Episode 23 - 0xjuann & 0xspearmint

bountyhunt3rz: life on the blockchain

riptide & the Obsidian Audits team (0xjuaan & 0xspearmint) discuss their Fraxlend high-severity bug find, including a deep dive into ERC-4626 vaults, helping Hyperliquid builders with their hyper-evm-lib public good, how they use automated tooling during audits, why you should drop out of med school to be an auditor, DeFi strategies and risk tolerance, alpha drops, and much, much more.

Transcript

Introduction and Episode Tease

00:00:07
riptide
Life on the blockchain. We are back for an extra special episode today with redacted guests. No, I'll tell you in a second.

Sponsor Highlights: recon.xyz and rareskills.io

00:00:17
riptide
So, first off, let's talk about the sponsors.
00:00:21
riptide
Let's talk about when you want to fuzz. Where do you go? You go to recon.xyz/Riptide. Get all your invariant tests, get a big discount. Drop the Riptide link: recon.xyz/Riptide.
00:00:36
riptide
Get some change back and get your project secured. For all the up-and-coming bounty hunters and for the experts who want to level up, go to rareskills.io/Riptide, knock out some boot camps,
00:00:51
riptide
and get a big Riptide discount as well. So go find some bugs, get some.

Meet the Guests: Obsidian Audits, 0xjuaan & Spearmint

00:00:57
riptide
Today I have two guests, and we have both guys from Obsidian Audits, 0xjuaan and 0xspearmint.
00:01:07
riptide
Good day, sirs.
00:01:10
0xjuaan
Thanks for having us.
00:01:13
Spearmint
Yeah, thanks for having us.
00:01:13
riptide
My pleasure.
00:01:14
riptide
Awesome to have you guys. Calling from down under, that's what I like to see. Whereabouts might I ask?
00:01:24
0xjuaan
We're from the west side.
00:01:28
riptide
Where no one is, over there in Perth.
00:01:32
0xjuaan
Yeah, around there.
00:01:32
Spearmint
Yeah, there's...
00:01:37
riptide
Awesome. I was hoping you'd say, like, we're in Broome. And if you don't know Broome, Australia, you're riding camels. You're just out there in the middle of nowhere.
00:01:47
Spearmint
Yeah, true.
00:01:47
0xjuaan
good good
00:01:47
Spearmint
We haven't even been to Broome yet.
00:01:50
riptide
I don't think anyone has except some tourists.

Origin Stories: How Obsidian Audits Began

00:01:54
riptide
Dudes, so great to have you on the podcast. You guys are both behind Obsidian Audits, which I think you founded. Is it fairly recent? How long have you guys been running your audit shop?
00:02:11
0xjuaan
Yeah, we started a couple of months ago.
00:02:13
0xjuaan
I think we announced in May or April, but we've been doing private audits as a team since like last February. We officially branded it as Obsidian just a couple of months ago.
00:02:24
riptide
Okay.
00:02:30
0xjuaan
yeah
00:02:30
riptide
Cool, cool. And maybe give some background on how the hell you got here. Maybe, Juan, you could start off.
00:02:41
0xjuaan
Yeah. So I was at the end of my first year in university studying math and computer science, and I wanted to either go into AI or into crypto. I just had to pick one, and there was no specific reason, but I just picked crypto. I wanted to go deep into crypto during my summer holidays.
00:03:06
0xjuaan
And then I initially just wanted to be a dev, and I was doing Patrick's development course, but he happened to launch the security course at the same time. And that's what got me learning about security.
00:03:19
0xjuaan
And then, thanks to contests, I got into those and got immediate feedback. I started to do well in contests, and then just kept doing that for a long time. And here we are.
00:03:36
riptide
And then you decided to start your own audit company.
00:03:41
0xjuaan
Yeah, so with the audit firm, it started with a team, Tenor Finance, reaching out to Spearmint. I think they saw him on Cantina's leaderboard, and they reached out to him for a solo review before their main audits. And then he suggested to them that we do it as a team.
00:04:02
0xjuaan
And we did it. We did a review for them. And during the opening call, they told us that they were going to have a review from Spearbit after us.
00:04:14
0xjuaan
And so we told them, jokingly, okay, so our goal is for them to have an empty report, for them to find nothing. And so we tried really hard for that audit.
00:04:25
0xjuaan
We found quite a few highs and mediums. And then a few weeks later, they told us that the Spearbit review only had one medium and a couple of lows. So after that,
00:04:37
0xjuaan
we kind of realized, okay, so we actually can provide value and do a good service in private reviews. And at that time we were mainly just doing contests and solo private audits, but not doing them together.
00:04:50
0xjuaan
And yeah, after that we already started thinking about coming together and providing our service as a team.

Diving into Crypto Security

00:05:01
riptide
Okay. And can I ask you something about Cyfrin? So Patrick's thing, Cyfrin, you took his course, you're saying. What did you think about it, and why did you choose to do a course?
00:05:13
riptide
And did you think it was valuable?
00:05:18
0xjuaan
So I took the course just because people I knew told me that's a good way to start learning. If I didn't do the course, I would have had to do my own research, but I felt that, especially at the start, having the structured program showing me everything I needed to know was quite beneficial.
00:05:46
riptide
Okay, very cool. I've never looked into it, but I hear a lot of people talking about Cyfrin, so I'll have to check it out. Mr. Spearmint, can you give me a little background? Why the hell are you here on the blockchain?
00:06:00
Spearmint
Yeah. Okay. So mine is pretty different to Juan's. I don't really have a technical background. Right after high school, I got into medicine, so I studied a two-year undergraduate in biomedical science.
00:06:16
Spearmint
And after that, I got into the first year of medical school. And just at the start of the second year was when Juan had, I'm pretty sure, his first contest payout. So I saw him take Patrick's course, and within a couple of months he'd started doing contests and he already got paid. So yeah, at the beginning of the second year of med school was when I also followed a similar path to him, which is take Patrick's Foundry course and then the security course and get straight into contests.
00:06:54
riptide
And did you, are you still in med school?
00:06:58
Spearmint
So I'm not right now. Around six months into my second year, I basically paused the degree and took a gap year.
00:07:01
riptide
It's like, hell though,
00:07:12
riptide
hell of a decision. Why go into further debt when you could start making that big audit money?
00:07:14
Spearmint
but
00:07:18
riptide
Big audit mafia cash. That's awesome, man.
00:07:22
Spearmint
Yeah, definitely.
00:07:23
riptide
Dude, I'm waiting to hear one of those backstories. It's like, well, you know, I was an Uber driver and then started doing some Cyfrin course on my drives, and here I am, you know, we have a tier one on it for, you never know.
00:07:38
riptide
I like the med background, man.
00:07:38
Spearmint
i
00:07:39
riptide
That's non-traditional.
00:07:43
Spearmint
Yeah, definitely. I think that exists. I think I read about someone who was a taxi driver and then took Patrick's course, and now they're a Spearbit researcher.
00:07:53
0xjuaan
Yeah, Elhaj.
00:07:53
riptide
Wait, wait, you're serious? This is a real guy?
00:07:58
0xjuaan
Yeah, that's real.
00:07:59
Spearmint
Yeah.
00:08:00
riptide
What's his name?
00:08:02
0xjuaan
Elhaj, like E-L-H-A-J. He's a Cantina ASR now, I think.
00:08:11
riptide
I've got to reach out to this guy, man. It sounds like a story. Very cool. You never know, man. So, all right. I've seen you guys around on X for a while, but I think where I noticed you was obviously when you dipped your toe in the bug bounty game.

Cracking the Fraxlend Vulnerability

00:08:31
riptide
And I saw this cool Fraxlend vulnerability. And it's just, like, I've looked at Frax's contracts, and I think...
00:08:42
riptide
I think it's an interesting team. It's a lot of go-getters, and they kind of push code pretty quick. And they've gotten notes from some audit firms in the past saying, hey, you know, chill.
00:08:58
riptide
Don't go so quick. You're trying to do too much too fast. But having said that, I don't think they've had any real exploits. I did find a few things in their contracts, but nothing enough to get paid for. They kind of accepted the risks. And, you know, they have flaws like anybody else, but they still, I think, have good coding practices, and their code is pretty good.
00:09:21
riptide
But you guys took a look and you found something pretty interesting. Which one of you would like to talk about it?
00:09:31
0xjuaan
Do you want to take it?
00:09:34
Spearmint
Sure. Okay. So, you know, that
00:09:41
Spearmint
Fraxlend, and I'll just give a quick summary of the protocol. It's basically an isolated lending protocol, and we found an interesting way to inflate the share value so that you can steal the first deposit, essentially.
00:09:57
Spearmint
And a bit of backstory before we get into this. While doing audit contests, we did a contest for Sentiment V2.
00:10:08
Spearmint
So they are also an isolated lending protocol, and that's actually the first time we discovered this vulnerability. So yeah, during that audit contest, which we both did as a team, we found this way to exponentially inflate the share value.
00:10:30
Spearmint
And
00:10:31
riptide
And was that a 4626 vault implementation on that project?
00:10:37
Spearmint
Yeah, they also had a 4626 vault.
00:10:40
riptide
Okay.
00:10:42
Spearmint
So yeah, and then the Frax bounty came a couple of months later. But yeah, I think that's one of the interesting things about this bug: it can apply to really any protocol that has a share implementation. It doesn't really have to be a vault. We've seen it in AMMs, for example. We've seen it across different languages: Clarity, Rust, or Solidity.
00:11:10
Spearmint
But yeah.
00:11:14
riptide
And so could you go over just the mechanics of it, just the base, like what's the major flaw that you guys found?
00:11:24
Spearmint
Okay, so you know the basic share inflation bug, which is, let's say, in the old version of 4626 vaults. Whenever you deposit a certain amount of assets to a vault, you get minted shares representing the percentage of assets that you own in the vault. So the actual calculation for that, when they calculate how many shares to mint you, is the amount you deposit
00:11:59
Spearmint
multiplied by the total shares, divided by the total assets of the vault. So in this calculation, the problem is it can round down to zero, basically. Or it can round down, but ideally for impact you want it to round down to zero, so that when a user deposits a certain amount of assets, he gets minted zero shares and effectively donates his deposit to
00:12:29
Spearmint
the attacker.
00:12:32
Spearmint
So in the basic vault inflation attack, total assets is just the balance of tokens in the vault. So the attack is really simple: you just front-run the first depositor by minting a single share and then donating a large amount of assets to the vault by transferring tokens in,
00:12:54
Spearmint
so that whenever the next guy deposits, he gets minted zero shares and you can just withdraw everything that he deposited. So that's the basic vault inflation bug.
00:13:08
Spearmint
And basically everyone knows about this. Anyone creating a 4626 these days knows about it. And Frax, of course, knew about this, and their solution to it was to track the total assets using a storage variable instead of using balanceOf(address(this)).
00:13:31
Spearmint
So that prevents the attack vector where you can just donate assets to the vault to inflate the share value. I've even seen this as a recommendation in audit reports and things like that to fix the share inflation.
00:13:48
Spearmint
For the basic share inflation attack, track it using a storage variable instead of balanceOf(address(this)). So that's a bit of the backstory. But now, how do you actually go from the previous attack to attacking when they track it as an internal variable?
00:14:14
Spearmint
The question is, how can we inflate the total assets of the vault while keeping the total shares at one? That's the goal.
00:14:26
Spearmint
So a basic thing you can do is, once the share value is, let's say, two to one, if you try to deposit one wei to the vault, it'll increase the total assets to three, but you'll get minted zero shares.
00:14:45
Spearmint
And this is a tiny inflation. If you tried to deposit two wei, you would get minted a share, so there would be no inflation. So it starts with just depositing one wei to increase the share value again by one.
00:15:03
Spearmint
But the interesting thing is now you can deposit two wei and increase the share value from three to five. And now you can deposit four wei.
00:15:14
Spearmint
And that just exponentially goes up, until after just like 20 deposits you can steal over a million USDC, for example.
00:15:25
riptide
Right. And that's the key, it starts to go exponential. That's the big takeaway. Like, dude, I've seen this. I swear to God, I've seen this behavior a long time ago.
00:15:39
riptide
And it just didn't click for me. Like, playing around with sims, you see you could deposit something and then you get zero shares, but the amount increases.
00:15:50
riptide
But in my mind, I'm looking at it from a user's point of view and just think, oh, well, it just screws the user. Look, I didn't get any shares back. Move on to the next thing. And I wasn't thinking about it in the context that you thought about it, which is when you have one share, and the whole exploit scenario. So,
00:16:11
riptide
I just thought it's really cool, man. And I mean, like you said, it's not new, but the angle you took on it was novel.
00:16:24
riptide
And I think you found this, and who missed it? Trail of Bits was the tier one firm?
00:16:31
Spearmint
Yeah, it was. Trail of Bits.
00:16:33
riptide
Look at that, Obsidian flexing on big ToB. That's what I like to see, man. And dude, there's something, I don't want to say similar. Did you guys see the Resupply hack?
00:16:48
Spearmint
I haven't seen that yet.
00:16:48
0xjuaan
uh,
00:16:49
riptide
So it was a 4626 kind of problem there. Like, deposit one wei into an empty vault, donate to inflate the share price, oracle reports the inflated price, and then the exchange rate is zero because of division.
00:17:07
riptide
And so LTV is zero. And then you could do unlimited borrowing. So they just did the exchange rate divided by...
00:17:18
riptide
whatever they call it, the oracle, get prices, and it rounded to zero. And it's like, man, we see the same stuff with this. Anytime you see a division symbol, look at that rounding, man. I mean, it's one of the most overlooked things in protocols to this day.
00:17:38
riptide
I think people look at it and they just say, oh, it's nothing big. And at first glance on the Fraxlend bug, you're like, okay, big deal, until you start playing with it.
00:17:50
riptide
And then you're like, oh, look, this can get big very quick. Are there any tools you use? Did you fuzz anything here? How did you guys find this bug? Is this just all manually digging, or any tools involved?
00:18:06
0xjuaan
So for this one, when we first found it in the contest, I don't remember fully just finding it through exploration.
00:18:18
0xjuaan
I'd heard of it, because this is called stealth donation. It's not completely novel from us; it's been known before. So when we looked at the vault for the contest, I just kind of remembered that there was some way that you could still inflate the share value, even if they track the total assets as a storage variable.
00:18:49
0xjuaan
So I can't take full credit for being the first person to discover this through some fuzzing method or something. But yeah, if we were to think about how we could have been the first person to discover this,
00:19:08
0xjuaan
I think it's just thinking about how we can inflate the share value from first principles. So we just need to somehow increase the total assets without increasing the total shares as much.
00:19:16
Spearmint
Thank you.
00:19:22
0xjuaan
And the precision loss just happens to be the vector we can take to do that.
00:19:32
riptide
Yeah. Have you ever looked at the original ERC for 4626?
00:19:40
0xjuaan
Yeah, we have.
00:19:43
riptide
Like where they talk about the security considerations.
00:19:43
0xjuaan
I think
00:19:48
riptide
I was just browsing it this morning. I don't think this is mentioned.
00:19:54
0xjuaan
but
00:19:55
riptide
Like these bugs that have been found.
00:19:58
0xjuaan
Yes, I think maybe the basic inflation has been mentioned, but after the fact, probably after someone got exploited or something. But yeah, the ERCs should probably do more in listing the security considerations and all the different protections you need to put in.
00:20:21
riptide
Yeah. I mean, in all fairness, this was written in 2021. That's how long these take to go through.
00:20:27
0xjuaan
Yeah.
00:20:29
riptide
It's wild, but this is a cool bug, man. Very cool. So the Frax team, very based. It sounds like they fixed everything and paid you a bounty. Did they make an announcement as well, or just you guys?
00:20:46
0xjuaan
It was just us. They didn't make anything public. But yeah, we asked them before doing it and Sam was happy to have us post it.
00:20:50
riptide
Okay.
00:20:58
riptide
Cool, cool. And on another topic, I saw you guys are doing something with Hyperliquid, something I just saw recently, this HyperEVM library, which is kind of cool. Do you want to talk about that? I'm curious who you heard asking for this. Like, why did you make it?

Developing for Hyperliquid and LLMs in Audits

00:21:19
riptide
And do you know of any projects that are using it right now?
00:21:24
0xjuaan
Yeah, so Hyperliquid recently launched the CoreWriter, which is a system contract on their EVM that lets you communicate with HyperCore, which is a perp and spot DEX. It looks like a centralized exchange from the front end, but it's on a blockchain.
00:21:51
0xjuaan
So,
00:21:54
0xjuaan
The issue with the CoreWriter right now is it's quite tedious to implement into your contracts. There are a lot of different things you have to consider, like converting the decimals from the EVM representation of the token to the Core representation. They're represented with different amounts of precision.
00:22:21
0xjuaan
And then there are a lot of different weird things that make it annoying if you're a dev and you want to do something with this. And we found this by just playing around with it once they announced that it was live on mainnet.
00:22:39
0xjuaan
And so we thought, after testing everything and finding the places with the most friction,
00:22:50
0xjuaan
if we just made a library that made everything simpler for the developers, it would probably be used a lot by anyone who wants to build using these features of the HyperEVM.
00:23:03
0xjuaan
So, yeah.
00:23:05
riptide
And I'm assuming you've audited some protocols on Hyperliquid. Did you notice they were maybe stepping into some security traps, where you saw, like, oh, this could be a problem, I could see devs messing this up over and over again?
00:23:25
0xjuaan
So we actually haven't yet audited a protocol that uses the Hyperliquid system contract or the precompiles, but we have seen a few audit reports, like from Pashov. He's done a lot of them.
00:23:43
0xjuaan
And from that, we have seen a few of the pitfalls that people can fall into, which are easily avoided by just not rolling your own code for this.
00:23:57
0xjuaan
If that was just a thing you could import that does everything for you, that would be really helpful.
00:24:02
riptide
Mm-hmm.
00:24:05
riptide
No, that's really cool, man. I hope you guys haven't taken on something that is too much work now. Like if you look at Solady or Solmate, any of those, the initial goal was like, yeah, we put this out there.
00:24:16
0xjuaan
Yeah.
00:24:18
riptide
And then you're like, oh my God, you look at all these commits they continue to do over months and over years. So do you have an idea about that going forward?
00:24:24
0xjuaan
yeah
00:24:28
riptide
Are you just going to say, obviously it's on GitHub, anyone is open to contribute, and just kind of hope the community maintains it? Or is this going to be an Obsidian Audits kind of work of art?
00:24:41
0xjuaan
Well, we're not completely sure where the future is going to take it. The good thing is it's mostly feature complete. There aren't unlimited things you can add. With Solady, you can always come up with a new function to add, but with this, there's a limited number of precompiles that HyperEVM has and a limited number of
00:25:08
0xjuaan
actions you can do on Core. So once they're put in, there shouldn't be too much extra development to do after that.
00:25:19
riptide
And I'm curious, how did you guys team up?
00:25:24
0xjuaan
So we, yeah.
00:25:24
Spearmint
So, yeah.
00:25:28
riptide
You said you're brothers?
00:25:30
Spearmint
yeah
00:25:30
0xjuaan
yeah
00:25:31
riptide
Oh, shit. That's pretty awesome. That's really cool, man. And you guys are both doing your own audit firm, dropping out of med school to go audit Solidity. Yeah.
00:25:43
riptide
This is pretty cool, man. And are you only doing Solidity? Is Obsidian just going to focus on that, or are you doing, you know, DLT stuff?
00:25:58
riptide
What are you going to focus on?
00:26:00
Spearmint
We mainly do Solidity, but we've also done some Solana, so Rust audits.
00:26:06
riptide
Mm-hmm.
00:26:07
Spearmint
We haven't really delved into the blockchain node level stuff, though.
00:26:16
0xjuaan
Yeah, we're just focusing on DeFi contracts, but on Solana and EVM.
00:26:23
riptide
Okay. And what kind of automated tools do you guys use? Do you use any static analysis, dynamic analysis, LLMs?
00:26:37
0xjuaan
I haven't used Slither since Patrick's course, so since about a year and a half ago. With LLMs, we both use Cursor just to help with understanding the code at the start.
00:26:58
0xjuaan
Maybe basic code navigation.
00:27:02
riptide
Mm-hmm.
00:27:03
0xjuaan
We haven't gone deep into the AI agent, the code audit agent stuff yet. But I do think that in the future a lot of the low-level, a lot of the bugs, not vulnerabilities, but a lot of the bugs will be caught by AI.
00:27:26
0xjuaan
And,
00:27:30
riptide
Yeah, no, I agree.
00:27:31
0xjuaan
and yeah.
00:27:32
riptide
I agree. I think I had LightChaser on, and I think when you combine static analysis with LLMs, to be honest, that's a winning combo to catch a lot of bugs. I see some interesting findings come across my desk, and obviously some are not all accurate, but there are some interesting ones that warrant enough attention to these tools. So do not just
00:28:07
riptide
Anyone who's listening, don't think the initial GPT bug-finding skills have stayed the same. It's gotten better, not just GPT, but other LLM platforms.
00:28:21
riptide
It's gotten better. And when you do different training and prompting, they've gotten a lot better. So always a great tool to use. And it's interesting hearing how you're using Cursor to help understand a code base.
00:28:34
riptide
Is that pretty simple? Do you just load it? I've used Cursor once to play around with it, but do you use it to just load the whole code base? And then do you have specific prompts you ask it? What are the steps you go through to understand the code base from zero?
00:28:52
riptide
from zero
00:28:57
Spearmint
Yeah, so the first thing I do after cloning a repo, especially if there's low or no documentation, to get a high-level understanding, I'll just ask Cursor: what's the high level of each contract? What's the purpose of each contract?
00:29:16
Spearmint
Who are the actors involved? And what's the entry point? And within a minute, I have some understanding of what the protocol is about and the main contracts, and have a point to go to actually start the manual review.
00:29:33
riptide
And do you remove all comments?
00:29:37
Spearmint
I think I've done that a while ago. I haven't done it in a long time, though, to be honest.
00:29:45
riptide
Classic DVF. I remove all comments before I look at the code. I only look at the code. I don't know, man. Sometimes I get some usage out of them.
00:29:53
0xjuaan
Interesting.
00:29:55
riptide
It just depends, I guess, on your style.
00:30:04
0xjuaan
I think, yeah, they do help with understanding. But I do remember once I got baited by a comment, which led me to miss a bug. I can't remember the details, but yeah, that has happened.
00:30:17
riptide
Was it something like "this never reverts"?
00:30:17
0xjuaan
So I can...
00:30:21
0xjuaan
I can't remember. Maybe it was just some assumption. Yeah, it was definitely some kind of assumption that I just took on instead of challenging.
00:30:31
riptide
i
00:30:31
0xjuaan
So yeah, I can see it.
00:30:32
riptide
It does do that, man. It can just enter your subconscious and you're like, oh yeah, look, it says it'll never overflow. I'm not even going to look at it.
00:30:41
0xjuaan
yeah
00:30:44
riptide
That's classic, man.

Trust and Adoption in DeFi

00:30:45
riptide
What about DeFi then? I mean, we all look at DeFi protocols. Are you guys brave enough to put your own capital in there?
00:30:58
Spearmint
Yeah, we do use very few protocols though, like Aave, Morpho.
00:30:58
0xjuaan
In the right ones.
00:31:05
Spearmint
For swapping, we go through Uniswap or whatever, but where we actually leave money inside a contract, it's really only Aave or Morpho.
00:31:17
riptide
What about stETH with Lido?
00:31:22
Spearmint
ETH.
00:31:24
Spearmint
You know, I would trust my money in there. But yeah, I'm pretty sure there was just a serious bug found in Lido as well.
00:31:33
riptide
Which one? I just found one, but it was with their dual governance.
00:31:35
0xjuaan
The riptide one.
00:31:38
riptide
And dude, it was such a basic bug. It was just a basic bug, just overwriting a timestamp.
00:31:45
Spearmint
Wow.
00:31:46
riptide
But it was one of those protocols, like if you look at Lido and why it's a good target, it's because of a lot of their audits, because they frequently get audited,
00:31:57
riptide
and I noticed a lot of their audits were returning highs from multiple auditors. And it's like, man, just look at their ecosystem and pull up some of their repos.
00:32:10
riptide
It's not just one repo, it's plenty. And they've just grown so big and they want to do so many things. And you have a lot of people in the code, a lot of moving parts,
00:32:21
riptide
a lot of auditors, and when you get a complex situation like that, I think your chances of finding bugs just increase quite a bit.
00:32:33
0xjuaan
I'm curious what made you dive into the dual governance specifically? Was it because they just launched it on Immunefi?
00:32:40
riptide
I can't remember how I came across it. I think I was actually working with another guy on it and we just picked this target, I think just out of the blue, like, hey, let's look at Lido.
00:32:55
riptide
And then we pulled it up. I wasn't even aware of dual governance, and once you start looking at it you're like, my God, this is so complex. And I had another finding denied by them, and I had to really go through dual governance and try to understand the docs. And you know, LLMs are really good for understanding super complex docs like that,
00:33:17
0xjuaan
Mm-hmm.
00:33:18
riptide
where you're getting rebuffed by the protocol, like, we know it's hard to understand. And you're like, okay, shit, let me really dive into this. And I think it's just too complicated.
00:33:28
riptide
And you have a lot of nuance and a lot of what-ifs, and you enter one state and then that goes down a path to another state, and then there are a lot of if-else gates down there.
00:33:40
riptide
And I mean, that's ripe for bugs, in my opinion.
00:33:47
0xjuaan
Yeah, it makes sense.
00:33:49
riptide
Yeah, and like, go ahead.
00:33:49
0xjuaan
If they have many audits and they all return highs, then yeah, that's probably a really good target.
00:34:01
riptide
Yeah, and I just think it's good, man. And this is another, maybe I'll do some alpha drop. Something I used recently was to run Grok 4 on some diffs, just see some diffs and have Grok look at it. My God, it's fucking good.
00:34:23
riptide
It doesn't get everything right, but the speed at which it can review a large diff and research the rest of the project and give you input on it is just incredible. If you want to look at a lot of things quickly, my God, some of these tools, there are so many different ways you could use them.
00:34:48
0xjuaan
Grok 4, okay.
00:34:50
riptide
You haven't used it?
00:34:51
0xjuaan
So...
00:34:51
riptide
Oh, shit. Serious alpha.
00:34:55
0xjuaan
Yeah, I've never used Grok because it's on... Wait, is it... Do you use it from the Twitter...
00:35:01
riptide
Yeah, yeah. It has its own website, I think, but like it's blocked in the EU for some reason. So I just use it through X, which works for whatever reason. The downside is it's very slow, but it's pretty exhaustive on its searching and it goes out to the web, everything, man.
00:35:19
riptide
And like anything, you know, you got to double check everything, but I'd say it's pretty good, a pretty good tool.
00:35:26
0xjuaan
Okay, I'll definitely give it a try.
00:35:28
riptide
So you'd go Aave, Morpho, I like those, both good choices. And then maybe some staked ETH. But what about, have you looked at Dead Rose's platform, Yieldor?
00:35:46
Spearmint
Yeah, so we have looked into Yieldor. I think it's really interesting. You know, it is an interesting protocol. And you know the main way he gets a lot of the yield is looping the PTs.
00:36:00
Spearmint
So Pendle is actually another protocol that we do trust and use. So we also do a lot of the Yieldor strategies manually ourselves.
00:36:13
riptide
I wonder why just don't trust it.
00:36:14
Spearmint
but
00:36:15
0xjuaan
Hmm.
00:36:17
riptide
Dude, a great line is like, don't trust what you don't understand. And some of these protocols are so complex. And if you are not a dev, if you are not an auditor, I think people just YOLO into shit, because when I look at things, just like you, I'm like, uh, I don't know about that.
00:36:38
riptide
You know, but what kind of math is he doing? I'm sure he's looked it over, but it's like, and I'm not saying anything bad about his protocol. I honestly haven't even looked at the code. I'm just saying in general, I'm kind of the same way. I like to do these manually. I don't trust looping with stables or ETH. You just see these problems happening where there's an oracle issue or, you know, you name it, and then your capital's gone, dude.
00:37:09
Spearmint
Yeah, that is true.
00:37:09
0xjuaan
Yeah, so I'd say Spearmint has a higher risk tolerance than me because he's doing the PT loop strategy on Aave, but I haven't got around to doing that yet.
00:37:22
0xjuaan
So I'm missing out on the 80% APY or whatever that is.
00:37:27
riptide
Ted White tells the strategy, drop some DeFi Alpha here.
00:37:32
Spearmint
I mean, it's really simple.
00:37:32
0xjuaan
I think it's this. There you go.
00:37:35
Spearmint
So it also involves Ethena. So you get staked USDe. So, okay, so you get the PT staked USDe, which yields, I think right now, maybe 11%.
00:37:50
Spearmint
You can use that as collateral on Aave, borrow USDC at 5% and swap that into USDe, again into staked USDe and get the PT staked USDe. So each iteration of the loop, you get an extra 5% on your capital. So let's say you start with 10%, if you loop, you know, five times.
00:38:12
Spearmint
So five times five is 25, plus 10, now you're getting 35% APY on the same capital. And, you know, in terms of oracle risk and things like that, I was, you know, just like you, that's what I was worried about.
00:38:24
Spearmint
But, you know, Aave treats USDe just like USD. So it's basically a hard-coded oracle.
00:38:31
0xjuaan
Thank you.
00:38:32
Spearmint
So the risk is actually quite low. And as long as you trust Athena not to blow up, you should be fine.
00:38:41
riptide
Is it hard-coded though? I doubt it, knowing Aave.
00:38:45
Spearmint
I'm pretty sure, you know, USDe, like the PT, at least it's pegged to the USD price. I looked into it and, you know, it just returned one.
00:38:58
Spearmint
It's like a discounted oracle. So over time, the price can only go up as the PT gets closer to maturity. But
00:39:07
riptide
Has USDe ever depegged?
00:39:08
Spearmint
Yeah, I haven't looked into it. I don't think it has for like a long period of time.
00:39:19
riptide
I don't know. I hear you.
00:39:20
0xjuaan
Yeah.
00:39:21
riptide
This sounds like, this is straight up DeFi, man. I love, like, you know, I used to be in traditional finance and you look at products like this and there'd be whole structured product teams that would come up with some crazy way to generate a yield.
00:39:34
riptide
But you look at DeFi, it's like that on fucking steroids. But what you just said is so funny.
00:39:39
0xjuaan
yeah
00:39:41
riptide
Like to us, we're like, oh yeah, that's a typical DeFi strategy. To anyone else, they're like, what can you do on this thing and how many levels of risk have you just put on the burner there?
00:39:53
riptide
So if USDe depegs and then you get liquidated on Aave, the whole thing kind of unravels.
00:40:03
Spearmint
Yeah, you'd be in some big trouble there.
00:40:08
riptide
Well, but you're getting 30%.
00:40:11
Spearmint
Yeah, you can easily get over 30%. I think you can leverage up 10x, so you could easily get over 70%.
00:40:22
riptide
Oh my God, man. I don't know why. I used to do this. I used to just go YOLO on this DeFi, man. And I'm sure it'd be good. I just can't. I just can't. I just stick with like staked ETH and I just kind of sit there with my ETH like a humble non-DeFi user.
00:40:41
riptide
And I don't know if it'll ever improve.
00:40:45
riptide
Do you feel like, you know, the institutions that are obviously here now, what do you think their risk appetite is with DeFi? And do you think there's more that we could do to kind of help push this so it's more mainstream, the use of DeFi?
00:41:05
0xjuaan
I think it would take time. Like, there's way more people that trust Aave now than three years ago. And if these protocols can be battle tested for like 10 years, then I can see like traditional institutions being happy to use these products for a lot of their assets.
00:41:31
riptide
Mm-hmm.
00:41:33
riptide
Yeah, I mean, they have...
00:41:34
Spearmint
You know, there's a lot of demand for these kind of strategies.
00:41:36
riptide
Good.
00:41:42
Spearmint
You can even see on Aave, like right now, the PT-USDe, PT-sUSDe, the caps are completely full. And every time they increase the cap, it usually fills up within a few blocks.
00:41:56
Spearmint
So, yeah, a lot of people, I guess, are happy to ape into these strategies.
00:41:59
riptide
Mm-hmm.
00:42:04
riptide
And are you only using mainnet for your strategies?
00:42:10
Spearmint
Yeah, only mainnet accepts the PTs as collateral.
00:42:16
riptide
Hmm. Okay. But what do you think about, you've looked at Hyperliquid. What do you think about this separate L1 that's running on, I think, four validators that I don't know if they've been decentralized yet, and it's attracted so much capital because they have a good product.
00:42:41
riptide
Do you have money there as well? Would you trust that?
00:42:47
Spearmint
Yeah, right now it is, you know, really centralized to the four validators. They have decentralized up to, I think, 20 validators now, but I don't know.
00:42:59
Spearmint
I don't think they're involved with the bridge. So I think the bridge is still, you know, controlled by those four.
00:43:09
Spearmint
You know, we do have some money on Hyperliquid, but yeah, that was definitely a big concern we had.
00:43:19
riptide
Yeah, I think it's interesting, man. It's just like, I don't know, it sounds like you guys haven't been in the game too long, but if you remember when BNB chain came out, they were the first kind of chain to take market share from Ethereum because they were doing what Ethereum could do, but doing it quicker.
00:43:39
riptide
And they just increased their block size, block times, and they were able to have a very fast experience, but it was centralized. But they took so much market share away for the meme coins. Not only meme coins, but gambling, scam coins, everything, but everyone went to BNB and no one really gave a shit that it was centralized.
00:44:01
riptide
And I feel the same way with Hyperliquid. I think they're making good steps, last time I checked, to kind of push out decentralization a bit and address some concerns.
00:44:15
riptide
And I guess they're building something a bit different with different objectives. But it's funny, man. It's just like, at the end of the day, people wanna make money, as always.
00:44:26
riptide
And they're willing to sacrifice a certain amount. Everyone's got a different risk tolerance. And if you see like a billion in the bridge, a couple billion, and you're like, well, what's my 20 grand, you know, as part of this? You know, if the big whales are willing to go deep, come on, like that justifies it to them.
00:44:49
Spearmint
Yeah, definitely. And with Hyperliquid, you know, the validator code is currently completely private. And that's what we, you know, we haven't gone into auditing blockchain level stuff yet. But if they ever do make that public, that would be such an interesting place to look.
00:45:11
riptide
Yeah, someone reached out a few months ago. I think they were decompiling it. Maybe they're still decompiling
00:45:17
0xjuaan
Thank you.
00:45:17
riptide
I don't know.
00:45:18
Spearmint
okay
00:45:18
riptide
But there's dudes that do that. Like there's guys that just sit in the dark, man, and just like decompile code. Way, way bigger brain than I am. But like those dudes are out there.
00:45:30
riptide
And hopefully they're not malicious, because you know you have the Lazarus and other big groups that literally, you know, do this stuff because they have to.
00:45:41
riptide
Like, did you see that one from, who put it out, PC put it out, like the investigation that they found where the initializers and everything was being kind of poisoned by Lazarus?
00:45:56
0xjuaan
Yes. Yeah. We had a look at that.
00:45:59
riptide
God, man, like, you know, I can't say that they're not looking at Hyperliquid, because I guarantee they are.
00:46:11
0xjuaan
Yeah. I think there was a tweet from Tay Vano a while ago, like showing North Korean linked wallets trading on Hyperliquid.
00:46:21
riptide
Yeah, like getting liquidated, you know, probably poking around, testing.
00:46:22
Spearmint
yeah
00:46:22
0xjuaan
Yeah.
00:46:26
riptide
It's just like, and you hope to never see it, man. You never want to wake up. And my God, how many times it's happened, you know, where I woke up and I'm like, oh, fuck. What crazy exploit on some protocol that I've invested in has been hit. And it's happened so many times that this is why I'm scared out of DeFi.
00:46:46
riptide
It's like, I don't know how to kind of get that feel-good feeling about doing what Spearmint's doing here.
00:46:47
0xjuaan
Yeah.
00:46:53
riptide
I think Pendle had an incident, it was only six months ago, right?
00:47:00
0xjuaan
ah
00:47:01
Spearmint
Oh, did it?
00:47:01
0xjuaan
I did not hear.
00:47:06
riptide
I'd have to look it up.
00:47:07
0xjuaan
i
00:47:07
riptide
They had some issue.
00:47:09
Spearmint
Oh, I think they did have a front-end issue. I don't think the contracts ever got exploited.
00:47:17
riptide
Okay, maybe it's a front-end issue. Dude, there's always something. Fuck. What do we do, guys? What do we do?
00:47:27
Spearmint
Yeah, it's hard, but
00:47:27
riptide
Call Obsidian Audits.
00:47:29
Spearmint
i
00:47:31
Spearmint
I think that if you trust the main players, it is just different. For example, on Solana, Juan was doing a different looping strategy.
00:47:46
Spearmint
And you know he'd asked the really amazing yield. And he suggested that I also get into it. And I almost got into their vault. So they also had a vault.
00:47:56
Spearmint
I almost deposited money in there. And then a couple of weeks later, they got exploited. And so we do also have these close calls.
00:48:05
riptide
Oh man, yeah, the best is when you get out.
00:48:11
riptide
All right. Dude, and there's so many trust assumptions too. Even with Aave, there is trust that you're going to have an active governance as well, that you're going to have participants that care about the protocol.
00:48:31
riptide
So if something happens, where, you know, a proposal passes where governance is not, you know, they're asleep at the wheel, well, it can cripple the protocol.
00:48:45
riptide
And I don't know, some people are comfortable with these assumptions, but then others, I mean, especially when you have huge stakeholders in certain protocols that basically have captured governance.
00:48:58
riptide
And if those entities are disabled for the right window of time, well, now that protocol is compromised, even though it doesn't look compromised and no one really notices, because a governance proposal has been pushed through and it's been approved and it passes quorum, and then the whole protocol is fucked.
00:49:22
0xjuaan
Yeah, that's why I'd say just supplying USD to a Morpho market that has a Chainlink oracle and the collateral is like, I don't know, wrapped ETH or something.
00:49:37
0xjuaan
That's probably the best way you can earn yield on your USD without having to worry.
00:49:44
Spearmint
Bye.
00:49:49
0xjuaan
Not having to worry about Aave or Ethena or Pendle.
00:49:51
riptide
In DeFi. Yeah.
00:49:53
0xjuaan
Yeah.
00:49:54
riptide
Yeah. I think even Coinbase, like if you want to just say, forget DeFi, and you really want, you know, if you're really paranoid, I guess I'd go with Coinbase. They offer staking or some sort of yield on USDC. I would never do that. I just don't like the whole centralized aspect of anything.
00:50:13
riptide
But yeah, I think you're right. Just a basic strategy and your risks are very low, but hey, then your yield's low. I mean, you know, what does yield represent?
00:50:22
0xjuaan
Yeah.
00:50:23
Spearmint
Thank you.
00:50:23
riptide
It represents the amount of risk that you're willing to take. In some cases, it would be some alpha if you had something somebody else didn't, but usually that reflects your risk.
00:50:35
riptide
And I kind of want to transition from that, talking about governance capture and governance risk, to a little alpha drop.
00:50:47
riptide
Today's alpha drop would be, it's actually a known finding that many people are probably not aware of, but it's with OpenZeppelin and you can look it up as CVE-2022-31198.
00:51:01
riptide
2022-31198. And it's a governance capture quorum bug. So it's pretty cool. I think it's before 4.7.3. You could have a proposal, and the bug was that you could have a proposal that, you know, there's some votes on it and it doesn't pass.
00:51:26
riptide
But the positive votes were larger than the negative votes and it didn't pass quorum. And so it could sit there for, there's no time limit.
00:51:37
riptide
This is the big problem. And then you have a new proposal that comes out a year later that says, hey, we're going to change the quorum, and it lowers the quorum.
00:51:50
riptide
And now that old proposal can be executed, even though it didn't pass the initial quorum. So you can have some stale thing out there.
00:51:57
0xjuaan
Oh,
00:51:59
riptide
And it's really cool, man.
00:52:00
Spearmint
Thank
00:52:00
riptide
And I looked at this, I was like, oh my God, I didn't even hear of this until recently. I just came across this bug. So, governance capture, quorum change. Now here's the issue.
00:52:12
riptide
And here's the thing as a bounty hunter, right? If you go report this to a protocol, they're just going to give you the, unless you could find, you know, where they've already lowered the quorum,
00:52:24
riptide
and you have old proposals at risk, they'll blow you off. They'll just say, oh, we'd never lower the quorum. Just like anything with bug bounty hunting, if there's any nuance, if there's any room for them to deny it, they're just going to say, oh, we'd never do that.
00:52:38
riptide
So if you do find a protocol with this, you got to set your alerts and you got to say, all right, well, we just need to wait until they lower the quorum and then we could submit a bug, because it is actionable for certain protocols, you know, once that happens.
00:52:56
riptide
So something cool to look at. Do you guys have any alpha drops to drop?
00:53:01
0xjuaan
Interesting.
00:53:03
riptide
I mean, even though you've dropped your cool Fraxlend one, I don't want to put you on the spot, but if you do have something, please share.
00:53:12
Spearmint
Yeah, I'd give one, which is, it's more just advice to my past self, but it's: when bug hunting, bounty hunting for crits specifically, don't just look at the, you know, core contracts and core functionality of whatever protocol you're looking into.
00:53:25
riptide
you
00:53:30
Spearmint
So yeah, it's really common that, especially when you have a time crunch and, you know, you want to audit a protocol, you just go on DeFi Llama,
00:53:41
Spearmint
you know, look at what's gaining TVL and then you start looking into it. And, you know, what I used to do is after I, you know, deeply look into the core contracts, if I don't find anything, okay, there's probably nothing. It's time to move on to the next option. But I've seen now time and time again that if you look a little bit outside the core contracts or the core product, there's often criticals there. So, for example, Silo Finance is an isolated lending protocol, but they launched like a separate contract to help people loop and leverage, and that quickly got exploited.
00:54:25
Spearmint
Even yourself, you found a bug in Balancer's Merkle Orchard. So that's a separate reward distributor contract. If I was going to go try to find a crit in Balancer, I would just spend all my time looking at the core logic of the AMM and things. And it's easy to overlook these other contracts, where you can still find criticals.
00:54:53
riptide
Yeah, good alpha, man. I actually do the opposite. I always go to the periphery first. I just assume there's less eyeballs on it. I don't know. Or if it's not in scope, I look at that. And, like, governance contracts, just like, have they done anything weird?
00:55:10
riptide
And you know, devs, man, they usually just do some weird shit. Like, oh, we'll just roll our own crypto. You know, we'll just change this up a bit. They add a few lines. So I think that's always interesting. I think that's how I ended up on that
00:55:22
riptide
weird Merkle Orchard claiming contract. It was just so oddball that, you know, what I found out didn't work right, but yeah, that's a great tip, man. Go outside the core and hopefully no one's looking where you're looking.
00:55:38
Spearmint
Yeah, definitely. And I think it's really common for these periphery contracts to not even get audited, especially since, you know, tier one audits cost a lot. If you have a huge code base, they usually just get the core audited and, you know, they just leave out this periphery stuff.
00:56:00
riptide
Yeah, yeah, and that goes for relayers too. Anything that touches the contracts, you know, the good old black boxing and not looking at things. Just try to look where no one's looking. It's one of my classic tips.
00:56:14
riptide
Cool, guys, you got anything else here? Do you have to have an ID to log on now that you're in Australia? You got to verify your age to log on the blockchain?
00:56:26
Spearmint
Not yet, but probably pretty soon.
00:56:30
riptide
You know, around that, like, I always trust the nerds on our side to outwit the government nerds. And I think we'll always win in this technology battle.
00:56:46
0xjuaan
Yeah, I think we need ZK proofs to become mainstream and then we can have privacy without, like, we can prove our age without needing to give them our IDs.
00:56:46
Spearmint
Yeah.
00:57:00
riptide
Absolutely. Or not prove it. Fuck them, man. Fuck all these rules. Fuck the rules. When you get to my age, man, you just say fuck the rules.
00:57:10
Spearmint
you
00:57:12
riptide
Cool. Well, guys, it was a pleasure having you on. Again, this is Obsidian Audits. I think you guys are doing great. A brother team. I mean, I don't think this team is going to blow up.
00:57:25
riptide
They're tight. Tight as anything. But you guys are doing great work. Thanks for putting out the lib for HyperEVM. I'll have to check it out. But yeah, man, thanks for coming on.
00:57:37
riptide
And we will see everyone next time on the blockchain.