
riptide & riproprip discuss his $500,000 bug find on Raydium's CLMM, hunting bugs solo and the pitfalls of contests, how printing out calldata can help you find bugs, leveling up as a new hunter,  finding your motivation to devote time to bug hunting, and why to get and remain ripped and totally jacked at a young age with the first physical ALPHA DROP in the history of this podcast ... and much, much more anon

Transcript
00:00:05
riptide
Hey, what happened to my intro, man?
00:00:11
riptide
It is not playing. There we go.
00:00:16
riptide
Hell yeah.
00:00:16
riproprip
Is it working?
00:00:17
riptide
It malfunctioned. I don't know. We had to get the intro going.
00:00:21
riproprip
I can hear the intro just fine.
00:00:23
riptide
All right. Double play the intro because it's double awesome.
00:00:27
riproprip
Do we need to do it one more time or not?
00:00:29
riptide
That's a good idea. I'm hitting it again. I'm hitting it again.
00:00:35
riptide
Yeah. Oh, God. I'm so pumped now. I'm so fucking pumped.
00:00:43
riproprip
No, we had it three times.
00:00:45
riptide
Oh, yeah.
00:00:45
riproprip
I'm hyped.
00:00:46
riptide
All right. You better be pumped. Next podcast, I'm going to hit it three times. That's a new beginning. All right.
00:00:52
riproprip
I had it three times now.
00:00:52
riptide
I'm on the pod here with riproprip. Is that how we pronounce it?
00:00:59
riproprip
Yeah, you can pronounce it however you like.
00:01:01
riptide
All right. riproprip, who's the king here, 28th on the Immunefi leaderboard with a million buckazoids in earnings. Two criticals.
00:01:13
riptide
The Beast. Welcome to the podcast.
00:01:15
riproprip
Yeah, thanks for having me. It's kind of humbling to be on your show. I never told you, but I think I kind of owe you a few beers, maybe, because that one million wouldn't have happened without you, I think.
00:01:30
riptide
Get out of here. Tell me.
00:01:31
riproprip
Yeah, no, no, no, for real. I think it was the Degachi podcast. You were doing some podcast, I can't remember with whom, but you were basically saying it's completely fine to just hunt bugs on your own time, do bug bounties 100%, you don't need to do contests.
00:01:52
riproprip
And at the time I was grinding contests. I was doing okay, but I just didn't feel happy doing that shit. And then when you said that, it was kind of like permission for me to say, well, why don't I go hunt some bugs in different projects, right?
00:02:14
riproprip
And so without you that wouldn't have happened, because I would still be grinding contests. Yeah, I'm not kidding you.
00:02:20
riptide
Really? This is a humble Chad success story. I've successfully influenced you to go bug hunting. That's awesome, man.
00:02:28
riproprip
Yes, and now we can maybe inspire some other people who are listening right now to do some bug hunting.
00:02:34
riptide
Dude, this is what I hope to hear because, as you know, as I know, it's fucking hard, man. I mean, you have the highs and you've got the bottom-of-the-barrel, under-your-basement lows where you just don't find shit and you feel like shit. How do you deal with that?
00:02:52
riproprip
I don't know, I just like looking at code. I like to take some time off. If I don't feel inspired, I'm not going to look at code. I'm going to build stuff. There's lots of stuff in my life to figure out. I can do whatever I want.
00:03:08
riproprip
But sometimes I wake up and I want to look at some code, see if I find some bugs, and then I do that shit. And that's what's making me happy. And I think if...
00:03:17
riptide
When do you call it quits?
00:03:21
riptide
Like for the day, when do you say, fuck it, I'm out, I'm closing the laptop, nothing's happening today?
00:03:27
riproprip
Oh boy. I kind of wish my latest bug on Immunefi would be like... I have no idea if I'm allowed to talk about that. I think it's fair to say it took me like a year, something like that, the 100K one.
00:03:44
riproprip
I looked at that code base. I looked at it some more, maybe I submitted some bugs, I don't know. And one night I woke up and had that "what if": I woke up saying, what if I could do this at that project? And I usually text that stuff to my wife.
00:04:04
riproprip
She doesn't mind waking up with crazy bug hunting ideas. But yeah, yeah, it's like that.
00:04:08
riptide
Get out of here. Does she give you valuable input?
00:04:12
riproprip
Oh,
00:04:13
riptide
Like, what are you expecting as a response?
00:04:16
riproprip
She's kind of smart, but she doesn't give a fuck about infosec, so... She's basically just a notepad and the reminder, because then in the morning she would go, what the fuck did you send me last night?
00:04:27
riptide
Did you check the zero address?
00:04:27
riproprip
I'm laying right next to you. Sorry?
00:04:31
riptide
She says, did you check the zero address?
00:04:35
riproprip
Did you take care of the birthday paradox?
00:04:39
riptide
So you bounce it off her and then, I don't know how that works for you, but then that...
00:04:44
riproprip
That was basically just a notepad, because I wake up in the middle of the night, I want to go back to sleep. I'm a parent. I need my sleep. I just need to write it down somewhere. And usually my phone these days is just for communicating with my wife.
00:04:57
riproprip
And so it's like, I just need to unlock my phone, text it in there, go back to sleep.
00:04:58
riptide
Mm-hmm.
00:05:04
riproprip
And then the next morning I'm going to find it, right? And so for me, you at least need to know the code base by heart, right? So there needs to be some kind of point where you can close your eyes, you're standing in the shower, and you can see the connections. I think in graphs, and I think if you do that... You don't need to be a visual thinker to have some kind of graph representation in your head, right? And if you have that, you can stop looking at the code, I think.
00:05:36
riproprip
That's when I let go. Sometimes I let it sit and rest in my mind for two, three months and then look at it again. Not sure where the best stop-off point is.
00:05:48
riptide
Yeah, this reminds me of when Obrant was on here and he was saying he took a walk in the mountains and did some mushrooms. And then he came up with this amazing bug, but he's like, you could only come up with that if you have the code base memorized.
00:06:04
riproprip
Oh yeah, that's true. Also, don't do mushrooms and walk through the mountains, I think. I'm not sure. I don't know the guy. It's not going to end well for everybody.
00:06:15
riptide
It could be good.
00:06:15
riproprip
it
00:06:16
riptide
Yeah, it depends on the code base.
00:06:18
riproprip
Yes, really. Imagine you were thinking about Maker, and then you take some shrooms. Maybe you're even completely losing your language.
00:06:25
riptide
Oh, fuck. No, no, no, no, no. Yeah, you still...
00:06:29
riproprip
You're splishing and you're splashing.
00:06:33
riptide
Don't do Maker. No, no, no. We don't do that.
00:06:36
riproprip
Yeah, no, never. Don't even look at Maker, just ignore it until they rename their stuff. It's horrible.
00:06:45
riptide
So I was looking at your Immunefi profile. I know everyone does bugs outside of Immunefi, but it showed you had two crits. And we were talking in the chat about the one you made public, I think two years ago, with Raydium.
00:07:00
riptide
Is that two years ago?
00:07:00
riproprip
Yeah, yeah, yeah, yeah.
00:07:01
riptide
Okay, so that one.
00:07:02
riproprip
They were asking me if they can make a write-up, and I didn't know enough to tell them no. Yeah.
00:07:10
riptide
Yeah, that's weird. You didn't even do the write-up. The Immunefi team did it for you.
00:07:15
riproprip
Yeah, yeah. I think they wanted to get deeper into the Solana ecosystem, and I'm not sure if they knew that I could have written that.
00:07:20
riptide
Mm-hmm. Mm-hmm.
00:07:23
riproprip
Also, I'm not sure if I would have spent the time to do that, to be honest, because this was the first one. I'm not sure which one they wrote up, but this was basically two quick bugs in succession: the first week, and I think the second or the third week, the next 500K. And then they came back and were saying, can we do a write-up? And I didn't know anything. So I just said, yeah, sure.
00:07:49
riproprip
Give me the money. Yeah, it's...
00:07:51
riptide
So Raydium was 500, and then you say two, three weeks later, you got another 500 on...
00:07:52
riproprip
I'm going to sort of shut up.
00:07:58
riproprip
Yeah, yeah, yeah. I'm not sure if I'm allowed to say that, but let's say if you divide the dollar amount, it's pretty clear where the second bug came from. There were bug hunters... Yeah, it was really nice. The first one was like hitting the lottery.
00:07:59
riptide
on the same protocol?
00:08:03
riptide
Or can you discuss?
00:08:09
riptide
If you can't, don't worry about it.
00:08:15
riptide
Okay. Wow, that's back-to-back pretty big.
00:08:25
riproprip
And then the second one was like, I don't know, hitting the lottery again. I'm not sure. It felt wild to me.
00:08:33
riptide
Do you still classify as a Euro-poor, or not anymore?
00:08:34
riproprip
like
00:08:38
riproprip
Yeah, sure. Saved by a seven-figure hit from my government, right?
00:08:44
riptide
That's right. That's right.
00:08:46
riproprip
No, but to be serious, I don't really think... I don't care about the money. It was just awesome to find the bugs. For me, I'm fairly old.
00:08:54
riptide
Yeah.
00:08:58
riproprip
I'm not sure if I qualify as an older gentleman, but I know you're a bit older yourself. And to me, I'm settled in life.
00:09:09
riproprip
Finding the bugs is awesome. The money is awesome too. But the feeling of finding a critical in a live system is what's doing it for me.
00:09:21
riproprip
I'm not sure.
00:09:21
riptide
Yeah.
00:09:23
riproprip
like I don't know what you do when you find one.
00:09:25
riptide
It lights up the dopamine receptors, definitely.
00:09:28
riproprip
Yeah, yeah, yeah. I basically go back and play the Dragon Ball theme song.
00:09:31
riptide
i
00:09:35
riproprip
Every time I find a bug, I'm ripping it down here.
00:09:42
riptide
I looked up the analytics for the pod, and it says most listeners are 18 to 24.
00:09:50
riptide
All male.
00:09:50
riproprip
I'm so jealous of you.
00:09:51
riptide
And it's very young. My audience is very young. I honestly don't know if they listen to it at 1x. It's probably Zoomers at 4x, you know, multitasking, looking for bugs at the same time.
00:10:01
riproprip
Yeah. Go as fast as you possibly can.
00:10:04
riptide
But yeah,
00:10:05
riproprip
Don't waste time with us.
00:10:06
riptide
But, you know, yeah, it's all age ranges, really. You're not the only guy I know who's not a super young guy that's hunting bugs.
00:10:18
riptide
In fact, I was just speaking to him recently about your bug. I forwarded him the Raydium write-up, and I said, this is, I don't know, CLMM, I pronounce this "CLAM," the CLMM stuff.
00:10:28
riproprip
Yeah.
00:10:29
riptide
Yeah, so he did, and I don't know if you read his Kyber write-up. That's 100proof.
00:10:35
riproprip
Who was it? Who did you forward it to? Oh yeah, sure, sure.
00:10:39
riproprip
i know also.
00:10:39
riptide
Yeah.
00:10:39
riptide
So he thought your Raydium bug was pretty cool. And you know, some similarities there. He's just like, yeah, those are so specific, and you do one tiny thing wrong and then it blows the fuck up.
00:10:55
riproprip
Yeah, so should we talk about the bug?
00:10:57
riptide
Yeah, sure, man. Go ahead.
00:10:58
riproprip
I kind of have a learning experience for people.
00:10:59
riptide
And I...
00:11:01
riptide
Yeah, and let me shill this too. So I launched a Discord for the podcast. It's on the Linktree, and I put bug write-ups in there, and I just pasted your link, so we have that.
00:11:13
riptide
And then podcast discussion, all that stuff. So if anyone wants to join there, you could find his write-up in the bug write-ups section. So go ahead. Talk about it.
00:11:24
riproprip
Yeah, sure. So can we assume the 100proof write-up is known to people? I think 100proof was on, and you already talked about the CLMM stuff, right?
00:11:39
riptide
Yeah, I think we mentioned it. Yeah.
00:11:43
riproprip
All right, so.
00:11:44
riptide
Go back to that episode, guys, if you want to jam to it.
00:11:47
riproprip
Yeah, so if you're hunting right now, you should have looked at Uniswap V2, and after you've had your mind blown, check Uniswap V3 and cry a bit. At least that's what I did when I checked that thing the first time, because to me, I can't make heads or tails of it, right? I'm positively retarded. I'm not smart. I'm decent, I guess, but I'm not able to comprehend the Uniswap V3 paper, right? So I look at the math symbols and
00:12:19
riproprip
I feel a bit woozy. I can't do anything anymore, right? But looking at the code, then you can maybe figure some stuff out, and then you read the 100proof write-up, right?
00:12:32
riproprip
And then you figure out that Uniswap V3 is like multiple Uniswap V2s next to each other, and they are delineated by ticks, right? So there's a tick range, and then you figure out, after reading the 100proof write-up again and again, that it's somehow related to liquidity, and if you can cross a tick without kicking in or kicking out the correct amount of liquidity, then Uniswap V3 is done, right? So that's the winning move condition.
00:13:04
riproprip
So I read those, I felt like I could reproduce the stuff, like I understood it well enough, but I never saw another project having a big bug bounty for this.
00:13:21
riproprip
And then one day I checked the Immunefi thing and I saw the Raydium bug, or the Raydium CLMM, and
00:13:22
riptide
you
00:13:29
riproprip
within that I was kind of trying to make a comparison between the bugs I knew about, or the write-ups, and how they did it in Solana, right? And Solana, you guys know it's Rust-based, and the Rust base basically tells you, you can't take the straight Solidity. So what's different between the EVM and the SVM? There's remaining accounts...
00:14:04
riproprip
Do we need to talk about similarities between SVM and EVM?
00:14:09
riptide
You know, I'm unaware of it because I don't look at anything Solana. So go ahead and mention it.
00:14:17
riptide
If you have it ready, if you don't, then, you know, don't worry about it.
00:14:21
riproprip
I'm not sure if anybody is going to be able to follow my thoughts, and I kind of think we need to do that. So can we just assume people know the EVM?
00:14:27
riptide
Sure.
00:14:30
riptide
Yes. Safe assumption.
00:14:32
riproprip
Yeah, perfect. So I guess, like storage: you know the keccak stuff, you take an index, keccak, and then you have storage that stays on the chain. That's different in SVM land. In Solana, you kind of need to supply accounts, and when you supply those accounts, those are the only things that you can read and write to, right? You need to specify in the transaction: this is what I want to read, this is what I want to write.
00:15:03
riproprip
I think you can also say execute, or at least there's some way to not execute, just plain data. And when you do a swap, you need to supply accounts for every tick.
00:15:15
riproprip
And there's basically not a good way, in the current Solana ecosystem, to supply a bunch of accounts, or at least there didn't used to be, and you could just supply an array of accounts and those weren't checked. And now if you assume you could manipulate the storage of the EVM for the things like liquidity, and then take that with 100proof, fuck, you can maybe possibly see how that worked.
00:15:49
riproprip
Am I losing you, or am I just rambling?
00:15:54
riptide
No, no, no, this is good.
00:15:56
riproprip
Yeah, okay. So basically you were able to supply your own piece of storage, basically saying this bit here is different than it actually should be, and that's all you needed to cross a tick boundary, and then it's just following 100proof.
00:16:13
riptide
So he was your primary inspiration for this whole idea.
00:16:18
riproprip
Yeah, sure, sure. I think if you don't read prior art, you're doing yourself a disservice. You need to read the write-ups. Whenever a live bug happens, you need to open up the explorer, check it out, see if you can actually catch the bug. Then you open up the code, and then you try to put yourself in the mindset of somebody fresh and say, how would I have been able to find that bug? What should my mindset have been?
00:16:49
riptide
And did you focus on Rust beforehand?
00:16:54
riproprip
No. I wrote it a couple of times, I think. And it's more secure. You possibly should write in it. I'm not really good with it, but I knew enough to read the code. Like I mentioned, I'm older.
00:17:10
riproprip
Once you've been through enough programming languages, they're the same.
00:17:11
riptide
Mm-hmm.
00:17:16
riptide
And what did you first start on?
00:17:20
riproprip
My first programming language: BASIC.
00:17:22
riptide
Yeah.
00:17:25
riptide
I thought you were going to say Pascal.
00:17:27
riproprip
No, no, no.
00:17:29
riptide
ah
00:17:30
riproprip
It was BASIC. And then I did some assembly because it was supposedly cooler. So I'm old school that way.
00:17:38
riptide
Yeah, yeah, that's cool. Assembly was always something that I just looked at when I was younger and I just said, I don't know what the fuck this is talking about. And there were no good resources. It was like, go to the library and get a book on it.
00:17:52
riptide
Yeah, right.
00:17:53
riproprip
Yeah, I guess it's hugely related to how close you were in age to a brother or a relative who had a C64. And then, did you get a handbook or not?
00:18:09
riproprip
like
00:18:09
riptide
Yeah, I had nothing.
00:18:10
riproprip
That's all you need to know to program a machine. And luckily enough, one of my best friends' bigger brother had access to a machine. And at night, we could sneak in there and try stuff.
00:18:22
riptide
Oh, that's cool, man. At least you had access. I mean, nowadays I think we take it for granted because everyone has a computer. Everyone has the internet. Now they have LLMs. But I mean, my God, the ease of learning things has gone up significantly. So significantly that it's hard to even compare my childhood with a kid's childhood now, except I think one trade-off is that the kid doesn't know.
00:18:49
riptide
He just has so many things vying for his attention. There's too many things to learn. So he has to be selective and stay focused, rather than...
00:18:56
riproprip
Yeah.
00:18:57
riptide
Yeah, yeah, I guess it is.
00:19:00
riproprip
You kind of need to reduce the noise for them sometimes, I think. Turn off the TV, hide it, throw the remote away.
00:19:06
riptide
I would agree.
00:19:11
riproprip
You need to do multiple things, I guess, to ensure that your kid is starved for information like you were when you grew up. Because they will never have the problem of not having enough input.
00:19:25
riptide
Yeah, and I don't think that this whole multitasking thing that a lot of people do, that everyone seems to do, is that great, because, you know, I got mocked initially because I printed out the code. And I would just sit there offline in a library reading the code with a pencil, just because it's a great way to focus, because there are so many distractions on your computer.
00:19:44
riproprip
Yeah, yeah, yeah. Whatever works for you, right? So if I sit in a library, I know I need to be silent, I need to read what I have in front of me, I don't need to do anything else, I can turn off the phone. I don't do that, but I totally understand why it worked for you, I guess.
00:19:45
riptide
And I think it's great.
00:19:46
riptide
I think it's a good strategy.
00:20:05
riptide
Yeah. Yeah. I guess it depends what you're looking at, too. If you're pattern matching, then you're going to fly all over the place. You know, look at the VS Code, regex, stuff like that. But if you're really digging deep, sometimes you've got to go offline.
00:20:19
riproprip
Yeah, it's also a good way to get that graph in your head, right? Because eventually you're going to get tired of switching pages and you're going to figure out a way in your own head to retain the information.
00:20:32
riptide
Yeah. When you look at a protocol, do you have a complete understanding of it before you think you can really find bugs?
00:20:42
riproprip
No. Basically I just open up the code in an editor, and then I try to go sources and sinks.
00:20:51
riptide
Mm-hmm.
00:20:51
riproprip
Basically, what's the input? What do I define to be the output? The output should be aligned with invariants, right? So if I say I want to liquidate somebody, I try to see what inputs can touch the liquidation invariant.
00:21:13
riproprip
And then I'm good to go. I try not to read comments. Comments are always liars. There's no point to them. Either the code is readable or it's not.
00:21:24
riproprip
I'm not shitting on Maker again here.
00:21:28
riptide
I know DanielVF, I think that's his tag, shared some... was it a plugin or a command where he could just remove all of the comments in VS Code immediately?
00:21:28
riproprip
I don't know.
00:21:44
riptide
And that's pretty cool.
00:21:44
riproprip
Yeah.
00:21:45
riptide
It's a pretty cool idea.
00:21:47
riproprip
I guess it depends on where you are in your journey, right? So if you have trouble understanding code when you come into a new code base, read the comments, do whatever works for you. But at a certain point, if you read the comments to comprehend the project, afterwards you need to ask yourself, did the comments lie to me?
00:22:08
riproprip
Is the code actually doing what the comments are saying?
00:22:12
riptide
Right, right. No, definitely. Hmm.
00:22:16
riproprip
Yeah, so... Be as quick about it as you can. Get into the code, look at the code. That's the only thing that ever worked for me.
00:22:27
riptide
And do you say, for any protocol, all right, external functions, I'm just going to look at high-touch functions where there's mutability?
00:22:38
riptide
Or do you say there could be bugs in a view function that lead to a different function? Do you just look at everything or do you specifically target like what everyone else would look at?
00:22:49
riproprip
It really depends on how nice my daughter was to me in the morning.
00:22:57
riproprip
I really do whatever floats my boat. Most likely it depends on: do I think I know the field? Is it a lending protocol? Do I have a good concept of what lending protocols need to do?
00:22:57
riptide
Thank you.
00:23:11
riproprip
And if I do, I might be bolder and go into stuff. How can I put this? There was a time when Uniswap V2... there were a bunch of derivative contracts on multiple chains, and it was almost weekly there was a new Uniswap V2-like swap contract, and after a while I just knew, I checked the fees, because there were so many bugs with fees, and so
00:23:41
riproprip
why would I look at anything else? It's easy to compare to other things. You can just diff the two files against each other; something like that sometimes works. But if it's an actually new product or a new idea, some new niche project, it's okay to just be stupid about it. Just check all the inputs first, then think about what the invariants could actually be, and then think, can I actually manipulate the inputs to get to the invariants and break them?
00:24:10
riptide
Hmm. Yeah, I think "it depends" is really what happens. Yeah. How do you feel, what's your vibe on this project? The complexity?
00:24:23
riptide
Yeah, you name it. I think my approach changes no matter what I look at.
00:24:24
riproprip
Yeah.
00:24:28
riproprip
I think it should evolve, right? So as you grow, your knowledge grows, whatever works for you should change. There shouldn't be some rigid construct, like I have a list and I go through every point, every time, for every project, for every blockchain. In my opinion, that's suboptimal.
00:24:49
riptide
Mm-hmm. No, definitely. Go ahead.
00:24:52
riproprip
But that being said, I'm still trying to put myself in the boots of younger people, right? So if I were new, yeah.
00:25:03
riproprip
If you follow a recipe, why don't you do it? You can ask yourself afterwards if the recipe was serving you or not. And then adjust and go from there.
00:25:14
riptide
Yeah, and you don't know that unless you have experience doing it and you've seen results, or no results, from it.
00:25:18
riproprip
Yeah. Yeah. You need to put the time in. If you imagine yourself being a book character, you have to constantly ask yourself... it's ridiculous.
00:25:31
riproprip
Why would the main character find the big bug but never have looked at code before? So just look at the code, man.
00:25:40
riptide
That's a good one. It's true. I get guys messaging me saying, how do I get started? I'm doing this. And I honestly say how I started. I read a bunch of audit reports.
00:25:54
riptide
I read a bunch, and then I'd go look at code and I'd try to find those bugs that I saw the auditors find. And I thought that was a good combo. Just keep reading audit reports. You kind of see the patterns, you get used to seeing all the patterns, and then you start reading them. And then eventually, like you say, you just put the time in and it becomes like muscle memory.
00:26:14
riproprip
Yeah, yeah. That being said, I know nothing. So why should you ever trust me about this?
00:26:22
riptide
I want to ask you a couple of questions. So there's a podcast discussion channel on the Discord, and this guy, pseudo TX, wanted to ask you a couple of things. Are you ready?
00:26:35
riproprip
No, never, but shoot anyway.
00:26:35
riptide
Very, very easy questions. Yeah. He just says, have you ever found a bug that made you think, how did this even get past an audit? What was that like?
00:26:45
riproprip
Oh yeah, that was awesome.
00:26:50
riproprip
Because so much responsibility got handed to me. Basically, I was interested in how some Balancer function worked. We didn't talk about it, but I came to this from... I did MEV before I did auditing.
00:27:08
riproprip
And I was basically just checking out markets and how they interact with each other. And I was basically printing out all the calldata for multiple ETH blocks and then just grepping for signatures and seeing, can you come up with commonalities?
00:27:24
riproprip
And there was one Balancer extension whose calldata looked completely different from all the other things, because there were target keywords in there.
00:27:35
riproprip
There were addresses in there that shouldn't have been in there, and stuff like that. And it was easy to see just from the calldata: this is a bug. This can't be anything but a bug.
00:27:48
riproprip
I used to do some tracing, and you can also change the revm code sometimes and say, was this sanity-checked? And then from the calldata and from the extra debug output I could tell, nobody checked this calldata, and it's basically user-supplied.
00:28:08
riproprip
And then I tried to actually identify the project, which was hard. You just have a contract address. Etherscan didn't take it. So I had to figure out who deployed the vulnerable code.
00:28:25
riproprip
And I got in touch with them and then figured out it was audited by some firm I'm not going to mention.
00:28:32
riptide
Name and shame.
00:28:34
riproprip
No. It's the one you think about, right?
00:28:37
riptide
Yeah, yeah.
00:28:40
riproprip
So back at that time, I didn't know about their reputation.
00:28:40
riptide
Yeah, go ahead, go ahead.
00:28:46
riproprip
I was just happy I found a bug.
00:28:49
riptide
I was going to say it's kind of pointless to name and shame any audit shop, because independent auditors, I think... what is that?
00:28:58
riproprip
Shit.
00:29:02
riproprip
Either the Russians are invading or they're just testing stuff.
00:29:07
riptide
See, this is that audit firm, they're coming in hot.
00:29:11
riproprip
but
00:29:11
riptide
I'd say, honestly, I don't like to name and shame.
00:29:12
riproprip
I don't know.
00:29:14
riptide
I like to do a humble flex if an auditor misses a bug, because everyone misses a bug, right? It happens, man.
00:29:21
riproprip
Yeah, yeah, I've missed bugs.
00:29:24
riptide
That's why you've got to get multiple audits.
00:29:24
riproprip
Yeah.
00:29:25
riptide
The best flex is when you see three audits and then you find something that none of them got.
00:29:32
riproprip
Yeah, yeah, yeah, that's good.
00:29:34
riptide
Yeah, those are good. Those are always good. Yeah.
00:29:37
riproprip
But I take the W, right? So I don't care who it was audited by, how many people audited it. I just care that somebody other than the devs looked at it and didn't see the bug. So that's the win for me.
00:29:51
riproprip
I have my fun. I didn't even get paid on that bug. They basically paid me in their own shitcoin, which was never worth anything. But I was just happy to find the bug, right? Like I mentioned, money is fine, I like it, but I'm hunting because I like the feeling, not the money.
00:30:11
riproprip
Like you have to be clear on your priorities when you do this.
00:30:15
riptide
That's a very good point, because you may not make any money. Oh shit, they're still coming in. Calm 'em down.
00:30:23
riproprip
You also, like you moved to Europe, right?
00:30:23
riptide
All right.
00:30:26
riptide
I did. Yeah.
00:30:27
riproprip
Okay.
00:30:29
riproprip
Sorry.
00:30:29
riptide
um
00:30:31
riptide
No, go ahead. Oh, sorry. He's got question number two. All right. Last question here. Have you ever collaborated with another hunter on a find? If so, how did that change your approach?
00:30:42
riproprip
I did.
00:30:45
riproprip
I likely don't think I'm compatible. Like, I'm blessed with autism. Like, I don't think there's somebody else whose autism is compatible. Like, I tried it really hard at one point. I tried, like, getting an apprentice.
00:30:45
riptide
Lone Ranger.
00:31:00
riproprip
Like, I sifted through all the messages in my DMs and, like, basically tried to find somebody who I could, like, be value-aligned with.
00:31:00
riptide
Thank you.
00:31:07
riproprip
Right. Because if I tell somebody a bug, they could submit that stuff. So I tried to, like, figure that out. Like, were they honest? Were they intelligent? Did they have drive? I figured out... It never came to anything. I don't want to shit on people, but, like, I tried and failed hard.
00:31:28
riproprip
So I don't do that, unfortunately. I imagine it's awesome if you have somebody who you jive with, right? So you had the two Austrian guys on, like, I'm jealous. Like, it's possibly loads of fun having another person, like, who you can bounce ideas off.
00:31:44
riptide
Yeah, and to be honest, I don't think they were Austrian. I think they were in the Austrian Alps, but I think they were from somewhere else.
00:31:53
riproprip
Sorry guys.
00:31:53
riptide
They could be anybody.
00:31:54
riptide
Who knows? I told them, I said, now you're Austrian, no matter what.
00:31:59
riproprip
Uh, yeah, maybe. I don't know. Like, maybe I heard some bratwurst accent. I'm not sure. Yeah, yeah, I'm German.
00:32:05
riptide
What's your accent? I mean, is it German or Austrian? German, okay.
00:32:12
riproprip
Usually the Austrians can understand us, but, like, we fail to understand them sometimes. Like, I had mixed reactions at the slopes.
00:32:12
riptide
and
00:32:22
riptide
Everyone who's not from that region, we just bundle you all as either Germans or Austrians.
00:32:28
riproprip
No comment from my side.
00:32:32
riproprip
In this sense, I have to keep my mouth shut.
00:32:36
riptide
No, that's probably for the best. But to your point with getting an intern, I tried the same thing. I tried it one time and it just failed miserably. I won't name the guy because I guess he tried, but I tried to pull him in to help collaborate on something so I could put his name on the bug report. I was trying to have him, it was like a learning experience, and he just wasn't able to do it, and it was complicated, to be honest.
00:33:01
riptide
But it didn't work. I think if I were to partner, I would partner with somebody who I know has a rep, I know is legit. Like someone that's been on this podcast, you know, I could probably partner up on a bug, but I'm like you. I just go solo, I guess, so far.
00:33:20
riproprip
Yeah, I think Immunefi is doing this island thing, and, like, let me preface this by saying I have no idea what it is, but I see a bunch of people fighting on the same team. I'm not sure if that, like, helps people work with each other.
00:33:35
riptide
I don't know what it is. I saw it posted. Isn't it just you find a bug and then they keep you on, like, during that period?
00:33:44
riproprip
I have no idea.
00:33:45
riproprip
I just saw a bunch of people talking with each other, playing team games. Like, imagine your score, like, you divide a group of people into two, like, team blue, team red.
00:33:45
riptide
I don't know either.
00:33:58
riproprip
One team gets points whenever one of their researchers submits a bug. The other team gets points when the other team submits. Like, maybe there's, like, camaraderie and people cheering for the bugs. I'm not sure. Like,
00:34:10
riproprip
I would need to be incentivized. Like, I would have to kind of care about my team winning, then I could maybe collaborate with people I, like, usually wouldn't. I'm not sure.
00:34:20
riptide
I try to maximize my free time. So if I don't see any upside to doing it, you know, I already have enough things consuming my time. If that's, like, some extra thing that doesn't lead to anything, I wouldn't do it.
00:34:34
riproprip
Yeah, but at the same time, like, if you're younger, like,
00:34:38
riptide
Oh yeah, you got all the time in the world.
00:34:40
riproprip
Yes, exactly. Like, we probably optimize for time.
00:34:44
riptide
Thank you.
00:34:45
riproprip
I'm not sure how open you are about your, like, private life, but, like, once you have kids, time is the only valuable resource that you ever have.
00:34:56
riproprip
And you don't give that away. But at the same time, if you're young and don't have to care about anything, you can hunt seven days straight. I would do that shit. Why not? You could learn something.
00:35:07
riptide
Yeah, absolutely. I mean, we have, you know, the older guys and younger guys, we have different mindsets, right? The young guys want a few things. They want a stack of cash in their pockets.
00:35:20
riptide
They want to be jacked and they want girls and they want all the things to go with it. You know, the fast life, fast cars, travel, luxurious, all these things. That's what you want in your youth.
00:35:33
riptide
When you get married, you start getting older, you want different things, especially when you have kids. You want financial security. You want control of your own time.
00:35:44
riptide
And you want time to spend with your family, enjoying your life. But you're less focused on Lambos and all that material shit.
00:35:48
riproprip
yeah
00:35:52
riptide
And you should always stay ripped and jacked, by the way. But everything else kind of takes second fiddle, you know?
00:35:55
riproprip
Oh yeah, that's kind of like the alpha drop. Like, if your body ain't healthy, you can't hunt. Like, I'm fighting with back pain all the time. Like, that shit sucks. Like, establish a routine that you follow and you don't give a fuck if you, like,
00:36:03
riptide
Oh my God, is that true? I know. Yeah.
00:36:15
riproprip
Last night you sort of had a bug idea. You get the time in the gym in first and then you hunt. Like, take care of your body and that will take care of the bugs, finally.
00:36:25
riptide
One hundred percent correct. I
00:36:28
riproprip
Yeah.
00:36:29
riptide
I hope young guys take heed of this. You see that meme with, why does my back hurt? It's like a prawn, you know, curled up on the computer chair in front of the computer. And that's a lot of guys, man. Get out there, jack some weights, do some calisthenics, run, do something.
00:36:45
riptide
And the flip side is it helps you find bugs. Just getting outside, running around, will fire off all the synapses in your brain, and you'll just start connecting the dots.
00:36:57
riproprip
Yeah, yeah, yeah. Most definitely, like, do something, like, go rowing, take a long jog, something like this, like, where you can tune out your mind and just think about the project while you do some stuff that's training up your body.
00:37:12
riproprip
And that works for me.
00:37:14
riptide
It's a natural endorphin release, and you also get a natural dopamine hit, because people sit at the computer all day and they want to pound sodas, coffees, Monsters, whatever. But that all has its limits.
00:37:27
riptide
And then you head to cocaine, you head to all these different drugs trying to get the same high, when the real high is just go outside, run around, and you can never beat that. And it's good to just think about that sometimes: try to tone it down, dial back for a couple of days, whatever you're doing, and just go totally natural, go run, just get the body's natural response re-triggered, and it kind of resets you and makes you feel a lot better.
00:37:54
riproprip
That's a good alpha drop also.
00:37:56
riptide
It's fucking physical alpha drops.
00:37:58
riproprip
Yeah, why not? There's a range to this, right? So either I tell you exactly what a bug is and you can go submit it, or, like, you can move away from it in dimensionality.
00:38:11
riproprip
And then in stuff like this, you have to keep your body healthy to find a bug. Should we talk about more concrete alpha drops?
00:38:16
riptide
Yeah.
00:38:19
riptide
Sure, I actually just thought of an alpha drop because I did not have one prepared and I'm actually doing it right now and seeing how it works.
00:38:23
riproprip
Here, go.
00:38:26
riptide
All right, but this sounds good. So go to, and if you find a bug, give me a hat tip, right? So go to the Solidity compiler bugs list on Solidity's website. And some of these things are very complicated. They're very rare edge cases.
00:38:44
riptide
And I'm doing this right now. So I'll interfere with any bugs I may find, but I'll probably find zero, like most bug hunting. But select everything, throw it in an LLM and say, hey, generate a regex for finding this bug.
00:39:00
riptide
And it'll pump out a regex and you could search through all your code libraries, even on Codeslaw, you make it an RE2 regex and maybe you'll find something. Maybe there's a bug out there, some obscure thing that triggers this Solidity compiler version bug.
00:39:17
riptide
I'm going to say it's a one in a thousand, maybe one in 10,000 shot, but it could be good alpha.
00:39:25
riproprip
Why not? Like, and now there's, like, the derivative of this. You could also, like... I'm thinking you probably do this on Ethereum, I guess? Or where would you do it?
00:39:37
riptide
I mean, any EVM-compatible chain, yeah.
00:39:42
riproprip
And is Codeslaw, like, hooked in with that? Or, like, no, no, no?
00:39:46
riptide
You don't use Codeslaw? Codeslaw, it's pretty good for checking the chain. So they have, I think, six or seven chains on there, and it just lets you do a normal text search, or you can also do RE2 regex, so limited regex.
00:40:05
riptide
And it's cool, man. I mean, it doesn't index every single contract, but whatever algorithm this guy's using is pretty good. It hits a lot of the popular contracts and it lets you just search it.
00:40:19
riproprip
Do you actually, like, code yourself?
00:40:23
riptide
I used to. I have a side project. I'm making a DeFi protocol, but I'm not putting as much time into it as I need to.
00:40:29
riproprip
Ooh.
00:40:33
riptide
So it's a side project right now, but I'm using Cursor to help me do that, which is pretty cool, playing with that.
00:40:36
riproprip
All right.
00:40:41
riproprip
Okay, yeah, like, I'm old school. This is like an old guy screaming at clouds. I'm not sure how helpful that is for younger people. But I already mentioned, like, print out the blocks, like, print out the calldata, print out the subcalls, like, put it all into a big text file and then write some Python.
00:41:02
riproprip
Like, you can do the same thing. And if you, like, think about the dimensionality of what you can reach with Codeslaw, and if there's anything you can't do on there, maybe, like, figure out how you could do it in Python yourself. And that's alpha also, maybe. I'm not sure.
00:41:21
riproprip
Like, for me, that kind of stuff usually works. Like, you have to think about the meta, like, what's easily accessible, what's hard to reach, and sometimes you have to say, well, I want a quick and easy win, and you use what exists already in the world.
00:41:38
riproprip
And sometimes, if there's anything you can't do on Codeslaw but could do with Python yourself, maybe it's worth doing that. I'm not sure.
00:41:49
riptide
And are you just implying just connecting to an RPC through Python and then conducting queries that way?
00:42:01
riproprip
Uh, yeah, yeah, basically. Like, I had, on my own server, there were, like, RPC calls I could do to get the whole blocks, then I could get, like, all the transactions, and then it's, like, a little bit of magic, like, printing out all the stuff. It's not hard, but it works. Like, this one bug, there was, uh,
00:42:04
riptide
Yeah.
00:42:27
riproprip
auditors and the guys who paid me in shitcoin. This bug, I found it kind of like that. I was trying to write something. I didn't know that somebody else had, like, already programmed the solution for this. It probably would have saved me a lot of time, but also, like, I learned the internals a bit, maybe. Who knows?
00:42:30
riptide
Thank you.
00:42:50
riptide
No, that's a good tip. I think use whatever tool is necessary. I was suggesting Codeslaw for, say, you have a vulnerable function that you found some pattern in and you want to search deployed contracts: just quickly throw it in Codeslaw, because if you query the chain through an RPC through Python, you would have to...
00:43:11
riptide
I mean, you have to have a database of verified contracts to be able to do that search, right?
00:43:16
riproprip
um know we can
00:43:18
riptide
Like, if I wanted to do a text search for, not a function name, but say just a string of text within a contract.
00:43:27
riproprip
Ah, yeah, so you're talking about, like, the contract code itself, right? And I was just talking about the calldata, right? So the EOA sends a transaction and that kind of triggers sub-transactions after that.
00:43:41
riproprip
And those, like, just the calldata, like,
00:43:42
riptide
Mm-hmm.
00:43:46
riproprip
from whom, like, who's the caller, to what's the contract you're calling, what's the calldata, what's the gas supplied, what's the Ethereum value supplied, like, put it all into a big CSV, like, just a text file with hex data in it.
00:43:57
riptide
Mm-hmm. Mm-hmm.
00:44:03
riproprip
And then you search for the signatures you care for, right? So sometimes you can search for transferFroms, and then you can see, like, do I find a transferFrom in a subcall? And then in the parent call,
00:44:16
riproprip
do I see that this is, like, kind of a free argument that anybody could supply? And then, um, sometimes that works.
00:44:26
riptide
Yeah, no, so many different methods of doing that. I think that's a great idea. Do you use Glider at all? Have you used their query tool?
00:44:36
riproprip
Ah, absolutely.
00:44:37
riptide
Or have you heard of it?
00:44:38
riproprip
No, I think you guys mentioned it, right? But I haven't tried it, so I don't wanna talk about it.
00:44:43
riptide
I mean, it makes me just think of what you're doing. It's just they've beautified it a bit and made it a bit more specific to looking through, you know, where you can customize it so you can look through this function, this subcall.
00:44:57
riptide
It's very structured, whereas you could do the same thing, you know, the way you're doing it. It's just this is kind of a different interface, a little more user-friendly, probably. Like
00:45:08
riproprip
Yeah, yeah, and user-friendly is good, right? If you can't do anything on your own, use the user-friendly one.
00:45:08
riptide
But whatever works.
00:45:13
riptide
Thank you.
00:45:14
riproprip
And if you, like, want to figure out how the stuff works, like, sometimes it's good to know, like, everything's a tool and you need to know if your tool is, like, the best thing at the job or not. Like, um, I don't know, and I actually don't know those
00:45:28
riproprip
tools, so, like, this is not me shitting on this, but if you find out that there's something that you cannot do with that tool, that might be something, like, if you implemented it yourself, that nobody else has looked at, because it was so easy to look at the other stuff. Sometimes you have to find your niche, right?
00:45:45
riptide
That's right. I picture your computer in front of you right now. You have a Lynx browser open, and not many know that, right?
00:45:54
riproprip
Stop talking to me, man.
00:45:57
riptide
No, it's whatever works, man. I got this Mac and I was running Linux for so long and I feel guilty. I feel like a normal user just using a Mac because everything just works. Like, it's just, I hate it sometimes. I just want to fire up some Linux and just have immediate Wi-Fi problems and all the displays.
00:46:21
riptide
I just, ah, I got to have my Linux problems.
00:46:26
riproprip
Yeah, to be completely honest, like, I tried getting on this show with my MacBook, but I couldn't get the microphone to work. Like, I couldn't get the microphone pickup. Like, let's table this, but basically I had it easier not using my MacBook. This is where the industry is going. Tim Apple is lacking.
00:46:47
riptide
And then you fired up Debian and then everything worked. I doubt it.
00:46:51
riproprip
Yeah, it did. It's wild.
00:46:55
riptide
Let's talk about this. We were talking on X about this. It was dealing with contests. I think I posted something, POC or not the POC. What was this thread on?
00:47:09
riproprip
Yeah, I think Immunefi was saying they don't require a POC anymore.
00:47:09
riptide
We were going to talk about it.
00:47:15
riptide
Right. And I said, I was just thinking, well, you know, why not? I mean, is there low participation in these contests? Why else would you say, fuck POC? What was your take?
00:47:25
riproprip
Yeah, well, man.
00:47:25
riptide
You had some backstory.
00:47:26
riptide
Whatever you want to share, go ahead.
00:47:29
riproprip
Yeah, what, man.
00:47:31
riptide
You don't have any bosses, so just share whatever you want.
00:47:32
riproprip
like
00:47:35
riproprip
That's kind of true, but at the same time, like, I try to be constructive while ranting. So let's go. I think they changed the POC guidelines because one of the contests, contest projects, I'm not sure, like, the party that's basically supplying the code and wants to have it audited, like, they were being very, let's say, defensive about their code. Like, it was regular fighting within the comment section.
00:48:11
riproprip
Like, you were making good arguments, the project was shutting them down, which is fine, I guess. And then, like, at a certain point, I'm, like, lifting my hands and just saying, Immunefi, please. I have given enough arguments for why I think this is a real bug.
00:48:29
riproprip
I don't care how much text they write back. Please come save me. And I think there might be, like, an incentive problem at contest providers. I'm not sure.
00:48:46
riproprip
Because, yeah, so you also don't have a boss, right?
00:48:46
riptide
Well, yeah.
00:48:50
riptide
Of course.
00:48:52
riproprip
You're also, like, beholden to no one.
00:48:53
riptide
I have no boss.
00:48:55
riproprip
All right.
00:48:55
riptide
I don't even have any advertisers.
00:48:57
riproprip
Yeah, that's good, baby, right? So we can talk about stuff. And I think that it's just a suspicion of mine. Like, I can't, like, supply any... I don't have evidence for this, but I kind of feel like some contest providers are more involved in the judging than others, right?
00:49:18
riproprip
There's multiple reasons for it, right? So if the project gives the money to the contest provider, let's say Immunefi, Cantina, whatever.
00:49:31
riproprip
And so, like, they themselves can then decide what's a bug and what's not. Like, that's gonna give you totally different outcomes compared to the project themselves keeping the money and then giving it to the researchers.
00:49:44
riproprip
Because, like, in that case, the platform that you're hunting on, like, it's not really involved in the judging anymore, right? They're just providing a platform where two parties can meet, and they're trying to be in the middle because that's where they get their money.
00:49:53
riptide
Thank you.
00:50:01
riproprip
But, like, they don't have to ensure a good judgment, right? And they also say they can't legally force a project to pay out for stuff that the project doesn't want to pay for.
00:50:14
riproprip
But then that's, like, completely different experiences for hunters. And I think this latest "POC not needed anymore" was largely related to some of their latest boosts being, like, too much fighting in the comments, and they, like, either weren't enabled or didn't feel responsible enough to step in and say, no, no, no, I'm, like, the trusted third party here. I decide if this is a critical or if it's not.
00:50:46
riproprip
And, like, when I made the judgment call, like, the project paid out. But, like, one of your previous guests is still fighting in the Discord just for the project to respond to him.
00:51:00
riproprip
So it's wild.
00:51:02
riptide
Oh, my God. I get your point. I think the point of the POC initially was because, I don't know if you've judged, I've judged one contest, and there's just so many submissions, and that was before LLMs.
00:51:20
riproprip
yeah
00:51:20
riptide
So now, my God, I mean, if you don't even need a POC, you could throw anything into any LLM and it's going to give you what looks to be a legit kind of gripe.
00:51:29
riptide
So you really have to go through and filter all of those. You know, they look legit. So that would take just so much time to screen through everything. So I don't know how well thought out that is.
00:51:41
riproprip
I think I would go the other way.
00:51:41
riptide
I like the idea of posting up.
00:51:45
riproprip
I would, like, go completely the other way. I, as a platform, provide, like, a framework against which you can fire transactions. Let's say, like, it's an EVM-based project. You can just sign transactions.
00:51:45
riptide
Which way?
00:51:59
riproprip
We execute them. And if, like, you can move funds, then it's a crit. And all the hunters can provide, like, a single transaction.
00:52:09
riptide
Mm-hmm.
00:52:10
riproprip
Done. Like, and either you have moved the funds or you haven't. Like, we don't need to talk about it if you have. And we don't need to talk about it if you didn't. Either there's a way for you to steal the funds or there's not.
00:52:22
riproprip
I don't think that, like, talking about it much, like, changes anything. Like, especially if you take into consideration all the points you raised earlier with LLMs. So there might be a response that sounds very logical, but unless you ran the code, you don't know if there's a bug or not.
00:52:41
riptide
That would apply in some scenarios. But all right, so I'll give you an example. I'm doing a contest for once, and it's not something I do.
00:52:49
riproprip
Which one?
00:52:51
riptide
I'm on, what is it, EigenLayer on Cantina. And so I'm, yeah, yeah, big number.
00:52:56
riproprip
What is it, 2.5 million? Yeah.
00:53:00
riptide
And, well, you know, I want
00:53:01
riproprip
Isn't it awesome that they're putting up this kind of money?
00:53:04
riptide
I wanted to look at it because I'd looked at EigenLayer before and was okay, so I'm going to check it out.
00:53:07
riproprip
Okay.
00:53:09
riptide
And so I found a couple of findings and I submitted them. I found three, right, so far. And one was invalid. I missed something. Okay, cool. Second one is I found one and then the guy says, hey, this is expected behavior.
00:53:25
riptide
And he points me to one of the markdown files on the contract. And I read through, I'm like, wait a minute, this, you know, it's still, I can invalidate these invariants that are posted on this other file that you gave. So I'm like, the invariants would feed into formal verification.
00:53:44
riptide
So wouldn't, you know, it's like code comments really don't mean shit, but if you're giving us invariants to validate, invalidate, like, that holds weight. That's the source of truth, not this.
00:53:57
riproprip
Yes, otherwise what's the point of giving them to...
00:53:57
riptide
And so now, right. So now what am I doing? So I'm having this back and forth. I don't know how this gets resolved. But in my mind, every finding, you should put a bond up. You should have to put some bond up.
00:54:09
riptide
I don't care what it is. 25 bucks, 10 bucks, something.
00:54:10
riproprip
Who burns the bond? Who's able to burn the bond?
00:54:13
riptide
I don't... fuck, whatever, I don't know. Figure it out. But there has to be some sort of, like, limiting factor rather than just anyone can submit everything. There should be just something. Just put anything up so you've got some skin in the game.
00:54:26
riproprip
Yeah, it makes sense. But I feel like the party in the middle is responsible for this. They have to be, like, they should be able to burn the bond or, like, enforce the behavior.
00:54:38
riproprip
Otherwise, like, it's too close to an audit, right? So a contest shouldn't fill the gap of an audit. Like, in order... the project can also, like, give feedback, like, essentially, like,
00:54:54
riproprip
If push comes to shove, they could also say we never ordered this audit, right? So they can also, like, disavow the report. And, like, back when I was hunting on Code4rena, I liked that the judging was, like, they were putting themselves in the middle and they were saying, this is a bug, this isn't, done.
00:55:13
riptide
Yeah, the judges, right?
00:55:14
riproprip
Maybe that's the good old days. I'm not sure. I haven't been hunting on there for a while, but, like, back then that felt kind of easier. Because I knew whenever I found a bug, I could just submit it.
00:55:26
riptide
Yeah. Well, imagine this, right? Imagine this EigenLayer thing, right? Where they have some structure of, okay, it's two and a half mil, but it only gets unlocked if there's a high or something like that. So imagine these guys, they're like, hey, look how much money we're kicking out the door if we confirm one high bug.
00:55:46
riptide
Like, imagine that pressure on the team. Yeah, we committed to it, but really it's kind of just to bring guys in, like Euler, Euler.
00:55:52
riproprip
Yeah, sure, sure, kick the hunters.
00:55:53
riptide
And, you know, no one wants to pay shit out, competition or not. They don't want to pay it out. Money's money.
00:56:04
riproprip
Like, for me, like, there's a complete value chain and, well, this could be ranty. If we go onto this tangent, like, this will be ranty, but I don't care. So I think there are people, like, a bunch of people having a bunch of incentives, and one of the few aligned people in the whole ecosystem is the bug bounty hunter. If I go to a project and say, this is a bug, and somebody else, like, says, this is really a bug, you didn't lie.
00:56:31
riproprip
They should pay out. And, like, I also don't like the ceiling, like, 10% of TVL up to a maximum of blah. That doesn't really make sense to me. Like, because if the black hat would have, like, found this, they would also be offering the 10% without an upper limit.
00:56:47
riproprip
And, like, to me,
00:56:49
riptide
Mm-hmm.
00:56:50
riproprip
Uh, like, trying to, like, put myself into the... I'm not sure. If you, like, zoom out and see this from an ecosystem perspective, you can't reward one set of actors, like, more than another, and that doesn't make sense, right? And the bug bounty hunters are the only ones who actually, like, whenever they have a piece of info and it's valid, like, that's actually valuable, right?
00:57:19
riproprip
So it's not like, um, you pay for an audit and you don't know how many findings you get back. You don't know if you caught all of them. But when a bug bounty hunter gives you a crit, you know your project would have died.
00:57:32
riproprip
And I think that should be rewarded.
00:57:33
riptide
Mm-hmm.
00:57:34
riproprip
And if you don't, like, find a way to do that as an ecosystem, if you don't reward the only really aligned, like, potentially bad parties, that's going to bite you in the ass later on.
00:57:49
riptide
Yeah, yeah, I agree. And it's such a hard thing for a protocol to stomach when it happens, because you're the protocol. You have 100 mil TVL. That's not yours. That's people's, your users' funds that they've deposited with you.
00:58:04
riptide
Okay, it all gets drained. And now you're begging the black hat and you're just going to offer, okay, hey, yeah, we'll basically make an agreement without the users' permission to say, yeah, keep 10%, give us the rest back, because we don't have any options.
00:58:19
riptide
But then if I come to you and say, hey, look, I have an exploit, you're like, well, all we can offer is this. I mean, I get it. I totally get it. But I also get your point.
00:58:30
riproprip
Yeah, so from my perspective, there might be some things that we can do to change the incentives in the ecosystem, right? So if you imagine there would be, like, a meta protocol where whenever you LP into whatever, you could also say, I'm willing to pay 10% to an honest bug bounty hunter.
00:58:47
riproprip
And kind of, like, have this meta protocol at the gate. So whenever somebody wants to withdraw, it has to go through this. And they could basically, like, ensure that I, as an honest bug bounty hunter, I hacked the contract, I transfer all the funds to the meta protocol, and then withdrawing could, like, the people who pre-committed themselves to withdraw, like, 10% less, they could get their funds and the other stuff. I'm not sure if they should be burned. I'm not, that would certainly not be legal.
00:59:26
riproprip
But I would like to have kind of the signaling function where people would say, I supply my money and I care about security so and so much. And I think if you do that long enough, like, you can as an LP decide: do I want to join other people who are never going to pay out honest actors?
00:59:45
riproprip
And, like, if you join that pool, you open yourself up to the bigger likelihood of black hats, like, exploiting you. Because white hats are not going to look at your code, because why would they? Just, let's say, 5% of the other LPs said I'm willing to put up 10%.
01:00:09
riproprip
So, like, there's no incentive for a white hat to look at it. And this way, maybe we could make things more transparent. I think we can let markets decide this.
01:00:20
riproprip
Does it make sense?
01:00:21
riptide
I like that idea. Have you heard of Nexus Mutual?
01:00:26
riproprip
Insurance protocol, right?
01:00:28
riptide
Yeah.
01:00:31
riproprip
Did it work?
01:00:32
riptide
They're still around and people still use them. I thought it blew up toward the DeFi summer days and then went away, but it's still there. People still use it. And I was just thinking, all right, so in meatspace, right?
01:00:47
riptide
You have, at least in the US of A, you have a bank that has its deposits insured by the federal government. And so the user, they don't care about Bank A, Bank B, C. It's all the same because they're all chartered and insured.
01:01:04
riptide
They don't care about losses up to whatever X amount of insurance.
01:01:09
riproprip
Yeah, and you guys should figure out what the X amount of insurance is.
01:01:09
riptide
But in the... in
01:01:11
riproprip
Otherwise, like Silicon Valley Bank happens, right?
01:01:15
riptide
Yeah, I mean, 90% of depositors don't care because their deposits are under whatever the limit is, 250 or whatever it is nowadays.
01:01:22
riproprip
Not our listeners in the future.
01:01:23
riptide
But
01:01:26
riptide
But I say that in DeFi, we have this different... and I don't think that incentive structure is good, because I don't think the government should back... that's a different conversation. Anyway, in DeFi, we say, all right, we're going to go to Aave, and you have a position there.
01:01:35
riproprip
Yeah.
01:01:41
riptide
And I think you can buy Nexus Mutual coverage against that protocol being hacked. So you take out your own personal coverage for it, but it's not like protocols are out there buying Nexus Mutual insurance for their protocols so the users don't have to.
01:01:59
riptide
I think that was their intention, but I don't think that's been a big driver of usage in the DeFi insurance space.
01:02:09
riproprip
Yeah, so here's a startup idea I'm going to give away to somebody who actually wants to do this, because I talked to a bunch of people in the industry and I couldn't be bothered to actually implement it.
01:02:19
riproprip
But once you have done audits or a contest, there should be something that auditors can put up as a bond.
01:02:22
riptide
Yeah, I agree.
01:02:32
riproprip
Like basically saying, I'm this percent sure
01:02:35
riptide
Yeah.
01:02:36
riproprip
that this protocol is safe.
01:02:37
riptide
I agree.
01:02:39
riproprip
And afterwards, users could look at the pricing and say, wow, 99% of people who looked at this code are pretty sure there's not gonna be a bug in this. And they could buy the counter position, they would have insurance, they would actually be informed by the actors of the system. And we could actually also see, like, do users actually care about buying insurance? Because, like, in my mind, that's still an open point.
01:03:07
riproprip
Like, do they just care about the casino or do they actually care about protecting their funds? And, like, both views are completely okay. I'd just like to make them open and transparent, and then you can create markets around those and everybody can profit. So if I care about the security, the insurance is going to be cheaper for me. So we have an automatically adjusting price point for people. Like if I supply value into a project,
01:03:38
riproprip
where 99% of the auditors are saying there's no bug and none of the other LPs cares about buying the insurance, it's going to be infinitely cheaper for me to buy the insurance. And on the other hand, if there are a bunch of LPs and they all want to buy insurance and there's just 99%, maybe it makes sense to get some more views on this. So it's like 99.9% of auditors said this is fine.
01:04:02
riproprip
And I think there's a market in there, and I think we could use those concepts to let markets adjust the safety of the ecosystem.
01:04:16
riptide
You know, I've heard this idea, at least a piece of it, before. I don't know if someone tried to build it, but I think it's a great idea. Definitely. We just need somebody to go build it. It's not going to be me.
01:04:26
riproprip
Yeah, yeah, possibly me neither.
01:04:31
riptide
Somebody get out there. There's some money to be made.
01:04:33
riproprip
Yeah, I wish I will with names, because I also talked with two guys who were doing this before and nobody really cared much. I was so tired talking to a VC.
01:04:43
riproprip
He was saying he would like to launch this with projects, but also it's not obvious to me that spending my time on this is preferable to just hunting or doing all the other stuff I like in life.
01:05:00
riptide
It doesn't sound as fun.
01:05:03
riptide
Yeah. Yeah, leave it to someone else.
01:05:06
riproprip
Yeah, so there's a project idea for you if you're young and hungry. I think from a game theory perspective, it sounds to me like using markets to adjust all things should be valuable. To me, this is the stuff the Ethereum Foundation should actually be thinking about.
01:05:26
riptide
Yeah. Yeah. Agreed. At least they have a Twitter account now.
01:05:34
riptide
All right, Mr. Ripro Prip. I'm going to wrap it up. Thank you for coming on. I appreciate it. And we will see you all on the blockchain.
01:05:41
riproprip
Yeah.