Don't Get REKT - Security Edition 2026

Recorded: Feb. 26, 2026 Duration: 1:18:15
Space Recording

Full Transcription

Hey guys, welcome, Beefy.
I don't know if you see it.
Let me know.
You can, I'll put you up here as a speaker.
Just, I think we're just waiting for one more speaker, actually.
So hang tight, everyone.
We'll be starting pretty soon. All right, guys, hang tight.
We're just getting our speakers together, pulling a few of them up.
Give me one second.
We'll be starting very, very soon.
Okay, great, we got Jack up here. Wonderful.
Let's see. Okay.
All right.
We're just waiting for one more speaker to join here. I know sometimes Spaces can be a little buggy, so, you know, it always takes a little patience getting everybody together and on board. So give me one second.
Let's see. All right. Heather on board, so give me one second. Yeah, so okay.
All right, so I think we can get started.
Okay, great.
We got everyone.
Okay, sorry, guys.
Sorry for the pause there.
We're just trying to get, waiting for all the speakers to join.
All right, so now we got everyone.
This is good.
Good vibes.
Okay, so let's get started with no further ado.
Hey, everyone. Welcome to today's X Spaces.
Today's X Spaces, our topic is Don't Get Wrecked.
This is the Crypto Security Edition.
I'm your host, Sonali Giovino.
And so in the last few years, crypto security has moved from niche to absolutely
essential. Hack events like Terra Luna, dozens of bridge exploits, and massive DeFi protocol
hacks have shown that education and vigilance are the best defense. So today we are joined
by security and DeFi builders from Hacken, Routescan, Beefy, and
of course our team from De.Fi, folks who live and breathe smart contract safety, audit risk
management, and user protection.
I'm going to have each of our guests introduce themselves, who you are, your role, and what
your project is focused on. Maybe right now, let's start with
Hacken. Hacken, if you can introduce yourself.
Good evening, everybody. My name is Igor. Thanks for having me here. It's a pleasure. I think we've known each other for many, many moons.
So I'm Igor, and I'm Chief of Growth at Hacken. Hacken is a full-spectrum cybersecurity company that specializes in all things security that pertain to blockchain. And that's what we do in a nutshell. But that actually entails a lot of different elements inside, but we'll talk about all that during today's conversation.
Thank you so much, Igor.
And yes, we have known each other
for many, many moons.
It's always good to reconnect
with our little,
our family of Web3 priests.
Okay, great.
And so let's also hear from Beefy next,
if you can introduce yourself.
Hi, I'm Weso.
I lead all things technology at Beefy and at CAF.
I've been in this space for about six years and super focused on security.
Yeah, one of the things I honestly love, you know, I love that you're working with, you're with Beefy, and that's an OG protocol that's been around for a while, and it's like, so, so much respect to that project, and that you're also involved, deeply involved in security. So I think that's really beautiful.
All right.
And also, next, I'd love to introduce
one of our key team members from De.Fi.
Artem, if you could please introduce yourself
and maybe also share a bit about De.Fi.
Hey, guys.
Do you hear me? Loud and clear?
Yeah, yeah. So, hey, my name is Artem. I'm a technical guy at De.Fi.
So we are working on really great stuff in the scope of security,
the REKT database, and portfolio tracking in DeFi.
So yeah, really happy to be here with you guys to discuss what happens in the market in the area these times.
Awesome. Thanks so much, Artem. About De.Fi: De.Fi is a portfolio dashboard and also has a lot of security tools
as well to help users identify any sort of, like, risky tokens and contracts and be able
to navigate the space much safer. So yeah, thank you. Thank you to all the speakers for joining us.
Now, let's dive into some of these questions. So security isn't just theory. It's been tested in the real world. exploits in 2023 alone and hundreds of millions more in 2024.
What does this tell us about how far security still needs to go in Web3?
Now, by the way, I just want to mention, so we'll probably like ask these questions to
like maybe like per question, like maybe one or two speakers.
Feel free to, if a question sounds really juicy for you,
just like throw up your hand so I don't like,
you know, miss you.
But if you don't get to respond to a certain question,
don't worry, I will make sure I call on you for the next one.
So does anyone, feel free to put up your hand for this one,
otherwise I will just call on you.
Let me know if you want me to read the question again.
I'll take this one.
Okay, okay.
So with that comment that we've gotten more exposure in terms of dollar amounts and dollars lost, that is correct.
Or USDT, whatever would be the appropriate currency.
But the number of attacks has gone down.
And in 2025, the number of attacks has gone down,
but the amount per incident has risen.
And the reason for that is because the TVLs, the maturity of the projects,
were growing. And so the projects
are becoming more filled with user base, and more people are trusting them. So if we're trusting
them and we're giving them our money, the projects need to reciprocate and also implement security
at the full spectrum of things. You can't implement security as a bolt-on approach.
Security needs to be as a continuous monitoring, continuous reviews, and an ongoing event.
It's for the life cycle of the event.
The sooner the industry understands that, the better we're going to be.
But for the time being, I think the dollar amounts are going to continue to rise, but
the number of attacks are going to continue to go down.
Can I comment?
Yeah, go for it, Weso.
So one of the major issues of the space is that there's a lot of new developers or people
that are new to the industry, maybe coming from, let's say, Web2 or something.
And people don't really take, or don't really know how to secure their protocols,
or they do things and cut corners. We see a lot of, like, admin leaks, right? So people
who have EOAs that have access to upgrades, that get leaked; people then go ahead and,
you know, can upgrade the protocol maliciously and take funds. We've also seen a lot of Oracle manipulations,
just like really easy.
I think there was actually one today.
It just seems like there's not like multi people
on the team that are like actually verifying
whether or not the Oracle is correct.
I think today there was a hack where somebody submitted
a Bitcoin Oracle price instead of the US dollar price,
which led to obviously incorrect values
and people
were able to hack a lending protocol.
There's also places in the contract where maybe like let's say you only want certain
people to interact with those certain functions.
And so like the access control stuff is actually hooked up wrong or it doesn't have access
controls where it should.
So it's like really these easy-to-fix, easy-to-see mistakes
where, if you just had a little bit more verification on the team side, if you had a little bit more
knowledge on, you know, whoever's building it, and also learned from past hacks and behaviors, we can
clean up the space. It's not necessarily, like, these big... every once in a while we see one where it's
like an actual mathematical error that could have been caught by the code and,
you know, but I'd say the majority of times nowadays it's really just simple mistakes that we keep
re-seeing over and over again that could have been fixed either by better control testing, just
better overall processes internally, is what I usually see.
Yeah, I would also like to add a few words regarding what the
previous speaker mentioned. So it's really regarding the minor issues in the smart contracts.
So I think it's because of vibe coding also.
Because now, vibe coding becomes more and more popular.
But one of the drawbacks of this initiative, of this solution, is that a lot of people start coding something without fully understanding what's going on.
I think we lost you, Artem, in terms of your audio. All right.
I think we'll go to...
Sorry, I'm not hearing anything.
If anyone else is hearing something, let me know.
And if not, I'll go to the next question.
No, I think he's gone away.
Oh, okay, okay, gotcha, awesome.
Thanks for the confirmation.
Okay, all right, so going on to the next question now.
So big losses, and, like, there's been a lot of big lessons.
So protocols like, for example,
like Terra Luna, Axie Ronin,
Poly Network got wrecked.
What are some of the biggest takeaways
for DeFi builders and users
from these historical events
from your experience?
What are some of the biggest takeaways
that people can walk away from in terms of learning lessons.
I'll give this to Igor.
Oh, wait, I think Igor is coming back in as a speaker there.
I know, sorry, guys.
Sometimes these Spaces can be a little buggy.
Actually, sorry, let me give this one to Jack.
Jack, let us know if you're there.
I think you have the mute on. Hey, Jack, let us know if you can hear us.
Oh, I see you just went off as a listener.
Wait a second.
Let me pull you back up.
There we go. Sorry guys, I dropped off.
I suppose you didn't hear.
No worries, I got you back.
Welcome back.
All right, just getting Jack up here.
Okay, so why don't we pass the question while Jack is still coming up.
All right, so sorry, I'm going to repeat the question.
So, protocols like Terra Luna, Axie Ronin, and Poly Network got wrecked.
What are some of the biggest takeaways for DeFi builders
and users from some of these historical events?
Maybe actually you can pass this one first to Weso.
I mean, some of these were, like, let's say,
I think the Ronin bridge was the multi-sig bridge, right?
Terra Luna had a lot of other issues associated with it.
I think at the end of the day, I think the protocol structure just wasn't going to last.
But some of these are experiments.
We're in a space where we're trying new things, right?
And so sometimes experiments don't work out. And I would say that was probably like the Terra Luna stuff:
they got very large, the fundamentals of their business didn't really work out, and then obviously
there were some malicious actors from some liquidity pools that ended up starting the fall of
that. But for, like, the Ronin bridge specifically, there was a multi-sig, right?
And I think it was like either three or five or two or three or something like that.
And a majority of the signers got taken or like hacked.
And then they were able to then execute whatever they want.
And so that's where I think like, especially like at Beefy, when we're looking at like
our safety standards for protocols, we actually require that people implement time locks. If not, you'll see a big yellow warning on the Beefy thing, noting that they do not have a time lock implemented. But this prevents that exact exploit from happening, whether or not you trust the people who are on a multi-sig: if three people are together somewhere, there's no reason that somebody
couldn't take them and say, hey, go ahead and execute this action or this action.
So instead, if you have a time lock, it kind of creates a little bit of a blocker for you
to just immediately go ahead and execute something maliciously.
Also, everybody can watch the time lock.
It becomes a little bit more trustless if there's an
action that can upgrade or something else that's malicious.
You know, somebody out there can see that react to it. It gives
people time to react to it. So in general, that's like our best
That's awesome. I love that Beefy is taking such clear approaches to security. And I think
that's a very valuable thing, especially for users, especially for new users that are exploring
the protocol. Yeah, curious, Igor, your thoughts on this one as well.
My connection has been horrible.
If you don't mind repeating the question, I just got back in.
Yeah, no problem.
So the question was, like, protocols like Terra Luna, Axie Ronin, and Poly Network got wrecked,
what are some of the biggest takeaways, especially for DeFi builders and users, from
some of these historical events?
I don't know if I'm going to repeat myself, but in some of these, not myself, but somebody else here,
some of these cases were where they have done an audit, they had done a code review,
and then they have modified the code.
So that's not, audit is not something, like I said, it's not something that is done once. It's continuous. Have multiple
providers review it. We always recommend having two or three companies or
people reviewing, and have as many eyes on it as you can. Add a bug bounty as an additional resource.
So it's important to approach this not as just like a mandatory something
that you have to do to appease to somebody.
Security needs to be approached as an important part of it
to protect yourself, community, investors, users, and so on.
It's kind of like how you take care of your project,
and you have to implement different layers of protections.
So there's coding issues that could be there.
Companies sometimes miss different vulnerabilities.
But at the end of the day, you need to have
structured layers of protection: having architectural support where security is
implemented into it, making sure that the logic of the code is put together well,
and then of course having the actual manual code audit.
And then in addition to that, we recommend also doing like a bug bounty.
So that's where you have a lot of eyes simultaneously with proper motivation,
looking at it and trying to find bugs.
So all those cases were just, you know, we're talking about some of the older hacks and exposures.
Things have substantially changed, and what I'm talking about now has become norm.
But for those cases, it wasn't. It was definitely something that we were still learning as an industry altogether.
Yeah, I think those are really good points, especially for,
especially for new builders that are entering the space and,
even just like existing ones that are looking in terms of like,
what are some key things that they should take in mind, you know,
as they like work on many of these DeFi protocols and, you know,
just the projects they're with right now.
That actually is on,
on the point of, like, code, that kind of takes us to our next one.
And this is kind of a juicy question.
So let's get into this one.
So now for this question, this is like about security failures happen in so many places.
Most losses aren't just from code bugs.
Things like rug pulls,
phishing scams,
compromised keys,
and fake contracts
have cost users massively,
massively too.
Which category do you think
is the most underrated risk?
I'm sure you guys have seen
a lot of different types
of security issues.
Yeah, so curious from your experience, which category do you see as the most underrated risk?
I'll just send this one over to Artem.
Yeah, I think from my standpoint, one of the top risks is like a social effect, right? So when people start using crypto, start
investing in something, start using staking, unstaking, they really don't
understand how approvals work, for example, right? And they don't,
you know, double check the links that somebody sends to them. Also,
it's a really popular thing that people store their private keys somewhere in Telegram
saved messages or somewhere on a Google Drive, which is totally inappropriate. So, and also,
uh maybe it's not related to hacks, but also it's related to vulnerabilities.
There is a statement that money somewhere on the platforms like Binance or other trading platforms,
this money is not your money because you don't own them, right?
So the keys are on the platform, not on your laptop, right? Or not in your Ledger, right?
So I think one of the top vulnerabilities is the people themselves
Do you mean like the users or, you know, like team members?
No, I mean, I mean users.
I mean users, like when users store their private keys or their wallets somewhere in unsecured places, somewhere in Telegram or Google Drive, so it's inappropriate for sure.
So I think this is one of the top vulnerabilities that people can face. Please.
If I may add to that, as a B2B business, our main emphasis is making sure that the businesses are protecting themselves.
And if we're talking about the weakest link in this and most underrated thing, it's the employees.
So I would think that they are the ones that are needing the training.
They are the ones that are allowing the
access. Bybit is a perfect example of that. Access controls need to be tightened. And I think that
we are underestimating the importance as we're maturing, as we are working remotely, and as we are allowing our employees to work
on their laptops, at Starbucks and other places, we are exposing ourselves.
The companies are not implementing proper security measures.
They're not teaching their employees what the security measure looks like, what are
their recoveries, what are their responses? What are the protocols of behavior
and do's and don'ts? So from a security standpoint for a company, as part of the previous
question, how come we're increasing the dollar amount but number of hacks, is because we need
to start thinking of it as a corporate business, not just as a DeFi project, those that, you know, we're still discussing rug pulls, although they've become less and less.
But the businesses that are surviving, businesses that are becoming and turning into something,
you know, magnificent, something that's becoming corporate structure, enterprise structure,
they need to implement internal security measures.
And I think that's highly undervalued.
Nobody likes procedures.
We are definitely becoming more institutional.
We're becoming more corporate.
We're becoming more bureaucratic.
But if we want to grow, if we want to stay at some low level with a million, five million
TVL and we're happy with it, okay, fine. But we're all striving to be on a grand level, and we
all try and go higher, and that requires processes that nobody likes. And
if you notice, businesses are hiring mature employees now. They're not looking
for DeFi guys, you know, degens. We're all wearing suits now. We're all kind of becoming corporate.
So, I mean, I remember when we all used to wear hoodies and sneakers
and we had anonymity as an option.
Like, try to go and get an audit or try to implement or list somewhere
without being proper KYC and KYB and the whole process.
So, yeah, we have to kind of live with it now.
Yeah, really good points there, actually,
both from Igor and Artem.
So that's kind of like you said,
like a lot of the security people are now becoming
core pieces of like the team now.
I want to, we're actually going to circle back to that point.
But right now, I just want to go in this direction.
So not all security is technical, of course.
I'm curious, how important is community feedback,
incentivized bug bounties, and ethical disclosure in preventing
rekts before they happen? So let's send this one
over to Weso.
I mean, we have so much good utility now like bug bounties
are a great incentive to get white hats and a lot more
people to look at your code and find mistakes. Traditional audits, though, you're relying on
some experts, and they work out very nicely, especially for, I think they're like a necessary
part of, like, if I was shipping anything that's going to hold money to production. But you're relying on, let's say,
a few people, right? Like one, two, three people auditing your code base over a specific amount of
time and hoping that they find all of the bugs. And so that's why people don't just go to one
audit usually, especially if you're going to have something that's going to hold millions,
millions of dollars. You're going to go to multiple different auditors, get different
perspectives, you know, have people look at it from a different angle. Bug bounties
kind of fulfill that for you. So not that they're a replacement for audits, they are 100%
not, but once the code is live, you know, you never know if something was missed or
somebody didn't see something and so being able to have a bug bounty in place,
at least at a level that is encouraging enough
for White Hats to go and independent security research
to go look at the code base,
it ends up drawing lots of different eyes.
It's also a reason that I've kind of grown a little bit
to like contests, where you have a lot of different people
with different backgrounds, you know,
looking at the code and all competing to find the correct bug and to win the highest payouts.
Those are very helpful when it comes to the actual like technical code level of like looking
at your code base.
That's awesome. And also curious for you guys, do you also see a lot of, do you get some
of this from community feedback in terms of any security issues or bugs? Or are you, yeah,
just curious what your experience is in that.
I mean, generally speaking, the people who are building the product are probably
the most technically proficient to look at it beyond like independent security researchers that
you hire. So I'd say on the community side it's mostly for us doing educational pieces on how the
code works and maybe, like, how they independently can be a little bit more secure. I'd say we get
like less of just, like, independent people coming up, and if they are, they're usually,
white hats are trying to participate in the bug bounty itself.
So, I think it's a mutual process of like both
the obviously securing, we were just talking about this earlier
and I wanted to comment in on that too,
but like users really need to be educated.
A lot of them are new to the space.
They don't really understand hotkeys versus cold wallets
and how to actually manage their funds.
And they click links that they're not supposed to.
And they, we have to manage both Discord
and Telegram communities to make sure that people
aren't scamming and sending DMs.
And people get their Twitters taken,
or their, you know, X profiles taken over. They get, you know, hacked on their domains. The security
process doesn't just stop at the smart contract level; it's throughout the entire protocol's
system. So anywhere we're going to communicate with the user, so if that's on the front end, if
that's inside a Discord community, if that's on our X account, if that's on our Telegram, like, we need to take security measures for those things
as well, not just on the smart contract level, which obviously is a huge focus for us.
All really good points, and sounding very diligent from the Beefy side.
So now one of the things that are also really good to look at is the automated tools
and how they are becoming more essential.
So like automated security tools.
So like, for example, there's like real time scanning for DeFi.
We have like the scanner and the shield.
But yes, for the real time scanning, there's pattern detection, and there's AI-powered
monitoring, you know, and that is rising.
Now the question is, can automated tooling ever replace human judgment, or must it always
be, or must it always be augmented?
So maybe we can pass this one to Artem.
Yeah, I think it's possible to detect most of the,
not most, but crucial vulnerabilities with some automated tools,
because now there are a lot of different tools that scan code,
that also, with the help of AI, can validate even some particular functions, also emulate
transactions. But yeah, I totally agree with the previous speakers that it's not enough. We need
the people that are working in the teams, and also the users, to be educated enough, because it's not possible to
cover everything. You can cover the top vulnerabilities, but users and developers
have to be, like, the main validators, the main reviewers of this code.
Yeah, really good points.
Igor, do you have any comments on real-time scanning for security tools?
Of course I do.
Of course I do.
So I agree with Artem.
They're getting better.
They can find a lot of bugs.
Everybody's working in that direction to have that tool.
Not one I believe is there to replace it yet.
Requiring us to have continuous security.
So if you have a tool that scans it, that's good.
Depending on the complexity, if it's a standard, like an ERC-20 token, then probably, most
likely, ChatGPT will do it. But if we're talking about complexity, common sense,
you know, mathematical complexity, they are getting much, much, much harder and much more involved. So I think that there are bugs being missed
through the AI. AI is doing a great job identifying them, the ones that it is identifying.
And it's finding some criticals and high risk and so on. But I think unfortunately with time,
after the exploits happen, after this wave of everybody asking to use
AI as an auditor or as a replacement for security, only then will we find out whether it was
enough or not. I, at this point,
think that this is where we're headed.
We are all working in that direction.
But I don't think we are quite there yet as a continuous tool, as a preventive, as an additional task. Yes, they're good and they're convenient. They're a good way to prepare, so that way when people come to us, they already have, you know, the majority of the stuff fixed and it's easier for us to identify. But we are still finding a lot of issues after they use
the tools.
We are still finding a lot of common sense problems in the actual coding.
And then a lot of people are coming with vibe coding situations.
And when they bring the code after being created by LLM and then audited by LLM.
They bring it to us for, you know, let's call it stamp of approval.
We still find bugs.
And when they go back to repair them, we find two more bugs after that because they went to a model asking them to repair this bug.
And that created another bug out of it.
So it's kind of a loop here.
And I think that we shouldn't underestimate the importance of security, and we shouldn't completely rely on AI just quite yet.
Yeah, makes sense.
Also, I would like to add that now it's really easy to code and vibe code with Solidity, right, so on EVM blockchains. But if you're
talking about, for example, Sui, so far LLMs are not, like, trained enough on
this language, on the languages that Sui uses, for example, and it's not even easy to
code. I'm not talking about even auditing the code.
Okay, so two really good points. So like one, you know, the scanner can catch some pretty important issues, but then once it's fixed, there's a couple of new issues.
And then there's certain languages that are in code that the AI can't necessarily
always catch or read. Yeah, I think that's, yeah, that is definitely interesting. I wanted to
just kind of circle back to something Igor said. Igor, when you said like, you know,
catch some issues, but sometimes once that's fixed there's two
more issues that come up, are you finding, like, if there's a new issue that comes up, does the AI
catch those? Or are you saying that those are things that definitely have to be
caught by more human mechanisms?
So I can't say what AI catches, because when they come back to us for remediation, meaning that
after we do the discovery they go back to fixing it and then they come back to us for a final
check to make sure that that's been fixed, I'm assuming that it's catching some other things.
But when it comes to us, it is missing something. So the idea is that it's potentially creating one solution and creating
another problem by fixing the previous one. So it is happening. And so,
like I said, it's getting better and better, but it also goes as far
as the complexity. So right now, the manual audit is still the preferred way.
And I don't know.
There's no 100% guarantee right now with AI, right?
So we haven't had enough use cases.
There hasn't been enough study.
So I'm assuming because the influx of these AI auditors, AI scanners, AI tools are coming out, people are starting to rely on it.
Unfortunately, they're looking for this as an alternative to save money.
And I understand that.
But then that should be something related to a user and letting them know that this was done by an audit,
deposit your funds here, deposit your assets here at your own risk.
So yeah, so it's kind of like a catch-22 where we're all wanting to go there,
but we're all hesitant to rely on them 100%.
At least people in security are hesitant to do so right now,
but we're all hopeful that it's gonna come soon.
Absolutely.
Great points.
Now also looking at DeFi.
So DeFi innovation of course is really exciting,
but also it can be a bit risky.
Now some yield farms and APY chasers lost millions because they focused on APR
over security. How do we balance innovation and that sort of like exciting chase for that APR?
How do we balance that, sorry, innovation and risk when launching or joining DeFi products?
Maybe Weso can share some insight.
Yeah, so I mean, generally speaking,
yield percentage is mostly associated with risk.
The higher the yield,
and this obviously is not a one fit all solution,
but like in general speaking, like the higher the yields,
the more risk associated with that position.
Now in like very small moments of time,
that could be not necessarily true.
Like let's say just a new reward
like launched for a pretty secure protocol
and it's gotta be like diluted,
but eventually markets kind of correct themselves.
And over time, you know, the more secure,
less risky yields, you know, will decrease. And then obviously, the ones that you're getting,
you're getting 15% right on stables, like, why is that? Generally speaking, it's because you're
taking a little bit more risk than the yields that you're getting on the 5% side. So I'd say
yield chasing is fine, as long as you're in a diversified basket. Know that you're
like in an emerging industry, that people are trying new products, new innovations.
And so there's risks associated with each of those. And so for those risks, obviously
you can get outsized yield compared to what you can get anywhere else. But obviously, if
you're not including those risks into your overall portfolio assumptions, that you could have a total loss at
some point, then you're doing yourself a disservice.
That's a really good, really good point,
actually. And it's actually a good reminder to you, I think, for a lot of users that are
chasing deals just to understand
like, the greater the percentage, the higher the risk is going to be.
That's actually, if I may, that's actually a really good point on the yield chasing. A lot of people are, and a lot of
these projects are slapping, like, a finger in the air: what kind of number do I like today? Let's
put 25 percent, right? And how are these yields generated? What we started to do, actually, on that note, last year, with
the large uprise of stablecoins and so on, now we started to do audits for yield, making sure
that the yields are sustainable, understanding where the interest is deriving from, and making sure that the
institutional guys that are trying to come into the industry, trying to move their fiat
into digital world, they understand that their risk tolerance is zero.
It's not like a little bit, just like a couple of percent. It's zero.
So in order for them to do that and in order for us to understand, we need to ask, where is this yield coming from?
That's very important.
And so I encourage people to actually ask questions before you deposit money.
Our money takes us a lot of time to earn, a lot of effort.
It's silly just to assume that somebody's gonna want to
you know, easily give us 25% on our deposits. Is it another Bernie Madoff situation? Is that what's
going on? I don't know. So that's why, you know, trust but verify, kind of. That's what Hacken,
one of Hacken's topics is. So ask them. Don't hesitate.
Ask them who has validated it.
How did you calculate that yield?
Don't be afraid to ask where you put your own money.
Really, really good point.
And it's, you know, especially for a lot of users that, you know,
sometimes we get to even think about those things because, you know,
they get really excited in the moment.
So, yeah, that is really key.
If you're not sure, don't be afraid to ask.
And, you know, a little inquiry can go a long way.
Now, speaking on, kind of bridging off that topic as well. So when everything looks safe, you know, maybe it isn't. One of the things, this is, I think,
also another really juicy question too, you know, can be for all the speakers as well. Flash loans,
so there's flash loans, Oracle manipulation, and MEV attacks have historically been used in big
exploits. Do you think Web3 security education keeps up with these sort of like
evolving attack strategies or is there something that needs to be really adjusted there?
Maybe we can send this one to Artem.
Yeah, so I think, I don't have the numbers, I haven't checked, these types of attacks like MEV attacks or flash loan bots, attacks that have been done using these vulnerabilities, decreased a lot because of what
we see now. We see now, like, the amount of transactions is much lower than, like, previous
years. But in general, I still see bots gaining some money still, right?
But yeah, like turning back to the main ideas,
so still people should be aware about this attack at least.
For example, it's possible right now to use RPC node
with protection from these attacks, right?
But I'm not sure that people are aware about that.
So usually people use public RPC nodes
that are publicly available, that are free.
So, and then they are not even aware
about these types of attack.
How to protect?
Yeah, it's like, it's about education as well, right?
So even now, when crypto is not so
popular, right, people still have to be in trends, right? If they
still use their wallets, like, for example, let it be even a few
times a week or a month, they still have to be aware about these malicious attacks.
Yeah, absolutely. And I'm not sure if Igor or Wazzo, if you have any comments on this question as well.
If not, we'll move on to the next one.
I missed that one, so I'm gonna skip.
Okay, yeah, yeah, no problem. I'll do it.
I can comment real quick.
So, flash loans work for manipulation.
Flash loans are generally a pretty useful tool for arbitrage.
Or they're a useful tool for a lot of different things you can actually, sort of, build on chain. Unfortunately,
they get a bad name because the only reason people really kind of know about them is because
they're utilized to grab a lot of money and manipulate, let's say pricing on things. And,
you know, can lead to a lot of the exploits. Think of it as being able to borrow lots of money
at 0% interest for one block, manipulate something, repay the loan and take all the profit. That's
how flash loans essentially work. Oracle manipulations, because of flash loans, can
happen if your oracle is tied specifically to, let's say, an LP or something like that, because you can borrow lots of money from one place,
manipulate the price of the LP, the Oracle shows something different, take an action
and then extract from the protocol.
So as long as your oracles are, and I think in the majority of the cases, you know, people
are using, you know, proper oracles, either time-weighted oracles or oracles from providers like Chainlink, then those
attacks really can't happen as long as they're implemented correctly.
I mean, what was the other thing that you, oh, MEV.
So MEV can happen on chains that are, like, non-sequencer chains, so like Ethereum, and they call it the
dark forest. This is why using, like, private RPCs is super important. Essentially, it's, think about
if you're submitting a transaction and it's sitting out there, anybody can like monitor
the mempool of the transactions that are sitting there and can either like, if you're going to make
a trade, they can manipulate the pricing on the liquidity pool. So essentially, you think that you're going to get into a trade at a certain price,
they push the price way down, make you buy at a worse price than you're going to,
and then move the price back up and take the profit.
So yeah, I mean, those are all things that we have to consider as builders all the time.
And it is especially important depending on where you're building
and how it's going to interact with your protocol.
Really good points.
And I'm really glad, Wizz, actually that you spoke on flash loans as well
and also MEV, because I think there's a lot of people that don't always realize.
I think there is a bit of a bad rap sometimes with that,
but there's also people that are very naive in terms of understanding of how those are used or can be used.
Now, also, this next question looks at security from, I would say, almost a standpoint of culture.
If we were to look at that as something that we can invite the whole space to sort of participate in.
Now, do you think there should be industry-wide standards for certification bodies or smart contracts and protocols, similar to ISO in
traditional tech? Just curious what your thoughts are on that, why and why not.
Yeah, feel free to continue. Yeah, I just wanted to quickly say that having standards is a really good solution, right? So
that's why we have, like, ERC standards, right? ERC protocols that push
people to use, like, the same approaches. But on the other way, all the standards, you know, can make people blind, you know, sometimes. So anyway, only
revolution or evolution of something can bring up, you know, some weak places.
And, you know, also it's a driver of new solutions, new platforms, new ideas, right? So it's like, you know, we need to have a balance, right? I'm not,
on the one side we need to have some kind of standards and policies, but on the other hand
we should take this risk, you know, to try something new, and it's not
so easy to avoid, you know, issues and problems with that and mistakes.
I'd agree completely, but then I'm also super pro regulation and compliance and standards.
It makes it easier by creating framework and rails on which we operate on.
And that makes it easier to understand the do's and don'ts, right?
So there's CCSS standards.
There's C4 that created these cryptocurrency security standards.
And then there's many, many other things.
So the ISO standards were created because, you know, you need to be compliant.
SOC has been created for certain things that you need to do, bare minimum, to implement as
a mandatory requirement of security into your project, into your facility or whatever.
So by creating standards,
we are mandating a bare minimum implementation of security
on regulatory level.
So by getting a license,
nobody really thinks about it.
Everybody thinks about whether or not your securities
or your utility and making sure that you're licensed
in the proper region and so
on. But all that is created to make sure that whoever receives a license, whoever is operating,
is operating by standards that have been created to protect the consumer. So at the end of the day,
we should have standards to make sure that people that are building stuff are building
stuff with
proper end result
I think that's really good
and actually just curious
for you Igor like what are you seeing
and what are your thoughts also for like certification
bodies like for projects, maybe requiring a certain sort of certification and you know, meeting those
kinds of standards. Is this something that you can see being applied to the web-free space kind of
as a set thing, or do you see challenges in that being adopted?
So it comes down to regulators implementing that.
For example, we closely work with ADGM, VARA, Bermuda.
They're great examples of how regulation should be: by regulating and not over-regulating.
But people are flocking to those that are creating clear standards.
So you guys created the GENIUS Act. They created a foundation and a
will to show that they're looking towards opening up the platform
for all of us.
But then the CLARITY Act is the one that's gonna, you know, finalize all of it and give us,
silly as it may be, but it's gonna give us clarity into how to operate. Right now
everybody is operating based on an assumption it's gonna go through, and we understand, you know, the logic in it.
But those regulators that have created clear guidelines
certification requirements and do's and don'ts, and require annually for projects to go through certification and compliance measures.
Those are the ones that are having the serious projects come to and register there, because they don't want to go through this rigorous process of regulation and not understand.
So regulators are solving that problem for us by implementing,
and we're happily helping them with it, creating security standards
and making sure that they are not overly regulating,
helping them to understand what's a proper regulation
and what proper certification needs to be implemented.
So I think there's going to be more certifications.
I think there's the RWA standards, there's ERC standards,
there's security standards, and I believe that there's going to be
more and more different things popping up, something along the ISO.
I think that's great. I think a lot of us are looking forward to seeing more of that, for sure.
Seeing protocols just kind of aligning
and meeting certain standards
and also certifications around security.
And I'm sure that's going to be ever evolving
as it gets updated with new security issues come up.
Okay, all right.
So I think we're slowly coming to the end of our spaces.
Now, let me just throw one last question into here.
So now we take a look at like on the topic also,
protocols, audits, and say, risk control,
security tooling has for sure definitely
exploded. One of the questions we have, a lot of people have questions around audits and let's say
audit standards. So one of the things we look at is that nearly 40% of audited projects still face exploits within a year.
Why isn't auditing alone enough?
This will be our final question.
I don't know if Quazzo, you'd like to add some insight.
So, I mean, auditing's great, but like I said, you're not going to just, like we talked about the bug bounties a little bit earlier.
There's always a case that you can miss the bug.
Also, like protocols like BFE, right?
Our contract code might work as it's expected, especially during maybe the audit process and how it was originally thought of.
But if you're building on top of other protocols, you know, they could be updating their
protocols or making changes, which can lead to unexpected results on your protocol itself.
So it's the composability layer that also throws a risk in there. We talked a little bit about AI
and, you know, how maybe like AI could be a replacement or an additional feature for auditors, and actually it is a
feature for auditors at this point. But it can be very helpful in the future. And then
at the same time, it's also a risk, right? Because we have a lot of people now utilizing
AI tools that are ever-growing in knowledge to find exploitable venues within different
protocols. We actually have a lot of, there's a lot of
different auditing firms now that run their own AI models, essentially, and they'll participate
in contests and bug bounty programs. So for as much as we have white hats out there, we also
have black hats doing very similar things, working on their AI tooling, trying to find complex methods of exploits within protocols.
And so it's kind of a race to find all of the bugs at this point.
But the auditing process and the security process does not start or stop after the audit and the launch of the protocol.
It's a continuous thing. You should be getting continuous audits on your protocol.
Every single little change,
if you're gonna upgrade a contract
and you think it's an insignificant change,
it should still have a third party senior researcher
like looking at it just to make sure that they can verify
that it functions in the way you want it to function
and then it doesn't break any other downstream code changes.
So I think there's
just a lot of the post audit process is just as important as the audit process itself.
I agree on that. I have to say, in our case, for the reason that stuff happens, and once again, we spoke about employees being the weakest link.
What Hacken does for that reason, we do, after an audit is complete, we run a bug bounty platform, a bug bounty contest on the contracts that we've audited.
And then if there is a finding,
then we actually put our own money to cover that, right?
So it's kind of like one of those,
put your money where your mouth is.
So that's why our reputation precedes us.
And that's why people come to us.
And that's why we've been around for nine years.
But then you also have to understand an audited contract.
That's all it means in that sentence.
It's audited.
But we have to put kind of expertise behind it.
How many people have?
A lot of developers found themselves thinking that there's more money in security than there
is in development.
And so a lot of them were creating contracts, creating them with mistakes, and now they
understand kind of how auditing works and how to find mistakes.
And they go and they start auditing. So you have to really take into consideration those projects that have been
audited, who has worked on that audit.
There's a lot of great names, a lot of our colleagues that are doing great work.
We personally use at least two people auditing at the same time.
So that way, yes, it's, you know, overhead of the
process is a little bit, you know, higher. But at the same time, we are putting the reputation
and people are trusting us. So if you come into us and you're kind of hiring us to validate and
to verify and to make sure that people that are trusting you are going
to trust you because you've done an audit, that audit actually needs to mean something and not
just a stamp from somebody that used to be a developer that wanted to start to make a little
bit more money. And I mean no disrespect to any of the auditors. There's a lot of great ones,
but do your due diligence,
because, you know, the majority of the people are looking for a better price.
And they're asking for a price and they're not asking for the expertise of the auditors. So that's a huge point.
Really good points. Yeah.
Yeah, also just wanted to add that right now in the market there are a
lot of, like, fake auditors, I would say. So a lot of small companies that claim they can develop
smart contracts. For sure, yeah, they can develop, but developing smart contracts doesn't mean having,
like, skills to evaluate a contract, right, to proceed with audits. So that's why sometimes
companies that are not really aware about the market, about how the things work,
order all this from these small companies.
And then, like, the results can be, like, a disaster.
The funniest thing is that the majority of the problems are found in contracts
where somebody comes and says, just put a stamp on there, because my team is the best, they're the leaders, they're the best, you've never worked
with anybody as professional as the team that we have, and we don't need an audit,
just put a stamp on it. And it's just like, this is where you find
the most critical bugs, and this is where you find logic, and the funniest
thing that derived from these conversations, it's like, all right, this is
definitely not happening.
But yeah, I agree with Artem, yeah, for sure.
Oh, man, watch out for those projects, guys.
Don't look over here.
Don't look over here.
Just give us a stamp.
Everything will be all good.
Well, first of all, I just want to, we're coming to the end of our spaces.
I want to thank a lot of our guests for sharing such honestly genuine and really amazing insights on around the security space.
Very, very insightful and especially educational for a lot of users and also builders that are entering space and already in the space.
So, first of all, a big thank you so much to our guests.
Thank you, Igor from Hacken.
And thank you to Weso from Bifi.
And thank you to our, yeah, Southern Ophiets.
Wanna say some goodbyes,
but we're gonna be closing the spaces for all.
But thank you so much for all your insights today.
Thanks. Pleasure to be here.
Thank you, guys.
Thank you. Not your keys, not your coins.
I like it. I love it.
Good trademarks all around.
All right, guys.
So crypto security is more important than ever.
With billions lost to hacks, scams, and exploits,
staying informed and vigilant is the best wealth defense.
Thanks to everyone listening.
Stay safe, stay educated, and most importantly, don't get wrecked.
Have a good day, everyone. Thank you.