Introduction and Sponsorship Shout-outs
00:00:06
riptide
Welcome back to Bounty Hunters Life on the Blockchain. We are here today with, as always, a very special guest, but first the shout-outs to the sponsors.
00:00:18
riptide
We are sponsored by Git Recon, gitrecon.xyz/Riptide. If you want to get some invariant testing done, a little fuzzing done on your protocol, go to that link.
00:00:32
riptide
Riptide sent you, and they'll give you five grand off for first-time customers on an invariant testing engagement. So I've got to come up with a slogan. If you don't fuzz, you're going to get buzzed, or something. I don't know.
00:00:44
riptide
And then we've got rareskills.io/Riptide. Go ahead and buy one of their packages, the bootcamps, to start your learning journey as an SR. So Uniswap V3, they have ZK stuff, they have Solidity, they have everything you need to get up off your ass and start hunting bugs.
Guest Introduction: Daniel Von Fange (DVF)
00:01:08
riptide
So without further ado, our guest today is DVF Daniel Von Fange. Good day, sir.
00:01:17
DanielVF
Greetings. I'm impressed you pronounced that correctly. A lot of people stumble around on that.
00:01:21
riptide
I've traveled the world. I know a few names here and there.
00:01:26
riptide
But hey, man, great to have you on. I don't know if you know this, but you are, like, secretly my idol.
00:01:32
DanielVF
I appreciate that.
00:01:34
riptide
I don't know if you recall or not, man, and you probably don't because, you know, it's the opposite, right? But when I was first learning Solidity and going through all that, I would read your traces and your write-ups. You turned me on to Tenderly.
00:01:50
riptide
And I would just think, man, this guy knows everything. Right. And I remember you wrote something up, and then I took all the time I needed to figure it out. And then I responded to you and I said, hey, so basically, and I just said how it worked, and then you confirmed it. And I was like, oh shit, I got it.
00:02:10
riptide
It's hard, man. Like, it's hard to go from zero to knowing how to trace through a transaction in Solidity.
00:02:20
riptide
And yeah, I know looking back, you're like, okay, yeah.
00:02:25
riptide
But, you know, doing that as a beginner, I think it's just like you've unlocked a new skill. And
Impact of AI on Developer Learning
00:02:32
riptide
it's just so cool, man. And that's one of the things I worry about with AI and all these things. It's like, I don't know if people are getting that kind of revelation anymore, because they're so quick to just hand it off to the bot, you know, to figure it all out for them.
00:02:51
DanielVF
Yeah, I mean, I do wonder what the future will be like. Certainly, LLMs can drastically speed up how soon you can get going with things.
00:03:04
DanielVF
And to some extent, that can give you a good baseline as long as you
00:03:12
DanielVF
you know, move on from there. But yeah, if you get stuck in that local optimum there, then yeah, you never learn
Raising Problem-Solvers in a Digital Age
00:03:21
DanielVF
what's really going on under the hood.
00:03:22
DanielVF
And there's a huge, huge, huge, mind-boggling difference between surface-level knowledge and really knowing everything in a particular area, as far as, you know, everything about a particular piece of code, or, yeah, even with transaction traces, everything that's going on in the transaction trace.
00:03:43
riptide
Oh yeah, everything. And I attribute this, like, I have a son, and I disconnected his computer from the internet because I saw him doing something that wasn't learning.
00:03:55
riptide
And so I disconnect him, and then he won't use the computer. And I'm like, listen, okay, I had no internet growing up. I just explored the whole system. And that was how you learned. You know, you didn't go anywhere for the answers. You didn't have manuals. You just kind of figured it out.
00:04:12
riptide
And I worry that this generation, they can't even do that. They can't be disconnected. They have to: I've got to search for the answers somehow or have someone tell me what to do.
00:04:22
DanielVF
Yeah, that's interesting. I similarly really want to raise people who can figure it out.
00:04:32
DanielVF
But yeah, you know, it's such a two-sided sword, because being able to quickly get the answer, you know, like when Stack Overflow showed up, it was good for good programmers as well as
00:04:48
DanielVF
for poor ones. And yeah, it's really a very hard balance to get right. And maybe I guess that comes down to knowing yourself, or, you know, where you yourself are at, or the person learning, whether they're going to be benefiting or harmed by it.
00:05:07
riptide
Yeah, that was really like step one, when you had the forums and IRC and Stack Overflow. You started looking, like, okay, and you sometimes could just say, well, I just won't try to figure it out first. Let me quickly see if anyone else has figured it out already. So I guess that's always been around, at least for, you know, the past couple of decades. But I think it's gotten worse now.
00:05:28
riptide
I mean, worse or better, it depends on your viewpoint, with LLMs, no doubt.
DVF's Journey into Security Engineering
00:05:34
riptide
Before we go forward, I want to introduce you a bit, because some people don't know you, don't know the OG.
00:05:34
DanielVF
Yeah, these teachings, yeah, go ahead.
00:05:41
riptide
So you did an interview with Offbeat Block Xerox Profiles.
00:05:46
riptide
I did the same kind of thing. It's pretty cool. But it looks like you were a C programmer back in the day, doing some immutable code with Honda's car crash facility, which sounds really cool.
00:06:01
DanielVF
Yep, although that was ladder logic, which is, woo!
00:06:05
riptide
What is that? What is ladder logic?
00:06:09
DanielVF
Ladder logic is something that came from old machines in factories that used to be wired up. And so, to convince people to switch over to computers, they made what is not actually a computer language, but it looks like wires on a screen.
00:06:24
DanielVF
And then they said, hey, you can just draw all your wires on the screen and then have a computer run them, and you don't have to buy all these wires and switches, and it'll be more reliable. And for some reason, that has stuck around. So you basically have to program by drawing wires.
00:06:41
DanielVF
And when you're trying to do networking while drawing wires, good luck to you.
00:06:47
riptide
This is around as of what decade? Now?
00:06:52
DanielVF
Yeah, I just talked to somebody in the last month who still does ladder logic. So it's still completely around. This was early to mid-2000s that I did it. Yes. Yep.
00:07:05
riptide
Oh my God. So this is primarily in kind of industrial systems, you would say?
00:07:11
riptide
Okay. Interesting. No one would ever know that unless they specifically work there.
00:07:18
riptide
So, and then you also run, like, what's your position at Origin?
00:07:24
DanielVF
I am a security-focused smart contract engineer, with, I guess, a little side of research engineer, too. So I hop around between occasionally getting to write some Solidity code, a lot of reviewing Solidity code, and doing research to build new products sometimes.
00:07:41
riptide
And like, what drives this? Because, like, if a bug is out there, a hack happens, eventually DVF comes up on the feed with this super detailed trace.
00:07:53
riptide
And I always like reading through these, and I'll never be the guy to write a trace. I look at that and I'm like, ah, you know, the bug's already been exploited. To me, I have zero interest, but I like reading them. I like seeing how the bug was found. Why do you do it?
00:08:10
DanielVF
Well, that actually started my whole security journey, I guess. The protocol I worked on was hacked back in
00:08:24
DanielVF
years are meaningless in crypto.
00:08:26
riptide
Which protocol is this?
00:08:27
DanielVF
Four and a half years ago, Origin Protocol, OUSD. And it had just launched, was still in beta, big warnings and stuff. And I was not a security guy or contracts guy at the time.
00:08:41
DanielVF
And so I said, you know, our team needs somebody who knows security. I'll just be that guy and learn it. And so besides setting up a lot of processes that I learned previously in life about ending up with reliable systems, I also decided to learn, you know, how you don't get hacked.
00:09:05
DanielVF
And the smartest way to do that seemed to be to learn about every hack.
00:09:11
DanielVF
And the odds are much bigger that any bug is going to hit some other protocol before it hits you. And so I just figured if I stayed up on every bug that hit every protocol, then the odds were that I'd be able to see something wrong and make sure before it hit our code.
00:09:30
DanielVF
And it also turned out to be an incredible education as well, because you're seeing what slips past the audits, what people don't, you know, what's being missed.
00:09:41
DanielVF
So I just basically started with anything that was over a million dollars and on mainnet; I would go dive into it internally.
Mastering Hack Analysis and Prevention
00:09:52
DanielVF
At first, I did, like, big markdown documents on it, and then kind of brought it down to tweet-thread scale. And at the time, most bug write-ups, there were occasional, like, single tweets that really didn't explain what was going on.
00:10:12
DanielVF
Or there were giant pages of every single time money moved inside an entire hack, which was just as bad as trying to read a trace itself and didn't really give you any information.
00:10:22
DanielVF
So I tried to focus my write-ups on what the bug was, how you could prevent the bug, and then, for internal reasons, you know, check our own code and make sure we didn't have the bug.
00:10:33
DanielVF
or anything related to it. So it was basically a chance to both improve our processes, from figuring out how would we have caught this bug if it was going through our systems, or do we need to make any changes to our process to catch this, as well as just learning about every kind of bug as they showed up.
00:10:55
riptide
And that's kind of kept you, I mean, obviously you're a guy who's very interested in the mechanics and the inner workings and all the bugs. I mean, or else you wouldn't keep doing this.
00:11:08
DanielVF
Yeah, I mean, I have slowed down a little bit on writing up bugs. I'll only write up ones that are either not covered by other people or particularly interesting at this point. But yeah, it is
00:11:22
riptide
It is. That's what I tell people who want to hunt bounties: you know, some chase the money, they burn out.
Avoiding Burnout in Bounty Hunting
00:11:29
riptide
I'm like, dude, you have to be interested. You have to be interested in the stuff that you're looking at. Or it's just days on days of looking at code, and you just, you know, you turn off. You've got a real life to live out there.
00:11:41
DanielVF
Well, I'd say keeping a bunch of code bases secure is, I don't know, the more you care, the harder it is.
00:11:50
riptide
See, now you're not on, I mean, have you ever done any bounties, or are you strictly on the defensive?
00:11:54
DanielVF
Yes, early days of Immunefi, I did some, and I've submitted some: if I'm, like, integrating with a protocol or something and see a bug, I'll send it in. So I've done, yeah, I got one of the first Immunefi critical hoodies way back in the day.
00:12:15
riptide
What was it for? Do you recall?
00:12:18
DanielVF
I don't. It was only like a $15,000 bounty, but it was a critical. That's just what the program had. I used to be very unserious about bounty hunting. I would just, like, pick up my phone and say, I'm gonna pick a project name that looks like they might have a bug.
00:12:34
DanielVF
And then I'm going to pick a contract name that looks like it'd have a bug. And then I just scroll, look for a function that looks like it'd have a bug, and then look around, and often enough, there'd be a bug. Yeah, it's a different world nowadays than it was then.
00:12:46
riptide
Agreed. Yeah. Listeners, take note. DVF picks up his phone, scans a contract, finds a critical, forgets the critical even existed, doesn't even care.
00:12:58
riptide
I love it, man. Yeah, I mean, it's evolved so much, man. I mean, it's really interesting where it's evolving now. You know, for bug hunters like me, what I viewed as, like, a rite of passage was learning to write a POC, which was fucking hard, right?
00:13:17
riptide
For me, it was really hard just knowing how to set up Hardhat.
00:13:20
riptide
Like, there were no resources, and then resources came out. Okay, great. You still had to do some legwork. And you still had to write up your bug report. You had to know what the fuck you were talking about. And now, I mean, you're in the best place to explain it as any.
00:13:35
riptide
What the fuck does it look like on your side, where you're getting bug reports?
00:13:39
DanielVF
OK, well, my number one wish is: please write a POC. That's 100% at the top of the list. But as a project receiving bug reports, the fundamental thing to know if you're a bounty hunter is that the project is getting spam reports in.
00:13:59
DanielVF
And, you know, almost everything they get is going to be spam, with a little side helping of people misunderstanding what your project does and honestly writing something that's not actually a bug.
00:14:12
DanielVF
And so real reports are very rare. So the moment that whoever is reading your bugs sees a new ticket arrive, unless they're new to this, the first thing they're going to think is, hey, it's another piece of spam.
00:14:24
DanielVF
And so what you want to do is move as quickly as possible to "this is a valid bug." A lot of spam people use LLMs. They write, like, 13, 14 pages' worth of stuff with lots of bold capital letters about how dire this bug is.
00:14:45
DanielVF
And really, you just need to communicate, like, what the impact is, one paragraph or less; what the bug is, typically you can probably fit that in one or two paragraphs.
00:14:57
DanielVF
Where the bug is. And then show a POC. And the POC is really probably the most signal in the entire bug report.
00:15:10
DanielVF
Because if there's not really a bug, there's not really going to be a good POC, for one thing. And so I would say that's probably the key to getting quick attention: being clear with the POC.
00:15:28
DanielVF
And it also, you know, lets the project guy go on with his life if it's not a bug, or immediately respond if it is a bug.
00:15:36
riptide
But even that is not a gating function, really, because you can have a POC that looks legit until you see one line like, you know, prank the admin address, do something ridiculous.
00:15:45
DanielVF
Oh, yeah. Oh, yes. Oh, yes. I mean, I had somebody send in an oracle, you know, I get really bad bug reports all the time, and so I just, like, have to sit on my hands and not tweet about them.
00:15:59
DanielVF
But, yeah, somebody sent in an oracle manipulation attack, and they pranked an internal contract value, you know, just set the storage slot, and were just whipping it around.
00:16:13
DanielVF
And that's not an oracle manipulation. On the other side of that, you know, when I say that a lot of bug reports are bad, that contract didn't even use an oracle.
00:16:24
DanielVF
So, things like that.
00:16:25
riptide
God. What do you do about this, though? Do you have a filter for the spam and then a filter for that? Like, how do you save your time and, you know, not avoid the good ones?
00:16:38
DanielVF
Fortunately, the quantity is not such that, you know, maybe you get a bug report every week or something for us. And that's with a million-dollar bug bounty. Maybe it's twice a week or something. But it's not that onerous.
00:16:53
DanielVF
And if somebody actually writes one, I'm glad to read it, as long as they've given it an honest shot and honestly think they found something. The LLM ones are still pretty bad.
00:17:09
DanielVF
And often it really falls down in the POC and, you know, writes garbage. So usually you can tell pretty fast. I think only maybe twice did something that was garbage get past my "oh, this looks like this is going to be garbage" filter.
00:17:30
DanielVF
I still check them all, just being careful. But most of the time, garbage is pretty obviously garbage.
00:17:38
riptide
Can you use LLMs to filter out that garbage, or no?
00:17:42
riptide
Like, trained on your code base or something like that?
00:17:42
DanielVF
Well, I don't want to. Just at the odds of even one being real, you know, that's why we have the bug bounty program: it's for something that's gotten past stuff. So the volume would have to go way up before we put anything in front of it.
00:18:00
riptide
Yeah. Yeah, no, makes sense. Yeah, because, you know, when I submit something, I usually use Immunefi, or else I'll do, you know, just with you, like, I already knew you, I submitted something to Origin, and I just shot you something over Telegram.
00:18:15
riptide
But normally, it's Immunefi. And when I submit, like, the severity, I think about the guy on the other end, I'm like, ah, but then I'm also like, if I think it's legit, I'm like, hey, I don't know what else to tell you. I'm submitting the bug. I hope it's legit, but I've had plenty of reports closed out, either from a misunderstanding of the backend mechanics, or sometimes the protocol as well, or maybe I had a bug report or a POC that was actually flawed.
00:18:40
riptide
So, I mean, it happens.
00:18:42
riptide
Yeah, you're not trying to spam the protocol. I mean, some of those are obvious, but either way, you know, everyone's going to have some rejected bugs, and you're going to have to reject them.
00:18:50
DanielVF
Yeah, you know, like, an honest mistake somebody made who really had good intentions looking for bugs: in one of our protocols, you can deposit one coin, but whenever you withdraw, you get three coins back.
00:19:03
DanielVF
And so they compared the amount that you deposited of the one coin with the amount you got back, which was, like, a third smaller or, you know, two-thirds smaller.
00:19:16
DanielVF
And, yeah, very concerned that the protocol was losing money. But that was an honest misunderstanding. They wrote a POC. They showed that, yeah, you lost money depositing and withdrawing. So I mean, go for that. But, you know, at least they had a POC. They had a theory. Yeah, as long as there's a running POC, that's great.
00:19:35
riptide
Yeah, I'd agree. And what about for you? Like, I'm always curious about the different ways people are using AI. So in your auditing workflow, do you have it simplify things for you, understand code? Like, how are you using it?
00:19:49
DanielVF
I'm like one of those old-school lightsaber guys. So I keep AI completely out of my auditing at this moment.
00:19:57
DanielVF
And so I'm really going for me completely understanding the code at the end of the day.
AI vs Human Auditing Techniques
00:20:06
DanielVF
And so then everything I do that's essentially grunt work during auditing is building up my understanding of the code so that I can do the really hard stuff.
00:20:17
DanielVF
It's basically like loading up your brain with the grunt work. I do think that there is a future in which AI could be as good as your median auditor, which is not necessarily an incredible bar.
00:20:35
DanielVF
At this moment, that's not kind of where I'm at. Because again, when you're doing internal protocol work, that complete understanding then builds into the next thing you're writing, and the next thing you're writing, and the next thing you're writing, because, you know, you're interfacing with something you've done before or built on top of it.
00:20:53
DanielVF
And so being able to keep that long-running complete understanding is a real long-term investment.
00:21:01
riptide
Mm-hmm. Yeah, it's very true. And, you know, one of your tools I saw, and I already knew this about you, but from the interview, you had: what's your current setup?
00:21:14
riptide
And your first response to that is an HP black and white LaserJet printer. And you and me have some haters, because I also flex my printer and print out some code.
00:21:25
riptide
And you wouldn't imagine the hate I get, like, oh, you're old, man. The fuck you do that for? Oh, blah, blah, blah. But there's something good to it, right? You even wrote something that has, what was it? You did it for EulerSwap.
00:21:40
riptide
Yeah, some formatting thing. It looked pretty cool.
00:21:43
DanielVF
Yep, I have a shell script that goes through. One of the other things besides printing that I like to do, that may not work for other people, is I also strip out all comments.
00:21:57
riptide
Oh, dude, that's backfired on me recently.
00:22:00
riptide
I did that. I was like, DVF does it. I'm doing it. And I started stripping comments, and I submitted this bug, and the guy responds. He's like, it's literally in the NatSpec.
00:22:11
riptide
Oh god, I said, I stripped it out completely. Okay.
00:22:14
DanielVF
Hey, you saw it.
00:22:15
riptide
Yeah, take the L on that one.
00:22:19
riptide
That can backfire.
00:22:20
DanielVF
You can turn it back on afterwards or something. But, yeah, because, you know, so many of the big bugs are from wrong assumptions, and comments are, you know, a list of assumptions, and they're often untrue as time goes by in code bases and stuff. And so you're basically starting not with what the person intended the code to do, but, you know, just seeing what it actually does.
00:22:47
riptide
Yeah, you know, very true. And, you know, I wanted to ask from your point of view, because you're on the dev security side: when I look at a protocol, I like to go through the tests. I like to read some of the docs, like, see what kind of invariants are there.
00:23:03
riptide
And, you know, a big part of it is looking at the tests and just saying, what are they assuming? Are they just putting in BS tests for coverage purposes? Are they actually kind of asking, how can this protocol break?
00:23:17
riptide
So I wanted to ask the guy behind creating some of these tests, how do you create them? How do you come up with them?
Code Simplicity and Security Best Practices
00:23:23
riptide
How do you kind of, you know, think about these invariants to test, where you're satisfied that you're covering all the bases?
00:23:34
DanielVF
That's a pretty good question. To me, tests and invariants are very different things. You know, all security tools have their pros and cons, strengths and weaknesses, places they're good at, code they're good at, code they're not good at.
00:23:51
DanielVF
And so to me, unit tests, because they only test things you've imagined, are basically good at ensuring that
00:24:05
DanielVF
the common cases work, and that the common things you don't want to happen don't happen, at least in a specific case. So in my view, unit tests are absolutely required, but are basically the baseline, and everything else is built on them. And what they really tell you is, under ideal circumstances, is your code going to do what it says it's going to do?
00:24:29
DanielVF
Which is something that, you know, oftentimes people miss out on, or, you know, it catches you very quickly when you make a change or something that does something stupid.
00:24:40
DanielVF
But to me, they're very low on the security list just, again, because they're limited by imagination. Invariants are a lot more powerful, particularly if you run them through a fuzzer or formal verification.
00:24:58
DanielVF
But even if you just write them down and check the code against them, that catches a lot more situations where things you hadn't imagined are going on.
00:25:08
riptide
That's interesting, because I look at it from the point of view of just, you know, an attacker. What can go wrong? Like,
00:25:17
riptide
just completely adversarial, versus the dev kind of thinking usability. Yeah, how can the protocol make money? This and that. And I'm just thinking, okay, how can I break this down?
00:25:30
DanielVF
Yeah, so, you know, "does it work" is a typical trap for devs if that's all they think. You've probably seen Pirates of the Caribbean, and
00:25:45
DanielVF
Captain Jack Sparrow gets the hero guy out on the mast, and he says, well, you know, the only thing that really matters in life is, it's not what you want. It's what a man can do and what a man can't do.
00:25:58
DanielVF
And from my point of view with code, that's really, you know, it doesn't matter what the dev wanted or what you think is likely to happen in the world. You know, it really comes down to what the code can do and what the code can't do.
00:26:13
riptide
Yeah, no, very true. That's the honest truth. Nothing else to it. All right. Next kind of thing I want to talk about. I was thinking about this yesterday. I was looking at a goddamn diamond proxy contract. I don't like diamonds, right?
00:26:29
DanielVF
Nope. I hate diamonds.
00:26:29
riptide
I was going to ask you.
00:26:30
riptide
Yeah. I was going to say, what do you find the most frustrating about Solidity readability? And I was going to say diamonds or inheritance.
00:26:40
riptide
And yeah, you don't like UUPS either.
00:26:41
DanielVF
Well, I just, you know, one of the great advantages of being on the dev side is you can just pick the stuff you ain't going to work on or ain't going to do and then not do that.
00:26:42
riptide
Yeah. Don't like UUPS.
00:26:49
DanielVF
So we don't do diamonds and we don't do UUPS.
00:26:53
DanielVF
I think diamonds, not the full Diamond spec, but the idea of proxying on a per-method basis, is a really cool, beautiful thing. But it has no place in production code unless you're, like, something insane.
00:27:11
riptide
Just say an amateur.
00:27:14
DanielVF
Well, I mean, I'd probably use it in a hobby project, but I would not use it in anything with millions at stake.
00:27:23
DanielVF
But yes. As far as, so you asked about what makes Solidity hard to read, or what's the hardest thing in Solidity?
00:27:28
riptide
No, just, yeah, what do you find frustrating about Solidity readability? I was looking at some transient storage recently, and I haven't seen that often, so I had to kind of get up to speed on that.
00:27:40
riptide
But, I mean, there are just so many different things that I think, to me, diamonds, they're just annoying to look at. Luckily, we have tools like Louper. But just things where I feel like, in my mind, you should be able to look at a contract and know what it does; it could be very simple and it could have so much functionality.
00:28:03
riptide
And I know what's going on. Like, the devs want to out-nerd each other. You get some really cracked guys, whatever. They want to pull a 1inch and assembly the whole thing. I get it, man. I get it.
00:28:14
riptide
Or the Wildcat dude who, oh, fucking optimized the balance function. It's just like, it blows my mind. It's like, that goes against the whole goal here, which is, like, readable code, not for the technician engineer.
00:28:29
riptide
It should be for, like, just a guy who knows just basic Solidity, and he can kind of get the gist of the function and the usability of it. But if you obfuscate, it's like fucking Perl coders ran amok on your code.
00:28:42
riptide
And it's like, I can't stand it, man. I don't know about you.
00:28:46
DanielVF
Yeah, I'm a huge fan of not many inheritance layers, and of, I mean, definitely not the deep nested split functions everywhere. I don't know if you've seen Uniswap v3 code, but that way overuses inheritance, to the point that it's incredibly difficult to read, even though it's good code.
00:29:07
DanielVF
You know, something like Uniswap v2, where you've got everything in one page, you know, that's much more what I go for. So we usually try to do, like, three layers. One layer is the extraordinarily base thing, you know, like, you're inheriting a function call, basically, that you're going to use. And then the next layer up is kind of the baseline for everything that does that particular job. Like, if you have a yield investing strategy, you've got some contract that they all inherit, gives a consistent outside interface, and then you have the layer that does the job.
00:29:39
DanielVF
And as soon as you move beyond that, it starts getting pretty difficult to follow what's going on.
00:29:44
riptide
Yeah, I mean, doesn't it, like from a dev point of view, company point of view, would want, I would say hey make the code simple, but have the functionality that we want. Because number one, readability, great. New guys that I hire on can get up to speed quicker.
00:29:58
riptide
i'm going to have more people familiar with the code. My auditors will take less time because less, you know, it's easier to understand. i just see all pros from from that side.
00:30:08
riptide
I don't know why people allow to just go crazy for...
00:30:12
DanielVF
Well, simple code, OK, so going from ah dev's point of view, simple code is actually hard, much harder than writing spaghetti code that's sprawled everywhere um and requires much more skill.
00:30:26
DanielVF
And so it's it's not you it is much better in the long run, and it is much more secure. But it is a whole lot harder to write code that ends up simple. um And so in our normal process, yeah you first you kind of define the problem. And the more you understand about your problem before you start writing code, the cleaner, the closer you'll be to the mark and the cleaner it'll be.
00:30:49
DanielVF
And then somebody writes the code, writes the test, And then usually like the the tail end of somebody's own, ah you know before you start the real security stuff, is just squeezing it down to the simple version. and Our you know our um PR, a code change, new feature, new code lives in a ah PR branch.
00:31:12
DanielVF
And sometimes we'll have 200 comments in one of those. And maybe half of them are just squeezing the complexity out of it. yeah we Usually, when a PR process, you know once somebody's written the initial code, we'll often get it about a third smaller.
00:31:30
DanielVF
um And you know that's a third less code. Bugs, in my view, go up by the square of the code. So you've you've cut out basically half the bugs that possible universe of bugs out by you know shrinking your code by a third.
00:31:45
riptide
Yeah. Yeah. I mean, it sounds simpler than what it really is, right? Which is what you said, to write simple, clear code.
00:31:50
DanielVF
Yeah, it's no doubt hard work. Yes, it's really hard work.
00:31:54
riptide
Hmm. It's a challenge. Have you ever done, I mean, you say you don't play with AI that much, but did you ever say, all right, you're going to code something up, and you tell AI to do it and just see how it does it? And then you do it on your own, or you do it first, then you give AI the prompt, just to kind of see how it would code Solidity a bit differently than how you do it.
00:32:17
DanielVF
I haven't done it with Solidity. Something AI's pattern-matching-y kind of thing does is it gets you really close to the right libraries to use if you're doing something random. So, for example, I think I wrote a little script to actually visualize our code size shrinking during a PR.
00:32:39
DanielVF
So I wanted to basically make a visualization of our code, and you could see every commit that it was getting smaller and larger. And so for the actual drawing of that, I wrote it in some weird language, I think.
00:32:53
DanielVF
And yeah, I used AI to get me started on that. You know, it was pretty wrong about a lot of things, but it had all the right libraries. And you know, a lot of your time picking up a new environment is just knowing what to use and how to call things.
00:33:11
riptide
DVF doesn't even know the language he wrote it in. He knows so many languages, he forgets about it.
00:33:17
DanielVF
Well, at one point I looked at the top 30 programming languages, and I'd written production code in 15 and play code in probably half the remaining ones.
00:33:30
riptide
Did you start on C, or was it assembler?
00:33:33
DanielVF
No, I started with HTML, then PHP.
00:33:40
riptide
Oh my God. Hold on. Hold on. I'm shaking. Love PHP 4 or 5.
00:33:47
DanielVF
I probably started on three.
00:33:49
riptide
So that's totally not object-oriented. That's all functional.
00:33:52
DanielVF
And there's actually a lot of... yeah, PHP is underappreciated, and you can actually write really good code in functional PHP.
00:33:53
riptide
Procedural. Yeah.
00:34:00
DanielVF
But yes, so that's where I actually got started programming. And I actually wrote an
00:34:08
DanielVF
online multiplayer game client in PHP way back in the day, which is something that basically stayed connected to the game servers and recorded stats on everything that was happening.
00:34:19
DanielVF
But yeah, that's that's not the usual use case for PHP.
00:34:23
DanielVF
But I still can't get Haskell. That just doesn't work.
00:34:26
riptide
Never looked at it.
00:34:27
riptide
Never looked at it. All right, let me ask you this. So I got some questions from your biggest fans out there. All right, this one's from Antonio Villegano, who is one of the partners at Get Recon, our sponsor, getrecon.xyz forward slash riptide.
00:34:44
riptide
He says, how do you select your audit partners?
00:34:48
DanielVF
So I'm not the actual one that selects in the end, but what I do is evaluate how who we've worked with has worked out, and give my guesses on people who we have not hired yet, and decide what we need for a particular code change, new feature, new contract.
00:35:12
DanielVF
And so for some things, formal verification is not going to help us very much. For some things, something like fuzzing or formal verification is absolutely vital. So that's where I am there. But zooming out to a bigger industry picture, I think this is a huge industry problem in that there's no way really to know whether somebody's good or not
00:35:40
DanielVF
without having used them, and using them is going to cost you tens or a hundred thousand or something. And so the only people in the world who really know how good auditors actually are are VCs who are deeply involved in the technical side of things, or big protocols.
00:36:01
DanielVF
But your average person on the street, even your average team, is only going to have experience with a very limited set of auditors. And it's definitely a big visibility problem. So one of the things that
00:36:16
DanielVF
we want to do is constantly be evaluating how good our auditors are. You know, in theory, the auditors are evaluating how good your code is. But if you don't usually ship bugs to the auditors, you know, how do you know that they're actually good?
00:36:29
riptide
Those parties you mentioned, I don't think any of them knows. I don't think the bounty hunters know. Even though we think we know, the thing is the brand names.
00:36:40
riptide
You could see a big brand, but then you have to look at who's auditing it, because I've seen the quality vary; it's night and day.
00:36:48
riptide
Yeah, night and day.
00:36:49
riptide
And I'm like, who audited this? And then you look at the guy and you're like, okay, maybe I haven't seen his name before. But you really don't know, even the independent guys. I mean, I would say the independent guys would be better for some cases, right? Because independent guys have their reputation on the line, much like a big brand, except your quality control will be better if you want to continue auditing.
00:37:13
DanielVF
At least with an independent guy, if you're paying a specific developer, he's not going to pull a switcheroo on you with, you know, somebody who's bad.
00:37:22
riptide
But I'd say for complex projects, maybe they're beyond the scope of one guy, you know, but he might have helped with this and that. But you're right, it's a very tough problem.
Evaluating Auditor Effectiveness
00:37:34
riptide
Like, how do you... and then from my point of view too, what I'm curious about, a follow-up on Antonio's question, is like,
00:37:41
riptide
All right, you pay whatever the audit price is. You get the guys in there, and I guess you're grading it based upon the findings that they find. But you don't know. Like, is your code really tight? They really couldn't find anything?
00:37:53
riptide
Did they really put two weeks into it? Or what? Like, how do you know an auditor did a good job other than the soft skills with you? Hey, we're following up
00:38:03
riptide
with just... like, they look like they're checking everything, but they may not be that great.
00:38:07
DanielVF
Yes. So, you know, that is a very real concern and problem. One thing is we usually have some kind of communication with the auditors, a Slack channel or Discord channel or something going.
00:38:20
DanielVF
And you can often get a pretty good feel for whether somebody understands your code or not from the kind of questions they're asking.
00:38:26
DanielVF
However, that's still not the final thing. So what we'll often do is run things in parallel with the audit and kind of see who finds the bugs.
00:38:36
DanielVF
Or I'll skip doing my internal review before we send it to the auditor and then see what I find versus what they find. Or again, with formal verification or something, we'll have the auditor work simultaneously with the formal verification and then see how that shakes out.
00:38:56
riptide
Do you ever hide bugs for the auditors?
00:38:58
DanielVF
I have never hidden bugs for the auditors. I have shipped bugs to the auditors that we found but didn't fix.
00:39:04
riptide
Oh, shit. All right. Here's what I think. Because I've done this on... I don't do audits. I do security reviews. So I say, when you're done... It's like an incentivized bounty hunt that I just do solo before they launch their program.
00:39:21
riptide
So before you're going to put 500K out there, you know, come to me. We'll come up with a tiered pricing kind of thing. So I'll do a base fee.
00:39:28
riptide
And then I say, listen, any criticals that I find that are... high criticals, basically by definition loss of funds for the protocol or users, or protocol destruction. We'll set a bounty on that.
00:39:39
riptide
Maybe that's 15, 20K critical.
00:39:42
riptide
Or you could pay a higher base fee. Whatever you want to do; how secure do you think your code is? And I feel like there's satisfaction on that end for the client. They say, oh hey, this is cool. You know what you're getting.
00:39:54
riptide
And the guy's totally incentivized to find criticals.
00:39:57
riptide
Versus this model right now of just, God knows what these bigger shops charge, a hundred grand, you said. I mean, for what? Man, I hope it's worthwhile.
00:40:08
DanielVF
Well, the one thing about that incentivized model is that it kind of sets up an adversarial incentive system. It doesn't necessarily have to work out in an adversarial manner.
00:40:19
DanielVF
But yeah, protocols are incentivized to turn down bugs you send, and the bounty hunter is incentivized to send in things that are of questionable value.
00:40:30
DanielVF
I think, you know, there's definitely places for it, and it really does... It does unlock cases where somebody wouldn't pay for a bounty. And it's a whole lot better to have that than not. All right, sorry, not pay for a bounty, but pay for an audit.
00:40:44
DanielVF
It's a whole lot better to do that than not do that, you know, not have anybody checking your code. But I guess there's kind of tiers in the industry where the more reputation you have, the more you can charge, the more people pay you just, you know, for your time, I guess.
00:41:01
riptide
You ever thought of, say you have a couple of big firms and you're like, hey, firm A, I'm also hiring firm B, and you're going to audit on the same commit. Okay. And you have this two, three week time span to do it and have them battle it out.
00:41:15
riptide
So maybe the egos get in there, and
00:41:17
riptide
Maybe that could be good too.
00:41:19
DanielVF
Yeah, I think if you have the budget to do it, using independent people, not necessarily taunting them, but evaluating their skill, it could be very useful to parallel-run one or two independents
00:41:39
DanielVF
alongside big-name audits. And that basically, over time, lets you evaluate how good they are and kind of build up a collection of people you know and trust, while not, you know, risking your protocol security on somebody you haven't ever used before.
00:41:52
riptide
That's the important thing. Yeah.
00:42:00
riptide
Yeah. I would say if people are looking for audits and stuff like that, they should reach out to guys like you or bounty hunters. Because we see a lot of code. We read a lot of audits and we have contacts in the industry, and we can kind of say, hey, you know, this firm... I'd choose these guys over these guys, you know, help them hopefully make a better informed decision.
00:42:18
DanielVF
Yes, so after this podcast is over, I do want to hear your list of good and bad auditors.
00:42:24
riptide
Of course, man. All right. Also some other questions here. So we have a quote from Engineer, who just launched Twine Protocol. You know him?
00:42:35
DanielVF
I know him. He's a really cool guy.
00:42:36
riptide
I met him in Belgrade. Very cool. And I like the idea of the protocol too, where you're using that unused borrowing capacity.
00:42:45
riptide
So he says, what do you think security auditors could learn if they had some time on a dev team?
00:42:52
DanielVF
Well, if you're the kind of security person who likes clean code and your life is constantly annoyed by bad code, being on a dev team gives you an opportunity to actually make the code clean, not just stick Band-Aids on it.
00:43:06
DanielVF
So that's, you know, at least something that might make a security person happy.
00:43:16
riptide
That's a good point.
00:43:17
DanielVF
I'm sure there's a lot more to unpack on this, but that's one of the things that I really like.
00:43:18
riptide
That's a good point. Yeah.
00:43:22
riptide
Okay. And then, you know, we could flip that too. Like, what could devs learn if they go hunt some bounties too?
00:43:31
DanielVF
Yeah. See, I kind of straddle the world of dev versus... you know, most of my quote-unquote dev time is spent, you know, trying to break, you know, find ways things are broken.
00:43:41
DanielVF
But yes, if you're just a dev and you're used to the normal Web 2 world, all you have to do is make it work in the nicest possible case and your life is good. And, you know, that it works in all situations with people attacking it, and, you know, the breaking mentality, it really is a huge mentality shift, finding how to break code.
00:43:50
riptide
Yeah. Yeah. It's a unique perspective.
00:44:06
riptide
So his second question is, so this goes around optimizing. What are some examples of real-world trade-offs that project teams make that end up not optimizing for ideal security?
Project Security Trade-offs
00:44:20
DanielVF
So this is a really great question. And one of the powerful things that I learned, actually from Engineer, who used to be with Yearn, and Storm Blessed, who used to be with Yearn. And Storm talked about how security is not a Boolean.
00:44:43
DanielVF
And I think that's one of the very key things from a protocol's point of view: you're not flipping some Boolean from insecure to secure.
00:44:51
DanielVF
You know, an audit doesn't flip you from secure to insecure. It's all about what the probability of bugs is. And so when you're developing code, your job is to take some amount of resources, time, and money and turn them into moving the probability of bugs in the code as low as possible.
00:45:11
DanielVF
And so that's where, a lot of times, you know, using the right tool for the job really matters. Your own personal skill really matters. Your team's skill really matters in that. And I guess for real-world trade-offs, one key thing you can do there is know which pieces of code bugs are going to matter less in and which pieces of code bugs are going to matter more in. And then focus more on the ones where bugs are going to matter more.
00:45:43
DanielVF
So if you can write your code, again, going back to the architecture thing, so that one piece of code really holds the real security invariants of the system, let's say one smart contract, the other pieces of code can matter less.
00:46:01
DanielVF
For example, if, let's say, yield processing, or, you know, handling, taking reward tokens in and selling them and sending them back into the contract as profit, if that lives in a separate contract,
00:46:16
DanielVF
if it gets hacked, it's not going to be affecting user funds. And so you've just taken a big chunk of code outside of that critical path, and now that code can have a lot less money spent on it, or, you know, the money that you would spend on that, you can spend on the stuff that really, really matters, that's directly tied to holding the big bulk of the funds.
00:46:36
DanielVF
So that's probably one of the biggest ways of sort of cheating the system: getting the really critical stuff down to as small as possible and then putting enormous resources onto that.
00:46:54
DanielVF
For example, Morpho's contracts. The Morpho Blue contract handles their lending thing, and it's extremely small, tight, like 500 lines plus a few libraries that are small.
00:47:07
DanielVF
Similarly, if you have a Uniswap v2 pool, that code doesn't do a ton of work that you would think needs to be in an AMM.
00:47:23
DanielVF
It really just ensures that number go up, that the x times y constantly gets better.
00:47:34
DanielVF
And so that's one of the powerful things you can do.
00:47:38
riptide
Do you feel like, because I feel like this, remember the optimization issue was the whole gas thing, right? Everyone was optimizing for gas and you'd see that, and you don't see it as much anymore, but they would do everything.
00:47:49
riptide
Like, especially non-reentrant modifiers, you know, the ++i's, you name it.
00:47:58
riptide
And it was getting so ridiculous where they were making security trade-offs for those, you know, 10, 20 gas. And I don't think that's around anymore.
00:48:08
riptide
I think people are just like, well, I mean, it's around, but it's not as crazy.
00:48:09
DanielVF
Well, let's see.
00:48:12
riptide
Like people are like, hey, I'm just going to put non-reentrant on all these, you know. Like the basics, people are realizing that it's stupid to leave those holes open.
00:48:22
riptide
Aren't there anymore.
00:48:24
DanielVF
Yeah, I'm definitely, you know, we'll tell people we're not going to gas-optimize this because this is an admin function. Or we're not going to gas-optimize this because it's only going to be called 1,000 times a year or something.
00:48:33
DanielVF
And so you really do want to know, you know, basically, if it's on a critical path of transferring money, then it probably matters a little.
00:48:43
DanielVF
If it's not...
00:48:48
DanielVF
If it's not there, then you just kind of scale it. So we know what functions really matter, what don't, and don't optimize the ones that don't matter.
00:48:57
riptide
There you go. Next question is from toasted steak sandwich. Shout out to toasted steak sandwich. I think we touched on this. He's keen to hear how he's been so consistent in the space all this time. And I'd say what, it's your interest, right?
00:49:12
riptide
You just love it.
00:49:12
DanielVF
I'm full-time employed.
00:49:14
DanielVF
I show up every day.
00:49:15
riptide
He gets a paycheck.
00:49:16
DanielVF
I don't want to get hacked. Yes, I appreciate my company very much for allowing me time to write things up and, yeah, work with SEAL 911 and stuff.
00:49:29
DanielVF
So, you know, major props to them for letting me be more involved in the community. But yeah, you know, it's my job and I'm constantly trying to do a better job at it.
00:49:39
riptide
I should get the SEAL guys on here for a podcast. I'd like to hear what they're seeing every day too, because they're a big help in the space. That's great. Next one is ooze man, my man ooze man.
00:49:53
riptide
And he says, DVF is an OG, but still gets his hands dirty understanding, it seems like, every hack that happens. So he says, you've seen this industry improve a lot, but he wants to know, where do you think that we are regressing as well?
00:50:08
riptide
Are we forgetting the old ways?
00:50:11
DanielVF
I actually, I mean, I really do think security, smart contract security, has improved mind-bogglingly over the four and a half years I've been deeply involved in it.
00:50:23
DanielVF
Like, you know, if you roll back to DeFi summer or something, you could pretty much flip a coin on whether a newly launched protocol was going to get hacked.
00:50:34
DanielVF
And we're no longer in that kind of environment.
00:50:37
DanielVF
You know, most things that are big-name, you know, have big-name VCs attached, get lots of audits. People are much better about knowing the common things, much better about defending against them.
00:50:48
DanielVF
So I think that side has really improved tremendously. Where I think that the industry is currently still in the Stone Age is on the operations side. A lot of protocols have admin operations, upgradeability stuff, and I think a lot of people do a really bad job at that.
00:51:05
DanielVF
And that's the biggest hole. As a bounty hunter, this is one of the things where you can get paid and solve real-world problems: not just checking code, but checking how people have deployed and how people have set up their contracts and stuff.
00:51:21
riptide
I was just going to say that, deployment scripts.
00:51:23
riptide
If you're doing upgradeTo and you're not doing upgradeToAndCall and you're not making that atomic, I see it out there still.
00:51:33
riptide
And it's like, yeah, I think some people are so much behind the screen sometimes. They don't think, like... they see your broadcast in Foundry, and you don't see actually how it's posting to the blockchain. It's like, if there's any chance something will get front-run, it probably will.
00:51:53
DanielVF
Yep. Well, I mean, that's quite relevant to last week's big security attacks.
00:52:00
riptide
That was that was wild, man.
00:52:01
riptide
That's really wild to read about, the deep dive. Who was it? PC? Secca Vario?
00:52:10
riptide
I forget the name. Yeah. I mean, he just dove deep on that. And I was shocked. Like, that's wild. Yeah.
00:52:17
DanielVF
Yeah, I personally reverse-engineered the contract yesterday, or one of them, because there are several different variants. But it's extremely sophisticated in the fact that it was able to run undetected for so many months.
00:52:31
DanielVF
You know, they spent a tremendous amount of time keeping it undetected. So, yeah.
00:52:37
riptide
Yeah, it's wild stuff, man. Anything goes on the blockchain. And the last one for him is from White Hat Mage, who's become very famous recently, a lot of good bounty finds.
00:52:50
riptide
He was asking about the spam in the programs. And if that's one of the reasons some projects don't set a bounty, do you think that's a factor?
00:52:59
DanielVF
I mean, the spam could easily be, well, if you're not writing bugs, the spam could easily be your biggest cost, just because it takes a very skilled person to know if it's spam or not spam. And that may also be somebody who's writing the next cool thing for your protocol.
00:53:18
DanielVF
I think one of the big ways you can drastically cut down on spam is just only accept highs and criticals. That just gives you the ability, when somebody... you know, the petty things are the ones that people are going to argue the most about, and they're the hardest to prove.
00:53:37
DanielVF
And so if you can just say, hey, it doesn't steal yield, doesn't steal funds, you know, bye.
00:53:44
riptide
Do you ever tell your auditors that, to just say, don't give me a report with anything other than highs and crits?
00:53:50
DanielVF
No, not at all.
00:53:51
DanielVF
And we actually will pay bug bounties when it's low or medium if it's something that's interesting to us, you know, something we didn't know. We just don't advertise that. And we basically just have the flexibility to insta-mark without argument if it's not, you know, not that.
00:54:10
DanielVF
So to me, that's been a really helpful thing on bug bounty reports. But, you know, again, going back to knowing every piece of
00:54:20
DanielVF
your code, you know, every once in a while, there's something in your code you didn't realize was there. And, you know, hey, it's only marked as a low. And, you know, it's actually never really going to happen in the real world. But you misunderstood something about your code.
00:54:32
DanielVF
And so you need to update there.
00:54:36
DanielVF
Yeah, I guess jumping back to the original, or one of the early questions, about what security auditors could learn if they had time on a development team.
00:54:45
DanielVF
I think one thing, if we're speaking of auditors versus bug bounty hunters, is how often auditors will say you need to change something about your code, and it's actually a bad idea.
00:54:56
DanielVF
A lot of low- and medium-severity things are things that you actually probably shouldn't change. So a very important skill in working with auditors is knowing what you should and shouldn't change in a report.
00:55:07
riptide
Good point. Very good point. He's got one more question, and I'm going to talk about GMX in relation to this. So he says, what do you think of projects that set a bounty cap at 1% of assets for white hats and are then happy to negotiate for 10% with black hats?
00:55:23
riptide
I think we all know the GMX thing that happened. They took 40-something million, held it for a minute, got the offer, and they said, okay, cool, and they took the five mil. I think when you look at that hack, it's quite possible that they could have just closed it out or given them a small payment.
00:55:43
riptide
If you see a big bounty on something, if there's any room for fungibility there, the project is with very high probability not going to give you that max payout.
00:55:54
riptide
And I just got a confirmed bug today with a big project, and it's not at the top range for the severity, and I'm not surprised. From
Ethics of Post-Hack Negotiations
00:56:04
riptide
a business point of view, you don't want to pay that out unless you have to.
00:56:09
riptide
So what do you think about that? How do we solve this thing? Or is this the new standard, where you have to hack it and then you do this weird kind of gray-hat thing where you just say, okay, thanks, I'll take the reward?
00:56:20
DanielVF
Well, I guess people are often discussing what's the right thing to happen after a hack versus what's the right thing to happen before a hack. And so if somebody has no bug bounty program, well, then they really should have had a bug bounty program.
00:56:33
DanielVF
And similarly, hackers should have not hacked it instead of hacking it. And then, you know, after, what the ideal solution for both of them is, is a little bit different.
00:56:44
DanielVF
I think people really underestimate, probably, the cost to their life and future happiness of a great big huge pile of illicit money.
00:56:57
DanielVF
I think that you are better off, you know, after a hack has happened, doing what the GMX hacker did and sending most of it back.
00:57:10
DanielVF
And realistically, their odds of going to jail for a long time have drastically dropped. Not zero, but have drastically dropped. So...
00:57:21
riptide
Are those odds higher than they would have been to report and get the same amount of money? Like, you have to weigh all these variables.
00:57:29
DanielVF
Oh, yeah. Yes, there are odds of going to jail.
00:57:32
DanielVF
Yeah. I don't know of anybody who's gone to jail for reporting it.
00:57:36
riptide
No, no, no. I mean, there's the calculation. Okay, odds of going to jail when I do this versus odds of getting an actual payout that I think is material and relevant to this bug.
00:57:49
DanielVF
Yeah, I'm guessing that bug is very clearly a real bug. So I think that would have gotten a payout.
00:57:56
DanielVF
But, you know, kind of jumping to a slight side thing, in crypto, you're used to everything running off incentive systems.
00:58:06
DanielVF
And so, you know, you incentivize people to do this, and then, you know, the majority of them do that. But, you know, personally, you don't have to follow the incentives. And somebody said in some Twitter thread, you know, if you could steal $5 million from a protocol, or whatever it was, and no one would ever know, and you'd never get caught, would you do it?
00:58:30
DanielVF
And that's a good question because it really shows if your entire morality is just based on what can I take for myself. And if you could murder 100 grandmas, steal their life savings, and get away with it,
00:58:49
DanielVF
that's not something you should be doing, even if you could get away with it. And so you really have to have something beyond, can I steal this money, as your source of morality. Or, you know, you're going to live among people who believe like you do and live in a horrible society.
Value of Bug Bounty Programs
00:59:11
riptide
That's a good point. I think that these bounty programs existing are a net positive good, but
00:59:17
DanielVF
They do tremendous good and are a way to move things forward.
00:59:20
riptide
Absolutely, especially for Web 2 bounties. But you look at it from the stance of a moral person because, right, life in society, it's not a movie. The good guys don't always win.
00:59:34
riptide
You have bad guys that win, and they don't face repercussions in a lot of aspects of life. As you go down the road, you see it happen and you see no repercussions. And that's just how life is.
00:59:45
riptide
But you have all these bounty hunters that stepped up and said, hey, you know what? I have a moral compass. I'm going to do the right thing. And to be honest, they're doing the right thing, because if you get a million bucks versus 10 million, dude, a million bucks is a lot of money.
01:00:01
riptide
Like, ten million, it's fine, man. A million bucks doing the right thing, that's the path you want to go on.
01:00:06
DanielVF
Yes, oh yeah, yes. And, you know, the incentives in this space are so much clearer than, I guess, what the rest of society is used to or something. That it really is good for projects that have big bug bounties.
01:00:25
DanielVF
And it's good for their users, it's good for the projects, and it's good for the bug bounty hunters. Even though I'm not gonna hack anybody ever, you know, the number of people who come in and the amount of time... you know, basically, there was a huge gaping security hole in the ecosystem.
01:00:45
DanielVF
And then, by using incentives for people to do the right thing, and very big payouts that make economic sense, it brought a lot of people to looking at these problems and made the whole space better and safer.
01:00:58
DanielVF
You know, right now, I guess that, you know,
01:01:01
DanielVF
if something can't automatically be exploited at deploy time, there's probably like 50% odds that, you know, bug bounty hunters are going to catch it at this point. And that's a fantastic good for the world. And, you know, we have a million-dollar bug bounty, and we would so much rather pay that out than get hacked.
01:01:18
riptide
I love it. Let me ask you this. How in the hell do you size a bounty? Like, how did you come up with that million dollars? Was that just, this will attract people, get seven figures out there? Do you think of adjusting it based upon TVL or some other metric?
01:01:35
DanielVF
Well, we were originally one of the largest bug bounties out there on Immunefi when we started our thing, which was like 500,000, which was still, you know, almost unheard of back then.
01:01:48
DanielVF
And then just moved it up to a million over time. I guess a million dollars is life-changing money and seems like a good number.
01:01:59
DanielVF
So I guess it kind of depends on protocol TVL and stuff.
01:02:04
riptide
Yeah. Yeah. That's a tough question. And I'm cool with whatever the number; I mean, it should be enough to incentivize. If I was a project, I'd say that exact kind of thing. I'd say, okay, can I incentivize the right guys to look at it?
01:02:17
riptide
Because the more money I have at risk, customer funds, whatever it is, I don't want just the new guys looking at it who don't have a lot of experience.
01:02:25
DanielVF
Absolutely, yep.
01:02:25
riptide
Yeah. Seven figures, I think, is a good figure, and you're going to get the right guys looking at it. No doubt.
01:02:32
DanielVF
Yeah, and I do get to have chats with people like yourself who have a lot of skill, who, you know, sometimes message me and ask me about stuff, and that's fantastic, and, yeah, lets me know that, you know, we're in the right ballpark. And when you're really good at bug bounty hunting,
01:02:49
DanielVF
dollar amounts really, really matter. And when you're not good, you know, you just want to get some money showing up.
01:02:55
riptide
Yeah. Yeah. So we're nearing an hour here. I have this feature that I do. It's called the alpha drop, where we drop some alpha. There's a lot of new security researchers who listen to this, and OGs, whatever, but I like to have some advice to put out there.
01:03:12
riptide
And since I wasn't preparing you for this, I want to pull something from your interview that you did, and maybe you could just expand on this.
Advice for New Security Researchers
01:03:21
riptide
So it was advice for new security researchers, and you said, have a process, a checklist.
01:03:28
riptide
Maybe expand on that, how that can help someone go on their journey here.
01:03:37
DanielVF
Well, this is like scratching the surface of a huge, deep topic. So I'm trying to figure out how to say this very quickly. But, you know, essentially, you want to be able to turn time into finding bugs.
01:03:50
DanielVF
And if you have a fixed piece of code, the more you look at it, if you're just looking at it, you'll have a drop-off in finding bugs. You'll get bored.
01:04:01
DanielVF
There are things you won't think of. And so by having a process of, you know, first you check for this, then you check for this, then you check for this, it keeps you at a high efficiency rate of turning time into bugs and allows you to put in more time and get more bugs out of it.
01:04:20
DanielVF
It also covers things that you just weren't thinking about at the moment. You know, I've built up many years of looking at code, and oftentimes as I first read through code, I'll spot bugs.
01:04:35
DanielVF
But I won't spot all the bugs that way. And so by using a process, you know, I may be three days into checking code and then spot a bug, because I've been able to keep being productive for a longer time period and think about things that I wouldn't have thought of or, you know, didn't trigger red flags.
01:04:57
riptide
Very, very good advice. Checklist. I suggest everyone do that. Very good. All right.
Conclusion and Farewell
01:05:03
riptide
Thanks, DVF. It's all the time we have. We'll see you guys next time on the blockchain.