riptide & tpiliposian discuss how auditors and bounty hunters differ, Hexens' audit model, what the Certora Prover actually does, what devs should do prior to deploying, RED FLAGS to look for when picking a project to bounty hunt on, why everyone misses bugs, getting your money's worth as a protocol dev with audits and contests, and much, much more ...

Transcript
00:00:07
riptide
Welcome back to Bounty Hunters. And today's guest, I will tell you in a minute, but first big news, we have our first sponsor. Give a massive shout out to Recon.
00:00:20
riptide
You can learn more at getrecon.xyz forward slash Riptide. And you can get a five grand discount as a first-time customer on an invariant testing engagement.
00:00:32
riptide
So Recon offers high quality Solidity audits powered by invariant testing. Having worked with leading projects such as Centrifuge, Liquity and Badger, they also have a ton of useful resources for bounty hunters.
00:00:43
riptide
and devs. And I checked them out, and I would never have any sponsor that I didn't agree was a cool product. I saw you can fuzz test right from GitHub, which looks awesome if you're developing a protocol.
00:00:59
riptide
So bounty hunters, protocol devs alike, check them out, recon.xyz, and of course mention Riptide. But basically they wrapped this nice GUI around fuzzing.
00:01:10
riptide
So if you've ever done fuzzing, set up a fuzzing suite, it can be a pain in the ass. So these guys have taken all the legwork out, and it's pretty awesome. So they're our first sponsor. Shout out to Recon.
00:01:21
riptide
Thank you guys. And we'll kick off. So the guest today, we're doing something a bit different. We're using the opposing force to get their viewpoints, the auditors.
00:01:34
riptide
So I have Tigran on, the man who previously was at Hexens but is now with Certora. Welcome, sir.
00:01:44
tpiliposian
Hey, hey, sir. Thanks. Thanks for the introduction. It's a very great idea to have auditors here, because I always listen to your podcast and it's really an honor for me to be here.
00:01:59
tpiliposian
So thanks for inviting me.
00:02:03
riptide
The honor's all mine. And I think it's great that, you know, we defined auditors and bounty hunters. Like, we have different job scopes, but we're still looking at code. We're all looking for bugs.
00:02:16
riptide
It's just kind of a different, you know, a different viewpoint in how we look at things, different time commitments, different budgets, different incentive structures, but we have a lot of commonalities, definitely.
00:02:30
tpiliposian
Yeah, yeah, exactly. And we are learning from each other, I would say.
00:02:31
riptide
So,
00:02:37
riptide
Absolutely. I know we see, I mean, how does a bounty hunter get started? He starts, I tell people what I did, is I just started reading audit reports. I think I read every PeckShield audit report back in the day.
00:02:52
riptide
And I didn't even know these bugs existed until I saw a more skilled auditor point them all out for me.
00:02:59
tpiliposian
Yeah, yeah. It's a great point to start. I guess I started likewise back then.
00:03:09
riptide
Yeah, let me go over your background real quick. So, you know, I just, I looked at your, I think you had it up on GitHub. You have kind of a good background.
00:03:17
tpiliposian
Mm-hmm.
00:03:17
riptide
You posted, you pinned a good tweet as well with kind of your background story. So you're a humble math PhD. And anyone that wants to read the full story on Tigran, he pinned the post on his X profile. It's pretty cool.
00:03:33
riptide
But if you want to give a brief intro, as much as you want to share, go ahead.
00:03:35
tpiliposian
Yeah. Yeah, yeah. Yeah. So it's kind of a long story. You're right, because I'm not the youngest guy here.
00:03:47
tpiliposian
So I came from traditional finance. It all, I guess, started from when I was finishing high school. I had to choose between going into pure math or math with economics.
00:04:02
tpiliposian
We call it, like, financial math. The thing was that with pure math I had to pass a physics exam as well. And at that point I didn't love physics, to be honest.
00:04:15
tpiliposian
So I took the second one, and after my bachelor's, one of my lecturers offered me a position at the Central Bank of Armenia, and that's where my journey started.
00:04:29
tpiliposian
I worked there for about 10 years. And yeah, during that time I did my PhD. It was again about a bit more financial math, not so much pure math.
00:04:47
tpiliposian
And yeah, I became head of financial risk management at that point. But after some time, it started to get boring, as there wasn't anything new to learn in that position.
00:05:04
tpiliposian
Most of it turned into, like, managerial work, management stuff all day long. And I thought that I can do these kinds of things after my fifties, I guess.
00:05:18
tpiliposian
And yeah, during all that time, a lot of my friends were getting into development stuff, but to be honest, it never attracted me. But when I realized that I could do security instead of development, that was, I guess, the breaking point for me. And after that realization, it was around three years ago, I started learning Web3 security.
00:05:47
tpiliposian
And I have been doing it ever since, day and night, because I'm loving it. I guess it's the power that is keeping me motivated, let's say.
00:06:01
riptide
That you're interested in it. Yeah, there's no other way. Nothing else, right?
00:06:05
tpiliposian
Mm-hmm.
00:06:06
riptide
Do you think, so you say you were at the Central Bank of Armenia, and I'll just compare that to where I grew up in the US with the Federal Reserve, and they would have so many PhD economists on staff, which I thought was hilarious.
00:06:07
tpiliposian
Mm-hmm.
00:06:21
riptide
It would be hundreds of PhDs, all doing God knows what. And then I walked into some presentation one time down at the Federal Reserve Bank in New York. And it was a PowerPoint presentation by some PhD on staff there.
00:06:33
tpiliposian
Mm-hmm.
00:06:37
riptide
And it was just, it seemed like a flexing session between him and all his other PhD buddies in math, just seeing how many Greek letters they could put up on the board, just so they understand whatever the fuck they're talking about.
00:06:52
tpiliposian
Mm-hmm.
00:06:52
riptide
I mean, it doesn't have to be as complicated as I think they try to make it.
00:07:01
tpiliposian
Yeah, you're definitely correct. And, you know, that sphere is not growing as fast as ours, like the tech sphere. So I really love what I learned from the central bank, that managerial knowledge, let's say,
00:07:23
tpiliposian
because at the end of my central bank career, I was managing around 20 people there. So maybe the most valuable things that I took with me from financial math were that math knowledge and the management knowledge.
00:07:49
riptide
Yeah, good skills if you definitely want to manage people. What about a guy with a math PhD that goes into crypto and looks at DeFi?
00:07:54
tpiliposian
Mm-hmm.
00:08:02
riptide
Do you think it actually helps you identify bugs, or is the math really? I mean, from what I've seen, unless I look at Curve, I'm not that blown away by any of the math in a DeFi protocol. Unless you go to Curve, unless you start looking at moon math with ZK, maybe some exceptions.
00:08:21
riptide
What was the other protocol? Was it Algebra? Or that might've been another one. But in general, DeFi's basic arithmetic.
00:08:33
tpiliposian
Yeah, yeah. I felt like a lot of guys, even without a math background, they are understanding the DeFi or AMM formulas pretty well.
00:08:45
tpiliposian
So I wouldn't say that it's like you must have a math background. It's just a bit of a helper in the beginning, like you're understanding all those formulas and stuff a bit faster, maybe, let's say. But in the end, you're correct. That deep math will be necessary, I guess, in cryptography or other ZK stuff, FHE, or I don't know.
00:09:18
riptide
Yeah, yeah, I agree. I mean, you're one of the guys that probably looks at a white paper and sees a formula, cracks his knuckles, kicks back and just can't wait to open that thing up.
00:09:26
tpiliposian
Yeah,
00:09:30
tpiliposian
Yeah, to be honest, I had one opportunity at Hexens to do research for a project, not a security audit, to research their white paper and introduce, like, a new solution.
00:09:45
tpiliposian
That was, yeah, pretty fun.
00:09:48
riptide
That's cool, man. If you get the chance to use the skills, it's always good. So you bailed from Hexens, and Hexens, I got to say, very good work. The model there, just from what I could tell, looking at the audit papers, I think a team of guys reviews it and then they kick it over to another internal team. So you get kind of two internal reviews. Is that right?
00:10:11
tpiliposian
Yeah, yeah, that's right.
00:10:17
riptide
I think it's pretty effective.
00:10:17
tpiliposian
and
00:10:20
tpiliposian
Yeah, as the results are saying, as I noticed, everybody says that after a Hexens audit, it is difficult to find something.
00:10:23
riptide
Mm-hmm.
00:10:36
tpiliposian
So I guess it is saying yes.
00:10:40
riptide
I don't know if, publicly, I don't know if there's been something where there's been a bug found that's been material on one of their audits. So that says something about the model.
00:10:53
riptide
Do you know how that compares with other audit firms? I mean, there's, God, there's so many. You know, CertiK, PeckShield, Trail of Bits, you name it. And I'm sure everyone has their own process. But are you familiar with any of these other models?
00:11:08
tpiliposian
Oh, so now I'm working with Certora, and to be honest, like, let's say that both companies are very, very great firms with really amazing professionals.
00:11:24
tpiliposian
So the customer can be, like, confident that their project is going through top-notch service, whether it is audits or, in our case, also formal verification.
00:11:35
tpiliposian
And etc. But for me personally, the structure of the teams and working style here at Certora felt more aligned with how I want to grow as a professional, and that's why I changed my, like, company. And
00:11:58
tpiliposian
I feel like here, you know, when there are
00:12:05
tpiliposian
not so many people looking at the code, I think there is more room to grow. When there are, like, let's say, a lot of people looking at your code with different seniority, and twice,
00:12:22
tpiliposian
it's giving a good result, but...
00:12:26
tpiliposian
I don't know, it's difficult to compare, but I felt like it maybe can be a bit more complex, because the same result can be gained with two great auditors, two, three auditors doing the audit with good teamwork, let's say.
00:12:53
riptide
So you're saying maybe at Hexens there's maybe too much oversight, too many people on an audit.
00:13:01
tpiliposian
Oh,
00:13:01
riptide
Like too many hands in the cookie jar.
00:13:04
tpiliposian
It depends. Yeah, maybe, because, like, it's a bit distracting sometimes. Yeah.
00:13:15
riptide
I can just imagine the pressure, though. Who runs Hexens?
00:13:22
tpiliposian
What do you mean?
00:13:24
riptide
What, who's the CEO?
00:13:26
tpiliposian
Oh, the CEO is cpan, hexon1337 is his username on Twitter.
00:13:32
riptide
Okay.
00:13:33
tpiliposian
really, they are,
00:13:34
riptide
I can imagine the pressure on this guy, because if you get one company, one protocol where there's a critical bug and they get hacked, your name is done.
00:13:47
riptide
Your reputation's done.
00:13:50
tpiliposian
Yeah, yeah, it's really, they are, they're like
00:13:58
tpiliposian
taking this very seriously, and that's great. That's why there are no such cases after their audits.
00:14:07
riptide
That's pretty good. And by the way, all the bounty hunters listening, I think they offer like a, is it 10 or 20 grand, on top of a bounty if you do find a bug in a Hexens project that they audited.
00:14:18
riptide
So that's pretty cool.
00:14:19
tpiliposian
Oh yeah, they offer 20.
00:14:22
riptide
That's pretty cool.
00:14:23
tpiliposian
Yeah, yeah.
00:14:24
riptide
So let me ask you about Certora. So Certora is not your typical auditing firm. They have this thing they made called the Certora Prover. And could you just kind of explain, like, what is a prover, or what does it mean to prove a protocol?
00:14:40
tpiliposian
Yeah, yeah, it's the formal verification part. So let's say that this is, like, definitely another way to verify your contract, to mathematically verify that it is working correctly.
00:15:00
tpiliposian
And there are different teams working on the formal verification and manual audits, but they mostly are, like...
00:15:12
tpiliposian
working with each other. So auditors who know DeFi and that specific project very well, they are working with the formal verification team, like, to give more interesting properties to check for the project. And they are, like, separate services, but combined with each other it is giving very, very good security, because sometimes it's really...
00:15:46
tpiliposian
You can miss something doing manual audits, but if you have good properties set in the formal verification, it can, like, find very good issues there as well.
00:16:02
tpiliposian
And there are a lot of companies that are doing both of them, like formal verification with their team and, like, manual audit, and then they are combining everything. So in my understanding, it's the best possible, like, security service someone can provide.
00:16:25
riptide
And when you say verify, I think your word was verify it mathematically, your contract. Is that what you said?
00:16:35
tpiliposian
Yeah, yeah, yeah.
00:16:36
riptide
So how does that work? So say you have a simple contract and it says, you know, A equals B plus C. What is the prover doing? How is that doing more than just running a test and fuzzing it and verifying it?
00:16:51
tpiliposian
So, yeah, you're giving the rules, like your project has these rules that it is working by. Like the very, very simple example is the ERC20 example. Let's say we have a couple of users and...
00:17:13
tpiliposian
all their balances put together is the total amount of assets, right? So you are giving that invariant, and the prover is, like, doing everything, every possible scenario there, to break this.
00:17:33
tpiliposian
If somewhere this invariant is breaking, this means that there is a bug somewhere. But if nothing is breaking, this means that this is working correctly.
00:17:46
riptide
But how is that different than running Echidna with the same kind of logic, with the same kind of invariants?
00:17:47
tpiliposian
Yeah. and
00:17:55
tpiliposian
Yeah, you mean like comparing with fuzzing? The thing is that, yeah, the Prover compiles your contract, like, down into math to evaluate every possible contract state and contract path.
00:18:00
riptide
Yeah.
00:18:12
riptide
Interesting. Okay. So, okay. But tell us why that, well, actually, let me ask you, does this mean that everything proven, every protocol that Certora proves, is bug free?
00:18:17
tpiliposian
Mm-hmm.
00:18:28
tpiliposian
Oh, it depends whether all the properties were given correctly, but I think the manual audit is, like, a part that needs to be in the security as well.
00:18:48
tpiliposian
So I don't know, can we, like, after any audit or something, can we say that the code is bug free?
00:19:01
riptide
Usually not, no. Mm-hmm.
00:19:03
tpiliposian
Yeah, yeah, that's the case, but it is a very good tool to have, and combined with the manual audits, it's, like, very, very good results.
00:19:19
riptide
And I know I wanted to put that out there, because I'd seen in the past where people see it's proved and they think that it's mathematically sound, bug free. And then once I did some research on it, I looked into it, it reminded me of when I see a test suite that doesn't ask the right questions.
00:19:37
riptide
If you don't have the right invariants to prove, well,
00:19:38
tpiliposian
Yeah.
00:19:41
riptide
And I want to ask you about that. So when you're coming up with the invariants to check, do you work with the team on coming up with that? Or do they just give you, this is what we want, and then you just implement it?
00:19:53
riptide
Or is it kind of like a cohesive method you use?
00:19:59
tpiliposian
Yeah, they, like, already have a lot of great, great properties to implement there. But you, as a, let's say, second eye, not reading anything in detail so as not to be biased on anything.
00:20:18
tpiliposian
You're, like, in your DeFi understanding or some project understanding, let's say you're very good at Uniswap, like the AMM part, right? So you are giving all the properties or invariants you think that this specific project needs to have, and they are combining everything and running the prover.
00:20:45
riptide
Okay. And I'm going to compare this to regular audits, because actually I should probably pair this with what I want to go over, with kind of auditing and how bounty hunters look at audits, and some red flags that always pull me in closer to the protocol.
00:21:07
riptide
And so I'll follow up with my question after this. So some red flags that I notice in different protocols, which cause me to dive deeper, are, I made a list. So if I see follow-up audits by the same firm, so they do audit one, then audit two after a change,
00:21:26
riptide
that's always a red flag. You always need new eyes on the code. The second would be out-of-scope contracts that are black-boxed, or, for lack of time, we're not gonna look at these.
00:21:37
riptide
Out-of-scope deployment scripts, unclean code. So TODO or "should double check", all these comments are still in there. That just shows lack of attention to detail. Your test suite is lacking.
00:21:49
riptide
That's also a bad sign. And also, I guess the last one would be a high amount of high or critical bugs found in the audits. So on top of that, is there something specific to Certora when they do their proving process? Because I know you do the manual audit as well.
00:22:09
riptide
Is there kind of an out-of-scope disclaimer when they do the prover as well? Are there just some things that they just don't consider?
00:22:22
tpiliposian
Yeah, to be honest, I'm working on the manual audits right now and I don't, like, know what they are doing in this much detail.
00:22:37
tpiliposian
But I think, yeah, there can be, like, projects that are not so much...
00:22:45
tpiliposian
calculations being done there, and, like, the formal verification can be done easily. And on the opposite, like, if there is something complicated with a lot of math formulas, AMMs, some yield generation protocols, in these cases I think everything should be formally verified to be sure that everything works correctly, like, in terms of underlying mathematics.
00:23:23
riptide
Do you think there will be some way at some point to be able to guarantee that the code is secure, like with a combination of AI, manual review, proving?
00:23:36
tpiliposian
I think yes. I think, you know, it mainly depends on the speed of, like, new things coming, or, like, auditors or hunters growing. So if the speed of the growing and auditing, like that security service, if it will grow faster,
00:24:03
tpiliposian
I think, yes, there will come some point that the, like, sphere's security will be on top. But if there are, like, a lot of new things coming that... and, like, not many people are able to be in line with all the new stuff.
00:24:26
tpiliposian
And as you can see, with all that new stuff comes new attack vectors, new, like, things that can be broken. And... Yeah, but I think that...
00:24:43
tpiliposian
We are, like, going down the first path. The sphere is growing faster, and there will come some point that most of the security part will be covered after some audits, combined with some tooling.
00:25:03
tpiliposian
And maybe AI, but I don't know. At this point, I think the AI is very weak in finding some security issues.
00:25:16
riptide
I agree. It's a very honest assessment, I agree.
00:25:18
tpiliposian
Mm-hmm. Mm-hmm.
00:25:20
riptide
Let me ask you this. So you spent a lot of time at Hexens, a lot of audits. So let's say I'm a protocol and I come up and I say, hey look, we just finalized the code.
00:25:26
tpiliposian
Mm-hmm.
00:25:32
riptide
Now what do we do prior to deploying, as far as security? What would you recommend?
00:25:39
tpiliposian
Oh, I would recommend, like,
00:25:44
tpiliposian
to do a couple of audits with different firms. They can even do contests, because nowadays there are very, very good professionals on the contest platforms that are not working full-time in some firms but are, like, doing full-time contests and are very, very good at it.
00:26:09
tpiliposian
So I think the best possible way will be, like, going to the contest, after it going to the security firm doing audits, and maybe at the end having the bug bounty launched on some platform.
00:26:33
tpiliposian
So I think, yeah, however much, like, the protocol's funds allow the protocol to give money to the auditors, they need to do that as much as they can.
00:26:52
riptide
So you think that they should go to an audit firm first and then do a contest?
00:26:58
tpiliposian
To be honest, I didn't, I haven't understood what will be the correct, like, order, first contest then audits or the opposite, but I do really believe that there is not much difference there, because in the contest there are a lot of guys looking at your code trying to find something, so
00:27:32
tpiliposian
it's like another type of service, in my understanding. And when you are going to the audit company, there are a small amount of people, but they have a lot of time to concentrate, to try to break something or anything.
00:27:50
riptide
Thank you.
00:27:55
tpiliposian
So in my understanding, these two combined, plus if you have, like, any tooling, for example formal verification or fuzzing or something like Recon is doing, that will be great. Like, what more to do?
00:28:18
riptide
Yeah. Well, so why do you think auditors, why do you think we miss bugs? Like, why do you think everyone misses bugs, devs, auditors, bug hunters?
00:28:29
riptide
Why do you think that I can look at some code and the same code and then you could spend all day on it and one of us sees something the other didn't?
00:28:29
tpiliposian
Mm-hmm.
00:28:39
riptide
Why do you think that happens when we're reading the same lines over and over again?
00:28:45
tpiliposian
Yeah, that's because, in my understanding, every person is thinking differently and everyone is creative in their own way.
00:28:58
tpiliposian
So looking at the same code, you can... go a lot of different ways than me to understand the attacks.
00:29:10
tpiliposian
But, you know, if we have, like, let's say a lot of time, let's say for a couple of lines or one function, two functions, like a month, maybe at the end we will end up having everything the same.
00:29:27
tpiliposian
But in a different order, let's say, because you will start thinking of your attacks from one side, I will start my attacks from another side. But if we have a lot of time, at the end we will end up having the same result, in my understanding. So that's the, yeah...
00:29:48
riptide
Maybe. Maybe not.
00:29:53
tpiliposian
I think the thing is in the timeline. So if we have one week, there are people that are, like, bounty hunters always. As I saw, they are not going so much line by line, but they are, like, taking all the functions where the user is interacting or can interact,
00:30:17
tpiliposian
and trying to break them first. And if we have, like, a very short period of time, the bug hunter will definitely find more juicy findings than, like, a traditional auditor.
00:30:31
tpiliposian
But
00:30:34
tpiliposian
But when doing, like, traditional auditing in firms, you just need to, like, provide, you need to find all possible issues there.
00:30:49
tpiliposian
That's why they take a bit longer time to be able to think about everything in this protocol, about every attack, about each scenario.
00:31:01
tpiliposian
Even giving recommendations like informational issues, because, you know, something now can be considered as a best practice, like an informational issue.
00:31:14
tpiliposian
But if the project doesn't have those best practices and in the future there is some update, the informational issues of nowadays can become, like, highs and criticals in the future.
00:31:31
tpiliposian
So this is a bit different mindset, I guess.
00:31:31
riptide
Thank you.
00:31:37
riptide
Yeah, this is why bug hunters will always exist and always be needed, because there's no time box for these guys. They'll just take as long as they want to pick it apart.
00:31:49
riptide
Whereas you guys, you have to fit the client's budget.
00:31:50
tpiliposian
Mm-hmm.
00:31:52
riptide
You have to scope it, a certain amount of weeks you're allowed to put in, and all the constraints around that. Whereas the bug hunters are looking for everything, and then they're able to capitalize on any vulnerability arising from changes that come out, which is so hilarious with the space, where they can go pay all this money on audits and then someone has to just add some feature.
00:32:06
tpiliposian
Yeah.
00:32:17
riptide
Like right when they're done auditing, some dev has to change some shit.
00:32:17
tpiliposian
Yeah, working.
00:32:22
riptide
And it just, you know, I compare this to, I remember getting into this industry, and I think one of the Yearn guys was, I heard he was from
00:32:33
riptide
aerospace engineering, where you have to test the code so much, it has to be rock solid, because you can't update it. And guys now, I mean, let's put it behind some proxies, let's just constantly update, here's a new version. And you're really not putting it through the wringer as much as you should for the amount of value that's at risk. It's incredible.
00:32:49
tpiliposian
Yeah, yeah.
00:33:01
tpiliposian
Yeah.
00:33:03
riptide
I don't even know what to say about it, but that's the state that we're at. And that's why I think all of us working together is great. How, like, when a protocol pays for an audit, because my God, I've seen some shit audits out there. There's the GPT audits.
00:33:20
riptide
Before the GPT audits, there were Slither audits.
00:33:22
tpiliposian
Yeah.
00:33:24
riptide
You know, like, how, if you're a protocol dev, how do you know that you're even...
00:33:25
tpiliposian
Yeah.
00:33:30
riptide
getting your money's worth. And this isn't brand name specific, I'll tell you that right now, because I've seen, but I won't shame anybody, but I've seen big brands out there that use the brand.
00:33:41
riptide
They put a new guy on it and he's representing the brand, and they're paying the same price for this guy. And yet the audit is not great. So how do you know you're getting a good deal? How do you know you're getting your money's worth when you pay these audit prices as a dev?
00:33:58
tpiliposian
Yeah, that's a really great question, because I believe if the dev is not on Twitter, like in our space on Twitter, not following us, maybe he even wouldn't know which one is good, which one is bad, because, like, as a dev, you can't just go over each report from all the companies and understand which one is good, which one is bad, right?
00:34:34
tpiliposian
Even, as you said, someone can use their name and give the audit to, like, a junior person who will not do the audit well.
00:34:50
tpiliposian
I think the,
00:34:55
tpiliposian
like,
00:34:57
tpiliposian
The solution is just for devs to follow all of us, because we are, like, speaking about everything on Twitter. And if there are such cases, there were always, we can always find someone who will post about this, who will shame someone.
00:35:20
tpiliposian
So the best possible solution, I think, is to be active in the security space, to, like, follow our security space.
00:35:34
riptide
And if you got an audit result and it had no bugs, does it mean your code is really secure or the auditors didn't even do the job? That is the question.
00:35:45
tpiliposian
Oh, yeah.
00:35:45
riptide
Dev's ego, the dev's ego is like, oh yeah, I'm the best. I have zero bugs.
00:35:52
tpiliposian
Yeah, I think if I were a dev, I would be very sad, because, yeah, it's maybe your last money you gave them to find something, and there is nothing.
00:36:06
tpiliposian
But after this, I think you definitely need to, like, go over another audit, but maybe you have no money.
00:36:17
tpiliposian
I don't know. This is...
00:36:20
riptide
You always have constraints, right?
00:36:22
tpiliposian
Mm-hmm. Mm-hmm.
00:36:24
riptide
And you know, you didn't mention private audits, like solo auditors, because I think there's an issue when you make a brand and then your audit company starts gaining ground and you get bigger, and then you're probably not doing the audits anymore. You're hiring guys to do it.
00:36:42
riptide
And eventually, if you don't run a very tight ship, quality goes down. And so I think the solo guys, I think they shouldn't be overlooked. And it's some of the guys that knock it out on bounties or contests, and they do individual reviews, because it's you. You're representing your brand.
00:37:00
riptide
And if you're hacked, I mean, that's it. But the bigger you are, I see it a lot, unless it's run properly, you just can't guarantee the same quality.
00:37:14
tpiliposian
Yeah, yeah, exactly.
00:37:16
riptide
Yeah, it's tough, man.
00:37:16
tpiliposian
But, you know, here you can think, like, this way. Let's say you're a developer, you have the project you have written, and you have a very small amount of money. You can't, like, go to the entire firm. But what is better, to go to the solo auditor with a cheaper, like, price, or to do nothing? I guess it's at least better than to not go over any audit.
00:38:00
riptide
Something's better than nothing, but also you don't want a false sense of security as well.
00:38:04
tpiliposian
Yeah, yeah, yeah, exactly. Because if you are, like, planning to run your project long and not be hacked, yeah, you need to find funds from somewhere and go to the audits, because otherwise you will end up giving all your money to the black hats. So why are you doing this, why are you even starting?
00:38:34
riptide
Do you have protocols that you've seen where you're just like, there's just red flags going off left and right? Like you're seeing the code and thinking that they're coding this thing, they're vibe coding it. You know, they're coding with no regard to security.
00:38:51
tpiliposian
Yeah, yeah. I worked on such a project, I guess, a year ago maybe. You could find like criticals on every line of code, and it was very bad.
00:39:10
tpiliposian
To be honest, they even were audited before our audit, and we asked them for the previous audit report.
00:39:22
tpiliposian
The previous auditors also found a lot of criticals there. Part of that was fixed, part of that even wasn't fixed, and there were a lot of fixes that introduced new findings, higher criticals.
00:39:40
tpiliposian
Yeah, that was the worst one I have done. Because even you, when doing the audit of such a project, even you are starting to like think maybe there is something else, maybe there is something else, because...
00:40:00
tpiliposian
After some point, you are not like taking this seriously, is it? Like, seriously, so much bugs here. And it is becoming like writing code from zero, like doing the developer's job.
00:40:19
tpiliposian
Mm-hmm.
00:40:20
riptide
Yeah, and two things with that. I've done a review of a project, a couple projects, where it was, I had to clarify with the project, it was external functions that should have been onlyOwner. You know, just basic, really, really basic criticals like that, and I just couldn't believe that they were looking for security reviews at this point.
00:40:44
riptide
And then I've read other audits where there's so many findings and it's almost like the team says, hey, let's not worry at all about security.
00:40:52
tpiliposian
Mm-hmm.
00:40:55
riptide
We'll just get an audit and have the auditors tie everything up. So every possible thing, like zero concern for security at all. I've seen that too. And those are the ones I worry about because I look at it and I'm like, well,
00:41:09
riptide
This just shows you don't give a fuck. And when you make a change, it may be rock solid now. Maybe Hexans did a great job. But if these guys are in charge of the protocol going forward, that's such a huge red flag.
00:41:24
tpiliposian
Yeah, yeah. I think this is a very, very important topic in our sphere, because that's maybe the starting point we need to improve in our sphere, in my opinion.
00:41:41
tpiliposian
Because, you know, I have been a triager in the Remedy Bug Bounty platform, which is the Hexans Bug Bounty platform, if you heard about it.
00:41:53
riptide
Mm-hmm.
00:41:54
tpiliposian
And yeah, I can say that it is the most problematic part in our sphere, because I mean, there are a lot of projects where it's just a marketing thing for them, like saying they have a bug bounty or they've done audits here and there, or putting in the docs, like in the audits folder, their audits and...
00:42:23
tpiliposian
Trying to use it maybe to raise some funds, but actually not caring about security. And I think, yeah, they are not gonna make it and they should like change their mindset, because I've seen projects that are like the opposite. They have bug submissions on them, they...
00:42:53
tpiliposian
And sometimes their developer even assigns the report faster than the triagers, because they are very curious what issue was found on their project.
00:43:06
tpiliposian
And they are like immediately reading it, wanting to understand what issue they have missed. And I think at least it should be an average of these two types of projects in our space.
00:43:26
riptide
Yeah, I agree. You made me think of a hilarious story about this. I was at ETH Amsterdam, I think in 2021, I don't know, 2019, one of those times.
00:43:39
riptide
And I'm at the hackathon. And I'm at this desk and this Solidity dev is next to me, and we're talking about whatever.
00:43:45
tpiliposian
of
00:43:46
riptide
And he's like, oh, they hired me onto this project, blah, blah, blah. And he says, the guy behind me is the CEO. I'm like, okay, great. I'm doing the hackathon. And the CEO's on this headset.
00:43:59
riptide
And he's talking with some investor. And I shit you not, right? I overhear this. The guy says, well, yeah, yeah, no, it's secure. Yeah, we have, you see the audit down there at the bottom? That means it's 100% secured.
00:44:14
riptide
And I'm laughing.
00:44:15
tpiliposian
Mm-hmm.
00:44:16
riptide
The dev's looking at me, man, we're having a laugh. But this is true, man. They'll put up a bounty. They put up whatever signals. And I get it, man. They want to signal to investors that their money is going to be safe. This is audited, secure until it's not. But I get it.
00:44:31
riptide
You know, I've been around marketers. You want to run a business. You want to pump it up. I understand. It's not the right way to do it. But man, it's always going to be an issue, man.
00:44:44
riptide
I don't know, what I call dirty bounties, where they're just up there.
00:44:47
tpiliposian
yeah
00:44:47
riptide
And then you get the programs. We got that other problem with just not paying. I'm to call them dirty bounties.
00:44:56
tpiliposian
Yeah, yeah, exactly.
00:44:59
riptide
Yeah, what do you do, man? So, Tigran, we met in Bangkok. Am I right? Where you put me in an arm bar immediately.
00:45:08
tpiliposian
Yeah, yeah. You said to me that my avatar, this Venom one, is aggressive.
00:45:17
riptide
I said it was terrifying.
00:45:17
tpiliposian
After that, I'm remembering it any time I see your tweets on Twitter.
00:45:28
tpiliposian
But to be honest, I can't like make the AI make my avatar a bit kinder or not so much aggressive, every time I like put, yeah...
00:45:40
riptide
I think you made it more aggressive.
00:45:46
riptide
Oh, that's cool, man.
00:45:46
tpiliposian
But I'm not so much aggressive. I like put my aggression on the mats in the sports I'm doing, so in life I'm not so much aggressive.
00:46:00
riptide
What was your method? Because, like, I look at it, I couldn't do auditing. I think it's just not for me, right? Let me ask you this. What was the longest assignment you were on? The longest engagement?
00:46:15
tpiliposian
Oh, it was, if I'm not mistaken, six weeks.
00:46:21
riptide
Six weeks, same code base.
00:46:21
tpiliposian
It was, yeah, it was a huge project. Like, they have their AMMs, their stablecoin, so everything.
00:46:33
riptide
How do you kind of lock in and bring that same hunger to work every day? Like, say the protocol is boring. Say you don't want to look at that type of stuff. Say you're really interested in some obscure new idea, and this is a fork of something, but that's your job.
00:46:52
riptide
You've got to crank on it for whatever amount of weeks. Like, how do you do that every day? Do you have some sort of method? I know you use BJJ to kind of get that energy out, but like, how do you do it?
00:47:06
tpiliposian
I'm taking my laptop to the BJJ gym, and I'm teaching my laptop how to break the something. Yeah. But seriously, I'm like the kind of person that loves, I'm like an idealist.
00:47:26
tpiliposian
So I love that everything is in its place. So the only thing is, I felt like, this is the job for me, because I love very much to go over everything and put everything in its place.
00:47:45
tpiliposian
And what like keeps me motivated is the mindset that I always think that there is a bug and I should find it, because, like a CTF, you know, you know that there is a bug, right?
00:48:00
tpiliposian
And you need to find
00:48:01
riptide
Mm-hmm.
00:48:03
tpiliposian
I'm just like giving my brain the order that there is a bug. Until the last day of the audit I am doing in this mindset.
00:48:14
tpiliposian
I am waking up, you know, I am waking up every day and hoping, saying to myself that today is the day I will find that one bug that will change my life.
00:48:30
tpiliposian
And every day I'm waking up with this mind, I swear. Like, I'm going to that one bug that will change my life, and in every project, in every protocol, every day I'm searching for this, I'm trying to find this one bug.
00:48:36
riptide
I love it.
00:48:53
riptide
What about those days where you get up and you open VS Code and you're like, this is so fucking secure. There's no way, I'm just not going to find anything. How do you talk yourself out of that?
00:49:05
tpiliposian
Oh, yeah. You know, Ghegul, he's in Unified Top 9. Yeah,
00:49:14
riptide
I do. I do. We're going to have him on here.
00:49:18
tpiliposian
Yeah, yeah. Great. So I started to... He's my good friend. We started to talk together maybe...
00:49:31
tpiliposian
more than one month after he joined Hexans. So I learned from him that there is no code that has no issue. Like, his mindset is so much a hunter's mindset that every day I'm admiring it. He's not even looking at whether the code has been audited, how many times it's been audited. Like, you are opening the code.
00:49:58
riptide
Mm-hmm.
00:50:01
tpiliposian
He is like very, very fast going to the functions that he needs to check. And here is the issue. Like, and this is motivating me to not...
00:50:14
tpiliposian
not believe that there is no issue. You need to have the mindset that there is always an issue. Because whenever you switch your brain to think that that's it, there is no issue here, I think you will not find an issue after this.
00:50:36
riptide
100% correct. That happens to me and that happens to, I think, every bug hunter and probably every auditor at some point.
00:50:40
tpiliposian
Mm-hmm.
00:50:45
riptide
But man, it's comparable to, I'd say, doing any sort of training, like do a long run, do a marathon, and you hit those walls and you start to doubt yourself and you're your own worst enemy.
00:50:59
riptide
And it's the same when you open up a code base
00:50:59
tpiliposian
Yeah, yeah.
00:51:02
riptide
And it's been reviewed by all the top names. And you're just thinking, as soon as you say, oh, fuck, you know, there's nothing, like, I've looked at it for six hours today. There's just nothing here.
00:51:14
riptide
When you do that, you need to close the laptop, go exercise, go to sleep and just say, hey, I'm going to hit it fresh tomorrow.
00:51:18
tpiliposian
Yeah, yeah.
00:51:22
riptide
And you'll come up with some new ideas and you could try something else.
00:51:26
tpiliposian
Yeah, yeah, exactly. I'm taking my family to the countryside, like, it can be that one day I will not even open the laptop. So as to continue after with a fresh mindset.
00:51:43
tpiliposian
Exactly. I can even, like...
00:51:44
riptide
Absolutely.
00:51:46
tpiliposian
open some ongoing contests, try to do it a couple of hours for my brain, like, to switch to definitely another project, which is different.
00:52:01
tpiliposian
So when I come back to my project, the mind is fully refreshed, let's say.
00:52:11
riptide
Is there a reason you don't bug hunt on the side? Because Giggle was doing that at Hexans, right?
00:52:18
tpiliposian
Oh, yeah, to be honest, Gegul and I started to do contests, but not full-time, because, you know, with the full-time job, it's not easy to compete full-time in the contests, because for me, like, and for him, the priority is our full-time job.
00:52:39
tpiliposian
And we are doing it like in the weekends, a couple of hours, just for that purpose: to distract from our everyday project, to brainstorm together with other ideas, with different attacks, and refresh our minds.
00:53:03
tpiliposian
And that's it. So to be able to do a full-time contest, I guess, with a full-time company job, in my understanding, it can be effective.
00:53:20
riptide
Yeah, and there are obviously big trade-offs, and everyone's in different stages of their life. So if you're a dude who's early 20s, man, you got nothing else to do but just grind it.
00:53:29
tpiliposian
Mm-hmm.
00:53:31
riptide
You're going to outwork me, I'm sorry to say. I have to balance other things. So yeah, it depends what you're doing, but I get it.
00:53:37
tpiliposian
Yeah.
00:53:39
riptide
Yeah.
00:53:41
tpiliposian
Yeah, yeah, because we wanted to work with each other so much, but now I'm at Certora, he's in Hexans, so we are trying to do like a couple of hours in the weekends together, try to break something, yeah.
00:53:56
riptide
That's pretty cool.
00:54:00
riptide
That's very cool, man. Well, cool. Well, Tigran, we're about at an hour, man. I think this is a great insight from one of the great auditors out there. And hats off, Mr. Black Belt, as well. I got to give you props on that, man.
00:54:18
riptide
Very cool.
00:54:19
tpiliposian
Thank you so much. It was really a pleasure for me. I enjoyed every minute of this podcast and it's an honor.
00:54:29
riptide
Every fucking second. Awesome, man.
00:54:31
tpiliposian
Yeah, yeah.
00:54:33
riptide
Thanks for coming on, man. To everyone out there, just want to say we also have another deal with Immunefi now. If you are a dev and you have a protocol and you're going to launch a bounty or an attack-a-thon, hit me up. I'll give you a referral code and then help support the podcast that way.
00:54:51
riptide
Also, if you're not in the Discord, please join. We talk about all kinds of bug hunting stuff in there, share alpha, tools. And then there's also the Substack where I give you live bugs, and they're usually lows and mediums, but I try to get somebody else to look at them. Maybe you can amp that up into higher severity.
00:55:10
riptide
So pretty awesome stuff, but I dig, and thank you very much for coming on, and we'll see you next time on the blockchain.