
Episode 4 - blockian (ControlZ_1337 & pwnmansh1p)

bountyhunt3rz: life on the blockchain

riptide & blockian (ControlZ_1337 & pwnmansh1p) discuss the unique Austrian method of hunting bugs while drinking raw milk and wearing augmented reality goggles, how the trio found a critical bug in LayerZero V1, laying low while ranked #38 on the Immunefi leaderboard, some very juicy ALPHA DROPs, career paths for bug hunters, and the importance of understanding the code better than the devs to find the most impactful bugs!

Transcript

Introduction to Guests and Setting

00:00:08
riptide
Welcome back to Bounty Hunters. We have today two guests who make up the group blockian: we have ControlZ and pwnmansh1p, like pwning, owning you. Hey guys, welcome to the show. And where, if you don't mind, where are your accents from?
00:00:18
Blockian
Hey. Hello.
00:00:24
Blockian
this is
00:00:28
Blockian
Thank you, guys. Glad to be here. Yeah, we're in Austria right now, specifically in Mayrhofen.

Skiing Experiences in Austria

00:00:40
Blockian
This is like a ski town, and we're currently staying here. We're doing a super long ski vacation, you can say.
00:00:52
Blockian
And we're snowboarding and researching at the same time. Yeah, and we haven't yet shared the origin of our accent.
00:00:55
riptide
Oh my God.
00:00:59
riptide
Ah, that's, well, you know, I just had to double check as I'm legally not allowed to have any more Bulgarians on for at least 12 months.
00:01:05
Blockian
What? Yeah, we can say.
00:01:08
riptide
That's cool, man. I've been to, uh, I was skiing. Do you know where Oitz is?
00:01:15
Blockian
Ah, what? No, where is it?
00:01:16
riptide
Yeah. Uh, it's, it's in Austria, Austrian Alps. It's a shitty, it's a shitty scary. Don't go there. I picked the wrong one.
00:01:24
Blockian
no
00:01:24
riptide
You know, when you go skiing or snowboarding in the Alps, there's so many different spots, and you know, Italian, French, or Austrian, you just pick one.
00:01:32
Blockian
Yeah.
00:01:33
riptide
And sometimes you just pick the wrong one.
00:01:35
Blockian
and
00:01:35
riptide
And I went with snowboards and they had the lifts that were so old that it's just a rope and you just hang onto it. And for snowboard, I mean, you can imagine it's terrible.
00:01:44
Blockian
Oh, yeah.
00:01:48
Blockian
It's tough, yeah. Yeah, I feel you. I'm also snowboarding and this is like the toughest shit out there.
00:01:57
riptide
But more fun. Yeah.

Background in Security Research

00:02:00
riptide
So guys, tell me. I don't think you're that well known yet, I mean, I just had Oprah on, which is like a superstar, but you guys are up and coming.
00:02:09
Blockian
Yeah, yeah.
00:02:11
riptide
I think it's fair to say you guys sent me a couple of bug reports, which I looked through, which is pretty cool stuff. So kind of, I don't know, give me your background. Maybe you can go one by one and share whatever you want to share, and tell me how you got here.
00:02:28
Blockian
Yeah, sure. So I'll start. This is pwnmansh1p here. So I think I've been doing vulnerabilities since forever. I just didn't know what they're called. And then maybe at uni I learned the name and I was like, oh, right. Yeah, that's it. That's the thing I like doing. So I think it's been with me forever.
00:02:51
Blockian
All my jobs have been in this field. I've been a classic security researcher, like classical software security, not Web3 stuff.
00:02:58
riptide
Like Web 2?
00:03:00
Blockian
Yeah, yeah. Anything low level, actually, I think.
00:03:05
riptide
Cool.
00:03:06
Blockian
And then somewhere in '22, I read Sarik's blog post. Do you know that one?
00:03:15
riptide
Oh, Cydia. Yeah, I read that one too.
00:03:18
Blockian
So I read that one, and I sent it to ControlZ and put it in the back of my mind. And then I had a class in university as well about consensus protocols, and everything clicked. And I was like, OK, OK, we have to do something about it. And then that's how it happened. That's how I got into it. And ControlZ has been with me since the start, so he can share how he got into it, and then we'll share our story since then.
00:03:45
riptide
Cool.
00:03:46
Blockian
Yes, so I actually started pretty late in my life, like programming at all. I started at age 22. I started as a full stack developer and I just learned. Me and pwnmansh1p, we were friends from school. So he just showed me some CTFs and stuff like that. And I just fell in love with the security and the research part of
00:04:14
Blockian
the job. I found it more fun than programming. So I started to make the move to transition into security research. And I started doing traditional Web2 security.
00:04:26
Blockian
And then, yeah, pwnmansh1p came to me and was like, look at this stuff, the Web3 stuff. There's a lot of cool bounties. We couldn't get into it.
00:04:38
Blockian
So we went for it.

Transition to Full-Time Security Research

00:04:40
Blockian
And the stuff turned out pretty good.
00:04:43
riptide
And you said you started late in life at 22? Get the fuck out of here.
00:04:43
Blockian
Yeah.
00:04:48
riptide
That's, you just started in life, man. That's great.
00:04:51
Blockian
ah
00:04:54
riptide
So all right, so you guys right now, you formed your group, you're calling it blockian. ControlZ, I love that name, 1337. You have the leet speak on your handle.
00:05:03
Blockian
for that
00:05:04
riptide
So you guys are just doing bounties? Are you doing audits, contests? What are you focusing on?
00:05:11
Blockian
So up until now, everything was part-time. We were doing it in the evenings and the weekends. So we did mostly bounties and just a little bit of contests and audits. But from about a month ago, since the start of '25, we transitioned to full-time. And so we're still figuring out our balance between all the options out there. We're trying to find what's best suited for us. I mean, obviously, there is a trade-off. So we do a bit of everything, and we're trying to find our balance.
00:05:42
riptide
What do you enjoy the most?
00:05:45
Blockian
Not contests, that's for sure.
00:05:48
riptide
Why not?
00:05:50
Blockian
I think the longer resolution time compared to bug bounties, and also the fact that contests have a lot of unknowns. Let's say you find a critical in a contest. You don't have an approximation of how much you will get from it until the contest ends and the judging phase ends.
00:06:11
Blockian
And when you're doing bug bounties, if you found a critical, there's a clear range of what the payout would be. And everything you find is a lot clearer, I think. And also a lot of the time, the experience of bug bounties is a lot faster.
00:06:31
Blockian
You submit a bug bounty. Although I heard some stories, and we had some unfortunate stories with bug bounties, most of the bug bounties that we did get paid for, and the project did not run away. And they were handled pretty fast compared to competitions. So that's, I think, a big win for bug bounties compared to competitions.

Significant Bug Discoveries

00:06:53
Blockian
I think also, for me, the time rush in contests has been annoying. I think only in the last competition we participated in, I really felt like I researched everything I wanted to by the end of it.
00:06:58
riptide
Mhm.
00:07:06
Blockian
Usually my to-do list is very long when I finish, still a lot to check off.
00:07:10
riptide
Hmm. Yeah, and I've heard the same kind of feedback on that. That's interesting. Yeah, obviously, I'm more pushed towards bounties. I just had something happen yesterday. And this is kind of how bounties work, you get that immediate feedback loop. Most of the time, you know, sometimes you can be kicked to the curb, back in the queue. But I submitted this critical yesterday.
00:07:37
riptide
And I'm like, oh, yeah, this is big. Oh, man. And I think in my head, you know, I envisioned the cash payment, and then the code rearranged itself. And then my bounty, it was totally invalid. Like I fucked up on my test and it was embarrassing. But I, you know, I said to the project, hey, sorry.
00:07:58
riptide
I want to withdraw this. This is my bad there. Oh, no problem. No problem. It's great. It's great. But you know, it can happen either way. But I agree with the contest thing. Just not knowing, because you can get a critical and you get paid 100 bucks because 50 other people found it. And I think that's such a rug pull.
00:08:18
Blockian
Yeah, exactly. That's the same way I feel about contests. And bug bounties are just simpler, I think.
00:08:26
riptide
I want to hear your thoughts, because you sent me a bug write-up on LayerZero.
00:08:33
Blockian
Yes.
00:08:33
riptide
And it was kind of cool. I don't know if you want to maybe just give a brief overview of it to let everyone know what you found.
00:08:41
Blockian
Yeah, sure. Actually, I think I found this bug exactly two years ago, to the day, when I see the date right now, because I remember it was Valentine's when I found it.
00:08:56
riptide
Was that version one of LayerZero?
00:08:59
Blockian
Yeah, it was the first version.
00:09:00
riptide
Okay.
00:09:02
Blockian
And it was actually with the off-chain components of the protocol. And the way that I got to the bug, as I told in the beginning, I came from a developer background. So I did full stack and stuff like that. And when I looked at the flow of LayerZero, they're sending messages. They're emitting those events, the off-chain components are catching them, and then they're submitting them to the appropriate chain. Right? So you have lots of configuration that you can do
00:09:40
Blockian
personally for your implementation. If you're using LayerZero yourself, you can implement a lot of configuration. Everything is configurable. You can choose to use other oracles and other relayers and stuff like that. Or at least that's what you could do in the first version.

Importance of Monitoring Code Changes

00:10:00
Blockian
And I thought, if I were the one who created the protocol,
00:10:07
Blockian
then what common pitfalls might I fall into? Like what mistakes would I make, and what parts are pretty tough to implement? So I thought that maybe a hard part to implement correctly is processing the configurations at the same time as sending messages. If everything's happening fast enough, maybe there would be a race condition or something like that, because the off-chain code I couldn't see, so I had to make assumptions. And also
00:10:47
Blockian
And in the testnet, they also had a configuration of LayerZero and relayers and stuff like that. So I tried it over there. And I just saw that I could change the configuration in a way that I won't pay any fees to LayerZero, but they will still pass on my message for me. So I could essentially force them to pay for messages that I haven't compensated them for. And I could just drain the funds that they have put in their off-chain components to deliver those messages.
00:11:26
Blockian
And that was a pretty nice bug that came more from an idea of trying stuff, like what would I do and what would be tough for me to implement. So it might be tough for other people, and it paid out.
00:11:44
riptide
So you put yourself in the role of the dev and just kind of looked at it holistically.
00:11:50
Blockian
Yeah, exactly. That was my approach in it. I just thought how I would do it. And then that worked.
00:11:59
riptide
And what I'm going to do from now on, I'm going to put the links you gave me to write-ups in the show notes on YouTube. I think people will like to dig into this. So I know you've looked at LayerZero version 2.
00:12:13
riptide
You have to. Just out of curiosity, right?
00:12:16
Blockian
Yeah.
00:12:16
riptide
What do you think of it? And I did too. They paid me to do a review before they launched. And I think it's a great system. I think it's really good. I think the bugs there are obviously on the implementation side. People can make an OFT and totally fuck it up and do something crazy. But I mean, the raw system that they built is really, yeah, once you get the hang of it, it's not that complicated, but I think it's very secure. And I wouldn't expect them to say, hey, we've been hacked on the front page anytime soon. What's your take on their current system?
00:13:03
Blockian
Yeah, I totally agree. I really like the current system, and I guess I'm also really fond of the LayerZero team. The experience with them was super, super good.
00:13:15
riptide
Mm hmm.
00:13:15
Blockian
Like, for example, when I submitted the bug, I got the payment the same evening, which is super crazy.
00:13:25
riptide
Top notch, top notch, guys.
00:13:27
Blockian
Yeah.
00:13:27
riptide
Yeah.
00:13:28
Blockian
So I have nothing but good stuff to say about LayerZero. And the current system looks great to me as well. I think it's really robust. And if you don't fuck it up yourself, there shouldn't be any problems.
00:13:44
riptide
That's the problem. Devs are going to want to change something. Hopefully, hopefully not. Hopefully, you know, this is kind of sticking around. Do you guys remember Nomad, the Nomad Bridge?
00:13:56
Blockian
Yes.
00:13:57
riptide
So I remember looking at that, and I think it was Prestwich who was the architect behind that, and he designed a really, really good system and it worked. And that was another bridge where I was like, man, this is rock solid, and it was only fucked up by a configuration issue.
00:14:16
riptide
And this, I mean, this is our world, right? Even when something's rock solid, the devs just gotta, and I've said this before, devs gotta update, they need to change, you need to optimize, and they have to do something. Even if that configuration issue wasn't an issue on Nomad, then they would have gone to Nomad version two, and then they have to change something.
00:14:39
riptide
I just saw Aave launched their next iteration.
00:14:39
Blockian
Thank you.
00:14:43
riptide
They have really good security, and they have everyone review it, but there's always upgrades and updates, and people change things. And so even if you look at a protocol, like we're looking at LayerZero, and we're like, fuck, I'm not wasting more time on it because I think it's secure.
00:14:59
riptide
You know, track the GitHub, look for new releases coming out. There's always some kind of attack vector I think that you should be on the lookout for.

Tracking Changes and Custom Alert Systems

00:15:08
Blockian
Yeah, exactly. Actually, what you said right now is part of what we look at in projects that we want to research. If the project is active and pushing lots of changes into their code and stuff like that, this is something that is very appealing for us. Because as you said, maybe the code was secure during the audit and in the past, but if you keep on pushing changes constantly, you're bound to some day, some time, make some sort of mistake.
00:15:41
riptide
And the more people you have fooling around on the project, just more things to change. And especially if you see people approving their own commits. It's always, you know, like little red flags that you could take a look at. But the interesting thing is, the flip side of that is you think something's vulnerable because, you know, they're deploying with like
00:15:44
Blockian
yeah
00:15:50
Blockian
good
00:16:01
riptide
there's the console log or the mocks in there, but still the code's secure, you know, and it's like, okay, well, fuck, that didn't work. There's to-dos all over the place, but still, there's no bugs.
00:16:10
Blockian
Yeah. Yeah.
00:16:13
riptide
That's the name of the game.
00:16:13
Blockian
Yeah. But you gotta keep an eye on that. When there's to-dos all over the place, you make yourself a note to keep checking what's going on with those to-dos.
00:16:26
riptide
And so what are you doing for, like I use Tenderly alerts for certain contracts, deployers occasionally, not that much, but I'll have occasional Telegram messages pinging me, oh, transaction done on this, blah, blah, blah. Do you guys have an alert system? Give me some of your methods that you guys use to find bugs.
00:16:48
Blockian
So actually, yeah, we have an alert system, but it's developed in-house. We developed it ourselves. We have several systems.
00:17:01
Blockian
And I will now reveal our cards.
00:17:08
riptide
Is this a Python script and you're running a node locally? What is it?
00:17:12
Blockian
No, no, of course it's a Python script, but the methods that we find interesting are maybe our secret sauce, I don't know. But we have alerts for changes in contracts, and alerts for new commits into projects that we find interesting. Our alert system is kind of manual.
00:17:33
Blockian
It's not all over the project.
00:17:35
Blockian
We mark the projects and the contracts that we find interesting, and we get alerts for them specifically. Yeah. The thought behind it was that we have knowledge on stuff that we have researched already.
00:17:47
Blockian
Even if they were secure, we have put in the work and we do know a lot about them. So it would be a shame to let that go to waste. So perhaps we should monitor everything that changes within the systems that we are already aware of.
00:18:02
riptide
You also have a notes.md file. I love it. I think everyone's got some packet of notes, and you guys are monitoring all these addresses too. That's cool. I think it depends on how much effort you want to put into a lot of this stuff.
00:18:13
Blockian
Yeah.
00:18:18
riptide
I think it's a very good tactic. I wonder what your hit rate has been. I think I've had a pretty low one. I'd say maybe 10, 20% on an alert that's actually led me to something I was waiting for because it was certain. I knew it would happen, but other ones I just kind of would see something and then, you know, go check it out. What about you?
00:18:45
Blockian
Yeah, so I think ours is actually lower. It hasn't proved itself just yet. I think up until now, most of our most interesting findings, or even most of our findings, were just based on hunches and random projects that we ran into. But hopefully, while we make this more tailored for us, then perhaps it will prove itself one day. But if not, then so be it.
00:19:14
riptide
Yeah, the opportunity cost is so low, why not? That's interesting. It's like what I was looking at today, right? I was probably staring at some, I opened up my old notes and I looked at a valid bug, and then I said, well, have I looked elsewhere for this? And I probably had, and sometimes I do this.
00:19:17
Blockian
Yeah, exactly.
00:19:37
riptide
And I started getting lost in some contracts, and then I realized I'd been to these contracts before, and I'm thinking, man, am I wasting my time? And I didn't find anything today, but just looking at, like when you see something, say it's a pattern that works and you found a bug in it, you know instinctively you think,
00:19:59
riptide
I'm gonna find another one, all this has to be out there, and then no one else is doing it, like it's a very unique pattern, and you just can't find that exact same vulnerability. And you think in your head, like, this is going to be widespread, and it's one result and you've already found it.
00:20:14
Blockian
We have definitely had that exact experience a couple of times.
00:20:22
riptide
Was that with, so you found the LayerZero one, you sent me two. And then the other one was basically a voting kind of exploit with this obscure Cube blockchain, which I've never heard of.
00:20:32
Blockian
Yeah, I think that was, like, the
00:20:33
riptide
just
00:20:35
Blockian
the thing that got us into it, the Cube blockchain, our first bug.
00:20:38
riptide
And did you look for, did you say, okay, we're the voting kings, now we're governance kings? And then try to find it everywhere else where votes were cast?
00:20:48
Blockian
Actually, yeah, we did. Exactly. I think we also found something else governance related pretty soon afterwards, with the exact same method. We were just like, OK, we had this governance issue. Let's search it wide, on every project on

Adapting to Various Technologies

00:21:08
Blockian
Immunefi. Yeah, delegation isn't easy. Let's find who did it for themselves. And the results tilted. Yeah.
00:21:18
riptide
Where do you feel like the most overlooked areas are by developers, when they're making a protocol or when they're integrating their protocol with another?
00:21:29
Blockian
So sadly, I think the last thing that you mentioned, the integration. I said sadly because it's the least interesting part, I think, for me. I like the very core stuff within the protocol, which is usually the least overlooked because it is clearly the place where most eyes are at. And I think the most overlooked is the integration outside the project. It's with the new releases. Yeah.
00:22:00
riptide
And are you guys looking at, do you just restrict yourself to Solidity? Or do you look at Go, Rust, everything else?
00:22:08
Blockian
Actually, we look at everything else. Our latest bounty was ZK proof stuff. And we also like everything that could be complex enough. This is the main stuff that intrigues us. It doesn't matter if it's Solidity or Go or Rust or stuff like that.
00:22:36
Blockian
It's whether it's complex enough to be interesting enough, and probably, maybe, novel enough. I think we have at least one bug in all of C, JavaScript, Go, Rust, Solidity and circuits.
00:22:50
Blockian
I think we have at least one bug in each one of these. Yes.
00:22:55
riptide
Interesting. So the ZK, you found a bug in a circuit? Can you give a high-level overview of that, or, you know, just a snippet of what that ZK bug was?
00:23:00
Blockian
Yes, I think we have one. We were the solo finding in an IOP on Immunefi in one of the circuits, and then one just bounty. So after we've been the governance kings, now we're the circuit kings.
00:23:23
Blockian
So I think I haven't looked at the sharing policy of the project, but the
00:23:31
riptide
You don't have to name them, just maybe.
00:23:33
Blockian
Yeah, the high level is, when you develop a circuit, you have to think in a different manner than when you just write code, right? Because a circuit is based on the fact that there is an input that yields the output that the contract is getting. Not just that when you provide the specific input, then that's what you get. And so in this specific bug,
00:24:01
Blockian
the issue was we found a different input that produced the same output. The output that was used to perform something on chain. And the mistake itself was just a generic length-of-a-vector one, not something very interesting. But because you have to think differently when you develop a circuit, it's easier to make these kinds of mistakes
00:24:24
Blockian
and not notice them, because the code works. It does exactly what it's supposed to do. When you provide the right input, it provides the right output, which is what most development looks like. In this case, the question is whether there is another input that can produce the same output.
00:24:39
riptide
Now, how did you find that? Did you just kind of plug in numbers, guessing? Did you look at the circuits, the logic's flawed here? Did you look at the libraries? Did you fuzz it? What was your method?
00:24:55
Blockian
No, it was manual review. So I think my method is usually just to look at code, ask myself questions, and answer them until I feel comfortable enough that I know it more than the developer. So one of those questions, the answer was, oh, yeah, it does work like that. And a bug was there. But I think the methodology is just to keep learning about the code that I'm looking at. I think that's the only thing I can say.
00:25:26
riptide
What would you say, when you're bug hunting, when you're looking at bugs and you're on the chain? I was thinking about this today because I know my answer. What kind of shuts you down when you get on the blockchain?
00:25:45
riptide
Maybe this question doesn't make sense. I'm talking about Gnosis Safe. When I get to it and I see the governor, I'm like, oh yeah, it's going to be a contract. And I see the Gnosis thing pop up and I'm like, fuck, man. God damn it. Dead end.

Tools and Techniques in Security Research

00:25:59
riptide
Like, is there anything on your end where you see something and you're like, fuck, man, I know this thing's rock solid?
00:26:05
Blockian
So when we looked at voting, a lot of governance, then the voting escrow, I forgot the name, the canonical contract that everybody uses. When we saw that one, we were like, ah, not again.
00:26:18
riptide
They didn't modify it, damn it. So tell me, what about your tool suite? What are you guys using? Any interesting ones you can toss out there?
00:26:21
Blockian
Yeah, exactly.
00:26:33
Blockian
I'm a big fan of Regex. Regex, Regex, I don't know how most people pronounce it. Big fan.
00:26:39
riptide
Regex, yeah.
00:26:40
Blockian
Yeah,
00:26:41
riptide
Just throughout, you download all the GitHub repos and then just use regex in VS Code or what?
00:26:48
Blockian
Yeah, exactly. Big fan.
00:26:50
riptide
You can't regex on GitHub code search for some stupid reason. I don't know if anyone uses that. Yeah, do you guys use GitHub code search?
00:27:00
Blockian
Not so much, actually. We're scraping all the projects and opening them locally with VS Code, and we can regex over there.
00:27:10
riptide
Are you old school? Are you developing your own regex, or are you having GPT make it?
00:27:17
Blockian
No, I think we both develop our own regex. Yeah. I mean, there's this one online tool, I forgot its name, that visualizes it and helps you.
00:27:25
riptide
Yeah, I've seen that.
00:27:27
Blockian
i mean a emon
00:27:29
riptide
I don't know how old you guys are, but if you've heard of Perl.
00:27:33
Blockian
Oh, yeah, we're both, sorry.
00:27:34
riptide
Yeah, that reminds me, whenever. No, go ahead.
00:27:38
Blockian
I said, we're both 27. We're not keeping that.
00:27:42
riptide
That's not old, but you still heard of Perl. Yeah, that reminds me, your regex, whenever I think back in the day to Perl, there's like few people that actually know it. And so what else are you using for your tools? I'll drop one out there. I use, and I don't think a lot of people use this, it's called Bloxy, B-L-O-X-Y dot info. You ever heard of it?
00:28:04
Blockian
I don't think so. I've written it down for me, though.
00:28:07
riptide
Yeah, the UI is kind of shit, but it's just so easy to use. You just pop it in, and it's only on mainnet, is the thing. So you pop in a contract and then it shows you every single call, every single event, how many contracts called it. It just gives you all that info
00:28:23
riptide
on one page, whereas normally, either you got to run your own tools, you got to go to Dune, you got to browse through Etherscan, do filters. This is just such a time saver.
00:28:35
Blockian
Yeah.
00:28:35
riptide
That's one of my favorite things to use on mainnet.
00:28:37
Blockian
Now I look at this and I recognize the logo, so I've probably used it. I think one that pops to mind is Falcon by BlockSec. I think I used that one a few times.
00:28:48
riptide
Oh, yeah, yeah, MetaSleuth and Falcon.
00:28:52
Blockian
Yeah, exactly.
00:28:53
riptide
Are you guys simulating with Tenderly, or do you just do it in Foundry or Hardhat?
00:29:00
Blockian
Foundry. Yeah, Foundry. When it's, we do a lot of non-Solidity stuff, of course.
00:29:03
riptide
And what about in Foundry?
00:29:11
Blockian
No. Yeah, when we do non-Solidity stuff, maybe we just provide a local copy, stuff like that. But yeah, I think we're not super big on tools. We like the basic stuff, like the explorers and stuff, and Foundry stuff for POCs,
00:29:32
Blockian
checking code, but we don't have a lot of sophisticated tools, like tools that help us with the research itself. We have tools that help with the processes around the research. We do have a long list of tools to look at that we keep growing and not checking things off. Yeah.
00:29:53
riptide
It's probably just noise. A lot of these tools, the manual method really is the best. Just read through it and just take your time.
00:30:00
Blockian
yeah
00:30:02
riptide
Do you use any performance enhancing, any tools, mental tools?
00:30:02
Blockian
yeah
00:30:08
riptide
I know you're in Austria, so perhaps raw milk from the mountains.

Motivations and Rewards

00:30:14
Blockian
Actually, I have the Apple Vision Pro, which, yeah, I think it works super well for me because I have some back issues.
00:30:19
riptide
Shut the fuck up. I use this for auditing.
00:30:32
Blockian
So it's hard for me to sit for long times. So with the Apple Vision Pro and being in any position I want, I can lay down on my back and research at the same time and stuff like that. So it helps me a lot. So it's super funny. It's stupid, but it works for me very well.
00:30:51
riptide
So you sit on the couch, and then you have raw milk in your left hand, and then with your right hand, it's just in front of your face and you're manipulating everything. How do you type? I've never used it.
00:31:02
Blockian
Yeah, exactly. You can use a keyboard as well. Yeah, you're not forced to use your hands like a weirdo, but you can use your normal keyboard and stuff.
00:31:12
Blockian
It just helps you to move the screen to other locations, like not be hunched over with your head all the time and stuff like that, which, for me at least,
00:31:22
riptide
Mm hmm.
00:31:27
Blockian
helps my shady back. Another industry secret for security researchers is repetitive music.
00:31:30
riptide
No.
00:31:35
Blockian
You put the same song for the entire day.
00:31:39
riptide
The whole day.
00:31:40
Blockian
It helps you, I swear. You should try it.
00:31:43
riptide
What are we talking lo fi? Like, what are you listening to?
00:31:45
Blockian
No, no, no. Just a song that you like that doesn't have a lot of... that you know well, so it won't distract you.
00:31:52
riptide
Hard house.
00:31:53
Blockian
Put it on repeat.
00:31:55
riptide
Okay. All day. I don't know about that.
00:31:58
Blockian
Yeah, sometimes it's two months.
00:31:58
riptide
Maybe it is good.
00:32:02
Blockian
I'm not like this, so it's only Pwnmanship. He's not talking for the both of us.
00:32:12
riptide
He's got electronic music on repeat and you're sitting on the couch with an Apple Vision Pro.
00:32:16
Blockian
yeah
00:32:18
riptide
I do like that idea, because I mean you sit in front of the screen. The method we have for doing this is so stupid for everyone using computers. I thought we'd have, I don't know, like a Neuralink thing years ago, because we're just sitting here with the keyboard and mouse that were invented ages ago.
00:32:36
riptide
And that's the best that we have. We're all stuck here. Just, yeah.
00:32:41
Blockian
yeah
00:32:42
riptide
I think what you're doing honestly makes more sense, even though it may look ridiculous. I think when they downsize it to a pair of Oakleys, then I'll start doing it.
00:32:53
Blockian
Yeah, that makes sense. It does look ridiculous. From the side, I think it looks utterly stupid. But if it works, it works, you know?
00:33:04
riptide
That's true. It's true.
00:33:07
Blockian
I think that the Vision was a gift to yourself once you found the LayerZero bug, right?
00:33:07
riptide
ah
00:33:11
Blockian
No, the B. Oh, it was a different one, right? Yeah.
00:33:14
riptide
That's true.
00:33:15
Blockian
For motivation, then, each of us has a list of what we're going to buy for ourselves if we find a bug in something that we're researching. That was the one.
00:33:25
riptide
So what's what's on the list? What's number one?
00:33:29
Blockian
I think it's evolving. It's not big things. Currently, I want to have a subscription for just a game. It's not very expensive. I can afford it. But when I tell myself, ah, when you find the next bug, then you can subscribe.

Using AI in Bug Hunting

00:33:45
Blockian
It gives me motivation.
00:33:47
riptide
That's true. I mean, money is a motivator. That's why I got into this space.
00:33:52
Blockian
Yeah. Yeah.
00:33:54
riptide
So you guys have on your profile number 39 on Immunefi all time. That's more than just those two bugs, right?
00:34:03
Blockian
Yeah, we just, like, we're super bad at writing blog posts and we always forget to write them. Yeah, we have a long list of stuff we want to write. Yeah, we're just a bit lazy.
00:34:16
Blockian
no not
00:34:17
riptide
And that's it. Everything's on the down low.
00:34:20
Blockian
Yeah, but it's also not that it's on the down low, we want to write the bugs, but imagine you have some limited amount of time and you tell yourself, okay, what do I do with the time? Will I research or will I write a blog post? Of course, I will research. So we never get to writing the blog post, because we feel like our time would be better spent on research. So it's hard to do other stuff.
00:34:47
riptide
No, I hear you. Yeah. You got to look at the upside, just for an experiment. You could throw the POC into Claude and just say, hey, write me a bug report, or do a write-up. And it may not be a hundred percent accurate, but if you're looking to put some content out there, that could work.
00:35:07
Blockian
I think we're going to give it a try. I tried it, actually. I tried it. I took one of my bugs and I gave it to ChatGPT, and he just uttered complete nonsense and butchered the entire bug and stuff, and he did not understand anything.
00:35:24
Blockian
It takes a boring bug and, oh, there's no nonReentrant here. Yeah, so it did not work at all.
00:35:35
riptide
Yeah, no, it's hit or miss. I know. All right, so I have this alpha drop section. I hope you guys are fucking prepared. The alpha drop: a bug tip that I like to throw out there. So I'll do mine first. I was thinking about this, this morning, as I unsuccessfully was looking for bugs, as is always the case.
00:35:59
riptide
But it reminded me of a bug that I submitted a while back, and that is to think outside the contracts. So like what you guys do, you look holistically at it and you think about the back end. This was a bug where it had an agent on the back end, just whatever, Rust or a cron job, whatever it was. But it was like an ID, and I could set that ID just to max uint, and that was able to crash the back end. I think it was Rust. It crashed the back end, which made the protocol not work. And it was like this
00:36:43
riptide
stupid thing, you know, you look at the contract and think, this is dumb, but these are things that devs just may not have thought about. Maybe you do all the tests in Solidity and everything checks out, but then when you think about how those interact with the backend, they might not have done all those kind of, you know, whole-system tests that integrate everything. So that's my alpha drop. What do you got?
00:37:08
Blockian
So I think I have one, maybe ControlZ will have another one as well. So for me, it's that you have to have some sense or measurement of progress, because, both mentally, the brain needs some sense of success, and you're going to go a while before you find something. And so you have to have some sense of progress, and also to prevent being stuck. I mean, it's easy to be stuck in a loop when researching something, to read all the functions and then just read them again, and nothing will happen. So it could be artificial. You can't measure how close you are to finding a bug. But you have to have something just for the dopamine and the progress. For me, it's that I keep a to-do and questions list that just keeps growing. And I just check things off that list, even small things. Everything that I need to do with the research I'm doing at the moment goes on that list.
00:38:04
Blockian
And so I can feel myself, I can see the list growing, I get the dopamine, and also I learn more about the project as I go. And I think it made the biggest difference from when I was just researching and documenting what I was seeing.
00:38:20
riptide
Very nice.
00:38:24
Blockian
I think my alpha drop is to try to monitor
00:38:35
Blockian
bugs that are happening right now and bug fixes in code, and monitor the fixes of those bugs, because lots of times someone submits a bug and gets paid, and as a bounty hunter you won't necessarily look at the fix of it. You will get paid, you will be happy and you will continue with your life.
00:39:00
Blockian
Which was my mistake. A couple of times I submitted a bug, I did not check the bug fix, and then a couple of months later I saw that someone else found a bug in the exact place where they fixed the vulnerability that I told them about. I just did not check what they did afterwards. So I learned from that that it's a good idea to always check the fixes to your bugs and check fixes to other people's bugs.
00:39:29
Blockian
Monitor what's getting fixed and how it's getting fixed. And if you can squeeze out some low-hanging fruits easily, that could be nice.

Unpredictability and Staying Updated

00:39:45
riptide
That is a good tip. I think I've only checked maybe a couple of bugs, like checked the fixes from bugs that I've submitted. But that is really good, because I've seen write-ups where they've opened up a whole new can of worms.
00:39:59
Blockian
Yeah, exactly. That's what happened to me. Yeah, I think we've had a contest that we participated in where we looked at all bug fixes that the project had in the past.
00:40:10
Blockian
And we found bypasses for like 50% of the bugs that they had fixed.
00:40:15
riptide
Oh, very nice.
00:40:16
Blockian
Yeah.
00:40:16
riptide
You know, the projects are very clandestine when they put a fix out there. They put it on GitHub and it's hard to dig in there and find it, obviously, and I know why, you know, especially if you have live code out there, you don't want anyone to know.
00:40:31
riptide
But they're very sneaky about it. You rarely see "big, big fucking security bug right here, we're fixing it." Like, you never ever see that, actually.
00:40:42
riptide
It's like, oh, just humble fixes, just humbly fixing some code here. Pay no mind to these sneaky devs.
00:40:50
Blockian
Yeah, trying to hide it between other commits. Yeah, but there is some heuristic that you can use to help your chances of finding those fixes.
00:41:01
riptide
Tell us.
00:41:01
Blockian
And, yeah, that's the secret.
00:41:03
riptide
Tell us. Spill the beans.
00:41:06
Blockian
No, I mean, for example, something that I'm trying to do, it is not proven, like, it actually proved a bit interesting, is that I monitor the Immunefi leaderboard.
00:41:23
Blockian
And anytime I see a big enough movement in the leaderboard, I see a change in someone's place and I can see by how much their place changed.
00:41:37
Blockian
For example, there's this researcher and he currently has like 50K that he had up until now, and then something changes and he has like 150K.
00:41:49
Blockian
So I know that he made 100K, probably from a bounty, and I can look at projects that offer 100K and maybe find where he found the bug.
00:42:00
Blockian
Yeah, and then, like,
00:42:01
riptide
Hmm, that's really going deep.
00:42:04
Blockian
That worked for me once, but that's an idea.
00:42:11
riptide
I think no idea is too far out there for bounty hunting. I think very strange ideas could lead you to strange places, and it just may be the right place, right time.
00:42:20
Blockian
Yeah, I think the last bounty we had, we found it because someone tweeted the project they were researching. They didn't specify what project it was, but they left enough hints that we found that project.
00:42:38
Blockian
And that's how we got into the project. And we had motivation because it felt like a competition. And then we found it.
00:42:47
riptide
Hmm. Can you give anyone details about Celestia?
00:42:55
Blockian
Hello, Celestia.
00:42:56
riptide
Yeah.
00:42:56
Blockian
You want to look at our tweet?
00:42:59
riptide
That's all I'm looking at. Does anyone have a connection to Celestia?
00:43:01
Blockian
that
00:43:02
riptide
You do what I'm doing. Just post it out there and see if you can connect with the devs.

Career Paths and Future Plans

00:43:08
Blockian
Oh, you've done that as well?
00:43:10
riptide
I do it a lot and it always works great.
00:43:13
Blockian
It works great for you, really. Nice. For us, it didn't work.
00:43:16
riptide
What, you guys, you need more followers.
00:43:16
Blockian
We don't have a part of each.
00:43:18
riptide
Yeah, you only have 500.
00:43:21
Blockian
Yeah, we need to have...
00:43:22
riptide
Hopefully everyone follows you guys and you can easily get it.
00:43:22
Blockian
um
00:43:25
riptide
I mean, you know, you could reach out to me. I have some back channels with a bunch of people that I know. So in the future, you know, if you want to connect with anybody, just shoot me a message.
00:43:36
Blockian
So we still haven't managed to get a hold of Celestia.
00:43:40
riptide
Okay. So it's still valid.
00:43:43
Blockian
It's still a connection that we need. Yeah, definitely.
00:43:45
riptide
Okay. Cool. I'll connect you on my Telegram and we'll try to hook you up with those guys.
00:43:52
Blockian
Nice.
00:43:53
riptide
Cool. What?
00:43:54
Blockian
Something already came up with this.
00:43:54
riptide
So yeah.
00:43:56
Blockian
that
00:43:58
riptide
So what would you say is the longest you've gone with no bugs, nothing? You haven't found shit.
00:44:07
Blockian
I think we've had a while, because it was always a part-time thing for us. We've had times when we didn't even put in the time. So it's a bit hard to tell. Maybe a couple of months. Do you have anything? Yeah, I'm also not sure. I'm sure it's more than a single month. It's a couple of months, probably. But as Pwnmanship said, it's hard to quantify, because we haven't been doing it full-time. It was a part-time thing. So did we not research enough, or did we just research something that is not good? It's hard to tell what was the reason for us not finding bugs in those months. Yeah, and I think it was also less memorable because it wasn't that important, because we both had jobs. And so we didn't feel the sense of urgency of
00:45:02
Blockian
earning something to put bread on the table. Maybe now that we've gone full-time, we will answer this question in a year. I'll tell you.
00:45:12
riptide
And so this is interesting, it takes me on the thought of a career path for a bug hunter, because I'm seeing your profile where you also take audits. What's your plan for this business? Where do you see your guys' future going? Do you just want to stay bug hunting? You want to do audits? You want to be a full web3 security solution? Tell me your plans.
00:45:37
Blockian
So I think, as we said in the beginning, the bug bounties are the most fun part. This is what we were doing mostly in the last two years. But now that we transitioned to full-time, we also want to do more audits and more competitions to have a steady paycheck as well.
00:45:56
Blockian
Because now we are interested in having a money flow on a somewhat regular basis, and you can't guarantee it with bug bounties, because, let's be realistic, it's highly probable that we'll have a long time without finding anything, and this is the job. So our current plan is to really start shifting our time to be not 100% bug bounties, more like 50% bug bounties, 50% competitions and audits, and work from there. And I think we don't have five-years-ahead plans, we have
00:46:41
Blockian
current-year-ahead plans, and this is our current plan. We'll see where it takes us in the future, and maybe we'll evolve into a bigger web3 solutions company or stuff like that, and maybe we'll stay in the audits and research space exclusively. Who knows, the future will tell. Yeah, this is our time to figure it out.
00:47:08
riptide
Yeah, definitely. It's interesting, you're using bug bounties as kind of leverage to get your name out there and then build on top

Partnership Dynamics and Advice for Newcomers

00:47:17
riptide
of that. I got to say it's a slippery slope. You're talking about 50% audits and competitions, but then you're going to see that money roll in and then you're going to say, ah, you know, fuck these bug bounties. They don't pay as well.
00:47:32
Blockian
Yeah, we're trying to keep track of our time in a way that is visual and reminds us that we have to split it between everything that we want to get done. But maybe we'll find out that you're right, and it's a slope that we've fallen into, just like when ControlZ is snowboarding.
00:47:53
Blockian
yeah
00:47:54
riptide
So do you guys split everything 50-50? Like, one guy finds a bug, the other doesn't. Do the profits go straight down the middle?
00:48:02
Blockian
Yeah, straight down the middle. I think it gives us a lot of the freedom to take risks and to try and research projects that maybe seem secure. And so one of us can do something that has higher chances of a reward, but a lower one, and the other one can take more risks. So if we didn't split it halfway, we'd change the dynamic and everything would be different. And we like the way that it is right now.
00:48:31
riptide
Yeah, you must trust each other very well and know each other very well to make that kind of deal.
00:48:37
Blockian
Because even if one of us finds a bug and the other one didn't put anything into that specific research, whatever he was doing at that time or beforehand allowed the other one to research what he was researching. Everything is built on top of each other.
00:48:52
riptide
So what if you guys tomorrow crack some crazy bug in LayerZero and you get that massive, what is it, $12 million bounty? Does that change anything?
00:49:02
Blockian
50-50, and we both buy a building.
00:49:09
riptide
Very cool, man. Is there anything else you guys would like to share? Because I get a lot of feedback on this podcast from a bunch of guys that seem to be brand new in the field, and I get, you know, guys that are just interested in it. Any of the new guys out there, because this is a hard, hard field to kind of stay in for the long game, because you don't find shit for a long time and it's very demoralizing. So I like what you said about just kind of keeping your progress and tracking yourself on that. Anything else either of you would like to add for guys that are just getting started, maybe they just found a bug or haven't found their first bug?
00:49:53
Blockian
I think if someone already found his first bug, the feeling is super addictive, so it would be easier to go on from there, but before finding your first bug, I think it's the hardest part. So you need this first success, like, as Pwnmanship said, the dopamine rush to get you to push forward. And so I think
00:50:22
Blockian
a good approach can be to have at least small wins in the beginning, like even getting a small amount paid, maybe start from competitions or stuff. It depends really on your personality, what your background is, what you prefer.
00:50:39
Blockian
But it's important to have those first wins, because after you have those... when I say wins, it's not necessarily placing first in a competition, it's having this success feeling, like finding something and getting even 10 bucks out of it, having this sort of feeling that you can get something out of it, and it helps push you forward. So.
00:51:10
Blockian
I think this is pretty important and can help motivate beginners and people who are studying in the space to keep going. I think another thing that I've shared with someone in the past week, and I think it's true not only for security research, but probably for everything that you're trying to get done: if you're feeling stuck with something that you're doing, then just learn something that is related to it. It doesn't have to be directly related. It doesn't have to be the exact thing that you're researching right now. But just take a break and learn something, anything. And I think for me, it helped a lot in the past, either to open my mind to other things or to give me the push that I needed with that specific thing that I was trying to get done, not just with research, but generally.
00:51:58
riptide
All right, man, very good tips. Thank you. Guys, I think we're going to wrap it up here. If you guys want to stay on for a second, I just want to chat after I stop recording, if that's cool.
00:52:07
Blockian
Yeah, sounds cool.
00:52:09
riptide
All right. All right, guys, thank you for coming. And that ends this episode. See you next time on Bounty Hunters.