On The Brink with Castle Island - Steven Walbroehl (Halborn) on Blockchain Cybersecurity (EP.423)
Episode Date: May 8, 2023Steven Walbroehl, the co-founder and CTO of Halborn joins the show. In this episode we discuss: Steven's crypto origin story and how he began tinkering with public blockchains. How Halborn's work dif...fers across traditional financial services customers versus decentralized organization customers. Basic recommendations for companies entering the public blockchain ecosystem. Halborn's recent discovery of a zero-day exploit impacting 280 public blockchains. Views on market manipulation and game theory exploits. Halborn's Seraph digital notary product and how it is keeping DeFi protocols safe. To learn more about Halborn visit www.halborn.com
Transcript
Discussion (0)
Today on the podcast, I sat down with Stephen Wahlberl, the co-founder and CTO of Halborn, the leading blockchain-focused cybersecurity firm.
We're investors in Halborn, and I think Steven's one of the sharpest technical minds in the industry.
So I want to have them on to talk about the threat vectors that the industry is facing from a cybersecurity perspective.
I think you'll enjoy this one.
So without further ado, here's my conversation with Stephen from Halborn.
Matt Walsh and Nick Carter are partners at Castle Island Ventures.
All of these expressed by them or the guests on this podcast are solely their opinions and do not reflect the opinions of
Castle Island Ventures.
Guest and host may maintain positions in the assets discussed in this podcast.
You should not treat any opinion expressed by anyone on this podcast as a specific
inducement to make a particular investment or follow a particular strategy, but only as an
expression of their personal opinion.
This podcast is for informational purposes only.
Brought down by bad mortgage investments, Lehman, which has 25,000 employees, will be liquidated.
The federal government loans American International Group, AIG, $85 billion.
This is a different kind of market, and the Fed is asleep.
The federal government is stepping it to stabilize Fannie Mae.
and Freddie Mac, the two mortgage giants that have been threatened by the housing crisis.
The Bank of England has pumped 75 billion pounds more to Britain's ailing economy with a new round of quantitative easing.
You print a couple trillion dollars and all of a sudden people start to worry.
So out of this worry, we have something called the Bitcoin. Bitcoin.
Well, Stephen, thank you for joining us today on the podcast.
Excited to have you on. Definitely a very relevant time to be talking cybersecurity.
Oh, definitely. Yeah, I'm excited to be here. Thanks, man.
We're excited to be investors in Halborn.
So I sort of know your origin story already, but maybe for those who are not familiar with you
or Halborn, how'd you get into crypto? What was the path to starting this company?
Oh, yeah. No, definitely. So we've been around for almost four years now. And I have a long history
in cybersecurity. I've been doing the hacking world for almost 20 years now and worked a lot of
big organizations in my history like IBM and some financial companies. And in the cybersecurity world,
you have red team blue team. I was originally part of the blue team, but became pretty intrigued
with what the red team, the offensive people were doing, the malicious hackers, because they
always seemed like one step ahead of finding exploits and then we have to defend against them.
So I started taking some certifications and studied learning to be a hacker. And that's when I found
Bitcoin because going on the dark nets to find hacker exploits and viruses and so on,
ended up seeing what is this thing that they're trading with called Butcoin?
I mean, oh, no, no, this is Bitcoin. Oh, what is this thing? So then I really dug into it.
They say, like, you go down the rabbit hole and look at the technical aspect of it. And I became
fascinated with how coded and the way it handles finance peer to peer, read the white paper,
completely like, saw the future. I was like, oh, man, this is going to be big later on,
the tech itself. And then at IBM, ended up doing some sort contract odds because they started
looking at things like World Pay for Stellar. And I was auditing there. Then, because I was going
down the rabbit hole, met Rob inside of a marketing channel on Slack for his previous token agency
company back in 2016. And I was interested in seeing all the projects coming out from that.
And one day, Rob said, hey, does anybody know how to do these smart contract audits?
One of my clients here is getting hacked and we don't know what to do. And I was like,
I could try. I've done a couple of these things before. You know, it's like, all right,
let's meet and save the day. And then it's happened again, happened again, had tons of
these projects that were just getting really like security issues that coming up all the time.
and we decided to make a company called token hackers, which we decided was a terrible name
very quickly, then we called it Halborn. And since then, start off, it's just us too, to a team
of over 100 now. And we're still saving the world of cryptocurrency and blockchain today.
Well, you guys have a ton of products and services that I want to get into, but maybe before we do.
So you've been in crypto for just a long time. And it obviously has a similar story to a lot of
stories, mine included, where you sort of start with Bitcoin. How do you just ideation?
ideologically think about the space and how it's evolved. I mean, I remember a world where everyone
said, hey, everything's just going to be built on Bitcoin. And now I feel like the industry is so
large. I can't even keep track of it. And it's my full-time job. How have you felt about the space over
time? Yeah, you're right. Everything's built on Bitcoin is like, there's no way we can do
NFTs on Bitcoin. And then Ordinals came out and like, oh, man, like, okay, that's awesome.
Great guys. But it's always innovating. That's what you notice from the very beginning is,
you don't expect something to happen. And then they make a use case for it. And the development
community starts building it, which is what I love as a tech person, there's a lot of innovation
and it moves extremely fast. And that can be good or bad for security the way you look at it.
For us, because it's like a lot of great business, of course, for it. But for the development
community, they take security very seriously because it can have bad impacts. So in general,
my philosophy on the whole space started off as Bitcoin, which is just very simple, kind of a one
trick pony, right, of peer-to-peer systems, global urgency based on, you know,
just a trustless network. And I look at this almost as like the core layer, like a network type
layer. And then you have, you know, when Ethereum started coming in, that's where you open up
a whole world of use cases with smart contracts, you know, the concept of these Turing complete
applications. Once that, was there really anything as possible? Because if you could code it
with logic, you could build it. And now we see games that are coming out on Web3. We see financial
transactions that like lending and borrowing, exchanges, insurance protocols. So this is why they call
it Web3, just like in the early versions of Web 2, where you would have your simple websites that
were run HTML or CSS, and then they evolved into these fully dynamic marketplaces like Amazon.
And we're seeing that same evolution now in smart contracts and starting off as simple
tokens now doing full-fledged metaverses that you can interact with. It's quite amazing. And,
you know, a lot of people's perceptions of it. One thing I like to talk about is people think that
cryptocurrency and blockchain is just only finances and currency. And it can do a lot more than this
with the use cases there. And I like me personally, I'll kind of end with this story is I like to
see all the use cases that really do improve or solve challenges or inefficiencies in the current
technology and can revolutionize a lot of the, either where it's productivity or value or transparency
using this technology here, which underpins all of it. So that's like my take on it all. I think it
doesn't solve everything, but there is a lot of things that can do a lot better than what we have
today. One of the things I think a lot about as an investor when you look at the protocol side is
just think about the bug bounty that's been on Bitcoin since it started. Think about how many people
have been just trying to break this thing nonstop. I feel like whether you're technical or not,
first thing you do when you see Bitcoin is just try to find a way that it's not going to work.
So if you're an economist, you're going to be just arguing about that. If you're technically
you're going to be trying to break it. And so there's a l. effect there because it's not broken.
But these newer kind of Alt-L-Wans and DeFi protocols, there's just frankly a lot fewer
people spending time looking at them. So how do you think about the tradeoffs in terms of
people that are building apps and choosing which chain to build on?
Yeah. Referencing when you first talked about, like, you know, trying to break Bitcoin.
There's a lot of people approach it the wrong way, and they think that, oh, quantum computing,
I've always heard this before.
Like quantum computing will break, you know, Bitcoin one day.
It's unsafe.
But if it breaks Bitcoin, it breaks the normal internet as well.
And we have bigger problems.
It's just Bitcoin.
Breaks all the bags, right?
Yeah, exactly.
All the bags everywhere.
Yeah.
Like TLS technology, like SSO the little lock upon your browser, you know, that's pretty
much the same tech Bitcoin uses for public, private key.
Anyway, so it would break that too.
And it would just upgrade it.
fork it to another one because it's actually more secure. It's decentralized. So, you know,
it'll break Bitcoin, but, you know, it's a resilient network. And this is the same true of these
layer ones. If it's a truly decentralized network, then what you're doing is you are providing
resiliency from availability, outages, or disturbances on the network. Now, a single wallet may be
like compromised for more reason. But when we talk about the newer layer one generation and like my take
on the second part of this question you asked.
We have things like Cosmos now,
which are more like application-centric chains
versus things like Ethereum,
which are full, like a mainframe.
It's like a world compute system
that everybody shares
and even like layer two systems connect to it.
So now we have these different types of chains
that are, they're pulling some things
from security to make a less secure,
but also adding more security.
So instead of a systemic event,
like on a mainframe where if there's an exploit,
like if somebody breaks the Ethereum consensus, then all of Ethereum is going to suffer for that
rather than an application-specific chain, which is, you know, a small, you could think of like
a para-chain or relay chain that is impacted and may not touch or affect other networks.
So you're now dispersing the risk with that.
So there's different flavors for it.
And there's always going to be a security risk.
And it's all about what do you do to mitigate it.
And that's what we do at Halvorn is that we look at the whole ecosystem, everything.
in this entirety to provide security.
And so you guys are maybe shifting over to what you guys are actually doing at Hal Bourne.
It's a really fascinating company because you work with some of the largest financial firms
in the world, but you also work with decentralized organizations.
So maybe talk a little bit about the products and services and how they differ based on
who the customer is.
Yeah, we kind of look at this convergence of services and the products that we deliver as
our solutions because they do work together.
And then when we offer those solutions, we have the convergence of the tradfi or the centralized finance and the defy, the decentralized finance.
So there's a convergence between that too, Web 2 and Web 3.
We actually ran statistics on risks and exploits.
And we found it's almost 50-50 of the root cause being between a Web 3 security issue and a Web 2 security issue.
And that just really highlights our thesis and approach of providing.
providing security solutions for both sides of it because it could be an issue purely Web 2 that has to do with blockchain, like a custody platform that you failed to secure your login with the Active Directory or you left your keys there. You didn't harden the server well enough and somebody got onto it. That's all nothing different from normal security that I've done for 20 years. And those issues can lead to Web 3 issues. But then on the flip side, you can have Web 3 pure.
issues where you don't know how to code solidity for your smart contract. And now you're taking
your bank and you're taking client payments or your transactions for swapping your loans
and your code is not secured. That's like a Web 3 on-chain code flaw. So we have to look at
everything holistically and the big picture. Because if you scope out into like a very small area,
you're missing a lot of the maybe the layers of the threat vectors that can really occur on the
platform. So that's what we look at. It's not one big architecture that we just prioritize based
on risk and likelihood of something happening bad to your business. Maybe going a little bit more
into the TradFi first. I mean, you guys do a lot in the pen testing space. What are some of the,
and I guess that's just an incredibly important space when you have digital bearer assets,
right? I mean, this is unlike anything a lot of these organizations have ever dealt with in the
context that the money can just evaporate and it's not being held at the DTCC in the form of a security.
What are some of the best practices that you're seeing from some of these, you know,
maybe not crypto-native firms that are starting to do crypto things?
Yeah, best practices is be proactive.
There's the concept of DevOps where it's like the shift left security where don't do it
at the end.
Like, okay, we built our product.
We're ready to go live.
Let's do a quick security check on it because one, that can lead to issues that just
impact your delivery.
You may find a fundamental flaw that you would have picked up earlier.
And now you have to go back and waste burn capital and waste time and manpower to either redeploy it or just scrap it because it's too much of a risk now.
So start earlier in your security.
Do what I like to call preventative security instead of just reactive.
And preventative is the pen testing.
This is where you are looking for the issues before they happen and you're preventing them from happening later.
So on the trad-fi world, this would be like a firewall in front of your network.
You're preventing malicious attackers from getting in rather than a monitoring system,
like intrusion detection system where it's like, oh, the attackers are in here.
They took the money.
Sound the alerts.
It's like damage is done.
So always look at having a full defense in depth, preventative and reactive.
And then sort of like a recovery plan, you know, disaster recovery.
So this is all, you know, the layers of different types of security have to be considered
from the full stack of prevention, detection.
and then recovery and focusing on the risk because you're never going to be 100% secure for anything.
But first, classify and identify what are your mission critical processes or your assets.
Where's the crown jewels that attackers would go after and start there and work with a company like Haliborne
or if you have a security team to do threat assessment, find out, okay, well, these are the mission
critical assets and processes.
What can we do or how can we get to them or what would be?
be a likely scenario that they would be compromised and then build tools or implement tools or
processes or get a team to mitigate those areas. And that's always how you structure. And you just do
that until you feel like you've gotten to a level of risk that you're okay. Everybody has different
risk appetites. Banks and financial institutions usually have a very low risk appetite. So they'll
put lots of different layers of controls around that. And then that's just technical risk. Then there's
the whole world of like compliance and regulatory risk as well where hey, we do all this really
great and we've hardened everything and no hacker can ever get in. And then a log is passed saying
you can't do it anyways. Right. Right. Yeah, that's the we don't really do too much of that.
Like we can advise towards it, but we don't do the auditing for the government entities or anything
for them. But that's more like privacy compliance. Yeah. And I guess it's, you know, it's probably going
well, not only for you, but maybe others in the industry, because you feel like you see fewer
of these kind of crypto-native startups where it's, hey, we actually just lost our entire balance
sheet because there was some exploit where our CEO's email got taken over. And like, you remember,
those would happen in 2015 and 16. Yeah. Now's my algorithmic stable coin had some issues and like,
oh, everything is zero now. Right. Exactly. Well, I guess that's a good dovetail over to the defy side.
I mean, I'm continually just shocked at how much capital is put into.
some of these platforms that are we later find out are just really not built appropriately.
Maybe speak a little bit about that and just what that's like right now in the DFI space.
Yeah, in the DFI space, you know, you touched upon something interesting, Matt,
with the way you can have a whole balance sheet, like evaporate because of a key being lost.
Because in the normal security world, the normal finance world, those type of issues happen.
You have backstops and you have, you could reverse things or you can go after the criminal.
and even the criminals, when they try to break things or steal funds from that,
they have to go through different types of steps.
They have to fish people and then steal credit cards out there.
You're not going to go into the server at Bank of America, Wells Fargo,
and take the money out of the server or anything because it's a digital representation of,
I guess, cash that doesn't work on a smart contract.
It's not like a consensus token or some type of like blockchain native asset.
So you have a whole different approach on what is at risk with this.
You know, you can steal something on chain and transfer it and it's anonymous.
There's the whole forensic part of it is different.
So on the defy world, that's where the risk is different and what can happen because you have
the actual asset of value is sitting there inside of your wallet or vault.
and then you'll have these bridges and derivatives assets around it.
So there's the assets at risk from code flaws that can be,
if you find an exploit or you find some type of logical component that doesn't work,
then anybody can exploit that if they know the code well enough
because it's all permissionless, transparent network.
And that's why it's always being attacked and looked at and happens extremely fast.
You know, you get that level of transparency from like the security flaw side
on traditional finance either.
Unless a bank's like a code is on GitHub open source for people.
You can see that type of stuff.
So there's like these logical issues in the code.
And then there's the financial aspect of it all where you're now able to do a lot of attacks like flash loans.
And the algorithmic stable point I mentioned earlier is it's using arbitrage between like two tokens in order to have balance based on supply and the price differences.
but if there's not enough liquidity there, you know, it's not like a U.S. treasury where there's
like almost unlimited liquidity, there's not enough there to support it, then that can be
leveraged as an attack.
You know, you can do a, you know, for example, a flash loan, you can borrow enough tokens
without collateral to manipulate the price.
So I don't think anybody could really do that except a handful of people.
And there's laws against that in traditional equities, right?
Buy a bunch of Tesla to like short Tesla.
I don't know. So that's different, too. So there's different types of methods that are exposed in
this ecosystem. It's quite fascinating to see that. Yeah, as you point out, it's way more than just
pure cybersecurity, right? I'm thinking about the mango markets hack where I guess you wouldn't even
call it a hack. It's really a market manipulation. And, you know, I guess that guy is in jail at this
point, and there is a CFTC process. It'll be interesting to see what the legal side of that looks like.
It's all the rules, right? Yeah, he's like, see it. He saw the code says, I could do this, right?
And that would certainly be his argument, but I wonder if we need to get to a point where there's
some sort of an automatic alert to just shut down a pool or something like that. How do you think
we can build systems to be more resilient here? For sure. This is a great topic to talk about
like stuff that Haliborne is doing. We see a lot of these threats as well. And it's difficult
to walk the line between, okay, this is decentralized. We don't want to like centralize it by
putting restrictions like Haliborne says no or some security person says no, like censor that
or stop that. Because then it's like go back to just traditional finances we have already.
But there's also the risk factor and we have to protect these funds if we want to see it succeed.
So how do you walk that line? And right now a lot of the only tools that we've encountered there
are like multi-signature wallets where two signers have to authorize something.
But then how do I know these two signers aren't just the same person or they're working together?
to do. So we've developed a tool called Serif. We have five patents on it, and it's a notary solution
that lives on an EVM chain. So it's a pretty much a smart contract or set of smart contracts
that enable only specific functions, like critical functions, like a withdrawal liquidity. They take
all the funds out or upgrade the owner to somebody else, like an escalator of privilege. These are
functions in these codes of the smart contract that are extremely sensitive and critical and the
ones that would normally be hacked. So we could protect only those and kind of predetermine what
is the expected use for this. If this function gets called, why is it getting called? There's a set of
rules. It's kind of like a firewall. Like, you know, you have firewall rules. And if any of those
rules are not being met, you know, let's say we never want to withdraw the funds out of this treasury
in the excess of $1 million unless, you know, there's a Dow vote that occur there.
And if we see any issues on the rule, then what Sarah will do is it's a wrapper around
that function to drop the transaction.
And it does this all on chain.
So it's kind of like a transparent.
It's cut, it's non-custodial.
It's using the sense of a notary to either notarize, like sign off like this transaction
is what we're expecting it to do or reject it.
And if it gets rejected, then it's an on-chain rejection.
and we're not co-signing.
There's no keys with it.
And anybody can be a notary.
It's not just Halborn.
So what's great about that,
imagine you, Matt, as an investor,
and you've invested in a protocol of a smart contract.
You just gave them out of $100 million
and it's inside the putty pool
to help them distribute the rewards.
You're like, I kind of want to make sure that's okay, right?
I don't want those funds to get hacked.
You could be the notary for any treasury withdrawal.
And with that notary,
you can have you or your team with that key
and say, hey,
We need to, you know, take this money out here to deploy it for some new contract developers
we want to hire. And you say, okay, yeah, that's a good use of funds. And then you can, like,
not notarize that transaction to happen. So you're not blocking it. It's not centralized.
You're not saying yes, no to everything they're doing. You're just protecting, you know,
unagreed upon use of that function of the withdrawal treasury. And if they do get hacker to lose
the keys, you'll be like, wait, hey, guys, are you trying to like take out everything right now?
It's like, no. It's like, oh, reject. Let's go see what's going on and figure out. So it's
really awesome protection, I think, that is still in the spirit of decentralization.
I think it's a super vital service. It seems like that's the type of thing that every public
protocol really ought to have there, you know, as the space moves forward, not having it.
I mean, we've seen what happens. I guess lately it's been interesting. Some of these hacks you've
actually seen the return of funds, which it's hard to tell. I'm curious your perspective.
Is that because they get doxed some way and they're sending back the funds typically?
Why would attackers be sending back money at this point?
So it depends on the attacker.
I've seen the normal hacker mindset, which I'm very, very empathetic to is a lot of them
want to like just show the world that they can do it.
You know, they're like, look how elite I am.
I can hack your protocol.
Look at me.
Okay, here's your money back.
I just wanted to get attention, I guess.
But in the other ways, if somebody's truly trying to like just get financial gain from it,
which I'm sure the majority of them are, you know, it's like off ramps, tornado cash for
Ethereum is the biggest one. It's like, okay, where do I get this out now? You know, black market or sell
it. And then they just realize that it's not quite as easy as they can, especially when you have
things like USDC or USDT or these stable coins. They have in their code like freeze and burn and they can
like stop those funds. And then Tornado Cash is really one of the things. Even OFAC, you know,
is involved with that too. And the wallets that touch that. So there's a lot of on-chain functional
controls there. And then, of course, the doxing part of it all. This goes back to that web two.
to Web3 mix that we were discussing before, you can have complete anonymity with your keys and your
wallet, but if you've registered at an exchange, then they're going to know who owns that wallet,
K-Y-C'd, or maybe you didn't even do that, but your wallet is tied to another address that that address,
you know, you've posted it on Twitter or something there. Now you have an identity tied to that
address. So there's always like a real-world pin that you could possibly accidentally expose. And
Once you have one, that's all you need.
Then you can just start investigating and find them.
It's an immutable ledger of all the crimes you've done, which is why it's fascinating to see
the BitFinex hackers and one of the Mount Gox hackers.
You know, you catch these people and they have billions of dollars on hardware wallets,
but they can't actually spend it.
It's a really perverse type of thing.
It must be very difficult as a hacker to live in that world.
Yeah, exactly.
Everybody's watching your wallet too.
And the whole world can watch it if they want to.
You can even talk to them on Ethereum.
We could like send transactions with like messages like the polymers.
like the Poly Network Hacker guy did. He was saying like, all right, Coin Desk, let's do this interview,
like live on chain. It's fascinating. I love it. It's like makes my job fun. But yeah, you're right.
When a lot of like regulators and law enforcement, they were familiar with it several years ago,
how it actually worked. And now that they see like, oh, actually, this is way easier to find
the money than just like cash in like a suitcase that goes over the border. Yeah, there's an argument
there that, you know, a lot of politicians would like to have you believe that crypto is just
all nefarious people. But it's actually pretty difficult.
and maybe you wouldn't be the smartest criminal in the world if you're doing your crimes on
chain is my argument.
Yeah.
And the ones that do it right, they're usually really technical.
Like they know how to do coin join and swaps and, you know, if they're doing Ethereum,
you know, how to use all these DFI protocols to add liquidity pulls, take it out, go to tornado
cash, do a cross-chain bridge from one to another on like something like Raven coin or something
and then back.
So it's kind of like walking funds with technical.
contracts. I guess that sort of dovetails into the nation state level here. So obviously
North Korea has been pretty active on the scene. Has that always been the case where you've
had nation state actors in this industry? Yeah. The terminology in the security world is called
APT, advanced persistent threat. And that's always the case. There's usually three type of security
threats. And one of them is like hacktivists, which are people they don't really care
too much about like financial gain, they just want to send their message or like their political
ideals or whatever their hacktivism. Then you just have the normal adversaries that, you know,
the ones that stealing funds or causing disruption. And then you have the nation state. And that's
usually very targeted, almost like spearfishing in a way. They have a target in mind. They have a
specific thing that they're working towards that is in the, for their nation, you know, cyberterrorism,
essentially. And we've seen that in the traditional world of things like Stuxnet,
if you're familiar with that. So Stuxnet is one of the most famous ones of having a custom
virus, like five-layer virus, tailored and coded specifically for like one use case on nuclear
centrifuges inside of Iran on their non-windows motherboards to exploit that and cause disruptions.
It's like, that's nation state.
It's card research and developers and a team to figure out and they're funded to make
custom exploits or tax for a purpose.
And that's what we see traditionally.
And we can even see that here, I think, behind the scenes on high level defy.
But the government hasn't gotten to the point of like full adoption.
I could foresee a future where if we're using defy in normal commercial financial services
or government services like CBCs, where now you have nation.
state actors researching and developing code to like exploit whatever the Fed coin, their contract is
disrupt their financial. So I think from a security standpoint here, it's going to get even more
serious in the future. Like security is going to be top of mind in the future, even more than it is
now for this whole defy and blockchain and smart contract world. Yeah, you bring up an interesting
point on stable coins and CBDCs. I mean, obviously a stable coin kind of has to live on a public chain.
and the interoperability with defa is a big part of the value proposition.
The good part there, though, is that the collateral is technically offline, right?
So if you're dealing with a USDC, they have the QSIPs, the underlying collaterals at Bank of New York Mellon.
So, you know, there's some degree of protection, I guess, just in the way it's built.
With a CBDC, I just wonder if you even need a blockchain.
I don't know if you have a view on that.
Right, yeah, you're tokenizing an asset.
Like, there's the whole, like, triad, I think Vitalik from Ethereum talked about, like,
you're balancing scalability, security, and decentralization.
That's like the triangle of it.
And so what they're using for that is taking away decentralization more to add
scalability.
And I wouldn't say it's any more transparent than what we would see like on Ethereum,
but now they are being able to see their digital assets that are tokenized with collateral
offline or in the Federal Reserve Bank's like ledger or something of matching that token.
And so you're not doing it there because it's a scarce asset like Bitcoin.
that you have to mine, you're doing it so that you can track, monitor transactions, make it
faster, scale it. And I guess you, you know, depending on how it's coded, provide more security
for the stability of the assets that are being used. So that's again, it's like, there's another
purpose for blockchain. You're getting the values from Swift system is very slow. And if I want
to wire or transfer to you on like Friday afternoons, like, all right, let me know if you get it
like Monday afternoon. So it'd be pretty cool to have that happen.
really quickly for everybody and do that securely.
So there's a use case right there, you know, a transparent way.
You can verify it with your friend for that and use the code to know that he has the funds
in his wallet.
I mean, there's a lot, again, back to the benefits of the technology.
You know, not everything needs to be a volatile asset that's like not backed by real
collateral, you know, just let's just use the tech.
It's better.
Totally.
I mean, one of the things I'm very bullish on on the longer term, there's obviously some
regulatory issues with what I'm about to say.
But you can imagine a word.
where a bunch of real world assets get tokenized on blockchains. And you have maybe you own
shares in a REIT that trades on a public blockchain. And let's say you want a loan. Let's say that you need to
buy a car. You could go through the TradFi kind of non-block chain way of getting a margin loan from
your broker or going to get a HELOC. But that's going to take weeks. Why wouldn't you just want to
plug it into defy and park your collateral, you know, your REIT shares and get stable coins back in 60 seconds?
I mean, yeah, you speed of buying a house too.
You can have money in escrow here.
You can have a lender broker here.
And like the whole underwriter process and, you know, the lender can have their own rules
that are executed against like the user's credit score contract or something.
You know, it's like habit spontaneously at the speed of blockchain.
And I guess, you know, in that world, you just need to be sure that the pool is safe, right?
So to your earlier point, you probably need to have some sort of a notarization mechanism
or some sort of a public review on this for any.
of these financial firms to get comfortable extending credit in that environment?
100%. Yeah, this product that like Sarah and the patents for it, I personally think we're early
to the market with it because it solves a lot. And for enterprise adoption, let's just say
you are a length of giving lending and borrowing. You can use this as an enterprise solution within
your company and have one notary be the underwriter to approve it. And you can have the borrower
or like maybe in the mortgage team, they're sending in like loan requests to them on chain,
their permission to chain or, you know, whatever they want to do it.
And the notary will see all the contract transactions come in.
It will be populated on their app.
And then they say, yeah, this one's, you know, approved because we see the collateral here.
We see the history of transactions.
We know that they're high credit.
It's not like a new wallet.
We've never seen their transactions before.
They have enough there.
Time lock there for a certain loan.
It's like, all right, approve.
And then it confirms transaction.
and then the funds get automatically released.
So Sarah can be a not just a security prevention,
it could be a platform for ticketing system,
approval system in a way between two different entities.
I mean, that's another use case for it that we can see.
It just has to be adopted first.
It has to get to that point of doing business on that platform.
Yeah, I definitely think that's the way it's going.
One of the things that's been fascinating over the past few months here
is that you guys identified a zero-day vulnerability
that impacted 280 different networks, including Dogecoin.
So it was good timing with Elon putting the Dogecoin logo on Twitter.
Talk a little bit.
This was called rabies.
This was the code name for this vulnerability.
So maybe talk a little bit about what happened here.
Yeah, for sure.
So timely release for it, but this is actually something that we found quite some time ago.
So we were doing an audit of DogePoint.
And I know that sounds kind of strange because it's like a public code on GitHub that everybody can see.
and it is kind of decentralized.
It's like you're just run by the maintainers of Dogecoin and some key devs.
But we were auditing it on behalf of a client because they were going to set up some Dogecoin miners on there.
And when we were going through it, one of our top engineers, Hassam here at Halborn,
he had found several different critical issues on the main net Dogecoin.
And they were, three of them affected the peer-to-peer consensus.
So there was like an out-of-memory vulnerability where, you know, if you knew where a,
a Dogecoin miner was you could send them consensus command, and they would just run out of memory and
shut down. So you could attack the entire main net of Dogecoin at once. And then there was another
vulnerability we saw of remote code execution to just really get control of the system externally
from it and then get on their wallet. These are extremely critical because in the wrong hands,
it could bring down Dogecoin. And nobody wants that, you know, especially Elon. It's like,
I thought Dogecoin was going to the moon, into the grave. So that's the type of thing. We see that.
and it's very tricky in order to protect that or fix that because there's this concept that,
you know, adversaries use where they will look at updates or patches to the code, you know,
especially when it's open source, and when they say, hmm, why did they patch that? What's going?
And then they compare the previous that and then it kind of like shows them like, oh, they fix this.
And then there's time like because it's decentralized all the people that are running Dogecoin
nodes or miners, they need to update to that.
the latest patch, just like Windows and Mac that we see.
So there's a window of time where the network is vulnerable.
And now we've just kind of like shown what's going on, like, you know,
Whitcott Patch.
So we were working with Patrick, one of the key developers.
He confirmed the issues.
He was like, oh, man, thanks for finding this.
And like pull that into other normal releases, kind of like sleuth in there,
like some of the patches over time.
Nobody really saw that, luckily, because it's been there for several years.
And then they all got upgraded.
eventually to being past that 51% point where the network is still going to be not at risk
anymore.
During that time, we also said, well, those coins are the fork of Bitcoin.
Let's check Bitcoin.
Okay, Bitcoin is good.
Thank God.
And then we checked all of the other very, the UTXO-based protocol, proof of work pretty much,
and found light coin was vulnerable and Zcash and 200 other, like, smaller ones.
So the whole value at stake with this type of issue was like literally in the multi-billions.
We're like, oh, my God, this is huge.
What do we do?
So it's a big risk.
So we had to keep everybody to get everybody together from the different decentralized networks.
I was hard enough just rallying them all together, showed it to them.
And a lot of them, they know who Haliborne is.
We have a really high reputation industry.
So we were able to get the main projects patched.
They looked at DogePoint.
They helped out to get the code in there until they all caught up to.
be secured, and then we released the disclosure after all of that. It was quite a ride.
That's fascinating. I mean, there has to be some of these teams where it's just hard to get in
touch with people. It must be a scramble to try to actually find who to talk to on chain number
154 or whatever. Yeah, for sure, Matt. We didn't see some projects like when they weren't there,
we couldn't get in touch with them. But this is like how security disclosures often work.
The smaller project will sometimes just be like almost like forced into it. It's like,
oh man, everybody's patched except for me. Now I have to go get it done. It's actually a risk
to wait for everybody to do it. Sometimes you have to be, hey, guys, this is the drop dead date,
and then we're disclosing it. So, you know, keep up or get hacked. And it's like Apple phones.
Apple doesn't wait until everybody updates their iPhone until they announce the release. They're like,
hey, guys, there's a vulnerability. Update your iPhone is critical. Go ahead. Yeah. So this is an
interesting one because it's a UTXO chain. What does this look like on like an EVM chain? I'm curious,
or a modular blockchain even. Do you think that the systemic issues get to the point where
eventually you're going to have exploits that impact thousands of different protocols or,
you know, maybe L2's L3s.
Yeah.
Well, I'm not going to say that it can't happen.
And we've seen it before on some big chains that we've protected big, those big chains,
which is why people come to us for the hard stuff.
You know, like Solana, for example, we work on their layer one and many other layer ones.
And all depends on the platform itself.
Like Bitcoin, Dogecoin, Solana, they're all running one.
layer, essentially. They have their consensus protocol and the UTXO is the distribution of funds
through the blocks. And Solana is a delegated proof of stake, but it's the consensus, like the
communication of the traffic and like the program executions are happening on the same exact
network. EVM is different because you have the smart contract layer that's executing all of the
apps. And then you have the consensus layer, the EVM code of keeping the nodes in sync and the distribution
of the ledger. Those are two different areas. So smart contract hacks will never really impact
the systemic consensus layer on EVM, but there can be some EVM-based consensus issues.
There's a lot of different run times, though, for EVM. Like, there's rust and parity and
lighthouse and go or geth. So there's various flavors of it. And I think if the network's robust
enough and diverse enough for the platforms of people doing the consensus, you're going to
to reduce the risk rather than everybody running the same exact version of the same exact binary
of the same exact language. That means if there's one risk there, they're all impacted the same
exact vulnerability. So you can see there's different types of mitigation factors depending on
which chain you're talking about. So I think EVM is safe because of that diversification aspect
of the code they're running there. That's interesting. Yeah, protection through decentralization
in that case, I guess. Yeah. Exactly. Yeah, there's, you want a security job, man? It's like you get it.
Yeah, I get it. I feel like I could go sell it. I definitely couldn't build it.
Yeah, that's one aspect. And then the other one is like security through obscurity.
Yeah, that makes a ton of sense. Well, this is great. Stephen, where can we send people,
whether they're at a tradfai institution or decentralized organization, where can we send them to learn more about what you guys are doing?
Yeah. So howborn.com is always one of the best sources. Our website has everything that we just spoke about with the rabies vulnerability, the metamass zero day that we found.
some language calls. We have blogs that are put up almost every day about different hacks and
going into them, technical perspective. All the services that we offer are there as well.
Then we have always interact with us on Twitter. We're pretty active there and on LinkedIn.
And we have a way that if you're interested in knowing, hey, do you guys do this or you're
an institution that needs a product or service solution? Our emails are on there. We have a contact
on there. We can respond to your solutions engineering and sales team are very well adapted
to be able to hear and see what the problems are.
And we can't do everything for sure.
And we have a lot of partners that can help you that we can recommend you to.
But we do do a lot.
And Haliborne takes pride in being a really white glove and particularly.
We actually enjoy making almost bespoke security programs and solutions for the clients here.
And I think that's a sweet spot.
And with our ability to know how to secure the Web 2 world and the Web 3 world,
the TradFi and the Defi, we're pretty well apt to,
hopefully get somebody secure that's interested.
Well, you guys are doing a great job.
There's definitely never a dull moment in what you guys are doing.
So I appreciate you coming on the podcast and spending a few minutes telling us about it.
No problem.
Yeah, I enjoyed it.
I can talk about this for days.
And yeah, never dull a moment.
I love every minute of it.
And I love the fact that what we do here is we're helping this whole new ecosystem and
this new technology to find its place in the world.
Awesome.
Thanks, thanks, Stephen.
Thanks for listening to another episode of On the Brink with Castle Island.
To find out more about Castle Island, visit Castle Island, visit Castle Island,
to listen to all of our podcast episodes please go to on the brink dashpodcast.com or just click on the tab
in our website. Thanks for listening.
