The Good Tech Companies - How Spherex is Tackling Smart Contract Vulnerabilities

Episode Date: May 16, 2024

This story was originally published on HackerNoon at: https://hackernoon.com/how-spherex-is-tackling-smart-contract-vulnerabilities. Eyal Meron discusses his transition ...from Israeli cyber expert and CISO to spearheading cybersecurity innovations at spherex. Check more stories related to web3 at: https://hackernoon.com/c/web3. You can also check exclusive content about #innovators-in-web3, #eyal-meron, #former-ciso-of-bank-leumi, #israeli-cyber-community, #cyber-security-challenges, #web3-infrastructure-layer, #smart-contract-vulnerabilities, #good-company, and more. This story was written by: @ishanpandey. Learn more about this writer by checking @ishanpandey's about page, and for more stories, please visit hackernoon.com. Explore the intersection of cybersecurity and Web3 with Eyal Meron in our "Innovators in Web3" series. Discover how his experiences as CISO and his current role at Spherex are shaping advanced security strategies in the blockchain sphere.

Transcript
Starting point is 00:00:00 This audio is presented by Hacker Noon, where anyone can learn anything about any technology. How Spherex is Tackling Smart Contract Vulnerabilities, by Ishan Pandey. Join us as we sit down with Eyal Meron for our Innovators in Web3 series, where Eyal shares his journey from a seasoned cybersecurity expert in the Israeli cyber community and former CISO of Bank Leumi to leading strategic visions at Spherex. Ishan Pandey. Hi Eyal, it's great to have you here for our Innovators in Web3 series. Can you share how your experience as someone who spent many years in key roles in the Israeli cyber community and as CISO of Bank Leumi shaped your journey and strategic vision at Spherex? Eyal Meron. Hi Ishan, happy to be here. My vision for Spherex stems from many
Starting point is 00:00:47 years of tackling cyber security challenges, together with maintaining the level of protection required in the financial sector. Web3 is still a relatively new digital space, which has the potential to disrupt the way the global economy works. It is actually a fundamental element in the digital transformation of humanity, but its cyber component must be solved in order to enable the realization of its potential. When we look at the cyber situation within Web3, it's clear that the infrastructure layer is well protected thanks to the principles of decentralization and cryptography. The users, on the wallet side, receive quality treatment both in maintaining the private key and in verifying that its use corresponds to the owner's intention. Whereas the application layer,
Starting point is 00:01:29 the smart contracts and the interactions that take place within them, is a weak link that is a source of various types of hacks and compliance gaps, in a way that must be upgraded. The current ratio between the scope of activity and the scope of hacks does not allow for a stable financial ecosystem. Attacking contracts is where the ROI for the attackers is the highest, and it is not for nothing that they are attracted to the space. The monetization is fast. They are one step from the money. The code is exposed to them, which makes it easy to find vulnerabilities, and finalized transactions are immutable, so that after a quick attack the advantage is completely on the side of the attacker. Therefore, the security standard must be upgraded in order for the space of Web3 to realize its potential, and we at Spherex made this upgrade the core of
Starting point is 00:02:15 our mission, as well as our challenge. Ishan Pandey. Spherex's mission is to address major security vulnerabilities in smart contracts. How do you translate this mission into a viable business model that also promotes widespread adoption of your services? Eyal Meron. First, it is important for me to emphasize that the underlying concept of Spherex is to not allocate more resources for security, but rather to allocate correctly. The principle of an audit, for example, is important. Code should be tested to minimize the chance that it has bugs before it is deployed in production, but is budgeting two or three audits the best way to allocate said resources? Is it worth paying for a threat detection service when a professional hacker can easily bypass it? And even when there is an alert, at best the
Starting point is 00:02:59 contract will be paused. We at Spherex have developed a proactive security solution, which is embedded within the Web3 project and gives it a security and compliance envelope as part of the ongoing operations of the project. Damage is avoided to begin with, and the business continuity of the project is guaranteed. And all this happens 24/7 without a man in the loop. Also, the Spherex security layer is completely modular, and the security envelope of a project can be adapted to its current needs in its lifecycle, so that the security evolves and adapts itself to its needs and budget, and does not freeze while on the other side there are hackers who invest enormous resources in order to win the learning competition. Ishan Pandey. With the rapid evolution of digital assets and blockchain
Starting point is 00:03:44 technology, how does Spherex stay ahead in identifying and countering new types of cyber threats? Eyal Meron. A big advantage for security solution providers in the blockchain ecosystem is the fact that the data is public, including all past attacks. Any capability that we develop is back-tested against all the infamous hacks and also retested and improved against any new hack that could prospectively occur. This information is how we verify the strength of security coverage and how we maintain the upper hand against hackers. Furthermore, our team includes forum members of senior security researchers who volunteered to analyze attacks while assisting those who were attacked to mitigate damage. Ishan Pandey. Spherex has introduced asymmetric countermeasures to combat smart contract
Starting point is 00:04:29 vulnerabilities. Could you explain the implementation process and how these countermeasures integrate with existing blockchain protocols? Eyal Meron. In a nutshell, we offer our own smart contract that serves as the security engine for functional smart contracts. When a project is built and uses smart contracts to implement its business logic, it can integrate the protection contract that we developed and get a set of capabilities that allow verification, during the execution process of each transaction, that it does not cause damage or behave in a way that deviates from what has been tested and approved. The most advanced capability we have developed, or our flagship product, is exploit prevention. This ability prevents edge cases and ensures that
Starting point is 00:05:10 whoever found a vulnerability, that is, a malicious way to use the code of the contract, will not be able to do so without first sending the attack for approval. And so the power actually returns to the owners and legitimate users of the project. They are protected because the definition of what is allowed and what is really required to be allowed relies on what they see fit to do in the protocol in order to realize its true purpose. Ishan Pandey. How does Spherex balance the need for robust security measures with the imperative of maintaining high performance and low overhead in blockchain transactions? Eyal Meron. On a practical level,
Starting point is 00:05:45 the capabilities we have developed rely on a lot of research aimed at making sure that the logic implemented on-chain is low in computational resources and adds minimal overheads, while being independent and not requiring closing the loop with analytics tools that run off-chain. The on-chain capability is backed by off-chain support and analysis tools, but they are not part of the process of ongoing on-chain security. This is how we reach a situation where the increase in gas consumption is very low. But the more important thing in my eyes is, as you said, the right balance. And a correct balance, when it comes to security and stability needs of financial services, is one that does not try to lower gas consumption at the cost of compromising security. A correct balance is one that prioritizes security and stability above all, and then deals with reducing resource consumption. Ishan Pandey. You've mentioned that human error
Starting point is 00:06:36 is a significant factor in smart contract vulnerabilities. What are some key strategies or practices that SphereX promotes to mitigate such risks? Eyal Meron. Our solution's strength, in essence, is that it does not require human analysis and/or project logic. And what makes it both scalable and immune to human error is the in-depth understanding of how a protocol is supposed to work, i.e., SphereX as a solution self-learns from the protocol's data automatically. In this way, it basically neutralizes the dependence on the human factor, a dependence that leads to both malfunctions and expensive and long processes. Ishan Pandey. Looking forward, how do you perceive the future of cybersecurity in decentralized environments?
Starting point is 00:07:20 What are the biggest challenges and opportunities you foresee? Eyal Meron. It is important to reiterate that Web3 is still an emerging and ever-evolving ecosystem. And therefore the ongoing battle, or the learning competition between the defenders and the attackers, is far from being decided or understood. I estimate that the adoption of technologies like ours is inevitable and will allow a fundamental change to the equation. Multi-layered protection, with an emphasis on a proactive layer that makes use of the unique characteristics of the space for the benefit of the defender and not against him, is not just nice to have but an imperative
Starting point is 00:07:53 addition that will open up a new space for moonshot ideas and opportunities for the community. Don't forget to like and share the story. Vested Interest Disclosure. This author is an independent contributor publishing via our business blogging program. Hacker Noon has reviewed the report for quality, but the claims herein belong to the author. #DYOR. Thank you for listening to this Hacker Noon story, read by Artificial Intelligence. Visit HackerNoon.com to read, write, learn and publish.
