53 mins ago
5,890
Host: Alex, Mint Ventures Research Partner
Guest: Zhou Yajin, CEO of BlockSec, Blockchain Security Company
Statement: The content we discussed in this podcast does not represent the views of the institutions where the guests are located, and the projects mentioned do not constitute any investment advice.
Hello everyone, welcome to WEB3 Mint To Be initiated by Mint Ventures. Here, we continue to ask questions and think deeply, clarify the facts, explore the reality, and find consensus in the WEB3 world. We will clarify the logic behind hot topics, provide insights into the incident itself, and introduce diverse thinking angles.
BlockSec's service scope and target customersAlex: In this episode, let's talk about a topic that is closely related to you, which is the security of the crypto world. Before we encounter real risks, we often think that we will not be victims of security incidents in the news. How to build a firewall for your assets and allow yourself to invest in a secure environment is a compulsory topic before we embark on the crypto journey.
In this podcast, we invited Zhou Yajin from BlockSec, a blockchain security company, to talk to us about the topic of encryption security. Please say hello to us by Teacher Zhou.
Zhou Yajin: Hello everyone, I am Zhou Yajin, currently as CEO of BlockSec. I am also a researcher engaged in cyberspace security at Zhejiang University. I am very happy to meet everyone.
Alex: OK, let's get to the topic of today. I believe that a lot of listeners may not have that understanding of blockchain security companies and security services. Please tell us first about BlockSec, what kind of service content you provide, what kind of people and institutions will become your customers.
Zhou Yajin: OK, BlockSec is a Web3 security company. We were founded in 2021 and was co-founded by Teacher Wu and I. When it comes to Web3 security, the first thing that comes to mind is security auditing. In fact, BlockSec's business scope is not just about security audits, we also mentionProvides a range of other security products and services. Specifically, services can be divided into three major sectors.
The first section we call is security against on-chain protocols. On-chain protocol is some smart contracts that we deploy on the blockchain to carry out some DeFi or NFT, or other activities. How should the security of these contracts be guaranteed? BlockSec provides secure audit services and secure monitoring products.
The second part we are more concerned with is the security of assets. The so-called asset security is the assets that users have at hand. For example, these assets are in their own contract wallets or invested in some on-chain protocols. How to ensure the security of these user assets is also one of our BlockSec's service scope.
The third part is compliance and supervision. We have found that more and more traditional financial institutions are entering the Crypto industry. Including the news we have recently seen, these traditional banks in the United States have issued some stablecoin assets on the chain, including Crypto, which has entered the cross-border payment industry. In fact, after these traditional financial institutions entered this industry, they brought a problem to supervision. Regulators did not know how to supervise, and these institutions did not know how to comply with regulations. So we are also helping regulators to supervise these players entering the Crypto industry, or to help these traditional institutions entering the Crypto industry comply. These are the three scopes of our business.
Our customers have a wide range of coverage. What you can think of is project parties that do decentralized finance or other services on the chain, such as providing Lending platform on the chain and decentralized transaction platforms. These project parties are our customers. We can help them do some secure audits before deploying and putting the smart contracts on the chain, and review whether the smart contracts they develop have security vulnerabilities through a security perspective. If there are security vulnerabilities, they need to be fixed in time. At the same time, when their protocol is deployed on the chain, we will also have a 7×24-hour monitoring platform to monitor the security risks of their protocol. If any security risks occur, our platform can promptly notify the protocol and can automatically block risks and attacks.
So these developers and project parties who deploy smart contracts on the chain are typical customers like us. The second type of typical customers are those who own assets, which may be some high net worth customers who own some assets in the contract wallet, orIt is said that these high net worth customers will go to some agreements on the investment chain. Our services and products can help them better monitor the security of those protocols they invest in. Just like the front and back of a coin, from the perspective of the agreement project party, we can help them improve the security of the agreement.
From the perspective of high net worth clients who invest in their agreements, we can help them monitor the security of the agreements they invest in. Once the agreement he invests in has security risks, such as being attacked, he needs to withdraw his funds as soon as possible. The third type of customers is the supervision and compliance I just talked about. This type of customers is mainly some regulatory agencies. For example, the CSRC in Hong Kong is actually our customers, and some overseas law enforcement agencies need to investigate digital currency crimes. They need to use our tools and platforms to facilitate some investigation activities such as withdrawing evidence, tracing funds, etc. This is basically our overall business and the scope of our customers.
Three suggestions on encryption securityAlex: I understand, Teacher Zhou just talked about the types of customers, what kind of needs they have, and a rough industry situation. Then the second question may be more relevant to individual investors, especially the majority of our audiences are those who have just started to enter Web3 to learn and try to invest.
If you have a friend who has just entered the field of crypto investment and knows that you are engaged in encryption security services, please give him three suggestions on encryption security. Which three suggestions would you give him?
Zhou Yajin: This question is very good. My friends often ask me some safety advice. They also want to enter this industry, but I also heard that many people will encounter some risks. We once had a joke saying: If you have not been fished or scammed after entering the Crypto circle, you will not become a veteran player in this field. Of course this is a joke, but you can indeed find that there are many risks in this industry.
If you want to make three suggestions, the first one must be something that everyone will think of, which is about private key protection. In the Crypto field, how to prove that you own this fund is actually to use the private key you own to prove your ownership of this account. A private key is a string of numbers, which is not bound to your personal identity. Once this string of numbers is lost or leaked, others can have control of your own funds just like you. This is very different from our real world. In the real world, your bank password is leaked and you can callIf you ask the bank to freeze the account, no one can withdraw the money. But in the Crypto world, if your private key is leaked, the person who owns your private key can transfer your funds from your account without limit.
Usually, there are several ways to protect private keys. For example, we have a hardware wallet, use a contract wallet or a mobile phone APP to protect private keys. Each method actually has its own advantages and disadvantages. Through my own experience and the overall experience of some of our security friends around us, the basic principle is to write down the mnemonic of the private key. Write it down and put it in the safe. No matter whether the safe is owned by your own or the bank, save it well and don’t move it normally, and you can’t use it. Then use a device that you are relatively trusted, whether it is a hardware wallet or a mobile phone, to store your private key. This phone must be a dedicated device. Don't engage in any other operational activities, just to manage your own digital assets. This is the first suggestion.
The second suggestion is to have a sense of security and risk when trading on the chain. In essence, you only need to remember one sentence: pies will not fall from the sky. We found that when trading on the chain, the risk of phishing users face is very high. Many KOLs and OGs, including the crypto circle we are familiar with, have encountered phishing attacks and lost a lot of money. If an inexplicable website requires you to connect to your wallet to get the so-called airdrop reward, you need to be more careful at this time and be aware of safety.
The third suggestion is that you need to understand a little bit of basic knowledge of crypto assets. Basic knowledge refers to the concept of authorization in crypto assets. This is different from traditional finance. For example, you have a type of digital assets, USDT or USDC. Through the signature on the chain, you can authorize the assets to a contract or other users for use, and such authorization can only be achieved through your wallet to sign a bunch of weird things that you can't understand.
So when signing a wallet signature, if you don't understand or are deceived, you sign an authorized transaction, and others can use all your digital assets. So you need to have some basic understanding of authorization so that you will not sign such a transaction by mistake when signing a wallet signature. To sum up, the basic suggestions are: the first is to protect your own private key and give some actionable methods; the second is to be careful when conducting on-chain transactions, and be safe and do not be phished; the third is to have a basic understanding of Crypto's authorization mechanism, so that some authorized transactions will not be signed by mistake.
Alex: I actually have a lot of high net worth friends around me. They are also OG or veterans in the industry. Logically speaking, they have some of the security awareness you mentioned, but every year I hear some big players around me being stolen. There is a saying in the industry that if a professional hacker catches you, he knows that your wallet is rich, and if he uses all the resources available, it is often difficult for you to escape. Do you think this statement makes sense? Is this really the case?
Zhou Yajin: Your question is very good. In fact, security issues, especially when it comes to Crypto security, are essentially an unbalanced confrontation. If you have enough assets in your wallet, you will easily become the target of targeted attacks by others. Once you become the target of other people's targeted attacks, others will use a lot of resources, whether it is the social worker's resources, technical resources or other resources, and design attack methods against you based on the target's daily behavior patterns, life habits, etc. In this case, it cannot be said that it is 100%, but it is very difficult for you to defend, because others use a lot of resources to fight against you, and you are the only one. So it's a very asymmetric confrontation.
In this case, I think the basic principle is that the first is that we people say that wealth does not reveal wealth, that is, you should not disclose the assets you own, and avoid leaking the relationship between your personal offline identity and the identity of the on-chain assets. The second point is that even if you are a high net worth user and may have been leaked by others, you need to isolate your assets as much as possible. That is to say, the assets you operate on daily basis may be at most 100,000 yuan in your dedicated wallet. If others target you, you can only cheat the 100,000 yuan at most. And your other large amount of assets should be placed in a wallet that you basically don’t need to use. If you need to use these assets, you need to find a security expert to help you review a better set of operational processes and specifications, which can avoid very large risks.
Three most impressive security incidentsAlex: Understand, this suggestion is indeed very important. Can you share with us three of the most impressive security incidents since we started working? It can be experienced by you yourself, or it can be your friends or some of your experiences.
Zhou Yajin: I can share with you a security incident that we actually participated in and were deeply impressed by. The first exampleI remember it was on February 10, 2023, and there was a protocol on the chain called Platypus Protocol that was attacked. It is a platform for lending and other features. There is a security vulnerability in this protocol. Through this vulnerability, hackers stole nearly 9 million USD assets. The reason why I was impressed by this is because the hacker made a mistake when attacking the Platypus protocol. When he attacks a smart contract, he needs to develop a smart contract by himself. A smart contract can be understood as a string of code that can operate on its own. When a hacker attacks, he deploys his own attack contract, and the attack contract completes the entire attack process.
But attackers are also humans, and we all know that as long as they are humans, they will make mistakes. He made a mistake when writing attacks smart contracts, which had a vulnerability that could be exploited. This vulnerability can withdraw the funds stored in the attack contract, which is also the funds obtained from the attack platypus protocol. As a security company, we are actually always on the follow chain attack incidents, and we have a set of attack detection engines that can sense all attacks that occur on the chain at the first time.
It coincidentally happened that when the platypus was attacked, we had detected it immediately. We will independently analyze this security incident, such as what is the cause of its attack and what is the vulnerability. At the same time, we will also contact the project party to help them and tell them how to patch and deal with it. During this process, we discovered a hacker's vulnerability and told the project party that we could exploit the vulnerability. Then we developed a string of code with the project party to extract the attack funds, which is 2.4 million from the attacker contract. This is also the first time in the entire blockchain security history that we call it hack back, which means that we use its vulnerabilities to withdraw the funds it stolen to return to the project party. This is a particularly interesting confrontation, and I was quite impressed by it.
Alex: Did you have a cooperative relationship with Platypus before, or did you start to communicate after this incident?
Zhou Yajin: We actually had no cooperative relationship before, and we only contacted us after this incident. I can extend the process of handling security incidents. We have a set of security attack engines inside. When a security incident occurs, our engine will call the alarm as soon as possible, and an emergency response team will analyze it together. First, let's look at which protocol is attacked, and then we will use various methods, whether it isOn-chain Twitter or other methods, we will try to contact this project party.
In the case of Platypus, we did not have their contact information before. We contacted the project party through Twitter and helped him analyze the entire reason for the attack, because many times the project party doesn't know why the attack was attacked. Anyway, the money in the agreement is gone, but the reason is not clear. At this time, the security company needs to help him conduct analysis. After the analysis, it involves how to repair the protocol.
If the reason is clear, we need to fix this vulnerability, how to apply the patch, whether it is safe after the attack, and track the stolen funds, we also need security companies like us to help him together. We will deal with the project party throughout the entire emergency response process. Specifically for this case, we actually had no contact with this project before, but fortunately, during the disposal process, we contacted it in time and were able to recover part of the funds. In fact, more cases are caused by us who discovered the attack, but we cannot contact the project party.
Then the second case is also quite interesting, which happened in 2023. Our Chinese listeners may be more familiar with it because this case involves a project called ParaSpace. ParaSpace can pledge Boring Ape's NFTs and borrow other assets to get them out. I know that many Chinese OGs are actually holders of Bored Ape NFTs. This protocol actually has a security vulnerability, and it should have been attacked in March 2023. I clearly remember it was a time period like morning or noon in Beijing time. After our system immediately warned us, we first contact the project party and we have to analyze the reasons. However, we found that the first attack transaction that was exposed by our system was reverted on the chain. Revert means that the attacker had insufficient handling fees when attacking, which resulted in the attack transaction not being successful when it was launched. But his attacks on the trading behavior and trace have been exposed on the chain. Our system can also detect this kind of transaction that we call reverse, which means that it fails but is on the chain again. This is the ability of our engine, and it can be judged that this is an attack transaction. After judging, we thought of a way to say, can we simulate the behavior of attack transactions and automatically generate an attack transaction like it.But this attack requires quotation marks, and we need to replace the profit-making address in the transaction with our address. In this way, the funds in the currently in danger agreement can be rescued and placed in our own security account, and then contact the project party to return the funds to them. This is similar to saying that the bad guy's knife is almost cut, but for some reason, the first attempt was not successful. We can also try to withdraw funds in advance using the same method, so that when the attacker attempts to attack for the second time, there is no funds in the protocol and the attack will fail.
After we had this idea, we actually had a system inside that we could quickly automate such things, and then automatically generate a "attack" transaction, post it on the chain, withdraw the 5 million US dollars of assets in the ParaSpace protocol, and then we contact the project party to return the funds to them. This is actually very interesting. It is the highest amount in history. We call it rescue, which is an action to save funds on the chain. If it weren't for this rescue, their assets might have been robbed.
But after this security incident, it actually caused a lot of our thinking, because there are many security moral and ethical issues. For example, after we observe an attack, although the funds in this agreement are withdrawn, this is essentially an attack transaction. It simulates the attacker's behavior. Although the funds are withdrawn out of good intentions and returned to the project party, it is strictly an attack. This involves compliance and security ethics issues.
Our thought at the time was that when you see a bad person stabbing a good person with a knife, should you take action to stop it, or let it develop. I think we choose to stop it, although there are some moral and ethical issues and safety ethics. After this incident, we also deeply realized that on-chain security cannot save funds through the hack back we just mentioned, which is the method of hacking it back. The project party should be allowed to know the security risks he faces as soon as possible. He must know that the project is attacked, and then he can configure some automated operation strategies.
When these security incidents occur, our system tells him that he should be able to pause the protocol automatically, so that the attack will not succeed. It not only prevents attacks and saves users' funds, but also does not have any security ethical risks. This is after these two incidents, we developed the subsequent phalcon attack monitoring and blocking.The whole idea of the product. This is the second major security incident in my mind.
Alex: I seem to have noticed this security incident at that time. You just talked about protective attacks. I would like to ask a detail, that is, after the revert attack you mentioned just happened, you must need an internal discussion and decision-making to see if you want to do protective attacks. How much time has it been separated from discovering this incident to completing the decision to protect funds?
Zhou Yajin: It's very fast. It takes about a few minutes from the first time we know and finally finish this matter. Because the company has formed a very complete security processing process, it will immediately discuss and make decisions after knowing the security matters. After the decision is made, because there are already some automated tools, it can be done quickly.
Alex: understand.
Zhou Yajin: The third case is the Bybit security incident that everyone should have paid attention to recently. In February, US$1.5 billion of assets were stolen. This attack is also the single security incident with the largest loss in the security circle so far, and its losses are very different from the two security incidents I mentioned earlier. The previous two security incidents were caused by contract vulnerabilities, but Bybit's security incidents actually have nothing to do with the vulnerabilities in smart contracts. We call it the trust chain too long. In a system with such a large capital volume and such a long trust chain, the attacker found the weakest link through the attack of social workers and then completed the attack. Specifically, Bybit uses a contract wallet called SAFE, which is a smart contract wallet to manage it.
SAFE is a multi-signment wallet. You can understand it as a lock that requires three people to open at the same time. This lock can be opened and the funds inside can be withdrawn. This lock is made by a project party that provides such a contract wallet. You will find that the trust chain in this system is very long, including developers of SAFE wallets, people who operate SAFE protocols, and when using SAFE wallets, they have to go through the UI interface in the browser, and operators of SAFE wallets, which are employees of Bybit with three keys, or people with funding permissions. They have to go through the computer browser or through their hardware wallets to operate this SAFE wallet. You will find that there are many aspects involved in this.
IWe talk about safety. In fact, the most difficult thing when it comes to safety attack and defense is that when it comes to defense, you have to prevent any shortcomings in your system, because the water level of the system's safety depends on the shortest board in the system. An attacker does not need to break through the very good parts of your system. He only needs to find the weakest point in your system, and then use that point to launch an attack to complete the entire process. The entire attack process in the Bybit case is like this. He may find that first of all, this is a targeted attack, because he found that the Bybit SAFE wallet, which is the smart contract wallet, has a lot of assets. The target he selected is the developer of this SAFE wallet, because we just said that no matter who operates it, he must use the UI interface provided by SAFE, which is its website to operate your assets.
If I can break through the developer's computer through social workers or other means, let the developer deploy a malicious code on the SAFE website, and then when anyone goes to the SAFE website to operate his wallet, the operation behavior seen is inconsistent with the operation behavior that occurs on the actual chain, but normal users do not understand it. For example, when a normal user goes to the bank APP to operate, he sees 100 yuan transfer in the bank APP, but in fact, 900 yuan transfers, but I don’t know, because what I see in this APP is 100 yuan transfer. Then if you break through the APP developers or the SAFE wallet developers, so that the operators see the operation interface and actual behavioral rules in the wallet, you can complete the entire attack process. It is actually done in this way.
How can it get this developer permission? It was through some social workers' attacks that finally completed the entire attack process. In this, even when the SAFE developers are compromised, we actually have other opportunities. For example, if you can tell you what the transaction you signed when you sign your wallet is inconsistent with the transaction you see on the website, there is actually a chance. In the past, many banks had U Shields. If you have experience, you will find that there will be a display when you press the button on the U Shield. It tells you that you are transferring 500 yuan now. Are you confirming or not? You can confirm on the U Shield device. It actually solves this problem, because even if my APP is attacked, the APP tells you that you transferred 100 yuan, but when you finally confirm, the U Shield told you that you transferred 500 yuan, and you find that it is inconsistent.
Specifically, in this Bybit case, if you have such a better reminder ability in the wallet you signed, it can actually prevent such attacks. But the most regrettable thing is that in this case, the signed hardware wallet is not particularly well made. After SAFE's UI was compromised, it signed such a malicious upgrade transaction, and then the attacker took over the wallet and transferred it to $1.5 billion. So this is a very impressive thing.
A revelation this matter brings to us is that cross-verification must be done when it comes to large amounts of funds. You cannot trust the information a single provider or single point tells you. If you rely on information told by a single vendor or a single interface, as long as this is compromised, the system link will be gone. Therefore, cross-verification must be done, and a third party must help you verify whether what you see is real through the perspective of a third party. In such a case, the risk can be further reduced.
Experience social worker attacksAlex: In the case you mentioned just now, there is a word called "social worker attack". Perhaps not all listeners can understand the meaning of this concept. Can you explain it?
Zhou Yajin: The full name of social engineering attack is social engineering attack. It does not use some technical means, but a set of attack methods designed for you, your work habits, interpersonal relationships, your work responsibilities, etc. I can give you a case of social worker attacks that I have personally experienced, which is easier for everyone to understand. As the CEO of BlockSeo, I often receive some information, mainly two types. The first type is some invitations to participate in podcasts, conferences, and interviews. The second category is some investment institutions, who will contact you about some investment opportunities. I met someone who sent an email through the company's email saying that he was an investment institution and wanted to discuss some investment opportunities.
We have a strong sense of security. We will observe its email and domain name, and sometimes we will do some back-tuning, look at his company's website, and the investment profilio. After doing the back adjustment, I found that this was a pretty decent institution. Although I had never heard of this institution, I made an appointment with him at Calendar. But at this time you will find that the first strange phenomenon happened. When Calendar was on a meeting, he did not provide you with any meeting links.
We usually make appointments for meetings and will connect to zoom, google meet or other meeting software. But he didn't provide any link to the meeting, just made an appointment. When it is time to hold a meeting, you email him and say we are already holding a meeting and send me your meeting link. He will send you a meeting link immediately. After you click on this link, you will find it strange. He asks you to download a software.
If you have no experience at this time and feel that you are about to have a meeting, he will use your anxious mind to keep urging you through emails and bombard you with emails. If you are eager to facilitate this opportunity, you may install the software without hesitation, but in fact it is a video conference containing malicious elements that will steal your private keys in your computer. This is a social worker attack I have actually experienced. So you can find that the attacker will attack my position in the company and the job responsibilities I assume, using the mentality I was anxious about before the meeting.
Alex: I saw that there was a very high attention in the industry two days ago. The founder of a certain agreement said that when he was attending an offline party, his mobile phone left him for about ten minutes, and about a few million funds in his mobile phone wallet were stolen. Suppose this attack happened when his mobile phone left, is this also a social worker attack?
Zhou Yajin: Yes, I think it belongs to a social worker attack, but it actually does not belong to the social worker attack in our usual sense. Because in this case, his mobile phone is only left for a while. Of course, the main purpose of others inviting him or approaching him is to get his mobile phone, but how to unlock the mobile phone and obtain the funds after getting the mobile phone, actually there are some very strong technical support in it.
Security principles when interacting with blockchain protocolsAlex: understand. We just talked about many very representative major security incidents. Back to the time when we ordinary people do blockchain protocol interaction, as you said, many of the projects you previously served were Defi protocols, and many of us interacted on the chain were Defi protocols.
When we interact with these Defi protocols or other protocols, do we have some security principles that need to be followed? I believe that most ordinary users do not have the ability to read code, and may not even have the ability to read signed information. In this case, how can we minimize this risk?
Zhou Yajin: I think if ordinary users want to do on-chain transactions, they must first do some back-tuning of the project party. I think it is quite important. If you invest in a on-chain project, if you have a small capital and try it out, it may be fine. But if you say very seriously that I am an investor to invest in on-chain protocols, at this time, because your capital is relatively large, you may need to perform better due diligence on the project party. The due diligence here is basically divided into the following levels.
The first level is who the founder of the project party is, and whether it is anonymous, because some on-chain protocols are anonymous protocol projects. You have to know the quality of this protocol, you have to know who the founder is who appeared in public, and whether he has ever been rug After the history of the project, this is very important. That is to say, you must first make some back-tuning of the composition of the agreement itself and the identity of the founder.
The second point you need to make some back-tuning of the technical capabilities of the project party. You can see if the project party has been audited by a relatively top security company. Like what you just said, many users may not understand the technology and code, and cannot understand the audit report, but you can pull down the audit report and simply review Some core key points. For example, which auditors are, their reputation is good, and whether there are some security vulnerabilities in this report. It does not mean that the core security vulnerabilities are found in the report, which means that the agreement is not safe. It just means that the security company may be more conscientious. It has found some security vulnerabilities, which will reduce the overall security risk of the project party. It should be dialectically viewed. With the back-to-back of the project party, you should basically use a gradual approach when interacting, and do not use a large amount of funds at one time, so the risk is relatively high.
Another, it is necessary to use some professional security tools, such as some attack monitoring, some tools and platforms. If your capital volume is relatively large, you must always grasp the security risks of the protocols you invest in. You can use some platforms, such as our phalcon The platform monitors the overall security of the agreement you invest in. For users with relatively small funds, I think the main thing to prevent when doing on-chain transactions is the risk of phishing. After all, the probability of the agreement being attacked is relatively not that high, but the risks of on-chain phishing, authorization, etc. are indeed possible for ordinary users to happen at any time when they are on-chain.
Preventing these risks is to say that you should not be too greedy and not have pies falling from the sky. When you interact, try to confirm that this is an official website, not a counterfeit website. As for howTo confirm that it is an official website, it may still require a certain amount of information collection and organization. Of course, you can also use some security tools to identify phishing websites. In this way, some risks can be avoided.
Alex: I noticed an incident. Two days ago, Binance placed many tokens for projects, saying that the operations they could provide were not up to standard in all aspects, so Binance put it down. Then the project party said that due to various problems, the project will not be operated in the future and is in a semi-destroyed state.
So assuming this user may have used the DeFi protocol a year or two ago, no one in charge of the project party at present, and no one knows who the code upgrade permissions are on. In specific cases like this, will the funds in the wallet be threatened by hackers or people with ulterior motives because their upgrade permissions are not properly managed, and if your previous authorization is not cancelled, the funds in the wallet will be threatened by these subsequent impacts.
Zhou Yajin: Yes, this is also possible. Especially as you said just now, if a user authorizes his own funds to some agreements, and no one may maintain these agreements and smart contracts in the future, then if the authorization is not cancelled, there may actually be security risks. Regarding the solution to this problem, we have always suggested that ordinary users should review their authorization more regularly. You can revoke those authorizations that you do not use.
Many users may not know which project parties they have authorized to. We have made a tool called authorization diagnostic tool. If you enter an address, we can tell you which protocols this address has been authorized to. We found that many users actually authorize dozens of protocols, and many protocols are now inactive, and these protocols that are inactive and do not have security upgrades may have security vulnerabilities. As long as there is a security vulnerability, others can transfer your funds through the vulnerability of the agreement you authorized, which is actually a very big risk.
Alex: understand. I have another question about the security of interaction. In the past, some of the attacked DeFi protocols or other protocols, we found that using DEX and other protocols is relatively less stolen or attacked than those like borrowing or pledgeing. Does this have anything to do with the smart contract type of these two types of protocols? Or is there any other reason?
Zhou Yajin: You are right. Relatively speaking, DEX's security risks will be more important than other lending and Yield farming and some financial-derived protocols have lower security risks. Because first of all, the overall protocol of DEX is relatively simple, the protocol in DEX on the chain is a constant product such as xy=k. Of course, Uniswap V3 is slightly different, and the basic core is the constant product formula. First of all, its protocol is simple, and secondly, it already has a very good reference example, which is Uniswap. Many DEXs are derived from the Uniswap fork, so you only need to make some simple modifications to deploy DEXs on a chain. Its overall position with security risks will be a little lower.
But for lending, Yield Farming, or other leveraged lending, and some more complex functions, the design of its own protocol is relatively complicated. For example, when we build a lending platform, it sounds like I put an asset A in it and lent asset B. As long as I control the health of its entire asset, it will be OK. But for example, the type of assets of the collateral you want to support, the price of assets fluctuates, and then if you want to support leverage, how can you always keep the user healthy even if he pays off your money. The complexity of its own protocol will be higher, so the probability of these protocols being attacked is greater. I think this is the first reason.
The second reason is that DEX itself does not save money. Of course, the money in DEX is the liquidity provider, that is, the money you provide liquidity is placed in it. And the people who really use DEX just swap, put token A in, and token B will come back immediately, so your assets are not in the DEX Pool. Even if DEX's Pool is attacked, most users will not lose, and the losses are those who provide liquidity. But on the lending platform, it is different from other platforms. Your assets are actually placed in it, and you are over-collateralized. If you have some other more complex protocols, you will have many users' assets retained. After it is attacked, the group of damaged users will be equivalent to a relatively large number. I think this is the second reason.
And we also found that in the past, DEX has actually been attacked. The reason for its attack is relatively simple. First of all, the risk exposure of DEX is actually authorization. When you want to swap, you need to authorize your own tokens to the DEX routing contract. Although the routing contract does not save money, if there are some arbitrary execution vulnerabilities in the routing contract, then it is possible to sweep away all funds authorized to DEX users. We found that DEX has vulnerabilities that cause relatively large losses are mainly this type, but this type is relatively easy to discover. As long as you are a relatively qualified auditor, it is actually easier to discover.
Alex: So in the case of authorization vulnerability you just mentioned, if an audit company finds that DEX has arbitrary permission to execute such arbitrarily, it will generally suggest it that this is unreasonable, or will remind everyone of this matter when the report is disclosed?
Zhou Yajin: Yes, this must be a loophole, it must be unreasonable. If you allow the security company to audit, it must fix this, which is a very critical vulnerability.
The current situation and potential of the blockchain security industryAlex: OK, we just talked about a lot of specific issues in security offense and defense, as well as how to protect the security of personal assets. Let’s talk about the last question today, about the situation in the blockchain security industry.
As you said, in 21 and 22 years, there were a lot of DeFi, and the number of customers in the blockchain security industry was very large. So to this year, what is the current level of the security industry? In addition, its current development status and profit level are roughly what is its level?
Zhou Yajin: This is a good question, because in the blockchain security industry, you have to always know where the current stage of the industry is and where the ceiling is, so as to better develop the company. At present, there is actually no recognized data about the market cap of the entire blockchain security industry. But there are some reports online, or based on their own calculations, they think that the overall scale of blockchain security industry is about 3 billion US dollars a year. This scale is actually relatively small compared to the traditional network security industry. For example, in 2024, the scale of the entire traditional network security should be around 100 billion US dollars. The difference between 1,000 US dollars vs. 3 billion US dollars is actually quite big.
I think this is related to the current development status of the entire industry, because blockchain security is essentially a secure product and service serving the blockchain industry. The overall blockchain industry is actually still in its early stages. For example, the time period that had developed better before was when Defi Summer was, some new innovations came in.
In the past one or two years, after the wave of financial innovation of Defi Summer, there seems to be no particularly good and more innovative thing coming in, resulting in the scale of the entire blockchain industry actually reaching the highest TVL in 2022. I remember that at that time, the highest level of the entire blockchain-secured TVL should be 177 Billions, which is more than 100 billion US dollars. But today I took a look at the data before participating in this show. Now the entire TVL is 99 Billions, which means it may be a little more than half from the peak, which makes it seem like the development of our blockchain industry has encountered a bottleneck.
But at the same time, we have also discovered new potential in this industry, that is, traditional financial institutions are slowly entering this industry. There are some signals from traditional financial institutions entering the industry, such as traditional banks issue stablecoins on the chain, and they are in compliance with regulatory compliance. Traditional payments, such as Stripe, are supporting Crypto payments. Some cross-border payments are used to solve the payment problems faced by traditional cross-border e-commerce through Crypto.
So we will find that although there is no innovation like the DeFi Summer brought in 2021 and 22, which triggered a new high in TVL, traditional financial institutions and merchants with real-life scenarios entering this industry, they will bring compliance to the entire industry after they come in. If an industry wants to develop relatively largely, it must develop in compliance with the regulatory framework and system. I think this is the opportunity we can see in the last one or two years. So overall, the overall scale of blockchain security industry is still relatively small and is still in its early stages. However, with the entry of traditional financial institutions and more and more supervision and compliance, I think the potential for explosion here is still relatively large, which is my own observation.
The moat of the leading security companiesAlex: OK. I was very impressed by it. In 21 or 22 years, I felt that blockchain security companies, especially those who do smart contract audits, were very profitable. Even some well-known security companies can ask you to arrange audits quickly if they can be given a favorable treatment to you. What are the main moats of those security companies that do you think are the most important?
Zhou Yajin: I think there may be a few points. The first point is to talk about brand and trust. Especially security auditing, it is actually a service with very strong requirements for brand awareness. You just mentioned that when the market was better, the audit was very popular.It takes a long time to queue. In fact, the top security audit companies are still in this situation today. It does not mean that a project party can provide human resources immediately. The top branded security companies are still in such a state of insufficient supply. So I think a moat is brand and trust. How to establish a better brand image in the blockchain security industry and the trust brought by the brand, whether trust comes from users, project parties or other participants, this is very important.
The second point is the need for innovative technologies that are safe. Apart from solving blockchain security problems and doing security audits, are there really no other solutions that need to be supplemented? Secure audit It can only solve the problem that the project's smart contract is deployed on the chain before it is deployed. However, after the real project is launched, the project party may change the parameters, and it may do some daily configurations. The daily upgrades do not conduct audits due to queues or cost considerations. That is, many of them have security problems due to various reasons after the smart contract is deployed. We cannot rely solely on security audits to solve such problems, but we must have some innovative security technologies and products that can solve such problems. This is also what I think BlockSec is very different from other blockchain security work. In addition to having secure audit services to smart contract security before the agreement is launched, we also have a platform that can cover the monitoring and blocking of attacks after the smart contract is launched. This is also the only blockchain security company in the world that has both intelligent audit and attack monitoring and can cover the entire life cycle of smart contracts. This is very important, that is, you must have safe and innovative technologies and products that can help users truly solve problems in this market.
The third point is compliance, supervision, and geopolitical impact. The Crypto industry will eventually need to be under compliance and supervision to obtain large-scale development opportunities. Not everyone agrees with this view, but we have been in this industry for so many years. We can see that the development of this industry must be under the sunshine, under the compliance and regulatory system, so that the traditional old money can be attracted to this industry. Under this situation, we will provide early compliance and regulatory products and services. Compliance and regulatory products and services require you to have a deeper understanding of the regulatory and compliance requirements of this industry, and then you can turn them into product-based products. In addition, the so-called geopolitical influence is that some regions actually have some geopolitical considerations when choosing suppliers. For example, Hong Kong regulators may prefer products that are not from U.S. suppliers. So when you have a deep understanding of regulatory compliance, have better products, and have some geographical impact, I think this isThe moat of blockchain security companies.
Alex: Understand. Today we have a lot of dimensions about encrypted security. We have talked about it from a specific security incident to some security principles that everyone needs to pay attention to, and including the development scale of the entire industry. Thank you very much for Zhou Yajin for being able to share these insights on our program today. I hope we will have other opportunities to talk about more related topics in the future.
Zhou Yajin: Thank you Alex.
