All right, we are all set.
GM, everyone, good morning, good day, good evening.
Welcome to Hacken Talks, our special edition with Polkadot and HackenProof.
We are here to talk about something that impacts every project, founder, and every investor in Web 3, which is security.
And not just in theory, we are getting into trenches with real stories, real lessons, and real tools that make a difference.
I'm your host, Mr. Fantastic, and I will be moderating today's deep dive into Web3 security,
bug bounties, and how we are pushing the boundaries of proactive defense.
We got an all-star lineup today, real builders and battle-tested security specialists,
ready to break down what's working and what's not in crypto security.
So let's get right into it.
I'd love every guest of ours, every speaker, to give a short intro about yourself, your project, and how you are involved in Web3 security.
Can we start with Vincent maybe? How you doing? Feel free to unmute yourself.
So, Vince, CISO at Parity for about three years. Parity was a key contributor of the Polkadot
SDK, but we know there are a lot of other parachains on that ecosystem too.
So in 2025, there have been multiple initiatives which have been happening, including the support
of smart contracts natively with Polka.
Seems like we lost mic connection.
That shouldn't be a problem.
Vince, in worst case scenario, try to mute or unmute yourself.
If that doesn't work, try to rejoin the stage.
We'll make sure to give you the necessary permission.
Oh, sorry, I apologize. I will restart.
So, I'm Vince, the CISO of Parity, for about three years.
As you know, Parity is a key contributor of Polkadot, but there are many other contributors,
projects and parachains. Regarding the project itself, in 2025, there have been multiple
initiatives which have been happening.
Seems like it's happening again.
It's okay. That's just the beta test. The better version, guys. Twitter is a new app, right? Everything happens. I'm very sorry about that, guys. Do you hear me correctly? Absolutely. Absolutely. Don't worry about that.
Okay, so I will not repeat unless did you get everything or do you want good proof?
Yeah, cool, sorry, go ahead.
Like all fine, all fine, maybe just last two seconds, that's it.
Yes, perfectly fine. We welcome you to the stage, happy to have you here.
And who else, who else? Alex.
Would you introduce yourself and your project?
So Alex is here, a security engineer for the last decade probably.
It was focused on web application security before.
After that, joined the Web3 market as a security engineer, did a lot of smart contract audits, penetration testing.
I'm a studio at HackenProof, leading Web3 bug bounty platform.
We work with a lot of layer 1 protocols, including Polkadot and the Parity div itself.
So happy to be here today.
Hope to share some insights from current bug bounty market.
The pleasure is ours. Thank you very much.
And last but not the least, Yehor, how are you doing today?
Yeah, what's up? That's Yehor, real one.
And, yeah, so a bit about me.
So yeah, to say, not say a lot.
I'm a security researcher investigating blockchain activities and trying to uncover bad actors,
currently working at Extractor particularly and in Hacken in general.
What a well-packed stage. All right guys, so let's kick things off with the recent ETHDenver.
A lot went down and Alex had boots on the ground.
There was a common bug bounty initiative. So is there a...
Could you give us to Alex? Could you give us a recap?
What were the biggest takeaways? Maybe unexpected moments?
So yeah, just to wrap up what actually happened, so during the ETHDenver hackathon,
we organized an activity with the Parity team which was focused on discovering security issues
in Parity products like Polkadot SDK, like Polkadot relays infrastructure,
and Polkadot Bridge. So during that activity, like, we had a lot of
participants. We basically got more than 7,000 scope reviews, which means that many, many
hackers, yeah, we would say like that, were checking our scope and trying to find the
security vulnerabilities in the mentioned targets. Successfully, we didn't get any valid security
issue in Polkadot infrastructure, so it's safe.
And we're still really happy to see that amount of participation,
especially since the main focus of the ETHDenver hackathon is on developers.
People who are trying to build something, not break something.
So still, the amount of participants was pretty nice,
and we were happy that we had a chance to organize it.
I had a follow-up question about if there was any submission that surprised you or, you know, made you sweat a little bit.
But since you had, you said that no particular bugs were found,
I don't even know if it's...
I think it's good, right?
Yeah, I mean, like, every submission which we receive is making me sweat a bit
because I'm always worried that we've got the real critical issue.
And, you know, like with such a huge TVL and stakes under risk,
you're always sweating until you're fully sure that it's not valid.
We can't share any information from the reports themselves, but there were around 20 submissions in total.
So, yeah, that's all that I can say right now.
I mean, of course, you have to go to the very deep, to the very root of it.
And if you're working in security, you kind of have to be paranoid enough, right, to expect the worst and be prepared for the worst.
Well, that's kind of what we do here in Web3 security.
But I'd like to zoom out a little bit because bug bounties have become a considerable pillar in crypto defense.
But they're not all created equal.
So I would like to just throw in the question to the panel and for you guys to dissect it.
From your experience, guys, what are the biggest trade-offs, maybe benefits, pros and cons, specifics,
between self-hosted bug bounties and third-party managed bounty programs?
Who'd like to be the first?
So, as you just mentioned, ETHDenver was quite beneficial because we attracted a lot of new researchers to look at the bounty.
And this is the most important thing initially with a platform or if you do internally, you want to attract people.
Because more you attract people, more you have people taking the system, providing.
Yes, providing feedback about the security, including if it's not valid, it's helping.
The second step is about doing the triaging.
And the triaging here is always a difficult balance between internal team and external bounties.
It's about assessing if it's just fake noise, if it's
real things which may require additional context or additional interaction with potentially a proof of the exploit.
And here it's about partnership between the parties because it's difficult to automate and the reality may be a little bit blurry at least initially.
The last two steps are remediation, which here is again more focused by the internal team,
but the platform can help because they got a lot of experience too.
Going through the payment interaction with the reporter,
including KYC and overall practicalities,
which is a very important piece to recognize the effort of the researcher.
And it's something where the platform can help a lot in addition to internal teams.
Yeah, 100%. I mean like even that the crypto is not something new. Yeah, we have blockchain as a technology for a very long time already.
But I still like to say that we are still early because there is still not enough security engineers who are really experienced to discover
security issues in blockchain solutions. They're still really complex and
It's not that easy to discover really critical severity issues which could lead to the loss of funds,
while bad players, yeah, they are not asleep as well and they are always trying to find something inside your protocols.
So yeah, bug bounty is definitely like a last security line for the blockchain solutions,
because even after you passed a lot of audits, you still
need to have a place where independent security engineers can submit something, communicate with the team, ask the questions, and etc., etc.
So, yeah, as Vincent said, probably the main benefit of
third-party platforms is attracting new communities to your solutions because we have so many of them.
All of them are different, it's different tech, and it's not that easy to bring new people into it,
to ask them to take a look into that.
I'm not the most technical person, but security concerns me very much.
And I just have this question, if a project is, let's say, on a light budget, but still wants a solid coverage,
what would be the correct choice, to self-host a bug bounty or to go through third-party bug bounty providers such as HackenProof, for example?
It really depends, but definitely you need to have at least something.
I don't like the idea when the project is trying to use
email addresses as something where you should submit security issues because,
like, people lose emails in their inbox.
So basically, your security report can be easily lost in your inbox.
So if you have at least a public bounty page or even Google form or something, it's much better than nothing, definitely 100%.
But currently, we have so many solutions on the market where you...
which you can use for free or for very cheap or reasonable amount of money.
Like we have different models on different platforms.
Some of them are charging you a success fee only.
They may charge you only if you have valid submissions.
Some of them may charge you a subscription.
It's also a reasonable model if you want to be sure about your security budget
and plan it at the beginning of the year, for example.
The nice insight from the subscription model is that the platform will not push you for higher payouts.
Because for example, with success fee, they always may try to push you for bigger payouts because this is the place where they can earn more.
Yeah, just to wrap up how success fee works.
For example, if you pay a white hat $1,000, probably 10%, some platforms may take even more.
It will be charged on top of your payout to the platform.
This is called success fee.
While in the subscription model, you can pay as much as you want, not want, but as much as you pay for the white hat and still have that limited amount of subscription which you pay to the platform itself.
It can be monthly, yearly, or something like that.
So, yeah, Vincent, what do you think about different pricing models?
What do you think is the best one for crypto projects to choose, especially early stages?
Yeah, so it's not an easy question.
It's very important to have segregation of duty between the different stakeholders and for the money not to influence bad behavior,
but only to recognize investment of researcher.
That's why a percentage of the bounty being paid to the platform may sometimes create challenges.
A second thing which may sometimes create challenges is about the amount.
It's not always easy to find the right amount.
It's again finding how much the project is able to pay and how the project can reward the researcher.
For example, what we have done is we are able, depending on the criticality of the bounty reported, to fast-track access to the Polkadot Blockchain Academy,
which is not directly about money but it's about being part of the ecosystem and learning
about the ecosystem and improving your skills or having interaction with specific people in the
ecosystem. So money is an enabler but should not be the only focus.
Makes total sense. And
while money is an enabler and basically people who
perform these researches and hunt for bugs, someone calls them white hats,
someone calls them ethical hackers, and
I am wondering, what do you think, guys, is it enough, like, the money that people get for finding bugs, is it enough to stay?
Because if I were someone who is, you know, a developer myself and maybe I know a thing or two about vulnerabilities here and there, sometimes I would probably, you know, if the reward is not that big and...
If the damage that I can deal to a project is significantly higher, I would, not personally,
but I would probably consider going black and not be ethical at all.
So do you think people, like the amount of bounties, the sizes of these bounties, are enough
for people to stay ethical?
As of now, let me start here.
If you are a North Korean hacker,
you will not participate in bug bounty payouts.
Doesn't matter how many they will propose to you, you know?
So let's be straight on that topic at least.
So of course, if you propose the bigger amount,
you may attract more attention.
But as Vincent mentioned, most of cases,
it doesn't mean that you will pay it, of course, because maybe you will never receive the critical issue.
But the more important thing is that if you will receive that amount, if you will receive the critical issue and you put $1 million as a bounty payout for that, are you able to pay that amount?
Or after that payment, you will close your operations just because you don't have it at all.
I mean, like, the huge TVL of the project doesn't mean that they have that huge amount of money in their pocket and can just pay from that, you know?
So in most of cases, we are dealing with startups.
So we definitely need to figure out other kind of incentives, which we can give to the security engineers.
And it's not always about money.
In some cases, you can check the other projects who can provide.
Like, even Hall of Fame means a lot if you're contributing to huge ecosystems like Polkadot or Ethereum.
You can check how much bounty is proposed to white hats.
It doesn't mean that they don't have this money.
It means that it's not just about the money.
If your project can propose only money as an incentive for your contribution, it means that
maybe you have a bad project and you can't give anything else, you know, to the security engineer.
But I've seen a lot of cases where after the discovery of critical issue,
the project can hire the security engineer and give him like contractor job or something.
So it's also a nice approach to attract new community members, new contributors and new builders into that.
But yeah, so my take is that the amount which you can propose to the white hats is not the only way to do incentives.
Because if it's a black hat, they don't care about how many you pay for bounty payout.
Yeah, that's a very valid point actually.
I mean, like, of course there are always some demons in our souls who are sitting and saying,
okay, better to steal this money and live a rich life. But unfortunately,
or fortunately, if you are not a North Korean hacker, probably we or other security companies
will find you and you will go to the jail.
You know, like very few examples we saw which were never discovered and people live the
happy life after the hack.
Blockchain doesn't forget.
Sooner or later, since it's all on the public ledger, it's all transparent.
Sometimes even if you use some mixers and else, like you never know when you might slip, if in one year, two years, five years or ten years, some of the wallets that should never have had
a common transaction would magically have a link between themselves, which could be a crucial
piece of the puzzle figuring out who you are and what's your identity.
The Bonnie and Clyde from the Bitfinex hack went to jail after eight years, so, by a stupid mistake, but yeah, they got
Blockchain doesn't forget.
So, since we're already talking about, you know, hackers and just overall, you know, security of Web3.
Because honestly, as far as I'm concerned, more than $2 billion were lost in 2024
due to security breaches, whatever the reason was.
Right. And I'd love to hear a perspective from Yehor, since you've been knee-deep in the trenches.
Can you share some of your recent findings in the multi-chain and the Web3 security?
Any patterns or blind spots that...
Do you think most teams are missing or not really focusing at while they should?
So you mentioned more than 2 billion stolen last year.
There was 2.2 billion, more than 2.2 billion dollars, you know, of assets stolen as the result of exploits.
So these are smart contract vulnerabilities, access control exploits and stuff like this.
And about six, like more than 600 million was lost due to phishing scams.
So this is a major threat to the, this is a major threat to Web3 and to its users.
And this is a barrier, I would say, I mean, phishing is a barrier to, like for Web3, for becoming, you know,
for becoming these, you know, go method option and stuff like this. Yeah, so, and to give a few
maybe practical pieces of advice for everybody not to be a victim of phishing scams: so do not click any
links from untrusted people, first. Maybe a second is,
when you're approving your transactions, you verify the source.
And like, so when you sign a transaction or submitting transaction, for example, approving your tokens,
so verify the source that is trusted, the website.
And the first thing I would say is do not approve infinite amounts of tokens. For example, when you want to swap the tokens or deposit to Aave, for example, approve only the amount you want to spend,
because this is a really dangerous thing.
And first of all, you need to realize when you approve for an infinite amount.
So this means like when you want to swap 100 USDC, but you approve them,
the infinite amount, you know.
which, like for example, Uniswap,
it will be able to send the tokens out of your account.
I mean, these USDC, which you have approved.
For example, this Uniswap, yeah, Uniswap is pretty safe, I would say, but if it is some other smart contract, some other, you know, DEX or anything else, you might be, I mean, this smart contract might be hacked.
And if it is compromised, then any approvals which you were granting to this smart contract,
So like, smart coins might just transfer your tokens out of you.
And this is a pretty damaging threat for Web3 users.
And so actually, to, like last year, it was almost $3 billion worth of USD stolen due to exploits and due to...
and due to phishing scams. And the major threat, I would say, is the access control
exploits. So basically operational security of the projects. And due to this threat, it was like
almost 80% of the losses was due to this particular attack vector.
No, not phishing. Phishing is pretty huge damage and pretty huge threat, but I mean, access control is the number one threat. So this is from our analysis from last year's security report, the
This course will actually security report will be coming soon, so stay tuned actually.
And I want to hear from Vincent regarding his analysis and observations regarding attack trends, maybe and what he is witnessing.
So I would agree with what you have articulated at the end.
I think the different attacks, based on what I've seen and what I share with peers, can be
organized in three buckets: the one which relates to the pure code and logic, smart contract
and equivalent; the one which relates more to Web 3, Web 2 and DevOps
use; and the last which is more about OpSec and people.
So if we look a little bit at these three,
the first one has significantly decreased
because projects are more investing on security.
People are more mature to include security reviews.
As a consequence, there are less occurrences,
but when there is a bug or vulnerability on that area,
there is a big impact, and there have been not too many reasons.
The second piece, which we may want to call more Web 2,
it's where a lot of projects continue to face challenges.
And here it's important to be unborn.
It can happen to almost everybody.
Nobody is completely immune of that.
It's everything related to how your infrastructure is secure,
how your credentials are managed,
how your keys and secrets are accessible,
how your release pipeline may be exposed,
especially with the supply chain risk.
And here, it's a constant focus.
There have been a lot of attacks on that area
and some successful, including very recently.
The last one, which is about people, usually it's easy to blame people,
but it's not, we are all human and it's not that straightforward.
And here, as you mentioned, these are the usual phishing,
sometimes more refined, not that refined,
but people need to be helped with simple tools,
simple UI, sometimes some technical measure,
they may like or less like,
and eventually it's about their day-to-day behavior, meaning any of us can click a phish.
The question is, what will happen if you click a phish?
If you do your daily job, you don't have privileged access and you don't have access to all the system,
you are contaminated, the blast radius will be small.
If you work with privileged admin access, you've got
network access to everything, and you may not have a multisig, you are in another situation.
So it's about making the life more difficult for the attacker without being too much difficult for the user.
Yeah, there is always this trade-off between convenience and security of things.
that is happening in every single app and you know users are whining okay why should i put my
two-factor authentication in my central exchange account and etc and like you know centralized
exchanges or other crypto projects they're concerned about their security their user security
but also you know making it
Not as, you know, protecting people, well, also giving them at least some kind of air to breathe because not everyone, not everyone feels like, you know, it concerns them.
I like to give this, you know, analogy that CyberSec and Web 2 and Web 3, it's literally like healthcare.
Most of the people, they don't think about their health.
You know, like you, unfortunately, it's nice if you go to and do regular medical checkups.
If you think about your sanity and, you know, you proactively approach for health.
But most of the times we go to the dentist,
or to the, I don't know, to any given doctor, only when something went wrong and we're like, damn, we have to rectify it.
And from my perspective, personally, I see the same approach in Web 2 and Web 3.
Of course, we can see right now a lot more people having a,
you know, a lot more companies, projects, having a role, a dedicated role of chief
informational security officers.
But in my personal opinion, I think that we are still, you know, still the industry
is handling these risks much more on the reactive side.
Yeah, I mean, definitely.
And due to, yeah, actually your analogy,
which you were putting, made me reminisce a bit,
regarding proactive approach of security incidents and stuff like this.
So I've already shared the insights.
I mean, these are not pretty insights, but this is just what we have to care about.
The operational security of our projects in Web3 and access control exploits as a result of flaws in these security systems.
These, so that the biggest DeFi exploit last year happened not due to smart contract vulnerability,
but due to operational security flaw.
And this was the Radiant Capital exploit for about 55 million.
And so their multisig was compromised.
And unfortunately, they suffered the exploit on two chains,
Arbitrum and the second was BNB Chain. And, you know, regarding proactive approach, I
believe, you know, you're doing all those things, I mean audits and bug bounties, which are
you know already standard measures
And, you know, for this Web3 security, and everybody cares about it.
I mean, a lot of people care about it.
But actually, these, you know, these practices, they are aiming to find the vulnerability before it being exploited, yeah.
But what we are doing, what we want to do when, you know, it is exploit, yeah, and you try to avoid it.
I mean, by security audits and stuff like this, but the reason exploit.
So you maybe want to have some monitoring system which immediately detects this exploit and trying to mitigate it.
So, in fact, Radiant Capital, which I've already talked about, they had the incident response set up, but their measure was to pause the protocol.
And pausing the protocol is something which has nothing to do
when your operational security is, I mean, exploited.
So, yeah, they paused the protocol after suffering the exploits on BNB Chain.
I'm sorry, in the Arbitrum, they paused the protocol on BNB Chain, but still got hacked.
And this is a lesson that you want to be, you know, prepared
for different types of attacks.
In this case, they were prepared for smart contract vulnerability exploits,
but at the same time, you want to be prepared for access control vulnerabilities,
and those type of attacks.
Yeah, so these are my insights.
Maybe Vincent has, you know, his own,
I actually have a question to Vincent because you just mentioned, like it's an awesome topic.
The, like, I like how the conversation just naturally steered itself into the proactive approach
in attack mitigation and just overall making your system more secure.
I'd love to hear Vincent's thoughts on the on-chain monitoring.
Does it have any growing role in a security strategy at Polkadot?
Sure. So regarding proactivity, you're right, it's very important. In the Polkadot ecosystem, there are multiple initiatives. I will share a few of them, not all of them, but few which I think are making an impact.
One is about the Polkadot Assurance Legion, which is helping the Polkadot projects to have security audit performed,
and which is promoting security tools to support the Polkadot ecosystem.
And these were including projects who don't have enough people resources or fund resources to do that are helped if they figure some criteria.
Another initiative which is helping is there is what we call the Polkadot Security app where you can find many resources like the top 10 vulnerability.
You need to be aware, prepared and how to prevent them.
more than 50 audit reports to learn from previous audits,
different fuzzers, tools to check dependency,
a war game to play red team, blue team,
or vulnerability disclosed in the past.
So all these information made available to the community
help people to be more proactive.
It's not perfect, but it's a beginning.
And as you mentioned, the last one is,
when there is an issue, when there is an issue, being prepared to react is not an easy topic.
We are working on it at different occasions. One thing which has been beneficial so far is being part of the Security Alliance, the SEAL.
Some of the people may know with, for example, the SEAL 911,
which is a very impactful team,
which is able to help when there is a real hack in order to contain and react.
So now to your specific point about monitoring,
different projects are already doing monitoring.
There are multiple conversations via OpenGov, which is a
to sponsor initiative about bringing more monitoring and monitoring not only for security perspective,
from a business enablement perspective, and yes, it's an area where there is active focus.
Just a question to the, thank you Vincent for your, that's an incredibly valuable insight.
And I just have a follow-up question to you and to other, to our guests on our panel.
Do you see security monitoring as...
as a new evolution of Web 3 security or is just a very useful and necessary addition.
Because, like, my point of view is that when we make a security audit or a bug bounty,
there is a certain set of smart contracts, let's say, in their current state at a given moment, point in time.
And when you audit this specific smart contract, you audit it and with every single day that passes the relevance of this audit fades, right?
Because the audit is most relevant on the very same date when it was released.
Because right after that, there could be some changes.
You know, the system could get modified somehow.
The smart contract could start...
engaging with other smart contracts and maybe other, you know,
so basically the system, the overall infrastructure could change,
and thus an audit that was made one month ago, two months ago,
if like, you know, it could be much more relevant, much less relevant,
or even not relevant at all in some cases,
if the modification to the infrastructure were big.
So my question to you is since we already have, you know, such security measures as smart contract audits and bug bounties that are well established in the industry, do you see security monitoring as something that will...
eventually, you know, all these smart contract audits and bug bounties, they will eventually shift in security monitoring and will be substituted.
Or on-chain things, on-chain monitoring tools are just like a necessary and useful addition to make the security approach more robust.
Sorry, it took me three minutes to ask my question, but I really wanted to kind of give my thoughts on that.
So what do you think, guys? Security audits are evolving into on-chain monitoring,
or is just a new, fresh way of making your security more robust?
I'm happy to try to give to that one.
I would say definitely the latter.
It's about what we call in some time in security defense in depth.
It's not A or B, it's A and B.
And to your points, the monitoring will complement for people who have not been able to focus on it so far,
but it's not in replacement.
It's to bring more visibility.
The good thing is in Web3, a lot of the data already exist on chain compared to other industries.
So it's more about making it visible and accessible.
Anyone else in the audience on stage has any opinions on that?
Yeah, I agree. Definitely agree with Vincent. So you have to care of any of those things, you know, all of those things. Because it all started when, you know, back, you know, five years ago when Ronin Bridge was hacked on 600 million, all the keys from multisig were stored in the same computer. And, you know, actually...
And we're evolving from that point, yeah?
And, you know, our operational security is getting better.
Still, it is, you know, a lot of flaws in there,
a lot of projects, pressure security, but still we're evolving.
And regarding on-chain monitoring, for example,
there were times when the project was seeing the...
I mean, for example, stakeholders were seeing that protocols as dark forests, you know,
and then you actually need them to monitor, you need to understand what's happening in real time with your
smart contracts with your, you know, system which is deployed on blockchain. So it's also evolving.
And the same with bug bounties, the
strategies of triage and how we deal with all this stuff also evolving.
And, you know, industry is maturing at the same time.
So, I believe, you know, regarding actually, Mr. Fantastic,
regarding your question about ethicality and is it enough, you know,
this amount of bounty, is it enough to not go unethical?
This is, I believe this is not
when you go, this is not like lottery pocket and you just, yeah, here is 10K bounty and here is one million possible exploit payout.
But this is not a payout and that's a thing.
You're kind of thinking about committing the cybercrime and this is definitely a bad thing.
And I believe from the human perspective, this is nothing, nothing, nothing.
It's like robbing a bank, I mean, from the ethical point of view.
So, but yeah, there's a lot of bad folks you already mentioned about ones.
I mean, North Koreans who are trying to, you know, go on the other side of the tree.
And that's why we have to, you know, become, you know, better equipped to fight those guys in that sense.
It's just a way of how the industry becomes more mature.
Because monitoring solution is not something new.
Like, we're just taking the best practices from
Web 2, let's say like that, from the Web2 world, yeah.
We have IDS, IPS, IPS systems like for maybe 20 years.
I mean, like incident detection mechanisms and incident prevention mechanisms.
So monitoring tools is just a copying of those best practices, mirrored
for on-chain reality, you know, where we can reuse it.
Same with bug bounty, same with smart contract audits, yeah?
Just penetration testing and bug bounty, good practices which were used there.
And that's why we are using it here.
So, yeah, it's not a replacement of one of the processes,
it's just an additional layer of security which should be put in the game.
Yeah, guys, honestly, I think we've covered everything.
We've covered a lot, like from ETHDenver bounty insights, like bounty strategies,
you know, the real world, Web3 exploits, proactive defense, a lot of useful insights
and opinions were shared.
And I want to thank you, our dear guests, and to everyone
in the audience for tuning in and of course to the people who are going to listen to replay.
And maybe before we wrap this space, I'd just love to give each of our speakers just the last moment to share their final thoughts,
whether it's advice to builders' vision for future of security or just the message to their community.
Yeah, so first of all, thank you for the invitation
and for asking me to be part of that discussion.
It was really insightful.
Vincent mentioned that there is a PAL initiative,
which is kind of similar to SEAL,
but for the Polkadot ecosystem.
Maybe Vincent will correct me if something is not that way,
the initiative to provide grants for bug bounties and security itself.
So if you are building on top of Polkadot, you can check that PAL documentation and
probably get some grants for security initiatives for your products, project,
because I mean like security is important, isn't it?
That's why we are sitting here.
So, so yeah, thanks again for inviting me here.
Thank you. Vincent, what you have to say.
Thanks all for attending and listening.
And maybe on my end to conclude,
I think we need to be as good as attacker and bad guy
to continue to share and to work all together.
So all security researchers are welcome in the Polkadot ecosystem
in order to help us to be more secure.
Sweet. Thank you very much.
Yeah, first of all, again, thanks for having me.
And here, so, yeah, just stay Web3 safe.
I would say it's not just safe.
Do not click any links, verify your source.
Do not approve infinite amounts.
And, yeah, again, stay Web3 safe.
Awesome. Massive thanks again to all our amazing guests and to everyone who tuned in.
Remember, Web 3 and Crypto security is not a feature. It's the foundation.
You may lose a portion of your money when you make a bad investment, but when you lose crypto, it's definitive.
Like it's forever. You most likely won't get it back.
So stay curious, stay vigilant.
And until next time, it was Hacken. Mr. Fantastic. Signing off. Take care.