Live from Nassau in the Bahamas, it's theCUBE covering Polycon 18, brought to you by Polymath. Hey, welcome back everyone. We're live here in the Bahamas. theCUBE's exclusive coverage of Polycon 18. I'm John Furrier with my co-host Dave Vellante, co-founders of SiliconANGLE. We start our coverage of the cryptocurrency, ICO, blockchain, decentralized world, internet that it is becoming the beginning of our tour 2018. Our next guest is Hartej Sawhney, who's the advisor at Pink Sky Capital, but also the co-founder of Hosho.io. Welcome to theCUBE. Thank you so much for coming on. Thanks for coming on. Thanks guys. We had a great chat last night and you're doing some real good work. You're one of the smartest guys in the business. I've got a great reputation. A lot of good stuff going on. So take a minute to talk about who you are, what you're working on, what you're doing, and the projects you're involved in. Well, so first of all, thank you so much for having me. It's really exciting to see the progress of high quality content being created in this space. So my name is Hartej Sawhney. We have a team based in Las Vegas. I've been based in Las Vegas for about five years, but I was born and raised in Central New Jersey in Princeton and my co-founder is Yo Sub Kwon. We started this company about seven months ago and my co-founder's background was he's a co-founder of Coinsetter, an exchange out of New York which exited to Kraken. After that he started LaunchKey, which exited to iovation. And prior to this company, my previous company was Zuldi, Z-U-L-D-I dot com, where we had a mobile point of sale system specifically for high volume food and beverage companies and businesses. So we were focused on FinTech and mobile point of sale and payment processing. So both of us have a unique background in both FinTech and cybersecurity. And my co-founder, Yo, he had been running a, he's a managing partner of a crypto hedge fund named PinkSky Capital. 
And he was doing diligence for PinkSky and he realized that the quality of the smart contracts he was seeing for deals that he wanted to participate as an investor in and I'm an advisor in that hedge fund, we both realized that essentially the quality of the smart contracts is extremely low. And that there was nobody in the space that we saw laser focused on just blockchain security and that on all the solutions that would be entailed in there. And so we began focusing on just auditing smart contracts, doing a line by line code review of each smart contract that's written, conducting a gas analysis and conducting a static analysis, making sure that the smart contract does what the white paper says and then putting a seal of approval on that smart contract to mitigate risk that the code has not been changed once we've done an analysis of it, that there's no security vulnerabilities in this code and that we can mitigate the risks for exchanges and for investors that someone has done a thorough code analysis of this, that there's no chance that this is going to be hacked, that money won't be stolen, money won't be lost and that there's no chance of a security vulnerability on this and we put our company's name and reputation on this. And what was the problem that is the alternative to that? Was there just poorly written code? Was it updated code? Was it gas was too expensive? They were doing off-chain transaction? I mean, what is some of the dynamics that led you guys down this path? I mean, this makes sense. You're kind of underwriting the code or you're insuring it. I mean, I don't know what you call it, but essentially verifying it. But what was the problem and what were some of the use cases of problems? I would say that the underlying problem today in this whole industry of the blockchain space is that the most commonly found blockchain is Ethereum. The language behind Ethereum is called Solidity. 
Solidity is a brand new software language that very few people in the world are sufficient programmers in Solidity. On top of that, Solidity is updated as a language on a weekly basis. So there are a very limited number of engineers in the world who are full-stack engineers that have studied and understand Solidity, that have a security background, and have a QA mindset. What everything that I just said doesn't exist on this Earth today. And if it does, there's a chance that that person has made too much money to want to get out of bed because Ethereum's price has gone up. So the quality of smart contracts that we're seeing being written by even development shops, the developers building them are actually not full-stack engineers, they're web developers who have learned the language Solidity, and so thus we believe that the quality of the code has been significantly low. We're finding lots of critical vulnerabilities. In fact, 100% of the time that Hosho has audited code for a smart contract, we have found at least a couple of vulnerabilities. Even as a second or the third auditor, after other companies conduct an audit, we always find a vulnerability. And is it correct that Solidity is much more easy to work with than, say, Bitcoin scripting language? So you could do a lot more with it. So you're getting a lot more, I want to say, road code, but maybe that's what it is. Is that right? Is that the nature of Ethereum? Compared to Bitcoin script, yes, but compared to JavaScript, no. Because Fortune 500 companies have rooms full of Java engineers, Java developers, and now the newer blockchains are being written to be written on in JavaScript, right? So you have IBM's Hyperledger program. You have EOS. You have ICX, Cardano, Stellar, Waves, Neo. There's so many new projects that are coming that all of them are flexing about the same thing, including Rootstock, RSK. 
RSK is a project where they're allowing smart contracts to be tied to the Bitcoin blockchain for the first time ever, right? And so Fortune 500 companies may take advantage of the fact that they have Java developers to take advantage of already that already worked for them who could easily write to a new blockchain, and possibly these new blockchains are more enterprise grade and able to take more institutional capital, but only time will tell, and us as the auditor, we want to see more code from these newer blockchains, and we want to see more developers actually put in commits, because what matters the most is where are the developers putting in commits, and right now maximum developers are on the Ethereum blockchain. Right. Is that like the numbers? I mean, just take a step there. So Ethereum blockchain, percentage of developers vis-a-vis other platforms, percentages. By far the most is on develop on Ethereum. And in terms of code, obviously the efficiencies that are not yet realized because it's not enough cycles of coding going on, it's evolution, right? Yes. Seems to be the problem when you're saying it. So combination of full stack developer requirements to people who aren't proficient in all levels of the stack, just are inefficient in the coding. It's not a ding on the developers, it's just they're writing code and they miss something, right? Or maybe they're not sufficient in the language itself. It's a new language. The functions are being updated on a weekly basis. So sometimes you copied and pasted a part of another contract that came from a very sophisticated project. And so they'll say to us, well, we copied and pasted this portion from EOS. So it should be great. But what that's leading to is either A, they're using a function that's now outdated, or B, by copying and pasted someone else's code from their smart contract. This smart contract is no longer doing what you intended it to do. Yeah. 
So now, Hartej, how much of your capability is sort of human versus machine, ML, AI type stuff? So we're increasingly becoming automated. But because of the over, there's so much demand in this space. And we've had so much demand that has consistently conduct audits. It's tough to pull my engineers away from conducting an audit to work on the tooling to automate the audit, right? And so we are building a lot of proprietary tooling to speed up the process to automate conducting a gas analysis where we make sure you're not clogging up the blockchain by using too much gas. Static analysis, we're trying to automate that as fast as possible. But what's a bit more difficult to automate, at least right now, is when we have a qualified, full-stack engineer read the white paper or the source of truth and make sure the smart contract actually does it, that is, it's a bit longer tail where you're leveraging machine learning and AI to make that fully automated. In art, human art. Talk about the human art. Maybe it's that, I'm sorry, John, is that the long-term model or do you think you can actually, I mean, there's people who say augmented intelligence. It's going to be a combination of humans and machines. What do you think? I think it's going to be a combination for a long time that every single day that we audit code, our process gets faster and faster and faster because once we find a vulnerability, finding that same vulnerability next time will be faster and easier and faster and easier. And so as time goes on, we see it as, since the bundle of our work today is ICOs, it's token generation events. They're ERC-20 tokens on the Ethereum blockchain. And we don't know how long this party will last. Like maybe in a couple of years or maybe a couple of months, we have a big twist in the ICO space that the numbers will drastically go down. The long tail of Hosho's business for us is to keep track of people writing smart contracts, period. 
But we think that they're going to become more functional smart contracts where the entire business is on a smart contract and they've cut out sophisticated middlemen, right? And maybe less ICOs. And in those cases, I mean, if you're a publicly traded company and you're going from R&D phase where you wrote a smart contract and now actually going to deploy it, I think a publicly traded company is going to do three to five audits. So they're going to do multiple audits and take security as a very major concern. And in this space today, security is not being discussed nearly as much as it should. We have the best hedge funds cutting checks into companies before the smart contract is even written, let alone audited. And so we're trying to partner with all the biggest hedge funds and tell the hedge funds to mandate that if you cut a check into a company that is going to do a token generation event that they need to guarantee that they're going to at least value security, both in-house for the company and for the smart contract that's going to be written. How much you charge for this? I mean, just ballpark. Is it the range of purchase price, sales price? What's the average engagement go for? Is it on a scope of work, statement of work? Or is it license? I mean, how does it work? So first it depends on, is it a penetration test of the website or the exchange? Penetration testing of exchanges are far more complex than just a website. Or if it's a smart contract audit, is it an ICO or is it a functional smart contract? In either case, for the smart contract audit, we have to build a long set of custom tooling to attack each and every smart contract. So it's definitely very case by case, but a ballpark that we could maybe give is somewhere around the lines of $10 to $15,000 per 100 lines of functional code. And we ask for about three weeks of lead time for both a smart contract audit and a penetration test. 
And surprisingly in this space, some of the highest caliber companies and highest caliber projects of the best teams are coming to us far too late to get a security audit and a penetration test. So after months of fundraising and a private presale and then a private, another presale and going and throwing parties and events at conferences to increase the excitement for participating in their token sale, what we think is the most important part, the security audit or smart contract is left to the last week before your ICO. And a ridiculous number of companies are coming to us within seven days of the token sale. Scrambling. Scrambling. And we're saying, we've seen you at seven conferences. I think that we need to delay your ICO by two or three weeks. We can assure you that all of your investors will say thank you for valuing security because this is irreversible. Once this goes live and the smart contract is deployed, it's irreversible. Right, right. And once we seal the code, no one to touch it. It's always the case with security. It's bolted on at the last minute. It's like back in the recovery, oh, we just back it up. It's an architectural decision we should have made that months ago. Okay, so a question for you in the smart contract because again, I'm just getting my wires crossed because there's levels of smart contracts. So if we hypothetical ICO or we're doing smart contracts for our audience that's going to come out soon. But I see that more as transactional. There's security token sales that are essentially can be ERC-20 tokens. And that's not huge numbers. It could be big, but not massive. Not a lot of transaction costs. That's a contract, right? That's a smart contract? People are writing smart contracts to conduct a token generation event most commonly for an ERC-20 token. That's correct. Okay, I call that the big enchilada. That's the big important. Right now that is the most important, most common. 
Okay, so as you go over the future, I can envision a day where in our community, people are going to be doing smart contracts peer to peer. Sure. How does that work? Is that a boilerplate? Is it audited and then it's going to be audited every time or do the smart contracts get smaller? I mean, what's your vision on that? Because we are envisioning a day where people in our audience will say, hey, Hartej, let's do a white paper together. Let's write it together, have a handshake, do a smart contract, click, click, lock it in. Yes. And charge a dollar download, get a million downloads. We split it. I envision a day where you can have a more drag and drop smart contract and not need a technical developer to be a full stack engineer to have to write your smart contract. Yes, I totally envision that day. That's not today. That's, we're very far from that today. We are. Dave, kill that project. Yeah. We're so far, we're very far from that. We're light years far from that. Okay, well, if we can't eliminate the full stack engineers, I'm okay with that. Can we eliminate the lawyers? At least minimize them. We can minimize them possibly, but we have five stacks of lawyers for our company. I don't see them going anywhere. We need lawyers. I see that all the time. Press sometimes, yeah, it's going to get disrupted. They're going to go, I don't see it happening. Okay, we were having a great conversation off-camera about kind of what makes a good ICO. You see, you have a huge observation space. And you were very opinionated. A lot of companies are out there just floating a token because they're trying to raise money. And they could do the same thing with Ethereum or Bitcoin. That's correct. My thoughts are that it's very important for companies who are sophisticated, I think, to start by giving away a little bit of equity in the business. 
And that if you want to be in a blockchain space and you really firmly believe you have a model to have a token within a decentralized application, I would still start by finding quality investors in the space, in the world. They might be still in Silicon Valley. Silicon Valley didn't just disappear overnight now that the blockchain is out. I'm all for the fact that Silicon Valley no longer has as much of a grip on tech because of the blockchain world. And they're not seeing as much deal flow. And there's not as much reliance on venture capitalists. That's exciting to me. But let's not forget the value that top tier VCs like Andreessen Horowitz and Vinod Khosla and FinTech VCs like Commerce Ventures, Nyca Partners in New York, Propel VC, like these are good FinTech VC arms that continue to time and time again add immense value to companies. And they have networks, they add value. They have strong value networks. They're just not going to disappear. And those VCs, if they've invested into a company, took a board seat, fostered their growth, taught them what it means to actually be a real business that's growing at seven to 15% week over week, maybe two years down the line after they've given away a board seat to someone like Nyca Partners, I would be interested in understanding what your token economics look like now that you have a revenue generating business, how you've placed a token model into this already running business that makes 25 to 50 grand a month and you have a team of 10 self sustaining themselves off of revenue. Much more intriguing of a conversation. What's happening today in this space is, hey, my buddy Jim and Steve and I came up with an idea for this business. There's going to be a token and we're starting a private presale tomorrow. I'm going to give you 300% bonus and will you be my advisor? And you can start raising capital because of an idea. 
Maybe, you know what we used to say in the Silicon Valley startup world, you can raise on just a PowerPoint. I think in the blockchain world you can raise on just an idea and then maybe a white paper and the white paper is one page and so you've raised a bunch of capital, you have a white paper and- Now you got to build it. Now you got to build, you got to write a smart contract you got to build it, you got to do it and then everyone loses excitement and it goes back to our previous conversation to development talent. So another thing not being discussed in this space is company employee retention. So if you have a growing number of ICOs that have very large budgets because investors have found a way to sink millions of dollars into a company early. So you've got $5 million in the hands of a company to start. Well this company can afford to pay someone a very ridiculous salary to come join them to write the smart contract now. So they could offer an engineer, I don't know, 500 ETH a month to come join them for three months. So you have good engineers just bouncing from one ICO to the next and as soon as the ICO goes live, they quit. This is a problem to companies who are- It's migration, out-migration of the company. Yeah, how do you retain human capital? Companies like Hosho, ShapeShift, companies that are selling picks and shovels in the industry that want to be household names in this space, we have to really think about how we're going to retain our employees in this space. So the recruitment and bringing on the new generation, we're also talking off camera about Bill Tai and the younger generation kind of riffing on the notion that there is a new set of mission driven developers and builders on the business side as well. Your thoughts and reaction to what you see and what you see that's good and what you see that we need more of. 
So the most powerful thing in the blockchain space that I think is so exciting is that you have a lot of people between the age of 25 and 35 that don't come from money that didn't go to Stanford, didn't go to the Y Combinator. They're probably not white from- Ivy League schools, yeah, Ivy League schools. I'm not trying to make it about race, but if you're a white male that went to Stanford and went to Y Combinator, chances of you raising VC money on Sand Hill are a lot higher. Yes, true. And you have a guy looking like me who didn't go to Stanford, doesn't come from money, running up and down Sand Hill, I have personally faced that battle and it wasn't easy. And we were based in Vegas, and so being based in Vegas, I'd also have to deal with, so why do you live in Vegas? When are you going to move to Silicon Valley? And if we invest in you, you're going to open an office on Sand Hill, right? And now in the blockchain world, what's exciting is you have so many heavy hitters running as founders, some of the most successful companies in this space who don't come from money in a big prestigious background, but they're honest, they're hardworking, they're putting in 12 to 15 hours of work every single day, seven days a week. And this space, six weeks is like six years. And we all have a level of trust that goes back to the times when we were all running struggling startups. And so our bond is, to me, even more significant than what must have been between Keith Rabois and Peter Thiel in the PayPal mafia, that we have our own mafia as being formed of much stronger bonds of younger people who will be able to share much more significant deal flow. So if the PayPal mafia was able to join forces to punch out companies like eBay and Square, wait till companies in this space, we have young heavy hitters right now who are non-reliant on some of the more traditional older folks. Wait till you see what happens in the next couple of years. It's a great conversation. 
I know, I want to get one more question. And we've seen keiretsus form, mafias, teams, more than ever as community becomes their integral part of vetting. And by the way, trust, you have unwritten rules. I mean, baseball, Dave and I use sports analogy. Self-governance. Reggie Jackson talks about unwritten rules and it works. If you're being the batter, the other guy, your best star, you're going to hear stars going to get beaten. That's an unwritten rule. These are what keeps things going balanced in the course of the season. What are the unwritten rules in the ethos right now? Honesty, transparency, and you know, that's the key. We need self-governance. This is a very unregulated market. There's rules being broken by people who are ignorant to the rules. You have people, the most common rule I see being broken is by people who are not broker dealers, running around fundraising capital. They don't even know what an institutional advisor license is. They don't know what a Series 7 and Series 63 is. I asked a guy just last night, he said, I'm pooling capital, I'm syndicating. Let me know if you want another deal. And I said, why don't you take your Series 7? He goes, what's that? Get away from me. You're an American, you need to look up what US securities laws are and make sure that you're playing by the rules. And if someone who doesn't know the rules has entered our inner circle of investors, of people sharing deal flow, we have a good network of people that are closing the loop for companies, whether it's lawyers, investors, exchanges, security auditors, people who write smart contracts, dev shops, people who write white papers, PR marketing, people who do the road show. There's a full circle that has to be closed. So people are actually doing work to put it into the community, kind of to know your neighbor if you will, know the deals that are going down, to identify potential tripwires that are being established by either bad actors or... 
KYC, AML, this is a new space that's also attracting people that have a criminal background, right? And that's just a harsh reality of this space. That in the United States, if you have a felony on your record, maybe getting a job has become really difficult and you figured let's do an ICO, no one's going to check my record. Like that is a reality of this space. Another reality is the money that was invested into this entire ICO, clean, right? That's a massive issue for the US government right now. It's been less than 15 hours since the SEC has issued actual subpoenas to people on this exact topic today. This is a great topic we'd like to do more of. Dozens of them. We'd like to continue and keep in touch with you on theCUBE. Also you're welcome anytime, love your insight. Certainly we'd love to have you be an advisor, our mission, you're welcome anytime. For sure, let's talk about it. Come out to Las Vegas. Hosho's always happy to host you. We're in Las Vegas all the time. Oh, that's not it. The kid lives at the same home. Come by Hosho's office and let us know, yeah. Vegas is our home. We are hosting a conference in Vegas after DEF CON. So DEF CON is the biggest security conference in the world. You have the best black hats and white hats show up as security experts in Vegas and right on the tail end of it, Hosho's going to host a very exclusive invite-only conference. What's it called? Just a block chain. It'll be called the Just Block. It'll be by the Just Block chain group and Hosho's the main backer behind it. Well, we appreciate your integrity and your sharing here on theCUBE. And again, you're paying it forward in the community. It's great ethos. We love that. It's our mission here, paying it forward content here in the Bahamas. Live coverage at Polycon 18. We're talking about securitized token and decentralized future for awesome things to happen. I'm John Furrier, Dave Vellante. We'll be back with more after this short break.