Introduction at DevCon DeFi Security Summit
00:00:01
Speaker
Bounty Hunters: Life on the Blockchain. Alright, welcome to another episode of Bounty Hunters. We're here at the pool at the Faena Hotel in Buenos Aires, which means good air, which I like, and we're here in Argentina as part of Devconnect and the DeFi Security Summit. This podcast is brought to you by Immunefi, the best place for making millions of dollars finding some bugs and being an ultimate based chad, to be honest. So anyway, today we have a special guest. We are by the pool here, just gonna rub it in, we are getting a nice tan, and two ultimate based chads. I'm here with Mr. Drastic Watermelon. Welcome, sir.
Comparing Conference Quality
00:00:52
Speaker
Hello, hello. Hey, Riptide. Thank you very much for having me. Unreal being on the podcast, and also by the pool during the sunset. We're sitting in the pool with these stupid wireless mics like two idiots.
00:01:06
Speaker
Good times, man. This is good, man. Living the life. So, what did you think so far of the event? It's been the best conference that I've ever been to. I don't do many.
Building Relationships and Workflow Development
00:01:20
Speaker
The last one I did was DevCon in Bogotá. And I guess it then went to DSS in Paris the next year. But nothing comes close to this. It's been the best ever. Definitely, definitely. I thought this was amazing. Maybe second to Bangkok, but... Ah, I missed that one. Yeah, this is really cool. I dig it.
00:01:42
Speaker
I'm trying to think, like, what did I accomplish here. Did you accomplish all your goals, whatever you're doing? I came with the idea of, on one side, developing the yAudit workflow, or like fire flow, and on the other side, developing my relations with Spearbit and Cantina. We can get into that later.
00:02:01
Speaker
And I think I went above and beyond, honestly.
Value of Real-Life Connections
00:02:05
Speaker
I'm so happy with all the conversations and all the chats that I've had. And I also had some awesome steaks and met a lot of friends. So it's just nice people. Lovely time.
00:02:17
Speaker
Sometimes I wonder, like, why do I go to these shows? And then I have some real good in-real-life conversations with just a bunch of cool guys. I mean, for me, like, the coolest thing, I think, was doing the ultimate security game. The rarest, coolest thing. That was incredibly geeky and really, really cool.
00:02:38
Speaker
So shout out to BrazSkills, man. Jeff, you put on a great event, I gotta say. And you know, it's so cool to be able to see so many faces and talk in real life with these people that you're always dealing with online as profile pictures of animals or anime characters. Absolutely, man.
Journey in Blockchain Security
00:02:57
Speaker
It's well worth it, like once a year, twice a year, to take this time to be with these people in real life.
00:03:05
Speaker
Yeah, probably a couple times a year maximum. Yeah, I agree. So, alright, for people that aren't familiar with you, Mr. Watermelon, I don't know if you want to tell us your background, with maybe a prior alias if you'd like to do that, or just, like, who are you? Why am I talking? I won't jump into my previous alias. I started off in blockchain like 10 years ago. I took the security route, I'd say, like three years ago, when I did the famous yAcademy Block 5 Fellowship. Funnily enough, I applied for Block 4, the previous one, and I didn't get in.
00:03:42
Speaker
And Devtooligan, who was my interviewee, he said, come back next year, man, you've got it. So I did, I studied up, got into the fellowship, passed the program, didn't get in as a resident right away.
00:03:56
Speaker
Trying out competitions, that's where I made most of my foundations and learned the most. And eventually, I think it was the Paradigm CTF 2023, where I played solo and beat the yAudit team. That's what got them over the line and said, okay, we need to get this guy on board. We had some technical difficulties here. But I was at the Paradigm CTF 2023. It was online.
Role at Spearbit
00:04:27
Speaker
Beat the yAudit team. And I think that's what got me over the line and invited as a resident. So February 2024, I joined as a resident there. Been working with those guys since. I love working with them. They're the best place that I could have hoped to end up at.
00:04:43
Speaker
And, well, I kept going between audits there and competitions on Cantina or Sherlock or Code4rena, wherever I could find any. And eventually I came second in Centrifuge's Polkadot parachain competition back in August of '24.
00:05:00
Speaker
I got second place, those guys really liked working with me, and eventually they asked Spearbit to do a review where I needed to be on it, and that's how I got an in for
Y Audit Team Structure
00:05:12
Speaker
Spearbit. I joined them as an ASR in May or June and I've done a couple of reviews for them, and I'm working my way up the ladder, I guess. Time to promote this guy. Yeah, to chad CSR, chad security researcher. Yeah, I like the yAudit team. I think you guys are a good bunch. I think you've been around the ecosystem a lot, for a long time, like a bunch of cockroaches, and are just really good. Yeah, I mean, I've seen the reports and you guys are good. And it's small, like, how many guys are on the team?
00:05:44
Speaker
We are currently, I'd say, like six or seven smart contract residents, including me, four core members, including me, so there's some overlap there. And then we have, I would say, four, three, maybe five, somewhere around that, ZK residents as well. And we have that sort of business that's actually ramping up.
00:06:05
Speaker
We just closed a ZK audit with Warm, I think it was called. And yeah, we're trying to push those guys a little bit further. So in total, maybe like 12, 14 people.
00:06:18
Speaker
Okay. Plus Korn, who is our sales chad. He works with yAudit and with Yearn, so 14-15. Mr. Korn, who I did meet. Yes, also next chat. Love him. He's the best.
00:06:30
Speaker
Okay, cool. Yeah, very cool.
Bug Bounty Challenges
00:06:33
Speaker
So, your participation in the bounty space has kind of been limited, right? Yeah. I started off this year with the approach of saying, okay, I'm going to take bug bounty seriously now.
00:06:45
Speaker
Mostly driven by the fact that I came up with a good runway for myself with competitions and with audits, and I said, okay, the best EV right now for me is to go for bounties, because I can last months without finding anything, without getting paid, and if I find a big bounty then that's even better, right? So the experience went like this: in January, the first few days of the year, I found a bug in a Cosmos SDK chain, which was a rather simple bypass of their permissioned entry and exit.
00:07:18
Speaker
And those guys actually said it was out of scope, but they were nice enough to offer a goodwill payment of, I think it was a few K. It was a small payment, but definitely good and very motivating for myself, because, you know, finding those projects that are actually appreciative of your work, and they say, well, it's out of scope, but we'll pay you, thank you. That was very good. And the second experience I had this year, with Immunefi specifically, was a critical bug that I submitted in another Cosmos SDK chain, and that experience was just the polar opposite. It got shut down.
00:07:55
Speaker
Well, I didn't get a response for five days. The fix was posted on GitHub. So I was ready to see the money, right? Everything was ready for me. This is a bounty hunter's nightmare when this happens. Yeah, and I just got shut down saying, oh, we actually knew about this bug. We were told like 18 hours before the report. I'm sorry.
Unpredictable Nature of Bounty Hunting
00:08:14
Speaker
Known issue. Report closed. Then it was months of fighting mediation to get approved, to get a screenshot of anything, and I never got it. And I was just tilted from there on.
00:08:24
Speaker
So this was how long ago? Ten months ago. This was February. So the end result: you did not get paid and you were not provided sufficient proof that their claim was legit. Is that what you're saying? Yep.
00:08:35
Speaker
I didn't get proof the first time around for mediation. It got closed up. Immunefi told me, trust me, bro, it's correct. I ended up getting to know somebody at Immunefi and I ended up joining their audits team. They have a small auditing team. They gave me two audits this year, which were very good.
00:08:56
Speaker
And in the process, he asked me, what was your experience at Immunefi? And I brought up this issue and he said, oh, that's unacceptable. Let's make sure you get that proof. So they reopened the investigation, I would say, maybe in April.
00:09:11
Speaker
That lasted a month, a month and a half, and I still didn't get any proof. So that's when I just put a stone over it and said, well, let me forget about this.
00:09:22
Speaker
Yeah, you're describing the day in the life of a bounty hunter, which is unfortunate, because the system's crazy. It's like massive upsides when they pay out and then giant downsides for the majority of the time. Yeah. That's where I understood the fact that it's just part of the game. Yesterday I was at dinner with the yAudit guys and Usman Khan was there, the gigachad, and he said... I heard he's like 7'4" in real life. He's just huge, man. Sculpted.
00:09:57
Speaker
And he said everybody has that story. It's such a common thing, and the difference there is that some people understand these are the rules of the game and they go with it, and some people just walk away from the table. And I think I'm part of this last group of people, where I'm not up to it, and I didn't grow accustomed, doing competitions and audits, to working and possibly not being paid.
Dealing with Unfair Accusations
00:10:20
Speaker
Unfortunately, we hear it a lot. It's unfortunate to see you not try, like, I'd just like to see you back in the game, because, you know, good guys looking at these bugs are always appreciated. But, hey, I mean, this is what happens. Like, this is a problem that we've got to fix.
00:10:34
Speaker
I don't know how to fix it, man, because every protocol wants to handle it differently. Strictly business. Yeah. And they close you down. I understand. Yeah. So we'll give you the project's address later. Go look for something, guys. Your buddy, we'll just dime him out, Mr. Engineer, who's a based chad. He wanted me to ask you some questions. I am not ready. I am definitely not ready. Hey, maybe the first one is what we just talked about.
00:11:06
Speaker
All right, so he says, what was your most depressing experience in your auditing career? Was it getting rugged on this bug bounty? Was it what? Was it getting rugged on the bug bounty? That was...
00:11:18
Speaker
That's close. I'd say it's between that and an audit in which I got accused of not finding enough issues. The client, at the end of a three-week audit, they were saying, oh, but how can we be sure that you actually reviewed all of this cross-chain accounting stuff?
00:11:38
Speaker
I said, well, we found, like, I don't know how many criticals, highs, mediums, and you guys aren't going live, right? And they were saying, oh, but how is this possible? What mistake did you guys make? And they were accusing us of not having found enough issues, I guess, or something stupid.
00:11:58
Speaker
So that was very depressing. I remember doing the closeout call. Just like being accused of not doing your job? Yeah. And it had never happened to me. And I remember closing out the call where that happened, and I was just so angry. My hands were shaking. I had to go for a walk and actually discharge all of that.
00:12:20
Speaker
Nerves, because it was a very tense call. Yeah, that's not cool. That's not a fun time. I mean, unless you were slacking off, telling Claude: the codebase, make no mistakes. Yeah, it's definitely not. So that was very depressing, I'd say.
00:12:33
Speaker
So you got over it by maxing out on bench press in the gym? Like, what was the... Haha, yeah, I just went to the gym. Buenos días, espresso, por favor.
AI's Role in Auditing
00:12:43
Speaker
Espresso? Si. Okay.
00:12:45
Speaker
No te deixar agua, por favor. Te deixar agua. Te deixar agua.
00:12:51
Speaker
All right, listeners, you heard my amazing Spanish. Now, Watermelon here is quite fluent. Me, I'm quite not fluent.
00:13:02
Speaker
All right, let's see. We'll go to question two here. Okay, what is the worst part of the profit maxi mindset of auditors these days?
00:13:17
Speaker
This is a funny question. I can't say why, but it's a funny question. Yeah, profit maxis. There's a set of auditors, I feel, that have ridden a wave of
00:13:35
Speaker
their name being used as a staple, kind of like a guarantee stamp sort of thing. Couldn't imagine this happening. And well, I've had experiences working with people that...
00:13:51
Speaker
They would ask for more money than yAudit would offer and then not deliver on their promises. We'd need to hunt them down, like, hey, are you working on this audit? And then they come up by the end of the audit saying, well, I only gave half of the days.
00:14:08
Speaker
Do I still work on it? And then the delivery was yesterday, man. So. Yeah, that is a tough issue. You have a personal brand that you want to maintain, but if you make so much money, you're just like, ah.
00:14:21
Speaker
It's like being the guy at work that's really good, and then you kind of got one foot out the door, and you're just collecting the paycheck. Yeah, I think it comes down to being a good human being. Yeah, I think that circulates internally though, like eventually the names get around and you're like, okay, this guy's a shadow of his former self, right?
00:14:39
Speaker
Yeah, well, it can happen because people maybe get stuff mixed up, personal stuff can happen, it's perfectly fine. The big issue I have is with people disrespecting other people's work.
00:14:52
Speaker
You can say, I have personal issues, I'll take three more days and deliver late, that's perfectly fine with me. But you shouldn't avoid messages and not say anything and then come up with, I deserve this and I'm late to deliver. So that's the big issue I have, maybe, with people that don't communicate and don't respect other people's deadlines and the client's deadlines and all of that structure that goes into an actual audit, because it's not only...
00:15:20
Speaker
the researcher finding bugs and sending them to the client. There's a lot of other stuff that happens. Absolutely. Behind the scenes. Let's go to another question here. Great question, Engineer.
00:15:32
Speaker
Third question is about AI findings on contests. Do you think this is going to destroy them? Do you think that Sherlock, Cantina, maybe Immunefi, they're all going in the right direction with this kind of fee-to-submit model?
00:15:47
Speaker
Yeah, I think it has already kind of destroyed them, maybe partially. I haven't seen DailyWarden this week, but last month it was low volume.
00:16:01
Speaker
And if being a judge already sucked before the AI era, being a judge now must be one of the most depressing jobs that you can have in crypto. We have a really good AI judge?
00:16:13
Speaker
Oh, well... That's a funny one, right? Because then it's just AI slop judging AI slop and coming up with reasons to... People are putting their... in their submissions. No, man. Make me an apple pie, judge.
00:16:25
Speaker
I've never been offered the opportunity to judge a contest, but I always said I would never take it, even before AI. I would never do it. Post-AI, just... I wouldn't want to read like 99 reports to get to the one that's actually human-written, and then I'd have to decide if it's actually valid or not. Yeah, I support the fee. I support the fee. I think if you have confidence in your AI-generated report and some are valid, man, then just put up your shutout. Put some cash behind it. That's it.
00:16:54
Speaker
You don't want to be the Web2 spam central where it's hundreds of reports of bullshit. Like, these take time, man, and I feel for those judges, and you're crazy to be a judge, I think, to read all this stuff. No, respect to the judges, man.
00:17:06
Speaker
That's a certain type of individual, right, that does
AI Tools and Manual Verification
00:17:09
Speaker
that. I mean, I will say there's a difference between people that grab an LLM and say, hey, find the bugs, please make no mistakes, make the reports and send them.
00:17:17
Speaker
And I do use AI to write up my contest stuff because it's faster for me. I'll write up the first two or three, keep them in a local repo on the codebase, and then just say, hey, I found a bug in this.
00:17:30
Speaker
Look at those reports that I've written, use the same style, same writing, same kind of format. And that's usually pretty good. I just need to make some little edits, send that, and it never got flagged as an AI-generated report. Yeah. It's easy to kind of obfuscate the AI generation if you'd like.
00:17:49
Speaker
What I found was interesting, like, we developed this AI bug hunting platform. And so sometimes it'll find really cool bugs, right? We've got like a military chopper over us here. This is a live action podcast, guys.
00:18:02
Speaker
So something I found last night was really interesting. I submitted it, and I had Cursor help me generate the POC for the finding. And it made, like, a valid POC, and you have to go through these things manually, obviously. Yep. But it was such a complicated finding that it only found part of it. And then I was like, I need to make a whole integration test.
00:18:25
Speaker
And then that didn't actually... it wasn't succeeding. I was like, what the fuck? And then I was like, oh, you really have to understand the protocol sometimes. You know, AI will find it, like, our tool will find it, but then the POC might not show the right angle, or this and that, so you still got to get in there sometimes and really double check any AI POC that it generates. It might take a shortcut or it may do something strange. You just hate to see Claude start looping around saying, oh, I did improve the POC. Let me try again. Let me try again. And eventually it just gives up and says, well, I'll just simulate this stuff and illustrate it. And it simulates it with like a thousand console.log calls. That's just so much trash that you say, well, I could have done this myself. It's not taken now. Waiting for you.
00:19:13
Speaker
Okay, so number four here. I
Significant Bounty Exploits
00:19:15
Speaker
wonder if this is like a baited question. So he says, who do you consider the best bounty hunter right now, November 2025? Riptide, of course. Oh, shit. This is baited. This is obviously not me. I have a funny story of being, like, in 2020 and 2021, I didn't know anything about smart contracts, but I kind of made my way to the Arbitrum bridge and I made my way to the lines where they were clearing the storage.
00:19:37
Speaker
And I remember reading those lines and saying, why are these SSTORE slot 0? What is even going on here? And then you found a bug there. That was like your infamous Arbitrum bug.
00:19:52
Speaker
And anything clicked and I said, whoa, this guy is... Got lucky. Right, so I got lucky. Well, everybody will say, I love it. The thing is, I found that bug by pulling the storage slot. I didn't even look at the code first. All right. I pulled, like, slot zero, slot one.
00:20:09
Speaker
And it was zero. Yeah, and I was like, oh, that's weird. And then I started looking at the code. But yeah, it's... And what you described, we spoke about it a couple days ago. It's like being in that position where you see a bug but can't recognize it because you're early in your bug hunting journey.
00:20:24
Speaker
My man. So, is that yours? Did you get a water? Yeah, I got a water. I don't know who's the best, because how are you going to... Is this an espresso?
00:20:39
Speaker
It's like a... It's a quinto. A quinto espresso here. All right, excellent. I think one of the waters was for him. Yeah. No, no. IRL live episodes.
00:20:52
Speaker
This is an interesting thing in Argentina that I find so fascinating. Right now I'm looking at this coffee next to me, and I ordered a single espresso. This is cheap. This is a cappuccino cup full of
Dedication in Blockchain Work
00:21:08
Speaker
espresso. Man, you can't ask for an espresso outside of Italy and expect an espresso. Dude, this is like five shots. But every morning I've noticed weird behavior. So I'm at this nice hotel.
00:21:17
Speaker
Every morning I'll order the same coffee. I'll get a cappuccino. Each morning it has arrived as a completely different creation. I don't know what I'm getting, man. It's like I'm in America, where you order something, some bad coffee, like, what the fuck? They just make it up.
00:21:32
Speaker
And this one, it's like six shots. This is crazy. If you want a shorter coffee, you need to ask for a cortado. Cortado. That comes with milk, though. No, you can ask for it with milk. Maybe that's what I wanted.
00:21:45
Speaker
Either way, I have the biggest coffee known to man. Okay, we will continue here as we enjoy the sun and the pool. Wait, wait, wait, I still have stuff to do. Oh, shit. Okay, go ahead. So, of course, Riptide is up there in my list.
00:21:57
Speaker
It's very hard to come up with... one guy, but yourself, White Hat Mage, I really look up to Mage. King Lonely Sloth, of course, the king Sloth. My boy Usman, king Usman, need to get him on here. And yeah, the Blockian guys. I met one of the Blockian guys at a conference in Milan, oh yeah, twice in a row actually. He's a great guy, love him. Control Z. Yeah, those guys are great, man. Some guys who are just really consistent, really good. Yeah, that's the strength, I guess, of good bounty hunters, consistently showing up with awesome findings. Which is not easy to do, man.
00:22:37
Speaker
Like, I talked to some guys, and they're like, hey, you know, I'm just going to do it part time. I got a job at this firm, and I'm going to put two, three hours in. And I'm thinking in the back of my head, like, it's a cool hobby. Like, it's a fun hobby, but don't expect to top the leaderboards, man. The guys that are on top,
00:22:53
Speaker
it's seven days a week, I guarantee you. Yeah. Mage, to get up there, he was a non-stop beast. He was not sleeping. Yeah. Like anything in life, right? I had that realization also for competitions. I used to do competitions like three hours a week or three hours a day, and I was studying in university, until I met, I guess it was, he was 0xWeiss.
00:23:17
Speaker
Oh yeah, yeah. Weiss is based. At DSS in Paris in '23. And he said, people are going at competitions like eight hours a day minimum, maybe 10, maybe 12.
00:23:30
Speaker
And that's how you win. And I was saying, are you sure? Is that right? He was like, yeah, man. So that's when I kind of moved my college and university schedule around to actually make time to put in that time. What were you putting in at that point before that?
00:23:48
Speaker
Four hours a day. Yeah. Three hours a day. I had classes. I had calculus two classes. I had physics classes, which were really hard. Compilers classes, which I really enjoy, compilers, but they're hard, man. Yeah.
00:24:01
Speaker
Yeah, these guys are putting in, like... You're absolutely right, man. If you're going to be on top, you need to go all in, straight up all in. Yeah. And that's only reading code and reviewing and finding bugs. And then you have all of the study you need to do afterwards and the feedback loop that Zach Obront made popular, right?
00:24:18
Speaker
King Obront. Yeah. Dude, that's why we call this Life on the Blockchain. Because that's what it is. That's what it becomes. We'll look back, man, in five years, ten years, and we'll think, you know, wow, we were really early in this crazy experiment. Yeah, man.
00:24:36
Speaker
And, you know, I feel like I don't want to regret not giving it my all during this totally pivotal time of transformation. Just like the early Internet, we're in the early blockchain days.
00:24:51
Speaker
A lot of uncertainty, price up and down. And this is the coolest part, man. When everything levels out, it's really boring in my eyes, because it's very predictable. I wouldn't have it any different.
00:25:02
Speaker
Honestly, I find myself thinking every three to four months, six months maybe, what would I be doing if blockchain, if Satoshi hadn't published his paper and started this avalanche of technological revolution? And yeah, I can't
Common Pitfalls for New Auditors
00:25:20
Speaker
come up with an answer. No one has an answer. Every hardcore guy we talk to, no answer. It's true.
00:25:26
Speaker
All right, let me get to the next question here. Okay, what's the biggest mistake you see newer auditors making in this space? The new auditors, what's the biggest mistake that you see them making?
00:25:42
Speaker
That's a good question. Probably using AI tools is what I would say. It's a new answer, I'd say, because AI is relatively new.
00:25:53
Speaker
Using AI too much. You shouldn't be using AI, in my opinion, to understand codebases. You should be using it to make test cases, hopefully without all of those console logs, and to write reports, but you should be the one understanding the codebase and actually being able to discern when the AI just smokes a fat blunt and starts saying anything. Because if you don't know, then the AI will tell you, and then you'll insert so much misinformation into your knowledge set for that audit that
00:26:25
Speaker
you're not only behind, you're running in the opposite direction of where you should be going. Very true. I don't know how you're going to get good if you can't understand it. If you just keep hitting enter and talking to the AI, man, it misses so many things. Like, you have to dial that thing in so hard, and you can't do that without experience. Yep.
00:26:43
Speaker
And another mistake I see new auditors making is being afraid of jumping into complex code bases. I guess everybody feels this when they're starting something and this feeling hardly goes away.
00:26:56
Speaker
But being scared of jumping into, say, a Rust audit when you only do Solidity, or being scared of looking into the Monad competition, for example, that was a fat one, with a consensus client implemented in Rust, an execution client in C++ with just-in-time compilation for executing EVM stuff in x86. You shouldn't be scared. You just go into it. If you find nothing, you'll learn. And that's how anything works in life, right? You take chances and you do stuff, and if you really commit to it, you get somewhere
Evolving Web3 Security Environment
00:27:30
Speaker
eventually. Very good. It's as simple as that.
00:27:32
Speaker
I think it was J4X I had on here, and he said, one language to the other, the majority of the languages are really the same, as far as the logic by which you can identify bugs. You're just reading it. As long as you can understand the basic syntax, it's like, if this is done before this, hey, there's a bug.
00:27:51
Speaker
Absolutely. I have an example there. Shout out to J4X for beating me in the Centrifuge competition. He handed so many issues to me. I texted him after and said, man, you crushed me. Good job.
00:28:05
Speaker
And that competition was for a Polkadot parachain. And I didn't know anything about Polkadot. I kind of know how to read Rust, not the super internals.
00:28:16
Speaker
But I just said, I'll try this. Let me jump into this. I'll go into it with my current knowledge set, how I understand that blockchains should function. And I just dove at it. Logic is logic. You can write it in any language you want, and it's still logic. So once you wrap your head around the syntax, which should be fairly simple if you've been programming and working with programming languages for a couple years at least,
00:28:43
Speaker
then it just comes down to internalizing the concepts that the codebase is showing and reasoning about those. I'd go as far as saying that that was maybe, like, 90% of the findings that you will find, mostly. And then there's just 10% with language-related specifics, like unwraps in Rust, or, I don't know, non-deterministic map iteration in Golang, or whatever you can find in Solidity. I'd argue it's a little higher than that, maybe, because, like, on your point where you see a bug and you can't really identify it yet, and it's not clearly, like, a logic error, like if you have an empty array, right? Yeah. It's a silly error like that, but
00:29:26
Speaker
would you necessarily know that, okay, it would just skip through the array, if you didn't know the language, like, how it handles those? Maybe, I guess, maybe. Maybe, maybe not. I mean, modern programming languages, they have an interest, I'd say, in converging to a certain behavior, because you don't want to insert too many differences and not have your language be easily picked up.
00:29:49
Speaker
But yeah. Yeah. All right. So this is like a Q&A, because we really didn't have anything prepared. And I hope you're enjoying the background fountain here. I'm loving it. I'm ready to jump in the pool, man. I'm getting cooked in this house. So how would you describe what you do to your normie friends? I say I'm in consulting.
00:30:12
Speaker
Consulting? You say consulting? Yeah. So boring. I went to engineering school, and a lot of my friends, they're older, like three to four years older than me, and they all ended up in consulting for the big four companies there, where I live. And everybody was saying, oh, but I love this, because they move me around and I get to do so many projects. And I always saw that as, they're literally draining you, and you're not specializing in anything. I get to work on the plane in economy class, my laptop open. And I get to stay at home two days a week. And I always told them, I think they're kind of rugging you of your value, because you should hyper-specialize and go into hard stuff instead of being a generalist, because that's what gives better returns in the future. So I always fought with my friends, saying, you guys,
00:31:03
Speaker
you don't understand that you're not getting any value. And I probably shat on all of the big consulting firms, and now I just tell them I'm in consulting, I do security stuff, because it's easier to explain.
00:31:16
Speaker
Some of them know a little bit of the insights because they're computer science engineering classmates, so they know the insights of that. But to a normie that walks up and asks, oh, what do you do? I'm a consultant.
00:31:28
Speaker
I'd just say internet security. That usually keeps everything at bay. Oh, that sounds complicated. If they ask, oh, what do you consult about? I'll say internet security, IT security, something like that.
00:31:40
Speaker
All right, let's see what else we got here. Mr. Engineer, you're filling the whole podcast. Shout out to him. He's got some good questions. What changed in your perspective of Web3 security in the past year? What changed, sorry? In your perspective of Web3 security in the last year?
00:31:54
Speaker
Gotten better, worse? I think it's gotten a lot better. And you can see that in the fact that a lot of the hacks that happened in the last 24, 18 months, even 12,
00:32:05
Speaker
they weren't related to smart contract hacks. A lot of them were, well, the Bybit one was the multi-sig front-end compromise, and a lot of them were private key leaks.
00:32:19
Speaker
So if you look at some of the data that's around, and I looked at it earlier this year, pure smart contract hacks are going down and did go down.
00:32:30
Speaker
Of course, it's kind of hard to say that we're in a very good space after the Balancer V2 thing happened. Yeah. But I do think that that's the result of many years of, well, the competition structure working, producing so much talent.
00:32:47
Speaker
And you see that in the fact that new people enter, they eventually reach the top of the leaderboards, and then they never compete again. They join firms, or they work as freelancers. So we have more security talent, a lot more, and that's only making us better.
00:33:02
Speaker
And I also think that as we have more security people, developers are getting better because they have more resources and they can learn a lot more. And of course, you get developers to be more security-minded when all of these hacks happen, all of this stuff happens. So we are definitely in a better spot.
00:33:19
Speaker
And I think it will only get better from here on. Oh man, I have a totally different take on that. I think it's gotten okay. Yeah. It's a hard question to answer, right? So let's just focus on the 25% of, you know, the things that are caused by smart contract attacks.
00:33:38
Speaker
We feel like it's gotten better because we have these audit cycles, contests, bounties, that's all good. The infrastructure is better, definitely. The same bugs are reappearing, though.
00:33:49
Speaker
And then we have more AI code coming out, as you've seen. That's not good. That's not good. That won't be... I think that's a net negative. And then you're going to have auditors try to use that to audit. People are going to get lazier, it's just what humans do.
00:34:04
Speaker
But what I do think is good, though, is you have AI stuff that we're making, and there's going to be other competitors that do it really well. And hopefully we could find these super edge cases like the Balancer one, you know, that are out there in these big protocols that no one's seen before, to dive into the smallest corners of nuance and specificity that humans haven't looked at yet.
00:34:27
Speaker
Like that's what I'm really bullish on, is to really use this to secure things that are out there, to help improve smart contract security, because I think it's like up and down, man. Like
Debating Circuit Breakers in DeFi
00:34:38
Speaker
we gave some ground and then we gained some ground. Yeah, I agree. So I think I'm an optimist in this.
00:34:44
Speaker
But I also think that we need to come up with a new framework or a new way to think about the old contracts that have been around for so long, because it really blindsided me to see Balancer V2 hacked the way it did, and I think a lot of us were blindsided, and I think the common idea was that, well, the Balancer V2 contracts have been out for, what is it, three, four years, so that has to be secure, that has to be fine now, and
00:35:15
Speaker
we have this inherent problem that as the contracts stay on the blockchain and we get better, the skills we develop and all of that, the new skill set that we get also needs to be kind of covered by the old contracts, which didn't know about this information, and then we have this weird scenario in which we can sort of teleport in time, jump back to the practices that we had in 2021, and apply the knowledge that we have in 2025. And that's what happened to Balancer V2, essentially. Yeah.
00:35:48
Speaker
Someone had a great take. I think it was 0xNGMI, and I'll attribute this to him, but I think he said it about these hacks. And this seems like a no-brainer, right?
00:35:59
Speaker
And I'm all about permissionless, no-KYC DeFi, do whatever you want, but it's just like a limiter function, and he's like, this should be a basic thing in all DeFi. There should be, okay, you can only pull out like 25% of TVL for, whatever it is, dude, four hours, eight hours, something to give the team a chance to respond. Yep. And I'm like, you know, if you got 100 million, okay, dude, you can wait a few hours. I kind of like that circuit breaker idea. I don't see it in place more. I think we will see more of that, because this full drain stuff is just crazy, man. You just can't do that anymore. Yep.
00:36:35
Speaker
I think Philogy, which is the guy that really pushed the standard, I think it was an EIP or an ERC, I don't remember. He was ahead of his time, definitely. I've always seen DeFi to be more of a spectrum rather than a binary option of saying, well, either it's my bank or full permissionless yield strategies, vehicles, whatever.
00:37:01
Speaker
And I do think that within the spectrum, you will have all of these types of mediations and tools of, well, maybe you need a time lock to withdraw. Maybe you need an approval from one of these entities to allow this exit.
00:37:15
Speaker
And the reality of the fact is, if we want to grow and ultimately merge with traditional finance and grow the pie a lot bigger, those players will not in any way, shape or form take the deal that we're providing right now. Full drain. Yeah. One transaction, you don't know anything. You just blink your eye, money's gone. Yeah, I don't see that.
00:37:34
Speaker
I think we'll look back at this as a crazy time. Yep. Yeah. One click, the one-click full drain. You don't even know. You just see the transaction and you see what happens. You don't even have some time to say, oh, this is happening. It's just done. I think that's the answer. Unfortunately, unless some giant brain can come up with a better solution, I think we'll have to have some sort of limiters. You know, where we could do it so it's not like one guy censoring you or limiting you, or, you know, some sort of thing we could bake into the code, but just a way to help protect the protocols just in case something happens. Well, if there's one thing that I learned from so much engineering school, it's that it's all trade-offs.
00:38:09
Speaker
So everybody will tend to their needs and their kind of necessities. And if you really want to go the whole degen side, then go ahead. That's for you. And if you're going to end up in the middle and be somewhat safe, and you're fine with taking the trade-off of needing to withdraw and having a 24-hour cooldown and having a multi-sig approval, then that's for you.
00:38:30
Speaker
I think that we will end up somewhere, maybe at points in that spectrum. But it's what makes most sense to me, I think. I agree.
Conclusion and Light-hearted Ending
00:38:39
Speaker
I'm going to say we're physically getting cooked here in the sun, and we are going to hit the pool. So this episode is going to be slightly shorter.
00:38:47
Speaker
But, Mr. Watermelon, it was a pleasure having you on the podcast. It was my pleasure, man. It was awesome meeting you, and thank you for having me. Hey, man, it was great. We'll see you next time on the blockchain.