Transcript: AMA: with Mikhail from Certik

Welcome to our new AMA episode 10, today we have Mikhail, a security consultant for one of the largest web3 security firms. He is also the founder of Network Spotlight Elites, a community comprised of different professionals in web3; Lightspeed Venture, Polygon, and Fireblocks to name a few. To highlight the amazing innovation, Mikhail provides a platform for founders to educate their community about what they’re building. You can check out his channel, Network Spotlight with the link in the description.

Linkedin: https://www.linkedin.com/in/mikhail101/

Twitter: https://twitter.com/yerganjiev

Telegram: m1khail101

YouTube: https://www.youtube.com/@networkspotlight

‍

Question 1: What are some technological innovations/ development trends that you see in Web3 that are promising to make this space more secure from hacks and exploits? 

Question 2: Jerome: Apart from innovations or trends in the security space, what do you think will be the next catalyst for the years ahead? Could be a specific protocol, sector, innovation, or new entrants.

Question 3: Pratik: There have been several bridge hacks in the past year, and collectively over 1.2bn dollars have been lost. What in your experience are the most important due diligence factors that we should consider while evaluating a bridge? Are they the same if a centralized bridge or a decentralized one? 

Question 4: Jerome: What’s your view on AI or Automated tools that could help security researchers and auditors in the future? Do you have any other tools, frameworks, or lists of best practices in mind that could help the security researchers and protocols team do a better job in terms of security?

Transcript:

Pratik: Hello everyone. Welcome to our new AMA session with our guest. This is episode 10 and today our guest is Mikhail. He's a security consultant for one of the largest web 3.0 security firms. He's the founder of a podcast called Network Spotlight Elites. It's a community comprised of different professionals in web 3.0, such as Light Speed Venture, Polygon, and Fireblocks just to name a few.

To highlight the amazing innovation, Mikhail provides a platform for founders to educate their community about what they're building. You can check out his channel Network Spotlight with the link in the description of this video. Here are some of the things we discuss in this interview. We talk about some of the technological innovations and development trends that we are seeing in the security space to prevent ourselves from hacks and exploits.

Then we talk about the catalyst, the next big catalyst, in the years ahead in the security space. We talk about why bridge hacks happen and what are some of the important due diligence factors that we should consider when evaluating bridges. And finally, we discuss the role of AI and automated tools to help security researchers and protocol teams to do a better job in terms of security.

All right, Michael, thanks for joining today. So we have a few questions.

I'll start with the first one. In your opinion, you talked to a lot of founders, in the crypto space, in the security space specifically. So what are some technological innovations or development trends that you see in web 3.0 that are promising to make this space more secure from hacks and exploits?

Mikhail: yeah, great question, and thanks so much, for having me on.

I think when it comes to technological advances, there's, cat and mouse chase between innovation and security. Innovation is always a step ahead of what's happening from a security standpoint, but that's the exciting part, right?

We all wanna talk about what's happening on the innovation side, and the biggest advancement that a security firm can make is understanding what's happening when it comes to innovation, right? So it's tough to come up with something that will get ahead of the curve, so to speak, but if we can fully understand what's happening and understand the risks and have more data points, we can do a better job, helping projects avoid those exploits.

So, the more data. A security firm has all the different vulnerabilities, the better off they are because, the better they can understand some of the more common mistakes that a lot of projects make. And also it's understanding the challenges. For instance, right now there are a lot of attacks on the community.

There are ice-fishing attacks and pig-butchering attacks. These are all very interesting names. But these are very common, scams and security concerns that are transpiring within the community. And so for a security firm to truly be advanced, beyond just technology, they have to have a full understanding of what's happening on the vulnerability side.

Jerome: Very insightful. Communities and developers, maybe security researchers still need to create those dashboards. Maybe we ought to just find them, if they're just buried, basically on the internet in the web 3.0, because there are so many different protocols being built out there.

The second question would be, apart from innovation or trends that you see in the security space, and what you mentioned, what do you think would be the next catalyst for the years ahead? Could be a specific protocol, could be a sector, or could be innovation specifically. What's your view on that?

Mikhail: Yeah. From a technological standpoint, right? What's the next step for us?

So we started with Defi, and then we transitioned into NFTs, and then NFTs went into gaming and metaverse, and everyone's thinking, okay, well, what's gonna happen next?

I think that we'll continue to explore these options. But if you look at, Amazon, which started in the Mid 90's, started as a small, tiny little bookstore. And now they're this huge company. You look at it over the 25-plus year period. they have fully transitioned their model.

So the low-hanging fruit was the books. And now they provide so many more services. And I think right now what we're seeing, In web 3.0 is the low-hanging fruit, which is decentralized finance. We are seeing gaming, gaming in the metaverse, and, thus, augmented reality gaming. There's a lot of that going on, but there's going to be a lot more utility to come, from a N F T standpoint, we need something that we're looking at, phones being sold on the secondary market, and how do we track that, right? So N F T could be a good use case there. Another potential possibility is privacy. Privacy's been a very hot topic. There are specific chains right now that are focused on privacy. Now. There are a lot of regulatory concerns around that. So once we get a little bit more clarity, I think that will be a catalyst for innovation.

But even something simple as having a certificate, instead of a paper one, having that in a form of N F T and it doesn't need to be a pixelated drawing, but more of a piece of data that's unique. So there, we're going to continue to explore use cases for NFTs. We will continue to explore privacy. So we'll go beyond decentralized finance and Collection of 10,000 pieces of art.

And on the art side, we'll continue to explore that as well. We're already seeing that a lot of investors are, using art as a way to hedge their bets against inflation. so these are some of the things that I see, along the horizon.

Pratik: Got it. My question is regarding the bridge hack. In the exploits that happen in the past 12 to 15 months, we've lost 1.2 billion to bridge hacks. And so clearly this interoperability space is a big target for the exploiters. So in your opinion, how can we make this space more secure?

What are some of the due diligence factors that we should take into consideration?

Mikhail: Well, for us to, Understand those factors, we have to understand what are the reasons for the hacks, right? So there's a multitude of reasons. The most common thing that I see is, there are just not that many nodes on a bridge.

And so you can easily have a 51% attack just by compromising four out of the nine. If you have a 51% attack of the nodes, then you essentially run the risk of an exploit. So a successful phishing attack can easily take an entire network by doing that.

The other thing is a code glitch that allows hackers to set up a fraudulent signature, giving permissions to specific functions. So these two specific vulnerabilities are reasons for some of the more common exploits that have occurred recently that have made the news. but in terms of ways to avoid it well, increasing validator numbers, you know, that's one way.

Uh, also getting it audited by a reputable security firm because, at the end of the day, you have to ensure that the smart contracts are safe. And that there is a penetration test that is performed to secure the code base that revolves around the smart contracts, the back end, and the front end.

And also, for projects, they can perform bug bounties, right? These are ways to incentivize people to look for vulnerabilities and to reward them for keeping your bridge safe.

So, these are some of the ways to continuously monitor the deployed smart contracts and, some security firms are, doing this. and that allows you to see what's happening on the chain. and if there's anything, that's out of the norm, you're able to see it.

Jerome: I have a follow-up question regarding those tools. So would you say that we should keep them decentralized, meaning that we need to have different parties auditing and looking into it rather than the protocol themselves, or let's say the bridge themselves having the full stack?

Mikhail: Having a third-party auditor is definitely of value because, just like the same way you have a referee in a game, somebody that doesn't have any incentive, you want to make sure that this particular party that's involved in saying that, Hey, this is secure. You wanna make sure there's no incentive there. You wanna make sure that they have a very neutral stance.

Ultimately that's what will lead to trust and adoption.

Jerome: Okay., moving on to the next topic. And it's quite current basically because of chat GPT going full public. So what's your view on AI and or automated tools that could help security researchers and auditors in the future?

And another segment to this question would be if you have any list of, let's say, tools or frameworks or best practices in mind that could have security researchers or protocols themselves, to do a better job at securing themselves and the funds that they carry.

Mikhail: Yeah, great questions. You know, I'm still exploring what, uh, all the capabilities are of chat GPT. It's. Crazy to think about how far we've come.

Uh, I will say that there is a place for automated tools, in the security world. I don't think that it will ever replace humans. I think ultimately that's the biggest asset.

Right now, even if you look at chat GPT, a lot of people are finding, there are still some issues there, right? You can't fully rely on a computer, but, I think, is there a place? Absolutely. And where that place lies is, in an area where you may find some of the more common vulnerabilities. So if you have automated tooling and you're able to capitalize on some of the more low-hanging fruit, because you have a lot of data points that show that these are very common vulnerabilities, within these types of say, smart contracts, then that allows for the experts to focus more of their attention on the parts of the code base that's a little bit more complicated, that maybe involves more of an expertise in engineering.

Maybe it involves a higher level of computer science knowledge engineering, economics, whatever the case may be because all these things are needed to review the code base. It's not just making sure it's secure, but also making sure that from a design standpoint, there's math logic involved and there's a lot of components involved there that, AI at least right now, the automated tools, you don't wanna rely on those things because we're still, there's still a lot of innovation that's happening, and these automated tools, they will capture the vulnerabilities, but that's based on the more common ones that, we would find. So there is certainly a place that would ultimately help reduce the time. That you would need, for an audit.

And, I think that for a lot of projects, especially those that have a very time-sensitive roadmap that could be very useful. And then, in terms of specific tools, I know some auditors who have open-source tools that they used and some auditors don't. I don't know any of the ones I haven't played around with them.

I know that there's a lot that exists and certainly encourages everybody to explore and play around with them. However, I don't think that anything will replace having an actual third-party auditor going in and reviewing the code base. Ultimately, if you go with a reputable firm, That will create a lot more transparency and trust within the community, which ultimately is what you need to have a successful project.

Pratik: That's great. Um, Jerome, do you have any more questions?

Jerome: I would have one regarding those automated tools and the relationship that the third-party auditor would have with the protocol. do you feel like, those automated tools are not really out of reach but somewhat difficult to master by, let's say, solidity developers so that when they actually build the code and then hand it over to the auditor it's let's say in the more final state, or let's say it'll be less of a waste of time for the auditor, or is it not how it would work?

Mikhail: Yeah. I think it depends on the auditor.

I believe that a reputable auditor will not take somebody's word and they'll go in and they'll check themselves because ultimately that's their credibility on the line, right?

So I think that if an auditing firm is, Trying to cut corners for the project just to help the project save money, which we all understand, right? right now, based on these current economic conditions, we're all a little tight when it comes to that. But one thing that you don't want is you don't want to jeopardize the accuracy of the review of the code base. So taking somebody's word for face value I don't believe that's a good idea. I think a very reputable firm will go in and they'll check it themselves as well. I think that It's a case-by-case basis for a lot of the firms.

Some firms may be a little bit more lenient because they want to earn the business and some of the auditors will be more focused on their brand and protecting it and will want to go in and do an audit themselves.

But I think it is a good starting point just to have somewhat of an idea, right? Because if you can catch a few of those things yourself, you can make an update to your code base. And so when you present that code base to the auditor for a review, And, a very reputable auditor should give you certain steps, right? A preliminary phase is then followed by the final report.

But this will at least help minimize some of those vulnerabilities during the preliminary phase so it can help save some time. perhaps, maybe save some cost. I'm not sure what kind of circumstance that would be, but it always helps to do your due diligence first, before submitting it to an auditor.

Pratik: Well, Mikhail, where can people find you?

Mikhail: Yeah, great question. So I'm sure that we can, probably, include the links in the description because my handles are fairly long . But, I'm very active on Twitter. I'm very active on telegram, and on LinkedIn for those that are a little bit more professional.

So I'm happy to provide the links and we can include that in the description.

Pratik: Okay, great. Yeah, send it to me, and then, uh, I can add it to the description for sure.

And then one more question, which conference are you looking forward to in 2023? Have you planned any visits?

Mikhail: Yeah, uh, nothing in stone yet, but I haven't been to any of the ETH conferences. I haven't been to ETH Denver or ETH Barcelona. There's one in July. That's one that I'm interested in. Of course, I'm sure there's gonna be some before that. But the yearly ones that happen are always fun to attend. The Decentral, Consensys, and Messari, are always really good conferences.

But this time I'd like to add a little bit more to the. To the mix.

Pratik: Right on. Well, it was great talking to you, Mikhail. Thanks for joining us.

Mikhail: Likewise guys. Thanks so much for having me on. Thank you for the thoughtful questions, and if anybody has any questions, any concerns, I'm always happy to help.

Perfect. Thank you very much. Thank you. My pleasure. Thanks, guys.

‍