On The Brink with Castle Island - Chris Blec (DeFi Watch) on the Pursuit of Transparency in DeFi (EP.220)

Episode Date: June 7, 2021

Chris Blec is a researcher and the founder of DeFi Watch, a project dedicated to identifying points of centralization and risk factors in DeFi, in particular the presence of admin keys. In this episod...e:  How Chris got interested in DeFi  How he first noticed the risk of admin key usage  The changing nature of admin keys and multisigs  Whether project multisigs reduce dependence on trust  Why worry about Admin keys in the first place?  Have DeFi projects improved their key management and trustlessness over time?  Chris' letter to 0xPolygon Chris' plans with DeFi Watch  Should Bitcoiners care about DeFi? About admin key failures?  Why transparency is a self-regulatory measure    Sponsor notes: Copper is transforming how institutional investors engage with digital assets by developing award-winning custody and next-gen trading infrastructure. Headquartered in London, the firm is scaling rapidly across Asia and North America to bring its suite of products to a wider pool of institutional investors. To learn more visit copper.co or reach out on Twitter, @CopperHQ Aave is a decentralized, open source, and non-custodial protocol where users can deposits and borrow digital assets, and earn interest on those assets. Head over to aave.com to experience and learn more about DeFi.

Transcript
Discussion (0)
Starting point is 00:00:00 Hello and welcome back to On the Brink. Today's episode is brought to you by Copper and AVE. Let's start with Copper. It's the global provider of blockchain infrastructure solutions for institutional investors who are actively trading digital assets. Its award-winning custody application is connected to 25 of the largest exchanges in the world, ensuring safe storage and movement of assets for the biggest crypto hedge funds, market makers, family offices, and high net worth individuals. Their clear loop system, is the first off-exchange settlement network for digital assets. It's the safest way to trade balances in custody across multiple exchanges without requiring on-chain settlement, on-chain movement of assets. To learn more, visit copper.co or reach out on Twitter at CopperHQ. This show is also brought to you by AVEA, AVEE. AVE is an open source and non-custodial liquidity protocol where users can earn interest on deposits and borrow digital assets.
Starting point is 00:01:00 It's a decentralized community government protocol. More and more about AVE at AVE.com. Brought down by bad mortgage investments, Lehman, which has 25,000 employees, will be liquidated. The federal government loans American International Group, AIG, $85 billion. This is a different kind of market, and the Fed is asleep. The federal government is stepping it to stabilize Fannie Mae and Freddie Mac, the two mortgage giants that have been threatened by the housing crisis. The Bank of England has pumped 75 billion pounds more to Britain's ailing economy
Starting point is 00:01:29 with a new round of Concentive Easy. And print a couple trillion dollars and all of a sudden people started to worry. So out of this worry, we have something called a Bitcoin. Bitcoin. So Chris Bleck, you have done a huge amount of stuff actually.
Starting point is 00:01:44 I remember we met in D.C. at one of the Fintech summit, put on by Chris Brummer back in the day. And then years later, you're one of the number one. I don't want to say influencers, but people discussing Defi on YouTube. YouTube, one of the top DeFi YouTubers, and now you've launched this pretty cool initiative,
Starting point is 00:02:07 Defi Watch. I'd say, at least as far as I'm aware, you're best known for trying to raise awareness around admin keys and the risks that they pose. You know, you had this really interesting letter to Polygon. Anyway, we're going to get into all that. Welcome to the show. Very excited to talk with you. Thanks, man. Yeah, I think we might have first met at like an MIT Bitcoin thing a few years ago. And then definitely in D.C. Yeah. I'm not sure which one was first, but it was definitely like around the geeky,
Starting point is 00:02:39 either Bitcoin tech or Bitcoin regulation stuff, which I've always been fascinated with. Yeah. It's such an interesting space. It kind of not that many folks that are into crypto are also like that dialed into regulation. Certainly not. There's not that many self-regulatory initiatives in the, industry for better for worse. Yeah, I've always been more interested in the regulation, the tech, the privacy, et cetera, than the price action and the, you know, the events and the conferences
Starting point is 00:03:13 that just focus in on pump, pump, pump. Not so interesting to me. Yeah, I want to say you're like the number one champion of trying to get to the ground truth of the risks of some of these protocols. I don't think that's an exaggeration. I've seen. I've seen. cited some of your work and papers that I've written about Defi. So grateful for you having done it. It's still, I think there's a lot to be done because these contracts and protocols just proliferate so quickly. And it's hard to sort of keep up with the risks there. Maybe to zoom out a little bit, just tell us about, you know, how you got interested in defy in the first place. Well, I'm a Bitcoiner first.
Starting point is 00:03:59 You know, probably at this point, yeah, over four years in the space since I really, when I say in the space, it's from the point at which I, you know, the infamous rabbit hole, liberty, privacy, all the self-sovereignty, all the things Bitcoin can do for users. So that's what drew me in. And fast forward a few years and Defi started to burgeon up. And I've never been a maximalist as far as technology goes. I'm always exploring different stuff. But I always bring the Bitcoin first mindset to it. So Bitcoin is my benchmark when I look at anything else in crypto, including defy and Ethereum. So when it first started to bubble up, it became interesting to me because I've always been under the impression.
Starting point is 00:04:45 And it's true. Everybody knows like Bitcoin is a decentralized currency without a whole lot of decentralized ways to use it. you know, services, decentralized financial services. So when DFI started to make that promise to the community that it could provide decentralized financial services where we didn't have them before, whether or not it was for a Bitcoin, that interested me. And I knew right away that it was an opportunity to help mold the space potentially or try to mold the space into something better than what it might become. You know, and to this day, I believe that D.FiFiFiFi's I could end up in one of two places. It could either end up in a place where it truly does provide
Starting point is 00:05:28 beneficial, decentralized services for people who want financial freedom and economic liberty, or, and this is more likely at this point, unfortunately, or it could end up as big banking 2.0 and giving superpowers to the banks that have been ripping us off for hundreds of years. You know, so that's the dichotomy that I see. I see it definitely heading in that big banking direction. But what I try to do is I try to raise awareness because most of the people using it still don't recognize that. They still think it has more in common with Bitcoin than it does with JP Morgan. And I think that's a huge mistake.
Starting point is 00:06:13 And if we don't educate people about that, it'll just keep going down that road and the lines will get blurred. And people won't understand the difference between decentralized and centralized anymore. That's my biggest fear. That's quite a stark tone to start us off. That's my forte, man. I'm all about dark and gloomy. At what point did you start to get concerned about like points of centralization that you had noticed in Defi? When I first discovered Defi, I didn't know what I didn't know yet, you know?
Starting point is 00:06:47 So I was still, and I'm not a developer or an economist. I'm just a regular guy who is into this stuff. So when I came in, you know, I saw the ways that people were using compound and MakerDAO and these different technologies to basically replicate things that you could do with banking. You know, and I didn't realize, yeah, what kind of centralized control was necessary to make that stuff happen. So I created a lot of video content. I've always been excited about like creating video and just learning materials and,
Starting point is 00:07:21 making things easy for non-developers to understand because no matter what cryptocurrency or technology we're talking about, I really believe it's important that regular people feel comfortable using it. So I was doing that in the beginning. Then, yeah, I think it was like in 2019 some point, maybe about two years ago or a little less than two years ago. Amin Soleimani wrote a paper, who's another, you know, prominent Ethereum guy, wrote a paper about, or a blog post about compound's admin key. And he described how it worked, you know, basically it's just a Ethereum address that can be used to modify key parameters of the code, which for me, it opened up my eyes because, you know, yes, you deploy smart contracts on Ethereum and they're immutable.
Starting point is 00:08:18 But what I didn't recognize up until that point was that you can. could basically have these variables, parameters, et cetera, within that, that could be changed. And those could range from just a single, you know, address that might be used in some way to entire chunks of logic. Yeah. You know, so when you have that kind of flexibility, it suddenly raises the question, like, how is this decentralized anymore? And that's when it started to open up my eyes. And I sort of moved away from creating educational content about just how to use this stuff and onboarding people and more to creating content about the risks and about what you need to know before you jump into this space with both feet. So it's probably fair to say maybe you can disagree with me on this that most kind of D5 protocols have some sort of admin key or off switch.
Starting point is 00:09:13 actually I don't know if that is a fair characterization a good chunk of them do some of them don't like I guess uniswap is sort of the canonical example where it is literally just code that is deployed to the blockchain then people can choose to contribute liquidity to it and to move to the next version of uniswap they deploy new code and then you can choose to use the v2 or the v3 etc But many other projects maintain some measure of control over the contract. Can you sort of just explain to us why you would want to do that, like what the purpose of that would be? So there's so many defy projects now that I'm not sure if it's most or what percent have it. I will tell you that out of the top defy projects, since we started this discussion,
Starting point is 00:10:13 about a year and a half ago, most of the top defy projects have moved away from having the sort of stereotypical admin key and towards tokenized governance. Okay. Where they use the, you know, they air drop their token and they use that to replace the admin key, essentially. It can do the same kind of stuff,
Starting point is 00:10:39 but you need those votes in order to execute the transaction. So most of the time you will find these things in new defy projects. Because every defy project that is launched, is launched kind of it with an air of uncertainty around, is it going to work? And the fear of these developers is they're going to launch code, they're going to deploy code in a way that they cannot edit it and not change it.
Starting point is 00:11:06 And it's going to have a bug, and they're going to lose everybody's money. Right. So in order to protect themselves and their users, They keep that centralized control, which could be in the form of a single Ethereum wallet or it could be a multi-sig wallet or Dow. There's a lot of different ways they can do it. But they keep that with that justification in mind. That's why they say they do it.
Starting point is 00:11:30 So it's being a bit uncharitable. You're right. Obviously, tokenized governance is very popular among, especially among the more blue chips, I suppose, you could call them, where you're done. delegating control over these system parameters. When it comes to tokenize governance, which I suppose is, you know, less exposed to some of these key risks, are there, you know, if you drill down into it, are there still risks that, you know, large token holders could potentially influence the system? Yeah, absolutely. I've written a lot about that, too, about the distribution. of the tokens, you know, and a lot of projects claim that they're widely distributed and that
Starting point is 00:12:17 it couldn't happen. But the problem is when you look at it from, I like to say from the Bitcoin point of view, the trustless point of view, you just don't know what is on the record and what's not. And you don't know which investors, which founders, which employees of the startup that produce this protocol, what they have in wallets that aren't on the record. And the question is, how many people would a regulator have to get into a room and threaten if they don't vote in a certain way to make such and such change to comply with such and such new regulation? How many people would they have to get in a room and threaten for it to happen? And in a lot of cases, I would even speculate in most cases is probably less than 10. Right.
Starting point is 00:13:06 You know? Yeah, like the bus factor type thing. it's a great point. I believe, and maybe you can correct me on this, that there have been instances where flash loans have been used to borrow tokens on a short-term basis in order to tip a certain vote over the edge type thing. Yeah, the only one that I know of for sure where that happened was with MakerDAO with a specific proposal.
Starting point is 00:13:34 But then right after that, they woke up and they fixed, that potential exploit, you know, but I think that's a lot less of a concern now than what I was just mentioning, you know, sort of like the collusion among, or the potential collusion among founders and investors to comply with the regulation where if they don't comply, then their business loses value. Their token loses value. If regulators come along and say, do this or we're going to shut you down or tell your token holders that this is now about. volus token. Their incentive, the problem with all in all these situations is when you have the financial
Starting point is 00:14:15 incentive so strong for the founding team and for the investors to get a return on their investment, they're going to do whatever they have to do. So with Bitcoin, if the possibility came along where the price could get hurt because of XYZ regulation, nothing would change. But with these defy projects, they can make changes that would make sure they keep the value of the token afloat. So returning to the classical admin key, there are a bunch of configurations there as well, right? Like in some cases, you just have one kind of naked admin key that really controls critical system parameters and others.
Starting point is 00:14:54 You've multi-sigs. Are there like other categories there? Or is that sort of like the two common approaches? Those are the primary ones. People have used Dow's as well, which is similar in theory. to a multi-sig in that regard, you know, where it's just trying to spread out the perceived risk, you know, but there are still plenty of defy projects that use one single Ethereum account as the admin key. And the biggest problem with those is that users have no idea and there's
Starting point is 00:15:28 no way to prove how they're being secured. Right. For all the user knows, and this has happened a few times, the developer could be keeping that Ethereum. Ethereum account in a metamaskot wallet that could be compromised, hacked, exploited, whatever, private key extracted, put into a hacker's computer, and bam, they own the smart contract now. They can do anything. They can mint unlimited tokens. They can transfer all funds to their own wallet. Obviously, when you get that private key, it's over.
Starting point is 00:15:59 So that's the crazy thing. And some of those projects have achieved $10, 20, $50, $100 million in users' deposits that have ultimately just gone by by because of stupid stuff like that. It's incredible the scale of this stuff. In terms of like the specific risks of an admin key, there's clearly the hack. What would you say are the other like possible negative externalities of having this concentrated power in one or, you know, like a small multi-sig of keys? The biggest vulnerability is is the fact that you have to trust.
Starting point is 00:16:38 what the team is telling you with regard to a number of things. First of all, you have to trust, you don't have to trust how many signers there are and what threshold they have to meet in order to execute because that's on chain. You can see that. You can also see which addresses have been designated as the multi-sig, key holders, as the signers. That's on chain too. What you don't know is for each of those addresses,
Starting point is 00:17:05 is the sole person in possession of that address, the stated keyholder. Okay, we obviously don't know that. Same with any crypto situation. You don't know. You can't prove that you're the only one who's ever had that private key or that demonic phrase or whatever.
Starting point is 00:17:20 So that's one big problem. You have to trust in that. Number two, you don't know, and there's no way to prove that more than one person on the team doesn't have multiple keys. So if there's eight total keys, one person on the team might have three.
Starting point is 00:17:35 Don't know. Not saying it's likely, just saying it's possible, right? So right off the bat, when you use a multi-sig in that way, a lot of people perceive this as, okay, we don't have to trust it as much. There's more people involved. You know, there's a higher threshold that they have to cross in order to be bad guys.
Starting point is 00:17:53 But 100% of it is based on the skill and the integrity and the honor of that team, which right there, it's an existential problem in my book. You know, it should completely write off the validity of a multi-sigas, a way to prove that a project is like, you don't have to trust it as much. I think it increases the amount of trust that you have to have in it. So I want to talk about a few case studies. We were talking just before this about this website, wrecked.news, which lists a bunch of smart
Starting point is 00:18:29 contract exploits. I mean, a mind-boggling number, truly. and some of them have to do with the compromise of admin keys, others not. But you're telling me that the second biggest one ever, according to this leaderboard, at least, uranium finance was apparently an admin key exploit. Is that right? Yeah, as far as I know, this is one project that actually basically lost the admin key. You know, so it was, it was, I don't know if the details were ever released as far as how that happened, but I could tell you the most likely way that could happen is just carelessness on the part of the owner of that single admin key.
Starting point is 00:19:15 So, you know, if it's not a multi-sig, you're just talking about one Ethereum address with one private key that may or may not be held in a secure way. And keep in mind, too, it doesn't have to be, even if it's held securely at the time of the creation of the defy project, That doesn't mean when that wallet was first set up, it could have been set up two, three years ago, right? You go in, you'd create, you got your 12 or 24 word seed phrase. Maybe you don't know as much about OPSEC at that point. You're sitting in a coffee shop. There's a camera on you. You have key logger software on your computer malware.
Starting point is 00:19:51 You know, you don't know what. You know, somebody's watching. You know, so you set it up back then and then two years later, suddenly it's a admin key sitting on one of your accounts. Okay. boom compromise it was compromised before you ever created the project so we don't know exactly what happened with that one but somebody got their hands on on the account whether they hacked in and just took the private key out or whether they already had the mnemonic or you know these are the situations we find ourselves in multiple times and as you know like you said like it's it's millions
Starting point is 00:20:22 and millions of dollars and the biggest problem is that users when they're putting their money into these things are not asking these questions like they're not looking at how these admin keys are set up, what the skill level of the developer is, you know, how it was set up before, you know, how the wallet was set up. These are all questions I would ask is somebody who's been immersed in this, but people are just coming in and dumping $10,000, $100,000 into these projects. Just thinking it's as solid of a trust model is Bitcoin. That's the big fallacy. Like literally people think it's Bitcoin level trustless. where it's completely the opposite.
Starting point is 00:21:03 It's worse in my book than a centralized exchange in that regard. You have to trust one single developer. A lot of times they're anonymous. It's like, what are you doing? It doesn't make any sense. So you've been chronicling this stuff and ranking some of these projects on their trustlessness. You've seen a lot.
Starting point is 00:21:23 What would you say? There's probably a lot to pick from. What in your view is one of the most concerning setup? or situations you've ever seen in terms of a lot of funds exposed to, you know, really critical, you know, and undesirable situation as far as an admin key is concerned. So, I'm sorry, excuse me. I hope you can edit. I can, yes. Okay. So there's been a few in the past that have really caused a lot of concern.
Starting point is 00:21:58 one specifically was or is called Harvest, which uses one single admin key, one Ethereum wallet, not a multi-sig, in possession of an anonymous developer that nobody, as far as I know knows who it is. At the time I first brought it up, they didn't have any sort of time lock, and a time lock basically is a smart contract that adds a delay. So whenever they want to execute a transaction with that admin key to change something, it has to wait a certain period of time on the chain before it can actually occur. So there was none when I first called it out. Right after I called it out last year sometime, they had an exploit.
Starting point is 00:22:44 They're on that wreck leaderboard somewhere. And then they added a 12-hour time lock. That was a bad one. It's bad because when you have one admin key in the hand of a one, anonymous person, you're even not, you're assuming it's a human at that point, right? Could be an alien from outer space. Yeah, it's like that's, I mean, for me, it's beyond reproach as far as like redeemability. Currently, the biggest point of concern in my book is, is what's going on with Polygon.
Starting point is 00:23:12 And Polygon is an Ethereum. I call them DeFi chains. They're kind of like side chains, but they have bridges back and forth to Ethereum. and they typically have higher levels of centralization. And by and smart chain falls in this category and Phantom and there's other ones out there. But Polygon is grown into the biggest one. They currently are at a $11 billion total value lock. They're actually, I think by this time this week, they could be considered to be the biggest
Starting point is 00:23:47 defy project period. Right. As far as rankings on a site like DeFi Lama or something. something like that. So the, I've raised this on Twitter a few times recently. And, you know, it was raised before, but I think I, like my loudmouth style got more attention to it. The fact that a single multi-sig controls the security of the entire network. And there's now, you know, $10, $11 billion writing on it. For me, it's not the, it's not the scariest as far as anonym and as far as a single key versus a multi-sig,
Starting point is 00:24:26 it's the scariest as far as the centralized risk of the, like I said before, the skill honor and integrity of the team, the signers themselves, and how they would stand up to a number of situations, how they would stand up to regulatory scrutiny, how they would, you know,
Starting point is 00:24:45 where they're incorporated, what kind of jurisdictions they're dealing in, because now we've crossed the line from just like the defense, community sort of losing money in a hack or an exploit, we're crossing the line from there into all of a sudden this is a massive honeypot for a regulator in another country that might not be so crypto-friendly with, by the way, with Polygon being started in India, which as we know already is not the most crypto-friendly country in the world, you have to, you'd be naive to not
Starting point is 00:25:18 start thinking about what potential outcomes could occur when you have five of eight signers capable of basically compromising the security of the entire network. So it's not just about hackers and, you know, computer sign, Infosec exploits. It's also about modeling out the security dynamics, including attackers like state-level attackers, as these systems get larger and larger and larger and as nation states have like heterogeneous reactions to them with some presumed to be like very antagonistic. Absolutely. Yeah, I think the big mistake a lot of people make
Starting point is 00:26:04 is starting from the point of view of the defy user. You know, I'm thinking, okay, as a user, what might happen to my money when I deposit it here? You know, it might get stolen. It might get frozen. It might get whatever. But not enough people are thinking from the point of view of the actual real world centralization that's happening. And in a case like this where you have an $11 billion blockchain, whose security relies on five of eight multi-signers acting in a way that you believe they're going to act under incredible potential pressure. That's where to, when you start to think about that, you just take crypto out of it for a minute, right? Let's just say there's eight people in Europe and Asia where I believe they're all based, but I'm not totally sure all the signers, that each holds a key to $11 billion.
Starting point is 00:27:04 If you can get five of those people together to use those keys, you can get access to significant funds. How many, it's not, I could see a movie being written about it. It's like, you know, that show Money Heist, but it's like, let's put together a strategy to, you know, and we've seen it with Bitcoin. Obviously, people know there's real world situations you can find yourself in. So you have to start thinking about that with these keys as well. You know, this is real world stuff. And regulation in India and China and places like that become a real, a real question. Yeah.
Starting point is 00:27:40 You know, when you have that kind of real world implication of actually five people who could. make a big, big modification to the protocol. So you actually wrote them a letter, which was that the first one that you've written from the kind of Defy Watch letterhead? Yeah, yeah, because typically I've tried to engage, whether it's, you know, in their chat or message boards or just on Twitter. And what I found is, as time has gone by over the past year, I would say is we've been in this kind of defy bull, right? It transformed from a minute for the tech to, I just know, gains, gains, right? It's all about getting the yield, yield farming and D-Gen stuff and like all that stuff.
Starting point is 00:28:31 And the majority of the conversation has really been focused on that. And developers have taken advantage of that, right? So any critique, any criticism of any project results in people who only want that token price to go up just completely shutting it down. And so it's really, it's hurt the conversation. So what I've been trying to do is find other ways to raise the questions. You know, because I think that a big thing too is this conversation has only been happening in the defy community. I really believe as kind of a Bitcoin first person that this is the kind of. stuff that could have a tremendous impact on on bitcoin regulation too you know because it's a regulator
Starting point is 00:29:17 in india doesn't know the difference right so you know there's there's there's implications here that go far beyond just ethereum so yeah i've tried to start to to to really think through these points put them in almost like a inquiry letter type of format because i want people to see i don't just want the developers to see it and shut it down i want everybody to think about these things. You know, I'm not doing this necessarily to strengthen Polygon or to help them fix it. I'm doing it because I want every user to be conscious of these things and to be aware of what's going on as they get involved with it when they're making that decision whether or not to use it, knowing the risk it's opposed to the whole space. So regarding your point
Starting point is 00:30:03 about Bitcoin is what are you saying that if enough people lose money through, potential collapses of these D5 protocols that will just potentially bring down regulatory ire which will hurt all crypto assets the entirety of the crypto space is that kind of the idea yeah i don't think it can be ruled out we've seen kind of like you know small problems come up and then they get fixed with a shotgun blast of regulation right so it's i don't think it's unreasonable to think that certain governments or jurisdictions would lump everything together. And, you know, obviously, Bitcoin's a lot less vulnerable to centralized attacks, right, than defy. But why risk it? Like, if we can raise the issues now and we can self-police them,
Starting point is 00:30:58 then why shouldn't we? Yeah. We should try to get ahead of it before others try to jump in and they end up hurting the whole space and scaring people off from it. So I'm presuming that you got a mixture of reactions when you've raised these points to various D5 projects. So I'm sure a lot of kind of scorn or just rejecting the idea that there is a problem. I mean, have you also achieved positive results? I mean, have some of these teams actually changed their best practices in response to sort of your critiques? Yeah, I'd say it's been about 50-50. So over the past couple years when I've raised issues, some projects have just completely ignored, shut down, mocked, ridiculed.
Starting point is 00:31:45 A number of those ended up getting exploited and hacked or, you know, experiencing a problem. How do you feel when that happens when you warn about something and then the bad thing happens? I feel, well, you know, there's, there's. I look at defy users in two categories. One is the user who just doesn't know any better and who doesn't have the information. And those are the people who I try to speak to and I try to give them the info they need to avoid losing money. The other half is that degenerate gambler that knows it's a huge crapshoot and who knows they could lose money. And I do think that I'm getting through to the people that want to learn.
Starting point is 00:32:29 And I always get messages from people to say, oh, I pulled my money out before they exploit. thank you, you know. But it still sucks. I hate to see it because there's always going to be people that get caught up, good people that think they're doing something smart with their money, for their family, whatever, and they're going to get caught up in it. But it's never good. It's never a good thing.
Starting point is 00:32:50 You know, so, and I don't take joy in it. I definitely don't take joy in it. It's just really, it's a sad thing to see people lose money. And I think people that think it's ever great that something gets hacked or X-plied. I just, people always forget about just the average Joe who, you know, lives in Indiana and who learned about this yesterday. He's like, oh, you know, maybe I can earn that 500%. He just doesn't know any better.
Starting point is 00:33:15 And the next thing you know, he lost it all. You know, so that's not cool, you know, so I never take joy in that. So I, sorry, I interrupted you before you were saying about occasional or 50% positive engagement. What does that look like when you're successful? Yeah. So there's been some cases like one was with sushi swap. I noticed that one of their,
Starting point is 00:33:38 they have a couple of multisigs that have different abilities. They sort of like have like this division of power with their multi-sig system. One of them was able to sort of make changes to itself that sort of immunized it from like, you know, it gave it the power to give itself more power in a sense. I forget exactly what. It might have been a time lock or something like that that it could change or remove. And I brought it up to the team. And this is the way I usually start.
Starting point is 00:34:08 Like, I'll usually go into their chat, ask a couple questions, see if they're willing to engage. When they're willing to engage, then let's engage. Like, if they're willing to take the feedback and make a change quickly, then that's great. That's the perfect outcome. It's solved in a couple hours. And with them, that's what happened. You know, they saw the issue two. They made the change.
Starting point is 00:34:27 You know, so there's been plenty of instances where it's resulted in. in good stuff. The problems start when they don't want to engage directly. And as soon as you get those token holders involved, it's, you know, it's very, very difficult to have any meaningful conversation because the messages, the narratives just get completely lost in this sea of greed and nonsense, you know? And defy is, and crypto at large, right, is, it's different from any other space in that regard, where you have this sort of amorphous sea of voices that all they care about is making more money
Starting point is 00:35:05 and anything that gets in their way needs to be destroyed. And overcoming that is very challenging. You know this too. It's like it's very challenging to keep a thoughtful point of view on this stuff while also being loud enough that you can be heard over that mess. You know, and in Defi, I think it's even worse than other crypto projects just because of that sort of Wild West Anarchy vibe, right? So, yeah, like I said, it's about 50, 50, but the 50% that haven't been productive, a bunch of them got exploited. And, you know, there's other ones that have not, and they're still chugging along, but they still have the same kind of risks.
Starting point is 00:35:55 and people just continue to participate. Do you have a standard list of best practices or suggestions that you extend to DFI projects in terms of Q management? I've been asked for that quite a bit. And at the end of the day, I have a hard time doing that because I don't believe that a DFI project should have a key. I don't believe that having a centralized point of control is a good. good thing ever for this space because I think that the mere presence of that could evolve either into a tokenized governance structure like we were discussing before where you still have sort of like that decentralization theater where you still have that small group of people
Starting point is 00:36:44 who basically avoided the problem of having that key by distributing these tokens and maybe they still have control through all these different waltz they have it either evolves into that or it evolves into something, you know, where it could be easily regulated and turn into something way worse than a traditional bank. You know, so I'm of the point of view that I'm not the person who's here to try to help you figure out how to keep your admin keys safe. I'm here to tell you that that defy with admin keys or with multi-sigs or in some cases with tokenized governance will inevitably lead to something worse than traditional finance today. And I believe that those situations, the natural course of events,
Starting point is 00:37:36 will leave us prone to more surveillance, less freedom. You know, the digital dollar is coming. And I could see a lot of the stuff that's being invented with Defi. I could see a lot of it being co-opted by governments. it definitely won't be decentralized at that point. But the elements, you know, decentralization in a lot of cases with this stuff, with Ethereum especially, is no longer, it's no longer about trustlessness or removing centralization. It's about permissionlessness.
Starting point is 00:38:09 You know, and permissionlessness itself within a permissioned setting could be very, very dangerous in my regard. You know, so I think that a lot of this stuff could lead to something way worse than what we have now. And I don't see any way to fix that other than just to push more projects to sort of do the Uniswap model. You mentioned Uniswap before. Uniswap is one of the very few DeFi projects that does not have any admin key, was released in a fully immutable way, deployed, unstoppable code. Yeah. Versions one, two, and three. Version four, I don't know. But it's the three that are out so far have been completely trustless in that regard. Yeah, that one is definitely a model. Something that strikes me is like having seen your work, you know, a lot of the early
Starting point is 00:39:00 investigations you did, you know, the way you summarize a lot of these projects is like it's very unclear, they're not disclosing anything about their IAN miniki or multi-sig setup. And then like over time, like the disclosure seems to get a little better. Aside from like going in discords, how do you, like, do these investigations? Like, are you looking at ether scan, like, look at the contracts themselves? Like, what are, like, your tools to, like, investigate, you know, the trustlessness of these projects? So I mentioned I'm not a developer. You know, I'm sort of like an amateur technologist in that regard. So I, my path has typically been to, I've taught myself enough about how solidity works to be able to look at EtherScan
Starting point is 00:39:50 and look at the read contract tab and the right contract tab and look for specific clues. And that's usually where I start. The hardest part is usually finding which smart contracts you need to be concerned about. So what I try to do is I look for the ones that have the most value or the most control over value, they could be vaults or bridge contracts or, you know, there's like staking contracts. There's a number of different points within these systems that are usually have something in common.
Starting point is 00:40:22 So they're not that hard to find. But then trying to figure out if they have owners and if they have admin keys. Yeah. And from there, it gets challenging because just because a defy project has an admin key doesn't mean it's like, a god mode we like to say admin key it doesn't mean it can do anything some projects limit more the powers and the abilities that those keys have so at that point it starts to get a little i do look at all the functions on you know on a block explorer like ether scan but then i have to ask questions
Starting point is 00:40:57 and i have to ask the developers or other people that i know who can sort of dig deeper into this than i can what can this thing do is it capable of of draining all the funds, of changing all the code. What I try to do, though, is I don't really care about every single thing it can do. I try to find the worst thing it could possibly do. Yeah. Because the worst thing you could possibly do is usually pretty bad. So if I ask the question, if this key was lost, stolen, whatever, could that person holding it drain every last dollar in the smart contract?
Starting point is 00:41:35 If I hear somebody of the developer say, well, yeah, sure, they could. It's like that would never happen. But yeah, obviously, like, that's all I need to hear. Yeah. I don't research if it's likely. I research if it's possible.
Starting point is 00:41:49 And if it's possible, then everybody needs to know that it's possible. Because what's possible is going to happen at some point. You know, and again, it goes back to that Bitcoin point of view. If it's, if it's possible today, even 0.1% possible that somebody could crack Bitcoin. cryptocurrency and drain wallets, that would be a pretty big deal, right? So it's just as big of a deal if there's a 0.1% that somebody could get their hands on a defy admin key and drain the funds. You know, that's how I look at it.
Starting point is 00:42:21 So that's typically how I research. It's not super specific or in depth a lot of times because I don't think it needs to be. I just want to inform users about what's possible. And just that mere fact alone usually blows a lot of people's minds and causes them the rethink the project that they're using. So you seem to be moving more and more towards, you know, being pretty assertive here and, you know, maybe laying the groundwork for a self-regulatory organization that will actually help, you know, surface in a kind of structured way.
Starting point is 00:42:56 The risks here. What's your pitch to, like, defy enthusiasts in terms of self-regulation as opposed to you know, simply ignoring the problem, for instance. I haven't really figured that out yet. You know, it's, the biggest challenge here is, is getting projects on board. You know, it's one thing to get users to understand the risks and to be concerned about them. And over the past year, I think a lot more people have become aware and concerned as far as the users go. And there are plenty of developers who message me and ask me for advice or how can we avoid these pitfalls.
Starting point is 00:43:42 That too. But the biggest projects out there, once they're reaching a billion dollars locked in their project, by that point, they've got capital flooding in, they've got investors breathing down their neck. They've got a token. They've air dropped it. They're now responsible for keeping a high valuation on. and the concerns about centralization get lost because they don't care anymore. They've already reached the point where they're now running a business, and they've got to provide a return to their investors.
Starting point is 00:44:20 So that's the stage at which it's most important that projects care about this stuff, but it's also the stage at which they're least likely to care about this stuff. So the way I'm looking at it right now is I don't think there's, any way to get like projects to agree to self-police in the way that we need to. I think that it needs to come in the form of pressure from users and not just users of DeFi, but users of crypto in general, you know, because there needs to be scrutiny applied. We need to get to a point where people look at a project that has a multisig like Polygon, 5 of 8 multisig that secures the entire network and just laughs and just laughs. Like this is absolutely
Starting point is 00:45:05 insane. Who would ever stand for this? We're not there shocking. It sounds like we should be there, right? But we're not there. Mark Cuban just announced yesterday he's investing in Polygon. Like there's a number of, you know, like big names that are coming in and like, you know, they're supporting this kind of security. And a lot of them, you know, if we asked Mark Cuban today, he would probably say, you know, they got to start somewhere. You know, they're going to decentralize later. Blah, blah, blah. We've heard that before. fast forward one year, two years, five years, they're still not decentralized. They've been noticed by regulators.
Starting point is 00:45:42 Lots of things can happen in that time. So again, we're not in the game of like what's likely. We're in the game of what's possible that could happen and how could it jeopardize crypto. So conversely, you know, what would you say to a regulator that is, you know, smart and, you know, trying to get smarter about defying these risks specifically? I would say to focus in on the kind of points that I've been raising as far as what is the centralization risk look like. You know, what is possible with these admin keys and multi-sigs?
Starting point is 00:46:20 Can theft occur? Can exploits occur? A lot of the smart contract exploits that we've seen, I believe, and there's no way to prove this, but I don't see how, some of them could not have been done from the inside. Yeah. Because nobody knows the code of a smart contract better than the person that wrote it. So one time out of 100 or 200 or 300, you have to think that there's been a sneaky developer. It left a little bug in the code that later went back and said it was an outside.
Starting point is 00:46:53 So it's like there's all of these nuances that you have to look at. From a regulation point of view, I honestly, I don't think that I don't see how regulation can can from a government could work. I just don't see it because you're going to drive everybody into anonymity very quickly. And once they go anonymous, then how do you regulate anything at all? You know, so it's the only way that we can help this space is by, like I just said, like making projects that keep centralized points of risk and things like that, completely laughable to educated users.
Starting point is 00:47:31 Users have to abandon them because they know they could lose money versus a project that doesn't have that centralized point of risk. I see a huge challenge. My biggest fear is that regulators try to do something, which has nasty side effects for crypto at large, and is completely ineffectual for defy because you can launch these things anonymously and have all these different, you know, all over the world, people are doing that. and it's not stopping users from participating with them. So I would tell regulators, keep trying to get educated, definitely understand the kinds of points I'm raising, think about what those answers are that we're not getting from DFI projects,
Starting point is 00:48:10 and then think about how could we possibly fix them without educating users. That's where I would start at least. It's going to be challenging, though. Well, Chris, you've undertaken on what appears to be a grueling and largely thankless mission, but I think an important one. So this has been really fascinating. Thanks for coming on.
Starting point is 00:48:33 Thanks, Dave. Yeah, really enjoyed it. Pleasure. Pleasure. Appreciate it.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.