On The Brink with Castle Island - Steven Walbroehl (Halborn) on Blockchain Cybersecurity (EP.423)

Episode Date: May 8, 2023

Steven Walbroehl, the co-founder and CTO of Halborn joins the show. In this episode we discuss: Steven's crypto origin story and how he began tinkering with public blockchains. How Halborn's work dif...fers across traditional financial services customers versus decentralized organization customers. Basic recommendations for companies entering the public blockchain ecosystem. Halborn's recent discovery of a zero-day exploit impacting 280 public blockchains. Views on market manipulation and game theory exploits. Halborn's Seraph digital notary product and how it is keeping DeFi protocols safe. To learn more about Halborn visit www.halborn.com  

Transcript
Discussion (0)
Starting point is 00:00:00 Today on the podcast, I sat down with Stephen Wahlberl, the co-founder and CTO of Halborn, the leading blockchain-focused cybersecurity firm. We're investors in Halborn, and I think Steven's one of the sharpest technical minds in the industry. So I want to have them on to talk about the threat vectors that the industry is facing from a cybersecurity perspective. I think you'll enjoy this one. So without further ado, here's my conversation with Stephen from Halborn. Matt Walsh and Nick Carter are partners at Castle Island Ventures. All of these expressed by them or the guests on this podcast are solely their opinions and do not reflect the opinions of Castle Island Ventures.
Starting point is 00:00:31 Guest and host may maintain positions in the assets discussed in this podcast. You should not treat any opinion expressed by anyone on this podcast as a specific inducement to make a particular investment or follow a particular strategy, but only as an expression of their personal opinion. This podcast is for informational purposes only. Brought down by bad mortgage investments, Lehman, which has 25,000 employees, will be liquidated. The federal government loans American International Group, AIG, $85 billion. This is a different kind of market, and the Fed is asleep.
Starting point is 00:00:57 The federal government is stepping it to stabilize Fannie Mae. and Freddie Mac, the two mortgage giants that have been threatened by the housing crisis. The Bank of England has pumped 75 billion pounds more to Britain's ailing economy with a new round of quantitative easing. You print a couple trillion dollars and all of a sudden people start to worry. So out of this worry, we have something called the Bitcoin. Bitcoin. Well, Stephen, thank you for joining us today on the podcast. Excited to have you on. Definitely a very relevant time to be talking cybersecurity. Oh, definitely. Yeah, I'm excited to be here. Thanks, man.
Starting point is 00:01:26 We're excited to be investors in Halborn. So I sort of know your origin story already, but maybe for those who are not familiar with you or Halborn, how'd you get into crypto? What was the path to starting this company? Oh, yeah. No, definitely. So we've been around for almost four years now. And I have a long history in cybersecurity. I've been doing the hacking world for almost 20 years now and worked a lot of big organizations in my history like IBM and some financial companies. And in the cybersecurity world, you have red team blue team. I was originally part of the blue team, but became pretty intrigued with what the red team, the offensive people were doing, the malicious hackers, because they
Starting point is 00:02:06 always seemed like one step ahead of finding exploits and then we have to defend against them. So I started taking some certifications and studied learning to be a hacker. And that's when I found Bitcoin because going on the dark nets to find hacker exploits and viruses and so on, ended up seeing what is this thing that they're trading with called Butcoin? I mean, oh, no, no, this is Bitcoin. Oh, what is this thing? So then I really dug into it. They say, like, you go down the rabbit hole and look at the technical aspect of it. And I became fascinated with how coded and the way it handles finance peer to peer, read the white paper, completely like, saw the future. I was like, oh, man, this is going to be big later on,
Starting point is 00:02:43 the tech itself. And then at IBM, ended up doing some sort contract odds because they started looking at things like World Pay for Stellar. And I was auditing there. Then, because I was going down the rabbit hole, met Rob inside of a marketing channel on Slack for his previous token agency company back in 2016. And I was interested in seeing all the projects coming out from that. And one day, Rob said, hey, does anybody know how to do these smart contract audits? One of my clients here is getting hacked and we don't know what to do. And I was like, I could try. I've done a couple of these things before. You know, it's like, all right, let's meet and save the day. And then it's happened again, happened again, had tons of
Starting point is 00:03:20 these projects that were just getting really like security issues that coming up all the time. and we decided to make a company called token hackers, which we decided was a terrible name very quickly, then we called it Halborn. And since then, start off, it's just us too, to a team of over 100 now. And we're still saving the world of cryptocurrency and blockchain today. Well, you guys have a ton of products and services that I want to get into, but maybe before we do. So you've been in crypto for just a long time. And it obviously has a similar story to a lot of stories, mine included, where you sort of start with Bitcoin. How do you just ideation? ideologically think about the space and how it's evolved. I mean, I remember a world where everyone
Starting point is 00:03:58 said, hey, everything's just going to be built on Bitcoin. And now I feel like the industry is so large. I can't even keep track of it. And it's my full-time job. How have you felt about the space over time? Yeah, you're right. Everything's built on Bitcoin is like, there's no way we can do NFTs on Bitcoin. And then Ordinals came out and like, oh, man, like, okay, that's awesome. Great guys. But it's always innovating. That's what you notice from the very beginning is, you don't expect something to happen. And then they make a use case for it. And the development community starts building it, which is what I love as a tech person, there's a lot of innovation and it moves extremely fast. And that can be good or bad for security the way you look at it.
Starting point is 00:04:32 For us, because it's like a lot of great business, of course, for it. But for the development community, they take security very seriously because it can have bad impacts. So in general, my philosophy on the whole space started off as Bitcoin, which is just very simple, kind of a one trick pony, right, of peer-to-peer systems, global urgency based on, you know, just a trustless network. And I look at this almost as like the core layer, like a network type layer. And then you have, you know, when Ethereum started coming in, that's where you open up a whole world of use cases with smart contracts, you know, the concept of these Turing complete applications. Once that, was there really anything as possible? Because if you could code it
Starting point is 00:05:13 with logic, you could build it. And now we see games that are coming out on Web3. We see financial transactions that like lending and borrowing, exchanges, insurance protocols. So this is why they call it Web3, just like in the early versions of Web 2, where you would have your simple websites that were run HTML or CSS, and then they evolved into these fully dynamic marketplaces like Amazon. And we're seeing that same evolution now in smart contracts and starting off as simple tokens now doing full-fledged metaverses that you can interact with. It's quite amazing. And, you know, a lot of people's perceptions of it. One thing I like to talk about is people think that cryptocurrency and blockchain is just only finances and currency. And it can do a lot more than this
Starting point is 00:06:04 with the use cases there. And I like me personally, I'll kind of end with this story is I like to see all the use cases that really do improve or solve challenges or inefficiencies in the current technology and can revolutionize a lot of the, either where it's productivity or value or transparency using this technology here, which underpins all of it. So that's like my take on it all. I think it doesn't solve everything, but there is a lot of things that can do a lot better than what we have today. One of the things I think a lot about as an investor when you look at the protocol side is just think about the bug bounty that's been on Bitcoin since it started. Think about how many people have been just trying to break this thing nonstop. I feel like whether you're technical or not,
Starting point is 00:06:46 first thing you do when you see Bitcoin is just try to find a way that it's not going to work. So if you're an economist, you're going to be just arguing about that. If you're technically you're going to be trying to break it. And so there's a l. effect there because it's not broken. But these newer kind of Alt-L-Wans and DeFi protocols, there's just frankly a lot fewer people spending time looking at them. So how do you think about the tradeoffs in terms of people that are building apps and choosing which chain to build on? Yeah. Referencing when you first talked about, like, you know, trying to break Bitcoin. There's a lot of people approach it the wrong way, and they think that, oh, quantum computing,
Starting point is 00:07:20 I've always heard this before. Like quantum computing will break, you know, Bitcoin one day. It's unsafe. But if it breaks Bitcoin, it breaks the normal internet as well. And we have bigger problems. It's just Bitcoin. Breaks all the bags, right? Yeah, exactly.
Starting point is 00:07:34 All the bags everywhere. Yeah. Like TLS technology, like SSO the little lock upon your browser, you know, that's pretty much the same tech Bitcoin uses for public, private key. Anyway, so it would break that too. And it would just upgrade it. fork it to another one because it's actually more secure. It's decentralized. So, you know, it'll break Bitcoin, but, you know, it's a resilient network. And this is the same true of these
Starting point is 00:07:55 layer ones. If it's a truly decentralized network, then what you're doing is you are providing resiliency from availability, outages, or disturbances on the network. Now, a single wallet may be like compromised for more reason. But when we talk about the newer layer one generation and like my take on the second part of this question you asked. We have things like Cosmos now, which are more like application-centric chains versus things like Ethereum, which are full, like a mainframe.
Starting point is 00:08:26 It's like a world compute system that everybody shares and even like layer two systems connect to it. So now we have these different types of chains that are, they're pulling some things from security to make a less secure, but also adding more security. So instead of a systemic event,
Starting point is 00:08:41 like on a mainframe where if there's an exploit, like if somebody breaks the Ethereum consensus, then all of Ethereum is going to suffer for that rather than an application-specific chain, which is, you know, a small, you could think of like a para-chain or relay chain that is impacted and may not touch or affect other networks. So you're now dispersing the risk with that. So there's different flavors for it. And there's always going to be a security risk. And it's all about what do you do to mitigate it.
Starting point is 00:09:09 And that's what we do at Halvorn is that we look at the whole ecosystem, everything. in this entirety to provide security. And so you guys are maybe shifting over to what you guys are actually doing at Hal Bourne. It's a really fascinating company because you work with some of the largest financial firms in the world, but you also work with decentralized organizations. So maybe talk a little bit about the products and services and how they differ based on who the customer is. Yeah, we kind of look at this convergence of services and the products that we deliver as
Starting point is 00:09:39 our solutions because they do work together. And then when we offer those solutions, we have the convergence of the tradfi or the centralized finance and the defy, the decentralized finance. So there's a convergence between that too, Web 2 and Web 3. We actually ran statistics on risks and exploits. And we found it's almost 50-50 of the root cause being between a Web 3 security issue and a Web 2 security issue. And that just really highlights our thesis and approach of providing. providing security solutions for both sides of it because it could be an issue purely Web 2 that has to do with blockchain, like a custody platform that you failed to secure your login with the Active Directory or you left your keys there. You didn't harden the server well enough and somebody got onto it. That's all nothing different from normal security that I've done for 20 years. And those issues can lead to Web 3 issues. But then on the flip side, you can have Web 3 pure. issues where you don't know how to code solidity for your smart contract. And now you're taking
Starting point is 00:10:46 your bank and you're taking client payments or your transactions for swapping your loans and your code is not secured. That's like a Web 3 on-chain code flaw. So we have to look at everything holistically and the big picture. Because if you scope out into like a very small area, you're missing a lot of the maybe the layers of the threat vectors that can really occur on the platform. So that's what we look at. It's not one big architecture that we just prioritize based on risk and likelihood of something happening bad to your business. Maybe going a little bit more into the TradFi first. I mean, you guys do a lot in the pen testing space. What are some of the, and I guess that's just an incredibly important space when you have digital bearer assets,
Starting point is 00:11:30 right? I mean, this is unlike anything a lot of these organizations have ever dealt with in the context that the money can just evaporate and it's not being held at the DTCC in the form of a security. What are some of the best practices that you're seeing from some of these, you know, maybe not crypto-native firms that are starting to do crypto things? Yeah, best practices is be proactive. There's the concept of DevOps where it's like the shift left security where don't do it at the end. Like, okay, we built our product.
Starting point is 00:11:57 We're ready to go live. Let's do a quick security check on it because one, that can lead to issues that just impact your delivery. You may find a fundamental flaw that you would have picked up earlier. And now you have to go back and waste burn capital and waste time and manpower to either redeploy it or just scrap it because it's too much of a risk now. So start earlier in your security. Do what I like to call preventative security instead of just reactive. And preventative is the pen testing.
Starting point is 00:12:28 This is where you are looking for the issues before they happen and you're preventing them from happening later. So on the trad-fi world, this would be like a firewall in front of your network. You're preventing malicious attackers from getting in rather than a monitoring system, like intrusion detection system where it's like, oh, the attackers are in here. They took the money. Sound the alerts. It's like damage is done. So always look at having a full defense in depth, preventative and reactive.
Starting point is 00:12:57 And then sort of like a recovery plan, you know, disaster recovery. So this is all, you know, the layers of different types of security have to be considered from the full stack of prevention, detection. and then recovery and focusing on the risk because you're never going to be 100% secure for anything. But first, classify and identify what are your mission critical processes or your assets. Where's the crown jewels that attackers would go after and start there and work with a company like Haliborne or if you have a security team to do threat assessment, find out, okay, well, these are the mission critical assets and processes.
Starting point is 00:13:35 What can we do or how can we get to them or what would be? be a likely scenario that they would be compromised and then build tools or implement tools or processes or get a team to mitigate those areas. And that's always how you structure. And you just do that until you feel like you've gotten to a level of risk that you're okay. Everybody has different risk appetites. Banks and financial institutions usually have a very low risk appetite. So they'll put lots of different layers of controls around that. And then that's just technical risk. Then there's the whole world of like compliance and regulatory risk as well where hey, we do all this really great and we've hardened everything and no hacker can ever get in. And then a log is passed saying
Starting point is 00:14:17 you can't do it anyways. Right. Right. Yeah, that's the we don't really do too much of that. Like we can advise towards it, but we don't do the auditing for the government entities or anything for them. But that's more like privacy compliance. Yeah. And I guess it's, you know, it's probably going well, not only for you, but maybe others in the industry, because you feel like you see fewer of these kind of crypto-native startups where it's, hey, we actually just lost our entire balance sheet because there was some exploit where our CEO's email got taken over. And like, you remember, those would happen in 2015 and 16. Yeah. Now's my algorithmic stable coin had some issues and like, oh, everything is zero now. Right. Exactly. Well, I guess that's a good dovetail over to the defy side.
Starting point is 00:14:57 I mean, I'm continually just shocked at how much capital is put into. some of these platforms that are we later find out are just really not built appropriately. Maybe speak a little bit about that and just what that's like right now in the DFI space. Yeah, in the DFI space, you know, you touched upon something interesting, Matt, with the way you can have a whole balance sheet, like evaporate because of a key being lost. Because in the normal security world, the normal finance world, those type of issues happen. You have backstops and you have, you could reverse things or you can go after the criminal. and even the criminals, when they try to break things or steal funds from that,
Starting point is 00:15:36 they have to go through different types of steps. They have to fish people and then steal credit cards out there. You're not going to go into the server at Bank of America, Wells Fargo, and take the money out of the server or anything because it's a digital representation of, I guess, cash that doesn't work on a smart contract. It's not like a consensus token or some type of like blockchain native asset. So you have a whole different approach on what is at risk with this. You know, you can steal something on chain and transfer it and it's anonymous.
Starting point is 00:16:10 There's the whole forensic part of it is different. So on the defy world, that's where the risk is different and what can happen because you have the actual asset of value is sitting there inside of your wallet or vault. and then you'll have these bridges and derivatives assets around it. So there's the assets at risk from code flaws that can be, if you find an exploit or you find some type of logical component that doesn't work, then anybody can exploit that if they know the code well enough because it's all permissionless, transparent network.
Starting point is 00:16:45 And that's why it's always being attacked and looked at and happens extremely fast. You know, you get that level of transparency from like the security flaw side on traditional finance either. Unless a bank's like a code is on GitHub open source for people. You can see that type of stuff. So there's like these logical issues in the code. And then there's the financial aspect of it all where you're now able to do a lot of attacks like flash loans. And the algorithmic stable point I mentioned earlier is it's using arbitrage between like two tokens in order to have balance based on supply and the price differences.
Starting point is 00:17:22 but if there's not enough liquidity there, you know, it's not like a U.S. treasury where there's like almost unlimited liquidity, there's not enough there to support it, then that can be leveraged as an attack. You know, you can do a, you know, for example, a flash loan, you can borrow enough tokens without collateral to manipulate the price. So I don't think anybody could really do that except a handful of people. And there's laws against that in traditional equities, right? Buy a bunch of Tesla to like short Tesla.
Starting point is 00:17:51 I don't know. So that's different, too. So there's different types of methods that are exposed in this ecosystem. It's quite fascinating to see that. Yeah, as you point out, it's way more than just pure cybersecurity, right? I'm thinking about the mango markets hack where I guess you wouldn't even call it a hack. It's really a market manipulation. And, you know, I guess that guy is in jail at this point, and there is a CFTC process. It'll be interesting to see what the legal side of that looks like. It's all the rules, right? Yeah, he's like, see it. He saw the code says, I could do this, right? And that would certainly be his argument, but I wonder if we need to get to a point where there's some sort of an automatic alert to just shut down a pool or something like that. How do you think
Starting point is 00:18:30 we can build systems to be more resilient here? For sure. This is a great topic to talk about like stuff that Haliborne is doing. We see a lot of these threats as well. And it's difficult to walk the line between, okay, this is decentralized. We don't want to like centralize it by putting restrictions like Haliborne says no or some security person says no, like censor that or stop that. Because then it's like go back to just traditional finances we have already. But there's also the risk factor and we have to protect these funds if we want to see it succeed. So how do you walk that line? And right now a lot of the only tools that we've encountered there are like multi-signature wallets where two signers have to authorize something.
Starting point is 00:19:14 But then how do I know these two signers aren't just the same person or they're working together? to do. So we've developed a tool called Serif. We have five patents on it, and it's a notary solution that lives on an EVM chain. So it's a pretty much a smart contract or set of smart contracts that enable only specific functions, like critical functions, like a withdrawal liquidity. They take all the funds out or upgrade the owner to somebody else, like an escalator of privilege. These are functions in these codes of the smart contract that are extremely sensitive and critical and the ones that would normally be hacked. So we could protect only those and kind of predetermine what is the expected use for this. If this function gets called, why is it getting called? There's a set of
Starting point is 00:20:04 rules. It's kind of like a firewall. Like, you know, you have firewall rules. And if any of those rules are not being met, you know, let's say we never want to withdraw the funds out of this treasury in the excess of $1 million unless, you know, there's a Dow vote that occur there. And if we see any issues on the rule, then what Sarah will do is it's a wrapper around that function to drop the transaction. And it does this all on chain. So it's kind of like a transparent. It's cut, it's non-custodial.
Starting point is 00:20:34 It's using the sense of a notary to either notarize, like sign off like this transaction is what we're expecting it to do or reject it. And if it gets rejected, then it's an on-chain rejection. and we're not co-signing. There's no keys with it. And anybody can be a notary. It's not just Halborn. So what's great about that,
Starting point is 00:20:51 imagine you, Matt, as an investor, and you've invested in a protocol of a smart contract. You just gave them out of $100 million and it's inside the putty pool to help them distribute the rewards. You're like, I kind of want to make sure that's okay, right? I don't want those funds to get hacked. You could be the notary for any treasury withdrawal.
Starting point is 00:21:08 And with that notary, you can have you or your team with that key and say, hey, We need to, you know, take this money out here to deploy it for some new contract developers we want to hire. And you say, okay, yeah, that's a good use of funds. And then you can, like, not notarize that transaction to happen. So you're not blocking it. It's not centralized. You're not saying yes, no to everything they're doing. You're just protecting, you know, unagreed upon use of that function of the withdrawal treasury. And if they do get hacker to lose
Starting point is 00:21:36 the keys, you'll be like, wait, hey, guys, are you trying to like take out everything right now? It's like, no. It's like, oh, reject. Let's go see what's going on and figure out. So it's really awesome protection, I think, that is still in the spirit of decentralization. I think it's a super vital service. It seems like that's the type of thing that every public protocol really ought to have there, you know, as the space moves forward, not having it. I mean, we've seen what happens. I guess lately it's been interesting. Some of these hacks you've actually seen the return of funds, which it's hard to tell. I'm curious your perspective. Is that because they get doxed some way and they're sending back the funds typically?
Starting point is 00:22:10 Why would attackers be sending back money at this point? So it depends on the attacker. I've seen the normal hacker mindset, which I'm very, very empathetic to is a lot of them want to like just show the world that they can do it. You know, they're like, look how elite I am. I can hack your protocol. Look at me. Okay, here's your money back.
Starting point is 00:22:30 I just wanted to get attention, I guess. But in the other ways, if somebody's truly trying to like just get financial gain from it, which I'm sure the majority of them are, you know, it's like off ramps, tornado cash for Ethereum is the biggest one. It's like, okay, where do I get this out now? You know, black market or sell it. And then they just realize that it's not quite as easy as they can, especially when you have things like USDC or USDT or these stable coins. They have in their code like freeze and burn and they can like stop those funds. And then Tornado Cash is really one of the things. Even OFAC, you know, is involved with that too. And the wallets that touch that. So there's a lot of on-chain functional
Starting point is 00:23:07 controls there. And then, of course, the doxing part of it all. This goes back to that web two. to Web3 mix that we were discussing before, you can have complete anonymity with your keys and your wallet, but if you've registered at an exchange, then they're going to know who owns that wallet, K-Y-C'd, or maybe you didn't even do that, but your wallet is tied to another address that that address, you know, you've posted it on Twitter or something there. Now you have an identity tied to that address. So there's always like a real-world pin that you could possibly accidentally expose. And Once you have one, that's all you need. Then you can just start investigating and find them.
Starting point is 00:23:44 It's an immutable ledger of all the crimes you've done, which is why it's fascinating to see the BitFinex hackers and one of the Mount Gox hackers. You know, you catch these people and they have billions of dollars on hardware wallets, but they can't actually spend it. It's a really perverse type of thing. It must be very difficult as a hacker to live in that world. Yeah, exactly. Everybody's watching your wallet too.
Starting point is 00:24:04 And the whole world can watch it if they want to. You can even talk to them on Ethereum. We could like send transactions with like messages like the polymers. like the Poly Network Hacker guy did. He was saying like, all right, Coin Desk, let's do this interview, like live on chain. It's fascinating. I love it. It's like makes my job fun. But yeah, you're right. When a lot of like regulators and law enforcement, they were familiar with it several years ago, how it actually worked. And now that they see like, oh, actually, this is way easier to find the money than just like cash in like a suitcase that goes over the border. Yeah, there's an argument
Starting point is 00:24:34 there that, you know, a lot of politicians would like to have you believe that crypto is just all nefarious people. But it's actually pretty difficult. and maybe you wouldn't be the smartest criminal in the world if you're doing your crimes on chain is my argument. Yeah. And the ones that do it right, they're usually really technical. Like they know how to do coin join and swaps and, you know, if they're doing Ethereum, you know, how to use all these DFI protocols to add liquidity pulls, take it out, go to tornado
Starting point is 00:24:59 cash, do a cross-chain bridge from one to another on like something like Raven coin or something and then back. So it's kind of like walking funds with technical. contracts. I guess that sort of dovetails into the nation state level here. So obviously North Korea has been pretty active on the scene. Has that always been the case where you've had nation state actors in this industry? Yeah. The terminology in the security world is called APT, advanced persistent threat. And that's always the case. There's usually three type of security threats. And one of them is like hacktivists, which are people they don't really care
Starting point is 00:25:36 too much about like financial gain, they just want to send their message or like their political ideals or whatever their hacktivism. Then you just have the normal adversaries that, you know, the ones that stealing funds or causing disruption. And then you have the nation state. And that's usually very targeted, almost like spearfishing in a way. They have a target in mind. They have a specific thing that they're working towards that is in the, for their nation, you know, cyberterrorism, essentially. And we've seen that in the traditional world of things like Stuxnet, if you're familiar with that. So Stuxnet is one of the most famous ones of having a custom virus, like five-layer virus, tailored and coded specifically for like one use case on nuclear
Starting point is 00:26:23 centrifuges inside of Iran on their non-windows motherboards to exploit that and cause disruptions. It's like, that's nation state. It's card research and developers and a team to figure out and they're funded to make custom exploits or tax for a purpose. And that's what we see traditionally. And we can even see that here, I think, behind the scenes on high level defy. But the government hasn't gotten to the point of like full adoption. I could foresee a future where if we're using defy in normal commercial financial services
Starting point is 00:26:58 or government services like CBCs, where now you have nation. state actors researching and developing code to like exploit whatever the Fed coin, their contract is disrupt their financial. So I think from a security standpoint here, it's going to get even more serious in the future. Like security is going to be top of mind in the future, even more than it is now for this whole defy and blockchain and smart contract world. Yeah, you bring up an interesting point on stable coins and CBDCs. I mean, obviously a stable coin kind of has to live on a public chain. and the interoperability with defa is a big part of the value proposition. The good part there, though, is that the collateral is technically offline, right?
Starting point is 00:27:37 So if you're dealing with a USDC, they have the QSIPs, the underlying collaterals at Bank of New York Mellon. So, you know, there's some degree of protection, I guess, just in the way it's built. With a CBDC, I just wonder if you even need a blockchain. I don't know if you have a view on that. Right, yeah, you're tokenizing an asset. Like, there's the whole, like, triad, I think Vitalik from Ethereum talked about, like, you're balancing scalability, security, and decentralization. That's like the triangle of it.
Starting point is 00:28:02 And so what they're using for that is taking away decentralization more to add scalability. And I wouldn't say it's any more transparent than what we would see like on Ethereum, but now they are being able to see their digital assets that are tokenized with collateral offline or in the Federal Reserve Bank's like ledger or something of matching that token. And so you're not doing it there because it's a scarce asset like Bitcoin. that you have to mine, you're doing it so that you can track, monitor transactions, make it faster, scale it. And I guess you, you know, depending on how it's coded, provide more security
Starting point is 00:28:36 for the stability of the assets that are being used. So that's again, it's like, there's another purpose for blockchain. You're getting the values from Swift system is very slow. And if I want to wire or transfer to you on like Friday afternoons, like, all right, let me know if you get it like Monday afternoon. So it'd be pretty cool to have that happen. really quickly for everybody and do that securely. So there's a use case right there, you know, a transparent way. You can verify it with your friend for that and use the code to know that he has the funds in his wallet.
Starting point is 00:29:08 I mean, there's a lot, again, back to the benefits of the technology. You know, not everything needs to be a volatile asset that's like not backed by real collateral, you know, just let's just use the tech. It's better. Totally. I mean, one of the things I'm very bullish on on the longer term, there's obviously some regulatory issues with what I'm about to say. But you can imagine a word.
Starting point is 00:29:26 where a bunch of real world assets get tokenized on blockchains. And you have maybe you own shares in a REIT that trades on a public blockchain. And let's say you want a loan. Let's say that you need to buy a car. You could go through the TradFi kind of non-block chain way of getting a margin loan from your broker or going to get a HELOC. But that's going to take weeks. Why wouldn't you just want to plug it into defy and park your collateral, you know, your REIT shares and get stable coins back in 60 seconds? I mean, yeah, you speed of buying a house too. You can have money in escrow here. You can have a lender broker here.
Starting point is 00:30:00 And like the whole underwriter process and, you know, the lender can have their own rules that are executed against like the user's credit score contract or something. You know, it's like habit spontaneously at the speed of blockchain. And I guess, you know, in that world, you just need to be sure that the pool is safe, right? So to your earlier point, you probably need to have some sort of a notarization mechanism or some sort of a public review on this for any. of these financial firms to get comfortable extending credit in that environment? 100%. Yeah, this product that like Sarah and the patents for it, I personally think we're early
Starting point is 00:30:34 to the market with it because it solves a lot. And for enterprise adoption, let's just say you are a length of giving lending and borrowing. You can use this as an enterprise solution within your company and have one notary be the underwriter to approve it. And you can have the borrower or like maybe in the mortgage team, they're sending in like loan requests to them on chain, their permission to chain or, you know, whatever they want to do it. And the notary will see all the contract transactions come in. It will be populated on their app. And then they say, yeah, this one's, you know, approved because we see the collateral here.
Starting point is 00:31:10 We see the history of transactions. We know that they're high credit. It's not like a new wallet. We've never seen their transactions before. They have enough there. Time lock there for a certain loan. It's like, all right, approve. And then it confirms transaction.
Starting point is 00:31:21 and then the funds get automatically released. So Sarah can be a not just a security prevention, it could be a platform for ticketing system, approval system in a way between two different entities. I mean, that's another use case for it that we can see. It just has to be adopted first. It has to get to that point of doing business on that platform. Yeah, I definitely think that's the way it's going.
Starting point is 00:31:43 One of the things that's been fascinating over the past few months here is that you guys identified a zero-day vulnerability that impacted 280 different networks, including Dogecoin. So it was good timing with Elon putting the Dogecoin logo on Twitter. Talk a little bit. This was called rabies. This was the code name for this vulnerability. So maybe talk a little bit about what happened here.
Starting point is 00:32:04 Yeah, for sure. So timely release for it, but this is actually something that we found quite some time ago. So we were doing an audit of DogePoint. And I know that sounds kind of strange because it's like a public code on GitHub that everybody can see. and it is kind of decentralized. It's like you're just run by the maintainers of Dogecoin and some key devs. But we were auditing it on behalf of a client because they were going to set up some Dogecoin miners on there. And when we were going through it, one of our top engineers, Hassam here at Halborn,
Starting point is 00:32:35 he had found several different critical issues on the main net Dogecoin. And they were, three of them affected the peer-to-peer consensus. So there was like an out-of-memory vulnerability where, you know, if you knew where a, a Dogecoin miner was you could send them consensus command, and they would just run out of memory and shut down. So you could attack the entire main net of Dogecoin at once. And then there was another vulnerability we saw of remote code execution to just really get control of the system externally from it and then get on their wallet. These are extremely critical because in the wrong hands, it could bring down Dogecoin. And nobody wants that, you know, especially Elon. It's like,
Starting point is 00:33:13 I thought Dogecoin was going to the moon, into the grave. So that's the type of thing. We see that. and it's very tricky in order to protect that or fix that because there's this concept that, you know, adversaries use where they will look at updates or patches to the code, you know, especially when it's open source, and when they say, hmm, why did they patch that? What's going? And then they compare the previous that and then it kind of like shows them like, oh, they fix this. And then there's time like because it's decentralized all the people that are running Dogecoin nodes or miners, they need to update to that. the latest patch, just like Windows and Mac that we see.
Starting point is 00:33:50 So there's a window of time where the network is vulnerable. And now we've just kind of like shown what's going on, like, you know, Whitcott Patch. So we were working with Patrick, one of the key developers. He confirmed the issues. He was like, oh, man, thanks for finding this. And like pull that into other normal releases, kind of like sleuth in there, like some of the patches over time.
Starting point is 00:34:12 Nobody really saw that, luckily, because it's been there for several years. And then they all got upgraded. eventually to being past that 51% point where the network is still going to be not at risk anymore. During that time, we also said, well, those coins are the fork of Bitcoin. Let's check Bitcoin. Okay, Bitcoin is good. Thank God.
Starting point is 00:34:32 And then we checked all of the other very, the UTXO-based protocol, proof of work pretty much, and found light coin was vulnerable and Zcash and 200 other, like, smaller ones. So the whole value at stake with this type of issue was like literally in the multi-billions. We're like, oh, my God, this is huge. What do we do? So it's a big risk. So we had to keep everybody to get everybody together from the different decentralized networks. I was hard enough just rallying them all together, showed it to them.
Starting point is 00:35:03 And a lot of them, they know who Haliborne is. We have a really high reputation industry. So we were able to get the main projects patched. They looked at DogePoint. They helped out to get the code in there until they all caught up to. be secured, and then we released the disclosure after all of that. It was quite a ride. That's fascinating. I mean, there has to be some of these teams where it's just hard to get in touch with people. It must be a scramble to try to actually find who to talk to on chain number
Starting point is 00:35:29 154 or whatever. Yeah, for sure, Matt. We didn't see some projects like when they weren't there, we couldn't get in touch with them. But this is like how security disclosures often work. The smaller project will sometimes just be like almost like forced into it. It's like, oh man, everybody's patched except for me. Now I have to go get it done. It's actually a risk to wait for everybody to do it. Sometimes you have to be, hey, guys, this is the drop dead date, and then we're disclosing it. So, you know, keep up or get hacked. And it's like Apple phones. Apple doesn't wait until everybody updates their iPhone until they announce the release. They're like, hey, guys, there's a vulnerability. Update your iPhone is critical. Go ahead. Yeah. So this is an
Starting point is 00:36:06 interesting one because it's a UTXO chain. What does this look like on like an EVM chain? I'm curious, or a modular blockchain even. Do you think that the systemic issues get to the point where eventually you're going to have exploits that impact thousands of different protocols or, you know, maybe L2's L3s. Yeah. Well, I'm not going to say that it can't happen. And we've seen it before on some big chains that we've protected big, those big chains, which is why people come to us for the hard stuff.
Starting point is 00:36:34 You know, like Solana, for example, we work on their layer one and many other layer ones. And all depends on the platform itself. Like Bitcoin, Dogecoin, Solana, they're all running one. layer, essentially. They have their consensus protocol and the UTXO is the distribution of funds through the blocks. And Solana is a delegated proof of stake, but it's the consensus, like the communication of the traffic and like the program executions are happening on the same exact network. EVM is different because you have the smart contract layer that's executing all of the apps. And then you have the consensus layer, the EVM code of keeping the nodes in sync and the distribution
Starting point is 00:37:16 of the ledger. Those are two different areas. So smart contract hacks will never really impact the systemic consensus layer on EVM, but there can be some EVM-based consensus issues. There's a lot of different run times, though, for EVM. Like, there's rust and parity and lighthouse and go or geth. So there's various flavors of it. And I think if the network's robust enough and diverse enough for the platforms of people doing the consensus, you're going to to reduce the risk rather than everybody running the same exact version of the same exact binary of the same exact language. That means if there's one risk there, they're all impacted the same exact vulnerability. So you can see there's different types of mitigation factors depending on
Starting point is 00:38:01 which chain you're talking about. So I think EVM is safe because of that diversification aspect of the code they're running there. That's interesting. Yeah, protection through decentralization in that case, I guess. Yeah. Exactly. Yeah, there's, you want a security job, man? It's like you get it. Yeah, I get it. I feel like I could go sell it. I definitely couldn't build it. Yeah, that's one aspect. And then the other one is like security through obscurity. Yeah, that makes a ton of sense. Well, this is great. Stephen, where can we send people, whether they're at a tradfai institution or decentralized organization, where can we send them to learn more about what you guys are doing? Yeah. So howborn.com is always one of the best sources. Our website has everything that we just spoke about with the rabies vulnerability, the metamass zero day that we found.
Starting point is 00:38:44 some language calls. We have blogs that are put up almost every day about different hacks and going into them, technical perspective. All the services that we offer are there as well. Then we have always interact with us on Twitter. We're pretty active there and on LinkedIn. And we have a way that if you're interested in knowing, hey, do you guys do this or you're an institution that needs a product or service solution? Our emails are on there. We have a contact on there. We can respond to your solutions engineering and sales team are very well adapted to be able to hear and see what the problems are. And we can't do everything for sure.
Starting point is 00:39:19 And we have a lot of partners that can help you that we can recommend you to. But we do do a lot. And Haliborne takes pride in being a really white glove and particularly. We actually enjoy making almost bespoke security programs and solutions for the clients here. And I think that's a sweet spot. And with our ability to know how to secure the Web 2 world and the Web 3 world, the TradFi and the Defi, we're pretty well apt to, hopefully get somebody secure that's interested.
Starting point is 00:39:46 Well, you guys are doing a great job. There's definitely never a dull moment in what you guys are doing. So I appreciate you coming on the podcast and spending a few minutes telling us about it. No problem. Yeah, I enjoyed it. I can talk about this for days. And yeah, never dull a moment. I love every minute of it.
Starting point is 00:39:58 And I love the fact that what we do here is we're helping this whole new ecosystem and this new technology to find its place in the world. Awesome. Thanks, thanks, Stephen. Thanks for listening to another episode of On the Brink with Castle Island. To find out more about Castle Island, visit Castle Island, visit Castle Island, to listen to all of our podcast episodes please go to on the brink dashpodcast.com or just click on the tab in our website. Thanks for listening.

There aren't comments yet for this episode. Click on any sentence in the transcript to leave a comment.