So hello everyone. Good morning. Thanks for joining for this session. We are having Quill Audits with us and we'll be discussing a lot of questions and one use case related to Hyperledger, how audits are done and what are they up to so that we can make some good decision in future. Over to Pradeep.

So, I'm Pradeep. I represent Quill Audits. I head the marketing division at Quill Audits. If anyone of you have already heard about Quill Audits, you would know what we do. For those who do not know, Quill Audits is basically in the business of securing smart contracts, securing Web3 projects. And we do it in a very passionate way in a way that our mission speaks for itself. Our mission is we are here to make Web3 a safer place. The testament of that is we have done already 700 plus projects. The clients are global, are spread across the globe, and they speak highly of us. And if you look at the world's rankings, we are at number three or number four. So we are a fast growing. We are making a very positive impact and we audit smart contract for the sole purpose of making the whole Web3 technology to evolve in a positive direction. So this is about Quill Audits. This is about me. Sanket, do you want to share about what you do at Quill Audits?

Sure. So, I mean, another thing I would like to add to Pradeep's description of Quill Audits is, our CEO Pritam has said multiple times that the money is in the code. And if the money is in the code, but the code is written by developers and developers are humans who make mistakes. So it's important that we do not understand the flaws in the code, which could lead to potential disasters. In terms of the funds that have been deposited by users into different protocols. So yeah, that's it. And my name is Sanket and I work on products on different products in Quill Audits.
So Quill Audits is a cybersecurity firm and we do audits primarily, but simultaneously we are also developing cybersecurity products to automate cybersecurity, given the fact that audits do tend to be really difficult. But nonetheless, audits will not go anywhere because tools are only suggestive measures. And my role is to understand how we can benefit users and how we can give them options to assess the cybersecurity protocols implemented by different protocols before investing into them. And also understand the vulnerabilities present in smart contracts by developers that have been written by developers. So yeah.

Thank you very much for the introduction. Karthikeya, maybe you can now tell a bit about what Hyperledger has about us and how have you been, you know, over the years.

Sure. So Hyperledger is one of the oldest community, which we have in India. It's one of the largest community under Hyperledger Foundation. We have close to 1500 people. And Hyperledger is having different, different chapters all across India. Noida is there, Mumbai, Hyderabad, Bangalore. We ranked second just after Bangalore. And we used to organize all such meetups where developers can understand, take some idea, take some inspiration. So it's always an open source community. And I also contribute to Hyperledger Foundation in different ways. So let's move on to our today's topic. Shall we start with some questions or you want to pick up some?

Sure. On that note, maybe, you know, I'll have a continuity of what you were talking about and maybe you can answer the audience about that concept. Just wanted to ask in that regard, how does Hyperledger handle authentication and access control?

So Hyperledger have a different ways of handling it. We have our own set of rules and regulation, which we can write it on configuration file. And then organizational level dependencies are there depending on how you make the nodes. There we have authentication things. Take a pause one minute. Yeah. Sure.
Yeah. Can we take some questions which you can answer?

Sure. Yeah. Go ahead.

Like, have you done any audit for Hyperledger?

Sanket, do you want to answer that question?

Yeah. So not to my knowledge. I mean, we usually work with Solidity and Rust based projects on Solana and majorly work on projects with Polygon and Binance Smart Chain. So Hyperledger is, I believe an enterprise level tech. Okay, my video is so sorry. Just a second. Yeah. So Hyperledger being an enterprise level technology and being a niche skill. I mean, the number of audits that do come are very less. So to be honest, our exposure to Hyperledger is very limited.

Okay. So I would also like to understand, there is one more thing called Hyperledger Besu, which does work with Solidity and EVM based things. You can also upload something on Ethereum main network and something. So have you worked on some kind of audit with Hyperledger Besu?

I mean, we in general avoid work, I mean, not as an avoid, but we don't have that sort of expertise working with Hyperledger Fabric. And the thing is that as Pradeep earlier mentioned, I mean, I understand that it uses Solidity. But to be honest, since we don't have a lot of exposure to the infrastructure, and we tend to deal with individual protocols that are currently developing their projects with Solidity or Rust. So we have auditors that have expertise, that have built certain protocols on these languages. Our auditors are used to auditing protocols that are made on these languages. And since, as I mentioned, Pradeep also mentioned that our service is a testament to the best quality that is out there. And since we believe in making Web3 safer with the best quality as well, we avoid taking on projects that we can't deliver the best.

Okay. Okay, so I have one more question if you can take that. Let's say, how convenient it is to use some kind of libraries like OpenZeppelin? Like, do you recommend using it or?

Yeah. Okay. I got your question.
Yeah, so from a security standpoint, it's fine because all these libraries are audited and already have the security implementations in place. So what we do in terms of, so okay, so in our audit process also, so firstly, we try to get a hang of the code quality while gathering the specifications from the clients. So our focus is on the complex code that has been written by the developers of the project. And I mean, using standard libraries like OpenZeppelin or code from Uniswap or Pancake, so usually comment out or, you know, we consider that as a dead code because these are already audited. This code is already audited and the cybersecurity implementations are there. And then we try to look for consistent coding style and follow the style guidelines for Rust or Solidity. And then we make sure that the contracts can be compiled and tested for formula tests. So this is how we work. And I mean, there is no harm in using OpenZeppelin standard libraries or, you know, taking code from different organizations that are open source and whose code has been audited.

Okay, thank you. And moving forward, I'll have one more question. So do you use, do you do mostly the audit of coding manually or there are certain tools which you.

Okay, so basically, so as I mentioned, the first part is to look for the specifications and understand what the protocol, how the protocol wants the contract to behave, what is the intended behavior of the contract that it has coded. So as I mentioned, after testing the code, removing the dead code and marking the complexity, marking the complex part of the code, what we do is we freeze the code and specify the commit hash. Oh, sorry, specify commit hash, yes. And then we do a manual review as you guys already know, we look for unusual behavior, common security vulnerabilities, like BSCW, guidelines and everything.
So then we do functional testing, in which, you know, the contract is deployed in a sandbox environment using Hardhat, Ganache or different tools. We also do gas analysis, look for, you know, latest attack vectors, say, escrow manipulation or access control, authentication, token supply manipulation, things like that. And to your point, we also use different automated testing tools, like MythX, Mythril, you know, and then Solgraph or solidity-coverage also we use. We also use LIDAR. So we have a myriad of tools at our disposal and we try and test all different tools. We also have some internal tools that we use. And part of my work in the coming, in the coming months, I believe would be to develop such tools to help us identify different attack vectors in code and how the content and functions is wrapped and passed through all that code to find that code and to find, I mean, as you mentioned, code in OpenZeppelin. So part of my work would be to find code that is already present in standard libraries and then separate that from complex code and then analyze the complex code for different attack vectors and possibilities of vulnerabilities and exploits.

Yeah, okay. So thanks for answering that. I have a few more questions.

Sure.

So the other question I would like from you to get it answered is, so developers always think through like before deploying it to main network, they should test it properly in some local environment or maybe on test network. Yeah, so let's suppose if I put something fishy on some some vulnerability mistake and I have put it on mainnet. Yeah, so now what will you advise?

I mean, the advice would be, I mean, obviously, if you're getting audited, the code audited. So, I mean, we would have to redeploy the code by testing it for the vulnerability, and we'll have to test it in a sandbox environment by, as I mentioned, freezing the code and specifying the commit hash, and then we will audit the code manually for each line.
And once we do find the vulnerability that could be exploited, we will try to fix the code and redeploy.

Yes. Okay, so there's one question. Maybe either you or Pradeep can answer. Somebody's asking in chat what kind of skill we need to have a career in Web3 security and future scopes. So I think you can also cover some bit of private blockchain also here.

Sure. No, so we would love for you to actually give more insight on how a career in security for private blockchains, you know, that could be made because I mean, I honestly don't have a lot of exposure to that. So what do you think?

So I would like to add in one point here. In order to make any career in this thing, one of the things that Quill Audits does is we have conducted one cohort wherein we train enthusiasts with the basics of auditing. And so that they can start initiating these practices in their career and step into the world of Web3 auditing and security. This is something that as a step to support Web3 guys, I think one of the things that is absolutely important in an evolution of a project is auditing itself. So any company or anybody who wants to enter into Web3 or maybe who is an entrepreneur. So these founders should take into consideration the security and auditing aspects, which means that in their technical team they should also have people who are knowledgeable about these things. So to support that and to drive such participation, we have already done this cohort and other cohorts are in the pipeline, which will be announced later. But this is just wanted to put this word in because it's totally worth it.

So I think to answer the question exactly, an auditor is somebody who has good expertise with or the development part of things. Because once you know how to code, probably and you know the my the nitty gritties and the details and the techniques to sort of ensure.
I mean, you know the best practices basically because you've been coding so much and so frequently and building different projects. So what this does is it gives you a handle on how different codes can be manipulated or what are the flaws that you need to look out for while writing the code. So an auditor is basically an experienced developer who has some techniques or a method to identify flaws and vulnerabilities. And I know Solidity I mean is not that old a skill wherein you say that you know I have 10 years of expertise and I will be an auditor. But in one year or six months or maybe 1.5 years if you've been coding on Solidity, then you must know that you know there are certain things that you need to look out for while you are coding and stuff. And obviously there are cohorts like ours and many other cohorts as well that do offer you know strategies to look out for these flaws and vulnerabilities in contracts. So to summarize I would say I mean learn Solidity and whatever comes before it, just the basics, then practice on Solidity for some time, develop projects. Showcase your projects at different hackathons and try to get it try to get its flaws exploited by different people and then develop your own techniques and then also join different cohorts or there's a lot of substance available online also, a lot of Medium blogs. We have our own roadmaps to development and best resources and practices on our portal called Web3 Suggest as well which indexes all the information about development and how to become developers and how to get into different careers into Web3 security and Web3 in general. And then probably you know just try to get some more experience by taking out bug bounties for different projects. So Immunefi is one such platform that allows you access to different bug bounties by different protocols. So once you tend to go through the code for these protocols and try to understand what sort of vulnerabilities can be exploited or exposed.
That would probably give you more experience and help you to understand you know how you can better your methods. So I think I hope that answers the questions for public blockchains and I mean Karthik I would love for you to sort of shed some light on how we can do the same for private blockchains if I'm sure there must be a difference.

Yeah so I also as part of my day job I also work for one of the big four where I do some kind of audits and with my past experience in auditing some of the private blockchains I would say your knowledge of understanding one architecture is very very important. Like how the data flows through, how that entry point is there and how well you can understand one architecture. Okay and read as much as possible about the securities, that itself is very very important. I'll give you one example in every audit is very different basically to me whenever some audit will reach out to me I have to think through the architecture first. And you can understand every project and every implementation is different in its own architecture so there is no specific thing or thumb rule that we have to follow. Okay so let's say if the architecture contains private key and public key of the user so you have to think through is the public key and private key secured properly. Is it put into HashiCorp wallet or how it is like made secure, so some some general principles you have to derive actually from the architecture itself, how the data is actually flowing, how everything is like kept in place. How well it is documented, documentation plays a very very vital role at least for your team to understand and for others also to understand. So document is a very important role that also I believe is one part of auditing, when we audit we also used to take care of how well you have documented certain stuff like how are you protecting your password. There should not be single admin to one cloud provider or whatever cloud you are using.
So first is and very very important is read as much as and through all the architectures which are available. You can you can Google it around what is the architecture of let's say. Broader architecture might be available for NPCI or something okay so broader architecture of some supply chain was must be available. The broader architecture of so many NFTs are available, architecture means just not means the smart contract, some other API calls are how it is done. So there are several such examples which are already existing. Go through those architecture and understand because it seems it's a private blockchain your architecture is already in your control. Okay, so when when the architecture itself in public blockchain we don't deal much with the architecture because that is not in our control. So reading as much as about the architecture that will actually help. Okay, so I can pick some questions on

I think Shane has made a very valid point in terms of security of any project. So, I mean, you know, as you were also mentioning that probably the business logic and how things work apart from, you know, the code part and the business operations work and the stakeholders involved are also very important. And, I mean, more so, even in, I mean, in public blockchains, I would say, I mean, obviously the business logic is important, you need to understand how you need to offer probably any other protocol is working. But what do you think is its implication in a private blockchain or in a private blockchain segment.

The question is for me. Yeah, I missed the question I thought you're asking this question.

No, no, no, no. I will allow Shane or to also.

Okay, so please, if you can allow Shane to answer that would be your view. Shane, I will come.

Hi. So yeah, I mean, we, in my firm, we actually deal mostly in the private blockchain and

I'm sorry Shane to interrupt. Can you give a brief introduction about yourself and then you can take the question.

Sure.
So I'm currently a developer for the surface Asia blockchain that for one of the big four. The roles includes in like developing the proof of concept solutions and some auditing mainly for the central banks and enterprises. So yeah, so as I was saying, some of these risks, especially when dealing with a large and complex systems such as like the central banks. So what we discovered is some of the vulnerabilities right. It does not come from the code but mostly of what is not in the code. So for example, like, because they have their internal controls, and they also have their governance that we have to match with our, like you said infrastructure. So, in case of, for example, is, maybe I should give one example, for example, like is multisig really needed in the private private blockchain right. I know it is multisig, for example, in the public chain. It will be more secure in that way, but it's arguably introducing more risk if you are implementing it in the private blockchain. Why because now you have two wallets that you have to be secure. This not only costs more, but it's also introduced more actors that interacting with the blockchain. So I guess this kind of like perspective on whoever thinking about making a career in a private blockchain space that it depends on the industry right. So dealing with like renewable energy industry, their requirements is way more different than the central bank or the banks or the financial institutions. So, getting the understanding, or on the how the operation works, who are the actors that we're dealing I think this will be like a very, very important in developing a much more secure architecture.

I think on this note, I have to request Sanket because Sanket has, you know, has a case study to sort of present which has, you know, which is absolutely interesting in this context and Sanket, we want to share that piece of information with us please.

I'll share my screen. All right. Is my screen visible.

Yes.
Okay, perfect. Yeah. So, right, so on second of December, am I audible yes. Okay on second of December 2022. We had Ankr protocol, which was, you know, exploited and more than $5 million were lost and not only were they lost other, you know, other protocols using their services also, you know, had to be at the brunt of this crash. So, I mean, I'll just briefly explain what Ankr protocol is. The Ankr protocol was based on DLT and was basically an integral part of, I mean, you know, the new web and this was before Web3 was termed as Web3. There were just cryptocurrencies and blockchain and the different underlying technology. So we'll just talk about its staking platform. It has a lot of different services, but we'll just talk about the staking protocol since that was the part that was hacked. So Ankr basically what it does is it allows you to stake your cryptocurrencies for different blockchains and in return it gives you and it gives you its own cryptocurrency called aETH or aBNB or aMATIC, which basically what you can do is it represents the currency that you had deposited plus these staking rewards for that currency. And, you know, that is how the pool of users that had staked their currencies are rewarded through the Ankr currencies. So, I mean, you know, you can deploy development nodes and build the apps and everything. But there are a lot of benefits to, you know, becoming stakers on Ankr Web3 platform, which, you know, which result from basically two types of tokens. A Ankr B and Ankr C. So you will see two types of tokens moving forward, aBNBb and aBNBc. So the two types of tokens are basically reward earning and reward bearing tokens. So aBNBb is a reward earning token. So basically the number of these tokens increases in your wallet and it's pegged one to one to BNB. For example, if so, for example, one aBNB is equal to one BNB. So then if your reward is 2 BNB and you had deposited 100 BNB. So currently you will have 102 aBNBb.
And the other token is aBNBc, which basically is which basically just represents the tokens, the reward, but in terms of the value of the token. So if you have deposited 100 BNB and your reward is 102 BNB, then your aBNBc will still be 100, but the value of each aBNBc will increase. Yeah, so, okay, so basically, as I mentioned, the aBNBb and the aBNBc are were the two models of tokens in which Ankr used to reward its users. So they were actually updating some of the reward policies and schemes in the contracts for these two tokens and while updating these contracts, they were using the private key. But the hacker, while the update was going on, was able to steal the keys because of the update, the private key was not and the private key was not completely secured. So the hacker was able to, you know, just steal the private key from the deployer's wallet of the deployer's wallet, which allowed them to gain absolute control of what I mean the wallet and allowed them allowed the attacker to mint more tokens to his address. So as you can see on the screen, the attacker minted 10 trillion tokens to address to his address. So these are some of the on chain details. I'll share this PPT with you guys so that you can see what actually happened and make more sense of the flow of things. So these are the address and I mean, obviously on different block explorers, you can go and check what actually happened. But if you go to Nansen dot portfolio, it allows you to see basically that what are the funds in each of these address. So if you just go to Nansen and you can just paste these contracts right now, I think the funds would be depleted, but around 2nd December when it happened, you would see that how the hacker had implemented the contracts and you know, minted 10 trillion tokens of aBNB to his own wallet. This is a short activity that anyone can do.
Yeah, so basically, this is what I was talking about, from an address the hacker, you know, had deployed this contract and if you want to see how this implementation contract was created. So Ankr was so this is the hacker only the deployer because he had the private key so it uses basically the hacker use the private key to deploy aBNBc tokens which are the reward earning token, which means the value of the token increases instead of the number of tokens increasing. And he implemented this to mint more tokens. So now you can see in this transaction after minting the tokens he had transferred these tokens to his own wallet and for that he had to pay a gas fee and for this gas fee he transferred the 1.125 BNB from deployer's compromised wallet to his own wallet. So you can see that not even the gas fee the hacker had to spend of his own. So in different attack vulnerabilities, or maybe you can see even, you know, like a honeypot or anything. Mostly what hackers do is they use their own funds, firstly, to get a sense of liquidity and how the pools are working and everything but in this case, hacker did not have to spend anything. And secondly, because I mean, he had already bought an access of the private key of the deployer's wallet. So I mean it's one of the most basic things to keep your private key most secure and we often take it very lightly that you know, I mean it's the private key and obviously no one would expose it. If such a multi billion protocol could do such a simple mistake then probably I mean you know we should implement more cybersecurity protocols or probably use a cold storage or whatever, I mean you know there are a lot of different ways to keep your private key secure even while exposing it while updating a protocol.
But there are a lot of things you can do to safeguard your private key, while doing such updates and such a protocol should have kept them in mind, given the fact that you know, more than I mean I think almost 30 billion dollars have been lost in more than 800 hacks in the past seven or eight years and in the last year alone, I think around 2.5 3 billion dollars have been lost. And obviously, after minting all these tokens and depleting the pools from PancakeSwap of aBNB tokens, he started, you know, just transferring the amounts to Tornado Cash after bridging the funds to Ethereum and Polygon using the Celer Network and you know the Multichain, or you can see the use of Celer Network to convert the to convert the funds to Ethereum, to convert USDC, Binance peg USDC, to Ethereum and to Polygon and then you and then sending those funds to Tornado Cash. And Tornado Cash is basically I mean it's a protocol for laundering cash so that so basically you put some funds into Tornado Cash and it divides the funds into multiple wallets and different things, basically it allows you to I mean not exactly launder the transfer cash and make it more difficult for other people to track the flow of funds by distributing these funds into different wallets, different accounts, different currencies, that sort of stuff. So you can see immediately after the crash this happened and another interesting I mean another interesting impact of the price dropping was that there is this protocol or maybe another staking platform called Helios. So yeah so there is this another protocol called Helios which is a staking platform, it uses a delayed I mean it uses an oracle but the information of aBNBc dropping by 100% was you know it was it was delayed so the information did not reach to them in time because of which the one of the hackers hacker was basically what they did was they put I mean they deposited I think 183,000 aBNBc and took out a loan of 16 million dollars in stablecoins so basically using
183,000 tokens of aBNBc they were able to extract 16 million 16 million dollars worth of stablecoins. Yeah so as you can see on different chains, so Tornado Cash as I mentioned it helps you to convert and send cash sorry send funds into different wallets and you know it's sort of untraceable, so the hacker used Tornado Cash to send to convert funds to different tokens of different blockchain. So if you can see there is one there is BNB and then there is MATIC, Polygon MATIC, and then there is Ethereum, so three different chains, used three different tokens on three different chains to send it to Tornado Cash and basically make the funds untraceable for the authorities. So as I mentioned you know about Helios also, so I mean post that exploit the primary motive of Ankr has become to alert different organizations or different platforms that have allowed the trading of aBNB tokens basically Ankr tokens to stop trading and obviously we had to use a new private key and secure all the smart contracts with the key to prevent the tampering. So I mean next I mean the current steps that Ankr could take for ensuring that you know all the users are you know none of the users are harmed in the long run and there is still some trust in their protocol, because even though the staking protocol did make some mistakes Ankr protocol also offers a myriad of different services which people will still keep on using regardless of the hack so they had to instill confidence in people so that they don't stop using the they don't stop using Ankr's different other other different services. So, firstly, I mean they should ensure that all the liquidity providers to different pools on different protocols are identified about you know, I mean the people who provided liquidity to pools in which these tokens were traded they are identified they are you know just notified about the hack and they are notified about what actually happened and how Ankr can compensate them.
So, then obviously they will have to purchase $5 million of BNB which was the amount that the hacker ran away with and they would have to fill in the damage created to different liquidity pools. But in this case there were two types of people, one were the liquidity providers that were caught off guard right and the other type of people were they knew that the hack happened, they were also liquidity providers but then they made use of this information that aBNB price had dipped by almost 100% and by making use of this information they actually were able to dump the token and make profits. So, it will be interesting to see how Ankr can identify probably by taking snapshots of the before and after of funds of wallets. So, yeah and then this is in the scheme of things to launch new Ankr BNB tokens and airdrop to affected aBNBc and aBNB users by as I mentioned taking snapshots of users who were affected before and after the exploit actually happened. Yeah, so the snapshot okay so yeah as a user the primary task should be that you should stop buying aBNBc tokens at any point from any pool and just wait for the Ankr BNB airdrop and just redeem it against the stake. So, that was it. Thank you.

Very interesting, Sanket. Indeed it's very important to sort of be as an end user. It's very all the more important to know about these hacks. So one of the things that we also do, you know, in this context is that we publish a well researched well studied newsletter that is, you know, that is curated for the benefit of not only people who are technologically, you know, informed about the audits and programming languages and everything but also to people who are in the world of investing who are interested in engaging with projects and things like that.
So, I think, from that standpoint, following our newsletter is very important because that is absolutely great wealth of information that you are getting at your fingertips every week and a very highly curated valuable information.

Shane has a question for us. Do you guys have any involvement with proof of reserves audit? If any, what are the key risks and takeaways from the project?

Yeah, so at the moment we don't do proof of reserve audits because primarily it deals with issuing a Merkle hash certificate by checking, I mean, you know, it's just not something that at the moment we are involved with. I mean, there are a lot of different organizations that are into this. In fact, I think someone from our team has shared the reference for Web3 Suggest. So to ensure that, you know, you invest into protocols and exchanges that do have a Merkle certificate or a proof of reserve. We have created a list of exchanges that do have a proof of reserve or a Merkle certificate to ensure that you only invest, I mean, you know, the FTX, you don't lose money in disasters like the FTX. So that is there in Web3 Suggest. Yeah. But at the moment to answer your question, we don't do proof of reserve audits.

Okay. Do you mind if I ask question? I think I just wanted to ask, are there any security best practices or guidelines that organizations should follow when they are using or probably consider they are considering the using of Hyperledger?

Yeah, so there are almost same kind of guidelines what we do for public blockchain as well. Here is specifically what is very much important is how well we keep our private key public key secure in some wallet, like as you call it or something. And then the architecture point of view, you have to build the whole architecture by yourself, like we do it on Kubernetes mostly.
So if your Kubernetes port should be well secured, and the other aspect, it relies again on which cloud you are using, let's say Azure or something, then you have to understand more details about the security of the cloud. And how well protected you are on your cloud by firewalls and some other kind of security aspect. When it comes to blockchain stuff, it's about the private key public key, how to secure, and rest all is almost same, how we do it for other applications which are on Kubernetes or on cloud securities. I can take a few more questions.
Are there any third party security audits or certifications for Hyperledger projects? Do you have any recognized?
Hyperledger basically, officially they don't give anything, but I still recommend that one should definitely go through cloud architecture and cloud certification cyber securities. And that will be very, very much important. Then about the DevOps, if they have some DevOps security certification done for Docker Kubernetes, those things will be very, very much helpful.
But how does Hyperledger also ensure the integrity of the data, like on the network, for example, to prevent tampering or manipulating of the records? Is there any built processes that protects the integrity of the data itself?
So for integrity purpose, we depend on the consensus, how this consensus is actually working. And we also provide the explorer. What Sanket was showing us, also an explorer where you can identify, verify several other things. So the explorer for Hyperledger is also same, where it helps you to investigate any run transaction which have happened. And it's a permissioned blockchain. So whenever we are enrolling one organization, so it's a close consortium, you know, so the different organization make one consortium for this private blockchain. And these organizations have their own set of rules which they can write in some YAML file. Those rules are very, very critical to examine and those rules, you can understand.
I'm just giving you a very generic and layman example how Hyperledger used to work. When somebody is joining the consortium, they have to go through the rules which we have already written. And those rules are very much critical to examine. So those rules are written in these YAML files. And the certification also we should do is for Hyperledger Foundation gives their own certification. If you do the certification, you will get to understand all details and understanding, the best understanding you will get once you pass that examination for Hyperledger about the YAML files, how these are actually configured. So configuring one organization is a very critical part. Cloud security is the second critical part. And third is this thing, what we say private key and public key security. The rest, you know, smart contract is same, how we do, smart contract also exist in private blockchain. Hyperledger allows you to have smart contract in different different languages. There are primarily three: Golang, then JavaScript, and one is Java. Okay. And smart contracts in this is mostly analyzed manually. So there are no such tools which Hyperledger is providing currently for the chaincode. Here the smart contract is called as chaincode. When analyzing chaincode, we are still trying to develop such tools where you can analyze your chaincode. So primarily, there are four things I would say. First is this configuration file, then the cloud security, then this is smart contract. And last is the DevOps infrastructure security.
Awesome. Thank you for the answer.
Yeah. So, okay. So, I mean, I just wanted to ask, since I don't have a lot of exposure with Hyperledger, in public blockchain we use cryptographic hashing to maintain the integrity. So, I mean, is this the same case with Hyperledger, since you mentioned, I mean, the bit about the chaincode? So is that how it works with Hyperledger as well?
Can you please repeat the question? I follow.
Reading one of the comments.
Okay, okay, that's okay. No, so I was just saying that in public blockchains you have cryptographic hashing. That's how, I mean, you know, sort of the smart contracts also do on blockchain. So since you didn't mention about the chaincode in Hyperledger as well, so do we also have cryptographic hashing to maintain integrity in Hyperledger?
Yes, it's same as it is low. So how we have a typical blockchain, like previous hash is matching with the next hash and all. So the blocks are created in such a way. So that's how same thing happens here. But little bit difference is we don't have continuous blocks flowing up. Whenever there is one transaction, that will form one block. So in public blockchains, what happens, there are like 30, 20, or sometimes hundreds of transactions in one block. Whenever there is one transaction, that will create a block. And meanwhile, it will be silent. And if there are two transactions at the time, it will take two. But on an average, there is only one transaction at one time in one block. So this, and also the cryptographic things is same. It uses SHA-256 to hash it and there's some encryption and same kind of block structure. The only difference I can say, the major big difference you can visualize is the formation of block. In public blockchain is continuous block which is flowing up whenever transaction is coming. It's just capturing, bundling all the transaction. But here, in this case, what happens is it's just sits for even in private Ethereum. Yeah, private Ethereum also there is like blocks are like keep on generating. Yeah, even when the data is not there. Even some transaction is not happening, the blocks will be keep on generating. But when it comes to Hyperledger, the blocks will appear only when you do some kind of transaction.
Understand. Thank you.
So if you have some more questions from audience, we'll take up, and last half an hour is only for audience if they want to interact with us. If we don't have, we'll wind up. So Shane, Ashok, anybody?
I probably have a question, right. So do you deal with any tokenization on Hyperledger Fabric? And if that is the case, how would you ensure that the tokenization is as secure as those implemented by the standard of ERC, for example?
Yeah, so with the latest release of Hyperledger 2.0, they have given us this flexibility to have our own ERC-721, ERC-20 or any such Solidity, EVM based smart contract. But it really depends on the use case where you want to use the ERC-20. Okay, since it's a private blockchain, for what purpose we will be using it, your token will have no value until you list it on some exchange. I think that's the thing. So still figuring out if the use case is demanding, if the use case requires such kind of token, then we should use it. Otherwise, I'm still thinking for a best use case where ERC-20 or such thing can be, you know, good fit for a Hyperledger based application or architecture. Did you get my point?
Yeah, but in terms of the implementation, so for example, is that the use case of tokenizing like, for example, electricity. So on this, and we want to clear an FTFA. So if you personally wish to choose Fabric or make soon for this purpose.
Yeah, I'll choose. See, since this is a good use case, let's say for tokenizing electricity grid, what how much electricity you are using this for this purpose, I'll definitely use Hyperledger Fabric because it is taking us to a private consortium. Okay, so these electricities will be privately dealt. We need not to put it on public blockchain. And a Besu-based private blockchain I'll prefer. Hyperledger Besu-based private blockchain, that will be more helpful than Hyperledger Fabric because Hyperledger Fabric comes with a lot of configuration details and some different different other things.
And these two will get rid of us and masses can adopt it very easily.
Is there any security concern on tokenizing like this? I know that we can deploy the ERC contract in Fabric, but it does not work the same as the one that you put on the edge of the chain. Is my understanding correct?
Security concerns for this one will be as same as how we do it in public blockchain. Maybe what Sanket and Pradeep are discussing is about, let's say if ERC-20 is deployed, then what are the vulnerabilities are there in the smart contracts? Same vulnerabilities will be here because both the smart contracts are same. So in that case, the security concerns will be only those controls which we look for normal ERC-20 in public blockchain.
All right, thank you.
I mean, do you guys have any more questions? We would love to take them up. Anyone else?
Karthikeya, I have a question, a generic question, in the interest of auditors who might be interested to take up a career in enterprise blockchains or permissioned blockchains. You said, you know, there are internal processes that you follow for Hyperledger. So if somebody wants to become an expert in enterprise blockchain or permissioned blockchain, what kind of, you know, certifications or probably what kind of training would help? Does Hyperledger conduct any security related trainings in specific, in the interest of people who are interested in this field?
Yeah, yeah, yeah. See, when it comes to private blockchain, it's just not one technology. So yesterday, I was reading about some funny meme on LinkedIn itself, like there was one hiring happening for blockchain expert. And below that, they have written there's nothing like blockchain expert. There are different different options available right now, Polygon, Ethereum, many are there.
And when it comes to private blockchain, it's just combination of all those technologies we have gone through. It has DevOps, it has Node.js, completely Node.js. The smart contract is also in Node.js, API is also in Node.js, your securities with cloud, how well you can secure firewalls, many other things. So you need to be expert of each of those things. You have to get one certificate for Kubernetes, you have to get one certificate for maybe in securities of Kubernetes, or maybe you have to get, definitely, you should have one certification for cloud security, you should have one certification from Hyperledger Foundation itself for Hyperledger Fabric. So combining all those you can get this thing. Is that answer clear? You have to be expert of cloud security, you have to do one cloud security, let it be GCP, AWS, or Azure, or anything. Because you will be ultimately hosting it on that. Then some normal cyber security is related to APIs. Okay, your APIs are written in Node.js, then your infrastructure based on Kubernetes, you have to be expertise on Kubernetes as well, then you have to get one certification for Hyperledger Foundation itself. So anything like that. So that will be a bunch of those technologies will help.
Sure, sure. So we have a question also from Ashok. He is asking, I would like to know the demand for auditors as a career in the future. So I would say, Ashok, I think the technology itself is evolving in a positive direction and there is a lot of, you know, there is a lot of hopes on this technology to be replacing the existing ones, right? So from that standpoint, you can already witness the kind of innovations that are happening in the NFT space, in the DeFi space, in the enterprise blockchain, like Hyperledger itself.
So the undeniable fact of any technology that is evolving is the security aspect of it, which remains as one of the concerns which has remained in the past, which will also remain in the future as one of the important aspects. So security guys will always have a demand, I would say. And you know, because this is an evolving technology, it is all the more important that security guys are in the forefront of any innovation and take part actively in any product development or so. So from that context as well, the auditors, you know, become a very integral part of any Web3 project. I hope this answers your question, Ashok. Thanks.