riptide and alix40 discuss soloaudit: his public good contribution to the security space where devs can find independent security researchers for hire, why valkyrisecurity is offering web2 & web3 security reviews, web2 bug hunting vs web3, web2 defi attack points, how we make this space secure for both grandma and JP Morgan, AI audits, and much, much, more ...

Transcript

Introduction and Solo Audits

00:00:07
riptide
Welcome back to Bounty Hunters. After a long break, we are back. And we're coming back with a vengeance. I don't know, but it's been a while. And it's good to get back on the microphone doing a podcast.
00:00:22
riptide
We have today no sponsors because I don't know. I'm taking a break for today. So instead, we have alix40, who is part of Valkyrie Security.
00:00:39
riptide
And this guy is from, I brought him on because he started soloaudit.com. And I saw a lot of bug hunters signing up and putting this out there. So welcome, sir.
00:00:52
alix40
Hi, happy to be here. Thank you for hosting me.
00:00:56
riptide
Hey man, my pleasure. Um, dude. So, you know, saw you on the blockchain and saw a lot of guys. I mean, dude, what a great idea. Solo audits. So a lot of researchers want to get paid and they don't want to work for somebody and get nothing so they can buy more Lambos for their founders.
00:01:16
riptide
Ah, so they want to just go direct to the customer. And it's kind of more difficult than it seems. Because if you don't have a brand, if you don't have your name out there, you're just one of many and people really don't know if you're good, you don't have referrals. So just starting out.
00:01:34
riptide
And even if you already have a track record, and like having this visibility, um, from this tool that you built, just basically a job board kind of thing for auditors, I think is just such a great idea, man. So I saw that. Maybe you can kind of give me some background on yourself and how you came up with this.
00:01:54
alix40
Yeah, awesome, man. Thank you. So, yeah, I started working

Challenges and Benefits of Solo Audits

00:02:00
alix40
on Solo Audit actually this August, so maybe two months ago or so.
00:02:05
alix40
Um, yeah, myself, I am like an auditor. I used to do a lot of contests. I dabbled a bit in bug bounty, but only found like two bugs with my teammate. Elhaj was like a high and low.
00:02:23
alix40
But nothing extremely good. But yeah, this year, ah, kind of like stopped doing contests, and I also like asked about this on Twitter, and like I talked to many SRs, almost none still did contests, which used to be like a lot like people
00:02:41
riptide
And why?
00:02:41
alix40
is
00:02:42
riptide
Why did you contests? Uh-huh.
00:02:45
alix40
It kind of died somehow, I don't know. It was like, hey, this is a contest with 30,000 SLOC, if you find the medium it's 5k, if you find the high it's 20k, you know, and you can, you kind of, if you have like a brand yourself or, you know
00:03:00
riptide
hu
00:03:05
alix40
Uh, how, I think like for private audits you basically need to have connections. I don't think like, even if you are not that good and you have connections, you will find work. If you are extremely good, have zero connection, does nobody would find nothing. That's like sadly the truth. Um, but yeah, I did a lot of private audits and
00:03:12
riptide
right
00:03:29
alix40
I kind of like back from August, like I saw like people like making 80% margins and stuff like that, like basically paying us peanuts, you know?
00:03:40
alix40
And yeah, I was like doing a lot of solo audits back then.
00:03:43
riptide
Yeah.
00:03:44
alix40
And I was like, I want this thing to be more, uh, more like, uh, mainstream. Yeah, it's like if I saw like everyone from my friends like quit the freelancing world or like the

Shifts in Auditing Practices

00:04:00
alix40
being independent as SRs, started like basically joining companies one after the other. Like everyone I know is like, I've joined, uh, one company, started working full-time, you know what I mean? And I was like, ah, we need to, I need to do something about this. I need like something
00:04:14
riptide
Mm-hmm.
00:04:18
alix40
that will help the dream of being independent and living this lifestyle of being free. Um, so the contests are dead.
00:04:30
alix40
No one does them anymore. Ah, for you to have customers, ah, you need to have BDs. But like, I think you also have to talk to many

Valkyrie Security's Integrated Approach

00:04:40
alix40
SRs, especially the good ones, like they have like 200 followers on Twitter or something like that, you know?
00:04:49
alix40
And that's like the issue.
00:04:50
riptide
ah Yeah, but that's the deal.
00:04:50
alix40
It's like...
00:04:52
riptide
Yeah, it's true. You're very correct about that. Well, these guys are really good at what they do, but they're sometimes really bad at marketing themselves.
00:04:57
alix40
So...
00:05:04
alix40
Yeah. I mean, it's kind of... It kind of comes from, for example, the people who excel at competition. It's like because they put their whole focus on it. On like, they ignore...
00:05:16
alix40
all the noise. So they literally,

Security Incidents and Lessons

00:05:20
alix40
that's like the kind of person who really does well, who is able to concentrate a lot, put in a lot of work and find like the most unique bugs.
00:05:29
alix40
So yeah, back to the story. Ah, yeah, I, ah, it was like asking, I need something like this for me because I was like doing solo audits and I thought like I didn't like basically want the dream to die of being independent. I didn't want to see like everyone join a company and basically, you know what I mean?
00:05:51
alix40
um
00:05:52
riptide
Mm-hmm.
00:05:52
alix40
So yeah, I started this public good platform. I was like, no one's going to do this because it's public good. You are not going to make any money out of it. And there is no incentive. If you can sell, yeah, it's better to just like start your own company, take some margins.
00:06:11
alix40
And it's way better than like basically giving your leads for free. So, and I was like,
00:06:18
riptide
I think it's really noble, man, that you do something as a public good. You know, I would even, I think everyone deserves to get paid for their work. I would even say, like, you know, I don't know how simple it is, but hey, you're going to add yourself on here. Like, it's going to cost $10 in stables, whatever, and you just pay with your wallet, connect. Like, you

Future of Security Audits and AI

00:06:40
riptide
know, I know it's a little barrier and it's a little friction, but I think that, or put a wallet on your page, put something, man. Everyone should get paid for making something like this.
00:06:51
alix40
I appreciate it, man. But like, I would be honest with you. I also like, I think like it should be pro any project to be like sustainable long term needs to make some type of money.
00:07:02
alix40
But at the start of it, I was not thinking of making money. I was like maybe trying to fix a problem. It's kind of personal. That's like the thing, yeah. It's like you have some personal emotions out of it.
00:07:12
riptide
Mm-hmm. Yeah.
00:07:14
alix40
So it's like something for me, something I would need myself. So... And yeah, so at that stage of my life, ah, start of August, I was like...
00:07:28
alix40
Ah, you know the state of mind when everyone asks you to do something, you always say yes. Like, do you want to climb the mountain? Yes. Do you want to start this company? Yes. Do you know what I mean? I was like in that state of mind, execute, execute, execute.
00:07:43
alix40
And yeah, I actually like developed the whole platform connected with the SRs, prepared the strategy for the launch and everything in like in a week.
00:07:45
riptide
Mm-hmm.
00:07:56
alix40
So, it was just like 10, 12 hours
00:07:59
riptide
Dude, that's really good. And how many guys do you have on there now?
00:08:03
alix40
Yeah, I think more than 80.
00:08:04
riptide
80. 80.
00:08:09
alix40
Most of them, like, I wouldn't, I could have never expected that. I would assume like everyone would ignore me, to be honest, you know what I mean? It's, I assumed everyone will
00:08:11
riptide
a
00:08:19
riptide
No, because you're telling guys, you're like, hey, do you want to make money? And these guys love making money. So you got a lot of interest. This is great, dude. You have a lot of well-known dudes on here as well.
00:08:32
alix40
Yeah, that's, um, that's a big honor, to be honest. I am really happy about it. And it also like, ah, brings in a bit of like a feeling of responsibility.
00:08:43
alix40
I, ah, so many people trust in the idea. I need to make it happen. I need to make it work. And that's like the dream. Um, so yeah, I started everything.
00:08:57
alix40
A lot of my friends, I talked to the people. I have like a lot of friends. And the SRs. There's a lot of people who believed in it. We started it. We launched it very quickly. So because this was like a public good, I was not going to wait three months to do it.
00:09:12
alix40
It's just do it now.
00:09:15
riptide
Mm-hmm.
00:09:16
alix40
I think like I did a very good job, to be honest. I designed the website.
00:09:23
alix40
Kuzmajeevich Nadeemaharajan. Made, launched, onboarded the SRs, took some feedback, improved a lot of things, and I launched very quickly. Two months, like looking at this, do you have any questions before like I move to the current state or.
00:09:41
riptide
No, just looking at it. It's just so simple in execution. It's just like, you know, there's no hidden tricks, nothing. It's just like, hey, boom, click here, connect. They put their Telegram, Twitter, GitHub, and people would just reach out right there.
00:09:56
riptide
It's just, it doesn't have any transparency on pricing. And I mean, that's unique to every project, I guess. So I guess a client would come here and choose an SR based upon how good their profile is.
00:10:11
riptide
Um, and I mean, whatever kind of things they value, I guess, how good your profile is. And if you could show all the receipts of all your work, I think that, yeah, guys will get some good work here. Do you have any way of tracking, ah, which guys are popular?
00:10:29
riptide
Like who's getting leads?
00:10:31
alix40
Um, yeah, I mean, the only way for me to know is like basically through Google Analytics. So you just basically see, uh, who, the person, uh, who gets like the most reviews or profile visits, but other than like the
00:10:39
riptide
Mm-hmm.
00:10:48
alix40
person telling me I got the lead or something, it's like a bit difficult. But yeah, I mean, the idea for like Solo Audit, for the platform, is like, let's say I am a customer, I only have like 10k, so to say, to like do an audit.
00:11:02
riptide
Mm-hmm.
00:11:05
alix40
Oh, is it like better to just like not find like two SRs who will do the audit for you, like zero commissions, and just like find persons like who excel at your niche, let's say a staking contract? You go to the soloaudit.com website, you filter through the skills. I made it like, uh, obligatory for everyone who joins to select a maximum five skills, so like basically you would know who are the people, like, uh, which niches do they have, and like basically filter, put the filter for staking, pull out three, four, five,
00:11:34
riptide
Yeah.
00:11:47
alix40
see their portfolio, what they did, what are the achievements. Like all of this is like transparent and basically contact them. And for 10K, you will get two audits for 10K with another.
00:11:57
riptide
And what does it mean? What does it mean when you have this vetted star
00:12:00
alix40
Yeah.
00:12:03
alix40
Yeah. I mean, it's not it's not like it's an invite only platform. It's like kind of gated.
00:12:08
riptide
okay
00:12:10
alix40
So everyone who comes in, like, needs to be vetted by me. I have some strict guidelines. I sadly cannot tell them in the podcast because they can change, but there are like some guidelines to make sure you are capable.
00:12:28
alix40
So basically, if a customer comes and finds you through Solo Audit, I can have like the peace of mind of knowing that you will go do a good job, that you know your shit, in other words.
00:12:42
alix40
So, yeah, that was the idea.
00:12:44
riptide
and
00:12:47
riptide
Is there demand for, I hate this KYC. Ah, I know why you have it, but I fucking hate KYC. And I hate that the platforms require it. And I hate everything about KYC.
00:12:59
riptide
Is there anybody in, I've never had, so I've never had a project that wants to KYC me unless they're big enough where they have some business rationale for it.
00:13:12
riptide
Right. Any base dev doesn't give a fuck.
00:13:14
alix40
Meme
00:13:16
riptide
You know, it's only this within the past year or two where everyone's like, Oh, you got a KYC, even as though it's the biggest fraudulent bullshit ever.
00:13:17
alix40
token.
00:13:25
riptide
Oh man. I just, just seeing these three letters, it gets me going, man.
00:13:26
alix40
mean to
00:13:30
alix40
Yeah, I mean, I'm not doing any KYC for like SRs, but like what I did, because it's like a kind of, ah, for those like open platforms, you kind of need some ways to make the customer feel safe or comfortable.
00:13:33
riptide
I'm triggered.
00:13:47
alix40
Yeah, I'm trying to vet everyone. That's like the first thing. So it's like I'm not putting North Korean hackers in the website. And
00:13:58
riptide
They could bullshit your KYC anyway, man. They could bullshit KYC on all this.
00:14:01
alix40
Yeah.
00:14:02
riptide
but
00:14:03
alix40
And yeah, so they did well.
00:14:03
riptide
But let's pretend they can't.
00:14:08
alix40
I talked to them. They talked to me. I checked like their portfolio, the contest they did, what type of bugs they found, stuff like this, you know, and their Twitter page.
00:14:18
riptide
And are you planning on vetting every guy going forward?
00:14:22
alix40
I mean, I'm already at 80, so I think like I have already like vetted most of the legit guys. Maybe I think like the...
00:14:30
riptide
Yeah.
00:14:32
alix40
Because like a lot of people have joined companies, to be honest with you. Like that's also a thing, some people are not interested in private or solo audits anymore. Um, yeah, so just like to clarify one thing about the KYC: it's something that I added, like I said, to bring in more trust to the platform, but like it's basically if you join Code4rena or Cantina
00:14:35
riptide
Mm-hmm.
00:14:44
riptide
I'm good. Mm-hmm.
00:14:57
alix40
which is where it is like basically mandatory to do KYC, I will put in the tag and say KYC. This auditor has done KYC by this and this platform.
00:15:08
alix40
It's like, you know, so it's not KYC by you exactly.
00:15:11
riptide
Yeah. Yeah. No, no, hear it. Yeah. I think what you chose to do though, by keeping this very high quality, by vetting every single person on here and making sure they're legit, was a great decision, because I could already see it just go into trash.
00:15:27
riptide
Like if anyone could just create some profiles. So you've kind of curated this. And I think what you've got here is really like, you know, top of the top of, ah, security researchers here. This is really cool, dude.
00:15:43
alix40
I appreciate it. Like, and also like part of the reason why I launched it so quick, it was like, if I invested a lot of time, like let's say three, four months, I will not be able to launch it as a public good.
00:15:56
alix40
You know, I will be pressured into making it like profitable some way or another.
00:15:58
riptide
Mm-hmm.
00:16:06
riptide
Look, what we got to get up there, we got to get a banner up top.
00:16:06
alix40
Yeah. Just.
00:16:09
riptide
We'll get a Bounty Hunters podcast banner and we'll kick you over some cash to contribute to the project. I think that'd be great if you're up for it.
00:16:20
alix40
Yeah, I mean, why not.
00:16:22
riptide
Cool, cool.
00:16:23
alix40
We can talk about it later.
00:16:24
riptide
Yeah, man.
00:16:25
alix40
but
00:16:25
riptide
Ah, hey, so but also, right? So what was also interesting, I checked out your Valkyrie Security. You guys are doing this, what I think is like, um, so just step back. So I was at ETHSofia.
00:16:40
riptide
Um, that's why I wasn't doing podcasts. I was traveling too much. I was in Singapore. I was in Sofia and I was doing a panel there, and we're talking about how to secure the next trillion dollars on chain, since everyone's coming on chain: institutions and companies, everyone. So yeah,
00:17:01
riptide
And our security is a joke, to be honest, like how much is lost in hacks.
00:17:04
alix40
Okay.
00:17:07
riptide
um I looked at the numbers and it was like around 20% was smart contract bugs, hacks, and the rest were all private key compromise.
00:17:19
riptide
And I don't even know what to say about that. All we could really do is, like I handle the Web3 side, so the smart contract stuff, but a lot of the private key compromise is really, that's a Web2 thing.
00:17:33
riptide
You know, it's not somebody coming over and opening your vault and reading your seed phrase. Like, it's all Web2, phishing, all this stuff. So your firm... with your buddy Audron, I think his name is, who couldn't be here today.
00:17:48
alix40
yeah yeah
00:17:49
riptide
You guys are focusing, it looks like a holistic approach, right? You're doing Web2, Web3. Do you wanna tell me about that?
00:17:56
alix40
Yeah, I mean, I actually have a lot of things to talk about, like about the subject specifically. I can like start with something personal about it. Um, I don't know if you remember Tapioca, the project. Oh man.
00:18:07
riptide
Sure.
00:18:10
riptide
Oh yeah. Tapioca. That was a great, great example. Yeah.
00:18:14
alix40
That was a personal thing for me that shocked me to the core because like I know so many people like, you know, Alex, Alex, like kind of mentor, someone like I highly respect, and he like worked really hard in securing their stuff. Like he won two contests, I think, and like helped a lot, and a lot of SRs have invested heavily in securing Tapioca.
00:18:38
alix40
and They were I also like did okay.
00:18:38
riptide
I was one of them. Yeah.
00:18:41
alix40
but
00:18:42
riptide
Yeah, and an investor.
00:18:42
alix40
if
00:18:43
riptide
Yeah. So it was it was terrible news.
00:18:44
alix40
Oh, man. Yeah, and I like saw like the hack, ah, was reading through it. And like I was expecting maybe some smart contract, because like when they started, they had 150 medium or high issues found in a contest.
00:19:01
alix40
Yeah. And they like worked through it, added a lot of testing, a lot of audits, made it secure.
00:19:03
riptide
Mm-hmm.
00:19:06
alix40
I was like thinking maybe they missed some bug in the smart contract. And then I found that it was basically social engineering, LinkedIn offer or something, if I remember right, and it got like, yeah
00:19:18
riptide
It was a dev who was looking for, ah, a job. Yeah. He got phished. Jeez.
00:19:26
alix40
Yeah, man, it's like very sad. Like I was struck to the core, to be honest, reading that. It's like, what, it was like maybe eight months ago or something. But like I think that was, sadly, a nail to the coffin of a great project, a project that a lot of SRs, hopefully, they will make a comeback.
00:19:44
alix40
But that was like very hard, I think.
00:19:46
riptide
They are actually relaunching. We're working with them on their final audits, but they're relaunching and rebranding.
00:19:50
alix40
Ah, awesome. Then
00:19:52
riptide
Yeah.
00:19:52
alix40
That's great news. But I think like that definitely didn't feel bad. And it felt good to me. It really shocked me because like I know a lot of friends who worked really hard for that.
00:20:03
alix40
And yeah, that brought in the idea of like, why are we only focusing on smart contracts? And like fast forward to eight months ago, also in August, when the star, so I think like, you know, Audron?
00:20:22
alix40
Audron is like a Web2 penetration tester. He has like a lot of experience, like finding CVEs in Web2, bug bounties,
00:20:26
riptide
Mm-hmm.
00:20:32
alix40
and stuff like that. And he was like dabbling in the, ah, in the branch of doing wallet security. I think like I reached out to him because like I was in the mindset of doing, just doing, executing. And there was like, hey man, do you have any ideas how we could like make the space safer or something? I forgot what I told him, but like I started a conversation with him and he got back to me, like,
00:21:02
alix40
two weeks later or something, and he was like, we are building Valkyrie. I am doing it with Ahsan. Ahsan is like, I don't know if you know him, but this dude like has 1500 confirmed Web2 bug bounties. He's like one of the big stuff.
00:21:21
riptide
Okay, shit.
00:21:22
alix40
yeah
00:21:23
riptide
Sounds good.
00:21:24
alix40
He was with me in Sofia and like was like connecting with Bulgarian SRs. And he was like, hi, guys. Like, I literally like hacked every bank in Sofia. He was naming banks.
00:21:37
alix40
This bank, I found SQL injection.
00:21:40
riptide
Oh, shit.
00:21:41
alix40
This bank, I found a remote code execution. Yeah, some crazy guy.
00:21:45
riptide
Wow.
00:21:46
alix40
So yeah, that's... And we started working on Valkyrie. So we basically have, both Audron and Ahsan have a lot of connections to a lot of the very good SRs in the space.
00:22:01
alix40
Uh, like the Web2 SRs. And I personally, because of Solo Audit and because of like the two years plus experience, I also like know a lot of, uh, very good Web2 security, Web3 security guys. And we thought of like making something out of it, like, ah, tackling this, um, security problem differently, from a holistic approach. Ah, one of the reasons, I think, why, like you said, only 20% of the biggest hacks were actually smart contracts and 80% were like off-chain stuff, the actual thing I think is like basically because smart contract auditing got so good. I think that's like the main reason
00:22:22
riptide
Mm-hmm. Mm-hmm.
00:22:42
alix40
attackers find it like now a lot more difficult to hack smart contracts, but they need to fill out their quota, so they need to still be hacking, they need to still be making money, you know, so they basically
00:22:51
riptide
Okay.
00:22:56
riptide
Yeah, we're always going to look at the easiest link. This is like just classic kind of physical pen testing. I mean, you see a fence and you just walk around the fence till you see something like, oh, this is a little loose. It's the same thing with any target.
00:23:11
riptide
And I mean, it's good. Like it's a good signal with the contracts seem to be getting better, ah, because I think with that analogy, like the contracts are, um, kind of like a brick wall.
00:23:26
riptide
And the rest of this shit show, it's just like, it's like that other meme where you have a door on a sidewalk in the middle of the park. And it's just, you know, park closed.
00:23:37
riptide
And you could just walk around the door. Like, you know, we joke about all the multisigs ending up in one room on a conference or... Or just guys watching, you know, porn on their computer when that one should be for security reviews or managing a multisig.
00:23:52
alix40
it
00:23:55
riptide
It's a joke. It's ridiculous. And this is the truth.
00:24:00
alix40
Yeah, man. Yeah. I come personally also from Web2. I was like a Web2 pen tester before like I switched. And like I used to work, ah, with banks.
00:24:11
alix40
Like I worked, I don't know if I can say this, but like I worked with the central bank of one of the biggest countries in Europe as a pen tester or tester, so to say.
00:24:21
riptide
Mm-hmm.
00:24:25
alix40
And man, you will hate yourself to see like how many things I needed to do and how small access I had in the computer that I was connected like to do the work.
00:24:40
alix40
I mean, it's insane. Like, you know, if you want to install a Python package, you need to basically, someone needs to download it before you, test it out, make sure it's legit, and you can use it.
00:24:51
riptide
Oh yeah. Yeah. Yeah. Yeah. I've been in those environments.
00:24:54
alix40
this
00:24:57
riptide
Yeah. You can't do anything.
00:24:57
alix40
Yeah, and that's like for a reason, like because, uh, Web2 pentest, Web2 hackers have already been there. They still make a ton of money. Uh, it's not like, Web3 is only like a small section of the hacks that appear globally. Like they still are doing a lot of work to make money, to make like basically ransomware, encrypting all your customer or your company details so you need to pay a ransom or something like that.
00:25:27
riptide
Yeah.
00:25:31
alix40
They are making money and they are hustling very, very hard. The way they find to hack a company is like insane.
00:25:36
riptide
yeah
00:25:39
alix40
And for this reason, especially banks, the people who hold all the money, they have like this very, very, very strict OPSEC. And then it comes back to us in Web3 security: you will have like somehow a dev who has the private key that controls half a billion, literally, of money, just literally, like you said, watching porn or like downloading files or like applying for jobs from the same computer. It's like insane. This is like
00:26:18
riptide
Yeah, I see that fading out with how formal the space is getting. Like where you had the, I think the most famous one is probably the Polygon multi-sig, which I think was like three, I want to say three or four guys, and they had a billion or a few billion people.
00:26:34
riptide
in the bridge at one point years ago. I don't know what it is now, but I see that as as the centralization risk that's always flagged in audits as crucial that we've ignored.
00:26:46
riptide
Um, I see that kind of being taken more seriously now, the more of these hacks we get, which is good. It's the only way it gets better, is we have these hacks, to be honest, because everyone, you know, human mentality is just, yeah, it's not a big deal until it really is.
00:26:53
alix40
Mm-hmm.
00:26:56
alix40
Reality check.
00:27:01
riptide
So, I think it's good. Um, you know, what would you say like the best Web2 attack vector is right now on like a DeFi protocol?
00:27:13
alix40
To be honest with you, um, there is an attacker, he will look at your protocol, or let's say lending protocols. He will not see only the smart contracts, or he will not only see the website; he will see it from like a whole stack perspective, and he will try to look for the easiest way or the, like from an attacker mindset, like how can I take money from this?
00:27:38
alix40
Okay, let's let's check the smart contracts.
00:27:39
riptide
Mm-hmm.
00:27:41
alix40
Audited 17 times by this and that and this and that and this and that, and there is not enough complexity. Okay, ignore this. What else do I have? Okay, I saw in the smart contracts, the admin can actually like steal money or something like this. This is like what you said about centralization risk.
00:27:59
alix40
Okay, how can I, ah, find the private key? Uh, then comes like some stuff like spear phishing, when you will have like people literally like acting and writing scripts on how to target a specific person, um, and like to basically have access to the private keys. If, let's say, there's no centralization at all and even if you are an admin you cannot like steal money or anything,
00:28:32
alix40
Then they will look for things like, for example, do you guys run bots on one of the cloud infrastructures? Like that holds money, for example.
00:28:41
riptide
Mm. Mm-hmm. That's a good one.
00:28:43
alix40
Do you guys...
00:28:44
riptide
Yeah.
00:28:45
alix40
Do you guys like, ah, take the security of your website seriously? Meaning can I like, putting the payload or something that will be executed for other customers, like something for phishing campaigns where, because like a lot, it is like possible if you,
00:29:05
alix40
if you can control to some degree what appears to other users on the website, to actually like make them sign malicious load, steal all their money. So even if the attackers can't, you can steal directly from the protocol, you can use your website to steal from other customers who will use or trust your.
00:29:22
riptide
Yeah, like like the Gnosis Safe, the Gnosis Safe one that happened recently. That was a scary one to read about.
00:29:28
alix40
Yeah. Yeah. That's, I mean, dude, like that's central intelligence type of hacks, to be honest. That was...
00:29:39
riptide
Dude, I mean, I feel kind of embarrassed, right? Because, but you know, as smart contract auditors, you submit a bug and I'm sure everyone's had the occasion where the client's like, well, you know, the front end doesn't allow it. Like when they so utter those embarrassing words, like the front end doesn't allow it.
00:30:00
riptide
We're kind of chuckling like, oh, you know, we don't even look at the front end. Like, I don't know what your front end looks like because it doesn't matter. But then on the flip side, it really matters a lot. It's not about taking money from the project, but it's about taking value from the users on that side. And it's just something that I've never really cared or looked at.
00:30:21
riptide
But my God, it's such a terrifying vector. Like when I use DeFi, um, and I want to use some new protocol, I'll go to like CoinGecko or DefiLlama ditch to knowingly, you know, I trust the websites they have in there that are going to be the right ones. And everyone has some wacky domain.
00:30:42
riptide
So good luck keeping up with whatever the trendy domain is. But good luck if you Google something. I mean, you're fucked. The first five results are going to be scam sites.
00:30:53
riptide
And they look exactly the same.
00:30:53
alix40
ye
00:30:55
riptide
And if you're not looking at what you're signing hardware wallet, like it doesn't matter. And I think that's like, to me, Web2 right now is, um, I want to say, a bigger risk than like the Web3 side.
00:31:10
riptide
What do you think?
00:31:13
alix40
I will tell you like honestly what I think. I think like people underestimate how hard Web2 hackers work. Like it is difficult to find like ways to like destroy protocols using like the Web2 attack vectors.
00:31:28
alix40
But you have like people literally like working 18 hours a day.
00:31:29
riptide
Mm-hmm. Mm-hmm.
00:31:32
alix40
It's not auditing, yeah? It's like black box testing. So when you are auditing, let's say like you read code base for eight hours or six hours, you will just like stop. You will get brain.
00:31:45
alix40
Brain, a brain like pain or something like that. You cannot focus for eight hours, but for like black box testing, you are basically executing tests. You are like doing manual work. Some type of it like requires concentration, but some part of it is just like executing stuff, running fuzzers, running scripts that like try to get stuff.
00:32:08
alix40
Or maybe, like you said, for, uh, spamming or spear phishing campaigns, you are like literally studying a person's LinkedIn profile and doing stuff like that. So they actually can work a lot, they work a lot harder, 18 hours a day, 12 hours a day. I was like, we were talking with Ahsan, he's like what I told you about, and the dude like has been working 12 to 18 hours a day for the last 10 years. Like I'm not joking, this is like how
00:32:28
riptide
Mm-hmm. Mm-hmm.
00:32:35
riptide
gee
00:32:35
alix40
Web 2 people, you know, they they really are trying hard is like the idea. Also like the hacks that happens, it's not easy, but like it only shows like that people that the hackers are finding like extreme ways to make damage or street damage or stuff like that.
00:32:54
alix40
But as you said, like smart contracts, like we in the Web 3, we try to assume that it's only the smart contracts that are important, but like, from an attacker mindset, he sees everything. Yeah, he will try to find a way, a creative way to just basically make money, and he will look everything or everywhere to just find that. Like I said, cloud, OPSEC, front-end, mobile app, website, anything. Like anything he finds, he will try to extract some value out of it.
00:33:31
alix40
And this is like ah very there is a lot of very hardworking Web2 hackers who don't eat literally who don't sleep are executing stuff like
00:33:41
riptide
Yeah, I mean, but they, they have such a bad reputation as far as the spamming goes. Like when they're submitting reports, you thought the Web3 AI slop was bad. People are like, no, no, no, that's been around forever.
00:33:53
riptide
It's called like Web2 slop. And people just spam the fuck out of these programs to try to get $20 payment. You know, a lot of these guys are in poorer countries from what I've heard.
00:34:03
riptide
And so if they can get 20, 50 bucks, like you know that's some good cash where it's worth their time to to do this kind of shit.
00:34:09
alix40
That's a week's work, yeah. Yeah, you can survive for a week out of that. Yeah, it's also like, it's like us
00:34:12
riptide
Shit, a week, god damn.
00:34:18
riptide
Yeah, but most bounties are are what? Like 10 grand, five grand, like they're pretty low even for some significant ah vulnerabilities, right?
00:34:27
alix40
yeah I mean, i would i would be honest with you, like, about, like, we have two bank bounties, because, like, I talked to, like, the people who did this mainly, and specifically Aldron and Ahsan.
00:34:38
alix40
it's It's true. It's like, you as you said, like, you know, like, Ahsan, like, found basically an SQL injection in one of Bulgaria's biggest banks. You know how much money they gave him?
00:34:49
alix40
10K. It's like, you know.
00:34:51
riptide
Oh yeah.
00:34:55
alix40
But...
00:34:55
riptide
This is like, this is like the centralized exchange bounties on web three. They give you like 10 K or found one and there was like, um, I know what it was. It was with hack improves, like 40 million at risk.
00:35:08
riptide
And they're just like, oh yeah, here's, here's 10 grand payout. Okay, man. Thanks.
00:35:14
alix40
Yeah, I mean, but like, you also like need to know something. Like Ahsan, for example, when he submits, he doesn't submit one report, he submits like 60 valid reports, you know, and 60, 60, I mean like
00:35:26
riptide
60 reports. What the fuck?
00:35:31
alix40
Because like the a lot of it is automated because he already like have the knowledge and like he knows how to find bugs. So he later then writes scripts how to catch that bug.
00:35:40
riptide
Mm-hmm.
00:35:41
alix40
You know what I mean? So that's like how basically Web2 security people make money from bug bounties. They don't make a lot of money from a single bug bounty.
00:35:52
alix40
But they find like 30 or 50 in like two months.
00:35:55
riptide
Okay.
00:35:56
alix40
But they still don't make enough money compared to the Web3 security guys, I would assume, like are like excelling at bounties. But you will find people who make over a million from Web2 bug bounties.
00:36:10
alix40
And they will find ah thousand.
00:36:11
riptide
Yeah. if If you, if you find some, some one click, yeah.
00:36:12
alix40
du
00:36:14
riptide
One click, Apple, Apple bugs, maybe they'll pay you for that. I don't know. So, all right, so you you're going to do web two, web three. Are you going to be the first one that is also doing the physical side? You're going to knock on doors.
00:36:30
riptide
Tell me yes.
00:36:30
alix40
What? Putting USB sticks in front of the door of devs or what?
00:36:32
riptide
Like, well yeah, like, hey, check in the guy, yeah check his windows, you know, check his Airbnb.
00:36:38
alix40
Yeah, I mean...
00:36:44
alix40
Yeah, I mean
00:36:45
riptide
That would be cool. No one's doing this.
00:36:47
alix40
Yeah, it's also like a part of the Web3, Web3 culture. Like each protocol, he will have like five devs and each dev is in another continent, so to say. Just kind of not as easy, you know, because like you will have a lot of freelancers. The devs, someone will be from USA, one from Europe, one from Asia. And it's not like as in Web2 where everyone will go to the office.
00:37:14
alix40
So you can try out some stuff like this. But definitely there is like some service we are like trying to prepare, which is basically called, it's like a Web2 service already, which is like red teaming.
00:37:17
riptide
Mm-hmm. Mm-hmm.
00:37:26
alix40
which we will basically do what an attacker tries to do. You will try to make some convincing offers or job offers to the SRs or like, run like specific emails, scam emails to the devs or the people who are working on the protocol.
00:37:46
alix40
And the goal of it is like, it's not to basically do harm to the protocol, but it's basically to educate the devs. Because like you could bring them to a course: don't click, don't click links, don't do this, use your work laptop only for work related stuff, you know what I mean? But everyone will ignore it. But if the same dev will just like fall in one of the traps from the red team engagement, it's like
00:37:47
riptide
Mm-hmm.
00:38:12
alix40
way better learning experience, so to say, you know, so
00:38:17
riptide
Yeah. are Are you, so you're offering what I think is a unique kind of value prop. And I think other firms, the the ones I've spoke to said, oh yeah, we're going to start doing this too.
00:38:28
riptide
Are you, are you already doing this with certain clients? Are you offering them web two, web three combination packages or, or is this just something you just started? Like what's the level of interest?
00:38:41
alix40
I mean, like, to be honest with I think like this is the perfect time for them in the market to start something like this. And we have already, like I told you, like I started at the end of August, I think. We started with Valkyrie and we already have like three customers.
00:39:00
riptide
Awesome.
00:39:00
alix40
It's not as, yeah, that's that's more than expected, to be honest.
00:39:01
riptide
Awesome.
00:39:04
alix40
And it's like a lot of work. I think like the idea works because like, But it's like still not quite mature. I think like you need still need to be making ah more content or like bringing more awareness to this type of stuff.
00:39:20
alix40
um We are not doing full stack audits yet, but we will do like, for example, smart contract audit here or like front end
00:39:34
alix40
frontend like audit there. We still didn't like have a client where we did like everything together. are also like trying to do something, which I think like has a lot of value specifically like for protocols and doesn't like cost much.
00:39:49
alix40
Some people, are they don't have to they don't do Web2 audits for a reason. yeah They don't have either the money or that's like the main reason. If they have like extra cash more than they need,
00:40:02
alix40
And they still don't do that, they don't audit like their cloud infrastructure, their front end, and that's dumb. But like there are of people who actually don't have the funds. All the funds that they had, they ran a contest, hired three, three like smart contracts, a firm, and stuff like that.
00:40:18
alix40
And this they still don't have any money left or way too late to do like little to the Web2 part of it.
00:40:20
riptide
Mm-hmm. Mm-hmm.
00:40:25
alix40
And what we are like proposing is like threat modeling. We will basically like look at your... We'll have like two people, one who is a Web3 smart contract auditor to basically map out the centralization risks, and another, which is like the Web2 specialist, someone who has like deep experience with Web2 stuff.
00:40:49
alix40
And we will look at your protocol from a whole stack perspective and map out all the possible risks So basically all the attack surfaces, because like it's also awareness. You know what I mean?
00:41:02
alix40
Some people don't know, for example, if you don't secure a front end, some people can use it to do harm to other to other like persons or stuff like that.
00:41:12
riptide
Oh, dude, there's so many, there's so many angles. I think that's, that's very important.
00:41:16
alix40
exactly the season
00:41:18
riptide
Yeah. Yeah. I mean, even from like, I have a background of, of, you know, I've been in using computers my whole life and from setting up my own web domain, you know, a couple decades ago to, you know, changing the MX records and setting up a Telnet connection on my own mail server, like all these random things I've done, but a lot of people haven't done,
00:41:41
riptide
all of it, right? They've done, they specialize somewhere, they've done this, this, this, but to know about the different, like how many people until recently knew that, oh, you could just get your domain name hijacked, you know, like, like where these DeFi protocols like, oh, whoops, sorry, the domain got hijacked.
00:42:00
riptide
It's like, that's fucking terrible. That's like the front door of your business. Someone opens the door and they're in like a pawn shop in Morocco. It's like, what the fuck? Like, where am I?
00:42:13
riptide
And it's so fucking terrible. It's a big black eye on your protocol, but to their, you know, just, just to be lenient on them. It's like, there's so many different vectors to kind of secure. And if you don't do web two security, you don't even have a clue.
00:42:30
alix40
Yeah. And then that's basically the idea. so at least you don't have the money to do it. At least be aware of what can happen. So this is like the minimum, you know, at least know that this and this can happen.
00:42:41
riptide
Yeah.
00:42:43
alix40
So maybe if you have some funds in the future, you can prioritize. You can like say we didn't do that yet, but maybe you will like secure the spot in like three months or something like that.
00:42:56
alix40
So at least be aware of like what shit can happen in the future. This is like basically what we are trying to also push, which is like threat modeling. Because like mm-hmm.
00:43:06
riptide
and what what What's... Oh, go ahead, go ahead.
00:43:10
alix40
I had like both experiences. Like I worked as a smart contract auditor and I worked as a penetration tester. And as you said, for web two, it's way, way, way more complex, way more difficult. And there's a lot more angles.
00:43:25
alix40
Like the backend, for example, it could be written using 300 different frameworks, languages, stuff like that.
00:43:35
riptide
Oh, man.
00:43:37
alix40
Cloud pro different cloud providers.
00:43:38
riptide
Yeah, it makes looking at a Solidity contract look look simple. I mean, if you've ever looked at, just just do an inspect on on a random website nowadays and just try to process everything, you know, the console log network in and out.
00:43:46
alix40
Yeah. yeah
00:43:51
riptide
And it's just even browsers. Browsers have become the computer now. And so everything's running through there. And there's just like, yeah, you're right, man. More complexity, more bugs. There's just no avoiding it.
00:44:04
riptide
What is the scope on that? So if you're doing the web two side compared to the web three sides, say you have a DeFi protocol, average average scope, maybe it's like um under audit for two, three weeks, but from the web two side, you have a domain, the main domain, like is there, what would be the estimated kind of scope time for that just in general?
00:44:24
alix40
for for like for domain
00:44:27
riptide
Yeah, I guess the web two side of a DeFi project would just be, you know, their site, you know, I guess that's it, right?
00:44:32
alix40
it's it's it's It's different. It's different, and that's why we recommend doing threat modeling. Because like you can give us you tell us to do like an audit for a cloud that you only use for bullshit, so to say.
00:44:47
alix40
And like it doesn't matter either way, so you shouldn't be auditing that. But for example, let's say you only have a website. that is not like quite big, only have like certain features, maybe like one to two weeks, but it's different. Yeah.
00:45:03
alix40
You will, I would also like recommend doing something which most people would also ignore, which is like making sure that your cloud infrastructure is hardened. I saw like one of the reports of Ahsan, he did like basically a cloud audit for like a Web3 protocol and they had like this cloud instance.
00:45:25
alix40
Uh, controlling, which, which had like a script controlling like a wallet that had like a lot of money in it. And you know what type of bugs he found? Remote code execution. Like this is, this is like some, some really scary stuff, so to say. But as I said, like you need to look at the protocol and see like where the funds are, where are like the data, uh, well, where users interact with the project, like in which a surface. Like you identify those surfaces and you try to make it. I mean, for most protocols who don't have like a lot of stuff, let's say a simple lending protocols, you'll probably like get this done in under two weeks and like, yeah, cloud front end and like all the hardening stuff to make sure that no one can hijack any
00:46:23
alix40
so yeah
00:46:24
riptide
Jeez, man. Yeah, that's and who knows what the pricing would be on that. I guess the the market will decide on that. But I think what you guys are doing is it's it's a step in the right direction that we the whole industry needs to move to because whatever piecemeal solution is being done now, I don't think is enough.
00:46:42
riptide
until we stop seeing these these exploits. And, you know, like it's getting better. And and I talked about this at Sophia. It's like, we're always gonna have security problems, just like we have in a web two, because web three is even more permissionless where you can do whatever you want with no budget and TVL could flow to you.
00:47:01
riptide
And you could just not have a clue what you're doing with security on web two or web three side and bad shit's gonna happen, you know, unless you're lucky. And that risk is always going to be there. But it's about like, to me, it's about trying to make this more affordable and accessible for everyone so we can have a much safer on-chain experience. That's why umm I'm doing this AI audit um launch.
00:47:32
riptide
you that we We built this thing that's we think is able to find a lot of bugs for a fraction of the cost that that the normal human auditors do.
00:47:43
riptide
Because I think that's that part of the industry is ridiculously overpriced. And I think that will come down whether they like it or not. And that's only going to lead to more people getting better security because I've talked with so many devs and so many protocols where they have a limited budget and this is what they can afford. And even when they pay top dollar, they're still going to get bugs. And so it just pisses people off and it leads to hacks and projects going down and lives being ruined.
00:48:13
riptide
So I think the cheaper and more accessible we make this and, um, you know, more available, like what you're doing with this web two, web three package, I think it's just going to get better on the ecosystem.
00:48:25
alix40
I agree. I mean, there is a lot, there is like basically two sides,
00:48:31
alix40
currently on the how they see like the, the AI stuff for Web3 security. There are people who overhype it. It's going to replace every SR and there are people who are saying it's just bullshit. There is no use to it.
00:48:47
alix40
I am more of the the like perspective. It's currently very smart move to work on this and like making it making it making some good product out of it.
00:49:00
alix40
The language models have gotten to a very good level. And it's now more about like of around the software on how you manage or how you use the LLMs.
00:49:12
alix40
So it's basically now down to the devs who develop those type of audits. I see a lot of value to in it, to be honest. And that's awesome.
00:49:23
alix40
ah I'm happy for you. That's like a very good timing to start working on that.
00:49:29
riptide
he's He's like, I'm happy for you. He's a mad face in the background of taking all your business.
00:49:33
alix40
Yeah. Yeah, you're going to make me jobless, dude.
00:49:35
riptide
No, just, no, man.
00:49:37
alix40
Like, out on the street.
00:49:39
riptide
ah It's, you know, it's it's not like that, but it's like, look at that Will Smith spaghetti eating video, right? We all laughed at it when when AI was doing that. And you look at it now and it's almost perfect.
00:49:53
riptide
And so if you're if you're in any sort of mindset where it's not going to keep improving and getting better and starting to eat into eat into your your market share, it's just, it's not true. So ah having said that, there's always room for humans. I think that there, especially bounty hunters.
00:50:12
riptide
i'm I'm talking about disrupting the mainstream audit space. And it's not like people can't compete and there's always going to be different firms. But it's about making it more affordable because these margins are ludicrous right now.
00:50:26
alix40
Yeah.
00:50:26
riptide
And so I think the money train is coming to an end unless you're at the top of the top and you can show that you add value and be able to compete with these AI auditors. Like if you're finding new classes of bugs, right? For example, like let's just say Asymmetric Research and, you know, Trail of Bits like, and other hunters too, independent hunters. But if you could find new classes of bugs that AI doesn't know about,
00:50:50
riptide
hey, you're ahead of the pack, man. The AI only knows about ah what's already been reported. It's not creating up new things. So if you could find new unique shit, dude, you're ahead of the game. So this means top tier people are going to remain top tier, but this clears out a lot of underbrush that is you know just has to adapt to survive. And that's how technology always moves forward, unfortunately, or fortunately, depending on how you look at it.
00:51:20
alix40
I will tell you like how I see it, to be honest with you.
00:51:22
riptide
Thank you.
00:51:22
alix40
I agree, first of all, with almost everything you said. it It should bring the bars higher. It should be a positive thing for the whole space.
00:51:33
alix40
And it's like the right time to work on it. I will tell you about like what I think about human parts in this. I would, I would have, ah, been more afraid if security was... and like I, I studied computer science.
00:51:49
alix40
I might butcher the names of the of the algorithmic stuff, but I think there there's like some but some problems that are like ah proven to be unsolvable or suffer this um something like this.
00:52:05
alix40
So basically, you cannot solve those problems. ah And I think security is ah similar topic or a similar thing. cannot so You cannot for sure know, like using math or anything, that there is zero bugs in this protocol.
00:52:23
alix40
And as long as you have that, that you cannot solve this.
00:52:24
riptide
Mm-hmm. Mm-hmm.
00:52:29
alix40
there will always be like room for humans to work. Because if it's solve up because like AI, it's basically statistics. like I mean, you will have true positive, false negatives.
00:52:42
alix40
You don't have like a 100% thing, you know, it will help you like find bugs for sure. It will make the bar higher, but it's not something that will find every bug, you know, because the problem, it's not the problem with the AI, it's the problem itself. It's that the problem is unsolvable.
00:53:02
alix40
So that's like the how I think about it. So even if you have like a very good AI,
00:53:08
riptide
I think anything where humans are involved you're you're going to have bugs yeah
00:53:13
alix40
Exactly. Oh, man.
00:53:17
riptide
Yeah. Well, hey, let's, I want to drop, I want to drop some alpha drop. I have not dropped any alpha in a long time. um And I didn't prepare you for anything.
00:53:29
riptide
So so think about it.
00:53:30
alix40
oh man
00:53:31
riptide
I'm, but, ah, I'm gonna, I'm just going to drop one from something I was looking at recently. And, you know, to be honest, I was making a quick comment here about like bug bounties and contests, right?
00:53:42
riptide
I feel like the whole space is tightening up. Like um bug bounties do not pay out as easily as they used to. And as I've said multiple times, like if you have any nuance in there in your report or in the in the bug itself, it's like they'll find any reason to reject that.
00:54:01
riptide
And even paying out lower severities is like extracting teeth. And I feel like contests that I don't often do. And the couple that we just did, it's it seems like the biggest, the stupidest game ever, like where you have a judge say, okay, this is valid. And then for God knows what reason this thing is getting, you know, pumped down because obviously they want to save some money.
00:54:29
riptide
It just seems like... Honest white hats that are trying to make a living are kind of getting rolled over on and getting fucked. So I hate to see that, but that's exactly what I've been seeing recently in the space. Unless you get, have clear cut bugs that, um,
00:54:46
riptide
you know not with contests, but with bug bounties where the one-click drain bugs and stuff that's objectively like, hey, I could have gone black hat right now, but I'm reporting it versus like, hey, this could harm your protocol if this scenario develops.
00:55:01
riptide
So those kind of ones. But... just kind of bad vibes I'm getting from, you know, from the space with regard to bug bounties, and I hope that doesn't continue. I hope the good protocols are out there still and good devs that reward security researchers. So anyway, on to this alpha. So this bug that I was looking at was an Oracle bug.
00:55:26
riptide
And I don't think I'll submit it because I don't think I'll get paid for it. and I don't feel like arguing about it, but it was a stale price check. So if you have an Oracle and it has, you know, you're you're getting the price and you're not checking the freshness, the heartbeat of that Oracle, that price could be from,
00:55:49
riptide
five minutes ago, could be 10 minutes ago, could be a day ago, who knows? And in volatile markets, that is extremely important because if you have like a stale, low asset price, then you could buy, you could buy the collateral or whatever, an underpriced rate, and then you could resell it at a market rate for profit. So there's arbitrage opportunities, there's liquidation problems that can happen. There's all kinds of weird problems that can kind of screw up your protocol. So,
00:56:17
riptide
If you see something like that, I would report it if if you could demonstrate. Well, first off, if you could see like, hey in the past, this price was stale multiple times. Like if you could show that behavior had occurred before,
00:56:33
riptide
And if you could show some, like a critical funds loss scenario from that exploit, ah that's where I'd report that. So that's my alpha is stale Oracle prices.
00:56:44
riptide
Not always checked. Alex 40, what do you got, man? Give us some alpha.
00:56:50
alix40
Oh man, you are putting me on the spot. I'll, I'll, I'll, I'll.
00:56:55
riptide
Hey, this this could be this could be a ah better way to do ah bench press. you know well
00:57:00
alix40
Yeah.
00:57:00
riptide
Whatever alpha you want, man.
00:57:03
alix40
It's like something i was thinking about literally 30 minutes before the podcast. And it's like about like working as like ah dev or working as a BD versus working as a security researcher.
00:57:19
alix40
As, ah, security researchers and security, security researcher, you have like, let's say six hours a day and you are trying to have like maximum hours for that, for like for auditing, let's say six, seven hours, max time of concentration.
00:57:41
alix40
And like, because I did a lot of business stuff, launching solo audit and,
00:57:48
alix40
And Valkyrie, I like, I noticed something. Like when I work on business, it's like about tasks. So we have 10 tasks. I need to do them.
00:57:57
alix40
I need to do them in the next five hours, so to say. So I am forced to work a lot in those five hours to be very efficient about what I do.
00:58:10
alix40
And um it's quite a... of a
00:58:14
riptide
Yo, hey, hey, Alex, hey, hold on. It's like you changed microphones and you went inside of a toilet.
00:58:21
alix40
Can
00:58:21
riptide
Your audio is, it's so fucking bad.
00:58:24
alix40
you hear me now or what? Can you hear me now?
00:58:27
riptide
I don't know what you just did, man. No, you're in a toilet.
00:58:30
alix40
like me no It's now it's very bad to
00:58:34
riptide
Yeah, I don't know what you did, man. It's completely different.
00:58:37
alix40
watch. The battery of the microphone is out.
00:58:40
riptide
Oh, shit.
00:58:40
alix40
It's gone.
00:58:41
riptide
Okay. Okay.
00:58:44
riptide
All right, continue. Continue with this alpha and then we'll kill it.
00:58:46
alix40
thank You hear me.
00:58:48
alix40
Okay, okay, I'm sorry, guys. Sorry for the torture, but basically... I will need... Yeah, so basically, like, as a dev, you need to, like, prioritize doing more in, like, less time, and as an auditor, you will try to have as much time as possible.
00:59:11
alix40
And this, like, something I was, like, thinking about on how, like, to improve the efficiency of how you do all this. which would be basically to actually like also use the same approach. Which would basically do something like read or understand the smart contract, the smart contract, the smart contract, like make more like a best approach and try to do it constantly to like have more for the same amount of hours.
00:59:39
alix40
Yeah.
00:59:42
riptide
Yeah, that's good, man. All right. On that bombshell, we're cutting out.
00:59:48
alix40
Thank you.
00:59:48
riptide
Thank you for coming up. We'll see you next time on the blockchain.