Introduction to Mr. 100 Proof
00:00:08
riptide
Is that an intro or is that an intro? All right, I am here.
00:00:13
riptide
Yeah, I'm here with Mr. 100 Proof, the famed bounty hunter from Down Under. Welcome, sir.
00:00:22
100proof
Good to be here. Glad. Thanks for having me.
00:00:26
riptide
No problem, man. Your accent gives you away. People are going to say New Zealand or Oz. So I hope I didn't dox you.
00:00:35
100proof
There's 25 million of us. It'll be all right.
00:00:37
riptide
I think it'd be good. Yeah, so thanks for
Notable Bug Discoveries and Recognition
00:00:40
riptide
coming on, man. You know, I think you're definitely more well known in this space since, I mean, your Kyber bug was 2023, am I right?
00:00:54
100proof
Yeah, that's right. Yep.
00:00:56
riptide
And I would say that's probably where I heard about you, because we had been chatting. And I looked through our DMs and you sent me some questions on my bug.
00:01:09
riptide
And then I kind of gave you some feedback. And then I think you hit Notional though, right, in 2022. That was before Kyber.
00:01:19
100proof
Yeah, that's right, September 2022.
00:01:21
riptide
Okay. Okay. And then, yeah, you really blew up with, uh, did you do a write-up on Kyber?
00:01:30
100proof
That's probably the only really extensive write-up I've actually done, even though I should get around to writing some other things up.
00:01:36
riptide
Yeah, yeah, that's right. Yeah, it was on your site. So that blew you up; that gave you the Twitter bug bounty Hall of Fame. And it was like, I don't know what the bounty was, like a mill, if I remember correctly. Am I right?
The Debate on Anonymity in Bounty Hunting
00:01:52
100proof
Yeah, that's right.
00:01:54
100proof
Yeah, I'd also say that really, it was Andy Lee's interviews that also made me pretty well known, and you know, it is what it is.
00:02:05
100proof
I didn't think about it too much. There's definitely, I guess, some downsides to being well-known, but I feel like over the next couple of years I'm going to self-dox myself anyway because it's...
00:02:20
100proof
I think I could probably get away with using my real name as some of the big names in the auditing sphere do, like, you know, Gerard and Christophe and some others as well.
00:02:35
riptide
Yeah. To me, I just don't see an upside to doing that. I think about that and I think, well, why? Like, what is in it for me?
00:02:48
riptide
And my brand is this Chad head that people ping and give me jobs, or I look at things and find bugs. And if I came out with my identity, people would just tie that to whatever my background is and this and that. And none of that matters, because I love this meritocracy that we operate in. So why would you consider doxing yourself? I'm curious.
00:03:13
100proof
Yeah, that's a good point. I guess mainly to show that I have nothing to hide. So that'd be something about it. But I think that'd really be the only advantage, because I'd still be using the 100 Proof brand.
00:03:24
100proof
That's the name everybody knows me under.
00:03:27
100proof
That's a good point that you bring up there about there not being much of an upside. So yeah, that'd probably be the only reason.
00:03:33
riptide
Cause I think, yeah, if you build this anon brand, this 100 Proof or pseudo-anon, I think it's pretty cool because people see it. They kind of know who you are on Twitter and they interact with you. Word gets around, you get a following and then...
00:03:49
riptide
you know, if you want to be booked for audits, if you want to do that, or if you're negotiating, people kind of know who you are and know that you're legit without, like, "Oh, this is Bob Jones, and he went to this university." Like, I just don't see how that helps, in my view.
00:04:06
100proof
Yeah, I also love what you said about the meritocracy thing, because there's no more meritocratic thing than bounty hunting or participating in competitions anonymously.
00:04:21
100proof
You could be anybody. You could be from any background whatsoever and just do that. And you know, you really can't use that card of, like, I was oppressed by X, Y and Z.
00:04:34
100proof
It's because you don't even have to reveal any of those details when you get on. So, you know, I say everyone should go for it.
00:04:39
riptide
There's no I'm waiting.
00:04:42
riptide
If there's DEI in the audit competitions, then we got a problem. We've got a big problem.
Mr. 100 Proof's Academic and Professional Background
00:04:49
riptide
But I mean, so, with your background, you had prior... you were CS, you were definitely in tech before this, like deep in.
00:04:58
100proof
Oh, a hundred percent.
00:04:59
100proof
Yeah. I was a dev for many years and, uh, you know, I don't mind sharing this. I mean, I always just loved computers. I was into computers before I went to university and I sort of followed that track set down for me, which turned out to be a bad idea, but I went all the way to finishing a PhD, would you believe, which I then never ever used, and...
00:05:25
100proof
Along the way, I did come across a couple of cool things that most people don't come across.
00:05:30
riptide
What was the PhD in?
00:05:31
100proof
I was in computer science and I was interested in compilers, and I was really interested in the idea of, like, how do you extend a programming language
00:05:47
100proof
with new syntax and new features in a kind of pluggable way, rather than just rewriting big parts of this monolithic tool. Because I just thought it would be really cool if people could experiment with compilers in a much more plug-and-play way, so they could add new syntax and then you could use that module if you wanted to, to kind of have a marketplace of language features.
00:06:14
100proof
But it turns out it's a big research topic and I didn't get very far with it as an idea.
00:06:21
riptide
I think I'm gonna just feel dumb with every guest that I have on here. My knowledge is, like, nowhere near yours. I think of that as the coolest thing I'd want to do, but I've never done it. I've never had formal training in computer science. I've never built my own compiler, but I've always thought that was the nerdiest, coolest thing to do. I just don't think my brain is big enough.
00:06:45
100proof
Yeah, you'd probably surprise yourself. It's like anything, if you find an interest in it.
00:06:52
100proof
That's probably the biggest hurdle. And then, yeah, you've got to select good sources of information too, because personally I actually hate reading academic papers, which sounds funny for a guy who actually finished a PhD.
00:07:07
100proof
Like, I just find them so dense and hard to get through. And I think it would be much better if people just communicated through blogs like we do. And you know, our blogs are pretty technical.
00:07:18
100proof
It just doesn't seem like that, because you can talk in a chatty tone and throw in cool metaphors. And you can do a whole bunch of things which just isn't allowed in the academic tradition, for bullshit conventional reasons.
00:07:35
100proof
You know, there's no reason besides, oh, I just want to appear like I'm a serious person and I don't want to upset the apple cart.
00:07:42
riptide
Yeah. I read my Balancer write-up and I thought it was so lame. I reread it recently and I thought, my God, it's so boring. It's just so technical. And some write-ups that people do are good.
00:08:02
riptide
To be honest, I'll read other people's write-ups and a lot of them are the same, just as bad as mine, and I think, man, who is reading this? When I did the Balancer one, I had my wife read it and she's like, "This is the most boring thing. I have no idea what you're talking about." And then I reread it and I'm like, God, this is pretty nerdy. This is really nerdy. Even though it's not an academic paper, it's still pretty dry, man.
00:08:31
100proof
Yeah, I know what you're saying. You know, Shung did one on a Uniswap bug that he found, I think. And it was really entertaining, because he created this series of pictures, and it was a chat between two people. And that was meant to be the system versus the user. And so each action that the attacker took was like,
00:08:57
100proof
you know, a little bit of text in a chat, and then it kind of explained it that way, and I thought that was really cool.
00:09:05
riptide
That'd be cool. I need to add some flair to my next one.
Reflections on 2024 and Bug Discovery Process
00:09:08
riptide
That sounds cool.
00:09:12
riptide
So what about your 2024? Like, how was it for you as far as bug hunting goes, or were you doing audits? Like, you know, give me an overview.
00:09:22
100proof
I think I had a lack of focus in 2024 and I was kind of working out what I should do to get better. And so I did some private audits, and I feel that they actually detracted from my focus and I ended up getting caught up in them quite a bit. Even just knowing that something was scheduled in a few weeks sometimes made me feel constrained and hemmed in for bug hunting, bounty hunting I should say. So I feel like I was scattered and all over the place in the first half of 2024.
00:10:01
100proof
And then I guess things picked up in the second half.
00:10:07
100proof
So I landed a bounty with Morpho. I have permission to talk about that yet, and the blog post is still coming.
00:10:15
riptide
Tell us, tell us as much as you want to disclose.
00:10:20
100proof
Oh, sure. Okay. I mean, that's a fun thing. So if you go to their risk documentation on their website, then you'll see there's a credit to me in there, because basically they had to modify their risk documentation just a little bit to make people aware of a situation with, I guess, what you would call a nested vault. So...
00:10:50
100proof
In a lending vault, you have... Yeah, I'll run through it. Okay, so, yeah, this will take a couple of minutes though, so strap yourselves in, listeners.
00:11:04
100proof
So you have these lending vaults, and basically you've got LPs which stake some underlying token, and that's going to actually be lent out to borrowers.
00:11:17
100proof
And in return for these deposits, the LPs get shares in this vault. And hopefully, the value of those shares is going to go up over time as the borrowers pay interest back into the vault. I mean, that's really the incentive there, and you should make a return that way. But there is actually a way in which the value of your shares could drop.
00:11:43
100proof
And that will happen if there's a delayed liquidation. So basically a liquidation that happened too late, so that there is a small amount of insolvency in the vault. And therefore, the price of your share goes down. And this is only true if the vault does something called bad debt socialization, which is basically just to share the hit amongst all the LPs that are in that vault.
00:12:13
100proof
Okay, so that's some pretty basic kind of lending vault knowledge there. So it turns out that in Morpho you can actually lend out vault shares from another vault if you want to. And this is where things get a little bit dicey, because
00:12:40
100proof
if there's a big price swing, it could be the case that a liquidator knows that the vault share price is going to lower as soon as the liquidation is called. They just know, because it's been delayed long enough now that they know the price is gonna instantaneously change. Now, maybe I'll use some concrete figures here. So let's say that the vault shares
00:13:06
100proof
had gone up to 1.2 to 1 over time. So it started out at 1 to 1, but it's gone up to 1.2 because of all the payments of interest that have come in. But because this liquidation is about to occur, which is late, there's going to be some bad debt socialization. And the value of the vault share is actually going to go down to 1.1 instantaneously. And you know this is going to happen. And it might only happen once every three years, you know, when there's a huge price shock to some cryptocurrency or some token.
00:13:43
100proof
Okay, so if you know this is going to happen and you have access to borrowing those vault shares, so this is like a nested vault which actually has the LPs stake vault shares from another vault in there, well, what you could do is borrow those shares, sell them at 1.2 for the underlying token, and then you could liquidate. The price goes down to 1.1, and now you have this debt of vault shares, but you buy them back at 1.1, and so you've made the profit difference between 1.2 and 1.1.
00:14:23
100proof
So it's not a bug, per se, in the sense that this is just something that you kind of have to keep in mind for when you create a vault and how to set it up. So basically, I submitted this to Morpho. They said, this is a valid situation, and people who are creating vaults should definitely know about this so that they can choose between whether to do bad debt socialization or use some other method to deal with late liquidations.
00:14:56
100proof
And now they're aware of it, but they did actually reward us for it, which was great. So yeah, that was it.
00:15:04
riptide
And all listeners now get a Coursera certificate on Morpho vaults after listening to that.
00:15:12
riptide
So how did you come across this?
00:15:17
100proof
Well, okay, I guess just reading the code and thinking about the economics of it.
00:15:24
riptide
But, yeah, you know, a lot of bug hunters, myself included, are always interested in how do you find the bugs? And so when you say you're reading the code, why did you pick Morpho? How long had you been looking at it? Were you randomly just searching for patterns? Were you going through line by line, contract by contract? Like, how are you doing it?
00:15:49
100proof
Right, right. This was definitely one that came very late in the piece, where I thought about the problem really deeply and the eventual flash of insight came rather suddenly, out of the blue. But this was one of those ones that involved kind of understanding the system completely.
00:16:16
riptide
You're whiteboarding the whole thing?
00:16:18
100proof
No, it just happened in my head, really. But, you know, I do, not so much whiteboarding, I just type scenarios into a text editor a lot of the time. You know, I'll say something like: LP stakes this much, user borrows this much, then price shock occurs, and then you just go through these kinds of scenarios and then,
00:16:46
100proof
eventually you get to it. I guess the insight in this one is that there are many different ways to short things, and I think it's worthwhile learning all of them, but lending is a classic way in which things can be shorted, essentially. But there's many, many subtle ways to short things, and I'm always on the lookout for those.
00:17:08
100proof
Because this is essentially what's going on here. You're shorting something. So you know that there's going to be a price movement. So you do something to your benefit before the price movement.
00:17:16
riptide
It's interesting. I found a bug in Dolomite a while back because they forked dYdX, and one of their contracts (this is all disclosed and disabled now), one of their contracts was assigned a proxy contract that no one was using, but it was enabled as a global operator, so it could...
00:17:39
riptide
Users could authenticate through it and then act on the main margin contract. And it had a simple ecrecover bug where you could be the zero address. And so I was able to exploit that, but then the only exploitation I could do was basically cause the protocol to accrue bad debt.
00:18:06
riptide
And I couldn't think of a way to amp it up to kind of maximize it more, or really any second-order effect after
Personal Life and Youth in Web3 Security
00:18:17
riptide
that. And I was kind of disappointed in that, because I was thinking hard and hard and hard. This is before LLMs gave you other insight and more ideas. And I just couldn't think of any other scenario where it was like, okay, it's bad for the protocol, but why?
00:18:33
riptide
Well, you know, I just couldn't do much with it. So, uh, interesting to hear that on your end. I mean, you found a way to think about shorts, and yeah, that's cool. I mean, every situation is different. Like I said, my brain is definitely smaller than yours.
00:18:51
100proof
Obviously, I looked around. Well, you know, on that last comment, I'd definitely say that Dead Roses is a hard act to follow. So I listened to about half of that podcast yesterday when I saw it was up. And I've got a lot of admiration for someone who can just find so many bugs,
00:19:15
100proof
and so consistently. And I'm also a little bit jealous that he's so young and doesn't have the level of adult responsibilities that I do now. You know, I struggle for every hour that I get to audit, because I've got two young children and literally every hour of my day is taken up with something, and I just try and maximize the number of hours I can do auditing, but it is not even close to what I could have done if I'd discovered this in my 20s.
00:19:47
riptide
Tell me about it. I know, and this is a...
00:19:48
100proof
But better late than never, right? The Chinese proverb that the best time to plant a tree is 20 years ago; the second best time to plant a tree is now. I just let that go through my head and think, well, Web3 security wasn't around when I was 20. So let's try and take advantage of it now. Let's not have too much in the way of regret.
00:20:12
riptide
It's a game for all ages. I was surprised when we met in Bangkok at ETH Bangkok that we were similar ages, which was cool to see.
00:20:21
riptide
And then you introduced me to, I can't think of his name, someone else who I met who's also in the same range, which is really cool, because it is dominated, you know, it feels like that sometimes, by the younger guys.
00:20:36
riptide
And we all know they just have all the time in the world to dominate. I'll drop this, you know, just to roast myself. I don't do the competitions, right? I did one for Code Arena. I was invited to do it. And it was for Wildcat Protocol.
00:20:56
riptide
And so who else is doing it with me? See, Dead Roses is on there because he hears I'm doing it. So I'm like, all right. And literally I've done no competitions on Code Arena, and so I don't even know, like, it's a different mindset. When we search for bugs as criticals, highs, all that stuff, okay, you have to really prove it. It's a different story when you're doing these competitions. So I'm looking and they say, oh, I just report every finding. Okay, so I'm just reporting everything, and, dude, I got creamed. I was supposed to be a Zenith researcher, like a top tier, and I was just down there with the commoners. And he places first; he got the only high findings.
00:21:50
riptide
And he asked me, he's like, "Hey, man, did you really go hard on it?" I'm like, "Yeah, man, you know, I spent three, four days going deep into it." And the contest was like two weeks. But I mean, after three, four days, I'm kind of toasted on a code base sometimes. And so he's good. That's all I can say, is he's really good, consistent. He beat me on that one. And it is what it is, you know, but you got to watch out for these young guys eating our lunch.
00:22:18
100proof
Well, hopefully the pie is expanding.
00:22:22
riptide
It's forever expanding. And that's why I don't care, because there's so many contracts out there every day. How many contracts do you think hit the blockchain? My God. All right. Every chain, how many new contracts that aren't spam do you think hit all chains combined each day?
00:22:39
100proof
Do you know this figure?
00:22:40
100proof
Because I don't.
00:22:42
riptide
I just guess. What would you think?
00:22:45
riptide
A thousand, two thousand, thousands. Yeah, I mean, how many contracts are deployed right now, just even on mainnet? I think it's probably, I want to say a million. Maybe I'm totally wrong, but it seems like it's just a never-ending supply.
00:22:46
100proof
That's a great question. Yeah, I'd say it's thousands, but I mean, a lot of them would just be people testing little small things and that kind of thing, right? Yeah. How many of note hit the chain each day, right?
00:23:09
100proof
Yep, I know what you're saying.
00:23:10
riptide
It's incredible. But I don't worry about it. I don't worry about all these contests. I don't worry about people having audits. I think the pie is going to continue to grow, I mean, for all of us. So the more guys we can get doing it, hey, great, man. You know, the cream rises to the top.
00:23:27
100proof
Yeah, so I know this was meant to be a freeform conversation, but you did just remind me of something that I did want to talk about today, which is one thing I was surprised about in 2024: how quickly things were starting to get centralized.
00:23:35
riptide
Tell me, what do you got?
00:23:42
100proof
You know, and I even have a little metaphor to talk about this with. I don't know if you've ever watched Deadwood, the series about a gold mining town in the Wild West.
00:23:53
riptide
I've heard of it, never watched it.
00:23:55
100proof
Yeah, anyway, it's great, right? But basically, what happened was a bunch of people went out to the West and when they first got to California,
00:24:07
100proof
There was, like, gold nuggets just sitting in the river and stuff like that, right? So you just go in there, like, pick them up, and you'd be rich, right?
00:24:16
100proof
And then the gold rush started, and everyone traveled across the country to find all this gold. And so, you know, that's well and truly happening with Web3Sec already, you know? Like, to me, that's what Code Arena was when I first found out.
00:24:28
100proof
I was like, oh, yeah, there's gold nuggets sitting in the stream here. This is great. I felt even a bit late then. And then, yeah, I think there has been a big gold rush, but there's this point in Deadwood, in the series, where this industrialist turns up. Everyone's in there with their little pickaxes and stuff on their own little plots, and he just rocks up and he's got all this machinery, because he's got lots of capital, and he just starts mining for the gold and basically eating everyone's lunch that way. And I feel that
00:25:04
100proof
that's what happened with the big platforms. Whether that's good or bad, all the competitive audit platforms have basically started trying to snap up a lot of talent by offering inducements of various kinds, right? And that kind of binds you to working for them.
00:25:34
100proof
I might just have to, you know, we might have to just suck that up and join them, or we might try and remain fiercely independent. But I think it was much easier to be independent even as recently as 2023 than it is now.
00:25:53
riptide
You mean as an auditor?
00:25:57
100proof
Definitely as an auditor, and I don't think it's happened yet for bounty hunting, but perhaps there is some way in which that becomes more centralized.
Independence vs. Centralization in Bounty Hunting
00:26:07
100proof
At the moment, I think that's what the appeal is, because I think I've been employed long enough in my life and I just like being a lone wanderer and hunting on things that I want to, and so on.
00:26:20
100proof
Preferably without too much time pressure or the feeling of competition breathing down my neck, yeah.
00:26:28
riptide
What about centralization for the bug bounties? You could say Immunefi really kind of cornered that market. I mean, they probably host more than anybody else, I think. But as far as centralization, I mean, they're all hosted on there. So it kind of makes you funnel through there in a way. Good and bad aspects of that.
00:26:55
riptide
Auditing, with the contests and all that, I feel like, and I've seen it, you could still make a name for yourself as an independent auditor, if that's your gig, by just building your brand and doing the independent audits. And I think guys like, uh, bytes 32...
00:27:11
riptide
He made that find-audit tool, runs a Telegram group, all that stuff, to connect people with just the best auditor for the price, and independent guys. I think that's really cool to kind of take market share away from the big shops.
00:27:28
100proof
Yeah, I think they'll always be.
00:27:28
riptide
Have you seen that? No.
00:27:30
100proof
Sorry, what was that?
00:27:31
riptide
Have you seen his find-audit site?
00:27:36
100proof
Yeah, no, I have. I think it's great.
00:27:39
100proof
Yeah. I think I saw his first announcement of that on X. Yeah.
00:27:48
riptide
Yeah, it's just such a big pie. I think if you want it and you're willing to do it, then it's there. Like, the money's there, the work's there. And I agree with you on time pressure too. That's one of the reasons I like just not doing audits or anything, because, you know, you're boxed in for a week, you have some results to deliver, and in bounty hunting you could just be your own boss and work on some bug that turns out to waste your entire week instead.
00:28:17
riptide
And it turns out to be nothing.
00:28:17
100proof
Yeah, it often does.
00:28:18
riptide
Yeah. Like a fucking idiot. But you know, what do you do?
00:28:23
100proof
Yeah, and I think another thing that attracts me to bounty hunting is this distinction between honing and forging.
00:28:23
riptide
I'll take any day.
00:28:30
100proof
So I got this from a science fiction author called Neal Stephenson, but I really love the idea. So he talks about the difference between, like,
00:28:42
100proof
I guess cultures that forge, which is to discover something. I think also Peter Thiel's got this idea as well, going from zero to one. He's got a book called From Zero to One, and the idea is that forging is actually much, much harder than honing. Honing is just improving something that already exists. And so, you know, AI was forged by the people who discovered LLMs. I guess that's OpenAI, the first ones to really capitalize on that.
00:29:13
100proof
And now you've got all these other market players, and they're the ones that are honing it. And then if you look at the USA, the USA has basically forged most of the important technologies of the late 20th and the 21st century, whereas other countries and so on are more in the sort of honing business, where they take an idea and they actually make it better than it was before.
00:29:39
100proof
But they're just honing it. Think of Japanese cars, for instance. They worked out really great ways to manufacture them, but it's not like they invented the car. So, now, I know that was a bit of a long-winded intro.
00:29:57
100proof
I'm in this business because I want to forge some bugs, like whole new classes of bugs, because I just feel like, what music for yeah, that's very nice.
00:30:03
riptide
while using Forge. yeah
00:30:09
100proof
Yeah, I want to be the first to discover a certain class of bugs. I just prefer to be that person rather than, like,
00:30:18
riptide
That's the holy grail, man.
00:30:19
100proof
becoming the expert in like finding a certain class of bugs or becoming an expert in finding lots and lots of different kinds of bugs.
00:30:20
riptide
I think that's our holy grail.
00:30:27
100proof
I think they're a different skill set, and that's what I'm in the business for. So I think that's going to mean that there's going to be more time between findings for me, because that's kind of what I'm focused on.
00:30:39
riptide
I respect that a lot. And I know the commitment that that takes, and it really takes your time, because you have to go so deep and think so outside the box, and it usually leads to nothing. But I totally respect that. I also have that goal to find something that is a new class of bug that no one's thought of. Like, it's so cool. A new pattern or just something unique is always, I mean, I think it's what we strive for. Really cool.
00:31:12
riptide
Let me kind of ask, because I love to hear everyone's methods on this. My method is very different than yours, I'm sure.
Techniques and Tools for Bug Hunting
00:31:21
riptide
When you say, hey, I'm opening up the computer, I have no current projects I'm looking at, how do I find a target? How do you find your bugs?
00:31:33
100proof
I'm refining this, but there are definitely some really obvious first steps, which probably everybody does. It's like, look at Immunefi, look at some other platforms, but then also look at DeFi Llama. It can be really cool to track how things change over time. Just a quick example: I remember I was looking at Pendle when it only had a 250K bounty on Immunefi, and then I was just tracking it on DeFi Llama and it just had this explosion of TVL in early 2024.
00:32:06
100proof
Now it's got billions of dollars of TVL. And then consequently they put their bounty up to like 2 million, I think, and that's on Cantina now, that's hosted there.
00:32:19
100proof
That's an interesting thing to do, is just look at DeFi Llama, because sometimes, although they don't have a bug bounty program on Immunefi, if you find a drain-all-the-funds bug, they're going to reward you for that. Anything less, maybe not, if they don't have a bug bounty program. But you know, you might still hit it big that way.
00:32:39
riptide
It's the same thing that Roses said: he goes on DeFi Llama. I should try that more. Yeah.
00:32:44
100proof
It's just fun to track it there. Yeah, it's got a really nice interface.
00:32:49
riptide
Yeah, those guys are great. Shout out to the llamas, whoever they are.
00:32:59
100proof
Sorry, what else did you, I forgot the rest of the question. Oh yeah, what do I do when I open up the computer?
00:33:06
100proof
Yeah, okay, there is, yeah.
00:33:06
riptide
Yeah, you open it up.
00:33:07
riptide
You have nothing to load. You have no bugs in queue, like no ideas. Like, how do you just... you're starting fresh. What do you do? Besides go to DeFi Llama, where, which Discord?
00:33:14
100proof
Yeah, that's me, that gets me heaps of potentials. But then the next thing I love to do is just jump on the Discord, so, like, see how much traffic is going on there, and then just read through some of the comments.
00:33:27
100proof
Sorry, the Discords for all the projects that I've just made a shortlist of.
00:33:32
riptide
Okay. You're a Discord hunter. I see.
00:33:36
100proof
Yeah, I feel like you can learn a lot about just the general vibe of a project from doing that. And you can, like, search for key phrases. Like, one obvious one would be bounty. And then you see if they actually do have a bounty program or not. And then usually a lot of them will say, no, we don't have one, but we've been known to pay out bugs if they're good. And you're like, oh, OK, I guess I could do that.
00:34:01
100proof
That's actually what I did for Kiva originally. You know, so that was how I discovered that they'd actually paid out before, even though they didn't have a bounty program. That was cool.
00:34:15
100proof
Yeah, that's sort of something I do. The other thing is, if a project is live, studying Etherscan can just be a good thing to do.
00:34:25
100proof
Just start looking at their contracts and just look at what...
00:34:27
riptide
Now you speak in my language.
00:34:29
100proof
Yeah, I mean, I love Etherscan.
00:34:29
riptide
You mentioned the E word.
00:34:32
100proof
It's, ah, you know, it's not the greatest interface in the world, but it's got some very powerful features hidden amongst them.
00:34:39
riptide
Do you ever use Parsec?
00:34:46
riptide
It is like, if, so, if Etherscan is down, you could pull up parsec.fi. And they launched, I want to say a year ago, and they tried to kind of capture some of the momentum from Etherscan. And maybe they do. I don't use it. I tried it a few times. It looks pretty good. You just have to get used to it, but definitely keep it as a backup when Etherscan goes down, and just something else to try out. They might actually have some features you might like.
00:35:14
100proof
Yeah, there's another tool that I did actually get some use out of, which was CodeSlaw,
00:35:22
100proof
because if you find a bug in one project, you can just see if it exists somewhere else as well.
00:35:29
riptide
There's a caveat with Codeslaw though, is I talked to the guy who made it in their Telegram. They don't, I mean, they don't index everything. He's got some sort of algorithm where they index most, some of the most popular contracts. So if it's like, it won't, it won't search anything like the entire blockchain. That's the problem. But it does find, yeah, a lot of decent matches, I'd say.
00:35:55
riptide
But if you've used the one by, I think it's by the Hexens guys, Glider.
00:36:02
100proof
No, I haven't used that one either.
00:36:05
riptide
Are you aware of it yet?
00:36:07
100proof
I honestly couldn't tell you what it is at the moment, but I've heard of the name.
00:36:11
riptide
It allows you, it's, they built it solely to search for patterns in contracts. And it searches everything, searches the entire chain. I think they have it on multiple chains now, but they built their own, it's like a, I think it's a Python-style language. And you can create your own queries and you could say, hey, I wanna search for, ah, functions without a non-reentrant modifier.
00:36:41
riptide
And then it'll let you go into the function and say, okay, and then I want to look for, you know, these variables being set to this. Like, you can get very specific. The barrier is you need to learn the syntax, or maybe train an LLM on the syntax and have it help you. And there's a lot of false positives. If you're willing to put the time in, I think it's, ah, this, this is an alpha drop, the remedy.
00:37:05
100proof
Yeah, now that you've explained it, I have actually played around with it, and it looks useful.
00:37:06
riptide
Okay, yeah, I haven't put enough time into it.
00:37:09
100proof
Yeah. And I will totally remember to use that in the future. I mean, I just took some notes right then. That's another important thing, note taking.
00:37:17
100proof
That's something I do a lot. And I do read over them too occasionally as well, because you can't just take the notes. You've got to read them as well.
00:37:26
riptide
How big is your notes file?
00:37:27
100proof
But oh, man, it's huge.
00:37:31
riptide
And, and what, and what is it called? Is it notes.txt or notes.md?
00:37:36
100proof
It is organized into directories, right? There's folders and there's multiple notes.md. I use Markdown exclusively pretty much for my note-taking, so they're all .md files.
00:37:49
100proof
But yeah, it's, you know, like just plain text, it's great. You know, you can search it. It doesn't, yeah, and, you know, it's going to remain compatible with a bunch of tools into the future. It kind of future-proofs you.
00:38:00
riptide
Yeah, I don't use Notion or I don't use anything. It's just notes.md. That's all I need.
00:38:07
riptide
Has every single bug note in there.
00:38:11
riptide
All kinds of shit.
00:38:13
riptide
All right. Let's go.
00:38:13
100proof
But I did do it. I did do a word count recently and I was like, that's a lot of words, man.
00:38:20
riptide
Well, some of the shit is probably really outdated too, or like dead end bugs.
00:38:20
100proof
Oh, a hundred percent is like, yeah.
00:38:25
100proof
You can't say it's all valuable, but you know, like, I am actually keeping notes for an eventual set of memoirs that I'll write once I leave the space. Because, you know, there's a lot of stuff you just can't talk about right now, but in maybe five years I can talk about it, you know, because, you know, you've got certain obligations to people and certain stuff is sensitive and you don't want to, like, burn people or anything like that.
00:38:48
100proof
So, yeah, I keep a lot of notes and one day there'll be a tell-all book that I write.
00:38:53
riptide
In your memoirs. Oh, this is something unique.
00:38:56
riptide
No one's going to do that. Only you.
00:38:57
100proof
Well, now I've given away the alpha, so maybe everyone's going to do it.
00:38:58
riptide
That'd be awesome.
00:39:02
riptide
I agree with you man, that'd be awesome.
00:39:05
riptide
Dude let me, so let's, I really want to drop this alpha drop again. So I had this, I brought it up to you like I wanted to start this this part of the podcast. We'll put it in randomly I
00:39:18
riptide
but I wanna have this, this little alpha drop where hopefully I share something and then the guest shares something that's just something that could help people find some bugs, that come from that notes.md file.
00:39:31
riptide
So, so I'll start. So I picked one and this is kind of a cool thing that I've found some bugs on recently. So this is hot, glowing hot alpha.
00:39:43
riptide
is what I call breaking the chain. So I explore a bunch of transactions, contracts everywhere. And what I was looking for was, instead of the usual ones where, yeah, max critical, this and that, I said, hey, what about where could denial of service bugs lead to? And so I started looking through the traces of just different transactions that I found interesting. And if you look through the trace,
00:40:12
riptide
look through the trace and see where other contracts that it calls. So just look for every call within a large trace and then say, well, can I break this? Can I break the trace and call that contract directly? Like, is this permissioned? Can I take the same parameters? Maybe it was a proof. Maybe it was something that first call gave to it. Can I take that and modify it?
00:40:36
riptide
or can I front run it and then do a denial of service or something like that. And that's turned up quite a few things. So that's my alpha drop, breaking the chain, check the long traces and look for the calls in there and see what you can do with them. All right, give me yours. What do you got?
00:40:52
100proof
Wow, that's a really good one. And I wish I had like a, um, ah, specific alpha drop like that right now.
00:41:02
100proof
So I maybe misunderstood your question. And I've kind of got, like, four, I've got four bits of like high-level advice that I think you wouldn't hear elsewhere.
00:41:05
riptide
Just a zero address.
00:41:12
riptide
That'll work, too. Do it.
Skills and Strategies in Bounty Negotiations
00:41:18
100proof
These ones are more to do with being a bounty hunter than being a competitive auditor.
00:41:23
riptide
Dude, that's alpha, too. It's good. Drop it.
00:41:26
100proof
The first one is that I think there's a rich vein to be mined in studying, um, literature on testing, which has been done, like, turns out there's a lot more of it out there than you would think.
00:41:46
100proof
And it turns out that people were kind of doing this, the stuff we're doing, like 20 years ago at Microsoft and other institutions like that. There's even books on it.
00:42:00
100proof
And I would just say, like, have a look out there for any book or blog post that you can find on manual testing rather than automated testing, because the manual testing seems to be much more akin to what we do as bounty hunters.
00:42:17
100proof
Meaning that it's not just unit tests, like, every, you know, every project's got unit test suites, but manual testing's all about getting in there and just having a human in the loop that tries to break things. And I was kind of surprised that there's actually a whole bunch of books out there with some really good advice, and one author that I've looked at already is James Whittaker.
00:42:47
100proof
So just look that guy up, have a look what books you can find and any blog posts and just have a quick read on that. Now the other one, I'm still learning this one.
00:42:58
100proof
I don't think I've got the answers on this yet, but I think that negotiation skills are like a key skill that bounty hunters need.
00:43:11
100proof
And I reckon I've made all the mistakes. I reckon I've appeared really needy. I reckon I've used language that was a bit, you know, fiery, all that kind of stuff. I haven't been really learning about the psychology of these, yeah, you know, of the people behind the projects. I think I've just been, you know, kind of like a lawyer, thinking like a lawyer, or just being autistic about it, thinking, you know, if I can just show you where you sit in your own bug bounty program, that you would pay out for this bug, then you'll of course agree with me. But that's just not how it works. Like, people are people. And
00:43:53
100proof
You probably want to use some kind of psychological techniques to try and convince people to your side. I'm still learning this. I don't know how it's going to be done, but that's something I'm really interested in looking at in 2025. Like I'm thinking about it quite a lot and I'm watching some YouTube videos about it and just trying to get ideas about it.
00:44:14
riptide
That, that's very, very good. I like that.
00:44:17
100proof
Now, the next one is, I've, I'm not saying do this all the time, but maybe team up with a partner to do some bounty hunting.
00:44:29
100proof
I think I've been doing that with a bounty hunting partner. I haven't got his permission to talk about it. Well, I just didn't even ask him, so I'll just leave his name out for the moment.
00:44:40
riptide
And this is, this is a gentleman I met in Bangkok, right?
00:44:47
100proof
Anyway, so that's been fun and, like, you know, it actually makes me more motivated because you kind of got someone to bounce ideas off, and also you do feel a little bit competitive with them as well, which can be good in small doses. But the one really good thing that came out of it was that we set up a Discord server to discuss all our leads, and that has the added benefit of forcing you to write your ideas down and communicate them to someone else. And you'd be surprised how much more stuff you come up with while you're actually writing stuff down and explaining it. And second, that server
00:45:31
100proof
now contains a whole bunch of documentation, more than you'd normally take when you're just doing bounty hunting by yourself. At least that was true for me. So that's my third bit of alpha, is that, like, if you're working with someone, you get the added benefit of, like, communicating in written form, which forces you to think more clearly, and you get the documentation. And that's my three bits of alpha for today. Maybe I'll come up with some more on the fly later.
00:45:57
riptide
No, very good. And I like the third. I still haven't worked with anyone with any bug hunts, but I know it's probably beneficial. I just, I just prefer this completely unstructured kind of thing.
00:46:09
riptide
Maybe if I worked with someone who, who also was like, Hey, uh, I'm not going to check into the discord for three days and don't worry about it. Maybe, maybe then it would work.
00:46:20
riptide
Cause that's kind of how I roll.
00:46:20
100proof
Yeah, yeah, totally.
00:46:23
100proof
I mean, I'm not saying I would do it all the time, but so far I've enjoyed it so much that I'm going to keep doing it for a while longer.
00:46:30
riptide
I wanted to touch on negotiations. I think that's a great topic. So I'll sum up. Yeah, everyone wants to save their money to go and take a college economics course. I actually liked the course in negotiations. And a couple things, the two things that I took away from it were, one was this thing called an anchor price, if you've heard of negotiations,
00:46:53
riptide
which is basically you start the negotiation and wherever someone throws that first number is kind of mentally where the other guy puts that number. So if you're buying a car, say, hey, I'll offer you a five and the thing's worth 15, that guy is going to say, what the hell is this guy low balling me or, and you can't give a low ball or else he might just dismiss you, but it has to be in a certain range where he says, oh, maybe it's not worth 15. Maybe it's worth five.
00:47:20
riptide
but now he's thinking around that five and his counter offer will hopefully be around that number. So same thing with negotiating your bounty, same principles apply. And the other thing is, it's called BATNA, best alternative to a negotiated agreement. So as one of the counterparties to, say, a bug bounty negotiation, when you're talking to a team on Twitter or through Immunefi and you say, okay, well, you know,
00:47:48
riptide
what is my best alternative if I can't get an agreement with these people? What's my alternative? Can I just say, hey, well, you know, you have no bounty, well, I'm not gonna bother disclosing to you. I did a lot of work on this bug, you guys can find it on your own, that's it. Maybe that's your best alternative, but you need to know these things going in so that way you can kind of structure the negotiation in your favor and not be, you know, not be prone to giving away too much for no money, perhaps, whatever it is. And another thing with negotiation, which has happened to me recently, like say you get into a Twitter group, or sorry, not a Twitter group, Telegram group with the parties, the devs, everyone, and you're about to disclose a bug, you kind of have to strategically hold things back
00:48:41
riptide
until you can get some sort of assurance, whatever that is for you, that, hey, they're going to, they have a bounty program, they're going to reward you, or something. Because why are you doing it? Is it for the sake of the industry? Great. Are you doing it to eat? Great. Whatever your motivations are, make sure those are met. If you just want to spend all your time hunting bounties and just reporting them for nothing and say, hey, don't reward me, great. That's, that's great. Uh, whatever you want to do. It's very altruistic, but if you want to get paid, uh, you have no obligation. This may be a, a point many don't agree with, but you have no obligation to disclose anything.
00:49:23
riptide
You know, if you find something and then, uh, the other party says, Hey, you know, we're not going to pay you, but we're going to fix it. Thanks. Fuck off. Well, you may have spent weeks on that. And now, now what you've made the ecosystem safer or, you know, what's, what's the reward for you? So I feel a different way on that. I don't know about you. What do you think?
00:49:47
100proof
Yeah, it's a great question. I'd say my views on this have changed a little bit. So, you know, I still have some bright lines in the sand, like not wanting to, I'll never take part in a white-hat hack unless, you know, I've been given permission to do so. But I think I'm re-examining some other things, and there is no doubt about it that you lose all your leverage the moment you disclose your report completely to someone else. And there's nothing you can do if they decide to pay you nothing, like a lowball amount, or just ignore you and do nothing about it.
00:50:33
100proof
or, you know, drag out the payment process for three months or something like that. There's nothing really you can do about that. So this leverage problem is one that needs to be solved. And what I heard from your comment there was that, like, well, perhaps you don't even give away that leverage in the first place. You know, like, I personally would feel, you know, I've heard, I personally think that you could run afoul of extortion laws in various districts if you say, I must be paid for this.
00:51:09
100proof
Though you could ask for other things, like I want a direct line of communication, I want everything answered within a timely manner, like 12 hours, 24 hours,
00:51:23
100proof
ignoring, you know, communication for longer than that is unacceptable.
00:51:30
100proof
You know, perhaps you could even ask whether you could disclose via an audio call so that you kind of, you know, them, and that might be beneficial to them, that might allow them to, like, have a quick debate with you about the impact and you can explain it to them nice and quick. And also you get, like, a sense for what the project's like. I don't know, but what I'm saying is, yeah,
00:51:54
100proof
Although I wouldn't necessarily say, you must pay me if I disclose this, because you could run afoul of, like, you know, things.
00:52:00
riptide
Right, right. You want to do it all legally.
00:52:03
100proof
But you do want to be treated fairly. And so you could ask for other non-monetary things, I think, in advance.
00:52:12
riptide
Well, let me ask you this because this is a real scenario and this is why my thinking on this has changed.
00:52:17
riptide
So, uh, I found a bug and this is still ongoing, right?
00:52:22
riptide
I found a bug and I put it out on Twitter. I said, hey, uh, it was a $40 million drain. And I said, is it worth more or less than 3000? Because that's what they offered. And I was like, you fucking kidding me. And because this is what I did, I disclosed the full thing, just like always. And I'm like, hey, you know, that's, this is just, it's the right thing to do, right? So I just disclosed everything. And then they're like, hey, yeah, three grand. Okay. So we eventually put it up to 10 and I'm like, okay. And then I found another bug with these guys. And now it was a $250 million drain.
00:53:01
riptide
These are big numbers, huge numbers.
00:53:04
100proof
It's hard to believe that anyone would do that.
00:53:07
riptide
It's crazy. Space is absolutely crazy. And so I'm like, well, I'm not disclosing it to you. You know, I said, we need to come to some sort of agreement that I would be compensated on some sort of normal scale or something if the finding is, you know, it's, it's like, like you're saying, you don't want to do any, there's no extortion. Like I don't, if I found something, I don't have to report shit to anybody.
00:53:34
riptide
You know, and I just did it with these guys and they pay me a pittance. So I'd rather just not say anything and I'll just not report it if you're not willing to be fair about the whole thing.
00:53:45
riptide
So that's, that's a predicament that I'm in that I'm kind of frustrated with. And I really don't know how to proceed. I don't think they know how to proceed, but I'm not just going to work for free, and I'll just hold onto the finding and just keep it by my side.
00:53:58
riptide
You can go and go have someone else find it.
00:53:59
100proof
Yeah, yeah, a lot of people have kind of a fairly extreme view that, you know, that a lot of stuff should be done for the good of the space out of, you know, pure altruism or whatever. But I don't believe altruism scales, right? And I personally believe that the best thing that humans have done is organize societies in such ways that private, what am I looking for? Personal-level good outcomes are aligned with societal good outcomes. It's the ultimate win-win. And I believe that those things, that does actually scale, basically. So like the free market is just an example of that, right? Both people, if they really know what they're exchanging the goods for, they're both coming out better
00:54:56
100proof
on the other side of that trade, right? And I mean, countries that have free markets are a lot richer than countries that don't. So you can just see there where it's like personal gain is aligned with societal gain.
00:55:09
100proof
And in the case of Web3sec, I think introducing reward and money for disclosing bugs has actually been a good thing for security overall.
00:55:21
100proof
And I think it's been way better than if we didn't have that And we just relied on people's goodwill. It just wouldn't happen nearly as often.
00:55:30
100proof
I mean, you literally couldn't do the job because you'd have to have another job on the side.
00:55:30
riptide
People operate off incentives.
00:55:35
100proof
So you'd, you, in fact, you know what I mean? You wouldn't have as much time to do it. Everyone needs to eat.
00:55:41
riptide
Ah, exactly. It's, it's a difficult topic to discuss because I think people say things in public that they don't actually believe in private, or if they're, if they're doing those things in private. But I like to give people the benefit of the doubt, anyone that I deal with. I try to get an assurance like, hey,
00:56:00
riptide
you know, am I talking to the right guy? Do you have a bounty program? Like, I just like to put that out there. And then 99% of the time, oh, hey, yeah, we reward appropriately, this and that. Okay, great. Just not that, hey, expect someone to do all this work for free for you. That's just, that's not how it works.
00:56:19
100proof
Yeah, I've had another couple of ideas as well around how we could improve things for white hats.
Future of White Hat Recognition and Social Credit Systems
00:56:26
100proof
But I don't know if either of them would work. You know, so one was, what if there was like an organization, almost like a white hat union, that just would basically put out negative PR for every time somebody got lowballed. So it's, it's not like just having the, ah, bug,
00:56:55
100proof
Bug bounty wall of shame, yeah.
00:56:57
100proof
Which was a great idea, but what's different about it is it's that plus a dedicated group of people that are, like, willing to put out PR about it, not just at the time that it happens, but they do it.
00:57:09
riptide
An intern constantly posting.
00:57:12
100proof
They do it, you know, they have retrospectives every so often, like, you know, top 10 worst ones that happened in the last six months, for instance, you know, that kind of thing.
00:57:16
riptide
Yeah, you could even just have a cron job or, I'm sorry, AI agent.
00:57:21
100proof
And how would you pay these people? My thought was that white hats who benefited from it could pay them a small amount of the money, their bounties for that kind of thing.
00:57:31
100proof
If anything, if there were any good outcomes, they could pay them some money so that they could actually put out that PR on a regular basis.
00:57:45
100proof
Yeah, I guess you could do that.
00:57:46
riptide
You could have an AI agent just tweet out, just keep rehashing, you know, all the info.
00:57:50
100proof
Yeah, exactly. And I guess the second idea I had was like, well, review sites seem to have worked really well for, like, Google, Amazon, Uber, and so on, you know, and it really seems to actually improve people's behavior. Like, remember how bad taxis were before Uber?
00:58:11
100proof
But for some reason, getting complete strangers to drive you around actually works better. It's cleaner, it's a nicer experience. You know, and all because you have this, some review thing.
00:58:23
riptide
People knock on social credit scores. Yeah.
00:58:26
100proof
Oh, sorry, what was that?
00:58:27
riptide
And you say people knock on social credit scores, but really they're already in place.
00:58:33
riptide
If you're going to rent your house out via Airbnb, or if you're going to offer a passenger a ride in the Uber, everyone has ratings and you're not going to pick up the guy who's got a two star rating because whatever happened in the last ride.
00:58:47
riptide
I mean, it sucks, but when you're on the other side of that, sometimes it's really good.
00:58:55
100proof
It's good to be intellectually honest about social credit systems. I've always wondered what's actually going on in China when they talk about how terrible these social credit systems are. Not that I'm like pro or against it.
00:59:07
100proof
I just would like to know more about what's actually going on there and whether I've just been you know sold some propaganda.
00:59:13
100proof
Because it would be so easy. Yeah.
00:59:13
riptide
I think selectively, I'm like them, but not everywhere.
00:59:17
riptide
It can't be, it can't be everywhere.
00:59:17
100proof
Yeah, yeah, yeah.
00:59:18
riptide
That's just, that's like Australia. No. I think selectively, where you can opt in, like if I'm going to use Uber, I know there are going to be ratings, but China, I mean, they're, you know, they just go full bore with everything.
00:59:35
100proof
Right, right, right. They can actually keep you in your district, you know, and not allow you to travel if your social credit's bad enough.
00:59:41
100proof
That is pretty authoritarian. I can already draw the line on that at first principles.
00:59:47
riptide
I think, I think I don't want the government to do social credit scoring. Maybe if the government's starting, because then I can opt in or opt out too. I mean, we have it with credit scores, financial credit scores, isn't that... But the government doing it, they'll just fuck it all up and turn it into some tyrannical crazy place.
01:00:07
100proof
Yeah, most likely.
01:00:12
riptide
Oh man, uh, anything else? Mr. Proof, we made it to one hour.
01:00:18
100proof
Oh, fantastic. I mean, this could be a good spot to stop. There's one more thing I want to do. I want to give a shout out to a guy on X who calls himself Korok.
01:00:31
100proof
And so that's K-O-R-O-K. And I'm just interested to follow his experiment on trying to solve the loss of leverage problem that we bounty hunters have.
01:00:41
riptide
Shout out to Korok, met him as well.
01:00:45
100proof
Yeah, I just think, I mean, I'm not saying it's going to work, but I think his ideas are worth looking at. I mean, first of all, he just wants to have everything on chain so that, you know, it's public rather than private. And that's, transparency is always a good thing. And yeah, and then he's just kind of trying, I think he's trying to build an on-chain justice system.
01:01:07
100proof
Which at first sounds like, how could that possibly work? But people forget that, like, cryptocurrency itself is not just code it is. Its success relies on the people who are interested in it.
01:01:22
100proof
If no one was interested in the code, then it wouldn't be worth anything. So everyone's got to agree that it's fair. You know, the code's fair. And if you can come up with some kind of on-chain justice system, that could be kind of cool.
01:01:35
100proof
want to see how that goes.
01:01:38
riptide
Yeah, definitely. Yeah, we'll have to stay on it. Korok, we're watching.
01:01:45
riptide
Well, thank you for coming on. Appreciate it. And maybe I'll see you at the next ETH event.
01:01:52
riptide
Maybe. Yeah.
01:01:54
100proof
Definitely want to hang out with you again sometime. It was too short last time.
01:01:57
riptide
Yeah. All right, brother. Well, good talking. I'll see you on the blockchain.