
Smart Contract Security 101

BSides Ahmedabad · 53:37 · 3.4K views · Published 2023-02
Tags
Category: Technical
Difficulty: Intro
Style: Talk
About this talk
Learn smart contract security from Shashank, co-founder of CredShields. Slides: https://drive.google.com/file/d/1yLIGJJDvwutNgC6L_oW3Uj2LlATyu2no/view
Transcript [en]

Host: Welcome back, everyone. I'm sure you are pumped up, caffeinated and eager for our next speaker. He is the CEO and co-founder of the web3 security company CredShields.com, and he is an executive analyst-cum-[inaudible] for HackerOne. While we are moving towards web3, let's put our hands together and welcome Shashank to talk about this decentralized ecosystem and its need for security. [Applause]

Shashank: Hello everyone. About me: I'm Shashank. I co-founded a company called CredShields, a web3 security company, and we are building a product called SolidityScan. If you know something about web2 security, you can say SolidityScan is something like Acunetix or Nessus for smart contracts: you upload your smart contracts and it finds the vulnerabilities in them. That's what my team and I are doing. Apart from that, before starting this company I was a security analyst for HackerOne, and before that I was a security analyst for Tariff, a Malaysia-based trading platform. Before that I was into bug bounty; I was among the earliest bug bounty hunters, I started in 2012 and did bug bounty for a very long time. I was part of the Cobalt team as well, and HackerOne pentest. So this is my background, and for the past two years I have moved into web3 security, doing research and building this product.

About this talk: since we have a very short time, I'm going to explain very simple things, but they have huge impact and they are very common bugs. The problem with web3 is that if I jump directly into vulnerabilities, you're not going to understand many things, so for the first 15 minutes just focus on what I'm saying, because those are the basic building blocks: how a smart contract works. Then we'll talk about vulnerabilities. That's why I'm stressing it: bear with me for the initial 15 minutes. It will be more about how Solidity works, how a smart contract works and how a blockchain works, and then we'll jump into vulnerabilities.

What is a blockchain? A blockchain is a digitally distributed, decentralized public ledger. Let me explain in very simple terms how a blockchain works. Suppose there is person A, person B and person C. Person A has 100 rupees (100 INR). Person A transfers 50 rupees to person B, and person B transfers 20 rupees to person C. If you do the calculation, now person A has 50 rupees, person B has 30 rupees and person C has 20 rupees. Now let's talk about the real-world scenario of how banks work: A goes to a bank, deposits 100 rupees, transfers 50 rupees to B, and then B transfers 20 rupees to C. A bank is something you trust with your money and with the ledger, so they maintain the ledger which says A now has 50 rupees, B has 30 and C has 20.

The problem is that many people started not to trust the banks, and that's where blockchain came into the picture. A bank might freeze your account, or might say that you don't have 50 rupees but 60 rupees or 30 rupees. That's why this beautiful concept of decentralization came in: there is no ownership, no centralization, no middleman. That's what blockchain is. I'll explain the same scenario in a blockchain. Consider another scenario where all three of them, A, B and C, have three ledgers, and in every ledger everyone has recorded that the first transaction moved money from A to B and then from B to C. The same copy is with all three of them. There is no central authority, so even if A claims "I have 60 rupees", which he doesn't, B and C can verify. This is how Bitcoin works: when you download a node server, when you host your own chain, you download the entire ledger to your system, from day one when Bitcoin started until the transactions happening right now. That's how decentralization works: everyone has a copy of transaction one through the current transaction in their ledger, and that's how verification happens. If I run a node and try to claim that I have 10 BTC which I don't have, there are numerous people across the world running the same ledger who can say my claim is false. That's how a blockchain works.

Since we are talking about smart contracts, the reason I talked about Bitcoin is that the idea of Ethereum was taken from Bitcoin. Vitalik, when he created Bitcoin, was like: Bitcoin is only good for transactions, why not make it a programmable blockchain, so the code is actually on the blockchain? The code is there for everyone, the code is immutable and nobody can change it. It's a decentralized environment where you can store your code and your logic, and it is completely transparent and available to the entire world. If you look at the second point, it says Bitcoin is a scripting language limited to true and false statements about a transaction, like whether a transaction happened or it didn't, but blockchain adds additional programmable conditions: when the transaction should happen, what should happen, etc. That's why Ethereum is called a programmable blockchain

and these programs are called smart contracts. Now that we are clear with the concept of smart contracts, I'll explain the basics of Solidity, because these are very essential, and I have a piece of code with me to explain. The Solidity programming language is quite similar to any object-oriented programming language. If you are studying computer science or know any object-oriented programming language like C or C++, you'll find Solidity very similar, with a few changes. I'm going to focus on the things that are different, the ones related to the Ethereum blockchain.

The first one is the pragma. You see it on the first line. The pragma defines which compiler version we are going to use to compile the contract, and this is very essential because Solidity has lots of versions and the code has to be compiled on a compatible version. This one is read as "pragma solidity" with a version between 0.7.0 and less than 0.9.0. That's the first concept. Then you have contracts: whenever you are writing a contract, the first thing you do is define a contract, like this. It's a very simple concept. Then we have constructors. A constructor runs just once; it is very important to learn that the constructor runs only once. When you deploy the contract, it creates a variable called owner and sets it to msg.sender. This is important: msg.sender is a global variable which automatically states the address that is interacting, the one that initiated the transaction, and here it is set as the owner. Then we have functions. I don't think I need to explain functions; they are general functions, like a function updateOwner.

Now this is very important, so please ask if you don't understand, because it is related to a vulnerability which I'm going to explain later on. Smart contracts have something called modifiers. You can see there is a function called updateOwner which takes a new address as input. This function updates the contract owner, but it has a modifier called onlyOwner. Whenever this execution happens, the code will run till here and notice that it has a modifier called onlyOwner. Before executing this part, it will first go to the modifier, and the modifier has a require statement which validates whether msg.sender is the owner, whether whoever is interacting with the contract is the owner or not. We have seen that the owner is defined when the contract is deployed: the address which deployed the contract is the owner. If this statement is false, the function will never execute; if it is true, it instructs the compiler to go ahead with the rest of the code logic. This is very important.

I can show you a simple example of how it works if we compile this. Let me tell you: what I'm using right now is called Remix. If you are trying to get into web3 security, it's a very good tool, an online IDE where you can deploy your own smart contracts. It gives you self-hosted blockchain nodes where you can actually host the code and test it out. If I deploy this code, I have to mention the compiler version; as per the code my compiler version needs to be somewhere between 0.7 and 0.9, so I set 0.8.7. It compiles, and when we deploy this code, this address is the owner, because this was the address which interacted with the contract. The logic confirms that. Now if I select another account and try to update the owner, it throws an error. I hope it is visible: you will see the transaction was reverted. It happened because there is an onlyOwner modifier checking that only the deployer can make changes to the contract.

I'm not discussing fallback and receive, because that's something I'm not going to talk about. Import functions are very simple: in this sample code you can see that, just like any other programming language, you import a module or external dependencies, and that's how you do it in smart contracts as well. Then you have inheritance in smart contracts, which is very similar: "contract A is B", and A will inherit things from B. Then you have comments, variables and events. Events in a smart contract are kind of a logger: they log things on the smart contract.

Okay, so now we'll talk about vulnerabilities in smart contracts. One of the most common vulnerabilities in smart contracts is access control. The concept is kind of the same as in web2, but the logic is very different in smart contracts. What you see in web2 is that account A can access the data of account B, and it's quite similar in smart contracts: if there is an admin functionality which was not supposed to be accessible to a normal user, then there is an access control vulnerability. This one is an example of an actual hack: there was a smart contract called Hospital, and they got hacked. I'll show you in the browser. I want to give you knowledge about a few other things. For every contract deployed on Ethereum, there is a website called Etherscan where, if you enter the contract address and go to the Contract tab, you'll be able to see its source code. The best thing about smart contracts is that most smart contract code is public. To bring in the transparency I was talking about, they publish the entire code, the actual code, so people can check that the code is doing what it is supposed to do. That's why it's even easier for hackers to hack smart contracts, because the code is public, but on the other side, smart contracts can be audited as well, since everything is transparent. So this is the way: you pick any smart contract, go to Etherscan and check its code.

If we look at line 1348, you'll notice this is a burn function. What a burn function does in a smart contract is burn tokens. Suppose I create a token called Shashank Token and I mint one lakh tokens; you can mint tokens and you can burn tokens, that's very common terminology in smart contracts. Minting means I'm increasing the number of tokens and burning means I'm reducing the number of tokens. So if you see here, what's wrong with that? Can anyone guess what's wrong with this? Yes, exactly, you're correct. In general programming there is something called function visibility. If you see, the function visibility is public. Public means anyone can interact with it, and since there is no modifier there is no check, so any individual can call that function and burn the tokens. This was the Hospital hack, where a hacker could burn all their tokens.

I have a very similar example which we found during our assessment. I was contacted on Telegram: a friend of one of our clients had a smart contract called Shadow Fight, they got hacked, and they wanted to know how they got hacked. I'll share my experience of how we figured out the hack, and this is good for understanding how vulnerabilities happen in smart contracts. The only thing I got was the hacker's transactions, so let's look at them. These are the list of the hacker's transactions, and the most interesting was the fourth one: a huge amount of Shadow Fight token was burned. How did we guess it was burned? The common logic for burning a token is that you send it to a null address. A null address is the zero address; every chain has a null address, the zero address, which is not controlled by anyone. Nobody has the private keys of the zero address. Since you cannot simply delete tokens in smart contracts, when they burn they send them to the zero address. When I share my slides, you can click that zero address and you'll see it has billions of tokens and nobody has authority over it. That's why it is used for burning tokens. So the first thing we noticed was that a huge amount of tokens was sent to the zero address, which means the tokens were burned, so the hacker did something with the burn function. Let's see.

If we check the code at line 962, it's quite the same: the burn function was public. But the question is, how did he manage to steal all the funds, how did he manage to make money? Let's go back to all the transactions. Now we know the hacker burned a huge amount of tokens because the burn function was public. Let's deep dive into the logic. If you see the first two transactions: in the first he deposited wrapped BNB (since this is Binance chain, he deposits some amount of Binance token), and next he bought almost 9.5 SDF tokens. Let's understand this: suppose there are 100,000 tokens and the price is one dollar per token; if suddenly the number of tokens is one thousand, the price of each token will increase because there is scarcity. That's what the hacker abused. He initially deposited BNB and bought a minute amount, he spent like ten dollars and bought about 10 Shadow Fight tokens. Then he burned the majority of the tokens, creating scarcity, so now his 10 Shadow Fight tokens were worth three hundred thousand US dollars. First he deposited the money, bought a little bit of token, burned the rest of the tokens, and then, since he is exploiting the Shadow Fight token it's definitely not very useful to him, and it is available at a very high price, so he just sells the tokens he had, 8.4 plus 0.5: he sold almost nine Shadow Fight tokens for three hundred thousand dollars because of the scarcity, and ran away with the balance. This is one of the classic examples of how people can exploit access control to completely drain an entire smart contract.

But again, not every access control bug leads to stealing of funds. When you are looking for vulnerabilities in smart contracts, it's not necessary that every time you will end up finding a bug which causes financial damage; sometimes it can give you an edge at certain functions. This was one of our clients: they had a contract where they were auctioning their tokens, and the auction was only available to certain whitelisted users, so not everyone could just go and buy. Especially for malicious addresses, they added a blacklist, so that a certain person cannot participate in the auction. This is what they created: a function called blacklist and a function called removeBlacklist. Again, if you see, there is a missing access control: they forgot to add the modifiers, so anyone could call those functions. If I get blacklisted, I can simply call removeFromBlacklist, pass my address, and then I'm not blacklisted anymore. So this is another kind of vulnerability.
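As an added example (not the speaker's Remix code, and not the Hospital or Shadow Fight contracts), the Solidity below puts the modifier mechanics from the basics section next to the two access-control mistakes just described: a public burn with no modifier, and a blacklist that the blacklisted party can undo. `VulnerableToken`, `HardenedToken` and `Attacker` are hypothetical names; the balance bookkeeping is a minimal stand-in for an ERC-20, not a real deployment.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not code from the talk. A minimal token (not a full
// ERC-20) that reproduces the two access-control mistakes discussed:
// burn() and removeFromBlacklist() are public and carry no modifier,
// so any address can call them.
contract VulnerableToken {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blacklisted;

    constructor(uint256 initialSupply) {
        owner = msg.sender;               // deployer becomes owner; runs once
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
    }

    // BUG: public, no modifier. Anyone can destroy any holder's tokens,
    // shrinking supply and moving the price wherever the token is pooled.
    function burn(address from, uint256 amount) public {
        balanceOf[from] -= amount;        // checked arithmetic in 0.8.x
        totalSupply -= amount;
    }

    // BUG: same mistake on the deny list. A blacklisted address can
    // simply remove itself.
    function blacklist(address who) public { blacklisted[who] = true; }
    function removeFromBlacklist(address who) public { blacklisted[who] = false; }

    function transfer(address to, uint256 amount) public returns (bool) {
        require(!blacklisted[msg.sender], "blacklisted");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Same token with the check the speaker describes: a modifier whose
// require() runs before the function body (the `_;`) is reached.
contract HardenedToken {
    address public owner;
    uint256 public totalSupply;
    mapping(address => uint256) public balanceOf;
    mapping(address => bool) public blacklisted;

    event Burn(address indexed from, uint256 amount);   // events act as the log

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;                                 // continue into the function body
    }

    constructor(uint256 initialSupply) {
        owner = msg.sender;
        totalSupply = initialSupply;
        balanceOf[msg.sender] = initialSupply;
    }

    // Holders may burn only their own balance; nobody can burn for others.
    function burn(uint256 amount) external {
        balanceOf[msg.sender] -= amount;
        totalSupply -= amount;
        emit Burn(msg.sender, amount);
    }

    // Deny-list management is owner-only.
    function blacklist(address who) external onlyOwner { blacklisted[who] = true; }
    function removeFromBlacklist(address who) external onlyOwner { blacklisted[who] = false; }

    function transfer(address to, uint256 amount) external returns (bool) {
        require(!blacklisted[msg.sender], "blacklisted");
        balanceOf[msg.sender] -= amount;
        balanceOf[to] += amount;
        return true;
    }
}

// Hypothetical attacker contract. Deploy it from a second Remix account and
// pass the VulnerableToken address plus the deployer's address as victim.
contract Attacker {
    function drain(VulnerableToken token, address victim) external {
        token.removeFromBlacklist(address(this));     // un-ban ourselves
        token.burn(victim, token.balanceOf(victim));  // burn the victim's whole holding
    }
}
```

In Remix (compiler 0.8.17), deploy `VulnerableToken` from account 1 and call `burn` from account 2 with account 1 as `from`: the transaction succeeds and the supply drops. Repeat against `HardenedToken`: the `blacklist`/`removeFromBlacklist` calls from account 2 revert with "not owner", and `burn` can only reduce the caller's own balance. The audit step this illustrates is mechanical: for every state-changing function, read its visibility together with its modifier list and ask who is allowed to call it.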

Before moving to the second bug, do you have any questions? I wanted to make this more interactive, so I kept the slides very short and wanted to have more questions. Do you have any questions about access control vulnerabilities or anything? ... Modifiers? Yes, I explained modifiers. For everyone: the question was how modifiers work. As I explained in the previous slide, and actually I can show you a nice example: when you call a function which has a modifier, before executing the code it will first check with the modifier. The modifier's require statement states that msg.sender should be the owner, so not just any random address can update the owner; they have to be the owner to update the new owner. Let me just compile the code for you. I already showed you that if there is an onlyOwner modifier, you cannot update the address. But what if I delete this? What happens if I delete this? This is the address which is supposed to be the owner. If we deploy this again... okay, it is deployed. As per the rule, this is the owner. Now I'm changing the account, calling the contract with another user, and trying to make myself admin. Okay... one second... okay.

So this is the owner. Now I change it to the new owner... okay, this worked. You see, when I removed the onlyOwner modifier: initially the owner was this address, but then I just used a random address, interacted with the updateOwner functionality, and it got updated. It didn't throw any error, because there is no check for the actual owner, which was the deployer. The fourth one was the one which deployed, so the fourth one was supposed to be the owner, but I was able to update the contract with the fifth one, because there is no modifier to validate who is making the transaction. I hope that is clear.

Then there are bugs related to integer overflow and underflow. You might have heard about overflow bugs in binary applications; it's very common. Let's first understand how overflow and underflow work. I have sample code for that.

Let's understand this code first. The first function, over: there is a uint8. uint8 means the variable can hold values from 0 to 255, that's 2 to the power of 8 minus 1, that's the limit. You have uint16, uint256, etc. I'm taking a very small value so that it's easier to explain. In the overflow function I'm adding 255 plus 2, but it's uint8, so what would be the result? Anyone can answer: what would be the answer for the first one? ... It won't be two, it would be one, I guess, but you got the concept. What is happening is that when you define a uint8, the value can never exceed 255. In overflow, if you add 2, it goes to zero and then to one; it circles back, like the odometer on your motorbike: when it ends, it starts from zero again. That's the classic example of buffer overflow. In underflow, if you subtract A minus B, reducing two from one, it goes back to the highest number. It won't be minus one, because obviously it's a uint, an unsigned integer, it is always supposed to be positive, so it goes back to the biggest number, which is 255. Smart contracts are vulnerable to overflow bugs, and I'll show you a classic example of a hack that happened because of an overflow bug. But before that, I'll just compile this code and show it to you.

Okay, it is compiled. I'll deploy the contract. Let's see... oh, the old contract. One second.

Yeah, so if you see this one: when I do an addition of 255 and 2, the result is one, because after 255 it moves one more and goes to zero, then moves one more and goes to one. If you go for an underflow, it goes to the maximum value. So what happens in smart contracts is that if you manage to find an overflow vulnerability, suppose you have 10 tokens... let me give you another example: you have 255 tokens and someone sends you one additional token. If the overflow happens, your balance is now zero. That's a disaster for a financial application: someone who had the maximum amount of money ended up with zero.

I'll give you a very classic case, and this one is very funny, because this contract was created on 4chan. 4chan is the place where you have all the fun and weird stuff. One guy came up with a smart contract which was purposely made as a Ponzi scheme, a pyramid scheme. In a pyramid scheme, if you refer someone you get some incentives, then that guy refers someone else, and the incentives flow in; you refer and refer and make money. They just wrote it for fun, it went viral on the internet, and suddenly everyone was throwing money into that contract. It was supposed to be a Ponzi contract, but the irony was that, although it was so much fun, it had a bug: when they did a subtraction they did not do an overflow/underflow check. What one hacker did was create one account and refer another account, so the first account can claim money from the second account. He had a few tokens in his first account and his second account, and he requested money which would lead to an underflow. Suppose his second account had 10 tokens and he requested 11 tokens: now his balance is not minus one but the maximum the contract could hold. So he created two accounts and manipulated the balance to assign himself the highest possible balance, which was 2 to the power 256, a huge number, and then he sold all the tokens and took away... I'm not sure how much money he took; yes, it was an eight hundred thousand dollar hack. He took away eight hundred thousand dollars worth of Ethereum at that time, which right now is worth millions. This is one of the classic bugs, the PoWH coin hack; if you Google it, you'll read that it's a very funny story.

Okay, so again, as I said, my talk was supposed to be very short. If you have any questions: I know many people want to get into web3 security, and I wanted to give you two or three classic bugs which are very simple to understand but critical in impact, people run away with millions of dollars. These are some resources, but I'm open for questions; if anyone has any questions, you can ask anything related to web3. Don't feel shy, just ask anything.
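As an added example (not the speaker's Remix demo and not the PoWH contract), the Solidity below reproduces the uint8 wrap-around explained above and the unchecked balance subtraction behind the PoWH hack, each beside its checked form. Since Solidity 0.8.0 arithmetic reverts on overflow and underflow by default, so the wrapping behaviour is written inside `unchecked` blocks; on a 0.7.x or earlier compiler the same expressions would wrap without `unchecked` unless a SafeMath-style library guarded them. `OverflowDemo`, `UncheckedLedger` and `CheckedLedger` are hypothetical names, and the starting balance of 10 is constructed for the demonstration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not code from the talk.
contract OverflowDemo {
    // Pre-0.8 behaviour reproduced with unchecked: 255 + 2 wraps past
    // 256 (-> 0) to 1, exactly the odometer roll-over described in the talk.
    function overWrapping(uint8 a, uint8 b) public pure returns (uint8) {
        unchecked { return a + b; }
    }

    // Pre-0.8 behaviour: 1 - 2 wraps to 255, never to -1 (unsigned type).
    function underWrapping(uint8 a, uint8 b) public pure returns (uint8) {
        unchecked { return a - b; }
    }

    // Default 0.8.x checked arithmetic: 255 + 2 reverts with Panic(0x11)
    // instead of wrapping, so the caller's transaction fails.
    function overChecked(uint8 a, uint8 b) public pure returns (uint8) {
        return a + b;
    }

    function underChecked(uint8 a, uint8 b) public pure returns (uint8) {
        return a - b;
    }
}

// The PoWH-style mistake: a withdrawal that subtracts without checking the
// balance first. With wrapping arithmetic, asking for 11 when you hold 10
// leaves a balance of type(uint256).max.
contract UncheckedLedger {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 10;           // constructed starting balance
    }

    function withdraw(uint256 amount) external returns (uint256) {
        unchecked {
            balanceOf[msg.sender] -= amount;  // 10 - 11 wraps around
        }
        return balanceOf[msg.sender];
    }
}

// Hardened form: an explicit precondition plus checked arithmetic. Even if
// the require() were forgotten, the 0.8.x subtraction itself would revert.
contract CheckedLedger {
    mapping(address => uint256) public balanceOf;

    constructor() {
        balanceOf[msg.sender] = 10;           // constructed starting balance
    }

    function withdraw(uint256 amount) external returns (uint256) {
        require(balanceOf[msg.sender] >= amount, "insufficient balance");
        balanceOf[msg.sender] -= amount;
        return balanceOf[msg.sender];
    }
}
```

In Remix with compiler 0.8.17, call `overWrapping(255, 2)` and `underWrapping(1, 2)` to see the wrapped results the talk describes, then `overChecked(255, 2)` to see the revert. Deploy `UncheckedLedger` and call `withdraw(11)`: the returned balance is the maximum uint256, the PoWH outcome. The same call on `CheckedLedger` reverts. When auditing, every `unchecked` block and every contract pinned to a pre-0.8 pragma without a SafeMath-style guard deserves the same question: can a caller pick operands that cross the type boundary?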

Anyone?

Oh, yeah.

Audience member: Hi, first of all, great talk. We have a lot of new compilers, like... not Solidity, Solana, Rust. For smart contract hacking, is there any learning resource, and also how do you approach doing an audit for those contracts?

Shashank: You're asking about resources, and what's the approach? Yeah, that's a good question, thank you. Actually, I wanted to talk about resources. For learning smart contract security, what I would suggest is: first learn Solidity, basic Solidity. You don't have to be a smart contract developer writing protocols and DAOs or something, just the basics. For that, CryptoZombies is a very good website. It's a fun way of learning Solidity, where you create zombies using Solidity and the zombies eat each other and create more zombies. I think you can do that in less than a week. So first do CryptoZombies, and then, if you want to learn something a bit more advanced, and especially for reference, I use Solidity by Example. It's one of the best: all the concepts of Solidity are mentioned there, and even today when we want to refer to something we use Solidity by Example. Once you are done with that, I would suggest playing Ethernaut. Ethernaut is a CTF; they have almost 20 challenges and you will go through almost all of them: the challenges contain buffer overflows, bugs related to delegatecall, compiler version, reentrancy, access control. That's a very great resource, and when you play those challenges, to exploit the CTF you have to actually write the exploit smart contracts, you have to write the exploits, so it's one of the best ways to learn about smart contract vulnerabilities.

And the other thing: Solana-based smart contracts have a completely different approach. What happens on Ethereum chains is that there is a certain governance that applies to all, and you store all the data on the chain, but Solana has a very different approach where they use a renting system: you actually buy the storage, you rent the storage, and they have a completely different class of vulnerabilities. Explaining that would require another talk, so I won't go deep into it. Regarding learning about audits: yes, as I said, learn Solidity, then play the Ethernaut challenges. But the best part is that to be a good smart contract auditor you need a very good white-box auditing approach, because, unlike web applications, you don't just make hidden trials or guesses; you have the contract code with you. The best way, as an auditing company, what my team and I do is go through the entire documentation and learn their entire business logic. There will be a lot of vulnerabilities related to business logic, so once you go through the documentation and understand how their smart contracts work and what their business logic is doing, it's easier to find vulnerabilities in a smart contract. Any more questions?

Audience member: Thanks. I have a query: as a security auditor, how can we confirm that we have completed all the test cases and the contract is secure?

Shashank: Good question. I mentioned that: the SWC Registry. In web application security you might have heard about OWASP; OWASP has a pretty brilliant checklist. It's quite similar: you have something called the SWC Registry. I can show you the website. They have listed a quite good amount of vulnerabilities with their explanation and vulnerable code. When you are auditing, I have to agree that this is not the complete list, because there are a lot of things and a lot of research we found missing here, but as a starter guide, if you have completed this entire checklist, you have done more than 70 to 80 percent of the job. I think that's the best reference; you can say it's the OWASP checklist for smart contracts. The SWC Registry is a very good one. Thank you.

Audience member: Thank you. I have a question about fuzzing for Solidity contracts, because that's pretty popular as well, and one of the biggest problems with fuzzing is you don't know when to stop fuzzing, like, have you tested every single possible code path. So how useful is fuzzing in Solidity, in your opinion, and do you think you can programmatically prove that you have tested every single logic branch in a contract?

Shashank: Yes, that's a very good question, and I get it quite often. If you talk about fuzzing tools

there is uh you know it's like consensus wrote uh fuzzing tool called uh you know mythics and they have an open source version called mithril so I mean uh what my belief is that you know uh fuzzing only makes sense when you know it's like when you don't have the contract code with you uh but after specially after the D5 boom after 2019 uh the notion is that if you have a smart contract and if you haven't verified it and if you haven't published the code nobody is going to interact with you you know uh with your smart contract and that is one of the reason we chose like when we were building the product solidity scan we chose not to go

for you know fuzzing because for us it wouldn't make no sense you know it's like if you get the code we compile it and then we fuzz it so uh I mean it's like I don't have a lot of experience in there but that is the reason I you know it's like I chose not to go with a fuzzer because uh you know right now it's like any protocol any company uh it's two things are required first your smart contract should be verified and published and second you have an audit report so uh and uh so everyone is going for a white box or it and regarding your question you know it's like when do we

stop fuzzing so I mean it's like we try to do that and we we had the same issue and we were also exploring like how mythics works and you know it's like the Deep scan can take up to like one and a half hours sometimes or more so uh I mean it's like I don't have a very uh correct answer that when should we stop mostly you know it's like you can add check patterns where it's going into a recursive Loop or something then yeah uh we can have a stop on that but again my point is you know it's like when people are giving you a source code for audit uh and you know it's like finding

vulnerabilities would be much easier like for our scanner it just takes two to three minutes max to you know like list out all the vulnerabilities and the same thing if you are doing by compiling it and then fuzzing it uh I think uh we are creating problems for ourselves uh that that's my answer thank you thank you so much okay so uh regarding your first question if you talk about certifications uh uh I don't think uh um you know it's like I'm the right guy because in my life I haven't done any certification even for web 2 I've been into web 2 security for past 10 years but I never did like I did certification when it I was asked to but

what I would suggest is like uh you know the best way right now is I don't think any company is providing certifications right now or any good something which I could recommend so honestly I don't have an answer for that what I would say is like even it doesn't matter it's web 2 or web3 what I would suggest is like you know uh go ahead for learning things you know it's like when you have skill set I'm pretty sure uh nobody will ask for your certifications or qualifications you know it's like previously I worked with hacker one they didn't even ask my uh you know like if I was graduated or not so uh I think that that you know

your skills matter more and especially when there is less crowd people are people are not going to see the you know certifications are degree that's my personal opinion you know when there is a crowd like you know it's like if you talk about developers like there are lots of developers so sometimes you know companies would ask like are you from this college or from that college but when there is a scarcity you know it's like of talent then uh mostly degree is not the barrier or any certification is not the barrier regarding your second question uh right now we are not hiring but uh uh I think uh quarter uh like 2023 quarter one uh we are going to expand our team

and we'll be will be happening you know we'll have more openings for uh security you know it's like security research team so what our security research team does is like they do Audits and again whatever knowledge we gain from those audits we Supply it to our product and that Circle makes us you know uh uh you know a more productive company so yes uh we'll we might have opening in quarter one or quarter two of next year hello uh thanks for the talk that was really good uh I have one of one basic question but it's still kind of confuses me there was a weird Trend going in the web free space uh like there are uh

there are influencers there are adults adult stars there are uh famous peoples are doing this kind of scam like they create their own cryptocurrency and when they there comes a lot of investment they just diluted so as the blockchain auditor how do we come to know that this cryptocurrency is scam or a fake okay uh this is uh exact you know problem statement it was given to us as an auditor you know it's like when we were taking feedbacks from different different companies so I mean there is no straightforward solution for that so uh you know it's like what we are trying to do is like we are in in our own product as well what we are trying to do

is apart from finding all the vulnerabilities we are you know it's like what we are trying to do is like we are going to publish uh uh for for you know it's like if you just you know if you just scan a contract on our platform it will mention it will make the code into a very readable form like you know uh suppose uh just one example which I gave you know it's like an admin can change an admin okay uh but an admin can also have a functions like they can mint more tokens uh they can you know it's like uh they can destroy the contract there can be a lot of logic related to

you know it's like Authority what an owner has okay so uh so you know it's like tackling that problem what we are trying to do is like uh we are trying to give you know users is a very you know you know it's like in a grammatical way you know it's like in an English format or we are trying to say that okay the admin here has these many Privileges and based on that you know this is a threat score that you know it's like this contract can be a rock pool you know you might if if I'm right you're talking about rug pulls where you know uh if they launch a token and then they you

know they dump into the market so uh you know it's like for that as an auditor what you need to mention in your report is that you know uh the admin has certain privileges and it's not completely decentralized and uh suppose if they have no option to revoke ownership so most of the contacts if you'll see they have an admin functionality but they promise in future that when this contract is stable what they're going to do is like they they will revoke their ownership so uh what happens like there is no admin privileges left anymore so but unfortunately still in smart contracts when we we do say it's decentralized but if you see 99 of the contracts are

actually centralized they have an owner and very few companies I've heard a couple of them who renounce their ownership so there are other things like uh there's something called open Zeppelin has a module called possible so the what it can do is like it can pause a smart contract like it will pause all the functions withdrawals and everything so the main you know purpose of the possible open Zeppelin module was that you know if a smart contact is getting exploited the admin immediately pauses the smart contract but then it can also be abused that you know it's like uh if if something good is happening like the you know like the owner is trying to

steal the money he just stops every transactions he stops all the withdrawals and then takes away the money so if you see at like um you know human level perspective you definitely cannot predict when a scam is going to happen but yes you can at least judge that okay uh if one of the you know like one of the parameters what we use is like we mentioned in the report if the owner like the contract owner uh is not Anonymous like it it is a known personality they have a verified account they are they are they are an actual person so you know most of the Auditors what they do is like they do kyc like

they verify they publicly mention that okay the owners are kyc so you know it's like they are not Anonymous people who would just run away with the money so these are the things but it's very hard to predict but you can you know it's like at least be a little bit sure that this is not a rock pool okay so my second question is to you uh like in the banking scams our first step would be to uh to get to the police station and have a zero Fir and submit that sorry can can you put the mic uh so like in the uh banking scams our first step would be uh to get to the police station have a zero

Fir and submit that zero fir to the bank so what would be the first step in the Bitcoin scams or in the ethereum scams and all the crypto scams so there is a company called chain analysis if you have heard about them so they have done a pretty insane work so what they have done is like see all the transactions are see on a blockchain in Bitcoin ethereum uh if you say it's Anonymous it is actually not so uh you know it's like a you know suppose if you know there was a Bitcoin scam and then you know what they do is like they actually track the address so uh if x address had you know

the the stolen amount of 10 Bitcoin and if they moved that to another address or deposited somewhere so what happens is like most of the exchange like the all the popular exchange as per compliance law uh they actually make their you know uh wallet address public that okay this is the wallet address of binance or you know wazirx or whatever so what happens is like whenever what channel message does it like whenever they notice that a transaction from the stolen wallet is made to uh exchange to cash out because ultimately you like the hacker needs to cash out in real cash otherwise it's of no use for them so that's where they you know catch hold of them that's one of

the method uh to you know it's like track transactions and you know scammers so that's how most of the hackers have been caught so can you repeat the side sorry can you repeat that said that you just heard sorry I didn't get you can you repeat the side that you just said uh it's called chain analysis yeah well that's that's a complete private company like uh you just simply you know cannot so what we are trying to do is like you know one of our side projects uh as quick Shields what we are trying to do is like uh we are creating uh wallet tracker system which will be you know it's like uh which will be actually uh

run by the community so Community will report for uh you know uh scam scammers address or stolen funds and uh uh right now is still in development so what we do is like we'll give you a nice graph that from this account money went to like 10 more accounts and then you can you know it's like Mark them and you know as per the amount of transaction which was like from 10 BTC if 9 went to a different address you would like to you know track it more so you know it's like you can create a line and then again it's uh I I don't want to go much in detail but yes uh since transactions

are on The Ledger it is actually trackable and once they actually move into a centralized exchange that's the point where you you know it's like catch hold of them thank you sir thank you any more questions

hi actually I had a question you said that it's because it's centralized you can get hold of them once it reaches like a centralized server what if they just use a Bitcoin mixture or what if it's a ledger like Monero or something is there anything we can do yeah I mean in that case it's pretty difficult to do that and only thing you can you know it's like bother is they make a stupid mistake or you know it's like make another transaction or uh you know it's like if if the if the wallet where the money was stolen was you know it's like was interacted with someone else so one of the case scenarios where I heard was

you know uh the hacker actually never uh you know withdraw you know it's like made any withdrawal any exchange but he did a transaction to other guy buying some of his services and that guy you actually he tried to withdraw so uh the you know uh the federals got hold of that guy and and through him they reached to the uh the hacker so yeah if you talk about mixers and you know the tornado casting which is happening it is actually not possible right now to you know track them but again the the tornado cash because the tornado cash has a very huge volume uh but against like uh if if the volume is low or

something like that it's it's still kind of trackable but it's hard okay and I just wanted to confirm so smart contracts only exist on ethereum or do they exist on something like Monero as well uh no Monero is not a smart contract platform as far as I know uh it's just a mode of transaction where you know the uh it's it's hard to trace uh you know it's like uh uh you know backlink where the transaction went so Monero is a you can say Monaro is uh you know it's like uh Bitcoin which is non-traceable that's the reason you know Monera was banned from all U.S exchanges yeah that's it thank you hi hey hi where are you okay hi

hello first of all thank you for the talk actually it was great insightful thank you and I wanted to know about the flash loans and uh any interesting findings that happened during your audit related to flash loads yeah uh flash loans you know it's like mostly happens in you know D5 protocols where you know lending and borrowing happens so I mean it's like if you talk about Flash loans uh I know it's like uh mostly when we are doing an audit uh we don't conduct a flash loan attack because that is expensive you know it's like uh you actually put in your real ten thousand twenty thousand dollars to withdraw a huge amount of money so we simply check

the logic and tell them that this is susceptible to you know it's like uh flash loan attacks and mostly what happens is because of price manipulations which was you know pretty well covered by uh rudra and uh you know it's like the rudra and uh arbas from unified team so uh yes like again uh flash loan attacks and any economical attacks I fall in the category of business law project so if you see the logic is flawed like you know uh they are not not doing a due diligence when you know uh some contact can get like some tokens can get inflated value or something like that so flash loan you know it's like that's how flashlight

attack works it's completely business logic thank you
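The rug-pull discussion above describes turning owner privileges (mint, pause, selfdestruct, blacklist, a renounceOwnership that cannot be called) into a plain-English privilege list and a threat score. The following is an added example, written for this page and not the talk's or CredShields' own code, of that kind of check in Python. The `MemeToken` contract is constructed for the example, and the modifier names, privilege patterns and weights are assumptions chosen to illustrate the idea, not a published scoring scheme.

```python
import re
from dataclasses import dataclass

# Constructed sample contract (hypothetical; not from the talk or any real project).
# It has every privilege the talk warns about and a renounceOwnership() that reverts.
SAMPLE_CONTRACT = """
pragma solidity ^0.8.0;
contract MemeToken is ERC20, Ownable, Pausable {
    mapping(address => bool) public blacklisted;

    function mint(address to, uint256 amount) external onlyOwner {
        _mint(to, amount);
    }
    function pause() external onlyOwner { _pause(); }
    function unpause() external onlyOwner { _unpause(); }
    function setBlacklist(address a, bool v) external onlyOwner { blacklisted[a] = v; }
    function transfer(address to, uint256 amount) public override whenNotPaused returns (bool) {
        require(!blacklisted[msg.sender], "blocked");
        return super.transfer(to, amount);
    }
    function kill() external onlyOwner { selfdestruct(payable(owner())); }
    function renounceOwnership() public override onlyOwner {
        revert("ownership cannot be renounced");
    }
}
"""

# Modifiers treated as "admin only" (assumed names; extend for a real code base).
PRIVILEGED_MODIFIERS = {"onlyOwner", "onlyAdmin", "onlyRole"}

# Body patterns that mark a privilege relevant to rug-pull risk, with an assumed weight.
PRIVILEGE_PATTERNS = [
    ("mint new tokens",          re.compile(r"\b_mint\s*\("), 3),
    ("destroy the contract",     re.compile(r"\bselfdestruct\s*\("), 4),
    ("pause all transfers",      re.compile(r"\b_pause\s*\("), 2),
    ("blacklist addresses",      re.compile(r"blacklist", re.I), 2),
    ("change fees",              re.compile(r"\b(fee|tax)\w*\s*=(?!=)", re.I), 1),
]

# Matches a function header up to its opening brace; group 3 holds visibility/modifiers.
FUNC_RE = re.compile(r"function\s+(\w+)\s*\(([^)]*)\)\s*([^{;]*)\{")


@dataclass
class Finding:
    function: str
    privilege: str
    weight: int


def _body_at(src, open_idx):
    """Return the brace-balanced body whose '{' sits at src[open_idx]."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced braces")


def analyze(src):
    """Return (findings, can_renounce) for admin-gated functions in the source."""
    findings, can_renounce = [], True
    for m in FUNC_RE.finditer(src):
        name, header = m.group(1), m.group(3)
        body = _body_at(src, m.end() - 1)
        modifiers = set(re.findall(r"\b(\w+)\b", header))
        # An overridden renounceOwnership that reverts means the admin can never step down.
        if name == "renounceOwnership" and "revert" in body:
            can_renounce = False
        if not modifiers & PRIVILEGED_MODIFIERS:
            continue  # unrestricted functions are a different bug class, not a privilege
        for label, pattern, weight in PRIVILEGE_PATTERNS:
            if pattern.search(body):
                findings.append(Finding(name, label, weight))
    return findings, can_renounce


def threat_score(findings, can_renounce):
    """Sum privilege weights; add 3 if the privileges can never be given up (assumed rule)."""
    score = sum(f.weight for f in findings)
    if findings and not can_renounce:
        score += 3
    return score


def describe(src):
    """The readable report the talk describes: English privilege lines plus a score."""
    findings, can_renounce = analyze(src)
    lines = [f"The owner can {f.privilege} via {f.function}()." for f in findings]
    if findings and not can_renounce:
        lines.append("Ownership cannot be renounced; these privileges are permanent.")
    return lines, threat_score(findings, can_renounce)
```

Running `describe(SAMPLE_CONTRACT)` lists four owner privileges plus the permanent-ownership line and scores 14 under the assumed weights. A regex walk over source text is fine for a demonstration; for audit work the same check belongs on the compiler's AST (for example via Slither) so that inherited functions and modifiers from OpenZeppelin base contracts are resolved rather than guessed from names.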
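The answers about Chainalysis and the community wallet tracker describe the same procedure: start at the address holding the stolen funds, follow outgoing transfers, prefer the branches that carry most of the money, and stop when a flow lands on a published exchange deposit address. The block below is an added example of that walk, written for this page and not code from the talk or from CredShields' tracker. The transfer list, address names and exchange labels are constructed placeholders, and the `min_share` pruning rule is an assumption standing in for the "9 of 10 BTC went here, track it more" judgement the speaker describes.

```python
from collections import defaultdict

# Constructed ledger: (from, to, amount). Addresses are placeholders, not real wallets.
TRANSFERS = [
    ("victim", "thief", 10.0),
    ("thief", "hop1", 9.0),
    ("thief", "hop2", 1.0),
    ("thief", "dust", 0.01),      # below threshold: pruned as noise
    ("hop1", "hop3", 8.4),
    ("hop1", "mixer", 0.6),       # goes nowhere we can label: a dead end
    ("hop3", "exchA", 8.3),
    ("hop2", "exchB", 1.0),
    ("unrelated", "exchA", 2.0),  # not downstream of the thief; never visited
]

# Published deposit addresses of exchanges (constructed labels).
KNOWN_EXCHANGE_DEPOSITS = {"exchA": "Exchange A", "exchB": "Exchange B"}


def build_graph(transfers):
    """Adjacency list: sender -> [(receiver, amount), ...]."""
    graph = defaultdict(list)
    for src, dst, amount in transfers:
        graph[src].append((dst, amount))
    return graph


def trace(start, stolen, transfers, labels, min_share=0.05):
    """Depth-first walk from `start` following outgoing transfers.

    Each path carries the smallest transfer along it (a lower bound on how much of
    the stolen amount could have travelled that way). Branches carrying less than
    `min_share` of the stolen amount are pruned. Returns:
      hits      - (exchange label, path, amount) for flows reaching a labelled address
      dead_ends - (path, amount) for flows that stop without reaching one
    """
    graph = build_graph(transfers)
    threshold = stolen * min_share
    hits, dead_ends = [], []
    stack = [(start, [start], stolen, {start})]
    while stack:
        node, path, amount, seen = stack.pop()
        if node != start and node in labels:
            hits.append((labels[node], path, amount))
            continue
        nxt = [
            (dst, min(amount, a))
            for dst, a in graph.get(node, [])
            if dst not in seen and min(amount, a) >= threshold  # prune dust and cycles
        ]
        if not nxt:
            if node != start:
                dead_ends.append((path, amount))
            continue
        for dst, carried in nxt:
            stack.append((dst, path + [dst], carried, seen | {dst}))
    return hits, dead_ends


def cash_out_summary(hits, stolen):
    """Amount that reached each exchange and the share of the theft it represents."""
    per_exchange = defaultdict(float)
    for label, _path, amount in hits:
        per_exchange[label] += amount
    return dict(per_exchange), sum(per_exchange.values()) / stolen


if __name__ == "__main__":
    hits, dead_ends = trace("thief", 10.0, TRANSFERS, KNOWN_EXCHANGE_DEPOSITS)
    for label, path, amount in hits:
        print(f"{amount:.2f} reached {label} via {' -> '.join(path)}")
    for path, amount in dead_ends:
        print(f"{amount:.2f} lost at {' -> '.join(path)}")
    print(cash_out_summary(hits, 10.0))
```

The amount carried along a path is the minimum transfer on it, which is the conservative choice: it never claims more reached an exchange than could have. Real investigations also have to decide how to split taint when an address mixes stolen and clean funds (the "unrelated" inflow to the same deposit address above), which is exactly the point where the talk says mixers make the trail go cold.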