Introduction and Background
00:00:07
riptide
Welcome back. We are with Mr. Zigtur. Is that how I pronounce it?
00:00:17
riptide
What does this handle even mean?
00:00:20
Zigtur
Bro, I don't even know. It just came out of my mind when I had not even started. It was even before I did any security on blockchain. So I don't know. It just sounds good.
00:00:36
riptide
It makes no sense, but fine. I love it. So Mr. Zigtur here has got quite a background. If you just pull up his Cantina profile, and I'm going to put these links in the podcast, you have some impressive accolades here.
00:00:59
riptide
I've got to say, man, I'm very impressed. You are a king of Rust, Go, and Solidity. And I looked at some of your side projects here, just humble side projects.
00:01:12
riptide
I'm trying to guess what your background is, but it's so hard to tell. It's got to be some sort of... you love math. How much math do you love?
00:01:25
riptide
What's your favorite math book? There has to be something there, because I'm looking at these side projects like, oh, just fooling around with some BLS signatures here. And the whole write-up and all this stuff doesn't interest a normal person.
00:01:38
riptide
So tell me kind of where you're coming from.
00:01:42
Zigtur
So, yeah, I'm still pretty young. I finished my studies about a year and a half ago, and it was just general cybersecurity studies.
Discovering Blockchain and Cryptography
00:01:58
Zigtur
In the studies there was some math, and I really hated it. It was fucking boring. We were studying elliptic curves, but really focused on the math part, and I just did not like it. I had pretty good results, but it was not for me. And then I was surprised when I joined the blockchain side and just
00:02:27
Zigtur
really loved the math, at least the elliptic curve math that was behind it. But yeah, just one year before that, I was hating it. So I think it's more that I was aware of how it is used.
00:02:45
Zigtur
And so it was a more practical approach, and I enjoyed it. And yeah, besides that, I'm just a monkey. I like to learn anything. So I'm learning Golang while I'm auditing Rust, while I'm auditing Solidity. I don't want to focus on one thing. Yeah, that's it. I just learn.
00:03:15
riptide
That seems like a common thing among us intellectually curious. And I mean, God, man, in this field I get older and older with every person I talk to. Jesus Christ.
00:03:30
riptide
That's awesome. Let me ask you this: your accent, is that French?
00:03:36
riptide
So why didn't you become a DeFi founder? Because that's usually mandatory if you're French.
00:03:43
riptide
A DeFi founder. All the guys in DeFi... It's a joke, but they're mostly French. There's a lot of French in crypto.
00:03:52
Zigtur
Oh yeah, there are a lot.
00:03:53
riptide
Yeah. And I don't think I've run into a security researcher yet who's French. So this is a new one.
00:04:01
Zigtur
Oh, don't you know Sergic? He's a really great one.
00:04:05
riptide
Really? I haven't spoken to him yet. I know his name, but I haven't spoken to him yet. Another Frenchie. You're invading.
00:04:12
Zigtur
Yeah. There are some French in the place. We were a big team in Bangkok. It was
Learning and Competing in Blockchain
00:04:21
riptide
And were you doing a hackathon?
00:04:24
Zigtur
We did not. We were just there for the DSS. Were you in Bangkok?
00:04:31
riptide
I was there, but I missed the first part of the DSS.
00:04:36
Zigtur
Okay, then I think we didn't meet there. Yeah, I'm pretty sure. But yeah, that was a really nice event.
00:04:46
riptide
And so what made you kick off on this? Did you see these bounty numbers and say, hey, I'm going to jump into Web3 security? Were you in crypto in high school? I mean, how did you get into this?
00:05:00
Zigtur
Well, I was interested in crypto in 2021 or something like that. And for some reason, I started on smart contracts, but only for a week, and then stopped everything for about a year.
00:05:20
Zigtur
But I was still interested in it. And in my studies, there was a project that we had to do. So I took some friends and told them, hey, why don't we study blockchain?
00:05:35
Zigtur
And a good way to do it is to use a post-quantum cryptographic algorithm, because NIST published in 2022 their results about three signature algorithms that are supposed to be unbreakable by quantum computers.
00:06:00
Zigtur
And so we just took one of these algorithms and implemented it inside of a blockchain. As the blockchain, we took NEAR. The NEAR blockchain is based on Rust.
00:06:13
Zigtur
And the main argument for why we took it is because we wanted to learn Rust. And yeah, that was it. That was a really good project. And I was like, okay, I want to do blockchain now.
00:06:30
Zigtur
This is for sure. So after this project, I just studied smart contracts with RareSkills as a student. I took the Solidity course.
00:06:40
riptide
They're very good.
00:06:41
riptide
Yeah, I like them.
00:06:43
Zigtur
But at the time, they were just starting the company, and it was a bet for me to learn with them because they did not have the reputation that they have now.
00:06:57
Zigtur
And yeah, I did it. So it was pretty nice. And after that, I just went all in on Cantina. Like, both times: RareSkills started their company and I was looking for a course.
00:07:13
Zigtur
So we grew up together, and it's basically the same with Cantina. They were just starting competitions and I was too. So yeah, that's it.
00:07:23
riptide
Yeah. And why did you go with competitions instead of doing bug hunting?
00:07:34
Zigtur
Well, that's a good one. So at first I was in a company, but I had just finished my studies.
00:07:48
Zigtur
At least in France, you are pretty locked to the junior level, no matter what you do. Even if you are the best in the company, you will be...
00:08:00
Zigtur
junior for at least a year and a half. And yeah, it was not for me. So I started competitions on the side because of Sherlock and Code4rena. They
Strategies for Success in Competitions
00:08:13
Zigtur
were just famous at that time.
00:08:16
Zigtur
And Cantina started. So I took competitions on Cantina. But I have to say that I did not even think about bug hunting on Immunefi or live projects.
00:08:35
riptide
I mean, it sounds like you were motivated pretty much by the technicality of it, just the complexity, and it's just very interesting, I think. Is that really what drives you towards digging into this? It could be contests or, I mean, you wrote a whole... I don't want to say a whole. Is it a whole ZK book or just a portion of it for RareSkills?
00:09:06
Zigtur
Oh no, I just participated as a student. I did not write it.
00:09:10
riptide
Oh, okay. I misunderstood. I was looking at your Cantina page. You have everything listed on there.
00:09:17
Zigtur
Oh yeah, maybe it's confusing.
00:09:18
riptide
Yeah. Okay. But what motivates you? Obviously the money's good, but is it more just curiosity? You like to challenge yourself to see what other guys can't find, or is it just finding the bugs? Like, that's really cool for you. Or what would you say it was?
00:09:37
Zigtur
I think that competitions are better for learning in a quick way than bug hunting. So maybe now that I have a pretty good level in auditing, I could go into bug hunting.
00:09:55
Zigtur
But yeah, I think at first competitions are really good to just improve yourself, and you really know how you perform, while in bug hunting, it's pretty hard to know.
00:10:08
Zigtur
There is not a quick feedback loop. So yeah, I think it's one of the main reasons why I love competitions.
00:10:22
Zigtur
It's because you can learn really efficiently and in a quick way.
00:10:26
riptide
And what's the longest you'd say you spent on one competition?
00:10:31
Zigtur
I think it's in weeks, something like two or three weeks maximum.
00:10:43
Zigtur
So yeah, if I take the whole history of the contests that I did, there are a lot. I did not have good results in all of them, for sure, but...
00:10:58
Zigtur
Yeah, as I said, I'm just a monkey and I love to learn. So sometimes I just stop one project to go to another, and then come back because the other was not good. And yeah, maybe I would be more efficient if I was really focusing on one project at a time, but it's no fun to me.
00:11:21
Zigtur
So yeah, I think it's, yeah.
00:11:22
riptide
I think we all do this. Yeah, we all just jump around quite a bit. And I love your avatar. That's why I initially looked at you. It was like this fucking deformed Spider-Man who looks retarded.
00:11:37
riptide
I love this thing.
00:11:38
Zigtur
Yeah, it matches the name. The name looks retarded. The profile picture also...
00:11:45
riptide
It's so fucking stupid. I love it, man. No, but I'm looking at this Berachain one, and obviously the competition that I did, I sucked really hard.
00:11:57
riptide
It's just hard for me to, I guess, lock in. Say I'm trying to do a competition. I'll pull the code base. I'll see a Cantina competition and I just pull up the GitHub.
00:12:12
riptide
And I skim through it and I'm just like, okay, does this look interesting enough that I could spend two weeks on it, or whatever the normal timeline is? And then I'm like, maybe I'll start looking at it.
00:12:24
riptide
And then I'll get so distracted. As soon as I hit the block explorer, I get distracted with something else, and then I'm like, oh shit, there could be a bug in this contract that I just pulled up somewhere else.
00:12:39
riptide
And I swear it's like a magnet and it just pulls me away. So how do you stay focused? I'm going to talk about this Berachain one because you dominated.
00:12:50
riptide
You beat... what's his name? Christoph, who was, I think, the first Cantina Fellowship guy, and he got a bunch of publicity, and you just dominated, man.
00:13:01
riptide
You had five high-risk, he had one, and Haxatron had three. So, how many weeks was that? Is this Go, or is this Solidity?
00:13:13
Zigtur
Yeah, it was Golang. Basically, it was just a Cosmos SDK chain, but only for the consensus part, and on the execution client part they are using the EVM, the classic EVM clients like Go Ethereum or Reth or anything else.
00:13:35
Zigtur
And that was not the first time that I saw a code base like this, because back in November there was Omni. It was a 1 million competition, and they were doing pretty much the same thing, interfacing from Cosmos SDK. So the Cosmos SDK blocks are sort of the consensus blocks that are used in Ethereum, if we can make the parallel.
00:14:03
Zigtur
And yeah, I started to really understand how Cosmos SDK and the CometBFT consensus protocol work.
00:14:19
Zigtur
So yeah, I was just able to find bugs. And the funny thing about this competition is that I did Omni also and got a pretty good result, if I remember.
00:14:34
Zigtur
But I found some bugs in Omni that were also in Berachain, and I did not report them in Berachain because I just forgot.
Understanding and Engaging with Complex Code
00:14:51
riptide
So you would have had more than five highs had you dropped some Omni ones in there as well.
00:14:57
Zigtur
Yeah, I did not find a single medium, but I found exactly the same issue in Omni before. So I would have had maybe one or two mediums at least.
00:15:09
Zigtur
But yeah, that...
00:15:13
riptide
And what was your level of Go understanding before you went into this?
00:15:17
riptide
Since you did Omni before, you were pretty competent, I'd assume.
00:15:18
Zigtur
Yeah, yeah. I mean, Go is pretty simple to learn.
00:15:31
Zigtur
The first time I really focused on Go, it was for another competition named Babylon. It was for BTC staking on the BTC chain.
00:15:43
riptide
Oh, that's right. I looked at that. Yeah.
00:15:45
riptide
Are they holding a billion or probably more like 5 billion TVL?
00:15:50
Zigtur
Today, yeah, yeah, it's crazy.
00:15:51
riptide
Yeah, it's crazy.
00:15:54
Zigtur
And yeah, I mean, as I have the understanding of cybersecurity in general, like I know how the internet works, I know how a server works, how an operating system works. And when you have all this knowledge and you know one next-generation language such as Rust,
00:16:23
Zigtur
then Go is pretty much the same thing. The syntax is different, that's for sure, but there are some concepts that are pretty similar. So I was not lost with Go from day one. So yeah.
00:16:39
Zigtur
And I don't think that I'm finding issues related directly to the language, but more about how things are implemented. You also need a lot of knowledge of how Cosmos SDK works, not of how Golang works, I think.
00:17:02
riptide
Are there some common kinds of bugs or patterns that you look for when you look at Go projects?
00:17:10
Zigtur
On Cosmos SDK particularly, you mean? Or on Golang in general?
00:17:19
riptide
I'd say in general, and then I guess Cosmos would be a whole separate kind of system that Go would be used in. So you'd have your own unique bugs there as well. But I'm sure there's... I haven't even looked at Go.
00:17:34
riptide
I'm sorry. I don't know if you can overflow an integer. I haven't looked at any of that kind of stuff. So what do you think? Let's see, maybe we can focus on something relevant, because I see a lot of Cosmos SDK-based projects out there. So maybe you can highlight certain areas for people to look at if they see one of these projects.
00:18:01
Zigtur
Yeah. So most of the time, Cosmos SDK code bases are using the CometBFT consensus protocol.
00:18:14
Zigtur
And it's pretty simple how it works. You have, let's say, three steps. The first step is named PrepareProposal, and it will just select one validator from all the validators in the network.
00:18:36
Zigtur
And it will ask him to generate a proposal. Most of the time, it's a block. And then in the second step, this proposal that has been created by the selected validator is verified by all the other validators.
00:18:57
Zigtur
This is the ProcessProposal step. And so at this point, every validator in the network will validate this block.
00:19:07
Zigtur
So if there is one missing check or something is done wrong here, you are pretty sure that it will be a critical issue.
00:19:19
Zigtur
And the final step: once every validator in the network has validated it, they will finalize the block.
00:19:30
Zigtur
And in this part, you will find... This is how you find a discrepancy. If something is not checked in ProcessProposal, but...
00:19:42
Zigtur
there is a new check in FinalizeBlock, you may find something that can crash the chain, or things like that. So a pretty critical issue. And that's what I did for Berachain.
00:19:59
Zigtur
I really focused on the ProcessProposal part.
00:20:04
riptide
Okay. I have to give this a look sometime, because I see this more and more. I think Berachain was the most recent one. And sometimes those are intimidating when you see either a bounty or a contest for these, because what happens is these teams will build these products over six months, a year, more than a year, and they've put all this time and thought into them.
00:20:28
riptide
And the design is complex. And then suddenly it's posted. It's like, hey, look, go find bugs in there. And it's easy to look at it and say, well, okay, let me just quickly jump in. But it could take you a full day to wrap your head around it and say, okay, wait a minute.
00:20:45
riptide
Look at all these moving pieces. How does this actually work? And then just getting your testing environment set up sometimes as well: if you're forking a chain here, running Anvil over there, you have some agent you have to run.
00:20:58
riptide
Yeah. And from my point of view, more complexity is better, obviously, because there are more possible bugs that could arise, something that someone's missed.
00:21:09
riptide
But when you see those kinds of things, like a complex contest, how do you approach it? Do you have any sort of methodology that you could share? Or do you just try to understand it the best you can, and then go after it line by line? What do you do?
00:21:27
Zigtur
Yeah. So I like to do drawings, and I do drawings that help me navigate the code base.
00:21:38
Zigtur
That's an important point of my review methodology. And these drawings allow me to... So basically, when I was talking about Cosmos SDK and the three steps, I really had a drawing with these three steps and all the function call graph.
00:22:04
Zigtur
And I could just navigate it and understand which step is calling which part of the code. And so, yeah, you really have to understand how it works.
00:22:21
Zigtur
And if I can't explain it to my mother, I don't understand the code base.
00:22:32
Zigtur
And yeah, I mean, she doesn't care.
00:22:42
Zigtur
Yeah, that's it. I need to have this knowledge of, OK, I know how it works now.
Balancing Private Audits and Competitions
00:22:51
Zigtur
And now that I know it, I can find bugs.
00:22:56
riptide
So you come up from the basement and your mom pours you some Frosted Flakes. Actually, French. She gives you a croissant. And then you're telling her, hey, mom, listen. All right. So I'm diving into this Cosmos SDK.
00:23:10
Zigtur
No, no, I don't talk to her about it, but let's say to a friend, a friend that is a bit technical. If I can explain it to him and he has questions that are relevant,
00:23:22
Zigtur
and if I'm not able to answer directly, then I don't know the code base enough.
00:23:29
riptide
Mm hmm. No, that's a classic test. If you can explain something perfectly, then you know your shit. But if you can't explain it, you don't know it as well as you think you know it.
00:23:45
riptide
Yeah, I think I do that with my kids and no one listens,
00:23:52
riptide
which is why I go to crypto conferences, and even talking about things on the podcast is good, because not many people really have any clue what me and you are talking about, especially not our moms, at least not mine.
00:24:08
riptide
Maybe French moms are built different.
00:24:10
Zigtur
No, I don't think so.
00:24:14
riptide
That's cool, man. So now you're locked in. I don't know, how does the deal work with Cantina? They signed you up like you're on a salaried role and then you only do contests with them?
00:24:28
Zigtur
Yeah, I have an exclusivity contract, but just by looking at the current market of security competitions, I think it's the right call to engage.
00:24:46
Zigtur
It was the right call to engage with Cantina because they are crushing it, literally.
00:24:54
Zigtur
I don't even know how many competitions there were. Six-figure competitions in 2024, it was like six or seven competitions. So, yeah, I'm definitely overbooked with them. So I don't need to...
00:25:16
Zigtur
to go to Sherlock or Code4rena or anything else. And yeah, I have some bonus that comes in when I get good results in competitions.
00:25:27
riptide
And then also, a company can book an audit with you through Cantina.
00:25:36
riptide
Is that how that works? Okay.
00:25:38
Zigtur
And also, as Cantina is also Spearbit, I have deals coming in from Spearbit.
00:25:45
riptide
Yeah, I don't know. I remember talking to Dead Roses. He was saying his goal was to make a mill last year, and he hit that goal.
00:25:55
riptide
And he did. I think he broke it down like 250 from Spearbit. And then, I don't know, maybe the rest was competitions or something. He was going crazy as well.
00:26:07
riptide
Yeah, it's insane. And I think he's around your age, which is also very cool.
00:26:15
Zigtur
Yeah. He's pretty young. I met him in Bangkok, and yeah, making one million a year is crazy.
00:26:27
riptide
I mean, at 13 years old, you know, what a beast.
00:26:31
riptide
Guy's an animal. But I'm looking at... have you been to thedailywarden.com?
00:26:39
riptide
Shout out to Alex, the entrepreneur who I met in Bangkok. He's an Italian guy who's all over the place, but he set up this cool website. And just right here, I see three going on with Cantina right now: a hundred grand, two mill with the Ethereum Foundation, which is great to see,
00:26:58
riptide
and then another for 60K. So that beats, I think, every other platform up here right now, as far as dollar figure.
00:27:08
Zigtur
Yeah. And if you look back just in January, there was Berachain, which was a private competition that you can access only if you are a fellow or in Spearbit.
00:27:22
Zigtur
So there was Berachain. There was the Ronin blockchain. So it was a
00:27:35
Zigtur
500k competition that was private also. There was Tori, that was a 1 million competition. So yeah, it was more than 2 million in January also. So it's crazy how they evolved.
00:27:50
riptide
And what do you feel about the competition?
00:27:53
Zigtur
What do you mean? Like competition with others?
00:27:55
riptide
That's how high up you are. You're just like, what do you mean, competition? I don't see anybody else.
00:28:01
riptide
No, I mean, when you go and say, all right, this just launched. I'm looking at the Ethereum one coming up, which actually started a few days ago. That one is a big number, 2 million, and you know everybody's going to be on that.
00:28:19
riptide
So how do you feel going into that? Is that intimidating for you, or do you just look at it like anything else? Or do you think this is going to be incredibly
AI's Role in Auditing
00:28:26
riptide
complex? You know, what's your view when you see something like that? And do you even have time to pursue something like that? Or are you totally packed?
00:28:40
riptide
How does it kind of work for you?
00:28:42
Zigtur
Yeah, these days I have a problem. I need to choose between private audits and competitions like this. This one is crazy, so I try to book some time to do it.
00:28:57
Zigtur
But yeah, I know that a lot of people are going to participate in it. But I don't really care, if I can learn a ton in this project. And especially on the consensus part,
00:29:13
Zigtur
because I know how the execution layer works, but I never studied the consensus layer, all the engines that are available.
00:29:27
Zigtur
I don't know how they work, so I need to study that and... I think I will just focus on this part. And if I get a good result, then that's good.
00:29:40
Zigtur
If I don't, then I would have learned a ton. So that's the main point at the end.
00:29:47
riptide
Yeah, I agree. I can't think of a cooler thing to do than this competition, to be honest. Just looking through the write-up right now, it just looks so interesting.
00:29:59
riptide
If you're intellectually curious, and like you said, if you don't understand the consensus layer, well, look, what a great way to incentivize you to try to understand it and break it.
00:30:11
Zigtur
Exactly. And I mean, the code base is so huge that even if you find a bug that is not part of the competition... because in the competition, only the changes that are made for the Pectra upgrade are in scope.
00:30:32
Zigtur
And if you find a bug that is not in the scope, then you have to report it through the Ethereum bug bounty platform.
00:30:43
Zigtur
So you still have an incentive to do so.
00:30:47
riptide
That's true. Yeah. What do you say about using... right, I'm thinking about, I don't know if they use it with Cantina, but with Code4rena, they had that guy LightChaser who came up with that bot that found all these low issues and everything.
00:31:05
riptide
Do they do that with Cantina as well?
00:31:07
Zigtur
Yeah, LightChaser is also using his bot on Cantina.
00:31:12
riptide
Which is pretty cool. I like that thing. And I don't know the mechanics of it, but I know he can just add in a little logic for different patterns. I don't know how complex it gets. I think it's just simple things, high-level bugs.
00:31:27
riptide
But with the introduction of... because he made that before LLMs came out. So if you combine that with LLMs, and they're getting better and better, like, look at Cursor. I don't know if you've played with that as well.
00:31:42
riptide
How long do you think until these are a threat, where somebody's not going to be public about it either? They're going to be on the board and they're just going to dominate, and they're not going to say who they are or why they're dominating.
00:31:57
riptide
Yeah. But what do you think about that, the threat of machines taking over and dominating these competitions, for better or worse?
00:32:09
Zigtur
I mean, I think that if at some point an LLM is able to do what I'm doing today, we would be so far along in humanity that nobody would work. I mean, we are in a field that is so technically complex, especially on code bases.
00:32:37
Zigtur
Sometimes you need context information and it's pretty hard to understand everything.
00:32:43
Zigtur
Yeah, if an AI can do it, I mean, there are not a lot of jobs in the world that it can't do. So yeah, I'm not afraid of that, to be honest.
00:32:59
riptide
I feel like it should be able to do it already. But maybe I'm just looking too far.
00:33:06
riptide
Obviously, I haven't found where it's been able to do it. And I don't think anyone else has yet. Maybe very limited things, like I said, LightChaser-type stuff, high-level bugs. Yeah.
00:33:17
riptide
But anything beyond that... because I was playing with Cursor. I'm actually trying to develop this little project on the side, so I was using Cursor and LLMs, and even then it still messes up. And it's like, well, everyone keeps talking about how good it is, and it is good, but not for this kind of task yet.
00:33:46
Zigtur
I don't really know. I think I do not master the LLMs enough, but...
00:33:53
Zigtur
Yeah. As we are working directly on code, and AI is code, maybe it will be the first thing that will be improved,
00:34:06
Zigtur
because developers don't want to code anymore, which is okay. But yeah, auditing is pretty different. And to be honest, I don't know if we are going to be replaced.
00:34:22
Zigtur
But it's possible, yeah.
00:34:24
riptide
I don't think we will, at least for a long time, because my theory is that the more devs that use this stuff, the machines make mistakes, and then the devs get complacent and they deploy it out there, and then the humans find the bugs that...
00:34:41
riptide
the first humans missed because of complacency,
Commitment to Blockchain Security
00:34:46
riptide
because the LLMs, all that stuff, man, they'll make some code that works, but they fuck it up a lot too.
00:34:51
riptide
So to trust them with your security... we're just not there yet.
00:34:58
riptide
Yeah, it'll happen though, man, at some point. But I think you're right. I think we have a long runway here.
00:35:07
Zigtur
Yeah, I think writing code and really deeply understanding everything, because that's what we do, are pretty different.
00:35:20
Zigtur
And yeah, I think we have time to just make money on competitions and bug hunting.
00:35:33
riptide
So this is your career now, right? You're done with school and you're all in on bug hunting. You have this great gig with Cantina. This is your career, at least for the next five years. You see this is what you're doing full time.
00:35:49
Zigtur
Yeah, at least for now. Maybe in a year I will be bored or something like that. But for now, I feel that I can still improve and I can still learn. But if at some point I don't learn anything new and don't miss any bug, but that would be crazy.
00:36:15
Zigtur
I may get bored. But yeah, not for now.
00:36:21
riptide
How do we get you to start looking for some bounties?
00:36:25
Zigtur
Yeah, I tried once, but... It was not like in competitions, where you know that you have an ending point and you can just focus on your code base.
00:36:43
Zigtur
And I don't know, with bug bounty I was like, okay, I can look at this code, but I need to really focus and allocate time for it. Yeah.
00:36:58
riptide
But it's the same as what you're doing now. It's just not time-boxed.
00:37:03
riptide
I mean, let's look at this Berachain thing, right?
00:37:06
riptide
If you hadn't competed, those bugs wouldn't have been found. And yet you would have had those two guys.
00:37:12
riptide
Okay. We found the top two. And then you could have said, hey, great, now's a great chance to show up my competitors here, or collaborators, whatever you call them, and go find a live bug that's out there in the system.
00:37:27
Zigtur
Yeah, that's true. Maybe I should allocate some time in the future to do it. Yeah.
00:37:33
riptide
Dude, if you're number one on these contests, I think that should give you enough confidence to say, hey, you know what? I bet I could find shit that no one else is looking at if I put the time into one of these projects.
00:37:46
riptide
I challenge you to go take the biggest bounty up. Go find the LayerZero bug that we can't find.
00:37:54
riptide
It's out there somewhere for someone.
00:37:58
Zigtur
Yeah. How many dollars is it for LayerZero? Like, 15 million.
00:38:07
riptide
In my view, I think there won't be a bug found that captures that full amount unless there's some sort of...
Ethereum's Pectra Upgrade and Challenges
00:38:21
riptide
You know, actually thinking about the code, because I was going to say unless they make a change to the code, but it's all immutable. Yeah, all I see is a private key leak or, you know, a malware attack.
00:38:36
Zigtur
Yeah, or I'm thinking, for example, a change in the Ethereum Virtual Machine that would break some assumptions from LayerZero. Especially, there is an EIP, EIP-7702.
00:38:47
riptide
Oh, yeah. And maybe you... Go ahead.
00:38:58
Zigtur
Did you see it, or do you know what it does?
00:39:00
riptide
Which one is that? Let's see.
00:39:02
Zigtur
So basically it's a new type of transaction that allows...
00:39:06
riptide
Oh, it's part of Pectra.
00:39:08
Zigtur
Yeah, I was working on it this morning.
00:39:13
riptide
No, tell us about it.
00:39:14
Zigtur
So basically it's a new transaction type that allows you to set code on externally owned accounts.
00:39:26
Zigtur
And... yeah, you can just delegate. It's called delegate. And so you can just put the bytecode of an existing smart contract and execute it inside of your externally owned account.
00:39:46
Zigtur
And we know that there are some protections sometimes, like we are checking that it's an EOA that is doing the call,
00:39:58
Zigtur
by checking that the origin of the transaction is the message sender. But now that EOAs are able to execute bytecode, there is a change in the VM and assumptions may be broken.
00:40:14
Zigtur
So yeah, I don't see how it can be applied to LayerZero, but maybe it will be for other projects.
00:40:27
riptide
So does this break the message sender, TX origin check?
00:40:35
Zigtur
Well, it does not, but if you take the assumption that your EOA can't execute code, this assumption is not true anymore. So yeah, maybe there will be bugs with that.
00:40:51
riptide
That's a good point. Yeah, that's something someone's not thinking about. Or with, yeah, Pectra, I have to look at this. This is gonna be pretty interesting. And the thing with this ecosystem is you can't track everything all at once. It's just fucking impossible.
00:41:10
riptide
I mean, I tried to, so I put aside DeFi for so long because I'm always looking at contracts. And then, like, just yesterday, and I tweeted this, I longed Ethereum for the first time and I got,
00:41:25
riptide
I got fucking blown out, and I was like, my God, this piece of shit. But I was using the DeFi ecosystem and it had been so long since I'd done anything. And now we have all these chains, bridges and this and that.
00:41:36
riptide
And it was incredibly complicated to be able to do certain things with the liquid staking: stake on mainnet, bridge a token over here, this, that, you know, wait 14 days to unstake, move these around, like doing Berachain things.
00:41:50
riptide
It's so fucking complicated. Which is great.
00:41:55
riptide
Like, you know, there's bugs, there's complexity. It's cool. But as a user, it's just, it sucks, man. It's as complex as you want it to be. But when you want to just do something or try something new out, you have to be a technician.
00:42:09
riptide
You can't be just an end user unless you have some, you know, walled garden that has, you know, made a pre-made pathway for you to take this from your bank account straight to, you know, the new project. But if you just are on blockchain X and you want to move it over here and do it all yourself, fuck, man. That's why I think, like, these AI agents, which I haven't played with, I wonder if they'll make it a lot easier for people to do it, or if the AI agents are going to be like, what the fuck, we can't figure
AI Agents and Blockchain Interaction
00:42:39
riptide
this shit out either.
00:42:44
Zigtur
Yeah, I know that there are some projects that are trying to like make everything smooth for users, but it has become so complex that it's, yeah, I think it's nearly impossible to make things easy.
00:43:00
riptide
It's incredible. Like I'll look at it, just like today, I was looking at a trace for a transaction. And this thing was pages and pages and pages and pages long.
00:43:11
riptide
And all these interactions, I'm like, my God, how this works is incredible. It's incredible. It all works. And, like, it's so cool, but trying to guide people to say, okay, this is what you got to do.
00:43:26
riptide
It's still, you know, we're still figuring this out. But thinking about AI agents, have you done anything with these yet?
00:43:35
Zigtur
With AI agents, not at all.
00:43:37
riptide
Yeah. Yeah. Like I'm hearing people say, oh, yeah, you could use it for, right, I want to, just anything I want to do, I type it into an LLM basically. Hey, take this capital. Go ahead and put it in this protocol's pool on this chain.
00:43:53
riptide
Let me know when it's done. And here's a signature for whatever. And then it just does everything for you.
00:44:02
riptide
And then you could also say, oh yeah, and then set a limit order and do this, you know, just all these steps, and it could be out there kind of, you know, a cron job on steroids, just monitoring everything and just acting on your behalf.
00:44:17
Zigtur
OK. Do you have, like, an example of these AI agents?
00:44:22
riptide
I don't, I don't, I've just been seeing it on X and that's, that's what people are pitching. And of course there's all these ideas out there and people are creating some products to do it, but I think that's it.
00:44:36
Zigtur
Yeah, I need to look at that. Seems really cool.
00:44:40
riptide
Yeah. Sounds cool. If it works, I mean, great, but fuck.
00:44:45
Zigtur
Yeah, it's always the problem. Like, if it works, it's cool. But
Tech Insights and Advice
00:44:50
Zigtur
sometimes it just does not work.
00:44:53
riptide
Oh, I have to drop. We need to drop our alpha drop. I'm sorry I didn't prepare you for this. Are you familiar with the alpha drop?
00:45:03
Zigtur
Like, I need to drop some alphas.
00:45:05
riptide
You better drop fucking alpha. Yeah. All right. I'll drop my first. We're doing the motherfucking alpha drop. Alpha drop for today is actually going to be quite simple.
00:45:16
riptide
Even though I have the master on here, Zigtur, who's mastering Go, Rust, and Solidity, I'm gonna drop some clear alpha that even retarded Spider-Man can still find bugs out there.
00:45:33
riptide
It's the simple keyword in Solidity called delete. And when you see delete, look very carefully, like everything, but delete can lead you to find some interesting bugs that the devs may not have thought of, because what delete does, it deletes an item in a mapping.
00:45:52
riptide
But it doesn't delete it, delete it. It just zeros it out. So that mapping item, that still exists. So if you wanna look in your history, anyone, you could look at the old Frax staking farms that have now been phased out.
00:46:08
riptide
They had a bug and they had this, where they would delete something in the stake. And it was called, the ID was called kek_id, K-E-K underscore ID. And you could make it zero.
00:46:23
riptide
And then, so basically you could do a stake with no lock. And there was another, you could add to a stake, but have zero lock. You can create a stake with zero lock, but it looks like it was locked.
00:46:36
riptide
And I looked at that ten ways from Sunday, trying to leverage that into a bigger bug before they finally fixed it. But you just never know. So delete is my alpha drop today. It's a very cool one.
00:46:48
riptide
You just never know what's going to happen when that gets zeroed out. All right. Zigtur, with no preparation.
00:46:56
riptide
Pull one off the hip. See what you got.
00:46:59
Zigtur
Yeah, so that would be on the Anchor framework for Solana. Are you used to it?
00:47:06
riptide
I've never looked at Solana.
00:47:09
riptide
I'm embarrassed. What is that?
00:47:11
Zigtur
So yeah, to really summarize how Solana works, you know that in the EVM, you have your code and your storage that are attached. Like,
00:47:23
Zigtur
they are really linked together. In Solana, it's really different. You have accounts, and your executable code is in an account and your data is in another account, and can be in multiple accounts.
00:47:41
Zigtur
So when you are making a transaction, you have to attach accounts to your transaction to say, okay, this code is going to read this account and this account, and it's going to write another account.
00:48:00
Zigtur
So let's say that there are three accounts. Then the Solana virtual machine would just verify that the program, so the executable code, is allowed to write to the given accounts on which write operations are needed.
00:48:20
Zigtur
And in the Anchor framework, the thing is that you are passing these accounts to the instruction that will be executed. And it just deserializes all the data from the accounts and keeps them in local memory, such that if you are modifying some fields of the accounts in the transaction, in the instruction,
00:48:50
Zigtur
this may not be reflected directly on the real storage account. And basically, if you are writing to the account, forcing to write it, and then do not reload it,
00:49:14
Zigtur
then you may have data that is not up to date, because you just made a write and the data you are reading is the old data and not the new one.
00:49:26
Zigtur
So yeah, when you are writing in Anchor to an account, you have to reload this data to deserialize the data again. And that can lead to...
00:49:36
riptide
Can you spell that, that, that ank, ankle, is that what you're saying?
00:49:40
Zigtur
Yeah, Anchor framework. It's A-N-C-H-O-R.
00:49:49
Zigtur
And what it does basically is it just abstracts a lot of checks that are done for the Solana environment, but it's still Rust.
00:50:06
Zigtur
And if you want to optimize things, you can just write native Solana in pure Rust, but it's not really recommended for security reasons. Yeah.
00:50:20
riptide
Okay, cool. That's a good drop, man. Very nice drop. I've never looked at Solana and I don't know. Should I? Think it's worthwhile? Do you think that ecosystem survives as the shitcoin casino, or how does it go forward?
00:50:37
Zigtur
I mean, yeah, it's more degen than Ethereum, but there are some interesting concepts. Like, at first, I was not understanding why we need to pass the accounts we are reading from and writing to in our transaction. Like, it feels weird because we are not doing that in the EVM.
00:51:03
Zigtur
But at some point, I just understood, okay, if I have two transactions that are not calling the same accounts, I can just parallelize everything.
00:51:17
Zigtur
I don't need to go in a sequential way because they are not writing to the same accounts.
00:51:25
Zigtur
And that's part of why the Solana VM is pretty efficient. You have a lot of transactions per second, when the chain is not down.
00:51:41
riptide
Yeah. Interesting. Yeah, I've still never used it. I've still never used it. I think the tech might be cool. I've just, you know, like I said, there's just so much stuff, so little time, and you need to determine where your time is best spent.
Final Thoughts and Encouragement
00:52:00
riptide
So new guys in this space, and I get messages from a lot of you. And I looked at my analytics for this podcast. It's 100% male. The majority is 18 to 24.
00:52:14
riptide
And yeah, it's a vast majority eighteen to twenty-four. So the young guys out there just getting started, what advice would you give to them? Should they do contests? Should they do bounties?
00:52:26
riptide
How should they start? Should they focus on Solidity, Go, anything? Any tips you could drop?
00:52:33
Zigtur
Yeah. Okay, so first, I think that the tech you are starting with is not really important.
00:52:45
Zigtur
What is important is to understand all the basic blocks that you are using. Like, what is a blockchain? A blockchain is just using the internet.
00:52:58
Zigtur
So having servers that communicate with each other. And you need cryptography for signature purposes. And when you know that, you can just...
00:53:14
Zigtur
It's nothing more than just this. You have the virtual machine concept, so you have to understand what is a virtual machine. And when you put all these blocks together, you understand everything.
00:53:28
Zigtur
Do not focus on one specific tech, because when this tech dies, you don't know anything else.
00:53:40
Zigtur
And it's good to start with one, for sure. And after, another advice that I can give is that you have to do, you have to try, you have to fail to really improve yourself.
00:54:04
Zigtur
Always waiting for the perfect timing or for the perfect knowledge before starting, you will never start, because perfect conditions do not exist.
00:54:15
Zigtur
You just have to try and fail, and yeah, that's it.
00:54:19
riptide
Agreed. Agreed. Very good tips. All right, I got the last question for you, and this is worth all the points. Brie or Roquefort?
00:54:33
Zigtur
So we are speaking about cheese.
00:54:40
Zigtur
Yeah, that's a good one. I would say Roquefort because I hated it when I was young.
00:54:54
Zigtur
Like, it was really bad for me, but now it's pretty good. So I love it.
00:54:58
riptide
It is good. All right, I'm with you on that. I dig it. All right, Zigtur, you are the man. Thank you for coming on. This broke the rules a bit. He's not a bounty hunter yet, but I know he's going to get bored, and he will do it. And I wanted to bring you on because I think what you're doing out there is very impressive, and I'm following your contests.
00:55:19
riptide
I'd love to see you dominating. I'd love to see the Spider-Man hitting the charts there.
00:55:24
Zigtur
Yeah, I need to do a new Photoshop with this Spider-Man.
00:55:27
riptide
No, no, it's so good. Hey man, thanks for coming on and we will see you on the blockchain.