riptide and 0xSimao, "the human fuzzer", discuss going from being a humble aerospace engineer to getting started in crypto with ThreeSigma and then being selected to be part of Blackthorn; how he approaches audits vs. contests; auditors vs. bounty hunters; approaching bug hunting with the right mindset to locate zee bugs; auditing for clients that do not respect security; why bounty hunting is playing the long game; taking the L when you miss a bug as an auditor; red flags in codebases and what to look for; things that are always out of scope during an audit that bug hunters should look at; and much, much more ...

Transcript

Introduction and Sponsor Shoutout

00:00:00
0xSimao
Thank you.
00:00:07
riptide
Life on the blockchain. Welcome back to Bounty Hunters. This is your host, Big Riptide, and we have again our first sponsor. Big shout out to Recon. You can learn more at getrecon.xyz/riptide. They offer high quality Solidity audits powered by invariant testing.
00:00:28
riptide
Having worked with leading projects such as Centrifuge, Liquity, and Badger, they also have a ton of useful resources for bounty hunters and protocol devs.

Meet 0xSimao: The Human Fuzzer

00:00:38
riptide
And as I was saying in the prior episode, I like that you can fuzz test right from the GitHub.
00:00:43
riptide
Check them out at getrecon.xyz/riptide, and you'll get five grand off for first-time customers for an invariant testing engagement. All right, my guest today is 0x Simal.
00:00:59
riptide
Is that how I say it?
00:01:01
0xSimao
Yeah, I guess literally it is how you said it.
00:01:05
riptide
Also known as the human fuzzer. Is this true?
00:01:10
0xSimao
Well, I'd like to think so, but I don't think it's always true, to be honest.
00:01:15
riptide
Dude, that's a good flex. Introduce yourself to ladies: "Baby, I'm the human fuzzer."
00:01:19
0xSimao
Yeah.
00:01:24
riptide
So, hey, I was referred to you from McKenzie with Immunefi. He said you were a based Ultra Giga Chad. So thank you for coming on the show.
00:01:35
0xSimao
Yeah, thank you. It's really nice to be here. It's really cool. I finally get an opportunity to introduce myself to the community, and I think this is a great place to do so.
00:01:47
0xSimao
So yeah, really excited.
00:01:48
riptide
Definitely. Hey, man, give us a little background, anything you want to share, like how you guys started.

From Aerospace to Blockchain: 0xSimao's Journey

00:01:54
riptide
I saw you were at Three Sigma, and then are you doing that with Blackthorn as well, or is that kind of a new startup? Give us a little breakdown of your past here and how you got into this.
00:02:06
0xSimao
Yeah, I mean, I feel like everyone gets into blockchain as a whole in very specific ways. It's not really a predefined path, you know. So in my case, I finished my aerospace engineering degree.
00:02:23
0xSimao
And I actually tried to do some work in the industry, but it's not really developed where I'm from, in Portugal. So I'm like, yeah, well, this is not going to work out, so I turned to software. I worked like four months or something at a kind of product company.
00:02:47
0xSimao
They were developing some enterprise software. But yeah, I've got to be honest, that was a bit boring.
00:02:56
riptide
Mm-hmm.
00:02:57
0xSimao
And then these guys from Three Sigma, well, they had a friend in common with me. And they reached out to me, we talked a bit, and then they introduced me to the blockchain Solidity world, and I got basically addicted.
00:03:14
0xSimao
I just tried to find out as many resources as possible, you know, to try to learn as much as possible. I started by reading Mastering Ethereum, stuff like this, very theoretical stuff.
00:03:28
0xSimao
Yeah, and then eventually the guys at Three Sigma realized I was really interested in this, and so they took me in as an intern. Yeah, and then basically they were teaching me and I was collaborating on audits with them too.

Mindset of Auditors vs Bug Hunters

00:03:45
0xSimao
And yeah, that's basically how it started. And at some point, I think two months in, I discovered Code4rena and I just spent most of my free time there.
00:03:58
0xSimao
So yeah.
00:03:59
riptide
Oh, very cool. Everyone's so humble in this field. Humble rocket scientist here, just casually auditing some protocols. And so I should let the listeners know: this is our second podcast with a primary, I guess I would say you're primarily an auditor.
00:04:18
riptide
You say you were trying to do some bug hunting, but no success yet.
00:04:19
0xSimao
Yeah.
00:04:22
riptide
Right.
00:04:23
0xSimao
Yeah, I mean, I dedicated only maybe one week to it. So if I had success in one week, that would be pretty insane.
00:04:28
riptide
Not enough.
00:04:32
0xSimao
But I think it's just, I haven't dedicated a lot of time to it, you know, so...
00:04:36
riptide
Yeah, no, fair, fair. And yeah, it's always the case: don't dedicate any time to something, don't expect any results.
00:04:42
0xSimao
Exactly.
00:04:43
riptide
Yeah, so right now, so I brought Tigran on from Hexens on the last episode and we were talking all about how auditors look through things a bit differently than how bug hunters look at things, but
00:05:00
0xSimao
Yeah.
00:05:01
riptide
I wanted to kind of, because we share so many viewpoints, we share a lot of the same knowledge base, but it's just, we do the job differently. You know, like how do you view your role versus a bounty hunter in this industry?
00:05:16
0xSimao
Yeah, so this is actually something very funny, because I started thinking a bit about this when, I think it was White Hat Mage, I think.
00:05:30
0xSimao
Yeah, exactly, when he found this 1 million bug bounty, I think.
00:05:30
riptide
Love the Mage.
00:05:36
0xSimao
And I'm like, well, yeah, I mean, what exactly should I do differently to be able to get this kind of bounties and to do bug hunting? And to be honest, I think it boils down to the fact that, and this is something that he confirmed when I was talking to him,
00:05:55
0xSimao
as auditors, we don't assume any piece of code is correct. You know, we think everything is wrong and we need to manually, often writing tests and stuff like that too, verify that all code is correct, even if it doesn't really matter.
00:06:16
0xSimao
So I guess the main difference is that we don't assume any happy path or something like this. We don't take any code for granted. And whenever I try to apply this to bug hunting, I just spend so much time on, like, useless stuff, when I think I should be spending all my time trying to get to that attack path that people probably didn't look at, you know?
00:06:45
riptide
So like, what do you mean?
00:06:46
riptide
What's the useless stuff that you're wasting your time on?
00:06:48
0xSimao
Like the usual stuff is, for example, if a protocol has been live for, let's say, one week, one month, or one year, you just know most flows work, right?
00:07:03
0xSimao
Like, at least this is the conclusion that I got to: most flows, you have to assume they work. Like, I shouldn't lose time. Like, you make a deposit and you get a certain number of shares. I shouldn't be trying to verify this is correct.
00:07:23
0xSimao
Because the protocol has been live for so much time. It would have come up by now, you know?
00:07:30
riptide
That's a hell of an assumption that anyone would... my God, I mean, there's flaws in that. You know that.
00:07:39
0xSimao
Yeah, yeah.
00:07:39
riptide
Yeah, I mean, a deposit, withdrawal, yeah. Because remember, 99% of people are interacting with the front end. So whatever the front end says is right; it could do front-end rounding calculations.
00:07:52
0xSimao
Yeah.
00:07:53
riptide
You'd be doing, you know, whole number 118 withdrawals.
00:08:00
riptide
You know, you just, you never... there's just so much nuance to that.
00:08:03
0xSimao
Yeah, yeah. I mean, let me just give you a better example. Like, for example, when I audit, I always verify that the name of the variable that you pass to a function is the same argument that the function receives, you know?
00:08:18
0xSimao
I manually verify this because this is a very common bug, unfortunately. Like, it happens all the time. You pass a variable to a function in the wrong order, you know? And when I'm auditing, I need to manually verify all of this.
00:08:33
0xSimao
But this is something that would just come up if people use a protocol like this. I think it's impossible for something like this to not come up, you know?
00:08:42
riptide
Nothing's impossible, nothing's impossible. I think it's, well, when you, I'm not going to say easier, but it is, because I've done private audits, I've done private reviews. My hope that I'm going to find a bug when I do a private review before they go live is so much higher than when I bounty hunt.
00:09:03
0xSimao
Yeah.
00:09:04
riptide
Because I'm like, these guys haven't gone live yet, you know, they're coming to me to check for bugs. Obviously I'm going to find something, and you always find something on those projects. But a bounty hunt, you could just spin your wheels because
00:09:12
0xSimao
Yeah.
00:09:17
riptide
you know, three, four audit firms, contest, everyone's looked at it, and you may just find nothing and it gets super demoralizing.
00:09:24
0xSimao
Yeah, yeah.
00:09:26
riptide
Yeah. A little difference. Yeah.
00:09:28
0xSimao
So, yeah, I mean, that's really cool, to get to know a different perspective on this, to be honest, because I'm coming from a theoretical point of view, you know, so it's cool.
00:09:39
riptide
Yeah. No, I think if you put more time into it, obviously you'll start finding bugs. You know, we all share the same kind of knowledge base. I think the big challenge is the mental thing. Just don't get frustrated not finding anything like you would with an audit, because guys on the Discord, they talk about, or on X as well, what's his name?
00:09:57
0xSimao
Yeah.
00:10:04
riptide
Sloth, Lonely Sloth, was talking about, I think, not finding a bug for, I want to say, a year.
00:10:08
0xSimao
Yeah, yeah.
00:10:12
riptide
It was six months or a year or something.
00:10:13
0xSimao
That's crazy.
00:10:13
riptide
It was some crazy amount of time, but that's what it is. You're just waiting, and you're just looking, and you've got to have some patience and some bankroll to float you through these times.
00:10:24
0xSimao
Exactly, exactly.
00:10:28
0xSimao
Yeah, I mean, to be honest, I think now that I have a more solid, you know, financial side of things, I feel a bit more free to dedicate more time to bug hunting.
00:10:42
0xSimao
Exactly because of what you just said. But when I was starting out, I just couldn't afford to stay six months receiving zero money.
00:10:49
riptide
Yeah.
00:10:50
0xSimao
So, you know, that's absolutely true.
00:10:53
riptide
Yeah, not many can. Hey, I wanted to ask you, so when I was talking on the last episode, I brought up some red flags that we kind of use, like, well, I use as a bug hunter when I see projects and I try to screen projects, something like that.
00:10:56
0xSimao
Yeah.
00:11:12
riptide
I'll give you my list, and I want to hear your feedback on it this time. I forgot to ask Tigran for this. So my red flags, if I see an audit.

Recognizing Red Flags in Audits

00:11:21
riptide
Okay. So if I see a protocol with follow-up audits, so audit number two or three, and they're all done by the same firm, big red flag.
00:11:33
riptide
What do you think of that? Have you ever been in a spot where you have a protocol saying, hey, we want a second audit by you guys? Do you say, hey, get the fuck out of here?
00:11:44
riptide
You need new eyeballs on it? Or do you say, yeah, I've got to pay the rent?
00:11:48
0xSimao
Well, actually, I don't think I've been in this position, to be honest. But in my opinion, I mean, usually within the same firm you have more than one team, right?
00:12:05
0xSimao
So you can kind of get around it, you know? But if it's the same team, yeah, definitely. Maybe get some other eyeballs on that.
00:12:18
riptide
All right, yeah.
00:12:19
0xSimao
Yeah, I think that's good. But generally, I agree that that is probably a good idea. Yeah.
00:12:25
riptide
All right, what about this one? So this is one of the most common things I see: the old out-of-scope contracts.
00:12:33
0xSimao
Yeah.
00:12:33
riptide
Due to the time-boxed audit, or this is another one where the protocol interacts with something else, and the audit team's like, oh, that's a black box.
00:12:47
riptide
We're not even looking at it. What do you think about that? Because that's very common. And that led me to a critical on Polymarket, the good old black box.
00:12:53
0xSimao
Yeah.
00:13:00
riptide
No one pays attention to any external things sometimes. What are your thoughts on that from an auditor's perspective?
00:13:03
0xSimao
Yeah.
00:13:06
0xSimao
Yeah. I mean, from an auditor's perspective, I think most firms actually do that. Like, they just flag it as out of scope, like an external dependency.
00:13:18
0xSimao
And then whether the auditors actually look thoroughly into this external integration is entirely up to the firm, but it's not something that comes written down, you know?
00:13:28
0xSimao
Yeah.
00:13:29
riptide
Yeah. Why is that? Is that just an easy way to cop out? Or is it like, hey, this is a business, this is what we're getting paid for, and we're not lifting a finger more?
00:13:35
0xSimao
Yeah. No, I think it's because of the second point. Yeah, I think clients have this budget, they get quoted for audits, and everyone quotes them excluding the internal and the external integration, and it just gets a whole lot cheaper for them.
00:13:52
riptide
Mm-hmm.
00:13:54
0xSimao
You know, because it would be very expensive to have the auditors officially looking at the external integration, if that makes sense. But
00:14:04
riptide
Yeah, no, it does.
00:14:05
0xSimao
I think any reasonable firm that actually tries to do really well security-wise, I think the auditors absolutely need to look into external integrations with proper attention. Okay.
00:14:22
riptide
All right, next one. I never see audit firms doing this. Deployment scripts always seem to be not reviewed.
00:14:29
0xSimao
Ah.
00:14:33
0xSimao
Yeah, yeah.
00:14:35
riptide
Is that true? Yeah.
00:14:37
0xSimao
That's very true. So basically, as an auditor, I do that whenever the clients, well, sometimes they ask us.
00:14:50
0xSimao
It's never officially a task for us, you know? So we do that either when we feel that it is interesting for some reason or because the client asked us to, but it's never officially a task.
00:15:04
0xSimao
Like, you're not actually required. So for example, in contests, it's never in scope, right? Like, deployment scripts are never in scope.
00:15:10
riptide
Right. Good old in scope.
00:15:12
0xSimao
Yeah, so yeah, that's true. So absolutely.
00:15:16
riptide
That's another crazy one.
00:15:17
0xSimao
Yeah, and I think it's, for example, extremely relevant in upgrades. I think I've seen bugs more than once in upgrades where they just send the wrong parameter or something.
00:15:28
0xSimao
Yeah, it's common.
00:15:30
riptide
It's amazing how overlooked it is. And, you know, hey, bug hunters listening, that's a place to look: deployment scripts.
00:15:33
0xSimao
Yeah, yeah.
00:15:39
riptide
All right, next one. Another great one. Unclean code. Just searching for TODO or "double check" or any of those.
00:15:49
0xSimao
I don't know, man. Like, yeah, that's true. But couldn't, I mean, if it's an actual critical and there's no way around it, yeah, of course. But couldn't protocols try to, like, not pay the bounty because it's a TODO?
00:16:06
0xSimao
Like, is this something that happens? I have no idea. Yeah.
00:16:10
riptide
No, no, no, I look at it as a symbol for lack of attention to detail. Like, if you're going to go live, it's like deploying with console.log.
00:16:20
0xSimao
Yeah.
00:16:21
riptide
You know, like you're not really looking at all the details. I just look at that as a potential weakness where there could be flaws elsewhere. Not always true at all. Could be rock solid, but you never know.
00:16:33
0xSimao
Yeah, yeah, that's it.
00:16:34
riptide
All right, what about lack of tests?
00:16:38
0xSimao
Yeah, yeah, I think, yeah, that's a huge red flag actually.
00:16:43
riptide
Is that pretty common when you get people coming up for audits? Do they just come up with, like, no test suite at all? Do they ask you to build it?
00:16:52
0xSimao
Like, it's common when the protocol is very small, you know, when it's just a simple thing, they think they don't need tests. But in this case, I do the tests myself, because I just don't trust myself enough to do an audit without at least a decent testing suite, you know?
00:17:12
riptide
Yeah, no, makes sense.
00:17:12
0xSimao
Yeah. Yeah.
00:17:16
riptide
All right, last one is if I see a high amount of high or critical bugs in their audit report,
00:17:23
riptide
what do you think about that?
00:17:26
0xSimao
Yeah, that's how, like, when I pick contests to do, it's one of the things I look at, especially when it's a conditional pot, you know, where if there are no highs, the pot is 100,000. If there are highs, it's 1 million, you know.
00:17:43
0xSimao
In this case, you've got to look into past audit reports to figure out if it's worth it, you know, because if there are highs and crits in past audit reports, then definitely there should be also currently, so.
00:17:56
0xSimao
Yeah.
00:17:57
riptide
All right. All right. So Montari, do you have any red flags you'd like to add that you could think of?
00:18:04
0xSimao
Red flag. Yeah, I mean, so for example, accounting, when the rounding is not consistent, you know, when it's not always protecting the users and the protocol, that's a huge red flag for me.
00:18:20
0xSimao
So
00:18:23
0xSimao
Like, if you find something rounding up in favor of a user instead of the protocol, most likely there could be an exploit related to rounding, because when people do this, it's because they haven't put in enough attention, you know?
00:18:39
0xSimao
So yeah.
00:18:39
riptide
Rounding up versus rounding down usually. Yeah. Okay, cool. I want to talk about one thing with the, I found something. It actually remains one of my favorite audits to look at.

Trail of Bits' Findings on AnySwap

00:18:54
riptide
It's from 2022, and this is like an auditor, Trail of Bits, kind of dressing down the client, and the client was AnySwap, which I think is no longer around. I think the team bounced, something happened, they drained everything, whatever.
00:19:10
riptide
This is from 2022. It was their implementation of a threshold signature scheme, and the audit is just riddled with findings.
00:19:21
riptide
There's so many findings and it's some serious cryptography. And they had this comment that Trail of Bits says: "The significant number of high severity issues discovered during our review are indicative of an immature code base that has room for improvement.
00:19:36
riptide
These issues largely stem from incorrect protocol implementation and improper data validation. Several of these issues affect critical areas and we suspect that similar issues are present elsewhere in the code base."
00:19:49
riptide
And so that one's pretty spicy, but then they have another one from the cross-chain bridge audit with AnySwap. And they say: "A number of the issues identified during the audit result from a failure to adhere to cryptography best practices for off-chain applications.
00:20:07
riptide
Others involve deficiencies in the documentation, error handling, data validation, and unit testing. In aggregate, these findings are indications of a code base lacking in maturity and of a software development lifecycle in which security was not prioritized."
00:20:24
riptide
I mean, you know, imagine the protocol getting that feedback. Like, fuck, man.
00:20:30
0xSimao
Yeah. Yeah.
00:20:30
riptide
It's embarrassing. And, you know, when you go to an audit shop and you expect them to do all the work for you, I think that is a wild kind of assumption.
00:20:34
0xSimao
Yeah.
00:20:42
riptide
It just means, I think, you're lazy and you're going to get fucked in the future.
00:20:47
0xSimao
Yeah. Yeah. I mean, I think it's something probably much more common than it should be, to be honest. Like, people just deposit so much hope that the audit firm can fix all their problems magically, you know.
00:21:04
riptide
Do you have any stories from, you know, your time at Three Sigma where, you don't have to name any clients or anything, but just some egregious examples of protocols not taking security seriously?
00:21:22
0xSimao
Yeah, I mean, more often than not, I was basically writing the code for them.
00:21:29
0xSimao
Because I'm like, well, if I just make the recommendation, they will probably just implement it incorrectly, you know.
00:21:29
riptide
How many times?
00:21:39
0xSimao
So at some point I was just writing code for them.
00:21:42
riptide
And they just took it, just copy-pasted the new function.
00:21:43
0xSimao
Yeah.
00:21:46
riptide
Oh, Jesus.
00:21:48
0xSimao
But yeah, like, most of these protocols, I was pretty convinced they were not even going to deploy, to be honest, when this happened, because usually this happens when they have a limited budget, unfortunately, you know.
00:22:03
0xSimao
And with a limited budget, it's very much the case that they just don't get to deploy, because they run out of resources, you know. But yeah, I mean, I don't have any feedback on these protocols that something went wrong.
00:22:22
0xSimao
So, but yeah, some of them were in a very scary place.
00:22:29
riptide
And so you've done audits, formal audits, working for an audit company, and then you've also dominated the contests.
00:22:36
0xSimao
Yeah.
00:22:40
riptide
What do you think about, like, if you're a protocol dev and you're about to go to market, what do you think about the differences between those two avenues?

Private Audits vs Contest Audits: What's the Difference?

00:22:50
riptide
And do you think one should come before the other, like getting their money's worth better on one versus the other?
00:22:58
riptide
What do you think?
00:22:59
0xSimao
Yeah, I think they just fit different purposes. Like, you want to go with a firm to get that base coverage, you know, to make sure that you actually get two or three or four, I don't know how many experts looking at the code base, and you are guaranteed to have them looking at the code base. You have some legal protection on this.
00:23:22
0xSimao
So that definitely, it's more of a, you more or less know exactly what you pay for. Although, of course, if you choose some firm that is not very honest in their audits, like, you know who I'm talking about, right?
00:23:38
riptide
Who would that be?
00:23:44
riptide
Starts with a C.
00:23:45
0xSimao
Yes.
00:23:48
0xSimao
Everyone knows what I'm talking about. But yeah, at least you have some guarantee that you're going to get top auditors. But in contests, it's a bit more... you can get zero, right? Or one, or maybe something like this, top auditors, which is very bad.
00:24:07
0xSimao
But you can also get like 10, you know?
00:24:10
riptide
Mm-hmm.
00:24:11
0xSimao
And many of these participants in competitions are very, very talented, but they haven't been around long enough, so they aren't known, but they provide a lot of value.
00:24:26
0xSimao
So I guess that maybe on average contests can be better, you know, on average, but as a protocol, you don't really want to play a lot with averages.
00:24:39
0xSimao
So, you know, you have to pick wisely, but yeah, they fit different purposes, I'd say.
00:24:47
riptide
Like, if you were a dev, what would you do? And you're about to deploy, would you say, hey, I'm going to go three audits and then contest and then private review? Like, what would you do?
00:24:59
0xSimao
Yeah, I think I'd go with at least one private audit and then one contest, I think.
00:25:04
riptide
After the audit firm?
00:25:05
0xSimao
Yeah, just so, you know, after the audit, you get the code... because it's also different, because, you know, when you're getting a private audit, you get much more feedback from the people doing the audit.
00:25:23
0xSimao
So it's easier to implement fixes and stuff like this, get some feedback on the architecture. In contests, you don't get as much of this, you know; they just present the bugs usually.
00:25:32
riptide
That's a good point.
00:25:34
0xSimao
So, and
00:25:36
riptide
Yeah.
00:25:37
0xSimao
So maybe it's easier to, you know... but on the other hand, if you end with a firm, you also get more attention on the fixes, most likely.
00:25:48
0xSimao
So it's really hard to say, to be honest.
00:25:54
riptide
Yeah, that's a very good point. Yeah, because you read an audit firm's reports and you get, like, hey, they really dig into your... I mean, the good ones.
00:25:57
0xSimao
Yeah.
00:26:03
riptide
They go through your whole protocol and say, hey, look, here's the design. Here's what we think. Here's what you can do better. Whereas the contest is just, I found a bug.
00:26:11
0xSimao
Yeah.
00:26:11
riptide
I broke it. Fixing it, I don't know. It's optional. Come up with something.
00:26:16
0xSimao
Yeah, exactly.
00:26:18
riptide
Yeah, it's interesting.
00:26:20
0xSimao
Yeah.
riptide
and so So right now you're focused just straight on competitions. And then what ah tell me, what is this Blackthorn thing?
00:26:29
0xSimao
So, Blackthorn is like... So, Sherlock has these top tier auditors in their layerboard leaderboard and they basically ah assembled a team which is called Blackthorn, you know, and it consists of the top auditors.
00:26:36
riptide
Mm-hmm.
00:26:46
0xSimao
And the basically it's a way like, okay, if you really want as as a protocol, if you really want to get that these three or four individuals in the leaderboard participates in the audit, you you actually get them locked down for your code, you can do a Blackthorn audit.
00:27:03
riptide
Yeah, okay. No, I didn't. i had Jack on here from Sherlock. I didn't realize it was called Blackthorn, the thing that he was doing.
00:27:09
0xSimao
Yeah,
00:27:10
riptide
Okay, so that's cool. So you guys are the top tier. Yeah.
00:27:13
0xSimao
yeah we we try, we try.
00:27:16
riptide
No, that's good, man. Like security in this space is just, it's so, it's so fascinating just on Twitter every day. Just, you never know what's going to come up and it's always fun to just look at the exploits and just see what was missed, who missed it.
00:27:35
riptide
Is this a new feature or is this a new bug pattern? Like, what happened? You know, how often do you kind of
00:27:40
0xSimao
Yeah.
00:27:44
riptide
dive into the after-action reviews and all these kinds of things? Do you look at all the new bugs like that? Do you follow this?
00:27:52
0xSimao
Yeah, basically, as I think most security researchers do, I follow more or less what happens in the crypto Twitter space.
00:28:02
0xSimao
And whenever there's an exploit, I try to find out if this bug is something that I've never looked into, you know. And if it interests me, I take a kind of deep dive to try to understand it.
00:28:18
0xSimao
And yeah, basically that's it, because as you say, some of them are quite novel, right?
00:28:26
riptide
Mm-hmm. That's true. Have you had any instances where something that you audited had an exploit?
00:28:37
0xSimao
Well, not an exploit, but it has happened, I think it has happened once, that one white hat actually found something after it was audited by me.
00:28:51
0xSimao
Yeah.
00:28:51
riptide
Yeah.
00:28:52
0xSimao
Like, at some point, you're auditing so many protocols. I mean, I try my best. I like to think that most people do, but we're humans.
00:29:04
riptide
It's impossible. Yeah. Everyone has flaws. Everyone is going to miss a bug at some point.
00:29:09
0xSimao
Like, what I try to do is as best as I possibly can, always. And that clears my mind, you know?
00:29:17
riptide
And the thing is, like, this is another problem with the space. It's like, I did a private review one time and, yeah, I did my best on it and I gave it back to the guy and I thought everything's fine.
00:29:30
riptide
And then he messages me, I think like a week later, and says, hey, so we just got a report from another white hat. You know, you missed, it was like an approval bug or something.
00:29:42
0xSimao
Yeah.
00:29:42
riptide
And my response is just like, you know, hey, I don't know what to say, man. You know, tried my best. Fuck. I'm sorry. I didn't apologize. I'm just like, hey, yeah, I missed that one. Because what do you say?
00:29:54
riptide
It's like, I tried.
00:29:55
0xSimao
Yeah, you can see much.
00:29:56
riptide
I mean...
00:29:57
0xSimao
Like, this time, it hasn't happened to me any time before, but I just tried to look at the fix, you know, try to find out if everything was well fixed.
00:30:09
0xSimao
And then I tried to see if there were related bugs, because, you know, if you miss

0xSimao's Audit Approach

00:30:17
0xSimao
if you missed this bug, there's a chance you missed the same bug in an unrelated place in the codebase, you know.
00:30:24
0xSimao
So I try to put some time into trying to at least mitigate what's left, you know, so.
00:30:32
riptide
And so what would be your method when you approach an audit versus a contest? Are they different?
00:30:40
0xSimao
Um... Actually, they weren't in the beginning, but I think they kind of need to be now, because devs and protocols really want that quick feedback, you know, and when you're doing a private review, if the auditors stay silent for like a week,
00:31:02
0xSimao
the protocol is going to get stressed out. But my way of doing things actually takes more time, because I like to start with the basics before I dive into the very specific and complex things.
00:31:18
0xSimao
You know, so I try to cover as many simple bugs as possible, like correct arguments, like precision, things like these, decimals.
00:31:30
0xSimao
I try to cover these easy things first, and I don't dive right away into the complex bugs. So it means that it takes me a bit more time than the protocol devs want to get to these deep bugs.
00:31:45
0xSimao
So, to be honest, I think I will change my approach a bit in private reviews to find those complex bugs first, because devs just love getting that early feedback, you know?
00:31:56
0xSimao
So...
00:31:57
riptide
and And for people that are listening, this is what is referred to as speed running. When people say they're gonna speed run a competition or whatever, these are these are security researchers who know a bunch of bugs in their head and they're looking for high level bugs and they're gonna scan a code base very quickly.
00:32:15
riptide
for any patterns that they're used to this and that, but deep kind of bugs and interactions are are separate from the the old speed run. So if you ever see that, that's a guy trying to just, all right, here's what we got.
00:32:25
0xSimao
Yeah. Yeah. Yeah.
00:32:27
riptide
Here's the low level stuff we could find.
00:32:29
0xSimao
yeah yeah
00:32:32
riptide
Okay, cool. And so so doing doing an audit versus a contest a little bit is a little bit different. and But for, I asked Tigran this too, the longest you've been locked in for an audit, you know as an employee you're paid to audit, was how long?
00:32:52
0xSimao
Um, I think it was like six weeks, I think.
00:32:57
riptide
Fuck, six weeks.
00:32:59
0xSimao
Yeah, because it was a, um, Noir codebase, you know, so they had the Solidity implementation and they had the Noir implementation.
00:33:11
riptide
And was it interesting to you?
00:33:13
0xSimao
Yeah, it was yeah actually.
00:33:13
riptide
Or were you could you not wait to get off it?
00:33:16
0xSimao
Yeah, no, no, it was cool because, you know, basically I spent half the time in the Solidity part and half in the Noir part.
00:33:22
riptide
Mm hmm.
00:33:23
0xSimao
Um, and so I don't know, but I find like this kind of ZK proving systems, they're very interesting. Like, they just get you a proof and you plug it in and it's magic, you know, so.
00:33:40
riptide
ah what what was ah What was involved with that? Like, did you have to pick up new skills?
00:33:43
0xSimao
um ah Yeah, basically, so Noir was and still is pretty new, right? So that there isn't much information. So when this happens, what I try to do is I also do a lot of tests because, ah yeah, I want to make sure, like double double check that everything is is working correctly.
00:34:04
0xSimao
and And then I also spend a lot of time, like, actually trying to... to see all all sorts of bugs that I must look for. like this it's It's a bit different than Solidity, which is well very well known.
00:34:21
0xSimao
right But yeah, basically it's just that. and I just need to test test things more thoroughly. think
00:34:31
riptide
Now, Noir, that was, is that related to Aztec? Why am I thinking it's something to do with Aztec network?
00:34:38
0xSimao
ah
00:34:39
riptide
Remember that does the privacy protocol that shut down because they're worried with the tornado situation?
00:34:39
0xSimao
i think
00:34:47
riptide
should look this up.
00:34:47
0xSimao
Yeah, it's Aztec. Yeah, exactly.
00:34:50
riptide
Aztec. did they develop this?
00:34:54
0xSimao
um I think so.
00:34:55
riptide
I don't know. I haven't looked into this that much.
00:34:57
0xSimao
I think so, yeah. I think so. To be honest, by now I was expecting there to be more Noir stuff, but it's just what happened. I was also expecting that for Fuel, but I'm still waiting.
00:35:08
riptide
Ah, and what's next, Move?
00:35:11
0xSimao
Yeah, I actually looked for the first time at Move in this ZetaChain contest. They have some Move contracts.
00:35:25
0xSimao
Actually, I like i like auditing Rust-based languages. I think they're easier. like The language itself is way more security-wise. I think it's better.
00:35:38
0xSimao
you know Some things are out of the box.
00:35:38
riptide
what do What do you think has the most pitfalls? Solidity?
00:35:44
0xSimao
yeah, Solidity, Solidity is just so fast to ship, you know, that it becomes dangerous but it's very fast, like
00:35:45
riptide
and's so ah It's so awesome.
00:35:53
riptide
Yeah. Yeah. I think it's gotten crazy with the inheritance. I really despise that just trying to find out what what's calling what it's really when you have like 50 contracts, it's terrible.
00:36:04
0xSimao
yeah yeah
00:36:08
0xSimao
but yeah Yeah, I agree with that. But you know yeah i saw the the survey, the Solidity survey, and actually people prefer inheritance.
00:36:19
riptide
Well, they could always go to Vyper, I guess.
00:36:21
0xSimao
Yeah, yeah, yeah. I mean, yeah, I think inheritance is is not so good also because of the super thing. Like, what the hell is it calling super? Like, you have to look at the order of inheritance to find out which, if you have more than two functions with the same, you know, you can't just, if you write super, you you have to check which one you're actually calling.
00:36:42
0xSimao
So.
00:36:42
riptide
I know. I know. And so, all right. So let's, we're going to go back since you're the auditor on, I'm going to still call you an auditor, even though you do contests until you find your first bug bounty, which no doubt will come as as long as you keep at it.
00:36:58
0xSimao
You know, i I submitted one just before this interview, so fingers crossed.
00:36:58
riptide
So,
00:37:01
riptide
oh, Hey, nice man. I hope it gets confirmed. So, right. Why do auditors miss bugs? Why do you think?
00:37:12
0xSimao
Um, like, short answer, it's human nature. But the long answer is that, uh, more often than not, there just isn't enough time, you know? Like, ideally you'd audit for much longer, but due to constraints like budget, deployment and stuff like this, uh, you just can't spend as much time as a bug hunter looking at the specific part of the code, if that makes sense.
00:37:46
0xSimao
Because as a bug hunter, you just, you you decide, okay, I'm going to focus this for, doesn't matter how many days, right? yeah
00:37:54
riptide
Mm-hmm.
00:37:54
0xSimao
And it just stay there. But with protocols, it's not always possible. So you try to do as better best as you can within this window, what audit window.
00:38:05
0xSimao
And yeah, sometimes people miss bugs. So yeah.
00:38:09
riptide
I'm curious about the the method of

Team-based Audit Methods by Hexens

00:38:12
riptide
the audit firm. So the only one that I know of, and maybe a lot of them do this, is the Hexens method, because they actually put it on their audit reports that I've read, where they have a team doing it and then they give it to the other team.
00:38:22
0xSimao
Yeah.
00:38:25
riptide
So you get like two internal teams doing the – I think it's pretty cool.
00:38:27
0xSimao
Yeah, this is
00:38:29
riptide
Do you know other firms doing this? Like did they do that at Three Sigma?
00:38:34
0xSimao
No, we didn't. But I know that I think it's file security that also does it. I think I saw tweet.
00:38:40
riptide
a Okay.
00:38:42
0xSimao
I think I saw tweet about this. A post, right? About this.
00:38:45
riptide
Yeah. The only way I could see that model kind of breaking down is like if you get somebody with an ego, maybe like it's your boss or something and and you find this shit under him and you just can't flex on him.
00:39:00
riptide
So you – I couldn't think of a scenario where you're going to hide the bug.
00:39:01
0xSimao
Yeah, yeah, I mean, I mean that falls under the part where you must do a background check on the people you hire, right?
00:39:03
riptide
No, that wouldn't happen. But it seems pretty good.
00:39:13
0xSimao
If you want to hire people to participate in a team, they they have to be able to know how to participate in a team.
00:39:20
riptide
Yeah, yeah. And when you do your, the audits, do you kind of like, do you have to educate the devs that you work with? Or, you know, do do you find that most are competent?
00:39:35
riptide
Are you just getting all types? Because anyone could pick up Solidity, start coding, get money and say, hey we're going to deploy.
00:39:40
0xSimao
Yeah, um yeah and when I'm doing private audits, I know who the devs are.
00:39:43
riptide
Like, do you even know who the devs are sometimes? Yeah.
00:39:53
0xSimao
But um I guess now most of them, they're more competent now, definitely. ah it's It's getting better in that perspective.
00:40:02
riptide
Then when?
00:40:04
0xSimao
Than, I don't know, maybe when I started two years ago, yeah, I think it was... it's getting better overall, I think. Like...
00:40:12
riptide
Do you think it's going to get worse with people vibe coding?
00:40:16
0xSimao
Yeah, I mean, it it can get worse. Yeah, it can get worse. I think like all studies that that people have done have shown that like these tools have increased the number of bugs in the code.
00:40:30
riptide
What did you see some studies about this?
00:40:33
0xSimao
Yeah, there's there's there's a study. I think I actually published it, like guy the article. I think I've mentioned it somewhere. There's there's ah been at least a study about this.
00:40:45
0xSimao
Because, you know, like you just press tab or something and and it writes the line of code.
00:40:45
riptide
Do you?
00:40:50
0xSimao
It just seems easy.
00:40:52
riptide
It's so bad. You think we'll get to a scenario where bug bounty hunters are the most valuable people on the planet? Because devs from Bangladesh will be vibe coding.
00:41:05
0xSimao
yeah
00:41:05
riptide
There'll be teenage devs vibe coding from Bangladesh. And then the audit firm vibe audits. And then the only one looking at the code is the bug bounty hunter.
00:41:15
0xSimao
Yeah, yeah, I don't know, man. I like to think that won't happen, but yeah, yeah, I mean...
00:41:15
riptide
This is my prediction.
00:41:22
riptide
ah Dude, humans are lazy, man. I see it happening.
00:41:29
0xSimao
Protocols try to often try to cut as much cost as possible. So you know it's bound to happen.
00:41:37
riptide
That's true. I do... How do you figure, like, all right, you wrap up an audit. This thing's locked down, secure. And then the company deploys it. And then they always tinker with it, they have to change something.
00:41:53
riptide
yeah And, you know, like they only have so much money and they always want to tinker with the protocol.
00:41:59
0xSimao
yeah. yeah.
00:42:00
riptide
but then they'd have to get another audit. And the price of an audit for people who don't know can range from like five grand to 80 grand, to more, to 150 I've seen.
00:42:13
0xSimao
yeah
00:42:14
riptide
So the prices are all over the place, depending on the engagement time, the brand, blah, blah, blah. So if you do a little modification, most can't afford to pay for another audit. Like what what should these protocol teams do to try to ensure security?
00:42:31
0xSimao
Yeah, I like... I think they, um, well, there is always the option of trying to find some... but I don't think this option is well known, to be honest, because I've been in this place and I have never gotten any protocol reaching out to me. But you've got like junior independent auditors that are actually pretty good.
00:42:56
0xSimao
And I think security wise, in terms of outcome versus price, you know, I think you can get a very good deal with these people, but protocols don't do this. they this like they They just aren't aware of this.
00:43:10
0xSimao
which I think would be a good fit, to be honest. But alternatively, I think maybe they can reach out to the last firm that audited them, because this firm could do a discount because they already have a lot of context on the codebase, right?
00:43:28
riptide
That's a good point. I've gotten that request before. Just like, oh, hey, can you just quickly? But that's also kind of ah a trap because they they they know you're not getting paid for it.
00:43:39
riptide
You know you're not getting paid for it. And so they just kind of want your thumbs up, but you may not give it your all because it's like, oh, you don't know that it interacted with something else they didn't change um that they you're not looking at because you're doing something else.
00:43:44
0xSimao
Yeah.
00:43:56
riptide
So who knows?
00:43:56
0xSimao
Yeah, yeah, that's a trap.
00:43:57
riptide
Could go either way.
00:43:58
0xSimao
Yeah, it's a trap. Yeah.
00:43:59
riptide
Yeah.
00:43:59
0xSimao
I mean, I try to avoid that as much as possible. But I mean, ah you you you got to try to be as honest as possible here. And for for the protocol, it's still the best deal they can get, probably.
00:44:13
riptide
What about for fuzzing? Do you like, is that a normal part of your audit process? Do you, do you pull out the fuzzer on every engagement?
00:44:21
0xSimao
Um, like, when I try to find out if something will break, yeah, like if I have some intuition about something, I might try to set up a fuzz test about that thing, just to verify that it really happens or it doesn't happen, you know?
00:44:37
0xSimao
So it it gives a little bit of extra confidence.
00:44:41
riptide
And what do you use? Typically you just use built-in Foundry.
00:44:44
0xSimao
Yeah, I just use Foundry. Yeah. If they're using Hardhat, I just set up Foundry and write the tests. Because...
00:44:53
riptide
No love, no love for Hardhat.
00:44:55
0xSimao
No, I just... When I started out, like, Foundry was already becoming mainstream a lot, so I didn't get to pick up Hardhat. Um, so, yeah, I guess I just...
00:45:08
riptide
Not missing much.
00:45:09
0xSimao
Yeah, I...
00:45:12
0xSimao
I don't know, how do you actually fuzz in Hardhat? You have to set up your own random arguments, right?
00:45:18
riptide
I've never fuzzed in Hardhat. I have no idea. I've only done fuzzing in... I used Echidna and the Foundry fuzzing. And then you need to get recon.xyz slash riptide.
00:45:32
0xSimao
yeah
00:45:33
riptide
ah No, but, uh, whatever fuzzing tool you use, I think they're all just, they're cool. Like it's, If you find something that you couldn't find by manually plugging in something like that's just so, so cool that that these, these kind of tools exist for us to play with.
00:45:51
0xSimao
Yeah. Yeah, it it should be part of every protocol's ah workflow. It just doesn't make any...
00:45:56
riptide
It should.
00:45:58
0xSimao
Yeah, it should, it should.
00:46:01
riptide
Yeah, no, true. ah Very cool.
00:46:03
0xSimao
it's and It's so easy to set up. ah So there's there's no excuse for not implementing it in your tests.
00:46:10
riptide
A Foundry test fuzzing. Yes. Very easy to set up, but a more comprehensive kind of thing, like some of the other fuzzers, can be a bit of a pain in my experience.
00:46:19
0xSimao
Yeah, yeah. Okay, okay.
00:46:21
riptide
Yeah. Yeah. Silence. Simao.
00:46:25
0xSimao
Yeah, I mean, I've never used any other fuzzer, to be honest, but...
00:46:26
riptide
he up
00:46:29
riptide
I'm not a fuzzing King, man. I don't know.
00:46:33
riptide
All right. So what else is going on, man? We almost made it to an hour here.
00:46:37
0xSimao
um
00:46:38
riptide
Give me some alpha. What's happening over there?
00:46:41
0xSimao
Yeah, like, um to be honest, like, you some real alpha, I think it's, ah I've judged recently ah contest on Sherlock, which was Babylon, and
00:46:55
riptide
ah The Bitcoin one.
00:46:58
0xSimao
ah Yeah, exactly. And and i've I've participated in other like um other audits related to Cosmos, Go, even the newer languages like Move and stuff like this. like They don't have nearly as many eyes as Solidity, right?
00:47:20
0xSimao
If you really put in the time in these codebases, you can do really, really well, because although this may not be always true, on average the participation levels are so much lower than Solidity.
00:47:38
0xSimao
It's pretty insane.
00:47:40
riptide
ah That's a good tip. the And the trade-off for everyone is like, well, is this going to be around?
00:47:46
riptide
look at look at Look at Cairo. Where's that?
00:47:46
0xSimao
Exactly, yeah, exactly. And just, yeah, like it's a trade-off, but I think it probably is still worth it.
00:47:58
riptide
Yeah, I would say pick something that that, like what you're saying, like pick one of them that you think might have some legs and then be that dude. Be that dude that's the master of it.
00:48:09
0xSimao
Yeah, yeah, yeah, it's crazy.
00:48:09
riptide
ah That could pay off pretty well.
00:48:14
riptide
Yeah. ah Cool, man. All right, you got anything else?
00:48:20
0xSimao
Um,
00:48:24
0xSimao
let, let me see. I actually took one or two notes. Let me see if I can. Let me see.
00:48:27
riptide
Go ahead, man.
00:48:29
0xSimao
Um,
00:48:30
riptide
And just, just for everyone's note, I gave him no – no guest gets any prep. I just invite him on and just drill him with some questions. So...
00:48:42
0xSimao
um,
00:48:44
0xSimao
Yeah, I mean, I think like ah one one common thing that people do is just ah giving up too early. Like even when I was starting out, there were other people with exactly the same background as me, but they just like they they were demotivated because, well, this industry is is mostly for the the crazy people, I think, ah in terms of...
00:49:11
riptide
Yeah.
00:49:12
0xSimao
I think everyone that succeeds is is basically a ah workaholic. you know
00:49:18
riptide
Yeah. You got to be on all the time.
00:49:20
0xSimao
Yeah, it's either go big or go home. I don't know how to explain it. But like if you see the leaderboard in an audit contest, you'll know what I mean. Like, you see top three getting all the money and then from top four below, they get like a McDonald's salary.
00:49:39
riptide
and the The competitive streak some of these guys have is incredible. Like yourself, like like all these guys dominating contests. That takes dedication and you need to be extremely competitive.
00:49:51
0xSimao
Yeah. Yeah. Yeah. You need to have the mindset that, okay, I'm going to find all the bugs that exist in the codebase. Yeah.
00:49:59
riptide
It's crazy, man. ah You know, I don't like contests because of a few reasons. Like, you have to work on this time. Like, here's your time that you're allotted.
00:50:10
0xSimao
yeah
00:50:10
riptide
I know that, like, And I'm a competitive guy, but I know that like 50 people are going to look at this as well. And then I'm just like, oh man, you know, it just, maybe it's a mental thing.
00:50:22
riptide
I'm like, oh fuck.
00:50:22
0xSimao
Yeah, it is
00:50:22
riptide
And then I'm going to have to argue my findings and then I have to look through the docs and just see like, oh here's the fucking rules and the invariable. And Bughug is just like, can you take the money or not?
00:50:37
riptide
You know, this is like, are you going to argue with the judge and this bullshit?
00:50:37
0xSimao
is.
00:50:40
riptide
I don't know.
00:50:42
0xSimao
Yeah.
00:50:42
riptide
you must You must really like You must be really good at it too to excel.
00:50:47
0xSimao
Yeah, I mean, for starters, you really need to know the rules of the platform well. If you don't know the rules, it's you're you begin at a disadvantage, you know, you're already starting from a worse point.
00:51:00
riptide
Mm-hmm.
00:51:05
0xSimao
So I think that's the first thing to know. And then the second thing is that... like, keep in mind that the way the rewards work is, the more people find it, the less the bug is worth, right? So if you have 10 bugs, if you find just one, right, and it's a unique finding, and there are other nine bugs, if these nine bugs all have like 50 duplicates or something, then you will take the whole pot.
00:51:37
0xSimao
So the it's not necessarily true that the more people look at it, the less you you receive, you know?
00:51:46
riptide
I don't know. I don't like the rules.
00:51:48
riptide
Ah, just as... This is more shit I have to deal with. I just like looking at the code on my own terms, and if I get bored of it, jump to something else, and, you know, to each their own.
00:51:48
0xSimao
Yeah.
00:51:58
0xSimao
yeah
00:51:58
riptide
I think you're you're in your specialty and I'm i'm over in mine.
00:52:03
0xSimao
Yeah, yeah. like But like you you touch a good point, which is if the bug is too obvious, it's probably it's not even worth it to report it.
00:52:13
riptide
Really?
00:52:14
0xSimao
Yeah, because like if it takes you half an hour to build the the report of for this bug and POC or whatever, but then you get paid one cent.
00:52:23
riptide
It's going to be worth a McDonald's meal. Yeah.
00:52:25
0xSimao
Yeah, like why? Why are you putting in the time?
00:52:30
riptide
I don't know. It's a weird job. It's a weird lifestyle. What do you tell people you do? Like people that have no clue what crypto is.
00:52:39
0xSimao
Yeah, it's very hard, actually. Ah, and, ah, honestly, I just tell them I'm a software engineer or something. I don't even go...
00:52:48
riptide
i Keep it simple.
00:52:49
0xSimao
I don't even go that deep because if I tell them I work in crypto, then they think I'm i'm a scammer.
00:52:49
riptide
Yeah.
00:52:56
riptide
ah Yeah, that's true.
00:52:58
0xSimao
And then I have to explain to them that I'm not a scammer or at least...
00:53:03
riptide
ah you do you Do you speak Portuguese?
00:53:05
0xSimao
Yeah,
00:53:06
riptide
you' Are you from Portugal?
00:53:08
0xSimao
Yeah, yeah.
00:53:08
riptide
Okay.
00:53:09
0xSimao
I'm pretty good.
00:53:09
riptide
cause ah Like I moved to Italy and I'm from the US. And so trying to explain to Italians in Italian what the hell I i gave up on that.
00:53:13
0xSimao
Yeah.
00:53:19
riptide
And I'm just like, I'm just like, no, I just work in internet security. And they're still like, huh, what is that? And I'd say, oh, smart work. I just do smart work. all smart work. that That means you work online.
00:53:31
riptide
Okay.
00:53:34
0xSimao
Yeah, it's something like that. It's like... yeah, I don't know, man. Like, crypto is still under this massive umbrella that it's all a scam, and it's really not, but most of it is, if we're going to be honest. So, yeah.
00:53:44
riptide
yeah
00:53:50
riptide
That's the gut check too. I get the same feedback any time you mention to anybody that you're anywhere involved with... you just say the magic word blockchain, or God forbid Bitcoin or anything, and they think, oh, so you trade? Oh, so... Like, that's all they think. They have no clue. And that's...
00:53:58
0xSimao
yeah
00:54:08
0xSimao
Yeah, what what coin should I buy? and This is really good.
00:54:10
riptide
Ah, you know, it's, it's really terrible given that it's, I mean, I got into Bitcoin in 09 and I mean, it was launched what, 08 or something.
00:54:21
riptide
I mean, it's been a while since this technology has been out and still this is the public perception, which every day is not helped by all the shit that goes on.
00:54:27
0xSimao
Yeah, yeah.
00:54:32
riptide
and
00:54:32
0xSimao
Yeah, of course. Like, you just look at the news and it's a meme coin rug pull. Like, what you expect?
00:54:37
riptide
Yeah. But you know that wasn't happening couple years ago. like It was a different narrative. So like what's gonna be the narrative this year and next year?
00:54:44
0xSimao
Yeah.
00:54:48
riptide
It'll obviously move from meme coins to whatever the next thing is. I don't know. Hopefully it's more positive for our industry.
00:54:56
0xSimao
Yeah, yeah, like meme coins are a massive trap, to be honest, because you get liquidity coming in, but you get like rug pulls coming out.
00:55:07
riptide
Yeah.
00:55:09
0xSimao
it's it's it's It's hard because you want the liquidity, but you don't want rug pulls. So it's, yeah, it's tough.
00:55:19
riptide
Yeah. ah I don't know. I don't know. We'll we'll see what happens. I see it. I look at it as more people enter the space than leave it. That's my overall thesis.
00:55:30
0xSimao
Oh yeah, that's true. Yeah.
00:55:32
riptide
And I don't bet against the nerds. And the nerds are all here. ah They're building some crazy shit. So there's going to be ups and downs. And price will always affect everyone's sentiment.
00:55:40
0xSimao
Yeah.
00:55:42
riptide
But he's got to hang on. And hopefully, you know if you're if you're here, you're interested. in And you'll stick around.
00:55:49
0xSimao
Yeah. Like when when when I first got into crypto, like in blockchain, I really thought it was a scam. You know?
00:55:57
riptide
That's why you got in.
00:55:59
0xSimao
ah Exactly. That's what brought me in. No, but like, because, you know, I just, I i was a pretty standard guy, at least here in Portugal. We just, we finished high school. We tried to get us as much of good grades as possible. We go to college, you know, and it's very standard path.
00:56:19
0xSimao
And blockchain, yeah, like blockchain is nothing like that.
00:56:19
riptide
Humble student.
00:56:24
0xSimao
It's not common at all. And and it's you know it's tied to scams, unfortunately. So um I'm like really doing research. Oh, what is this Three Sigma firm? And then I found some actual scam with a similar name.
00:56:41
0xSimao
But yeah, no, but in the end, the guys guys were were pretty cool. so
00:56:46
riptide
i Dude, I think that's that's a very high chance that that happens for every crypto project is you just just type the domain in wrong and you're guaranteed to get some drainer or some fucking scam website.
00:56:59
0xSimao
Yeah, there's so much phishing going on, even on like coinboys and stuff like this, like so much phishing stuff going on. Thank
00:57:00
riptide
Like,
00:57:08
riptide
It's incredible. Yeah. I don't know. Come up with some solution. Well, cool, man. Well, hey, thank you very much for coming on the pod. It was a pleasure to have you on here, sir.
00:57:17
0xSimao
you so much yeah likewise
00:57:20
riptide
I'm going to give a shout-out here. So we have a deal with Immunefi. If you want to list your project for an audit, attack-a-thon, anything, mention Riptide, and they'll hook you up.
00:57:33
riptide
And also join the Discord, Bounty Hunters Discord. It's awesome. And subscribe to the Substack for some alpha. All right, we will see you next time on the blockchain.