
riptide & kankodu discuss his bug hunting techniques that keep him in the top 20 of the Immunefi leaderboard, a deep dive on his recent $250k Balancer bug writeup that he kept under wraps for 2 years, bounty negotiations and how to shoot yourself in the foot with the dilution effect, the truth about the existence of the Indian bug hunting mafia ... and much more!

Transcript

Introduction and Guest Introduction

00:00:07
riptide
Rock and roll. I'm here with kankodu, who is 18th on the Immunefi leaderboard, the king with 17 criticals. How are you, sir?
00:00:20
kankodu
I'm doing good, how about you? How are you doing?
00:00:22
riptide
I'm good. I'm good. That's an opener, man.
00:00:25
riptide
I mean, I looked at your, you know, there's all these guys on, I like to just use the Immunefi leaderboard just as like a ranking, even though we both know that bugs are submitted, you know, off Immunefi to protocols directly and other platforms, but it's such a big platform that I think it's a good marker and definitely a good advertisement for any bug hunter.
00:00:26
kankodu
but
00:00:48
riptide
Yeah. I didn't even know who you were until recently. I'd seen you on X. Your name popped up a few times, but I didn't really link you to anybody until I saw, I was like, oh, who's this dude? Oh, he's with Spearbit. He's at LSR.
00:01:04
riptide
He's 18th on the leaderboard. And then I looked at your profile, like, holy shit. This guy's for real.
00:01:11
kankodu
That's great, and also this is a great intro to the podcast, the music that you have. It's really good.
00:01:19
riptide
You like that?
00:01:20
riptide
Awesome. Awesome. That's homemade. That's not AI.
00:01:20
kankodu
Yeah.
00:01:25
kankodu
Yeah. Thanks for the intro.
00:01:28
riptide
Hey, man. Thanks for coming on. So, you know, give me, before we start, Chad, I mean, give

Ken's Journey: From Student to Bug Hunter

00:01:36
riptide
me some background. How did you get into this bug hunting game?
00:01:41
kankodu
So I actually, in 2018, 2019, when I was doing my computer science degree, that's when I got interested in blockchain. And right after graduation I started with doing programming on blockchain, so Solidity, doing smart contract development. I was doing some freelancing and stuff, and so I was a smart contract developer first, and I was always interested in security.
00:02:25
kankodu
And the first, the actual thing that got me into security was I actually found a live bug in a protocol where, like, from the first time I got thrown into the deep end. It was an immutable contract, 20 million dollars were at risk at the time, and we had to white hat hack it. So it was a really stressful 24 hours that I spent in a war room with a bunch of other people trying to make sure that
00:03:03
kankodu
no black hat had discovered the attack and we white hatted the funds, and it was quite an experience.
00:03:15
kankodu
It just...
00:03:16
riptide
And which which protocol was this?
00:03:19
kankodu
This was, like, I would like... So I reported this bug with my real identity. So I would like to not disclose it.
00:03:32
riptide
Got it. Got it.
00:03:32
kankodu
um
00:03:34
kankodu
But yeah, it was like, that's what got me interested in security. So the adrenaline rush and all of that. Like, yeah, I was up for 24 hours and I didn't even feel tired at the end of it. So yeah, it was,
00:03:56
kankodu
I wanted to chase that feeling and I just dropped all of my development and went full time into bug hunting. So I was browsing Immunefi, trying to look at any interesting projects, and if I find a bug, I submit.

Leveraging Development Skills in Bug Hunting

00:04:19
kankodu
So that's how I got into smart contract security.
00:04:23
riptide
Just like that. So do you think your knowledge as a dev kind of helped you find that initial bug?
00:04:31
kankodu
Yes, definitely. So I was developing on top of that protocol, and that was the only reason I was looking at their code, and that's how I found the bug.
00:04:44
kankodu
But yeah, definitely, because I knew about the protocol, that's why I found the bug.
00:04:53
riptide
Why do you think no other devs spotted it? Like, do you think that there's, was it some other guy's code or was it, were you reviewing your own code, or do you feel like devs and bounty hunters or just third parties kind of have a different perspective on being able to find bugs?
00:05:09
kankodu
Yeah, that's right. I feel that once the contracts are deployed, that's when a lot less. So before the contracts are deployed, they are audited and a lot of other people that have not developed the code,
00:05:28
kankodu
they look at the code and try to find the bugs. But after the contracts are deployed, it gets hidden under a UI and nobody looks at the smart contract code anymore. So I guess the reason that I found it was just, I was just looking at the code.
00:05:50
riptide
Thank you.
00:05:51
kankodu
I think that there were a lot less people looking at that code, otherwise they would have found it as well.
00:06:03
riptide
You think maybe that's an interesting point where you said that once a protocol is deployed, the contracts kind of hide behind the UI and no one looks at it.
00:06:05
kankodu
Yeah.
00:06:13
riptide
And I never thought of it like that because I never use the UI protocols, to be honest, except for maybe a lending protocol here.
00:06:19
kankodu
Except for us.
00:06:21
riptide
This.
00:06:21
riptide
Yeah, like I'm on just – I'm on Etherscan and I'm just – all I see is the logic. And I've reported bugs too where they've been silly, where the devs have relied on the front end to control inputs, which we know is ridiculous.
00:06:22
kankodu
Yeah.
00:06:37
riptide
But I've seen devs do that, and I think in their thought process, they're like, dude, no one is going to do this.
00:06:41
kankodu
Yeah.
00:06:46
riptide
No one is actually interacting with the contracts except for I don't know what percentage of the user base. You know, but yeah, that's us. That's cool. And I noticed on your GitHub, which is very cool. Everyone should check it out. You seem to be slanted more towards, because you do audits on the side, it looks like. You do your Spearbit work.
00:07:06
riptide
But you're still heavily weighted on, like, primarily bug bounties. Is that right?
00:07:13
kankodu
Yeah, that's right. It's full time bug bounty and audits on the side. That's the current situation right now.
00:07:23
riptide
Hell yeah. And how many hours and how many days a week do you spend hunting?
00:07:29
kankodu
Yeah, it's full time. So it kind of depends on how interesting the protocol is and if I'm getting somewhere. If I have a thread to pull, then I go for hours. And if I don't have anything interesting, then I just hop from code to code. So it depends.
00:07:50
kankodu
um
00:07:51
riptide
This sounds like I'm talking to myself. This is a good method. But still, it looks like your focus, because I'm looking at Gearbox, Saddle, Aave V2, Liquis, all these, and it looks like a lot of them, correct me if I'm wrong, are AMM bugs.
00:08:07
kankodu
Yeah, that's right, AMM and lending protocols. Those are the ones where everyone knows on a high level what they are supposed to do.
00:08:19
kankodu
But when it comes to the actual implementation, there are some edge cases that developers miss.
00:08:27
riptide
And do you look at this from, like, do you use a particular fuzzing suite for these kinds of bugs?
00:08:36
kankodu
Not really. So I use fuzzing suites only if I have a suspicion about a bug and I actually don't want to do anything.
00:08:50
kankodu
I don't want to manually try random inputs until I trigger the bug. So that's when I use fuzzing, but otherwise it's mostly just reading the code.
00:09:08
kankodu
And if I have a suspicion, then I write, I make a proof of concept.
00:09:16
riptide
Yeah, and these are interesting because I think, as you've shown, I mean from your portfolio, there's a lot of bugs in here. And I think because you really have to start looking at the edge cases, and you really have to be comfortable with the numbers and know the precision and rounding and the math to really care about these bugs and find these exploits, because at a high level most guys will look at this and say, you know, some big brains found this out, this looks legit, and they might not dig into it as far as you've dug into it.
00:09:51
kankodu
Yeah, that's right. It's just a matter of, like, you have to ignore everything else and just look at the code. You can't look at who audited it or who developed it.
00:10:07
kankodu
It's just code, and just assume that there is a bug and just don't stop till you find it, basically. But yeah, that sounds good, but it's not practical, of course. You have to put a time limit there.
00:10:24
kankodu
But I go with my intuition in that if I tried a lot of things and it didn't work, then I lose interest and move on to the next codebase.
00:10:37
riptide
And how do you find your targets?

Tools and Platforms for Bug Discovery

00:10:41
kankodu
Finding targets, I of course use Immunefi. Immunefi doesn't really have a good category filter, but I go to DeFi Llama, which has a really good category filter.
00:11:00
riptide
Oh, fuck. Another DeFi Llama shout out. Just start getting paid for these shout outs, DeFi Llama. This is popular.
00:11:07
kankodu
Yeah, but it is actually helpful
00:11:08
riptide
Okay. Yeah, that's a good spot.
00:11:11
kankodu
in discovering new protocols, and also if you have an idea on how to break a lending protocol, then you can go on DeFi Llama, just go through all of the lending protocols' code and see if any one of them is vulnerable.
00:11:30
riptide
Right, right.
00:11:30
kankodu
And also on the Twitterverse, because I just look at the announcements, and if any one of them sounds interesting, then I take a look at their code.
00:11:45
riptide
Do you do any, like, Discord hunting, Telegram groups, stalking GitHubs?
00:11:52
kankodu
No, not really. I have a different code. If I have reported a bug in a protocol, then before reporting the bug, of course, I'm in their GitHub, going through their history, trying to make sure that the bug that I'm thinking of hasn't already been thought of in the conversations or something.
00:12:20
kankodu
But if I have reported a bug in a protocol, then I'm already in the Discord and I don't really leave after I've gotten paid.
00:12:32
kankodu
So if there is an interesting announcement, then I take a look at the new code that they added, because I already have some context there.
00:12:44
kankodu
So it has to be a project that I have already reported a bug to.
00:12:44
riptide
Do you use, go ahead.
00:12:52
riptide
And do you use any agents? Do you use agents or monitoring tools to keep track of changes to codebases where you've already reported bugs?
00:12:52
kankodu
That's when I become a stalker.
00:13:02
kankodu
No, not really. Because it's not like I don't have any... I have enough codebases to look at, basically. So I don't have to use any monitoring system. Yeah, it's just too much out there.
00:13:27
riptide
there's just too much out there.
00:13:30
kankodu
So,
00:13:30
riptide
Yeah. What do you feel is like the worst part of bug hunting? And I'll give you my example. Like, what I think, when I have no threads to pull, as you'd call it, as I call it, like no leads to track down, if I'm just looking for a project or a contract or something where I see a low or I see something, some opening, when I'm in that hunting mode where I'm just looking around, that can go on for a long time.
00:13:57
riptide
And I think to me, that's one of the worst parts. And one of the best parts, besides finding the actual bug, is when you pull that string and there's something there and you could start deep diving.
00:14:11
kankodu
Yeah, that's right. I also agree there. But for me, the worst part is the negotiations. As in, like, the project always seems to try to downgrade for various reasons.
00:14:21
riptide
Oh yeah.
00:14:32
kankodu
But that's the worst part. It's just that you are just one person negotiating, and over there there is a team of people. So it's stressful for you as an individual. You want to make sure that the work that you did gets compensated fairly, and it's a little bit stressful.
00:15:09
riptide
Absolutely. Yeah. Suddenly you're thrown into high stakes negotiations for hundreds of thousands of dollars or more, and you're trying to make the right calls.
00:15:14
kankodu
Yeah.
00:15:20
riptide
It's extremely stressful because you may need to pay the bills, or these guys may try to walk it back where you don't get paid that amount. Hell yeah. I think that's a huge, huge part of the program. That's really tough for a lot of people to do, because you could be a great bounty hunter, but you could be a terrible negotiator.
00:15:42
kankodu
Yeah, definitely. Yeah, it's something that you have to learn. It just doesn't get taught in the security, like, roadmap.
00:15:59
riptide
Do you think there's room for some guy, like a third party, to negotiate on your behalf? And that could be, you know, you pay him whatever finder's fee or a flat fee and he handles all your negotiation for you?
00:16:15
kankodu
The thing on that side is, like, there is already something like that, where Immunefi mediations, or the platform that you are reporting the bugs from, they negotiate for you. Kind of like they are your last resort if you
00:16:33
riptide
Or against you.
00:16:34
riptide
Right.
00:16:35
kankodu
Yeah, or against you. But the thing with that is, if someone else is negotiating on behalf of me, I feel like I am the best person who understands this bug in and out, because I have already tried, like, I know about the project and
00:16:51
riptide
Right.
00:16:56
kankodu
everything. So I feel like no one else would really be able to understand it perfectly. At least that's what I have found for the bugs that matter, kind of, where it's not really clear how much amount is at risk. In those cases,
00:17:22
kankodu
yeah, I feel like
00:17:23
riptide
Those are some of the worst.
00:17:24
kankodu
Yeah, it's one of, it's, if you can just put a number, then it's all well and good. Then you just know that if the project didn't pay, then they were bad actors, and if they did pay, they are good.
00:17:43
kankodu
But if it's uncertain how much funds are at risk, then it gets really bad.
00:17:55
riptide
Do you

Case Study: Major Bug in Balancer V2

00:17:55
riptide
have any bad actors you want to dime out on the podcast?
00:17:55
kankodu
You don't know.
00:18:00
kankodu
No, not really. It's just,
00:18:05
riptide
Name of the game.
00:18:06
kankodu
yeah, it's just part of your job as a bug bounty hunter.
00:18:08
riptide
Yeah. Yeah. Let me ask you this. So you reported this really cool bug. And one of the reasons you came to my attention, I wanted to have you on.
00:18:22
riptide
And it's this "Million Dollar Bugs and Where to Find Them". And it's about Balancer V2. And I'll let you talk about that bug in a sec. But the interesting thing I saw with that was this was around the same time that I reported a bug for Balancer as well. It's February 2023.
00:18:38
riptide
So you had this bug that you reported two years ago and yet you couldn't say anything till now.
00:18:39
kankodu
Yes.
00:18:46
kankodu
Yes.
00:18:49
riptide
Is that because of the V3? Like, tell me why.
00:18:49
kankodu
Yeah.
00:18:54
kankodu
Yeah, it's because of the nature of the bug, where the project felt that the funds weren't at risk instantaneously, where an attacker can just hack it and take it in their wallet.
00:19:17
kankodu
The attacker has to do some preparation first, wait, and then they can take the funds. And for this type of bug, the project actually felt that once the attacker executes the first part, they would detect it and block it from the UI and make sure that nobody deposits funds, say, in that particular part of the code.
00:19:39
riptide
Thank you.
00:19:50
kankodu
So maybe if I go more specific about the bug, it would make sense.
00:19:58
riptide
Yeah, just maybe a high level, give kind of the gist of the bug. I mean, I thought it was so cool. I'll let you talk about it. But it's a very simple kind of thing.
00:20:11
riptide
But like any bugs, you just had to kind of connect all the dots. And so maybe give a high level on the bug and you can give as much details as you like.
00:20:20
kankodu
Yeah, sure. So this bug, I feel like if they had a competition now, it would get duplicated like tens of times. But at that time it was a relatively novel bug pattern. Balancer is a permissionless decentralized exchange, and in that, anyone can create a pool for any token.
00:20:51
kankodu
And they have a vault which keeps track of all of the tokens for the user and the pool. And if you want to deposit into the vault, you call the deposit function and the vault pulls funds from your wallet.
00:21:07
riptide
you
00:21:12
kankodu
And in that, because there are a lot of ERC20s that don't actually follow the ERC20 standard, for Balancer it's a standard practice that they have to do a low level call.
00:21:31
kankodu
And in that, Solidity checks and makes sure that the contract that is being called, if it doesn't have code, then it reverts.
00:21:44
kankodu
But in a low-level call, it doesn't. And for gas optimization, Balancer didn't put a check to make sure that the contract exists.
00:21:59
kankodu
So what happens is, if the attacker knows where a token will be deployed, then before the token is deployed they call the deposit function on the vault. The vault tries to pull the funds from the wallet by calling transferFrom using the low level call, and it succeeds because there is no code there,
00:22:13
riptide
Thank you.
00:22:25
kankodu
and Balancer increases the attacker's internal balance in their vault. So this way, if this token actually gets deployed and then there is liquidity, if normal users add liquidity in Balancer pools, then attackers can just use their internal balance that they got for nothing and just empty all of the tokens.
00:23:00
kankodu
So this was the bug, where in this specific bug, as you can imagine, all of the tokens that are already deployed are not at risk,
00:23:03
riptide
Thank you.
00:23:09
kankodu
and only the new tokens that will be deployed in the future are at risk.
00:23:21
kankodu
So this is why the Balancer team decided that they could just monitor for this type of attack, where if an attacker executes this attack for a new token,
00:23:34
kankodu
then the Balancer team will make sure that there is no pool created and no liquidity added for that token in Balancer, basically. And it never got triggered in two years.
00:23:48
kankodu
And now that they have Balancer V3, they can recommend Balancer V3 for new tokens. And now I was able to publicly disclose the bug.
00:24:03
riptide
Very cool.

The Art of Negotiating Bug Bounties

00:24:04
riptide
And I'm going to guess, based on my experience, the Balancer team was pretty cool about it.
00:24:12
kankodu
Yeah, the negotiations were stressful because, yeah, as I said, it's not... all of the funds currently are not at risk.
00:24:25
kankodu
If X, Y, Z happens in the future, then funds would have been at risk. And it is always harder to know how much this information is worth
00:24:40
kankodu
now, when the actual bug hasn't been exploited.
00:24:47
riptide
And let me ask you this, if this is related, you had a tweet about this dilution effect. Was that related to this bug?
00:24:54
kankodu
Yeah, definitely. I got to know about the dilution effect the hard way.
00:24:59
riptide
Okay, so a high-level overview. And you said if you have two strong points and a weaker one, then you're saying your argument could actually weaken by including the extra point. You're better off not mentioning the weaker point.
00:25:11
riptide
So did that happen with Balancer, and would you be able to share what the weaker point was, or is it relevant?
00:25:17
kankodu
Yeah, sure. I actually, like, after the negotiations were over, I came to know about the dilution effect, and then I went back and looked at the chats and I saw that I made an argument where, I can't remember the exact argument, but it was around,
00:25:43
kankodu
In that argument, I mentioned a specific scenario where only a few thousand dollars would have been at risk, considering that Balancer V2 had been live for two years prior to that.
00:25:59
kankodu
So if you look at the history, in the specific scenario that I mentioned, only a few thousand dollars would have been at risk. And I would have been better off not mentioning it, I feel.
00:26:13
riptide
Yeah, you're looking at that thinking, oh, fuck.
00:26:15
riptide
I shot myself in the foot. I think I've done the same thing. I can't recall the project, but I'm pretty sure that I probably did that same thing. I think in real life too.
00:26:15
kankodu
Hmm.
00:26:25
riptide
I mean, this isn't real life. It is. But in other kinds of negotiations, I think I've done the same thing. So I agree with that. I didn't know it was called the dilution effect, but – I would absolutely agree with you. Be careful.
00:26:38
riptide
Be very careful on the arguments you're making. And really, I think a good tip is to take your time. Once you've submitted it and you're doing the negotiation and back and forth, feel free to, when you get a message, don't immediately respond, but kind of even sleep on it.
00:26:56
riptide
And just get emotions out, kind of think through the problem, and then respond thinking about, what is the intended outcome that I want from this response I'm going to give?
00:27:08
riptide
And how are they going to perceive you? You need to think through a lot of angles before you say some things, because if you don't, you end up looking back in your history thinking, did I just cost myself some money?
00:27:20
kankodu
Yeah, definitely. Actually, on this, I have a good story. So you know about a bug, but you also have to find out how to exploit this bug to cause the highest impact, like to show the project that this is how an attacker would do it. An attacker wouldn't go for any other scenarios. They would go for the highest impact scenario.
00:27:46
kankodu
And so what actually happened was I submitted a bug in a protocol and they closed it as duplicate, and they gave me the original report that the other researcher reported as proof that, yeah, this is the original bug that the other researcher reported, and that's why we are marking this bug as duplicate.
00:28:19
kankodu
And so I looked at the report. They had a similar POC as me, so they knew about the bug, of course, but the impact that
00:28:26
riptide
Thank
00:28:31
kankodu
that they showed didn't really make sense. So what happened was, I actually met that, I had a talk with that other researcher after some time.
00:28:44
kankodu
And what they told me was that the project did something weird. What happened with that other researcher was, and I put this together after we talked basically, the project received the bug report from the first researcher.
00:29:05
kankodu
They closed it because they didn't think that this bug really mattered, basically. They closed it. They are like, we are not going to fix it.
00:29:17
kankodu
And then they received my bug report, where I reported the same bug but showing how it would affect them immediately, like right now. And that's why what they did was they marked my bug as duplicate and paid the other researcher.
00:29:36
kankodu
So yeah, the only difference between us was that I showed actually how it would affect them currently, and the project felt that the first researcher actually deserved the bug bounty because they reported it first. I was okay with that.
00:30:01
kankodu
At least someone got paid. But basically, the bug impact matters in the project ignoring you or rewarding you.
00:30:13
riptide
Absolutely. So they didn't fix it, but he showed, say, like a low impact. Then you showed a higher impact.
00:30:20
kankodu
I showed higher impact and then they fixed it.
00:30:23
riptide
You should have got paid for that.
00:30:28
kankodu
At least someone got paid. In this
00:30:28
riptide
He's like, yeah, yeah.
00:30:31
kankodu
In this case, like, if the project was a bad actor, they could have just marked my report as duplicate and then never paid the first researcher.
00:30:44
riptide
Yeah, I'm actually surprised you got the report. I've gotten duplicates and they've just said, oh, yeah, it's a dupe. And then I've had to kind of chase them down, show me proof. And they just said, oh, look, it was reported.
00:30:56
riptide
But I never actually got to see the guy's report. So that's actually pretty cool, pretty transparent.
00:31:01
kankodu
Yeah, this was transparent, and also because it was easily shareable. The first researcher reported it as a gist, so they just included the link of the gist in their message.
00:31:16
kankodu
So I guess that would have been one of the reasons why the project shared it.
00:31:17
riptide
Okay, that's cool.
00:31:22
kankodu
Yeah.
00:31:23
riptide
Yeah, that's a great – that's actually what I share. When I reported some of my first bugs, I sent like – what did I send? Like a text file. I didn't even know it just – I call it a gist.
00:31:34
riptide
I didn't know it existed.
00:31:36
riptide
And they schooled me. They're like, hey, man, you could just securely share it through here. Oh, okay, cool. And then I have all my bugs, like a big list of them, and you can have access to see who sees them. And it's actually a really great tool if you're not using that.
00:31:36
kankodu
Yeah.

Testing and Validation in Solidity

00:31:50
riptide
So on this Balancer bug, I'm curious, you said it all started with the simple curiosity: what happens when a delegate call is made to an address that doesn't have any code?
00:31:51
kankodu
Yeah.
00:32:02
riptide
Well, I already knew the answer. I wanted to confirm it. When you have questions like that, and there's a lot of them with Solidity, where do you go to test? Do you just fire up Remix? Do you just build a quick contract? Do you go to Foundry, Hardhat? What do you use?
00:32:16
kankodu
Yes, Remix. For this one, that's where I went, basically, just to confirm it, just to make sure that what I understood about Solidity was correct.
00:32:35
kankodu
But yeah, if it's more complicated than that, if I have to interact with some other live contract, then I go to Foundry.
00:32:45
riptide
Foundry.
00:32:45
riptide
Okay. I actually met the Remix team at ETH Bangkok. I don't know if you go to any events, but it was just a couple of guys and just extremely based guys. They're just like, yeah, what features are we missing? Hey, would you like the product? It was really cool. It's such an underappreciated tool that I think everyone – I think everyone starts on, they start looking at contracts through there, and it's just so handy, and they have the desktop environment now and it's.
00:32:46
kankodu
Yeah.
00:32:46
kankodu
Yeah.
00:33:08
kankodu
Yeah.
00:33:13
riptide
I still use it all the time to just kind of brainstorm different ideas, just to double check behaviors, and it's such a great free tool. I don't know if they get, I think they're actually funded by the Ethereum Foundation, correct me if I'm wrong, but.
00:33:28
kankodu
Yeah, they are, I think.
00:33:29
riptide
That's so cool. I love tools like this. Foundry, that's been a game changer, and that's by Paradigm, who, I mean, that's just... I went to some, so I looked at a project recently.
00:33:44
riptide
It was the one Obront and DeadRose just reported a bug on. It was, was it some cross chain bridge or something like that.
00:33:55
riptide
But I was looking through their tests and, my God, it was all Hardhat, Hardhat TypeScript.
00:34:00
kankodu
Oh my God.
00:34:00
riptide
And so I thought, oh my God, I haven't looked at this in so long. And when you do, you realize how much of an upgrade doing everything in Solidity is.
00:34:11
kankodu
Yeah, it's been a game changer for sure. The first bug that I reported, I made a test case in Hardhat, but yeah, Foundry is just better for me.
00:34:27
kankodu
So, I just upgraded to Foundry and now I make all of my proof of concepts in Foundry.
00:34:34
riptide
The one, well, there's two downsides about Foundry that I still don't like. So, and I've reported, I think, 90% of my bugs with Hardhat because, once you figure out the bug, it's usually not too complex to just modify one of my Hardhat tests and just kind of show it in there.
00:34:51
riptide
But I've started to move to Foundry, but a couple of things I don't like, and I think it's changing, because I use hardhat-tracer, a great extension to see all the SLOADs and SSTOREs,
00:35:00
kankodu
Yep. Yep.
00:35:02
riptide
And I could trace the whole thing and it's fantastic. And Foundry didn't have that. And then the other thing is when you're testing and compiling. So any change you make to a test, you have to recompile in Foundry. In Hardhat, you don't have to recompile. It's just going to run that TypeScript and it executes usually quicker.
00:35:22
riptide
But you'll get all kinds of problems with, like, JavaScript, like memory issues on a massive machine. It'll still have fucking problems. So I think apart from the tracing, and I think Foundry's figured that out, I just need to look for it.
00:35:23
kankodu
Yeah.
00:35:38
riptide
I definitely lean towards Foundry. I think like everybody else now too.
00:35:43
kankodu
Yep, Foundry. Foundry works best, especially for already deployed contracts. Like you...
00:35:51
riptide
And what do you do? Do you do clone on those? Like, how do you approach it if it's already deployed and you want to test?
00:35:57
kankodu
Yeah, that's right. I just clone them so that I have it locally, and then I run all of my... if it's limited to that contract, then it's even much easier to just run all of my tests.
00:36:17
kankodu
Otherwise, like, the forking and the local development, they are almost,
00:36:18
riptide
Yeah.
00:36:24
kankodu
they feel the same if you have, like, decent internet. So yeah, it just works best for me.
00:36:35
riptide
Do you have any Foundry tips that you think are really helpful that you could share?
00:36:41
riptide
Any unknown commands that aren't that common that really help your flow, or...
00:36:46
kankodu
Me? I don't have any.
00:36:49
riptide
Off the top of your head, random Foundry commands.
00:36:54
kankodu
I don't have any commands.
00:36:58
kankodu
Come on.
00:36:58
riptide
Yeah, don't worry about it. Don't worry about it. Dude, I just, it's like, it's so feature-packed. I randomly find things on X. People are like, oh shit, I didn't know about this function.
00:37:09
riptide
And then I'm looking at that. I bookmark it like, wow, what is this? Pretty cool. Like they're just always iterating. Anyway, a lot of love for Foundry there.
00:37:18
riptide
All right, so let's go ahead.
00:37:18
kankodu
Yeah, the forge, like on that, sorry, the forge selectors, that's really helpful.
00:37:26
kankodu
So if you want to.
00:37:26
riptide
I just used that yesterday for the first time. That's so cool. Yeah, if you look for collisions, you want to see all the selectors, boom, it does it right there.
00:37:34
kankodu
Also, like for custom errors, sometimes you just see four bytes and you don't know which error message it represents.
00:37:45
kankodu
So you just do the forge selectors and you have the list of all of the custom error selectors and you can just grep for that specific error.
00:38:00
riptide
Oh, yeah. I was still using the website for that. Whatever the four byte. I don't even know what the bookmark is, but I didn't know it was built into Foundry. That's awesome.
00:38:11
kankodu
Yeah.
00:38:12
riptide
All right, we're going to move on to, I still don't have the sound effect, the alpha drop.

Lessons Learned and Personal Insights

00:38:19
riptide
So alpha drop, if you've listened to this podcast in the past, it's where myself, Riptide, and the guest, we drop some bug hunting alpha for all bug hunters to share and learn from and hopefully implement in your day-to-day bug hunting.
00:38:35
riptide
I was divided on this one. So I kind of had two, but I'm gonna go with the easier one. This one is when, and I think I've encountered it maybe once and maybe it was in Solady or something like that. I think I read about it in an audit and I just think it's a great idea and it's overlooked.
00:39:00
riptide
But if you have an assembly block that, because obviously we look for unchecked blocks in normal Solidity, but then when you also have a block of Yul where you could have, I mean, addition, everything's unchecked.
00:39:17
riptide
If you store that to a variable and then that variable is then read by the contract outside the assembly block, you could have that rollover.
00:39:28
riptide
So just that disconnect between assembly block and then outside the assembly block, look at the math closely. Some edge cases, you might have a rollover, you may be able to cause a rollover, especially if you're able to provide any inputs that may add to that computation within that assembly block.
00:39:28
kankodu
Mm-hmm.
00:39:47
riptide
So that's something to look at. Sir, do you have one to drop?
00:39:54
kankodu
I don't have anything like that specific. Like one of, what I would suggest.
00:40:01
riptide
It could be general, whatever you like.
00:40:03
kankodu
Yeah, general. What I would suggest is if you have been doing security for a while, consider doing some development. For me especially, I've been doing some development recently and like in the past I have thought, how could a developer miss this? And now, yeah, I miss this basically.
00:40:26
riptide
Do you have an example on that?
00:40:29
kankodu
Example, like I made an NFT contract and I just didn't, it's an NFT contract. So the metadata and everything is very important, of course, for an NFT. And I never mentioned the URI.
00:40:52
kankodu
So I just never inherited, like never implemented the base URI function. And that meant that on all of the wallets and NFT marketplaces, it just showed a default picture, basically. So
00:41:12
riptide
What's the name of this collection? Oh,
00:41:14
kankodu
Yeah, it's not a collection. That's why I missed it. It's not a collection. It represents a position in a DeFi protocol.
00:41:18
riptide
Okay. Okay.
00:41:23
kankodu
So it's not that important to the functionality, but it's a basic thing. Like if you are minting an NFT to a user, at least show an image, right?
00:41:36
riptide
Yeah, I agree. I think this reminds me of being back in high school, to be honest. Like you write that essay and then you read through that essay on the screen.
00:41:47
riptide
And then once you print it out, you start seeing some errors, or give it to your classmate, right? Hey, can you look it over? And he's like, what the fuck is this? And it's something about like, you're talking about being a dev, not seeing this, but I bet if you had pulled out that dusty old printer,
00:42:03
riptide
printed that bad boy out and looked at it and said, what the fuck am I doing? Or just giving it to another guy, you know, like do you ever, I know a lot of guys work in teams on bug hunting. Do you ever do that where you say, I can't find shit.
00:42:17
riptide
Do you want to take a look at this?
00:42:19
kankodu
Yeah, definitely. So at least for auditing. Hey, can you hear me?
00:42:26
riptide
Yeah.
00:42:27
kankodu
Okay, yeah, so I work with Spearbit, so we actually do work in teams there. So what I do is I just talk through the code base, and in talking through the code base, we sometimes find a bug somewhere.
00:42:53
kankodu
And also if it's a live project or something, I have some,
00:42:59
kankodu
some friends here who are security researchers.
00:43:07
kankodu
So those are helpful, just talking about the project, like what am I doing, what I'm trying to achieve. Even doing that helps in discovering some new threat to pull.
00:43:24
riptide
And is there, if you want to confirm or deny, give me the Glomar response, is there an Indian auditing and bug hunting mafia similar to the Bulgarian?

Community and Collaboration in Security Research

00:43:40
kankodu
At least in my circle, all I see is security researchers. So I don't know the proportion.
00:43:47
riptide
Uh-huh.
00:43:50
kankodu
My worldview is kind of biased. I'm a security researcher. All of my friends are. So I guess like if you are asking me, yes, everyone around me is a security researcher.
00:44:05
riptide
There's a mafia.
00:44:06
riptide
Nice. Nice. Maybe we'll talk later. Maybe if you have some guys that would also be a good guest, maybe we should talk and get them on as well.
00:44:07
kankodu
Yeah.
00:44:17
kankodu
Yeah, sure.
00:44:19
riptide
Very cool. All right. Thank you for coming on. This was a great chat and we will see everyone else on the blockchain.