Become a Creator today!Start creating today - Share your story with the world!
Start for free
00:00:00
00:00:01
Episode 3 - zachobront
369 Plays2 months ago
riptide & zachobront discuss how a humble book salesman started dominating audit contests to raking in $300k from Chainlink on a critical bug find! Also we explored how to expand your neural pathways to find new bugs, plus a deep dive ALPHA DROP on finding bugs in Optimism forks including the exact Go files to start looking at in Geth, making money leveraging your bug hunt knowledge to getting paid out in contests ... and much, much, much, much, more.
Recommended
Transcript
Welcome and Guest Introduction
00:00:08
riptide
Welcome back to Bounty Hunters. It's a killer intro.
00:00:12
zach
the
00:00:12
riptide
I'm here with Zach O'Brant, the legend. Hello, sir.
00:00:18
zach
Very mysterious. I love those. I feel like I'm in a movie trailer.
00:00:20
riptide
ah We do whatever the fuck we want on this.
00:00:22
zach
Yeah.
00:00:22
riptide
Yeah.
Independent Spirit of Bounty Hunters
00:00:23
riptide
That's how so we do it on Bounty Hunters. We have zero sponsors, by the way. Maybe we don't want them.
00:00:29
zach
yes Yeah. Yeah. They're coming.
Zach's Project and Coding Frustrations
00:00:33
riptide
You know, I was actually, uh, I'm actually working on, um, my first project where I'm, I'm actually trying to develop something and I'm actually seeing the frustrations with writing solidity that now I know like why devs did the weird shit because I'm doing the same kind of stuff.
00:00:43
zach
Okay. Yeah.
00:00:49
riptide
And I'm like, Oh, stack too deep. Oh, okay. This, this is annoying.
00:00:53
zach
isn't it a mindful i am
00:00:54
riptide
It's a, it's a pain, dude.
00:00:56
zach
I used to do a little bit of dead stuff before security and then went back to doing a little bit recently. And I'm like, oh, well now I know everything about security. Like now I'm going to crush it with this. Still fucking riddled with bugs. I'm like, I, there's just too brave. There's two different people in my head and one of them to do security. One of them can write code. and there's no ah There's no overlap.
00:01:13
riptide
Yeah, dude, I was going to ask you about that. Cause, um, like right now you're, you're so deep with, I mean, optimism for whatever reason, you're, you're kind of melted in with these guys, right?
00:01:23
zach
It's kind of just worked it out that way. Yeah. Not really intentionally, but yeah.
00:01:25
riptide
But I mean, you're, you did something with OP p succinct, uh, which I looked at it briefly, but it was like a very, it seemed pretty simple for, uh, for anyone that wants to participate, but did you code up that, uh, the output Oracle was at you or no?
00:01:41
zach
Oh yeah. I mean, the upper work was a ah minor piece of it. That's just basically changing optimism's on chain stuff to verify a ZK proof. The hard part is, now how do you have a ZK proof?
00:01:49
riptide
Hmm.
00:01:51
zach
So that was most of my summer last year was I took three months off from security and did the the version one of that of basically getting it so that optimism blocks could be fully ZK verified on L1.
00:01:52
riptide
Yeah.
00:02:04
zach
And then I was kind of thinking of this as like, oh, this is like a little proof of concept. Look, we can do this. This thing's really cool. It's magical. I don't even know ZK and I can do this in three months. And they took it and ran with it and made it a thousand times better.
00:02:15
zach
And now they're actually running like live production on chains. sos Yeah, and it went farther than I expected it first.
Career Transition to AI and Coding
00:02:22
riptide
that's That's so, so your background, let's, let's go over your background quickly. So you were, as far as I know, you were a book publisher.
00:02:31
riptide
You were running this business about books and now you're neck deep in code. What's, give me some, some, uh, tell me how it works.
00:02:31
zach
Correct.
00:02:37
zach
Yeah, it was a weird transition. So I i started i started the publishing company. I was i was like maybe 23 or 24 when I started it. And so I hadn't really done anything else before and played around with some small things and had some jobs I didn't like, but like kind of just like immediately it took off. And so didn't really like have the thoughtful weirdo I want to spend time. It was just like, holy crap, I'm running a thing that's fun and it's growing quickly and evolving on that. And so grew that from then for the next six, seven years to doing, I think we were doing
00:03:16
zach
yeah We did well over 1,000 books. We were doing like hundreds of books a year. Had done some cool ones. We did David Goggins, Can't Hurt Me. We did some books with The Scene to Lab. Tiffany had it. It's just like a fun line of authors. And company was like over 100 people. And I was getting very bored. I do very well when a company is 0 to 10 people. And then 10 to 30, I was like, I can make this work. I can learn some process. And by the time it's 100, it's like, I don't know. I had this frustration of, oh, it's not feeling as fun.
00:03:48
zach
And then realized it's like, I don't want the company to become more like me. It's running the way a hundred person company is supposed to. I just, I don't fit with that.
00:03:52
riptide
Mm.
00:03:54
zach
So went to my, my co-founder and was like, Hey, here's what I need to do. I need to take a year to go deep on AI stuff. I'm going to learn at this was like 20 end of 2019.
00:04:05
zach
I think it was like GPT two era. And I was like, LMS are kind of crazy. I need to go deep and understand AI stuff. I'll come back in a year and I'll build some cool AI publishing things.
00:04:15
zach
And he's like, All right. That sounds, sounds like a good idea.
Discovery of Blockchain
00:04:18
zach
So when like this, I have totally non-technical at this point. So it was like starting to learn to code very, very basics.
00:04:24
riptide
This is 2019 you said.
00:04:25
zach
Uh, uh, what was it? It was, yeah, I think end of 2019. No, you know what? It was ended 2020.
00:04:33
riptide
Okay.
00:04:33
zach
Um, so, so the year off I was taking it as an end of 2020 to end of 2021 halfway through the year, I was like, ah, the problem is AI is also kind of boring. I like love the coding stuff so much, and now I find AI stuff a lot more interesting. At the time, my basic thought was like, that what you can do with AI is amazing, but the work of AI, at that point especially, was very it's very data heavy, and I'm gonna run an experiment and wait, and I need fast feedback loops. So I found it kind of like unsatisfying, and I was like, okay, here's what I'll do. i've I've got some months left. Let me play around with some other areas I'm interested in before I have to go back to real work.
00:05:12
zach
And one of those was like, oh, I'll check out some blockchain stuff. And literally one day of it. And I was like, found the answer. This is perfect. I don't know why. Just like something about something about it just like clicked. And I was like, oh, this is the kind of like technical workout.
00:05:28
riptide
And what was it? Was it you looking at a contract or?
00:05:29
zach
it's It's hard to explain exactly. Yeah, it's something about it being like like simple simple code for cool output. with all kinds of interesting nuances and like different use cases I hadn't considered and that like fast feedback loop.
00:05:46
zach
It's like you make something and it works in a predictable way and it can plug into other things that exist. You've got that, I mean that was like DeFi era. So it's like all the like building block money Lego things can fit together.
00:05:54
riptide
That was DeFi summer.
00:05:55
riptide
Yeah.
00:05:56
zach
Yeah, and so i was I was kind of in this like, yeah, just like this feels like magic what powerful things can be done simply.
00:06:04
zach
And the entire EVM is simple enough that I can like get down to the metal of understanding it instead of an abstraction atop an abstraction. So I started playing with that. And the plan was I still was in entrepreneur brain. I'm like um going back to the company. Now I've had a bunch of ideas for like blockchain publishing things and actually like went pretty far down the road with one of them. And at the last minute, it was just like, I'm having so much fun. Why the hell am I stopping doing this? like The company was doing very well. I had dividends coming in. i'm like
00:06:39
zach
I don't need any of this, i I can just keep doing this thing that I'm having the best year ever do it. So that that was kind of like the entry to blockchain stuff, was like, okay, I told the team I'm not coming back, I'm just gonna mess around with this and see where it goes, I'm not gonna try to start a company, I just wanna learn, and learning turns into reading code, turns into security, and got addicted, and here I am.
Entering Blockchain Contests and Bug Bounties
00:07:01
riptide
That was it. let So let me, let me gauge your, your, uh, IQ here.
00:07:02
zach
That was it.
00:07:05
riptide
So are you, are you the kind of guy that digs into the yellow paper and understands it, or do you need to read someone, uh, someone's work to interpret that for you? I'm, I'm guy number two.
00:07:16
riptide
Who are you?
00:07:18
zach
Yeah, here's a weird theory of family. I think part of that is is like, I guess IQ, but part of that is like fluency with the language of math.
00:07:31
zach
And not even math, like in the real like like number sense, but math in the like mathematical notation sense.
00:07:31
riptide
true true okay ah now that's a good take on it yeah it's true it's it i think that's that's what turns me off i think it turns a lot of people off and that's that's like i mean look at
00:07:37
zach
And so like, I read that and my eyes glaze over. But if I stop and try to be both people, and I'm like, oh, first I'll be the translator. Then I'll be the guy reading the translator. I can do both of those. So like I get there, but I gotta be really slow, because that the language doesn't come naturally to me. I haven't spent enough time in formal math stuff.
00:07:59
zach
Totally does. Reading some of these old AI papers, I remember facing this thing where it was like, there's this crazy formula that I'm like, what the fuck is going on with this? like And you know your your eyes, you want to just put eyes and eyes over and move on to the next thing.
00:08:11
riptide
Yep.
00:08:12
riptide
Automatically.
00:08:12
zach
and then i'm like
00:08:13
zach
Well, wait, what is this actually saying? Broke it down, whatever.
00:08:15
riptide
One plus two.
00:08:16
zach
And if you if you rewrite it in code, it's just like a double-mested for loop doing like a basic addition thing on the inside. like You would write it in code and be like, this is nothing, but you turn it into math and they have the benefit that it's one line, but the negative is, no it's incomprehensible to anyone who's not used to it.
00:08:22
riptide
No shit.
00:08:31
riptide
Yeah. These guys use that to raise money. I swear to God. its just Let me fuck with people.
00:08:35
zach
It's a part of it, for sure. Or to impress other professors, whatever their whatever their status game is, they'd use it for that.
00:08:41
riptide
Oh shit. And, and, uh, all right. So when you, you kicked off your, your blockchain career, were you doing defy, were you trading, or did you just say, did you just jump into audits or bug hunting?
00:08:50
zach
No, dude, I was, I was in the, yeah, I was in the like, holy crap. I am. I mean, when you're running a company so much as money-based. And so I was just like in heaven being able to be like, I'm earning zero. And I'm just doing whatever is most interesting those days. And I'm very lucky to have been in that position for a while. So that was like, by the time I was was done, I was like early 20. You know, when I got my years off again.
00:09:18
zach
That was 29, everything was a year earlier than I thought. So that so this was like early 2021, I was getting into all that. And was like, when I left and
Approach to Hacking Contests
00:09:30
zach
I'm like, okay, I'm just gonna explore. And somewhere towards the beginning of that year, a friend of mine was like, hey, if you've seen code radio. Security wasn't on my mind at all. you know i'm like I was just trying to be like, what's a purple tree? I'm gonna build one for myself. Look, this is fun.
00:09:45
zach
And so he was like, oh, you check it out. And so there was some contest going on. I was like, cool, I can spend a day on that. It's an excuse to read code and think about things, sure. And I think I found one not that doofed medium. I was like, huh, this paid me. That's kind of cool. The money was not very significant, but I'm like, that's kind of funny. These are professional debts. I'm just learning this stuff. What am I doing finding things? And so kind of got hooked and then went on a cold streak.
00:10:14
zach
I can give analysis on it actually, because I spent, I basically got serious about it in August of that year, or maybe July of that year. And July and August got zero dollar payouts from basically everything I did.
00:10:25
zach
I couldn't even find one worth it.
00:10:26
riptide
Mm hmm.
00:10:27
zach
Maybe I'm exaggerating a little bit, close to that. And now looking back, my bar for how fast I should go it was so high. I was doing a contest and being like, cool, it's like 2,000 lines of code.
00:10:39
zach
like I can read 2,000 lines in a day. but And like that was kind of like what I was thinking. And my bar for what a bug was was so high. I was treating it kind of like I was looking for bouncy crits and nothing else.
00:10:51
zach
And so they'd announce the results, and I'd be like, oh, I noticed to half that stuff, but like I didn't think that was a bug. I just thought that was like a quirk.
00:10:58
riptide
Right, right.
00:11:00
zach
And so yeah, basically at the end of August of that year, I was like, OK, either I'm going to move on to like the next interesting thing for me to puzzle through and learn, or like I'm going to take this seriously and and kind of just had this feeling of like, my brain is meant to be good at this and I'm not doing well.
00:11:16
zach
And I, if I want to quit, I'll quit later once I'm good at it. I'm not going to quit before I prove it to myself. So just decided to take it really seriously. And by that point, it started to happen pretty quick. I was, I like did very well through that September, or October, November, December.
00:11:28
zach
and And by that point, I would consider myself like happy being pretty good at this.
00:11:32
riptide
So you cut, you cut the chops on, on contests. That was your thing.
00:11:36
zach
Yes, totally.
00:11:36
riptide
And then, and then you did private audits and then bug hunting.
00:11:39
zach
Not for a while. i So like that yeah that fall that was when Sherlock launched bounties and or launch contest and basically just did every Sherlock contest for that whole fall. And then towards the end of that period, I've been chatting with trust a little bit and he had an idea for a bug that he Like was just kind of like a little vague at that point, but was like something could be here and I was like, let me chase this down through. Let's see if we can figure it out. And we found like a a pretty substantial crit. I think it's, I think, what yeah, it was a like a critical and chain link VRF. That was like multi six figures are pretty substantial.
00:12:17
zach
And so I was like, oh, but bounties work too. I'm going to spend next year focusing all on bounties and proceeded to spend zero days focusing on bounties the whole year because just there's something about the immediacy of like the contest is happening, a private audit comes in, whatever.
00:12:32
zach
So that's kind of been my pattern for the past many years is like try to squeeze in bounty stuff here and there. It seems to be the best expected value of anything I do. And yet I never make time for it. So that's, that's where I am today.
00:12:42
riptide
Really?
00:12:43
zach
Yeah.
00:12:43
riptide
it's That's interesting. and Because i mean you you had a successful business, you're not ah you're not the guy in the basement you you know trying to like needing needing to stack some cash, but it's more it seems like to me it's more because it interests you, it challenges you.
00:12:57
zach
Yeah, and but there also is, because I do find i actually find the bounty work more fun and and more interesting to be like less writing of reports, more going at the pace that feels natural. So I know there's something kind of messed up in my psychology that I don't do it more and I think it's mostly just like every single thing that comes up sounds so interesting, that it's hard.
00:13:20
zach
It takes saying no so many times to be left in a spot where I can do
Love for Problem-Solving and Security
00:13:24
zach
bad things. And that ah at some point, something goes over that threshold where I say yes all the time.
00:13:25
riptide
Yeah.
00:13:29
zach
So it's like, I'm lucky to have a lot of cool opportunities, but I'm trying this year and have succeeded a little bit so far at blocking off weeks to really, really just say like, I'm not booking anything no matter what it comes up.
00:13:42
riptide
that's That's cool. that's ah It's interesting hearing.
00:13:44
zach
But yeah, i will I will say actually like the contest thing, I push it pretty hard on people when they're starting. I know other people have different opinions, but that feedback loop of like, I'm going to give this my 100% effort.
00:13:57
zach
I'm going to get paid if it works so I can take it seriously like it's a job, but then I'm going to get the answer sheet of all the things I missed at the end is like that doesn't exist anywhere else where you can like like either something is pretend and you get an answer sheet after and you learn or it's real and you never know what you missed. There's something magic in contests of like this and there's a community around it everything there's just something about it that i feel like is like optimized or fast learning if you're the type of person who can like really learn from your mistakes and so i yeah i like i don't think i would have been able to like get up to speed with this stuff quickly if it wasn't for that environment where it was just like every week i'm getting a report of like hey that thing you did last week you sucked and like here's all the things that you would have done to not suck at it
00:14:38
riptide
Yeah. Yeah. The feedback loop. What I didn't like about doing my one contest, but it never really appealed to me because I looked at it like, okay, there's probably some bugs here. I could probably find something, but I didn't feel that anything was on the line because usually it's launched when, you know, before they go live.
00:14:55
riptide
And I just thought like, so what, man, people are going to find some bugs. Great. Who cares? Because I want to see money just waiting to be stolen for whatever.
00:15:03
riptide
That was my weird kind of like, that's why I like doing the bounties.
00:15:03
zach
Yeah, I feel like
00:15:08
zach
Yeah, I imagine, I mean, I've had like little taste of that and there's an addictiveness to it that I don't think can really be, I don't know if you can go back once we got a lot of that. I will say with functions that kind of shift, once you find a few unique highs in contests and you're like, ah, this was the last, this was like the final exam, like this thing was going live next week, this thing, I didn't find it, but it's not the same as like codes, like funds are vulnerable right now, I need to like adrenaline filled, email them and figure the hell out what's going on and try and help
00:15:37
riptide
Yeah, yeah. And I don't know if we could talk about this, but this was as a different style. like I think you, like I always think I have a different style than other guys because for me to sit on ah two weeks on a contest is fucking hard, right? To just sit on that and just go through every single every single thing and and really dive deep. Occasionally I do that on some projects that really reel me in. But for the most part, I'm all over the chain.
00:16:05
riptide
And this is how I found the one in, uh, what's the betting one, um, poly market, poly market.
00:16:10
zach
Polymarket.
00:16:12
riptide
And we talked briefly and you were like, you told me you went so deep on this thing.
00:16:13
zach
Yeah.
00:16:16
riptide
Like you're, you're down in the bike code and the bug.
00:16:20
zach
Well, what's crazy is I, I got, I only had, so this was one of my examples last year of like, okay, I'm gonna block a week and I'm gonna keep it rock solid. I got so addicted to the first contract I looked at that I never looked at the rest of the protocol for the whole week.
00:16:32
zach
It was like 300 lines of code. I couldn't stop and I was dreaming about it. Man, that thing messed me up.
00:16:37
riptide
Oh yeah.
00:16:38
zach
I yeah, but. For sure. that didn event of like Maybe that case it would have benefited to go a little faster maybe, but maybe not.
00:16:45
riptide
Well, well, that was, that was one of the things that I, I think I was talking to a hundred proof where I was saying, I think he was saying you, there's no reason or maybe it was, maybe it was dead, dead roses, but he was saying, there's no reason to view the storage of a contract.
00:16:57
riptide
And I said, you could test all you want, but you don't know how they're going to integrate this.
00:17:00
zach
Yeah, totally.
00:17:01
riptide
And it this was, this was one of their integrations and they still haven't fixed or disclosed it, but so I won't say it, but it was an integration. And, uh, so just, it just goes to show you, like, you'll never, you never know where you're going to find these fucking things.
00:17:14
riptide
But, uh,
00:17:14
zach
Totally.
00:17:15
riptide
That was cool. Like your technique, you know, took you down the rabbit hole in the wrong rabbit hole. And my technique was able to to work it, but then vice versa on the next book, you know.
00:17:20
zach
Right. Totally, totally. And i' I'm for sure more of the case of like, i if I looked at like the amount the bugs I found over time over the course of spending weeks focused on one thing, there's like a little spike at the beginning and then there's a spike at the
Security and Bug Hunting Strategies
00:17:43
zach
end. And in contests,
00:17:44
zach
The spike at the end is worth it because those are the uniques that no one else is finding. When I'm two weeks into something and I've got my head fully around it, whatever. But there's also like a revenue model that's like, if I just do all the spikes at the beginning, that's going to add up a lot too.
00:17:59
riptide
Yeah.
00:17:59
zach
So I think it like it depends where you're focused. But I definitely, my enjoyment is most when it's like, I'm going to pick one thing and go at it for like three or four weeks and know every detail more than the devs know it and like see if I can, yeah.
00:18:11
riptide
more than the devs. What do you think that is? Like, so what's interesting is we always talk about LLMs on the podcast and and I'm thinking about like when we look at a contract and then we don't see anything and then we look at again, we you keep looking at it and then something comes to mind where you think of a creative flow or something totally different.
00:18:32
riptide
And then it just comes to you and all, we joke about it on X, you know, just stare at the screen long enough, you'll find the bugs.
00:18:38
zach
Yeah.
00:18:38
riptide
But with LLMs too, like you put the same contract into five different LLMs, you get different answers and different kinds of thought processes. But like, is that all it takes? You just stare at it long enough and, and eventually it comes to you or you think there's something else.
00:18:53
zach
Yeah, it is a weird thing because it's like, once you see that, you're like, this is obvious, wait, it took me that long to come to this, like, come on, this is staring right at me.
00:18:59
riptide
Mm-hmm.
00:19:03
zach
I don't know, I imagine it's different for different people. My experience of that is like, once there's like first pass of like the ideas that come to mind that feel kind of like pattern of recognition.
00:19:14
zach
You know, like you see something and you're like, what if this, what if that, I don't actually know yet. Or like, this isn't right in every situation, but who knows if that matters. And those feel kind of like trainable. The the like later, deeper stuff is like, okay, I've got this whole system model in my head. I know how every single piece should interact. And in what cases would it not? And usually if it's a big enough system. like You can't hold all of it in your head at the same time. And so there's some quirk there of saying, like if i if I hold on to some idea of something that's off and then
00:19:50
zach
walk around this mental area while holding that and saying, what could this misbehave with? That's the kind of thing where once it's obvious, it's like, oh, these two things fit together. Of course they do. But it takes this going over things with your brain in different states in order to end up finding puzzle pieces that fit together, if that makes sense.
00:20:10
riptide
And and how do you how do you do that? Are you a whiteboard guy? Do you talk with other guys at a team?
00:20:13
zach
Yeah, I don't. I mostly,
00:20:20
zach
Yeah, I really like, a it's it's weird because it depends on um like where I think the project has risks, if that makes sense. like I'll give you an example. I was just doing the story protocol contest, or I just did the salinity half of it. I didn't have time for the rest. But on the salinity half, they have a lot of different contracts that are interacting, like jump, jump, jump, jump, jump, jump, jump jump back and forth, doing validations in different places. And so in that kind of context, it's like, where is somebody who's building a code base like that screwing up. Probably what's happening is like it's unlikely that they're seeing the state of everything holistically at every moment. Because it's like they're jumping here, checking something, changing something here, whatever. And so my my mindset through that was a lot of like, let's treat the entire protocol as one contract in my head and map out what's all the storage of the entire contract. And then literally like whiteboard or sometimes even like Google Sheets, just messiness go through saying like this one entry point,
00:21:18
zach
What is it doing if I think of all of this as one contract? And once I see that, it's like, oh, well, wait a minute. This thing that's setting something is touching in this way. This thing that's reading it is touching in this other way. Maybe they don't totally line up or whatever else. So in some cases, it's kind of like rethinking everything as a state machine and trying to get my head around like where does that bigger state machine misbehave. And then other times, I find myself trying to like think from the perspective of, like What are the things that could go wrong? And can I definitively prove to myself that they're not possible? And this is what got me on the Polymarket thing. man it is like i I got down this thread where I was like, if this fact is true, it is steal every dollar in the protocol with one click. And I can't prove to myself that this thing isn't true. And so I was just trying to get myself to leave it alone for the whole week. But yeah, I kind of like that app avenue of being like,
00:22:16
zach
Okay, if, if you were able to steal money here why it's because you would have to have this back be true and to make that factor you'd have to do this and kind of like work back to a say like okay I know that that's like an impenetrable fortress, at least for that line of thought.
00:22:30
zach
So yeah, I think it kind of depends on the context. I think it's like so much of this stuff is personal. And it's just like, if I'm engaging with this thing as a as like some kind of state machine that I want to behave in a certain way, like where do where does it feel off?
00:22:42
zach
And where do I feel like I need to push or prod? Or that it doesn't feel tight in the way that it should? I don't know. I don't have a good answer for translates to English.
00:22:50
riptide
Do you, in no, it I know it's hard. It's hard to translate your technique because everyone's got their own method.
00:22:56
zach
Yeah.
00:22:58
riptide
Do you take it offline at all? Do you use the printer?
00:23:02
zach
I have never used the printer. I i will like move to a whiteboard and not look at my screen for long periods of time.
00:23:08
riptide
Yeah. Yeah.
00:23:10
zach
Yeah, printer is... I could see the appeal. I...
00:23:15
riptide
I haven't done it in a long time. People gave me shit because I said I did back in the day.
00:23:17
zach
That's... Yeah.
00:23:19
riptide
But honestly, that was like, that's when you're first learning and it really helps you learn.
00:23:21
zach
I...
00:23:24
riptide
I think you just look at it.
00:23:24
zach
Yeah, I can see it. I mean, like, I don't know. I used to, when I was in the book business, like editing books, There's a different kind of editing you do when you print it off and write on a page than when you go on the screen.
00:23:30
riptide
Oh, that's right. Yeah. Print it out.
00:23:34
zach
like You're missing a lot if you're trying to edit it on the screen.
00:23:35
riptide
Just like in school, right? Print it out.
00:23:37
zach
Yeah.
00:23:37
riptide
You see all the errors. That's strange how that works too.
00:23:38
zach
Totally.
00:23:40
riptide
Maybe it works with Solidity bug hunters.
00:23:40
zach
Yeah. And there's this.
00:23:42
riptide
There's a tip.
00:23:43
zach
Yeah. you And you get that impulse, right? I imagine you had this printed out where you're like, oh, I've got to reach for this page. like I know this connects to something over here.
00:23:50
riptide
Yeah.
00:23:51
zach
I don't know if that's better than jumping to the right destination in VS Code with a few buttons. But like there's something different. And I feel like, I don't know what's weird in this space. is like Different can be more important than good, because all you're looking, you're not looking for the best bug, you're looking for the best bug that no one else has found.
Thoughts on Permissioned Attacks
00:24:09
zach
And so like, if everyone's thinking the same way, it doesn't matter if that way is better, because if you're thinking the way no one else is thinking, then there's stuff that's left that only you are going to be able to find. So like, I think there's value in just doing weird stuff.
00:24:21
riptide
Yeah. Yeah. what What do you think is like the holy grail for you with with ah bug hunting? Like is it finding a whole new class of bugs or one class of bug that they could say, Hey, Oberant found this, you know, just some some strange pattern or something completely original. Like what would you say would be yours?
00:24:39
zach
Yeah, that's, the I don't know that's the stuff I've had fun. I don't know if I have a whole grill as much as like it.
00:24:47
zach
Yeah, I find, like, there have been a few times where I found a bug pattern that feels like oh this could exist in other places and I just lose interest. Like, that's, I yeah i've had a few examples of this where it's like, oh I find something this could be everywhere and it's like, I hope, I hope.
00:25:03
zach
I don't know, maybe I'll like, there's a fair kind of an open set that was like, could be vulnerable. I'm like, can you guys just tell everyone? Like, I don't, I don't need to be going through the chasing down. Like the thing that's fun is the creativity.
00:25:15
riptide
Yeah.
00:25:16
zach
So yeah, I mean, if I get a chance to do that and have big ahas and like satisfying things that are, that feel original and creative, then I'm happy.
00:25:23
riptide
Yeah. Yeah. I feel like when you're, you're deep in the code and you're thinking no one, no one's thought like I'm thinking right now.
00:25:29
riptide
There's no way I'm totally original.
00:25:29
zach
Yeah.
00:25:30
zach
Dude, I'll tell you, I'll tell you this Polymarket thing. like I'm like, should I say it?
00:25:34
riptide
It's really on you. I love it.
00:25:35
zach
Well, no, the thing, the reason it's on my mind beyond that we just talked about it is actually, you know, what I'm not going to say it because I still haven't completely convinced myself. And if I say this and then someone hacks it, I don't know.
00:25:43
riptide
Okay. No, no, keep it, keep it hidden. That's right. Somebody will dig into it.
00:25:46
zach
I'm not even saying it for me. I'm never going to find it. I, I've given up on this quest, but if I say it and then it gets hacked, I don't feel really bad.
00:25:51
riptide
Well, dude, their, their code, their code is, if, if you haven't looked at Polymarket's code out there listening, look at it. It's, it's very unique. It's interesting. And it's very good. I'd say it's a pretty tight code base, but it's a, it'll have you thinking quite a bit. Like it's a cool code base.
00:26:08
zach
yeah i'm Yeah, I'll cut it off there. But yeah, it's ah it haunts me.
00:26:13
riptide
Don't, don't look, there's no bugs there.
00:26:15
zach
It haunts me.
00:26:17
riptide
ah So real quick on your chain link bounty. So that was, I read the, I mean, you didn't even really do a writeup, dude. That's sad.
00:26:26
riptide
I saw just like ah an article.
00:26:26
zach
they they were yeah they were They wanted do to publish things in in their own way.
00:26:32
zach
I'll say that. So we did their right.
00:26:33
riptide
Yeah, and I hear you. Um, but what I, what I got from that is, so they said, uh, that, okay, Hey, this is bug. Yeah. We, we admitted and it. And it allowed a VRF subscription owner to reroll the randomness until they got whatever value they wanted, which is.
00:26:49
riptide
which is really cool, but they kind of negated that. They're like, Oh, required subscription owner, which is a role typically controlled by the team behind the DAPT using the VRF must be malicious or compromised.
00:26:59
riptide
Okay. So not saying it's not a valid bug. It is valid bug.
Security Consciousness in Web3
00:27:03
riptide
What I'm saying is, uh, this, this is kind of a vector that I think some bug hunters don't look at our permissioned attacks, uh, just because there's something that's, that's like,
00:27:11
zach
Yeah. and And I wouldn't usually, you know, it's like, because like, I feel like people do that in contests. It's like, well, Yeah, but you're trying to help this team.
00:27:22
riptide
Right.
00:27:22
zach
Sure, you shouldn't put too much on a multi, whatever, but it's like, this isn't a bug. In this case, the reason it's a bug is because we were we were like pulling ads and stuff to show them. like if You can find ads that Chainlink runs that's like, if you use a casino that uses Chainlink VRF, you don't have to trust the casino owner.
00:27:40
zach
This isn't that a protocol owner is malicious, so that protocol has a bug. This is, you're providing a service so people don't have to trust the protocol on owner, and in fact, they do have to trust the protocol owner. So that was, that's like, if you if you trusted the protocol owner, you don't need VR, I feel like.
00:27:56
zach
So you can find, you could they can inject their own randomness or whatever. I think that the purpose of it is that it's not gameable.
00:27:59
riptide
It's that's true.
00:28:02
zach
And so it was breaking the like core purpose of what this service was for. And it was specifically listed on a Unify that any manipulation of randomness, no matter what, was a critical.
00:28:13
zach
So those things made me say it's like more serious versus like I would never really look at like Hey, your own team could steal funds from your users. They're like fuck off, we're not going to.
00:28:24
riptide
No, I hear that, but I mean, on so say like validators, like staked validators, like say like um ah polygon, the original, where you had all the validators staked.
00:28:33
zach
Yeah.
00:28:33
riptide
Okay, they they have capital staked. And I don't think they're all KYC, maybe they were, but still, you had, I don't know how many millions or billions were in the bridge.
00:28:41
zach
Right.
00:28:42
riptide
But if you found an exploit where it just took a compromise validator, it's like, well, you know, capital risks and possible reward. I think that's completely valid to say that some guy would risk his a hundred you know, 500 million.
00:28:53
zach
Yeah.
00:28:56
riptide
You know, no shit, but a lot of people won't look at it. They see only validator only owner and they just, ah, you know, fuck it.
00:28:56
zach
Totally.
00:29:00
zach
Yeah, right.
00:29:01
riptide
But it it could be legit, you know?
00:29:03
zach
Yeah, yeah, it's totally the case, especially if some of these things were like, I feel like one of the trickiest things is when a protocol is audited with one set of those trust assumptions and then tries to decentralize and it's like,
00:29:16
zach
the people The people who looked at it earlier were discarding that. The new people are just looking at that change and maybe don't have their head around the whole thing as well. So I feel like there can be some mismatches when but a protocol says, like oh, we're going to make this shift.
00:29:27
zach
And it's like, you're not considering all the old bugs that were invalid and that are now all about to show up on the same day.
00:29:34
riptide
Yeah. Oh, that's good. That is good. Yeah. And and you also have different levels of like, ah think about this. So you have the, you have the contest where you'd highlight all these different bugs, y'all. Yeah. Uh, centralization of ownership, all these things. Then you'd have the bug bounty and then you have the rules with the bug bounty too. Just like you said, with chain link, this and that.
00:29:53
riptide
And then you have the third class, which is the white hat rescue, should we say.
00:29:57
zach
right
00:29:59
riptide
Well, then, I mean, then everything's on your terms, right? And there's no rules. And, you know, then you're, you're, you're walking on that gray line, but that's like, um, you know, I mean, like it or not, those are the three kinds of tiers that bugs are going to be on and how they're going to get exploited versus protected.
00:30:17
riptide
And, um, I just thought that was interesting kind of.
00:30:18
zach
Yeah, what's interesting is like in that like, in that like only validator case. It's like, on the one hand, you could argue, hey, anyone there someone could get in to be a validator.
00:30:31
zach
On the other hand, if someone just becomes a validator and steals it and rescues it, it's an interesting dynamic where it's like, I don't know i think there's you see this in in like and like traditional in cybersecurity sometimes, where there's like, there are things that you can't prove unless you do the evil deed, right?
00:30:50
riptide
Mm.
00:30:50
zach
ah And so, and like, I'm like, I'm actually pretty, again, I'm actually pretty strongly against the like white hat recipe stuff. I think I get the pull towards like normalizing it in that like, it probably will increase the amount of funds returned to users. But like, I don't know, I do this because I'm on the team so side. I don't know. I wouldn't fuck around with that kind of thing. But I do think there's an interesting dynamic where like,
00:31:15
zach
there is a there is a type of bug. As an example, it's like a team puts a multisig that controls $8 billion dollars that's on the chain.
00:31:26
zach
From North Korea's perspective, they're like, if we can get the private keys to that multisig, we steal $8 billion. dollars But no white hat can look at it or try to work on it, because working on it means whatever you have to do to steal from those people, right?
00:31:31
riptide
Yeah.
00:31:37
riptide
Right, right.
00:31:38
zach
And so I think there's like a whole class of thing that we're not protected against, because there are these clean methods.
00:31:42
riptide
that's That's full spectrum security. Yeah, we just look at at one one angle.
00:31:45
zach
Yeah, but but those things bump into each other. you know it's like And so I think like as our world gets more developed, there's this missing missing gap that I think is going to haunt more and more projects, is like the more traditional upside.
00:31:48
riptide
Absolutely.
00:32:00
riptide
Yeah, I still think there's there's a big market for that. If you want to go full security, including Web3, you know, breaking and entering in the house, you know, what we're hacking the the devs, everything.
00:32:09
zach
Right.
Experiences with Optimism and Blockchain Audits
00:32:11
riptide
I mean, God, there's so much money around here and so many vulnerabilities and so many kids on the blockchain and just so many people with, it's shocking, man. Go to a crypto conference and just glance at somebody's screen.
00:32:23
riptide
And, you know, I don't know different people's backgrounds, but like I take a very conservative security approach. Like I don't even install extensions in my browser. I'll have a separate browser for that. I'll do split tunneling on a VPN. I use different laptops, all these things. And most people, man, you open up their, their browser, they have 65 extensions. You don't know what's involved with that. It's like, uh, these guys are devs behind your favorite project.
00:32:50
zach
Right. Yeah, it's a I think I'm glad to see more like awareness of this and more talking about the like, hey, don't like click a malicious zoom link that someone hit you up with on Twitter when ah a letter is off or whatever stuff like I think it's easy because this space is so unique from a security perspective.
00:33:02
riptide
Yeah.
00:33:09
zach
I think like it attracts more. It attracts a lot of people who are like puzzle solvers without security experience. And I'd count myself as one of those that like you, it's easy to get by and become good at it without knowing anything about security. And all of a sudden you're in a position where like, I mean, yeah, the like willy nilly VS code extension installations. I'm like, if someone saw my VS code live, I'd be in trouble and a lot of projects would be in trouble. You know, I'm like making notes of like, oh, I could steal everything here. We'll come back to it later.
00:33:40
riptide
Yeah, it's recording everything logging. What about, uh, so if, if, uh, if something at your house broke, would you take it apart and try to fix it?
00:33:44
zach
Right.
00:33:52
zach
Depends what kind of thing. I i have like a fantasy of being more of like an electrical engineer and understanding. I don't know a ton about that stuff. I try my best, but it's...
00:33:58
riptide
But do you, do you try to fix it? If something electrical breaks, do you fix it or attempt
00:34:04
zach
Maybe like the loosely attempt. I don't know. It depends on what. Not not a whole lot.
00:34:09
riptide
It's interesting because I mean, you painted yourself as a puzzle solver. And I'm thinking how I contrast to that, I would say maybe I like the challenge of figuring out how things work. Like I would take apart my floor heating system, what I just did two days ago, just to see, you know, try to fix it and do all that stuff. But to me, I'm like, I kind of like puzzles. I think they're frustrating sometimes, but I more think about how I love to see the inner mechanics of a device or a system and just kind of try to break it to be honest like that.
00:34:37
zach
Yeah.
00:34:41
zach
Can I ask you something though? do you Where did that start?
00:34:42
riptide
Yeah.
00:34:44
zach
like where Especially with like physical systems?
00:34:46
riptide
Oh, as a kid, just just taking shit apart. I was that guy taking the shit apart and trying to put it back together and successfully.
00:34:51
zach
Yeah,
00:34:54
zach
interesting. because Yeah, I feel like there's an interesting thing there where it's like, okay, I find the puzzles of blockchain security are really interesting, but if five years ago you just showed me a contract, I'd be like, this is just a bunch of words, this isn't even anything. And I needed the context and understanding to see, to like know what was what it was even being asked of me and to know what to do with it. And that's kind of the feeling I have with a lot of physical systems where I'm like,
00:35:19
zach
I feel like I'm missing a baseline knowledge to be able to treat it as a puzzle or to be able to even like reason about it and that's probably bullshit like probably if I spent a little time that I'd find it fun but I have like a like a distance from it where I'm like I don't even know where to start so it doesn't seem as interesting.
00:35:36
riptide
Do you do Sudukus on the flight?
00:35:39
zach
No no not that tight.
00:35:40
riptide
Yeah, okay. Yeah, different kind of puzzles.
00:35:44
zach
Yeah, I think it's it's the same thing.
00:35:44
riptide
Yeah, me neither.
00:35:46
zach
it's like the There's like a novelness that I need. And like a any kind of like puzzle in a book isn't that. right it's why It's why we're all addicted to this stuff.
00:35:56
riptide
Yeah, yeah, yeah, it's true.
00:35:56
zach
It's brand new every day, high stakes. it's it's ah There's nothing like it.
00:36:01
riptide
All right. I want to ask you, cause you are, you're the king of the op stack as far as I know, who places number one with a couple hundred grand in his pocket. I got to compliment you on that. That was, I was very impressed.
00:36:13
riptide
So on, on optimism.
00:36:14
zach
Which one? Oh, on Blast.
00:36:16
riptide
Yeah.
00:36:16
zach
Oh, Optimism, yeah. And then Blast is an OpenStack one.
00:36:17
riptide
Well, yeah, yeah, that's true. So, so you hit optimism first, then blast, right?
00:36:19
zach
I actually did a... yeah Yeah, I came first in both of those. And then I did a private order for Base, private order for Frax, for FraxToll. I've done, I did OPC Sync, which took me way deeper.
00:36:30
zach
I actually lead Optimism's developer advisory board. So like, I've ended up deep in, and actually, like my funniest Optimism thing, was I was in the governance forums kind of like spring of last year and they posted they're going to do this fault proof update so we're going to change the fault proof but with a ton of safeguards and then they did a safeguard on it with Sherlock and found that like safeguards
Innovative Bug Hunting Strategies
00:36:55
zach
are are solid like even if it's exploited they know how they are able to undo it. They say okay we're going to do the upgrade and I'm like
00:37:03
zach
I get that the safeguards are good, but guys like audit the actual thing before you deploy it. like I don't think there's really a risk of anything going wrong here, but it's just a bad look if there's bugs on it.
00:37:13
riptide
Mm.
00:37:14
zach
And there was some back and forth and basically decided, like that well we're they're going to deploy it and there's audits coming. and was like can i just I went to governance, basically it was like, will you fund a grant for me to go run a contest and administer it? Like you guys don't have to touch it, but like, I want this stuff to be safe. Uh, and for, to their credit, like they funded a good size pot and I just independently went to see for ran a contest, judged it. Uh, and some people did down some amazing epic stuff and and there were like multiple high severity things that they then like patched really quickly. So like everyone was safe the whole time, but, uh,
00:37:53
zach
Yeah, I was like, we need the fastest, like, good security researchers doing that, and SpiritBib was doing one in parallel, a private on it, on it, so like, yeah, I've seen this from the perspective of like, pretend I'm on the OP Labs team running a contest, doing contests and winning them on the Developer Advisory Board, building the ZKLP, so like, somehow, without attempting to, I've been i've gotten deep in that world, yeah.
00:38:15
riptide
ah What, so, but look, you get doing the optimism contest was your first foray into, into their code.
00:38:20
zach
total Totally, yeah, that was my first time looking at it.
00:38:20
riptide
Right. And why did you pick that complexity?
00:38:23
zach
It had a big pot and Sherlock offered me to be the lead. So I said, sure.
00:38:28
riptide
Okay.
00:38:29
zach
Yeah, wasn't it wasn't a lot of thought.
00:38:29
riptide
And.
00:38:32
riptide
ah This is interesting and this is kind of some alpha thing and a good tip for bug hunters because I i think I noticed a strategy, right? So if you're bug hunting a project and you're looking at it, you're so deep in the code, you know the code very well. And then say you find a bug, whatever. But if that project then launches a contest, go make some fucking money and go to the contest.
00:38:53
riptide
So do what Obra did here with optimism and then basically blast forked it, right?
00:38:53
zach
Yeah.
00:39:00
riptide
What, what was, what do you feel like your advantage was coming into the blast contest?
00:39:05
zach
Okay. I had one massive advantage. I had just been on a month of paternity leave and was itching to get back and to go so hard. And so like, I just, I was like fully, I mean, recharged in the sense that like I hadn't slept in a month, but recharged in that like my brain was wanting hard work.
00:39:25
zach
And so I blocked the full three weeks, like, like to your point, like we were like jumping in and out. canceled every meeting, I was like, if I'm doing this, I'm winning it.
00:39:33
riptide
Yeah.
00:39:34
zach
Even to the point that like I love, some friends who I really love working with were like, do you want to do it together? And I was like, I'm going to win either way, so I'm not, there's no point partnering because I'll just make less. I was just like, I'm settled, I'm going to win it.
00:39:46
zach
I already knew all the optimism stuff, so I was able to really focus on the differences. And Yeah, I'd say that was really it. It was just like, I hit it with intensity of like, I'm coming to win this contest, not like, let me poke around and see what I find. And so like, I went into it with the thought of like, any single thing I miss, why the fuck would I miss it? I'm good at this. I have maximum focus and I know the baseline. It's inexcusable for me to miss one book.
00:40:13
zach
And so that was kind of like the mindset I had through the whole thing. And towards the end, i actually, the two days left was like a lot of ideas. ah Here's a little possible alpha. I guess I maybe shouldn't say this on fucking podcast, but who cares?
00:40:27
zach
Two days left, I was like, I have no more ideas, like what other creative things can I do? I was thinking, I'm like, I think I've exhausted every idea. So I took a ton of mushrooms and just stared at it for a whole day and did find one more bug.
00:40:38
zach
I squeezed one more out of it.
00:40:39
riptide
That worked. What was the dosage?
00:40:40
zach
It worked. Actually, it wasn't a large amount in between so I I know the whole like microdose thing of like changes like the whatever but like it's imperceptible I want it to be like like high drawing connections not like like ah my brain is slightly rewired so I Think I took like one and a half grams like too little to be like on the floor tripping out but too much to pretend that nothing was happening and basically like
00:40:42
riptide
Micro dose or macro dose?
00:40:58
riptide
Hmm.
00:41:07
riptide
and that And that helped, that's interesting.
00:41:09
zach
I went to a room that I had know of that has like a 20 foot long whiteboard and wrote beforehand, wrote out the entire map of the protocol, everything connecting, and then I just paced back and forth staring.
00:41:21
zach
I paced back and forth staring at it, then went outside and went on a three hour walk where I didn't think about it, and then came back and paced for two more hours thinking about it. And all the parts of that were glorious. I had a really fun day.
00:41:30
riptide
This is serious bug hunting alpha. ah I've tried that in the past and it it didn't work out.
00:41:33
zach
Yeah, now it's a...
00:41:36
riptide
The screen just, just tripped me out.
00:41:36
zach
Yeah, I...
00:41:37
riptide
It's too bright.
00:41:39
zach
Yeah, I feel like it's there could be more honing to do it well. I haven't done it again since, but yeah. was just i was That's it.
00:41:46
riptide
Hey, whatever works, man. I mean, you know, we use caffeine.
00:41:49
zach
That's it. One more bug.
00:41:50
riptide
Some people don't use caffeine nicotine.
00:41:51
zach
Yeah.
00:41:53
riptide
Uh, some people smoke weed. Look at the code. I think whatever open ups opens up those, those pathways is beneficial.
00:41:56
zach
yeah
00:41:59
zach
And again, it's the same thing we were saying before. It's like, if you told me like,
Alpha Drops and Tips for Bug Hunting
00:42:03
zach
hey, you're the only person auditing this, look at it, I'm like, I'm not gonna fuck with things, I wanna be the most. And this is a weird thing in security is like, there's kind of two very different ways of thinking types of people. There's like like airline mechanic type where it's like, I'm gonna checklist everything and I'm gonna miss nothing. And then there's like, I'm gonna miss a ton, but I'm gonna find some crazy shit. And like, those are usually very different types of people.
00:42:34
zach
i I'm definitely more the latter, but I can like try to harness the former to not screw things up. But like if I'm trying to do an audit by myself, it's like, I'm not going to go do some mushrooms and like not be as like thorough as I can.
00:42:47
zach
But if I'm in a contest and I'm like, hey, if I think of something that's just fucking weird that no one else is thinking about, that's usable in the contest. They already have the like base of coverage. So I think there's like, it goes back to that, like the weirdness is kind of usable.
00:43:01
zach
And I think that encourages weirdness.
00:43:01
riptide
Yeah. Yeah. No, I agree, man. I think get it like i'd I'd say get out there, go run, go exercise. You know, drugs can help sometimes just anything can open it up.
00:43:11
zach
But you also, I'm curious on the drugs for you because like if you told me that you say that you go fast through things, like if I tried to do any drugs after looking at a code base for one day, it's like my brain doesn't know what to do with it.
00:43:22
zach
Like I was already like, it was like ingrained in my, in my like brain circuits by that point that like, I didn't have to look at the code once the whole day, you know, I was just thinking about it.
00:43:30
riptide
Yeah.
00:43:31
zach
And so it's a different place to be.
00:43:35
riptide
No, that's yeah. I yeah don't think I would do that unless I. Yeah. Cause I couldn't sit in front of the screen looking at it. That didn't work.
00:43:43
zach
No, no, no, no, no.
00:43:43
riptide
So if it was already in my head and I you know i could think, cause I do that in the shower, you know, I think through different pathways and everything.
00:43:44
zach
Yeah, no way.
00:43:47
zach
Right.
00:43:48
riptide
So yeah, I could see that. So if you already went through the code base.
00:43:51
zach
Yeah, you've gotta be deep enough that it's like, you don't even have to look, you know how every single thing is working already.
00:43:57
riptide
Yeah.
00:43:58
zach
You know, maybe I should go back to Polymer, get that 200 lines again.
00:44:02
riptide
Oh, hey, I think we should do the the alpha drop. I need a sound effect for the alpha drop. That'll be the next time.
00:44:07
zach
Yeah, you do, you do.
00:44:07
riptide
All right, let me, I'll drop my alpha and then hopefully you could drop some alpha here. Well, I want to ask you about ah what I texted you about on ah what people could look for in in the op stack on these forks and everything.
00:44:19
zach
oh yeah
00:44:20
riptide
All right, that'll be your alpha drop. All right, my alpha drop is probably simple. But these are things that I actively find still today. And I think simple bugs are out there everywhere.
00:44:32
riptide
Remember, I underestimated it last time. I think I chat GPT'd it. We got millions, millions of contracts deployed in the blockchain. And now there's multiple chains. They're everywhere.
00:44:42
riptide
So there's no shortage of simple bugs.
00:44:46
zach
Oh yeah.
00:44:46
riptide
A couple of things that I see devs kind of miss ah Over and over again, are look for a function that yeah watch the whole trace and look for it down there in the trace that where they've ignored ah the arguments.
00:44:56
zach
for both
00:45:02
riptide
The arguments have been comment commented out. So the initial call, you needed whatever argument, and then you know four functions down, it's overridden, and then they've commented out that argument.
00:45:12
riptide
So you never even needed it. So ah check for overrides. And then another one is check for for loops with continues that can break out of that for loop sooner than you think based upon a condition.
00:45:25
riptide
Those i've I've had multiple bugs around those. So that's my alpha drop. I wanted Zach to
00:45:31
zach
you feel kill cu tune
00:45:33
riptide
motherfucking alpha drop. I wanted Zach to talk about, since he's the OpStack master and you see a lot of these forks, ah you know what what kind of mistakes can ten bounty hunters look for when these are getting deployed by devs that might not know the whole code base, the nuance, low hanging fruit, any of that you could share?
00:45:36
zach
but
00:45:52
zach
Yeah, I was thinking about it before so I guess there's there's two things I'll
Future Aspirations in Blockchain
00:45:56
zach
share one is
00:45:59
zach
On the on the get side. I think if someone hasn't spent a lot of time with get it can be kind of intimidating big code base things are pointed all over the place. Lots of it's not used. It's kind of or not it' not used in the flow that you're looking at.
00:46:15
zach
And what you'll find if you go deep in it is like there's only a few areas that matter for EVM-related stuff at all. but You can basically trace from when a transaction is pulled from a block that's being processed, and from there, how the gas is charged, how to check for the enough balance, how and how the actual EVM cost works. So there's like that world, and then there's how the state database is managed. And basically, those are the only two areas, and if you include in the first one, pre-compiles.
00:46:44
riptide
Which Go files are those?
00:46:44
zach
Those are the, so it's like state processor, it's core slash VM slash, I think like state processor.
00:46:51
riptide
He knows the path.
00:46:54
zach
Yeah, of course man, type this shit up too many times. Contracts dot.go is the all the pre-compiles. And then yes, state DB if you search you'll find it. those every get like op geth work that's where the changes are made and for the most part or not for the a lot of the changes from geth to op geth are in those as well and so i don't know i found like at first i was like well i'm not going to understand all of geth i'm just going to look at this and then i realized like no i should understand all of
00:47:24
zach
that set of things. And that will open things up a lot like blast and changes to the state database. Okay, I'm immediately thinking like I know how the journal works of where state changes are made and then reverted. Are they handling all those reverts properly? Are they doing things out of order? Are there situations where you could self destruct but then would skip the revert like there's You can start to know those pieces with a level of depth that's like a thing you're actually familiar with, whereas depth as a whole is just like helpless to feel like that. So that's one thing is like knowing that set of things really, really well.
00:47:58
riptide
So just, just to rehash for the listener sets, just if you can get those contracts.go state tree dot.is that that.go as well.
00:48:01
zach
Yeah.
00:48:06
zach
I would I would go to state. I think it's state processor and there's a function called process and that's literally take a block and execute all the transactions just following that through all the way and looking at everything that touches you will be in good shape.
00:48:21
riptide
Okay.
00:48:22
zach
And then on the contract side, you were just talking about the like overrides and inheritance. I think the optimism bridge is pretty simple, except for two things. One, there's a weird quirk where basically when you're doing withdrawals, the initial withdrawal is not replayable if it fails. And then that goes into like a wrapper contract called the cross domain messenger that handles all the replays.
00:48:48
zach
And so anytime like and each time I'm looking at any optimism thing, I'm thinking, like is there a way to make withdrawals fail so before they hit the cross-domain messenger so that they can be wasted? Because I can process your withdrawal for you and break it. And that's in the original Optimism Contest I did, both of the hives, or I guess all three of the hives, that was the core bug, was like different ways to break other people's withdrawals for free.
00:49:14
zach
So that's like one thing to pay a lot of attention to. And then the other thing to pay attention to is it's a weird, it's it's hard to get your head around the bridge because they've got this this like mirror image on both sides. So like there's a standard bridge contract, or say there's a cost cross domain messenger contract, and then it's imported into the L1 version and the L2 version. And sometimes they override things, and sometimes they don't. and like It can get hard to get in your head like what is this one contract doing without trying to do the like Don't repeat yourself to have stuff of kind of combining code. And so I find it useful to just like
00:49:49
zach
for each of those contracts, kind of reorganize it, so it's actually just what is actually in this contract. And for optimism, it's fine, like I've done it enough times, there's this all solid, but when there start to be changes, you would start to notice like, okay, the L2 one overrides this thing, but they don't realize that another thing of the underlying is calling that function and now it's not gonna behave. So I would just, I would take everything in the bridge and split it into like, what are these contracts actually doing, as opposed to trying to use the the shared code.
00:50:21
zach
yeah The one other thing I'll i'll say is interop is coming very soon. So that's like instant interoperability between OP stack chains, starting with a smaller base and growing that cluster over time. And that's a good fascinating area for new creative bugs that they're working hard on. I'm actually in the middle of auditing it right now, or at least auditing the contracts. But I think like Getting ahead of that and understanding that system.
00:50:49
zach
There are going to be a lot of app layer bugs by teams misusing interoperability. So that's like worth understanding.
00:50:53
riptide
Is that, is that get up public? Is that under bedrock or something else?
00:50:58
zach
Yeah, yeah, it's under just like their optimism on a repo. I think yeah, there's if it's not in the main branch.
00:51:03
riptide
Ops stack to ops stack. Cool. Yeah.
00:51:06
riptide
Who knows what that opens up.
00:51:06
zach
Yeah, yeah, it's really, it's, it's immediately like very, very cool opportunities for things to build with it.
00:51:14
zach
And also a lot of gotchas to that desk. We'll get wrong. I'm sure.
00:51:19
riptide
Did you ever, uh, did you ever look at arbitrary?
00:51:23
zach
I've never looked at arbitrary.
00:51:25
riptide
not once interesting
00:51:26
zach
Yeah. So much of what I know is based around like.
00:51:28
riptide
they
00:51:31
zach
what like my myself but how the calendar worked itself out. you know I'm interested in it and like have plans to look into it a few times, but when there's just other priorities to come up, it's kind of coin toss whether it happens or not.
00:51:44
riptide
Yeah. I mean, look at the momentum optimism has had with this, um, the super chain, Opstack. There's so many forks of it. And then with arbitrary, um, I don't think, um, maybe, maybe now there's a couple, but I mean, tell me, tell me, tell me who who forked it because optimism just ran away with it, I think.
00:52:03
riptide
And I don't know why I don't know, but
00:52:04
zach
Yeah. Yeah. Yeah. I would guess that's a mix of, I don't know what it is. I mean, they, I think they've they've like worked hard on how they express the vision. They've worked hard on the biz dev. They've worked hard on some of these like, the only reason for all of it to exist is obviously this interoperability, right? So like they've been planning this for a long time. It's like, there's a reason to be in one stack besides the other if they both do the job. Because one of them, you get to exchange with OP Midnight and Basin, now Unichain and Sony in one second, and then the other one you don't. like
00:52:35
zach
I think there's there's like network effects from that.
00:52:35
riptide
Yeah.
00:52:38
zach
I have heard ZK Sync is doing a good job with that model as well of like being the stack for others to build on, but I haven't looked at that either.
00:52:45
riptide
Yeah. This is cool. Seeing where all this, all this evolves. Uh, I want to ask you, what is your end game in this industry? Do you have one?
00:52:55
zach
Dude, who knows? Every day i is a battle to convince myself to not start a company, so at some point I will give up on that battle.
00:53:04
riptide
You mean you're gonna start a protocol? What are you gonna do?
00:53:08
zach
Who knows, who knows. I think there's a ton of interesting opportunity and cool things to build. And i I'm having so much fun with this current form of work, and especially with three young kids, it like jives well with it. I enjoy it a lot, but there's a there's for sure a part of me that misses like grow a thing really big and take it seriously and be committed to it for a long time. So I suspect,
00:53:35
zach
At some point, something that I feel like needs to get built and no one's building, I'm gonna just give in and do that, but who knows what that'll be.
00:53:42
riptide
Yeah. Yeah. I hear you. Well, dude, awesome. Thank you for coming on the podcast. It's been a pleasure. I think some serious alpha was dropped here. The great Zach Oberant.
00:53:54
zach
Great chat, we did, it was fun.
00:53:56
riptide
All right, man. Thanks. Take care, brother.
00:53:59
zach
Later.