2023 Should be the Year of Web3 Security
Despite 2022’s turbulent impact on the crypto industry, Immunefi CEO Mitchell Amador believes this year could encourage better Web3 security.
The CEO of Immunefi, Mitchell Amador is optimistic about the future, despite the events of 2022 eroding investors’ trust in cryptocurrencies and digital assets. However, events such as the Terra-Luna downfall and the FTX collapse will make the industry more resilient and the technology stronger, Amador says.
Is blockchain technology developments accelerating past the red flags? And how are white hat hackers being incentivized?
We dive into all that and a whole lot more in this episode of Word on the Block with Forkast Editor-in-Chief Angie Lau.
- Securing the Future: “There’s going to be an incredible amount of wear and tear. There’s going to be an incredible amount of stress as we figure out how to do this safely. But when we get to the end of that road, we’re going to have ultra efficient, ultra low-cost, ultra trustworthy social infrastructure that people will look back on and be like, ‘Well, of course it was going to be on-chain. How could it be any other way? What are we going to do, pay 10,000 times the cost to send money around the world?’”
- Fraud: “This problem of fraud fundamentally that occurred, it wasn’t a code problem. It was a human problem. And that this is the stress that is putting the industry under, at least in where the American market is concerned, is very, very good because it shows the effectiveness. This massive stress on the industry shows the effectiveness of decentralized finance.”
- Cross-chain bridges: “Every bridge, every bridge project understands that if they succeed, they will be a central point, a central piece of the, you know, the river of cash flows worldwide. So you have the millions, tens of millions, hundreds of millions of dollars into securing these things. And you have to go through all this complexity to do so. And if you make any mistake. There are attackers who would love the chance to take all that money. And so that’s why bridges can help by the very nature of how grand they are and how important that they’re going to be in the future as key financial infrastructure in the decentralized financial world that makes them the biggest possible target for potential attackers.”
- CBDCs: “We’ve already seen billion dollar hacks, so to speak, in traditional financial institutions that are more quiet. But we’re going to see an explosion of that with the rise of CBDCs. And the funny thing is we’ll recognize the value of it. CBDCs are going to be wonderful for market efficiency. It’s just the bankers say that because it’s obvious the transaction costs we incurred today are very large compared to what they could be. But we’ll all be looking then and be like, Wow, those DeFi guys. They are so much more efficient, so much more secure. We were hitting them with a stick. We didn’t know we couldn’t do a better job. And this will in turn push more and more money into DeFi.”
- Whistleblowing for transparency: “There is a fundamental need for a kind of whistleblowing function that brings transparency, that is already baked into the culture of this industry.”
Angie Lau: The cryptocurrency market lost over US$2 trillion in value last year and over US$3.7 billion in hacks alone. That all happened with Terra-Luna’s algorithmic disaster, Three Arrow’s contagion, and, of course, FTX — once the industry’s golden child, now a very distinctive black eye.
So if anyone needs a New Year’s resolution, look no further than the cryptocurrency industry.
Builders have been pointing at centralized finance, or CeFi, as the point of failures in the industry last year. But decentralized finance, or DeFi, has had its own battles with hacks.
So how will this industry evolve to its next chapter? And can it stop the rising number of exploits?
Today we dive into the front lines of this cyber battle.
Welcome to Word on the Block, the series that takes a deeper dive into blockchain and all the emerging technologies that shape our world at the intersection of business, politics and economy. It’s what we cover right here on Forkast.News. I’m Editor-in-Chief Angie Lau.
Welcome to the show. Let’s get right to it.
We are in conversation with Mitchell Amador. He is the founder and chief executive officer of Immunefi. This is a blockchain security firm that has handed out nearly US$66 million in bug bounties since December 2020. Mitchell, thanks for joining in.
I love it — bug bounties. It sounds like a sci-fi movie, but in fact, it is very real. Explain bug bounties and the way that you really incentivize this emerging industry of Web 3.0 and blockchain and crypto and DeFi and all of these things, and came up with something that hopefully makes this industry a little bit more resilient with bug bounties.
Mitchell Amador: Well, resiliency is good. We’ve definitely done that. But the hope is that we build real antifragility. So the great advantage of what we’re doing with DeFi, with blockchain in general, is opening up finance to the entire world, creating this trustless system for anyone to engage. Now the consequence of that is the innards of this new financial system are all open, they’re all transparent and anybody can poke around and if there are any mistakes anywhere in people’s code, they can be exploited. Now, that’s very scary because there’re bugs in absolutely everything software-related. And so when we saw this, we knew we need a solution. We need a solution that’s going to operate at a global scale. How do we incentivize protection of software, of code, when most of that code is going to be transparent to the entirety of the world and it’s going to be involving billions and eventually trillions of dollars? What do you do? Well, you can’t stop vulnerabilities. They’re going to be there. People make mistakes on the best of these. But what you can do is get a million eyes looking at every single piece of major code in the world that’s storing this value and in front of a million people’s eyes, no vulnerability survives for very long. So a bug bounty is just a way to create a prize, a massive financial and social incentive for the entire world security community to review and safeguard code together, find vulnerabilities, and then make the disclosure so that the entire system is safe. But we’ve really seen it supercharged where blockchain is concerned.
Lau: In blockchain, you have incredible technology, you have smart contracts and crypto transactions, and it’s supposed to be immutable. And then all anyone can point to as the greatest failure and point of weakness are the hacks. Isn’t blockchain supposed to be immutable and so secure? And then how do you explain these hacks of hundreds of millions of dollars?
Amador: With blockchain, we have this incredible ability to digitize, to remove friction and costs from social infrastructure. And that’s just what finance is finding — better ways and cheaper ways to move goods and services around. But now we’re taking all this very sensitive business logic that once lived in people’s heads where there was liability and courts and all these very expensive but effective constraints on bad behavior. And we put it into code. And the nice thing about the code is that it has no need for most of these constraints. It does what it says. But the problem is people write that code.
And so what is there to say?
Well, we have this new system for incorporating business logic, for coordinating society. It’s dramatically more efficient — thousands, tens of thousands of times more efficient — than hiring thousands and tens of thousands of people to do the same functions. But it is as safe as the designers’ discipline in their code. So there’s going to be, over the next several decades, as there already has been with the rise of computers, an incredible amount of wear and tear. There’s going to be an incredible amount of stress as we figure out how to do this safely. But when we get to the end of that road, we’re going to have ultra efficient, ultra low-cost, ultra trustworthy social infrastructure that people will look back on and be like, ‘Well, of course it was going to be on-chain. How could it be any other way? What are we going to do? Pay 10,000 times the cost to send money around the world?’
Lau: But what would you say the sentiment is right now? What is the mood? How are you starting off this year? As you take a look at the landscape and what you need to do, does what you’re doing at Immunefi potentially protect us from the fraudsters, from the Ponzi, from the front running and all of those things? Or is this just one tool in the weaponry that still needs to be developed?
Amador: Probably the most important answer I can give is to the first question. So how are we feeling? I would say we’re feeling very optimistic about the future. So we see the direction the technology is going. From a big picture, when you think of the level of civilizations and how blockchain is going to be impacting the world, it’s hard not to be very, very happy with how the technology is developing and when we see the problems that we hit.
This problem of fraud that occurred, it was a fundamentally human problem. Itt wasn’t a code problem, it was a human problem. And the stress that is putting the industry under, at least in where the American market is concerned, is very, very good because it shows the effectiveness. This massive stress on the industry shows the effectiveness of decentralized finance. So, by comparison, while we had liquidations left, right and center, while we had an enormous amount of market stress, while we had all these concerns, all the DeFi protocols, which is our primary job to protect, they operated like clockwork without problems, without stresses themselves. It was very beautiful, quite frankly, to see how effective these things could be. So that’s the first thing I would say. I would say we’re optimistic about the future, and from the perspective of the many builders in the space to be able to go through the fire.
Lau: Do you think there’s room for Immunefi and/or the industry to create, in the same way that you’ve done with a bug bounty, a whistleblower bounty, that points out these failures or really huge red flags which ultimately were revealed through some really great investigative journalism? But it’s surfaced to the top. And when people saw it, they had every right to be very worried and concerned. Do you think that there’s room for that? Have you thought about that over at Immunefi?
Amador: We have. Various parties suggested it to us. This is something that we should explore.
Of course, we thought that hacks would be the most serious problem that needed to be solved. And so we focused our energy on that, something I don’t regret. Have we thought of it? We are certain that this will come to exist, whether by our hand or someone else’s. There is a fundamental need for a kind of whistleblowing function that brings transparency, that is already baked into the culture of this industry and of this market. So it’s just a matter of lining up the financial incentives. And a variety of parties such as us have shown how you can create that from scratch, how you create a market for engaging in healthy prosocial behavior [and] how you can be paid to do what is right. So it’s just waiting on some very savvy, slightly eccentric person to come along and decide that they want to solve it. I bet it’ll be a very talented journalist. I hope it will. Who will come along and say, I’ve cracked the code? Here’s how we can financially incentivize whistleblowing at scale.
Lau: It’s a great point. Hold on to that thought. We’re going to take a quick break, Mitchell. But everyone, when we return, we’re going to be diving into the gaps in blockchain architecture that are filling these hacks. But let’s see what the industry can do with it. Don’t go anywhere.
Lau: Welcome back. We’re here with Mitchell Amador from Immunefy.
Let’s nail down the cross-chain bridges here, because it seems like that is an area of vulnerability. This is where we have two protocols that need to interact together in an interoperable way. And these bridges allow these two protocols to transfer value, smart contracts, whatever it is. It is the on-ramping and off-ramping on these bridges that seem to create really huge vulnerabilities. It drained US$1.3 billion of crypto last year. That’s a third of the lost value in 2022. Why? Why such vulnerability here?
Amador: The reason for that is that the central point of aggregation for funds for intrepid people moving across chain. If we think of every chain as a new market or as a new country — well, it takes time. You have to go through all the checks. Now, every one of these protocols, these blockchains, is like its own massive database stores. The data in a different way has its own conditions. And when you’re moving value to another chain, what you’re really doing is you’re locking the value you have on one chain in this bridge contract and then getting some copy of that that you can go freely spend in this new market, in this new environment to do whatever it is that you’d like to do. This results in over time mass aggregation of resources as they get locked up into this bridge. And you can see someone making many, many hops across the same set of bridges. If they’re going through five or 10 different blockchains and they’re using a bridge every single time, you could see how more and more and more capital is getting locked there. Now, it just so happens that communicating between databases really isn’t that easy, especially when they are very, very different in their construction and architecture. And so these bridges not only aggregate value, but they’re also very sensitive and difficult to protect.
We combine that with some of the most demanding security requirements in the world. Most of these are obligated to be trustless. The problem historically was the trustful component such as the Harmony hack. Someone got access to the MultiSig. Or the Ronin hack — again the hacker got access to the MultiSig. So you have these demanding requirements to be trustless, as we see with the number of the better bridges like Wormhole, LayerZero. But that means you have to have all sorts of layers of protection. You need monitoring and very secure code on whatever chain you’re interacting with on one side and on every other side. You need monitoring of any keys or stoppage functions. You need monitoring of how those keys are stored on chain. So something like the Guardian Network for Wormhole, there’s a variety of others you need monitoring for all of that off chain infrastructure. You need monitoring of any of the oracles that you’re using to make sure the value is the same, that you’re not being defrauded. It’s very, very complex.
Lau: And it’s very costly.
Amador: Very. Every bridge is a global play.
Amador: Every bridge project understands that if they succeed, they will be a central piece of the river of cash flows worldwide. So you have the tens of millions, hundreds of millions of dollars into securing these things. And you have to go through all this complexity to do so. And if you make any mistake, there are attackers who would love the chance to take all that money. And so that’s why bridges can help by the very nature of how grand they are and how important that they’re going to be in the future as key financial infrastructure in the decentralized financial world that makes them the biggest possible target for potential attackers.
Lau: So then comes the business model of if it’s so costly to protect the base value, the principle of the money, or the value flowing between the protocols, who pays for it? There’s value there, but who picks up the tab?
Amador: That is the great question that you need to ask the people operating bridges, because they have a plan for that. Bridges are like the seven seas on which global trade runs today. Who picks up the tab for that? Well, you know, effectively, the World Trade Organization and arguably the United States Navy pick up the tab for that and they accrue certain benefits as a result of doing so.
The bridge parties, while very important, are surely foreseeing their own right to accrue certain benefits as a result of creating this globally critical infrastructure. So far, we haven’t seen strict monetization. I’m sure that will come. It has to come in order to safeguard trillions of dollars in value. And that’s what they’re all aiming for.
Lau: So these funds that are out in the wild now, is there a way to recover them? Is there a way to get it back?
Amador: Absolutely. And there have been a great number of successful cases in the recovery of funds. Now, the great advantage for criminal activity in crypto is the ability to almost effortlessly and, due to single error and minor errors, take a vast amount of value.
The flip side of that is that crypto is a very dangerous place to operate criminally because there is a permanent record of every step that you take. This is not a place where you can hide, and if you made even a single mistake in the process of moving that value out, you can be tracked down and you can be persuaded to return the funds. And there have been a great number of cases like such. Crypto is an ideal environment for a one-off opportunity. But for a career, it’s a horrible and dangerous place to be. And we’ve seen this many, many, many times. Even some of the suspected attackers in the Ronin case were the Lazarus Group, North Korean Hacking communities. And even then, some funds were recovered that they would not give back willingly. It’s very hard to get away with what you steal in our industry. And there have been cases that are four, five, six years old where people are found later. Do you want to bet that you can hide for eternity? Because when you’re hacking on chain, that’s the bet you’re making, whether you know it or not.
Lau: You always have to look over your shoulder or at who’s glaring at you behind the screen. It’ll always catch up. This is the universal truth of life, whether it’s on-chain or off.
Let’s take a quick break, Mitchell. When we return — the FTX hack. We want to talk to you about that, the infamous Lazarus Group, and a whole lot more when we come back.
Lau: Welcome back. We are with Mitchell Amador of Immunefi and you named some of the bad guys, Lazarus Group, all the rest. We talked about recovering funds. We’re starting to see crypto being used as the method of payment even outside of blockchain and hacks. But I’m talking about hacks of local hospital databases, local businesses, national business databases, and they ask for crypto. Is this a smart idea?
You talked about how there’s a way to recover it, but who’s doing that? Is it the FBI? Is it the rating authorities? Is there a group that are the bounty hunters and who will track down who the bad guys are via blockchain? How do people get retribution here and recovery of funds?
Amador: Well, the order of those two terms is very important. Retribution versus recovery of funds. Because depending on who you go to, you’ll get one, but you won’t get the other.
Lau: That’s right.
Amador: So the short answer is that there are multiple groups. There are private businesses that are engaged in the effort to recover funds. And there are also state institutions for various countries that recover funds in the course of criminal investigations. Now, in the case where the states take possession, you will typically get retribution over a timeline of many years, but the parties affected will not typically receive any money back. In the case where you go to private business, which is where all the success and the recovery of funds has been, these parties will make a case in the course of their investigations for the recovery of funds, and they will, if they are successful, return the funds to the affected people. There may or may not be criminal consequences afterward for the affected people. There are a variety of independent firms and investigation firms in the course of doing this. One could say this has breathed an amazing life into private investigation firms worldwide. They have a whole new market that they never knew existed, and it has come to reward them very amply. So to turn back to the early question, is crypto a good place to do crime? Not really. As we’re quickly seeing the millions of eyes to protect code against hacks is proving very, very successful, very much due to the financial incentive. But those same forces work on the investigation side. You can have 1,000 people following your trail. If you made a single mistake, well, the jig is up.
Lau: I love that the tables are starting to turn. Is time of the essence? If this happened to you immediately, do you get on this immediately? Obviously, as we know with anything, time is of the essence. But what is the time window that’s better?
Amador: Historically, it’s been indefinite. So the real problem with crime and crypto is that if you steal the funds, there’s no place to put them. They’re all marked. They’re all trackable.
So, There’s this race against time where — thankfully — we have these armies of investigators now combing on-chain through the transaction activity to find out where this money went and reclaim it to its rightful owners versus the criminals trying to hide for as long as they possibly can until the tech matures, not even a certainty such that they can move that value. A very strange mix.
Lau: Yeah, for sure. What about the Lazarus Group? The North Korea Hackers? Presumably they’re there. They’re taking crypto, they’re hacking. Are they sitting on those funds? Can they offload those funds in a jurisdiction that they can walk around freely? They’re probably state heroes, you know. What about different jurisdictions outside of Western and developed infrastructure eyes?
Amador: So for guys like the Lazarus Group, they’re not worried about this at all. Not in the least. And state-level actors have no problems cleaning the money. Cleaning the money is a problem for private people, not governments.
For them, they just walk away with it. You’re going to see and I believe it’s not a certainty. We have already seen the introduction of many more of these state-level attacking groups in crypto because they see it’s the future. They see it’s going to work, they see it’s going to be incredible. They know CBDCs (central bank digital currencies) are going to be running on very similar rails and they would benefit from having teams and institutions that are directed at harming their opponents and getting a financial reward.
Lau: You raised a huge point in the future. The world is going into CBDCs. Could this potentially trigger such economic losses if there’s a successful hack that’s now sovereign jurisdiction versus another sovereign jurisdiction? This is now a foreign relations issue.
Amador: The scary part about that is we’ve already been in that world for a long time.
You’re probably familiar with the hack on the Bank of Bangladesh, which was also a Lazarus Group product. They built their expertise for attacking crypto by attacking central banks first. So you already have these state-on-state espionage, theft of value and funds, and resources that’ve been occurring for a long time — first via human means, then via the digital infrastructure that many of those banks manage.
There’s a reason banks around the world have massive cybersecurity spends because they need it, otherwise they will be robbed. Those places are not safe for your money either. You just don’t hear about it. And now in the world of CBDCs where we’re going to have all this DeFi-like infrastructure operating under similar conditions, you have the exact same security concerns.
We’ve already seen that there have been billion dollar hacks with traditional financial institutions that are more quiet. But we’re going to see an explosion of that with the rise of CBDCs. And the funny thing is we’ll recognize the value of it. CBDCs are going to be wonderful for market efficiency. It’s just the bankers say that because it’s obvious the transaction costs we incurred today are very large compared to what they could be. But we’ll all be looking then and be like, ‘Wow, those DeFi guys, they’re so much more efficient [and] so much more secure. We were hitting them with a stick. We didn’t know we couldn’t do a better job.’ And this will in turn push more and more money into DeFi, oddly enough.
Lau: That is a crystal ball prophecy. I’m going to mark that one and file it for sure. That is definitely a level of insight that we have not particularly heard around CBDCs and the threat thereof. Certainly the promise, but therein lies a lot of risk and you’ve articulated very clearly what that is. Thank you for that.
I want to ask about FTX here. The day after FTX filed for bankruptcy in November, the exchange reportedly lost around US$650 million to a mysterious Hack. Although the bankruptcy documents stated that it lost $372 million, The hacker’s identity is still unknown. What might have happened here?
Amador: It seems like the same old skullduggery that’s happened so many times in traditional finance. Massive losses of such cases are almost always an inside job. So that proved true for CeFi as well. Could this be a massive hack by an external actor? Possibly. But I think the balance of probabilities is that it was something else, and it probably follows the same pattern as the long history of CeFi hacks and the long history of financial losses and traditional finance.
Lau: But to wrap up this very interesting conversation to kick off the year, where do you see this year’s attention going from your perspective? The trust has really been eroded. And part of it is not only can I not trust the actors and maybe even some of the platforms, it feels really scary out there. But where do you think the attention is going to be this year?
Mitchell Amador: The attention will be on the builders for the latest and the greatest tech. We are creating this massive amount of infrastructure for securing this code. You now have systems like Immunefi for operating at scale, you now have better and better formal verification tech, you now have better auditors, you now have better monitoring solutions. This whole stack of incredible technology that’s being created on the security side. And you also have this incredible stack of technology being created on the side of DeFi and bridges. There’s a lot of really interesting new financial products. We are all waiting for fintech to innovate, and they kind of never really did. But DeFi is innovating and some of the products are just really quite incredible. And so this amazing combination of factors is coming together on this new blockchain infrastructure. And the builders are just going to quietly keep building what the rest of the world does not understand is the future of finance and commercial transactions, such that by the end of this year, people will be like, ‘How could I have missed that such incredible technology with world-changing impact was developed in such a short span of time and was made so safe?’
Lau: Well, thanks for doing your part. And we do our part. It’s on all of us to continue to gain knowledge and educate. And that responsibility also rests equally on the shoulders of our audience. And thank you, audience, for joining us here. Mitchell, I want to thank you for your insights and your perspective. I know I got smarter and I hope everybody who’s watching realizes that they got a little insight into the future in a really deep way. So thank you very much, Mitchell.
Amador: My pleasure.
Lau: And thank you, everyone, for joining us on this latest episode of Word on the Block. I feel a little smarter right now. So thank you. And I hope you feel that way, too. I’m Angie Lau, Forkast Editor-in-Chief. It was great spending time with you today. Until the next time.