
riptide & nnez discuss his secret to becoming a top-15 ranked bug hunter on Immunefi and earning $1,000,000 in bug bounties, meritocracy in crypto and why that is a good thing, bounty negotiations, why bounties are easier than contests, DeFi security with TradFi participants, what protocols to look at and how to find bugs, looking outside of Solidity, an ALPHA drop, and much, much more ...

Transcript

Introduction and Guest Background

00:00:07
riptide
Welcome back to Bounty Hunters: Life on the Blockchain. I'm here with N-N-E-Z. Am I pronouncing that right? All right.
00:00:16
nnez
Yeah, sure. This is actually the first time that it's been pronounced out loud.
00:00:22
riptide
And I gotta just, uh, ask, because I have a suspicion that I'm right, but are you Thai?
00:00:30
nnez
Yeah, yeah, sure.
00:00:31
riptide
I could tell. I love Thailand, the best land of the free.
00:00:32
nnez
I'm tired.
00:00:35
nnez
Thanks. Yeah, definitely.
00:00:39
riptide
Can I ask what region you're in, if you care to reveal?
00:00:42
nnez
So, Bangkok. Yeah, but just Bangkok alone is pretty hard to pinpoint.
00:00:45
riptide
Okay, straight in the heart. Yeah, Bangkok is like, yeah, I'm in Tokyo. Okay, find me.
00:00:55
nnez
yeah
00:00:56
riptide
That's cool, man. Well, hey, thanks for coming on.

Achievements in Bug Hunting

00:01:00
riptide
I found you. I think I'd been following you, but you popped up on my radar somehow. And I'm like, who is this dude? Who is this nnez?
00:01:09
riptide
And then I look into you and you're just a monster. You're just cranking out like you have.
00:01:13
nnez
hunt
00:01:15
riptide
I'm just looking on Immunefi: 14th all-time rank, over a million in earnings, 15 criticals. And these are from audit competition reports, which I'm going to say, just for fairness, are slightly easier to find than, like, raw bounties, non-audit-competition reports.
00:01:23
nnez
Yeah, I just

Challenges in Audit Contests

00:01:35
riptide
Correct, am I right?
00:01:37
nnez
Yeah, for me bug bounty is a lot easier
00:01:40
riptide
Try to downplay it.
00:01:48
nnez
than, like, audit contests, because I don't know, when I do audit contests it takes a lot of focus, like, on the same code base, and you have to identify all the entry points or features within the scope, and sometimes it overwhelms me and I just get bored and stop looking.
00:02:16
riptide
Yeah, I agree with you on that. I'm doing the Euler. Not Euler, Euler. I'm doing Eigen right now.
00:02:22
nnez
Oh, EigenLayer. Yeah. Yeah. Yeah.
00:02:23
riptide
Yeah, and it's, like, one of the ones where, at first, I've really dove into it for a while. And I tell you, man, like, I just get things rejected. Maybe I'm not that great at contests.
00:02:34
riptide
But you got to go all through the rules and the scope. And then you have invariants. You have all these kind of like, oh, it's not this. It's that. This is out of scope. So, yeah, I see what you mean.
00:02:44
nnez
Yeah, yeah. They have these very strict rules now, like in the conditional context, right, the conditional part: to be able to submit a critical you have to find something that could drain 1% of the TVL or something like that, and that's the only critical that they accept.
00:03:11
riptide
I saw, and then I was like, well, so, and then that you have to profit from it. So you can't just say you could burn 1% of the TVL. No, it doesn't qualify. That would be a high.
00:03:21
nnez
Really?
00:03:22
riptide
Yeah, which is weird.
00:03:22
nnez
I mean... Yeah, money lost is money lost, right? It doesn't matter.
00:03:27
riptide
I know, right?
00:03:31
riptide
It's weird, man.
00:03:31
nnez
What? Really? Yeah, I didn't know that. Hmm...

Transition from Web2 to Web3

00:03:34
riptide
So maybe you can give everyone a little background, as much as you want to share, but, like, how did you get started with bug hunting? Because you're definitely not a noob. You know what's up.
00:03:44
nnez
I think bug hunting?
00:03:45
riptide
How did you kick this off?
00:03:47
nnez
I actually transitioned from Web2. I was doing that for, like, a year and then, yeah, my friend just introduced me to Immunefi, and yeah, I saw the bounty amounts and it was, yeah, even back then four years ago, way more than Web2, like 10 or 100 times, so I just decided to, like, yeah, get in, and I was kind of
00:04:13
riptide
Amen.
00:04:18
nnez
getting bored on Web2 bug bounty, like, at a certain point

Security and Transparency in Projects

00:04:25
nnez
it becomes just a routine for me. I just did things on my checklist or something like that, and I didn't get to be creative, because most of the time you have to test things, like, in a black box, because you don't have access to the code, so you don't actually know what's happening in the background, so you just have to, like, poke and poke until you find something. Yes, and yeah, something like that. Yeah, and that's weird, right? You want us to do a security review on
00:04:57
riptide
That sounds like unverified contracts, and then some of the closed-source projects that we find, too, that are cross-chain. Like, we won't release the relayer code.
00:05:15
nnez
a smart contract that involves cross-chain messaging, but you don't open-source your off-chain component that is used to process all kinds of these things. It's gonna be impossible to actually pinpoint the vulnerability if some components are, like, missing.
00:05:39
riptide
Totally. Do you go by that kind of old ethos, security by obscurity? What do you think of that?
00:05:52
riptide
Even in Web3, it's still prevalent, big time.
00:05:57
nnez
It doesn't prevent black hats or malicious actors from finding and attacking, even if you hide behind the obscurity, yeah.
00:06:11
riptide
Yeah, there's always some cracked dude in a basement who will go to the bytecode and just find out exactly how your closed-source system works, as we've seen since, you know, the inception of computing, to be honest.
00:06:25
nnez
And yeah, with DPRK and everything, they are determined to hack you.
00:06:34
riptide
Yeah, if you think a public bug bounty is motivating to us, okay, well, how about your entire TVL? How motivating is that to a state-sponsored actor?
00:06:45
nnez
Yeah, have you seen...
00:06:46
riptide
Yeah, that's crazy. So you go ahead.
00:06:50
nnez
sorry
00:06:50
riptide
No, go ahead.
00:06:51
nnez
Have you seen the latest tweet, that guy Nick Franklin?
00:06:58
riptide
Oh, yeah, the fake.
00:06:59
nnez
Yeah, yeah, he was exposed as DPRK, and he's been in this space for, like, a year trying to build a persona.
00:07:00
riptide
Yeah, yeah.
00:07:06
riptide
Yeah.
00:07:07
nnez
Yeah, that kind of determination.
00:07:10
riptide
Dude, these guys, I mean, you can't put it past somebody that that's their job and duty to hack and to infiltrate. Like, that's any intelligence agency or a state-run group.
00:07:22
riptide
I think people are used to working for a company or working on their own.
00:07:22
nnez
Yeah, it's that survival, so
00:07:26
riptide
No, no. Like, this guy's sole job is to do that. Yeah. And, yeah, these guys are wild, man. I don't hire anybody, but I hear, hiring the devs, you know, tell them Kim Jong-il sucks.
00:07:40
nnez
Yeah, yeah, yeah, I've heard that they infiltrate into your company, something like that.
00:07:48
riptide
I wonder if they can compete for bounties as well. Like, that's a side project. They hack protocols and then, you know, we'll submit bounties too.
00:07:55
nnez
Yeah, yeah, I wonder so
00:07:57
riptide
Fake the KYC.
00:07:59
riptide
So, like, Web2 for you, I mean, it sounds like there's a lot. I mean, there's some carryover, I guess. It's JavaScript, Solidity, stuff like that. And then some of the closed-source aspects, you don't know what's going on behind. But I mean, there's a lot of differences too. What would you say was the biggest challenge for you switching over to crypto?

Web3 Bug Hunting vs. Web2 Testing

00:08:22
nnez
I actually find it easier hunting on Web3 than Web2, because we get access to code and we can kind of see all things at once, like how this thing works, how many components there are in the protocol, something like that. On Web2 sometimes you also have to do some recon, like how many assets this protocol has, something like that. Yeah, it's a lot easier on Web3 because everything is just out in the open.
00:08:59
riptide
it's
00:09:03
riptide
Yeah, I think we take it for granted. If you've only done Web3, you can do a full sim of, you could fork the blockchain.
00:09:12
nnez
Yeah, yeah, yeah, yeah, forking the chain is a game changer. Like, yeah, there's nothing like this in Web2, I guess.
00:09:12
riptide
How cool is that?
00:09:22
riptide
No, nothing like this in real life where you just, I'm going to rob the bank. All right, let me try 50 different attacks on it.
00:09:27
nnez
Oh yeah, yeah, true, yeah.
00:09:29
riptide
Okay, security responded. I got killed. Let me reset. I mean, it's just nuts, man. Yeah, I think it is easier like that when you think about it. That's why it's so cool. So you got into it for the money initially, and then that obviously doesn't.
00:09:45
riptide
I mean, that's always a driver. But would you say, I mean, you know, with your record here, you can't just be in it for the money. You've also got to be in it because you're interested in

Thrill of Solving Complex Bugs

00:09:56
riptide
the code.
00:09:58
nnez
Yeah, I'm interested in the code and also I love solving puzzles, yeah, something like that. Every time I find a bug and it turns out to be a valid one I get this adrenaline rush, something like that. That's why I'm still doing it. I mean, of course, for the money.
00:10:24
riptide
What's a higher adrenaline rush, on the back of a scooter, half drunk in Bangkok, or a life critical?
00:10:35
nnez
Not... sometimes something in between, I guess.
00:10:43
riptide
You're used to it, man. You're used to it. So...
00:10:45
nnez
Yeah, but even I don't wish myself that much. If I can choose, yeah, I don't ride on a motorbike.
00:10:47
riptide
so
00:10:57
riptide
It's probably a good idea.
00:10:59
nnez
yeah
00:11:00
riptide
Are you allowed to talk about your most recent bug?
00:11:04
nnez
My most recent bug is, ah
00:11:06
riptide
Yeah, you posted a critical a month ago.
00:11:09
nnez
Yeah, yeah, it's actually on the same program, like I submitted 4 or 5 criticals, but yeah, it's on category 3, so I don't think I can, like, reveal much information, yeah.
00:11:26
riptide
Okay.
00:11:29
riptide
I mean, if you could reveal anything, you don't have to talk about the project or anything, maybe kind of what bug was it?
00:11:35
nnez
Oh, the one that I posted is just a simple cross-function reentrancy.
00:11:44
nnez
Yeah, when I submitted it I got this, like, anxiety that it's gonna be a duplicate, because the program has been on there for at least almost a month, and when you, like, find something like this, there's
00:11:44
riptide
Always a good one.
00:12:06
nnez
gonna be this thought at the back of my head: can someone have submitted this before me, something like that. Yeah, 'cause I've had one or two experiences like this, that a critical was a duplicate, and yeah, it's devastating, like
00:12:29
riptide
That's the worst feeling.
00:12:31
nnez
Yeah, yeah, yeah.
00:12:34
riptide
You spend all the time and then, yeah, they, no, they close it out of scope or duplicate or something. Duplicate's the worst. I've had, I think, two.
00:12:41
nnez
Yeah, it's a second adrenaline rush.
00:12:42
riptide
And it's just such a bummer.
00:12:48
riptide
When you get the Immunefi email, yeah, you're like, oh shit, this is it. No, closed.
00:12:52
nnez
Yeah, yeah, the first one was euphoria, and the second one is, oh, it got rejected, yeah.
00:12:53
riptide
Oh,
00:13:00
riptide
That's the worst, man. So this was cross-function reentrancy, which I think everyone knows about. But I think it's overlooked as well.
00:13:11
riptide
And especially I like its big brother, which is the cross-contract reentrancy, which is really cool when they have a shared storage.
00:13:15
nnez
Yeah, yeah, and then
00:13:19
riptide
I think that one's really overlooked. I saw a posting from somebody. And I don't know if you could define it like this, but he was, like, cross-chain reentrancy.
00:13:31
riptide
Did you see that one?
00:13:33
nnez
Oh yeah, I saw that one, but I haven't had a chance to look at it. Cross-chain, right?
00:13:39
riptide
Yeah, I just kind of, like, glanced over. I'm like, well, how can you have that? I didn't look, I did look at the details.
00:13:46
nnez
Yeah, yeah, I mean, interesting.
00:13:48
riptide
Cross-chain reentrancy.
00:13:51
nnez
Next level.
00:13:51
riptide
Yeah. So that's still a thing, as of a month ago. So new guys listen to this podcast as well. I get a lot of messages from people that are up and coming: how do you do this? Coming on to the alpha drops.
00:14:03
riptide
And yeah, if you're a new guy, man, I mean, we're still not at Solidity version one. Let me just put that out there. We're still in the beta, as I look at it. But we still have reentrancies.
00:14:14
nnez
Yeah.
00:14:16
riptide
And maybe not, like, even, I mean, we have basic reentrancies, but we have, you know, the cross-function and cross-contract ones are more obscure. But they're still out there.
00:14:26
nnez
Yeah, yeah, yeah, true.
00:14:27
riptide
Like the same old bugs still apply.
00:14:33
riptide
Like, give me your approach. When you say, I'm going to go hunt for bugs, what do you do?
00:14:41
nnez
What do I do? Usually I choose the protocol that interests me, like, this is something I want to look at, and then, yeah, just look at the code base, or maybe the documentation, the white paper, gather as much information as I can, and then try to understand the protocol at a higher level, like in my mind. When I want to hunt for bugs I tend to think about the impact first, like
00:15:20
nnez
If I want to hunt for theft of funds or permanent freezing of funds, I hunt for that. Like,
00:15:31
nnez
how do I put it?
00:15:35
riptide
Do you have a critical mindset where you're just like, I'm just looking for crits?
00:15:40
nnez
Yeah, something like that. I'm just looking for this specific impact on the code base, something like that.
00:15:45
riptide
Mm-hmm.
00:15:47
nnez
which is a different approach from when you are doing an audit contest, where you're just looking at the code line by line. Is this correct? Can this lead to anything?
00:15:59
nnez
But when I'm looking for criticals, I'm kind of trying to figure out whether the code base could give this result.
00:16:11
riptide
Mm-hmm.
00:16:12
nnez
Something like that.
00:16:14
riptide
Yeah, I've had this contested before because I would tell people, you know, when I do a security review, I'm just looking for things that will blow the protocol or that will cause a funds loss to users or owner or whatever.
00:16:22
nnez
Thank you.
00:16:30
riptide
And I say, I just look for highs and crits. And somebody's like, you know, but shouldn't you just look for everything? I say, you know, if I note something, okay, maybe I'll jot it down. But I just don't focus on that. I'm not looking at gas savings. I'm not looking at lows. I'm just looking for things that are going to bust it, versus an auditor who's going to go through every single thing.
00:16:54
riptide
And they want to have that report as long as possible with as many informationals as they can.
00:17:00
nnez
Yeah, yeah.
00:17:01
riptide
But I think it can detract from finding big bugs.
00:17:02
nnez
It's
00:17:05
riptide
That's my thought. Wasted brain power.
00:17:08
nnez
Yeah, true. Trying to verify the code just for the correctness of it, it consumes a lot of focus, attention, and, yeah, brain power.
00:17:22
riptide
Yeah, yeah, I'd agree, man. That's definitely something

Negotiation Challenges on Immunefi

00:17:25
riptide
to it. Do you go to Immunefi exclusively? Or do you just pull up a block and open up transactions?
00:17:33
riptide
How do you search for bugs?
00:17:35
nnez
At the start, I'd go to Etherscan, BscScan and look at verified contracts, because back then I didn't have much experience, so I tried to, like, read through every contract that is there. But now I'm exclusively on Immunefi, because I don't want to deal with the negotiation part. I mean, even on Immunefi it's still a pain to have to negotiate, and
00:18:11
nnez
if I have to do that outside of the protocol, outside of Immunefi, I don't think I
00:18:22
riptide
What do you do if they come back and they lowball you through Immunefi?
00:18:29
nnez
sometimes i just gave up black yeah yeah i use it a lot actually
00:18:32
riptide
Do you use the internal mediation team instead, because you don't like being the negotiation team? That's pretty cool.
00:18:41
nnez
Yeah, but I got lowballed, like, so many times now that I'm kinda used to it. There was this time that the protocol just said it outright, that if they pay me this amount they are gonna go bankrupt.
00:18:59
riptide
Was it native token or stables or?
00:19:01
nnez
No, non-native token, USDC, and they're just out of funds or something, yes.
00:19:07
riptide
Oh, God. That's what they all say.
00:19:10
nnez
Yeah, because of the bad market we don't have enough funds to pay you, or something like that, we are just starting, so can you accept this amount, which is half of it, yeah.
00:19:26
riptide
Should have said, yeah, put me in a, how about a time-locked vest? How about that? I'll wait until you're successful.
00:19:33
nnez
Yeah, let's do a bond, right? Yeah.
00:19:38
riptide
That's something. Yeah.
00:19:39
nnez
yeah
00:19:41
riptide
Yeah, negotiation. I don't think anybody likes this. Maybe a few dudes just love it. Just love it.
00:19:47
nnez
Really?
00:19:47
riptide
I mean, I think these negotiations are very different, because you can't, like, how you'd win a negotiation in my eyes is you have the power to walk away.
00:19:58
riptide
And you've already given up your bugs. You can't just walk away.
00:20:01
nnez
Ah, yeah, yeah.
00:20:03
riptide
That's the big problem. It's very one-sided.
00:20:06
nnez
Yeah, the power imbalance. I think we have that in Web2 too, like you don't have the power to negotiate because you already submitted everything to the other party, and once you have done that you've lost all your power, right?
00:20:26
nnez
They can just walk away, yeah.
00:20:26
riptide
Yeah. Web2, then they give you a $300 bounty.
00:20:33
nnez
Or maybe they don't. They can just walk away.
00:20:34
riptide
Jesus. What a chip.
00:20:40
riptide
Hey, let me ask you this. You mentioned you look on, and I don't want to say it, BSC chain, which is, like, all, what I think BSC, I just think Asia.
00:20:51
riptide
Is that true? Do you know people that?
00:20:53
nnez
will
00:20:54
riptide
Yeah, I hear it. It was kind of a joke when it came out, and then it turned into, like, a degen gambling chain. And now I think, I don't know anybody that uses it. And any project that I see on it is usually Chinese that I'll see, but they'll have some English translations. But I say mainly that's in Asia.
00:21:16
riptide
What do you think?
00:21:18
nnez
a
00:21:20
nnez
I didn't notice that. Really, it's all, like, in Chinese language and translated to English? But I kinda know it, like, back then before Solana, it's
00:21:24
riptide
Really?
00:21:31
riptide
yeah
00:21:36
nnez
a host for meme coins and shitcoins on BSC.
00:21:43
riptide
What year did you start doing auditing or bug hunting?
00:21:48
nnez
Auditing, probably two, four years ago, it's 2021, right? Yeah, around DeFi Summer, in Bangkok.
00:21:58
riptide
Okay, so you were here for DeFi Summer, right?
00:22:04
riptide
Summer. No, DeFi Summer, which was, like, categorized as, I think.
00:22:07
nnez
DeFi Summer? Oh yeah, yeah, yeah, I was there. Luna and stuff.
00:22:10
riptide
Yeah, yeah, okay. But that was, yeah. I think BSC was booming then. Maybe BSC, I feel like I've been in this space too long.
00:22:20
nnez
Yeah, yeah, back then it's PancakeSwap, right? Yes. Yeah, yeah, back then you heard about PancakeSwap, like, more than the name Uniswap.
00:22:21
riptide
Yeah.
00:22:24
riptide
Yeah, yeah, yeah, yeah. When all the forks were coming out there and everyone was crying about it or else making money. What about? Yeah,
00:22:36
riptide
yeah, it's true.
00:22:37
nnez
yeah
00:22:38
riptide
was blowing up. And the same validator meme that goes around with Hyperliquid was going around with BSC. Like, oh, it's centralized, but people don't care, to be honest.
00:22:50
riptide
They just want to gamble.
00:22:50
nnez
Yeah, yeah, users join, never trying to, but still
00:22:53
riptide
What about Tron? Do you use that? Yeah.
00:22:59
riptide
Never.
00:23:01
riptide
Me neither. That's a big Asia-centric thing, too, is Tron.
00:23:06
nnez
ah
00:23:08
riptide
Never. You're not a Tron fan.
00:23:10
nnez
Yeah, maybe I'm not in Asia, yeah.
00:23:13
riptide
I don't know where you are, but you're on the blockchain. That's all that matters. I just feel like different parts of the world. I know I want to talk to someone from South Korea because I hear that's a different animal as well, as far as the chains.
00:23:27
riptide
Maybe they're Big Tron users.
00:23:27
nnez
Ah yeah, heard that too. They have, like, this big crypto community and, yeah, so many projects that we don't know.
00:23:41
riptide
Yeah, but what's cool is everything is in English. And so you get on, check the contract code, and it's like, you don't know.
00:23:48
nnez
ah Yeah, yeah. Yeah,
00:23:49
riptide
Yeah, I mean, even the comments. I don't think I've been in some code where the comments have been in, you know, any other character set. Everything's in English, which is good and bad.
00:23:59
riptide
You know, it's hard to determine where the project is, but for, like, you know, ease of readability, it's fantastic.
00:24:02
nnez
yeah.
00:24:08
nnez
But I think I have seen some contracts coming with the Chinese language or something like that, or Russian, but it's rare. Mostly they are in English.
00:24:24
riptide
Yeah, if you see the Chinese characters in there, it's, I don't know, everything I've looked into, it's been like a rug-looking project. Like, it looks very dodgy, and sometimes it's obvious. Yeah, or fucking Tron, who knows.
00:24:37
nnez
Oh yeah, and it's on BSC. Yeah.
00:24:44
nnez
Yeah.
00:24:46
riptide
It's some things I haven't looked at, man. Like, honestly, I've never gone on Tron. I think I've gone on, I want to say, every other blockchain, but now I know how many are on there. If I just pull up Chainlist, God, I probably lost count.
00:25:01
nnez
yeah
00:25:01
riptide
Oh my God.
00:25:02
riptide
There's so many, man. This is crazy. If you pull up Chainlist, you can literally just scroll. There's hundreds, hundreds of chains that I've never even heard of.
00:25:16
nnez
L1 page is not enough now.
00:25:18
riptide
what
00:25:18
nnez
We're gonna run out of chain IDs soon, I guess.
00:25:22
riptide
Dude, I don't even...
00:25:22
nnez
have so many.
00:25:23
riptide
Are people using these? They can't. Pepe Chain, Main... Who the fuck is using this? No one uses this shit.
00:25:29
nnez
Yeah.
00:25:31
riptide
Yeah, this is crazy.
00:25:31
nnez
But yeah, we can have so many L1 chains. As much as we want.
00:25:37
riptide
This is nuts, man. So, yeah, what do you think about this? Like, are you kind of bullish on Ethereum? Do you think that's going to be the global settlement layer and everything's going to, do you think that thesis plays out?

Ethereum's Role in Global Finance

00:25:50
riptide
Do you have any insight on that, or do you just focus on security work?
00:25:55
nnez
Mostly I focus on security work, but my thought is that, yeah, maybe it's gonna become the global settlement layer, and I wish that it happens.
00:26:08
nnez
I mean, just the inclusivity of it. In the finance aspect it's just mind-blowing. I mean, before Ethereum there was nothing like this, like you can trade options, trade perps on-chain, and you can see, like, everything that's happening. You can track, you can trace the money, so everything is out in the open. Transparency at
00:26:20
riptide
Mm-hmm. Mm-hmm.
00:26:44
nnez
its best, something like that. And this never happened in traditional finance, like, ever.
00:26:51
riptide
Yeah, it's the biggest game changer.
00:26:52
nnez
And so I hope it becomes a global settlement layer.
00:26:57
riptide
I think it will. I think it's just, everything takes time, because having worked in banking, it's such an archaic kind of design they have.
00:27:04
nnez
Yeah, yeah.
00:27:04
riptide
They work on Excel. Like, everything's just so legacy, and I think it'll happen. Just takes time.
00:27:12
nnez
Yeah, maybe five or ten years.
00:27:16
riptide
Yeah, and I was thinking about that yesterday. You see the MIM exploit, the Abracadabra project, one of their cauldrons?
00:27:22
nnez
oh yeah yeah that's all in one
00:27:23
riptide
Yeah, and I was thinking about that, and this is not the first time they've been hacked, and they're like, oh yeah, you know, exploit, here's what happened, blah, blah, blah, and they say, oh, we were audited by these guys, these guys were monitoring, and still we got hacked.
00:27:41
riptide
And I put out a tweet. I'm like, you know, where do you think the blame lies? And ultimately, I think that it lies straight with the devs, no matter what they do.
00:27:53
nnez
Yeah, the responsibility is definitely with the devs. I mean, they push the button, right?
00:28:00
riptide
Yeah. Yeah. I mean, you can outsource that stuff, but it's your project. Like, you're going to reap the rewards if it's good. And if it sucks, it's on you.
00:28:07
nnez
Yeah, you can't just, like, put trust, like 100%, that, yeah, after we get this audit it's gonna be 100 percent
00:28:18
nnez
is
00:28:18
riptide
Yeah, people love putting the audits up there because it's great marketing, like, oh, we're audited by whatever, but it doesn't, you know, you and me both know it's like, okay, doesn't mean everything's caught.
00:28:25
nnez
yeah
00:28:31
nnez
Yeah, I mean, on the other hand, if they have to market like that, it means that our industry gets hacked so much that you have to use this point as marketing, yeah.
00:28:45
riptide
Yeah, oh, absolutely. Yeah, I get it. I'm just thinking about how, you know, we're talking about if it's a global settlement layer, how traditional finance and how they look at that when, okay, we have our assets in, you know, say, the biggest player I think right now is Aave.
00:29:03
riptide
I think it's a great project, great team, great code base, BGD Labs.
00:29:06
nnez
yeah
00:29:08
riptide
They're really great. I've tried to.
00:29:10
nnez
Yeah, and they are always, like, in development.
00:29:13
riptide
Yeah, it's just a good setup, man. Like, I've tried so many times, I'm sure so many people do, is try to find bugs in there. And it's just, it's well done. And they're all over it.
00:29:24
riptide
But I'm like, projects like that are going to attract capital. But it's like, when it gets hacked,
00:29:29
nnez
Yeah. you.
00:29:31
riptide
you know, we have Nexus Mutual, we have some insurance things that are kind of not fully scoped out yet. I don't think they're that well used. But

DeFi Security Perception by Traditional Finance

00:29:41
riptide
how do you think this looks from a traditional finance kind of viewpoint?
00:29:41
nnez
yeah
00:29:48
riptide
If you're a big bank or you're this and that, how do you think that looks? This thing that you have all this money in, it's supposed to be trusted, just gets hacked.
00:29:54
nnez
hey
00:29:57
nnez
Like, for the institutions to come in,
00:30:02
riptide
Yeah.
00:30:03
nnez
like, I think they are still seeing this as a risky strategy if they want to, like, invest in Aave, for example, because they can never be sure that if Aave were to get hacked
00:30:24
nnez
they're gonna get compensated in whole, and they might have to, I mean, given that they are institutions, they may have to just write that off, because if they are institutions, we can expect that they're gonna invest a large sum of money, right?
00:30:46
riptide
What do you think about, because I imagine they'll get it all sorted with either insurance on-chain or off-chain. But what about
00:30:54
nnez
Yeah. Hmm.
00:30:55
riptide
say, convincing someone to use something? 'Cause it's hard enough convincing the end user to use DeFi, or even a security researcher, because we've seen the bugs.
00:31:03
nnez
yeah
00:31:06
riptide
So to introduce people outside the ecosystem to come in, like, how do we prove that something is secure? How do we go about doing that? Would you say Certora is on a path to do that?
00:31:20
riptide
Like, what are your thoughts?
00:31:24
nnez
I think the test of time is the only metric that we have now. I mean, if the project
00:31:33
nnez
is operating for an amount of time and they don't get hacked, maybe we can have some certainty that it's secure. But I don't think we can ever have, like, a hundred percent secure, but also, maybe we don't need that, like, 100% secure. We just need to make it secure from catastrophe, a catastrophic bug that could, like, drain the protocol.
00:32:08
nnez
And that is enough, right?
00:32:10
riptide
Mm-hmm. That's a big, big wall to climb. Make it secure. Not 100% secure, but just so no critical bugs are in there.
00:32:19
nnez
Yeah, yeah. Just something that is not recoverable, to prevent something like that, yeah.
00:32:25
riptide
Test. Yeah, test of time. I don't know. I like it, but we've all seen old protocols where the bug was out there for, you know, years, and then suddenly someone finds it.
00:32:39
nnez
Yeah, yeah, that's also true.
00:32:40
riptide
I don't know what the metric is. I don't know what we look for. I like the prover. I like how they're doing that. They're proving that mathematically, hey, you can't violate this invariant.
00:32:54
nnez
Yeah, yeah, but you have to be, like, good at coming up with constraints, right? If your input set is insufficient it's gonna miss something.
00:32:59
riptide
Mm-hmm.
00:33:07
riptide
yeah
00:33:07
nnez
I mean, basically hacking is just finding an input that would produce an unexpected output, right? Yeah, so you have to, like, be really good at coming up with inputs and, yeah, invariants.
00:33:25
riptide
I think that's another tip to bounty hunters that see Certora and think, oh shit, there's zero bugs. Look, it's been proven. That's more marketing bullshit, because it depends what you're proving.
00:33:40
riptide
It's just like if you're writing a test and, look at our test coverage, look at our suite.
00:33:40
nnez
yeah
00:33:46
riptide
It doesn't matter, man. If you're not asking the right questions, you're not proving the right things, then there's still a bug. So you can have everything you want. It doesn't mean that you won't find an exploit.
00:33:58
nnez
Yeah, yeah, true.
00:34:00
riptide
Yeah, but I mean, that trips people up, though, because people see all these names, and when they don't know what the prover is or what it's supposed to do, it's easy to get psyched out, wouldn't you say?
00:34:12
nnez
Yeah, it's mad, right?
00:34:17
riptide
It happens, right? You look at something and even me, man, I get psyched out, especially if I haven't found a bug recently. And I'll look at a protocol and I'm like, oh shit, look. Look at all these people that have looked at it.
00:34:29
riptide
Oh, they're flexing on X that they've looked at it too. Some audit firms, I'm like, oh fuck, man. There's no bugs in here. You know, it's so easy to psych yourself out.

Avoiding Burnout in Bug Hunting

00:34:39
nnez
Yeah, yeah.
00:34:42
riptide
Like, what do you do? How do you avoid that? Do you just say, fuck it? Do you not even look at the audits? Do you eliminate all the comments? What do you do? What are your tactics?
00:34:54
nnez
I just look at the code, but yeah, sometimes I see big names, I avoid it.
00:35:03
riptide
Are there any?
00:35:03
nnez
But only in, like, the audit context. For bug bounty I still try it, because maybe I get to learn something new, because the codebase already interests me. Yeah, I tend to avoid a codebase that doesn't interest me, because I will get bored and it won't lead me to anything.
00:35:05
riptide
Good.
00:35:29
riptide
Yeah. Like if I give you a fork, a Compound fork, fuck, kill me.
00:35:34
nnez
Yeah, gonna be a no for me. We have so many Compound forks right now, right?
00:35:35
riptide
I'm never looking at that again. Yeah. Yeah, I can't say that.
00:35:42
riptide
Oh, man. So I do some audits on the side, and I get pinged by random people. I don't know who they are, but the recent one I've been doing is just like these NFT 721s. And I'm like, I don't... It's just like it gets really repetitive.
00:36:02
riptide
I just do not enjoy it. I'm just kind of doing it, you know, out of kindness, like, right, yeah, sure, I'll help you out. Sure, I'll help you out. But yeah, it's just the same thing over and over again.
00:36:14
nnez
Yeah, the repetition, it burns you out. Sometimes it happens to me.
00:36:19
riptide
Yeah. Is that why you don't do... do you do private audits on the side?
00:36:26
nnez
Never. Yeah, I don't know why, but yeah, it never happened.
00:36:27
riptide
Okay.
00:36:30
riptide
I'll tell you why. Because they say, hey man, you need to audit our... you need... V3 fork. You just say, oh fuck.
00:36:37
nnez
yeah
00:36:37
riptide
Okay, I have to. Yeah, it's different, man.
00:36:39
nnez
yeah
00:36:46
riptide
So what are you looking at now? Can you share?
00:36:51
nnez
What I'm looking at, um...
00:36:52
riptide
Yeah. What do you have open in VS Code right now?
00:36:57
nnez
I really scored... it's actually from the last audit competition on Immunefi, Yeet. Yeah, it's called Yeet, right? Yeah, it's an audit competition on Immunefi, Yeet. Yeah, yeah, that one. Yeah, yeah, yeah.
00:37:08
riptide
Yeet?
00:37:13
riptide
Okay, Yeet? Y-E-E-T, Yeet. Okay, Yeet. Fucking Yeet.
00:37:24
nnez
Yeah, I got into that because I saw many tweets finding critical, like, this is the first time I found critical in Immunefi. Yeah, I just deduced that it must be this protocol on Immunefi, yeah.
00:37:43
riptide
Okay. This was the first critical you found on Immunefi, you said?
00:37:49
nnez
I'm sorry, no, no, it's someone saying in
00:37:50
riptide
You said this was the first critical you found on Immunefi?
00:37:57
nnez
Twitter that, yeah, this is the first critical, and there were so many tweets, like 4 or 5. Yeah, so I just deduced that it must be this one, because it's unlikely that there would be many unique criticals right now on the platform.
00:37:58
riptide
Oh, that was their first critical. Got it.
00:38:07
riptide
Oh, no. You know, it's easy pickings.
00:38:26
riptide
Yeah.
00:38:26
nnez
I mean, it happens, but yeah.
00:38:30
riptide
Let's see.
00:38:30
nnez
Yeah.
00:38:30
riptide
I'm pulling this up now. Yeet is a gamified DeFi protocol on Berachain. Ah, yes. Its core feature, the Yeet game.
00:38:38
nnez
Yeah.
00:38:39
riptide
Oh, yeah. This looks like a very high... This should compete with Aave. Very high-quality project here.
00:38:46
nnez
yeah
00:38:46
riptide
This is good stuff. $30,000, kind of low for the reward pool. Do you choose just anything that's interesting, or do you look for high-pot bounties?
00:38:56
nnez
I chose that one because I'm on this Immunefi game, Immunefi Iceland Season 2. Yeah, yeah, so we get points for a valid bug, and critical gives you 250. Yeah, so just...
00:39:02
riptide
Oh, right.
00:39:14
nnez
yeah
00:39:16
riptide
I've seen them trying to incentivize this game on there.
00:39:17
nnez
I just...
00:39:19
riptide
So why are you doing it? Well, why does this incentivize you? I have to ask.
00:39:24
nnez
I just want points, and I want to get some swag. Yeah, I saw Lonely Sloth get one with no...
00:39:27
riptide
Oh, some swag. All right. If Immunefi's listening, this is how you motivate people. Give swag. Swag. Maybe projects will just do this: fuck a big bounty, just put up, we'll give you swag.
00:39:43
riptide
Critical gets hoodie.
00:39:43
nnez
That doesn't work. No, it never worked for me. It should be hoodie and...
00:39:44
riptide
Yeah. Critical gets a hoodie.
00:39:51
nnez
It should be hoodie and 100k or something like that.
00:39:56
riptide
Yeah. What do you think about, like, an appropriate bounty size? Is there one?
00:40:04
nnez
Bounty size?
00:40:06
riptide
Yeah, for a project to advertise a bounty, do you think there's an appropriate amount? Like a calculation you have, or how do you kind of look at that?
00:40:15
nnez
For me, anything above fifty K is okay, but this is a bit trolley for me, like, I think this number just sounds okay to me, and yeah, yeah, yeah.
00:40:30
riptide
Yeah, I mean, it's a lot of money. 50 grand is a lot of money for looking at some code. And maybe you spend, I don't know. It all depends, right? A week, two weeks, a few months.
00:40:42
riptide
But yeah, 50 grand is a lot, especially in Thailand. It's a lot of money. But 50 grand is no joke, man. I mean, a lot of people make, you know, in the Western countries, 100 grand a year.
00:40:54
riptide
Well, you can make half your salary for, yeah, maybe a month of work.
00:40:59
nnez
Yeah.
00:41:00
riptide
If you find it or else you threw away your time. Such is the life.
00:41:03
nnez
Yeah, given that you find it. Yeah, or nothing. Go big or go home.
00:41:04
riptide
Such is the life. Yeah. That's right. What would you say about... I like to ask about this, about the long game.
00:41:17
riptide
A lot of guys. And I can't get them on the podcast yet. Lonely Sloth. This guy's talking about how he's...
00:41:23
nnez
Yeah, I really, really want to listen to him talk. Yeah, legend.
00:41:25
riptide
Hey, I'm trying, man. I'm trying to get him on. This guy's, he's a sloth. He lays low.
00:41:33
riptide
He is a legend, but he's like, you know, I have a bug that I'm looking at in the contracts for like a year. He just sees something. He's waiting for some variable to change and making some notes, and he's like the sloth in the trees, just waiting.
00:41:46
nnez
Yeah, yeah.
00:41:51
riptide
Do you do that? Do you keep tabs on things?
00:41:55
nnez
Yeah, on some, but eventually I just gave up. There are new projects launching, like, almost every month.
00:42:05
riptide
Mm-hmm. Mm-hmm.
00:42:07
nnez
I only do that on projects with a really big codebase, lots of activity on the GitHub. Yeah, and that only happens with, like, blockchain or DLT assets. I don't get that on smart contract assets. Like, you only see, um, development, like a new commit to GitHub, on smart contracts... it's not happening a lot, yeah.
00:42:22
riptide
and
00:42:50
riptide
That's true. Yeah, if they have some back end, that's definitely updated a lot more. Do you look at that, or do you focus just on Solidity?
00:43:01
nnez
Yeah, I think about 40% of my bounties came from blockchain assets. I mean, Golang, Rust, and yeah, Golang, Rust.
00:43:09
riptide
In what language?
00:43:19
riptide
Which do you feel is less secure, Rust or Golang?
00:43:23
nnez
I would say Golang, maybe, but maybe they are equally secure. It's just that most of the bugs that I've found are more like logic bugs, so it's not something that's language-specific. Yeah, yeah, so it depends on the depth more than just the language.
00:43:46
riptide
Mm-hmm.
00:43:52
riptide
Do you feel like there's as many trap doors as you'd find in Solidity?
00:43:59
nnez
Like shooting-yourself-in-the-foot kind of stuff?
00:44:04
riptide
Yeah, like, oh God, I think Solidity is like a funhouse. There's all kinds of fucking trap doors.
00:44:11
nnez
Yeah, yeah. That, I can say I'm not that fluent with those languages. I actually never wrote Golang or Rust before, never, just able to read the code, something like that. But now that we've got LLMs, I just task it to do something that I can't.
00:44:40
riptide
Like what? Like drop a POC for you?
00:44:44
nnez
Not a full POC, but if I cannot figure something out... like, sometimes I try to write a POC and I get this compilation error or something, I just ask the LLM to fix it.
00:45:00
riptide
Yeah, it's so good. What's your preferred LLM for coding?
00:45:06
nnez
Anything that's free. Sometimes I just go to Gemini or something like that.
00:45:08
riptide
Yeah, it is great.
00:45:12
riptide
Yeah, it's like competing in a sport and not trying to maximize your potential, like taking steroids or EPO or growth hormone or something like that.
00:45:26
riptide
Not using an LLM as a tool, you're just leaving something on the table that would help you do things more efficiently.
00:45:33
nnez
Yeah, you're gonna be at a disadvantage if you don't use it.
00:45:41
riptide
Yeah.
00:45:41
nnez
But I use it a lot in the audit context, like to write a report or something like that, because it's a lot faster. You can just throw context at them and just instruct them to write a report, and then you just edit something
00:45:50
riptide
Yeah, it's fantastic.
00:46:01
nnez
a little bit and submit the bug. Yeah, same here.
00:46:04
riptide
Yeah, I think that was one of my most detested things to do, was write the report. I never liked writing the report.
00:46:15
riptide
LLM, I love it, man. Even though... you could even... it's just amazing technology. What can I say? I just like to know that I was around pre-LLM report writing and then post-LLM report writing.
00:46:29
nnez
Yeah, things changed. Like, yeah, I went back and read my reports from the pre-LLM era. It's a lot different in terms of, like, quality, and yeah.
00:46:33
riptide
I just... Mm
00:46:41
riptide
hmm.
00:46:50
riptide
Yeah, it's... That's something else, man. I feel for the guys that are looking at the reports, though, especially in these contests and stuff, because, like back in the day, if you didn't know what the bug was before GPT, then you just wouldn't write a report, or it would be crap.
00:47:11
riptide
And now everyone's able to submit things that look, at least on the surface, legit. And so these guys have to read through all this stuff that kind of looks like, oh, LLM reports.
00:47:21
nnez
Oh yeah, yeah.
00:47:23
riptide
But hey.
00:47:23
nnez
Yeah, it's gonna be harder for judges to filter out those.
00:47:31
riptide
Yeah, yeah. But what about Move? You ever looked at that?
00:47:36
nnez
Move.
00:47:37
riptide
Yeah.
00:47:38
nnez
Yeah, I've been talking with this guy that I'm going to participate, but yeah, I've been talking for like two weeks now, but...
00:47:49
riptide
You're not doing it. You're not looking at Move.
00:47:52
nnez
I don't know, I'm postponing. Yeah, so...
00:47:56
riptide
Oh yeah. I don't get it, man. Like, all these projects, what the fuck is the point of... all right, Cairo, Move. Everyone's got to come up with a new language.
00:48:07
riptide
Why? Why is that done?
00:48:11
riptide
Marketing.
00:48:12
nnez
Or new technology. I mean, I get Cairo, that they're trying to come up with a language where you can prove the execution of the code, something like that, like new features. But do we really need that? Yeah, that is the question.
00:48:25
riptide
Mm-hmm.
00:48:36
riptide
Yeah, I guess someone's going to do it. Someone's going to try to, and yeah, improvements and all that. Great. It's just, man, it's an uphill battle, especially in such a growing new space like this, where Solidity has a foothold.
00:48:42
nnez
Yeah. Yeah.
00:48:52
riptide
Look how hard it is for Vyper to get a foothold, even though I think it's a better language, more secure.

Challenges for New Programming Languages

00:48:59
riptide
Now try to get Move out there. Something where one project uses it, on some fucking scam blockchain no one cares about.
00:49:08
riptide
I don't know. Good luck.
00:49:10
nnez
Yeah.
00:49:12
nnez
Yeah, it should be simple, or else you won't attract any developers to use your language, right?
00:49:21
riptide
Yeah.
00:49:21
nnez
If it's too complicated.
00:49:23
riptide
Yeah. So let me shift here. Let me ask you, did you prepare any alpha for the alpha drop?
00:49:35
nnez
Ah...
00:49:38
nnez
No specific things that I could tick off. What?
00:49:42
riptide
Nothing. What a terrible guest. You got no alpha ready. Jesus Christ.
00:49:47
nnez
Yeah.
00:49:47
riptide
Okay. All right. I'm dropping an alpha drop. And it's a very simple one. Maybe this will jog your memory. Maybe you have something you look for.
00:49:57
nnez
Yeah.
00:49:58
riptide
It's a free podcast. All right. You do whatever you want. My alpha drop today is something that I was looking at today, which is very simple. But it is operators.
00:50:09
riptide
So I'm looking at something now where there's a bug, and it's as simple as: something should have been a less-than, but it's a less-than-and-equals. So less than or equal to.
00:50:23
riptide
So sometimes a bug can manifest in the simplest way, but if you look at an array and how it calculates the length, um, combined with maybe some assembly outside of it, you could get a little
00:50:24
nnez
I...
00:50:38
riptide
A little unauthorized or unexpected access of some memory, due to certain things reading outside of where you expected them to read. So that's my drop.
00:50:50
nnez
Interesting.
00:50:53
riptide
Let you have your memory.
00:50:53
nnez
So...
00:50:54
riptide
Got something?
00:50:56
nnez
Yeah, I actually found something like this, but yeah, it was a low severity, but it's interesting. It's this smart contract that's used to verify a valid block from Bitcoin, and usually for a block on Bitcoin to be valid, the nonce has to be less than
00:51:25
nnez
the hash, or the hash has to be less than the nonce or something, the hash of the block. And the spec from Bitcoin, they define that if the hash is equal to the nonce, it's also valid, but this smart contract, this protocol, will reject it, because they use a less-than symbol instead of less-than-or-equal.
00:51:47
riptide
and
00:51:51
riptide
There we go.
00:51:51
nnez
But it's worth low severity, because it's gonna be really, really hard to find a block of Bitcoin that has a hash that equals the nonce. Yeah, something like that.
00:52:06
riptide
Good, though. You never know what might manifest out of it.
00:52:11
nnez
Yeah.
00:52:12
riptide
Yeah, very cool. And I want to ask you also, do you have any favorite tools that you use on a daily basis?
00:52:20
nnez
Tools? VS Code. VS Code and, um...
00:52:21
riptide
Tools? Yeah, of course.
00:52:29
nnez
Post-law, yeah, that one is really great too. Foundry, does that count?
00:52:35
riptide
What was the last one?
00:52:37
nnez
Foundry. Bosh is Foundry, yeah.
00:52:39
riptide
Oh, Foundry. Yeah, yeah. Of course. So just the standard stuff.
00:52:47
riptide
Okay, nice. Nothing special. Not sharing any of your hidden tools. That's all right, man. That's cool. I don't expect everyone to. I share a bunch of shit, man, because I think... I'm going to drop some old man knowledge here too.
00:52:54
nnez
I don't have one.
00:53:05
riptide
It's like there's so much opportunity out there on the blockchain, on the 10,000 blockchains according to Chainlist, for everybody to get a piece of this industry.
00:53:14
nnez
Yeah.
00:53:16
riptide
And I think if I gave all the tools I use, it wouldn't make a difference to my earnings versus the next guy, because the space is so big. And this coincides with another point that I'll make, which is, like, some people get mad at people for making money.
00:53:27
nnez
Yeah.
00:53:35
riptide
So say you make a million bucks, and you'll find that in life, some friends or family will not like that, and they get angry. And it makes no sense, because what you've done hasn't taken away from their earning capacity. So they're upset for jealous or some other reasons, but instead they should just say, hey, great, you know, I'll go make a million bucks now as well. So I don't know, I think those are kind of the same things, you know, with the code, all these secrets, give out whatever. It's like, hey man, just go get it, and I'm gonna get mine, and we're not really competing.
00:54:12
riptide
In life, it's just how do you improve on yourself and your skills from a year ago to where you are today. So it's you versus you in this space. It's not really PVP, I guess, unless you're in an audit competition.
00:54:26
riptide
That's your exception.
00:54:28
nnez
Yeah, yeah, true. Sometimes people tend to think, ah, digital will up of this wall, like it's a zero-sum game, there's gonna be a winner and a loser. Yeah, and when they become a loser, they are a sore loser, yeah.
00:54:49
riptide
Yeah, that's a good point. That's a good point. And it's all on the individual. I love this space because it's a meritocracy.
00:55:00
riptide
It's like, I mean, you could be a scammer. You could do all these things, but still, it's on you, man. It's very individualistic.
00:55:09
nnez
Yeah, yeah. I love this space because you can be good at stuff and be recognized for your skills, and only your skills. People don't care where you come from, just that you are good enough.
00:55:28
riptide
Yeah. And to some people, that's scary to know. I think especially, like, the privileged class goes, yeah, I'm going to Harvard. I have this big family that's known. I should be respected.
00:55:41
riptide
And they try to compete in this space. And it's like, dude, you know, the guy that just blew you up was from fucking who knows where in the world. And he's just got a laptop in a little mud hut.
00:55:55
riptide
But he's got grit, man, and he's just coming for you.
00:55:59
nnez
Yeah, an 18-year-old can beat you in this space, like, easily.
00:56:05
riptide
Hell yeah. Hell yeah. They've got all the time in the world. It's a scary thought. But it is what it is, man.
00:56:10
nnez
Yeah, yeah. And it's a good thing that the next generation is getting better and better. I mean, that's the goal, right?
00:56:11
riptide
I mean, you want to compete or you don't.
00:56:22
riptide
Yeah, absolutely.

The Future of Blockchain with New Generations

00:56:24
riptide
Yeah. And they have all these tools. They have LLMs. They have fucking internet. They have blockchain. All this stuff they're growing up with now. And they're just going to be light years ahead.
00:56:33
riptide
Great, man.
00:56:33
nnez
Yeah, I can't wait for Gen Alpha to, like, come into this space and do things. Yeah, oh yeah, it's all already...
00:56:42
riptide
Yeah. It's so cool, man. Well, cool, man. We hit an hour. Um, anything? I know, I didn't even look. See, this is what I'm talking about, man. Just have a fucking chat about whatever.
00:56:55
riptide
Yeah, anything you want to talk about?
00:56:56
nnez
Yeah.
00:56:59
riptide
Hey, were you at ETH Bangkok at all?
00:57:04
nnez
Yeah, I didn't go, just because it was too close to home. Yeah, but then I heard it was good.
00:57:09
riptide
It's in your backyard. I do the same thing. I never go to anything nearby. Yeah, that's a shame. Yeah, it was good, man.
00:57:20
riptide
It was good. Anything else on your mind you want to chat about?
00:57:25
nnez
Yeah, I got lost in that. Something came up, and it's just gone now. Sometimes it happens to me.
00:57:35
riptide
Ah, fuck it.
00:57:36
nnez
Like a lot, really.
00:57:38
riptide
All right. Well, drink some Yakult, man. That's all I got for you. All right.
00:57:44
nnez
Yaku?
00:57:46
riptide
Yakult. It's the little, yeah, the yogurt drinks, at the 7-Elevens.
00:57:48
nnez
Yeah, yeah.
00:57:50
riptide
All right. All right, man. We'll cut it off there. Hey, thanks for coming on the podcast. We will see you next time on the blockchain.