Okay, so good morning and thank you for taking your time to come and see us today. My name is Rod Soto and I am here with Victor Fang from AnChain. I'm a security researcher. I co-founded HackMiami and the Pacific Hackers on the West Coast. Some of the companies I have worked for are Akamai, Canon, Toshiba, Splunk, and one that is quite related to the crypto scene, Prolexic. I was actually part of the team that protected Mt. Gox. Remember Mt. Gox? They were a pain, yes. If you actually go on Twitter, you see how they would tweet like, "We're down because of Prolexic." They weren't an easy client, and we don't know what happened afterwards. I come from the crypto scene of around 2009, 2010. We were actually buying Whoppers for 20 bitcoins. What we're going to talk about today is smart contract security. I'm just going to go quickly through an introduction to some of the blockchain security aspects, which obviously is what this village is: it's an effort to bring security into the blockchain scene, and it's a good effort. Do you want to?

Just a quick intro of myself. I'm Victor Fang. I used to work at FireEye Mandiant, and I founded my company last year. Who's from Mandiant? Oh, cool. Hey, we should talk. Okay. And by the way, that's my face, as you realize. So we graduated from the UC Berkeley blockchain accelerator. And yeah, I'm very proud to be here presenting and sharing some of our research.

All right. So we're a little short on time, so I may go a little faster than this. Some background on the blockchain: it was effectively implemented around 2008, and it is believed to be an immutable public ledger. It's a DLT technology that you can check; it's exposed, it's public, and fault tolerant for the most part. It has been popularized by cryptocurrencies. There are some interesting implementations right now in finance, video games, video content, social media, and some countries are actually doing it in agriculture.
The most successful of all the cryptocurrencies, and you can check it right now, is obviously BTC. It was closer to 1000 yesterday. And according to John McAfee, we will hit 500,000. I hope he's right, at least on that, right? I know John, by the way. Obviously, we have had the development of blockchain frameworks, and I would say the second most popular is Ethereum, and it's highly traded. With Ethereum, the concept of a smart contract was introduced. So what is a smart contract? A smart contract is basically a framework that facilitates negotiation without the need for third parties. So what this does is aim to reduce transaction costs, and it enforces the contract under the blockchain framework. The transactions are trackable and "irreversible". And I put that in quotation marks, because we're going to see an example of how this irreversibility has been implemented as sort of a flexible term in several cryptocurrencies, including Bitcoin and Ethereum. The most popular standard right now is ERC-20. So at one point, you saw a bunch of people selling you the framework to create a new cryptocurrency. Basically what it is: they copy the Ethereum blockchain, use ERC-20, and then they will sell it to you for $250,000. So you just had to name a new currency. As we all know at this point, smart contracts can be exploited. So we had the DAO; there were 3.6 million ether in it. And the amount of losses was so huge that it was basically easier to hard fork than continue with that. So that's an example of how smart contracts can be hacked. And today you're going to see actual examples of how that happens and how to audit smart contracts. They are a powerful tool. And in my opinion, the smart contract is the bridge that can enable blockchain to spread widely into many other areas. I think it's important to see that blockchain is not only crypto. Crypto has driven it, but there are other areas where we can definitely implement this.
And it doesn't have to scare the banks and the powers that be, which is usually, in my opinion, why crypto has been held back, among other reasons. But basically things such as smart contracts and several new standards will help to bring down the cost of implementing blockchain technologies. And we can use smart contracts, like I said before, for records, supply chain, digital identities, mortgages, insurance. So here's one of the main problems of the blockchain scene, right? Which is the hacking history: we just play with fraudsters and people that for some reason can't explain mysterious hacks. So we have some of the relevant hacks here. The Mt. Gox one, again, I had experience with Mt. Gox because we protected Mt. Gox. And Mt. Gox was basically a trading site for cards. And then they turned it into a cryptocurrency exchange. And they would get hit all the time with DDoS, all the time. So, in case you wonder if we knew how the bitcoins were lost: we didn't, because we were only protecting the actual perimeter. So basically, they would get a lot of UDP floods or TCP floods or even layer seven attacks, and we protected their perimeter. They lost 750 BTC. Then we had the DAO, which I just talked about; it's around $50 million in ether. Then we had the Coincheck hack in 2018 for $130 million. And then we have some of the exchanges that were compromised around the world, $1.5 billion in losses, right? So here's a number that I want you to see. Before you see this number: in 2019 you have compromises at Binance, Cryptopia, DragonEx, GateHub, Bithumb, and so on. And here's a number that is very shocking. Around $1,800 on average were stolen per minute in 2018. If that is not enough to drive a security industry within the blockchain, I don't know what else is. Right? So that was the average: $1,800 per minute stolen in cryptocurrency.
So before I switch it to Victor, one of our messages is that we have to come up with security standards. Openness and exposure do not mean security. The fact that you can see it and it's out there somehow. And I remember this from the beginning, from 2009 to 2010: we believed that basically by having the ledger exposed and seeing what everybody was doing, and protecting the identities by just looking at anonymized addresses, was going to be enough. And we had this libertarian dream of eliminating fiat and self-regulating by basically being open and transparent. We now know that's not possible. I mean, if that number doesn't prove it, I don't know what else would. It's hard to balance, at times, the anonymity with the transaction levels. So at one point there will be regulation. I know many people would not like to hear that. But yes, they will have to come up with standards and eventually regulation. And then sometimes we put all our eggs into one basket, like we just saw an example: a major exchange was attacked and breached, right? They got in, right? Hopefully nothing else happened. But my coins are there. So I'm looking at this and I'm thinking, oh wait, my coins are there. If they got to my wallet, that's it, right? So when we put our stuff at one exchange, then this is sort of like a single point of attack. And one of the points that Victor's going to touch on is how these attacks have affected a majority of sites, including exchanges. And of course, the crypto scene, because of the unregulated environment and the level of anonymity, is sought out by organized crime and nation states. So I'm not sure if you heard about the whole wave of ransomware that's happening, at least in Florida. I mean, one city is okay, two cities, three cities, four cities. At one point you have to wonder, are they targeting all the schools, all these municipalities, low budget, outdated systems? And then where is the payment being sought? It's cryptocurrency.
It's hard. Then they go and launder it. And that's another point that he's going to touch on. Smart contracts with flaws are immutable. And once they're deployed on the blockchain, well, the immutability helps the exploitability. And that's one of the things that he's going to touch on today. So again, before I pass it to Victor, we need to come up with some infosec standards, just like we have PCI, we have SOX, and many other standards of compliance. Sometimes it's not worth much, but at least it's an attempt to get somewhere instead of just thinking, you know, this by itself will regulate. So here's something that may happen to you. Right? So we have an adult site that got spanked. And I bring this up because they didn't audit the smart contract. And they lost almost $40,000 in one day. So with that, I'm going to bring it to Victor. Thank you.

Thank you. And yeah, right before this talk, I had a chance to talk to two very smart gentlemen, also from San Francisco, and Phil and I asked them, have you heard about blockchain APT? They said, what? There's an APT on blockchain? I'm very proud to be here sharing something new today. So the original title was how to pwn smart contracts and make $4 million in weeks. To give you a feeling of how much money that is: that's about $4 million. But we're not talking about cash. Okay, we're talking about Ethereum. It's also like the silver of the cryptos. Okay. And this is the latest MIT Technology Review article on blockchain security. The title is sort of sad, right? "Once hailed as unhackable, blockchains are now getting hacked," right? And I'm very proud that our company, AnChain.AI, was mentioned three times. And so APT: how many of you have heard about APT? That's great. Right place, guys. And just a little bit of warning, I have some source code here in the slides. So for those of you who like smart contracts or JavaScript, there's a puzzle there for you. Okay. So what's APT, right?
It's basically the biggest nightmare of cybersecurity, and the definition is a stealthy and continuous computer hacking process orchestrated by a person or group targeting specific entities. Okay. And I'm very proud to have worked as part of the team at Mandiant and FireEye who are defining all these APT groups. And I also contributed some of the research on how to use machine learning to actually detect those, like PowerShell in APT32. Okay, let's talk about the target. Okay. How many of you have heard about FOMO 3D? Okay. What does FOMO mean? Fear of missing out. Exactly. So you guys are not missing out today. I'm going to talk about something serious. This guy has $10 million worth of crypto assets sitting there; it's a website like this. It looks funny, but the money is real. Okay. How do you play this? It's basically like a Ponzi scheme game, but people just play it. Okay. And the nice thing about it is, okay, this Ponzi scheme game is actually a piece of code executed on the blockchain. So there's no centralized governance and all that. Okay. Everything is mandated by a piece of code, 2000 lines only. Okay. And how do you play, right? So you buy the key. And by the way, there's a screenshot of how I participated in this. You buy a key there. And the last guy who bought the key when the clock hits zero, he will win the jackpot, which is usually millions of dollars worth of Ethereum. Okay. And the developers, right? The very smart developers of FOMO 3D, right? To increase the interactivity, right, they add a little lottery mechanism. Whenever you participate by buying a key, you have a small chance of winning a lottery. Okay. Otherwise, this game, you think about it, right? Just simulate it. When the clock goes to zero, what's going to happen? Or when the clock almost hits zero, what's going to happen? Yeah, exactly. Right. So this game should never stop, right? Theoretically, right? If it operates, right?
But, well, it actually stopped. But that's not something we're going to talk about. I'm going to talk about how the blockchain APT hacker group would identify, actually, how do they exploit that lottery bug? Okay. Here's a piece of code. So, actually, yeah, it's pretty hard to see. So there's really like the first section of the code. Okay. And it's actually a function called isHuman. What does that do? Why do you put this isHuman function in a smart contract? Yeah, to make sure it's a human interacting with it. Unfortunately, it's written by a human, with a bug. And then that can lead to the second one, which is that airdrop, a random airdrop. And it says, "do we have a winner" in the comment. And what does that function do? Generating a random number, right? And that's the piece of code. And again, it's all transparent, sitting there on the blockchain right there. And how much time will it take to run all those, that whole bunch of hashes, on your computer? Can you take a guess? What? How many milliseconds? Usually like 15 milliseconds or so, right? But for those of you who are familiar with Ethereum, right, how long does it take to settle a transaction? Usually like 10 seconds and stuff like that. So keep those numbers in mind. Okay. So if you were going to exploit stuff like this, what you can do, right? Yeah, hold it. I think you've got the answer already. But now, yeah, again, 10 million dollars on these 2000 lines of code. Okay. So based on our research, right, we actually detected the lucky hackers. Okay. They only contributed to like half of the, only 10% of the transactions. Okay. But this guy took half of the entire airdrop pool. Super lucky, right? Yeah, they should actually be here in the casinos. And if you look deeper, right, into the exact transaction, that's another nice thing that I want to mention, right: all the transactions, no matter good or bad, right, are recorded in the ledger on the public blockchain.
And this is the exact transaction, one of the many, right? And yeah, I just looked at it. I mean, there's a lot of like sub-function calls, smart contracts and all that. But really, this transaction, we call it like 0.1 is in. And how much do they get out of it? 0.19, right? So they make 90% ROI. Okay. And this is again one of the many transactions they're doing. Okay. And just to demystify, right? So actually using our engines and all that, right? So the target is on the top. Okay, that 10 million dollar asset. Sitting there, a big target, everybody can see it. And the guy, there's a little guy down there, we call it a captain. I want to show you why we call it a captain. And then in the middle of them, right, there were about 50,000 smart contracts or addresses interacting with that guy. Okay, just think, remember the code I just showed you, what's the problem with this? If you see a graph like that, what's the problem connected to the source code I just showed you? Remember the first function, right? You answered it. Oh, but yes. So that actually means that the isHuman function was bypassed, totally. And that's why this guy can launch a huge campaign of bots to actually interact with that. And each of them is going to win. Okay. Because what this guy ended up doing is they took that piece of code, right? That random number generator is transparent there. They simulated it in their smart contract and they only play with this poor little target up there when they are going to win. When they know they're going to win. That's why they're always hitting like 90% profits, right? And when we looked at it last August, right, this guy had already made like $150,000 sitting there in the wallet. And, yeah. And advanced persistent threat, right? In terms of advanced, what happened to this guy when they ran the transaction? Self-destruct. So they don't leave any bytecode on the blockchain.
So, but the transaction will still be there. But the bytecode that they used to attack that smart contract is removed by self-destruct. And why is that? Why do you do that? You don't want to share your profit with some other hackers, right? And, yeah. And so this is what led to our definition of blockchain APT, right? So it's basically very similar tactics and all that, right? Very similar to what Mandiant has been defining, right? The only difference is now this whole hacker group is actually running in a decentralized world, which in our mind is actually harder to defend than even cloud security. This whole thing, you don't even know where, which miner, in which country, is running that smart contract bytecode to verify and then reach the consensus. And to give you the full visual, right? This is all the millions of addresses interacting with that little guy sitting there, the $10 million target. And to prove that we actually know this, we highlighted some of the addresses, and this guy sitting in the middle, right, is the target, and the captain and all that sitting there actually only converge to five addresses, wallets, the real wallets. But this guy launched hundreds of thousands of smart contracts to drain money from the pool. Is that the end? Of course not. We actually found there's a very funny app in China that is actually a copycat of FOMO 3D. And it runs on Android, by the way, and see the pool they're showing. It's like, what, $100,000? In Ethereum? That's a lot of money. And this guy actually ranked in the top five DApps on Ethereum last summer. And this guy also has a $9 million jackpot pool, right? And yeah, when we looked at it, right? It's actually very similar bytecode. Including the bugs, they just copied everything from FOMO 3D. The only thing they probably changed is the dividend account, the account where they receive the dividends, the developers' account.
That's probably the only thing they changed. You don't want to send the same money to the FOMO 3D team. You want to take the money, right? But they just took everything because FOMO 3D is basically open source. It's on GitHub, right? And yeah, so the hackers never sleep, especially in the blockchain world. And so the kill chain. Let's dig a little bit deeper into what's going on here, right? So let's do a recap. I mean, some of you may already have taken the Mandiant training, the APT training, right? This is the attack life cycle, right? Usually initial compromise, establish foothold, privilege escalation, right? Internal recon, and then move laterally, right? And they maintain presence until they hit the jackpot, complete the mission. And just to highlight a little bit, right? What's the goal of most APT attacks? To make money, yeah, I know, that's it. All hackers want to do that. But what exactly is that? What was the step before that? Probably steal data, right? Steal data, right? The breaches, that's why this guy is so patient, right? The average time that they can stay in the enterprise without being detected is like, what, 200 days? Yeah, what's the latest number? We have a Mandiant guy in the audience. Is that 150 days now? The rest of the days? Have you read the latest M-Trends report? Oh, let me send a copy to you. So, anyways, this blockchain APT kill chain, right? It's actually a very similar kind of kill chain, right? Similar steps. The only difference is the actual tactics, right? Now, again, right? You are not targeting an enterprise. You are not targeting a cloud security vendor, right? You are targeting something that is a clear target sitting there in the decentralized blockchain, right? So, usually they do recon using web3, the web3.js, right? To kind of scan what's going on there, right? And then when they find the vulnerability, right?
Actually, we have the entire lifecycle of those captains and those few accounts, right? So, actually, they're super hardworking. They have actually been working days and nights trying to exploit that smart contract, right? And then when they found the bug, found the vulnerabilities, like that one, it's a random number generator problem, right? And then the isHuman function can be bypassed, right? When they figured out those, they started building weaponized smart contracts that can interact with it, right? And then, actually, that smart contract that I showed you, that transaction, actually interacted with 10 other smart contracts, right? Like a vault and all that, right? And then they start probing, right? What are the interacting smart contracts, right? And then they try to exploit those. It's actually quite easy to find the vault, right? There's a vault taking money in, right? Of course, you don't want to put your whole wallet or the DApp smart contract storing that much money. You probably want to move money into the vault, right? And then, yeah, when they found it, right, they're going to launch those automatic bot armies, right? To kind of drain money in an automatic way, not like a human running the script, right? And at the end, like we just showed you, this guy actually made $2 million from FOMO 3D and then they made another $2 million from the copycat. And it just keeps going; this guy makes a few million dollars from each of those smart contracts. And that's actually the persistence of this APT hacker group, right? That smart contract launched in July last year, okay? And what's the first box about? The three red boxes there, what's the first box about? The recon, exactly. Yeah, he's really listening. That's great. I should give you a sticker. And that was what happened in the middle. Yeah, he found it, man. He found it.
And then now he weaponized all the bot armies and launched like 100,000 smart contracts to actually hack it. And that's probably one of the reasons why the entire Ethereum network was jammed. Okay, this guy paid a lot of money, but they made a lot more profit out of it. And then why did they stop? Why did they stop at the end? What? Oh, because the money is gone, they drained it. It's gone, right? And, yeah, to kind of summarize a little bit, right? So yeah, I mean, really, this is a very tough game in the blockchain. Blockchain security is opening up a new dimension of complexity, right? So in our mind, right, there are three eternal themes for this emerging blockchain security industry. The first one is the transactions, right? How do we dig into all these massive numbers of transactions, how do we identify those suspicious accounts? How do we find all the tactics? How do they attack the smart contract and all that, right? Based on the transactions sitting on the ledger. Another angle is the code security, right? So you're putting that piece of smart contract, which is a piece of source code, like JavaScript, kind of source code, right? Ethereum. And yeah, but that one is actually operating on a totally open and transparent platform, right? And if you have a vulnerability in that smart contract, I just showed you what the consequence is, right? And each of those is a representation of crypto assets. There's money in those, right? They're not like a dump of a database in a hospital and all that, right? So there you're dealing directly with currencies, okay? And the next one is infrastructure security. The blockchain right now, like Bitcoin, how old is Bitcoin? How old? 10 years, exactly. How old is Ethereum? Only four years, right? And it took the internet, right, about 20 or 30 years to evolve to get to the maturity that we're seeing today. But again, right, you're still seeing this entire cybersecurity industry, right?
So the hackers never stop innovating, right? And so in terms of the blockchain infrastructure, in my mind it's still very early, right? So there are a lot of opportunities there where we can put our talents into this field, right? To make it grow and make it more secure. And yeah, some of the latest research, right? We feel like we need more transparency into all these different blockchain ecosystems. Now we have Bitcoin, Ethereum, EOS, Tron, and all that, right? But this research was just published in CoinDesk, right? Actually, half of the EOS accounts, right, are actually operated by bots. And they look like this, okay? Could that be a human? No, right? And there are economic reasons behind those, right? And yeah, so we are publishing a book, right? So we're in the process of publishing a book on building blockchain apps. I'm contributing a chapter on smart contract security and best practices, right? So we are talking to the publishing house, right? We want to make at least this chapter free on our website. So yeah, follow our Twitter; it's going to go out this year, right? So yeah, to get your free copy of the chapter. And we're hiring. So yeah, that's the end of the show, and questions. Yeah, go ahead.

When do they know when they win? Oh, when they win? When they receive that money? They know they win. Simple. And it's money. It's not a piece of data that you have to spend more effort on the dark web to sell. You are getting the crypto. Yeah, go ahead. And this is only one of them. Yes, but there's another one targeting the jackpot. That's another research. The only answer we had, exactly. It's at the part of the game where it's like the last person standing gets the jackpot, but there's also this other lottery system. Yeah, this is the airdrop. The one we're talking about is the airdrop mechanism. So whenever you buy a ticket, you have a small chance. It's one in 1000 or less than that.
Then you can win; it's a small chance. You win a proportion of that, like this guy was making 90%, right? So that's the vulnerability this hacker group exploited. And then calculated to make sure it was matching the same one? Exactly. And right, isn't that a smart idea? They only play with the casino when they know they're going to win. Would you do that here? I don't think you'd be left alone playing. It just keeps playing. Yeah, you may get blacklisted if you do it here. Yeah. So this seed that was part of that airdrop, was that something that was set by the contract? Yes. That's right here. It's right here. Those 15 lines of code define exactly how you will win the lottery. And that's why people love smart contracts. Because the house is open to you. It's transparent. All the policy, how they distribute their funds, is written in the smart contract. Isn't that amazing? It's totally transparent. Yeah, go ahead. It seems like this would have been easy to detect. Was nobody watching and getting to know it over the course of weeks? Actually, yes. But we were the first ones to detect those. So you see that timeline that we found out. We actually started watching them when they started experimenting. It took them actually two weeks to figure out those vulnerabilities. About two weeks. So it was noticed; why wasn't any action taken? That's what you talk about. In Ethereum, there's literally no way. I mean, it's very hard to change your bytecode unless you do those upgradeables and whatever, those fancy things. But that's exactly why people trust Ethereum and those blockchains. Because that piece of code is your promise to the public. All your logic is recorded there. You're not supposed to just change it. That's the immutability of the blockchain smart contract. Yeah, but then there's a new version of it. You can actually upgrade the bytecode and all that. But actually, that brings in a new attack surface, if you think about it.
And that's why we feel like this field is fascinating. It's always evolving. Well, this is a bigger problem in software engineering than even all of them. I mean, is there work in software engineering or in proof systems? Yeah, so actually, that's part of the mission we're doing. We have a free smart contract auditing sandbox out there. All developers can just go and submit their code there and run it. We're going to scan for the about 30 vulnerabilities that are already known. But your question actually touches a very good point of what's going on in this emerging blockchain security. Because literally, there's no standard, like you just mentioned, there's no standard. So right now, AnChain is actively participating in OWASP. So we're helping the committee define the blockchain standards and all that. I mean, this is going to be a community effort, right? We love this technology. It's totally transparent. We feel like this is going to be the future of all the software that you're going to do, like public-facing kind of software, right? You have to put your source code and all that on a decentralized and totally trustable platform. But now we are suffering from those vulnerabilities. Some of them are in the source code they write, right? Because they don't have the rigor or anything to review code like we have in the software industry, right? The other one is the infrastructure, right? It's super immature. Like one of the vulnerabilities we found last year in the EOS blockchain was actually called the rollback vulnerability. That means if you know how the EOS supernodes are dealing with the transactions producing the blocks, you can actually exploit that to make sure your transaction won't be recorded in the blockchain. But they fixed it in December. They're very quick. They fixed it in two weeks. But I mean, that is kind of like a zero-day for the EOS blockchain, right? But yeah, it takes a community effort, right?
And this is a very new field, right? It awaits a lot of standards and bodies and all that. And the good news is, as you guys are following, right? Like JPMorgan Chase, right? They have those stablecoins rolling out in February. Facebook Libra, they are launching a new blockchain, right? The Libra blockchain, right? So when these big guys from the internet industry or the banking industry come in, they're going to help this industry grow. But right now it's still very premature. That means a lot of opportunities, right? Yeah.

Yeah, question for you. You mentioned JPMC, you mentioned Facebook, whatever. One of the common features with them and everybody else around it, things that are not bullshit and want to get on the internet, is that they own it. So what are you seeing in leaping out to old-fashioned governance, key shares and backroom boards versus actually trying to solve this problem? Yeah, so his question is about what we think about this emerging enterprise blockchain, right? Like the stuff I just talked about, JPMorgan Chase and Fidelity and Facebook, right? They are launching their chains. Those blockchains probably fall into the private blockchain or the consortium blockchain. It's not totally open to everybody. Like the JPMorgan Chase blockchain, they only open it to the banks that interact inside the JPMorgan Chase banking ecosystem, right? So if you think about it, isn't that like the intranet? Isn't it like 2000, right? But that's just our take, right? I mean, with that consortium blockchain, yeah, definitely it's more secure because you have a much smaller risk exposure than the stuff we're talking about, right? But I feel like eventually this should be an open system, right? So that's our take. Think about the intranet and the internet, right? At the end, nobody's using the intranet, right?
Maybe only a few of you remember the term, if you are as old as me. But yeah, that's what we believe. Any other questions? All right, thank you very much. Thank you.