Blockchain Security Series 12 - Stephen Tong (Co-Founder & CEO @ Zellic)
Description
Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher, SEAL member)

Topics discussed:
- 00:56 - Your story: How did you start getting interested in security?
- 04:01 - Perfect Blue: A weeb team with a CTF problem. Tell us all about it!
- 06:49 - Similarities between web2 and web3 security. CTF skills comparison
- 09:55 - Traditional security background for auditors
- 11:41 - How did you start Zellic and what's its focus?
- 13:05 - Development cycle and security
- 15:11 - Unit testing
- 18:35 - Formal verification: The wETH example
- 23:27 - The current state of DeFi security
- 26:27 - Hacks, kill switches and fund-recovery mechanisms
- 30:15 - Monitoring and threat detection
- 31:05 - Code is law?
- 32:18 - Consumer education & mass adoption
- 33:19 - Security Alliance - Whitehat Safe Harbor Agreement
- 35:35 - The Nomad hack: Audit diffs
- 37:50 - Bridges and OpSec importance
- 41:30 - Programming languages. Solidity and its origin
- 43:15 - Rust & Move programming languages
- 46:05 - Key features of a blockchain programming language
- 46:38 - ERC-4626: Standards for yield-bearing assets
- 47:40 - MPC from scratch
- 50:04 - Zellic Forky
- 51:03 - How to store crypto safely
- 52:55 - Threat modeling
- 55:15 - Favorite conferences

Summary: In this conversation, Stephen Tong, co-founder and CEO of Zellic, shares his journey into blockchain security and the founding of Perfect Blue. He discusses the similarities and differences between security in web2 and web3, the importance of diverse skill sets in the security industry, and the origin and focus of Zellic. The conversation also covers the correct approach to security in blockchain development, the importance of unit testing and formal verification, and the challenges of ensuring safety in DeFi protocols.

The discussion then turns to the concept of "code is law" and the need for balance between being permissionless and protecting users from hacks. Stephen Tong covers the importance of decentralization and how to make the ecosystem more secure. The conversation touches on the initiatives of the Security Alliance (SEAL) and the need for a standardized approach to tokenizing yield-bearing assets. They also discuss the strengths and weaknesses of different blockchain programming languages, such as Solidity, Vyper, and Rust. The conversation concludes with recommendations for safely storing crypto assets and the importance of threat modeling.

Takeaways:
- Stephen's interest in security began with hacking Minecraft and Counter-Strike, leading him to become a skilled auditor and co-founder of Perfect Blue.
- The skills required for auditing smart contracts in web 3.0 are similar to those needed for web app pen testing, low-level exploitation, and cryptography.
- The development cycle for secure smart contracts should include early engagement with security professionals, thorough testing, and formal verification.
- Unit testing is crucial for ensuring the security of smart contracts, and projects should aim for 100% line and branch coverage.
- Formal verification involves encoding code into mathematical formulas to prove that it adheres to protocol invariants, but it can be time-consuming and challenging.
- While no system can be 100% secure, it is possible to be reasonably sure about the security of a protocol under a given threat model and set of assumptions.
- Monitoring tools for detecting hacks before they happen are still maturing and often have false positives, but they are a step in the right direction.
- "Code is law" should be balanced with the protection of users from hacks.
- Initiatives like the Security Alliance (SEAL) contribute to making the ecosystem more secure.
- Hardware wallets and compartmentalization are recommended for safely storing crypto assets.
- Threat modeling is essential for understanding and mitiga