yeah, they're on mainnet. The vertical is...
00:25:25
riptide
Someone put their own custom token in here. They didn't have a whitelist, it looks like.
00:25:31
MiloTruck
Yeah, it's a very strange... Okay, when I was looking at the protocol, it was quite strange in itself. Like, it's something like Pendle, where you have a token and you split it into two, and one is the yield and one is the principal.
00:25:46
MiloTruck
And they do some sort of, like, depeg protection-ish stuff. Yeah.
00:25:51
riptide
That reminds me of APWine. Was it the same guys where you could split it?
00:25:57
MiloTruck
I don't think so.
00:25:58
riptide
I don't know. Maybe the same idea.
00:25:59
MiloTruck
Yeah. Yeah, it's all the same idea.
00:26:04
riptide
Bummer. This is the name of the game, man. Where do you think this goes from here with, you know, now we're seeing, I mean, let's see, what year did you get into crypto full time?
00:26:17
riptide
Would you say?
00:26:18
MiloTruck
Full time? I think halfway throughout 2023. So around June, I think. Before that, I knew C4.
00:26:29
MiloTruck
So before the half of 2023, I did C4 occasionally. Like very, very occasionally. Because at that time, I was actually still in the military for my conscription.
00:26:43
MiloTruck
Yeah, my country has military conscription.
00:26:43
riptide
who
00:26:46
riptide
Are you in China?
00:26:46
MiloTruck
So no, I'm in Singapore.
00:26:48
riptide
Singapore.
00:26:49
MiloTruck
Yeah, some people think it's in China, but it's not. Fun fact.
00:26:52
riptide
Okay. How many years did you have to be drafted for?
00:26:57
MiloTruck
Two years, yeah.
00:26:58
riptide
And what was your job?
00:27:00
MiloTruck
I was in the Air Force, being a loadmaster. I don't know what you guys call it, but basically I...
00:27:09
riptide
Loadmaster, yeah, same thing.
00:27:11
MiloTruck
Ah, okay, yeah, nice. So I was flying on the C-130 as a loadmaster. That was my job.
00:27:19
riptide
Oh, very cool.
00:27:20
MiloTruck
Yeah, I think I was fortunate to have had a pretty nice job for the two years, instead of being an infantry soldier. Yeah.
00:27:28
riptide
Yeah, yeah, that's cool, man.
00:27:31
MiloTruck
So during that time when I was still in the military, I did look at C4 occasionally and did get some nice cash, but not really a huge amount.
00:27:44
MiloTruck
And fun fact, during that time, I actually did write a bot to just farm low and gas findings. So I would just run it on every contest and get some nice money. Yeah, but I only started doing it full-time after I got out of the military, which is around June of 2023.
00:28:02
riptide
Okay. And so now we have big names coming in, like we have way more institutional adoption than we've had five years ago, two years ago.
00:28:14
riptide
But we're still having the same security issues, like really, I'd even say worse security issues. What the hell do we do? Like, and it's still like DeFi alone has a terrible usability problem.
00:28:30
riptide
The whole ecosystem does, to be honest. Even when I go do some DeFi, it's a pain in the ass and I make mistakes and it's confusing. And I consider myself a power user.
00:28:42
riptide
So how the hell do we get other people to use this? It's still like an engineering kind of test project and the average user won't touch it.
00:28:53
riptide
In my eyes, except for gambling on meme coins.
00:28:56
MiloTruck
Do you... Genuine question is, do you not think the security is getting better?
00:29:02
riptide
I think it's getting worse.
00:29:04
MiloTruck
Really?
00:29:05
riptide
Yeah, there's still hacks all the time.
00:29:05
MiloTruck
i
00:29:08
MiloTruck
I think my view is... Okay, I can only speak for EVM because I only audit EVM, unfortunately.
00:29:15
riptide
Mm-hmm.
00:29:15
MiloTruck
But I think it's gotten better, actually. My view is that protocols have been learning to write more bulletproof contracts. Maybe not for the small ones. The small protocols, of course, occasionally you still have the small protocols that only go through one audit and then they...
00:29:34
MiloTruck
launch, or they just change a line and they launch, and then, oh, you missed an authorization check, your funds are gone. But I think the bigger protocols are actually sort of learning how to write bulletproof contracts. Like, the example I can give is you can look at Euler, the Euler contest, you would see that, and then like the Uniswap contest, you see that the contest doesn't really have many huge findings. They are mostly mediums. So that's my view on security EVM-wise.
00:30:07
MiloTruck
But in general, the space is... I agree with the usability problem in the sense that it's too technical. Everyone speaks about mass adoption, but then my grandma can't use DeFi. She doesn't know what MetaMask is, so she is not gonna use DeFi ever.
00:30:25
MiloTruck
Yeah.
00:30:25
riptide
Yeah.
00:30:27
riptide
All right. Let me give you a list that I just thought of. So, all right. From your perspective, I mean, you're talking about EVM security, like contracts, all that stuff.
00:30:38
riptide
I have a different take. So there's more knowledge about it. There's more agreement upon, like, hey, get three audits, do a contest,
00:30:49
riptide
get a product. Like, that is becoming more of a standard and you see that's adopted more, especially for the big protocols like Aave, where they have a dedicated security company, yeah, looking at the contracts, everything.
00:31:01
riptide
I think they do it great. But also people are saying, well, look, we got these audits, we're good to go. And they trust the auditors too much. They kind of, I've seen it where the devs just push it off to the auditors and they're not really keeping security in mind because they think, hey, that's the auditor's job.
00:31:22
riptide
I've seen that, that's a problem. Ah, also, the devs will always change things. There's still a huge amount of proxy contracts out there. Ah, that's another huge issue. That's against the whole kind of immutability concept.
00:31:40
riptide
Um, what's next that I just dealt with? You have Fiverr devs. So I was invited for a private security review of some little project. And it's just ridiculous when you see a high level critical of something that shouldn't even be there at all.
00:31:58
riptide
And so the Fiverr devs have no idea and they don't care because they're just hired on briefly. The owner of the protocol or whoever's growing it doesn't know. And they just think, okay, get an audit, it will fix everything.
00:32:10
riptide
Um, next is vibe coding with these LLMs. I mean, it just fucks everything up. Yeah, sometimes it works well for tests, this and that, but people become lazy and they become reliant on them.
00:32:25
riptide
And that's gonna lead to more security issues. And then outside the EVM, you have, I think, phishing scams and drainers. All that shit has gone through the roof, people losing money.
00:32:37
riptide
And then you have on top of that, like the AI ah voice changing, the KYC, like all this stuff is bad.
00:32:49
riptide
And where are they targeting? Crypto users, because they have a lot of money. There's a lot of money in this ecosystem. So I'm bullish on security. Like, I hope it improves, but I think it's a fucking mess right now.
00:33:02
MiloTruck
Okay, that I can agree with. That's a pretty long list. Yeah, I was thinking of something to say, I forgot. But, okay, the vibe coding point.
00:33:13
MiloTruck
Fun fact is, I think I've actually audited a vibe coded protocol before. I actually don't know whether it was actually vibe coded, but it really did look like it was vibe coded.
00:33:24
riptide
How did you detect that?
00:33:26
MiloTruck
Well, I cloned the repo and there was a cursor rules file inside, so yeah...
00:33:31
riptide
There was what?
00:33:33
MiloTruck
So when you use Cursor, you can, like, they have the agent, right, that you can let run and do stuff. You can write a rules file for it, in a sense that you define what the agent can do and what it can't do.
00:33:45
riptide
Ah, and it uploaded that?
00:33:45
MiloTruck
Yeah. Yeah, and that was in GitHub, which you would never upload. You shouldn't be uploading it in the first place. Yeah, and in general, the protocol is, like, quite messy.
00:33:57
MiloTruck
And in a sense that, on the surface, I think this is the problem with, like, LLMs. On the surface, everything looks fine. Like, the code looks very nice and looks very clean.
00:34:05
riptide
Mm-hmm.
00:34:07
MiloTruck
But when you look at, like, the integrations and how, like, the funds flow in the protocol, nothing actually works. It just looks nice. So I think that's the problem with vibe-coded contracts.
00:34:18
MiloTruck
My view on that is that...

Fuzzing and Automated Bug Discovery

00:34:21
MiloTruck
I think it would make security worse for, like, the lower, smaller protocols, but I don't think that bigger protocols would really rely on them.
00:34:34
MiloTruck
Yeah. But we'll see how it goes, because right now it's still pretty new.
00:34:40
riptide
Yeah, ah, I played with Cursor a bit because I wanted to launch this DeFi protocol. And I was like, yo, I'm going to go vibe code this protocol. Because I was just going to have it do, like, build the base.
00:34:52
riptide
And then I was going to, you know, code the rest and audit the whole thing, whatever. And I'm playing with Cursor and I just want to see what this thing could do. And yeah, it just started fucking everything up.
00:35:05
riptide
It's just, like, it's really, for me, it's really hard to use. I say, okay, this is what I want, and it codes it up. And then I say, you know, I want it like this. And once you start making some changes, it's like everything just became a fucking mess. No tests would run.
00:35:20
riptide
And I just, I gave up with it. I was like, okay, when I have time, I'll just code it from scratch or something like that.
00:35:27
MiloTruck
I think it... So my view on this is I think it actually does well in other languages. Solidity is really bad to write with vibe coding.
00:35:38
riptide
Why? Why?
00:35:40
MiloTruck
I think that, like, the models like o3 and Claude are just worse because they weren't trained on Solidity. There isn't a huge database of, like, a lot of contracts compared to other languages like Rust or C. So it writes those better.
00:35:56
MiloTruck
But I don't really know. This is just from my personal experience of like using Cursor.
00:36:01
riptide
ah
00:36:02
MiloTruck
Yeah. Yeah.
00:36:03
riptide
What about, do you code much?
00:36:06
MiloTruck
I... Recently I do for, like, personal things. So I've been actually writing a fuzzer for, like, fun and maybe to try it out on, like, audits and bounties.
00:36:21
riptide
Oh, shit. getrecon.xyz forward slash riptide. How dare you?
00:36:26
MiloTruck
So...
00:36:26
riptide
What is this fuzzer? Why are you writing your own when you have all these options out there?
00:36:32
MiloTruck
So, okay, a bit of background. Before I actually did DeFi security and web security, I was actually working in InfoSec. I said that before.
00:36:44
MiloTruck
So my main job was actually working on fuzzing on Windows stuff. So that's my background. And I think a lot of my interest is actually not on manual review, although manual review is all I do these days.
00:36:44
riptide
Mm-hmm.
00:36:59
MiloTruck
But a lot of my interest is in automated bug discovery. So you have, like, program analysis and, like, symbolic, I forgot what the term was for it.
00:37:14
MiloTruck
Yeah, like most of these kinds of things. And fuzzing as well. So for the longest time, in the past, like, two years when I've been doing audits, a part of me is always, like, wondering, ah, can these be automated?
00:37:28
MiloTruck
And there has to be a better way of finding bugs than just staring at code and then like thinking. Because one of my worries is that one day I will just wake up on the wrong side of the bed and just miss a bug and it goes live and boom, your funds are gone. So...
00:37:43
MiloTruck
Yeah. So recently I've, like, gotten more time to work on what I want. And what I want to be working on is fuzzing and program analysis.
00:37:56
MiloTruck
So this is what I've been writing and playing around with recently.
00:38:01
riptide
And you're targeting EVM applications for this?
00:38:06
MiloTruck
Yeah, it's still EVM, because part of my motivation was just to learn how to write a fuzzer as well.
00:38:07
riptide
Okay.
00:38:11
MiloTruck
So it makes more sense to write something in an ecosystem that I'm familiar with. Yeah.
00:38:19
riptide
And I'm just thinking back in the day, I used to use hashcat. Are you familiar with that?
00:38:26
MiloTruck
Isn't that the one for breaking hashes? Is it?
00:38:29
riptide
It's a password cracker that you could use your GPUs on.
00:38:33
MiloTruck
Ah, yeah.
00:38:34
riptide
I used to play with this back in the day for just, like, ah, trying to crack zip passwords and stuff. And I thought it was the coolest thing because I was like, oh, I could use my graphics card for it. Is there any fuzzing software where you can, I don't know if you'd need to use this, but like, can you use your graphics card to fuzz, to go crazy fast?
00:38:54
MiloTruck
Like, can you use GPUs?
00:38:57
riptide
Yeah.
00:38:59
MiloTruck
So there's been research on this. I think Trail of Bits actually has a blog on this. Currently, it's not possible. But they did try. It's a very interesting blog that I understood none of.
00:39:10
MiloTruck
Like, I already was like, what was going on? Yeah.
00:39:14
riptide
I love when Trail of Bits, some of their guys, man, they just flex on me with, like, a blog, some research thing, and it's just, they have some really great talent there.
00:39:23
MiloTruck
Yeah, they have quite a lot of talented researchers. Their research is very well done, actually.
00:39:31
riptide
Have you ever used Mythril?
00:39:33
MiloTruck
No, Mythril was... I don't want to say before my era, because that makes it sound like Mythril was out of date, but I've never used
00:39:42
riptide
Yeah, no, it was, I only used it maybe once or twice. I think the most I spent was on Echidna, and yeah, it was Echidna, but the guy responsible for it, he was on Twitter.
00:39:54
riptide
He built Mythril, Bernhard Mueller. I tried to get him on the podcast, but he's like, no, I'm too...
00:40:03
MiloTruck
Oh, really?
00:40:03
MiloTruck
He's...
00:40:03
riptide
Yeah.
00:40:04
riptide
He's just like, I just go low key, but he's really cool. He made this other really cool tool and I shared it in the Discord. It's called Legion.
00:40:12
MiloTruck
Yeah, I was...
00:40:12
riptide
And have you checked that out?
00:40:15
MiloTruck
Yeah, I was looking at it

AI Tools in Security Monitoring

00:40:16
MiloTruck
as well.
00:40:16
MiloTruck
It was...
00:40:16
riptide
i
00:40:17
riptide
It's a pain in the ass to get set up, but I set it up and it's pretty cool, man. So I have this Telegram bot running and it's running all these jobs and it's got a database going and it's scanning, updating, and it uses GPT to kind of look at, um, look at Git commits for these projects.
00:40:34
MiloTruck
I think.
00:40:37
riptide
And you know the description will be minimal, maybe, but then I think it looks at the changes and it knows the code base a little and it gives you, it says, hey, like, security alert, this could be something and here's why.
00:40:52
MiloTruck
I think
00:40:53
riptide
And it's...
00:40:54
MiloTruck
Yeah, the most interesting thing I found was it can actually monitor, like, you can just ask the AI and the models directly about things about the entire unified code base, which is pretty insane.
00:41:08
riptide
Right, right. That's pretty cool too. Yeah. It's a fun thing to play with, man.
00:41:11
MiloTruck
Yeah.
00:41:12
riptide
I mean, I gotta say, you must be a power user to set this shit up. But if you're able to set up, like, ah, you know, repos that are cross-chain repos and complex test suites, you'll be able to do it.
00:41:27
riptide
It's just a pain, but it's pretty cool just to have another tool to be able to reference, just look for bugs.
00:41:34
MiloTruck
Is it really that much of a pain to set up? Because I did scroll through it, I thought it was just like plugging in your API keys and then you run it and it's done.
00:41:42
riptide
No, it's more about like getting the packages, the dependencies going. Because he wasn't that clear on it.
00:41:46
MiloTruck
Ah, okay, I see.
00:41:49
riptide
And I mean, it depends on your system. I think I got it running on Mac, but I couldn't get it running on my Linux box.
00:41:57
MiloTruck
I see, I see.
00:41:58
riptide
So who knows?
00:41:58
MiloTruck
Yeah, I mean, I haven't tried it, but it looked, like, quite a monolithic project, I would say.
00:42:05
MiloTruck
Especially when he flexed that you can just like ask the AI about, oh, find me all like Uniswap V3 callbacks. And then it would just come out with everything that's related.
00:42:06
riptide
Yeah.
00:42:14
riptide
Yeah.
00:42:17
MiloTruck
That's quite insane to me.
00:42:19
riptide
It's cool. And guys like this are just very unique. Like, these dudes just say, you know what? I just need to create this project. And they just put it on their GitHub. And you look at it, it's like, dude, how many hours did it take for this guy to make it?
00:42:33
riptide
And he doesn't give a fuck. He's like, this is just what I do. I do really geeky shit.
00:42:39
MiloTruck
I mean, he came back... I think... Okay, I don't know, but... He came back after retirement, right? Like, he retired for a year and then he came back to do stuff.
00:42:49
riptide
I don't know. Did he? Yeah.
00:42:51
MiloTruck
I think so.
00:42:52
MiloTruck
Because he has tweets about like why retirement wasn't good for him or something like that. I don't remember.
00:42:52
riptide
boy

Milo's Perspective on Auditing and the Crypto Community

00:42:57
MiloTruck
I don't know. Maybe I'm wrong. And, though, for all you know, maybe he was working out as well. But yeah, I think it's pretty cool that he can just work on things that he wants to without, like, any stress of, oh, I'm not earning money and I need to pay bills.
00:43:12
MiloTruck
Maybe I'm wrong. Maybe he actually is just like the rest of us. Yeah.
00:43:17
riptide
Well, I mean, okay, you're making 20 grand a week as an LSR. I don't think you're like the rest of anybody, man. And there's guys making million dollar bounties. Like there's, crypto is a crazy place with so many different levels of wealth.
00:43:31
riptide
But I think we can agree that, like, even though Singapore is expensive, um, you now have the freedom to kind of do what you want, financial pressures off of you. Yeah.
00:43:43
riptide
And yet you're still doing auditing contests. Do you have any sort of end game or do you kind of, do you see yourself stepping back at some point to do something, you know, just in your interest, maybe outside this industry?
00:43:58
MiloTruck
So this is something I've actually thought a lot about because, okay, I'm going to get, not hate, but a lot of people are going to be like, how can he be saying this? But I actually don't really like auditing.
00:44:12
MiloTruck
I don't really like the prospect of staring at code for hours and just trying to find every single bug because it's such a repetitive process.
00:44:13
riptide
Right.
00:44:21
MiloTruck
I think originally when I was doing contests, I did like it a lot. But people always say that, um, if you do something you love for a job, it eventually becomes boring.
00:44:32
riptide
Right.
00:44:32
MiloTruck
And I didn't believe it, but now I do. Because I've experienced it for a year. Last year. Because I did a lot of audits. Yeah. So... Recently, what I've been thinking is that maybe I should sort of, not say step back from audits, but sort of put more time into looking into what I want to do and working on what really interests me because...
00:44:47
riptide
you you you
00:44:59
MiloTruck
I don't work well when the sole goal is money, which I think for a lot of 2024, my sole goal of doing audits wasn't really because I was interested in doing audits, but more of I just wanted to hit a monetary goal of earning money and hitting a target of, oh, I can earn 1 million a year.
00:45:19
MiloTruck
I didn't, by the way, but yeah.
00:45:20
riptide
Thank you.
00:45:21
MiloTruck
But maybe coming into this year, one of my goals was, like, having the confidence and peace of mind to work on what interests me without the pressure of, like, monetary goals.
00:45:37
MiloTruck
So, like, yeah, when I was writing a fuzzer, this was something I didn't want to pursue as well, but who knows what I would be doing. Maybe eventually I'll stop doing all this.
00:45:47
MiloTruck
You never know.
00:45:49
riptide
You going to open up a canoe manufacturing business, handmade canoes?
00:45:55
MiloTruck
Yeah, I'll become a farmer. Go live in New Zealand and raise sheep. You'll never know.
00:46:01
riptide
So what's the scene like out in Singapore, the crypto scene?
00:46:06
MiloTruck
I actually don't really know. I think there's...
00:46:08
riptide
Never leave your apartment.
00:46:10
MiloTruck
Okay, maybe because of that, like I think from what I've heard, there's actually quite a lot of like DeFi crypto people here.
00:46:21
MiloTruck
But my take is that I think they are sort of, like, this quote unquote scammy bunch. As in, they're just there to make money. You know, you go to those, like, conferences and events and the vibe is sort of off. Everyone there is just trying to sell you their product.
00:46:36
riptide
Oh, yeah.
00:46:36
MiloTruck
Everyone there is, like, just trying to make money off of you. That's the vibe I get.
00:46:40
riptide
When it's all female, that's usually a sign to roll out. Marketing, marketing, marketing.
00:46:47
MiloTruck
Yeah.
00:46:48
riptide
well
00:46:48
MiloTruck
Yeah.
00:46:48
riptide
Ah, but you speak Mandarin as well, right?
00:46:51
MiloTruck
Yeah.
00:46:52
riptide
So what, like, because that's part of the blockchain that we don't see. Like the whole Mandarin-speaking side. Any insight you can give us, because I'll randomly hit projects sometimes and I'm like, oh, this is some Chinese team making this one. This is interesting.
00:47:09
riptide
But it's just like, you go to their page and it's all in Mandarin. But what kind of insights can you share, you know, versus the West on how they're doing things in crypto? Like, where's the money coming from, retail, institutions, anything about that?
00:47:27
MiloTruck
Yeah, I actually don't know much about this because, yeah, I speak Mandarin, but I don't really, I'm not really connected to, like, China and, like, their, sort of, their space there.
00:47:29
riptide
Oh, fuck. God damn it.
00:47:40
MiloTruck
I'm pretty sure it's quite different from what we have over here.
00:47:44
riptide
Yeah, ah, you lay low.
00:47:44
MiloTruck
But yeah. Yeah.
00:47:46
riptide
You really are life on the blockchain. That's what I'm talking about. I forget what this podcast is sometimes. Life on the blockchain.
00:47:57
riptide
That's good, man. You're dedicated. That's the guy we need. Dedicated to the code.
00:48:04
MiloTruck
Yeah, mostly working on technical stuff.
00:48:07
riptide
I know. Dude, that's, it is what it is, man. I think we're in a society now, in a world where everyone is online and everyone is on their phones, the computers, everything. And it's just going more and more so.
00:48:22
riptide
So it's not like your scenario is unique at all, man. It's like everyone I talk to is, they're all locked in. It's crazy.
00:48:31
MiloTruck
I think... It might partially be because of our circle, honestly.
00:48:37
riptide
Yeah, why is it too?
00:48:37
MiloTruck
Everyone I work with is a workaholic and we're all addicted to just staring at computers, so...
00:48:45
riptide
It's because crypto sucks you in with the promise of getting rich. And that's a big thing. And then it sucks other people in because they're like, hey, it's decentralized and it's geeky as hell and you can do whatever you want on it.
00:48:58
riptide
And so you have this clash of people that are out to just get rich quick and then other people that are there for the tech. And some are on the fence.
00:49:09
riptide
And I've never seen another industry like this.
00:49:14
MiloTruck
Yeah, I think most people honestly get sucked in because of, like, the financial prospects, because the amount of money we, like, usually talk about is insane. This is not something you really see in other industries. Like, we see people like, oh, I'm farming, like, a thousand percent APR, I get 2k a day. Do you know how many people would, like, kill for this amount of money?
00:49:40
riptide
Yeah. And the risks are stratospheric, though. I love when you see some guy repping about some protocol, some new DeFi primitive. And they're like, you could just loop your leverage in that like it's risk-free.
00:49:54
riptide
And then it always happens. Something happens, whatever, the fucking something de-pegs, whatever. And then people get liquidated and they say, how could this happen?
00:50:04
MiloTruck
Yeah, I don't know. I think the risk is people are, you know, greedy, so they don't really consider the risk. Whereas, like, for us, obviously I see the risk.
00:50:15
MiloTruck
That's why I'm very hesitant to use DeFi. I think, do you use DeFi a lot? The vibe I get from you is you were originally, like, using DeFi and then you got into security that way.
00:50:26
MiloTruck
Is that correct?
00:50:26
riptide
Yeah, yeah, I was crazy.
00:50:28
riptide
DeFi degen, just like an idiot, you know, going nuts, but I was making money and I lost some money in a hack. But yeah, now when I do do DeFi, I have to read the contracts.
00:50:40
riptide
I won't put any money in before I look at the whole protocol.
00:50:44
MiloTruck
Ah, I see. Yeah, that's sort of the same as me. Even when I was using, like, a Safe, I looked at the entire Safe contract. Didn't find anything, sadly.
00:50:56
MiloTruck
Yeah.
00:50:56
riptide
Yeah, I just, it's more out of curiosity to see like how they're doing it.
00:51:03
riptide
Like, okay, I'm gonna deposit. Like, how's the flow gonna go here? What are you doing? And yeah, obviously you're making sure your investment's fine, but a lot of it is fueled by curiosity. And if I don't have that, to be honest, I'm out of this space.
00:51:19
riptide
Like, if you're talking, you don't like audits now, I mean, I think you should switch to bounty hunting, because, like, I couldn't do audits, man, where you're like, hey, look, here's Uniswap fork number 100.
00:51:27
MiloTruck
laughs
00:51:36
riptide
You need to look at it again. You must look at it. I just couldn't do it, man. I just look at things that I'm interested in.
00:51:43
MiloTruck
Yeah, I get what you mean. Because honestly, my view is that we don't see a lot of innovation in, sort of, like, not to say DeFi, but sort of the contract landscape.
00:51:56
MiloTruck
Everything is almost the same, I would say. So when you do a lot of audits, you kind of see the same thing over and over again. And that's where it starts getting boring.
00:52:07
MiloTruck
Whereas if you do bounties, you can just choose what you want to look at. So you can just look at the interesting stuff. So yeah, maybe that keeps it fresh.
00:52:16
MiloTruck
That's my view.
00:52:16
riptide
Yeah, absolutely.
00:52:18
riptide
And the hope of, like, oh, today's going to be a million dollar bounty. You know, you walk away with zero, but it's like you come up to the gambling table and you see what you could do.
00:52:30
riptide
But on that topic, like where you see the same things, and some people, so there was this quote, I don't know if people still use it, but don't roll your own crypto.

Innovation vs. Reimplementation in Crypto

00:52:43
riptide
And that was in reference to people redoing things that are already done, that are already secure. Like, you don't need another Gnosis Safe, okay?
00:52:53
riptide
But I like to see innovation out there for different things, for certain things. But you don't need to roll your own crypto for, like, certain things that are already tested and proven. Like, you don't need to write a new bytes library or whatever, things like that. And when people do dumb shit like that, I don't know why they're doing it.
00:53:14
riptide
Probably for the challenge, for one, like they can optimize it. But there's things to innovate on and there's things you just let chill, I think. What do you think?
00:53:25
MiloTruck
Yeah, I think this is actually good advice that I would give protocols. Because usually you see most of the things that a protocol would want to write have already been implemented somewhere.
00:53:39
MiloTruck
And I think you can save, like, a lot of time and effort and, like, audit costs if you just look at what someone else did and sort of adapt it in your own way.
00:53:51
MiloTruck
And especially if it's something in the library. A lot of people just don't look at what OpenZeppelin has and they just roll their own implementation. And then in the audit report, it comes out in my recommendation, one line: just use this, when they wrote a whole contract for it.
00:54:07
MiloTruck
Yeah. So it's something that occurs quite often that I don't know why. I would say it's maybe, like, a knowledge issue where people don't know things exist. Probably. That's my take.
00:54:20
riptide
What about the double-edged sword here where they take something that already exists, but then what do you think they do? They modify it without knowing what they're doing. And then you get like this hybrid of something that's been audited to death. And then this guy's like, you know what?
00:54:36
riptide
I'm just going to make a little change here. And he potentially fucks up the whole security of everything.
00:54:43
MiloTruck
Yeah, like the thousandth Aave fork we're going to see that gets hacked.
00:54:49
riptide
These devs are crazy, man. Like, ah I don't know what to say about the space. It's awesome. I love logging in every day and just seeing that some dude put out some new idea and it's gaining traction and you don't know what it's going to be like.
00:55:04
riptide
And to just work in an industry like that where it's not gated and each day is crazy is the coolest thing ever.
00:55:13
MiloTruck
Yeah, I think the cool thing about this industry and originally what drew me to it, other than printing loads of money, which honestly, if everyone was honest, I think that's what drew them to the space, was that you're sort of at the forefront of, like, innovation.
00:55:30
riptide
Mm-hmm.
00:55:30
MiloTruck
And especially back in 2023, when security was quite immature, you'll see, like, new things pop up. They are trying to sort of shape how contracts should be written and people innovate on how contracts should be written.
00:55:45
MiloTruck
Like ERC-4626. I think this is a quite good example of, like, innovation to make the vaults more secure.
00:55:56
MiloTruck
So you stop all the inflation attacks from happening. Now everyone just inherits OpenZeppelin's ERC-4626 and they don't have this problem anymore. So that's very cool to see, in a sense.
00:56:06
MiloTruck
Yeah.
00:56:06
riptide
I do like that.
00:56:07
riptide
I do like some of the standards when they're used correctly.
00:56:11
MiloTruck
Yeah, but you also have the flip side of, I think some standards are quite dumb, to be honest.
00:56:18
riptide
Like which one? Name one.
00:56:20
MiloTruck
Ah, okay, I...
00:56:24
MiloTruck
one
00:56:24
riptide
So, some of the OZ ones I don't like.
00:56:28
riptide
I think some of the OZ ones are out of control. Like their signing libraries. Some of these things just go way overboard and it's just, like, a lot of clutter. You just want to, in your mind, you just want to remove all this shit so you can see the actual code.
00:56:41
MiloTruck
Have you seen their Governor contracts?
00:56:45
MiloTruck
Their Governor contracts.
00:56:45
riptide
Which one?
00:56:47
riptide
Yeah.
00:56:47
MiloTruck
There are so many inheritors. The inheritance of that is, like, insane.
00:56:51
riptide
Oh my God.
00:56:51
MiloTruck
see
00:56:52
riptide
They love the inheritance patterns. Love it.
00:56:54
MiloTruck
Yeah. I mean, I get why it's implemented this way. Because you're writing a library, so, like, you sort of have to compose everything together. You can't write one nice contract. Because if you write, like, one contract without any inheritance, people can't use parts of it.
00:57:13
MiloTruck
But I think it has sort of gotten too much, that now when you, like, read the contract as a whole, no one knows what's going on anymore.
00:57:22
riptide
I enjoy reading Vyper contracts. They're so straight to the point and it's just easy. Versus I pull up a Solidity contract on Etherscan and it's like one of 42.
00:57:34
riptide
I just search. I'll search for a function and then it's like, oh, this is the function. Oh, no, wait. Override. Virtual. It's out. My God. It's a fucking mess.
00:57:45
MiloTruck
Actually, this is a good point to talk about. Why do you think Vyper hasn't gained traction?
00:57:52
riptide
Um, well, it's newer, for one. Actually, you know, I don't know how new it is compared to Solidity. I know Solidity was first, but Vyper has still been around quite some time, because you've had the original CRV contract, ah, the locker, everything's written in Vyper.
00:58:14
riptide
But why hasn't it gained adoption? I guess, not as composable? Because you can't, I mean, it's not as composable as Solidity.
00:58:25
MiloTruck
Yeah.
00:58:26
riptide
I guess, I think that's why I would say it hasn't gained the adoption. Because I'd say security-wise, both have had their issues and still have their issues.
00:58:38
riptide
I don't know. What do you think?
00:58:38
MiloTruck
Yeah, I don't know as well, but I think a lot of people sort of always say that we need a new language. Solidity is a bad language, but then we have another new language, but I don't know, the traction isn't there.
00:58:50
riptide
Mm-hmm.
00:58:53
MiloTruck
So this is sort of a question mark problem to me as well. Of course, Vyper has had the re-entrancy problem where they had a compiler bug, which is quite a scary prospect to think about.
00:59:06
MiloTruck
Like, imagine if Solidity ever had, like, a huge, devastating compiler bug. The ecosystem is just wiped out completely, which is an insane thing to think about.
00:59:16
MiloTruck
Ah, yeah.
00:59:17
riptide
Dude, I always tell people, I'm like, Solidity is at 0.8 point whatever, two or something. It's not even at version one. Like, we're still quite early to this whole thing. So hopefully there's not anything.
00:59:33
riptide
But you never know, man. That's how bugs exist. They're not there until they're there.
00:59:37
MiloTruck
Yeah. Yeah. I mean, I've read through some of the Solidity bugs, and honestly, some of them look quite, not say bad, but it's something you would see in a normal contract.
00:59:50
MiloTruck
I think the one that stood out to me the most is, like, there was an issue with fixed arrays, where if you have, like, a fixed array, let's say a uint256 array of, like, a fixed length of two,
01:00:04
MiloTruck
something would happen with the optimizer where it would override the length. Something like that.
01:00:08
riptide
Mm-hmm. Right. Mm-hmm. right
01:00:08
MiloTruck
Yeah, I don't remember. But the problem, what stood out to me was that it's in pure Solidity. It's not like, ah, another Yul optimizer bug where you do some obscure assembly thing and then it messes up.
01:00:24
MiloTruck
Yeah. Yeah.
01:00:25
riptide
I think what gets people more, because they'll have some extreme edge cases on those bugs. I think what gets people more is just the trap doors of Solidity. Just, it's interesting behavior. If you read the full manual, you know, you're up to speed on it, but I don't think all devs really go all the way in depth.
01:00:42
riptide
Well, speaking of bugs, hold on before I forget.
01:00:43
MiloTruck
Yeah.
01:00:44
riptide
I almost forgot the fucking alpha drop, man. All right. We got to drop some motherfucking alpha here. All right, alpha drop. My alpha drop is going to be about something I was looking at today. Messaging.
01:00:58
riptide
I cannot stress how cool messages are. So look, just another thing to look at, all I wanna give is just ideas to look at. When you're looking for bugs, look at protocols that have functions that say, like, handle receive message,
01:01:14
riptide
send message, stuff like that. See how they're encoding the message. Is there malleability there? Is everything being signed off on, all the variables? Can you do anything to that message after it's been sent, when you call to receive it?
01:01:31
riptide
Can you alter anything? Just cool things like that. I think messaging is kind of overlooked because people say, oh, no funds are being sent, but messages can be quite powerful. They can handle governance issues. They can do voting. They can even send funds indirectly. So that's something to check out.
01:01:50
riptide
Milo truck, what do you got?
01:01:53
MiloTruck
Maybe not specific. I think my general alpha drop is... So a lot of people recently have been saying you shouldn't do Solidity.

Advice for Newcomers in Crypto

01:02:03
MiloTruck
As in, if you're a newcomer to the space, investing in learning Solidity and trying to do EVM security and Solidity security is not worth it.
01:02:13
MiloTruck
But I think the way to look at it is that you should sort of look at what is upcoming in the space in general and then try to learn that as fast as possible and focus on that.
01:02:30
MiloTruck
An example would be when Solana was coming up, you should learn it as fast as possible and capitalize on that. And now currently, I think even if you look at Solana, it's quite crowded already.
01:02:43
MiloTruck
So you should focus on the upcoming things, which I think now chains are a good thing to look at. You'll see that WhiteheadMage, a lot of his bounties are on chains and blockchains,
01:02:55
MiloTruck
which there aren't a lot of eyes on. ZK is also coming up, so you could look into that. Yeah. But the general takeaway is that you should always... Don't just focus on the security bubble, but look at what is the new upcoming tech that looks like it's going to be big.
01:03:11
MiloTruck
Even in the EVM space, you see that cross-chain messaging and cross-chain stuff is worse and currently is becoming a huge thing because...
01:03:23
MiloTruck
Ethereum in general wants to focus on the L2 roadmap. So it would be good to focus on that as well because it's upcoming. Instead of just, like, oh, I should do something different from others, so I learn Cairo for the sake of it.
01:03:38
MiloTruck
And then it never takes off. And then you just learn something that didn't take off. Yeah, so that's my alpha drop.
01:03:44
riptide
That's good alpha. Hyperliquid.
01:03:48
riptide
Hey, that's a good one, the HyperEVM. Check that. That's something new too. So we made it to an hour. Mr. Milo Truck, thank you for coming on. I want to give a shout out. Join the Discord channel.
01:04:00
riptide
Check out the Substack. And if you are going to host a bounty or a competition on ImmuneFi, check out the link tree.
01:04:06
MiloTruck
Thank you.
01:04:07
riptide
I got a link on there. They'll kick something back to the podcast. So anyway, getrecon.xyz forward slash riptide. And that's all we got. So see you guys next time on the blockchain.