Hello and welcome to the State of Blockchain Security here at the Blockchain Village at DEF CON 28. I'm excited to share with you a really zoomed-out view of the current state of our industry. We'll talk about a variety of blockchain security related events and major incidents, we'll gather some insights and make future predictions, and most importantly we'll talk about a lot of opportunities: how to build a stronger and more trustworthy financial system.

So in case we have not met, my name is Peter Kacherginsky. I'm a blockchain security engineer at Coinbase, where I spend most of my time trying to break and secure a variety of standalone blockchain systems and smart contracts. On the side I also publish a blockchain threat intelligence newsletter where I share the latest news, and partially I will be recapping some of the major events that I cover in that newsletter. In the past I was also an organizer of the Capture the Coin competition at DEF CON. In the past I was also working as a malware reverse engineer at FireEye; if you're a malware reverser you may have run into a few of my tools such as FLARE VM and FakeNet-NG, and I've also reversed a whole lot more APT malware than I care to remember. Zooming even further back, I was more on the offensive side as well for the Federal Reserve System, where I was working as a penetration tester trying to break finance 1.0.

I guess everyone shares their story of how they got into crypto. The revealing moment for me was basically my past growing up in the Soviet Union and observing what hyperinflation means in the first place, so it really struck a chord in me when I understood what future the cryptocurrencies offered, and I take it as a personal mission to make this field succeed by making it more secure. And I hope you join me on that mission as well.

So what are we going to talk about? I would like to help inform, educate and identify as many opportunities for you as possible.
So if you feel like this is the field for you, you'll know exactly where to plug in and what to pursue. Within this talk we're going to talk about a variety of incidents, as I mentioned, from the newsletter. But the key point here is that it's less about me being right; I will offer some insight and opinions here, but I'm even more excited to start a discussion and learn from you during the Q&A session, or offline if you care to reach out. I would be highly excited to hear your thoughts on it.

In our presentation we'll begin by defining the field and the ecosystem. So we'll talk about what blockchain security is, how it is different from any other security discipline, let's say web application or IoT security, and what makes it unique. We will also talk about the overall ecosystem that we're trying to protect and also think about how it's getting attacked. Next we're going to break down all of the variety of components within the blockchain security field. So we'll talk about exchange security: what were the major incidents this year so far, and what can we learn from them? We are going to talk about asset security, so we will discover a variety of protocol issues that are being exploited; we'll talk about software getting attacked and other weak points. And last but definitely not least is user security. We're gonna deep dive into the main point of why we're building this: it is for the users, for people to be able to transact securely. We will finish the presentation with thoughts about building this industry, how to make it more mature, what we can do to share the guidelines that people can just pick up and implement in their next projects, the tools that still need to be developed, as well as how we can build up our community.

So let's begin first by defining what blockchain security is. I believe it's a brand-new field. It's a new discipline of information security with a mission of securing and defending the cryptocurrency ecosystem. What is the cryptocurrency ecosystem?
Again, I mentioned users are at the core of it. We have a variety of assets, both layer one and layer two, so smart contracts and all of that. So nodes, wallets, smart contracts are all within the scope of this field. Of course exchanges: a variety of people choose to delegate and use centralized points of storage and keys instead of holding all the keys themselves, and a variety of attacks and security implications that that brings, including what the issues are with cold and hot storage, the incidents that are happening in this world, and other issues.

So some of the threats that we'll cover throughout this talk: we'll talk a lot about malware, just because of my background. We'll cover how it's affecting both the assets, where they're getting backdoored, malware attacks against users themselves, the ransomware and the miners and all that good stuff, as well as how it affects exchanges. We'll go through fraud and scam schemes that are perpetrated against users. We'll talk about what the losses are, and what we can do to defend ourselves against it and make users feel a little bit more comfortable and safer. We'll talk about network attacks, so we'll dive into the nitty-gritty technical details of attacks against a variety of different chains and lessons that we can learn from them. We'll talk about phishing attacks against exchanges and users, and definitely about bad actors: who are the people behind those threats, what can we learn, and how can we better defend ourselves against them?

So let's first dive into exchange security. I mean, last year, if you've been paying attention, in 2019 there were so many incidents when one exchange after another was falling down, with millions and millions of dollars lost from hot wallet theft. This year what I'm observing is something different: we're seeing two incidents, from BlockFi and Coincheck, where the attackers chose not necessarily to go after
the, you know, just grab the coins and run off; instead they were content with just getting to PII data. So we're talking about emails, addresses and other personally identifiable information from the customers. So the first incident that I'm going to cover is BlockFi, and they were good at publishing the incident reports fairly quickly. However, what they described as the root cause for the attack is that one of their employees was SIM swapped, SIM swapped to access the internal portal. So this sounds like something preventable: I mean, if you're defending your internal portal with a phone, with 2FA which is some kind of SMS or phone system, it really could have been improved. It's something that could have been avoided. Similarly, Coincheck reported a loss of 200 customers' PII data, and again the root cause for it was that the domain registrar was hacked. It's something that could have been avoided by maybe picking someone more secure, or trying to find a way to secure your registration so it wouldn't be hijacked as easily.

And of course this year we have, you know, good old hot wallet theft. So the year started with Altsbit, with a really tiny financial loss: it was only 6.67 bitcoins stolen and 23 ETH. LulzSec took credit for this compromise. Unfortunately, the exchange shut down as a result, and so we don't really know as much information about what caused it, what the underlying issue was. But it just continues on the trend from last year that these things happen, and this happened early in the year, I believe back in January. A more recent incident was from the Cashaa exchange, which reported a loss of 336 bitcoins, and again the reasoning that they described was that their employee was using a personal laptop to conduct official business.
So they were running an OTC desk from their personal machine, which apparently got malware on it, and the attacker was able to get away with the keys. Again, something that could have been avoided.

So some insights, some observations that we're seeing so far. Our exchanges are getting more secure, I think. We're observing a decrease in the number of incidents: back in 2019 it was absolutely insane, where multiple exchanges were sometimes compromised within a single week. So far we're seeing four exchanges, with only two of them resulting in a direct monetary loss. Speaking of the financial damage itself, the total amount lost was 175 million back last year. We're almost six months into the year and the total losses so far are only four million dollars. So the financial damage is going down. What's also very interesting to see is that folks are very open about the compromises: they release incident reports within 24 hours, they tell you exactly who is affected, what the issue was. So that response is just really good to see. On the other hand, as I mentioned, the types of incidents could have been really easily avoided: SIM swapping that could have been locked down ahead of time; letting employees run official work on unmanaged personal laptops is just a very risky thing to do.

Another trend is the attackers going after more than just hot wallets, more than just the coins themselves. So I imagine that whatever PII they stole on one day, come Monday they will turn around and try to perform SIM swapping attacks. In fact, there was an article, I believe, where there was an interview with the attackers where they explicitly said that, well, you know what, the best way for us to monetize is to actually just start SIM swapping instead of trying to sell that data or using any other type of attack.
So this is something we may see more of in the future.

Next let's talk about asset security, specifically security of the protocols, like we're talking about the interaction between different chains and nodes and all of that. Well, the best example is the variety of 51% attacks which have always been happening and will continue happening. First we'll cover two incidents with Bitcoin Gold. So the first incident was back on January 23rd and 24th. There were in fact two 51% attacks back to back; it resulted in a 29-block reorg, which is fairly sizable, and it definitely resulted in a double spend. So this is unfortunate. This is something that we've observed happening for a while: any coin which has relatively lower hash power, and has hash power available for sale that you can easily rent on something like NiceHash, is getting 51% attacked.

What's interesting is the second incident on July 10th: the attacker apparently once again tried to rent some hash power on NiceHash, but in this case the miner who rented out their capacity apparently figured out they were doing something bad and was able to notify the Bitcoin Gold developers. So what they did in response to that was fascinating and potentially a trend for the future: they contacted miners in secret and distributed a modified piece of node software which had a checkpoint. That checkpoint essentially invalidated whatever new chain the attacker was mining in secret. So what happened was, once the attacker actually published the reorg chain,
it was not accepted by the network. So they wasted all their money on NiceHash and all their efforts. Bitcoin Gold published their report about what happened and what they did to defend the network. This is concerning and, well, this is interesting in two ways. On one side it's great that they were able to catch it, but this was only done because one of the NiceHash miners was vigilant enough to be able to notify them. So this could have been just as easily missed. Depending on how you view those networks, introducing checkpoints into your protocol and secretly communicating with miners, it depends on your specific views on decentralization; that may be considered by some as something that we don't want to see, but it worked in this case. And we'll in fact see later on, when we talk about Ravencoin, it is once again something that repeated, where developers of node software were communicating with miners in order to seek help to secure the network.

Another interesting trend about this particular attack is that the reorg was massive: it was a 1300-block reorg. So the attackers are willing to spend and invest significant funds into their attacks. In fact, the most recent incident, which is still ongoing, starting August 1st, is a massive 3500-block reorg, the first of two, where an attacker apparently spent more than 200k on NiceHash to rent capacity in order to double spend an exchange. So in the slide I'm only listing the first incident. There was in fact yet another successful 51% reorg attack on the Ethereum Classic network with another massive 4000-block reorg.

So some of the insights in this: these types of attacks will continue. Any coin which has easily rentable GPU capacity that you can rent on NiceHash, or something that you can repurpose from another coin, will be attacked.
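As an added illustration (not code from the talk or from the Bitcoin Gold project), here is a toy model of the checkpoint defence described above: a node that simply follows the heaviest chain adopts the attacker's secretly mined, heavier fork and suffers a 29-block reorg, while a node carrying a checkpoint for a public block above the fork point refuses that fork regardless of how much work it carries. Block layout, work values and heights are constructed for the simulation.

```python
"""Toy fork-choice model of a checkpoint defence against a secret reorg chain.

Added illustration; not Bitcoin Gold's node code.  Each block carries the hash
of its parent and a constructed work value.  Without a checkpoint a node
follows the heaviest chain, so a secretly mined fork that overtakes the public
chain is adopted (a reorg and, with it, a double spend).  With a checkpoint
pinning one public block, a fork below that height is rejected however heavy.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Block:
    height: int
    parent: str   # hash of the parent block
    work: int     # constructed stand-in for proof-of-work difficulty
    tag: str      # constructed label so the two forks are easy to tell apart

    @property
    def hash(self) -> str:
        data = f"{self.height}:{self.parent}:{self.work}:{self.tag}".encode()
        return hashlib.sha256(data).hexdigest()


def build_chain(base: list[Block], length: int, work: int, tag: str) -> list[Block]:
    """Extend a copy of `base` by `length` blocks of the given per-block work."""
    chain = list(base)
    for _ in range(length):
        parent = chain[-1]
        chain.append(Block(parent.height + 1, parent.hash, work, tag))
    return chain


def total_work(chain: list[Block]) -> int:
    return sum(b.work for b in chain)


def violates_checkpoint(chain: list[Block], checkpoints: dict[int, str]) -> bool:
    """True if the chain contains a pinned height with a different block hash."""
    by_height = {b.height: b.hash for b in chain}
    return any(h in by_height and by_height[h] != want for h, want in checkpoints.items())


def select_chain(current: list[Block], candidate: list[Block],
                 checkpoints: dict[int, str]) -> list[Block]:
    """Heaviest-chain rule, with checkpoints acting as a hard veto on the candidate."""
    if violates_checkpoint(candidate, checkpoints):
        return current
    return candidate if total_work(candidate) > total_work(current) else current


def reorg_depth(current: list[Block], adopted: list[Block]) -> int:
    """Number of blocks of `current` discarded by switching to `adopted`."""
    common = 0
    for a, b in zip(current, adopted):
        if a.hash != b.hash:
            break
        common += 1
    return len(current) - common


def demo(use_checkpoint: bool) -> int:
    """Public chain of 100 blocks; attacker forks 29 below the tip and mines 31.

    Returns the reorg depth the node ends up accepting.
    """
    genesis = [Block(0, "0" * 64, 1, "genesis")]
    public = build_chain(genesis, 100, 10, "public")          # heights 0..100
    fork_point = public[: len(public) - 29]                  # heights 0..71
    secret = build_chain(fork_point, 31, 10, "secret")       # heavier than public
    checkpoints: dict[int, str] = {}
    if use_checkpoint:
        # Developers pin a public block above the fork point (height 90 here).
        checkpoints[90] = public[90].hash
    adopted = select_chain(public, secret, checkpoints)
    return reorg_depth(public, adopted)


if __name__ == "__main__":
    print("reorg depth without checkpoint:", demo(False))
    print("reorg depth with checkpoint:   ", demo(True))
```

Without the checkpoint the node accepts the 29-block reorg because the secret fork carries more total work; with the checkpoint the same fork is discarded and the public chain is kept.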
They're under a risk of getting attacked. What's another interesting observation with Bitcoin Gold is what they did working with miners and kind of trolling the attackers by not saying to everyone, like, hey, we know there's an attacker and they're about to release their secret chain any time now; they actually waited for the attacker to waste their capacity and their funds until they found out, like, wow, okay, this was all wasted effort.

So what I covered before were traditional 51% attacks against proof-of-work networks. What's interesting happening on the blockchain networks today is that there's a trend towards shifting into proof-of-stake consensus algorithms. So what I'll cover are two different coins, the Steemit incident and the Ethereum incident, and explain how they're potentially trend-setting and something that we may see more of in the future rather than just more and more 51% attacks.

So on the Steemit side, just to summarize the incident: Justin Sun from Tron purchased the Steemit coin. There was a disagreement over how to manage vast assets of frozen funds that were initially pre-mined since the beginning of Steemit. The way that this disagreement was addressed was not through negotiation and trying to find some kind of agreement, but in fact, on the Tron side, they decided to attack the coin by taking over its delegated proof-of-stake algorithm. So if you're familiar with the proof-of-stake algorithm: the more coins you have, you can take those coins, you can lock them up somehow to give you some voting power. This is what's called staking, in order to produce blocks or vote for whatever on-chain actions; so some coins use governance for that. In delegated proof-of-stake systems you don't vote for blocks yourselves directly. Something, for example, in ETH 2.0,
you need to lock up 32 ETH and you can vote on blocks and validate blocks. With delegation you in fact delegate to a set of validators, and you empower them and entrust them to validate and produce blocks. So this is the system used in Steemit, EOS and other coins. So what happened in this particular incident is that Tron colluded with a number of large exchanges which were holding vast amounts of Steemit coin in order to gain the controlling package of the asset. Once they got that, they were able to vote in a controlling set of validators, which allowed them to basically control the network. They were empowered to set what the consensus rules are. Once they gained that right, they were able to push updated node software which unfroze, through basically a hard fork, those funds which were from the initial pre-mine, which absolutely gave Tron a controlling package of the asset in the system, where no one could really challenge them, and they were able to hold on to their power indefinitely.

Taking the ethics aside, there are arguments on both sides: you know, why did this have to break down into a technical attack, when it was something that could have been agreed upon just by dialogue? What's interesting about this: this is the first case of a proof-of-stake attack, and we could see how it played out. The way that it played out was very quick. Between the time that Tron was able to get the controlling package of Steemit coins, to pushing their own set of validators, to pushing a hard fork to unfreeze funds, to taking those funds and, yeah, you know, multiplying how much voting power they have, it didn't take months or even weeks; it took hours. So it was a highly coordinated attack.
It was executed very precisely and effectively. So this was a fascinating example.

On the Ethereum side, again, Ethereum is something that has massive hash power, so it's highly unlikely we're going to see 51% attacks, but there's still a variety of things that people do, such as mempool manipulation. When there was a black swan event, when the price of Ethereum crashed and a bunch of MakerDAO auctions were starting to get liquidated, there was apparently a mempool attack where they tried to cause a high degree of congestion, so that some individuals were able to create a number of liquidation bids for nothing, at zero, zero-bid liquidations, and be able to win them because they essentially did not have any competition, because the network was congested. This is a very interesting approach. We've seen mempool attacks before, but this is interesting in how they are manipulating the underlying protocol, the underlying Ethereum network, in order to attack higher-level smart contracts and DeFi projects as well.

So some network security insights from what we've seen: Steemit opens up a new era of proof-of-stake attacks and governance attacks. Instead of being worried that someone will buy up a whole bunch of miners or mining capacity, hash power capacity on NiceHash, now the power is in the exchanges; the exchanges control the most coins. Exchanges colluding together may decide to attack a chain. So this is something that we have to be on the lookout for now. Attackers are getting more creative as well. So mempool manipulation in order to attack a DeFi project is something interesting that we will likely see as well.

Let's switch gears a little bit, and instead of talking about asset security on the protocol side, let's talk about the underlying software itself. In the end
it's all abstract, it all works in the cloud, but what actually runs, the actual logic and code, is the node software itself. Nodes are complex pieces of software, and it's inevitable that they will have bugs and vulnerabilities. So a few interesting incidents that I want to cover so far this year; two of them happened on the testnet. So I'll start from left to right.

So the Solana network: there were no issues in the protocol itself. So the design, I believe, uses a BFT-like system. The issue was in the implementation. There was a flaw, there was a vulnerability in the way that the node software failed to validate transactions, which essentially allowed somebody to print 500 million Solana coins. On the mainnet project, so Tendermint, this is the underlying consensus library used by projects like Cosmos and others: a denial-of-service vulnerability was discovered which essentially allowed someone to halt the entire network. And again, this was done not because of some flaw in the protocol; it was because of nodes failing to validate specially crafted blocks. The last example is the inflation bug. Those are particularly dangerous because they affect the entire ecosystem. Luckily, this one was discovered again on the testnet, where nine billion Filecoins were minted. This was patched and did not affect the mainnet. But you can see the vulnerability.
There are only three examples that I'm listing here, but vulnerabilities in node software can have severe implications for the market.

On the wallet side, again, any piece of software will have vulnerabilities. The Monero wallet failed to validate specially crafted transactions, coinbase transactions to be specific, which resulted in it appearing as if you received more Monero than was actually sent. This is something similar to, if you recall, there were a whole bunch of exchanges compromised with Ripple: there was a special flag which is basically telling you how much you are vouching to send as opposed to how much you actually are going to send. So there's a potential for exchanges or individual wallet owners to incorrectly credit whoever is sending them funds. Lightning Network, it's still very much an alpha system, so it continues to have vulnerabilities discovered and patched. There are a lot of papers getting published, so this is actually a good sign that people are looking into it and finding flaws early on. Now the Argent wallet: that was an interesting bug that was responsibly disclosed by OpenZeppelin and effectively patched by the Argent folks. It allowed users to basically create a kind of recovery mechanism using specialized guardian nodes, and in rare occasions, when such nodes were not properly defined, it allowed anyone to take over those wallets. Once again, this was patched, but it's an example of vulnerabilities in wallets.

What's more interesting are not the vulnerabilities that are discovered and patched; this is normal. What's more interesting are intentional backdoors that are introduced in both wallets and node software. So the first incident I'm going to cover happened in the Trinity wallet. We've seen backdoored wallets for a while; last year I talked a lot about the Electrum wallets getting backdoored. The way they attacked the Trinity wallet was not directly, not
going after the main repository itself; instead, they were going after a third-party dependency. So the third-party dependency on which the Trinity wallet was relying was patched to steal users' keys. That was included in the main repository, and any user downloading and using this had their assets stolen.

The Ravencoin incident was even more insidious. On July 4th an inflation bug was discovered, and an emergency patch was issued to a variety of nodes and distributed to miners. And this is something that initially maybe was just a vulnerability, every once in a while you discover those things, until the point they realized that the bug was intentionally introduced. It was introduced back early in the year, in January, by an account which was a throwaway GitHub account. The patch appeared to be very innocent-looking commits which allowed you to be more verbose about the type of errors that you're getting, so it snuck by the core maintainers' eyes; they were not able to detect that. And for months now they were slowly minting; there was a script running that was slowly minting RVN coins. So a total of 300 million RVN coins were minted over time and unfortunately also sold on exchanges. So this was a successful inflation bug that was maliciously introduced and exploited. These are particularly scary, and I'm sure we'll see this again and again, because they attack the whole ecosystem rather than an individual user or piece of software.

So some insights on node and wallet software security. Vulnerabilities are still very rare: we only talked about four flaws here, and one was introduced intentionally. The question and challenge to you: do we really have enough eyes looking at nodes, looking for the vulnerabilities, and being able to patch them?
There are bug bounties which are available, but I wonder if there are enough participants and enough folks which are really pushing the limits of how secure that software is. Ravencoin's stealth commit and Trinity's supply chain threats: this will likely happen again. Attackers are highly motivated; there's a direct financial profit in attacking these pieces of software. So this will likely repeat.

So switching gears a little bit to the layer two issues, which is smart contracts. That's even more concerning. I'm listing here 10 incidents; there was one more that happened in the last few days, which is not included here. As DeFi projects are getting more and more popular, the vulnerabilities... This is complex software, which once again has a lot of different vulnerabilities which are constantly getting discovered. I'm not going to cover all of these; it would take a whole hour on its own, but I'll focus on just three of these. So we'll start left to right.

The first incident that basically opened the year was the bZx DeFi project back in February. And the way that it started out was there was a margin trading vulnerability that was exploited; 1 million worth of ETH was stolen. What was interesting about this particular incident is that the attacker used flash loans in order to amplify the attack. Flash loans are basically a mechanism where you can borrow X amount of an asset and return it back to the initial point, all within the same transaction. So you're paying non-existent or minimal fees for doing that, and it allows you to execute an attack in between, since you have all these assets available to you in order to execute the attack. So this kind of defeats a paradigm that we had before, where we think that if it costs so much money to attack something, that makes it less likely that someone will actually execute the attack. But with flash loans the attackers have really minimal risk: if the transaction reverts,
then so be it, they don't lose anything. They can return those funds and whatever they loaned, and they don't really lose anything, but if they win, then they win big. So in this case they won 1 million dollars worth of ETH. And we start seeing this flash loans approach happen again and again throughout the year from this point on.

Another incident which is interesting to note is the Balancer project. So again, 500k was drained from multi-token pools. This one is interesting because it wasn't a vulnerability in the Balancer smart contract itself. It was in the way that one complex project was interacting with another complex project: in this case, the developers could not predict that you could use deflationary tokens, which change the logic to the attacker's advantage. So on its own, like in all of their testing with traditional token systems, it works as expected. So this is something that is well known in traditional computer security practice and something that needs to be applied to DeFi projects as well. Another gotcha in this one is that the vulnerability was reported in a bug bounty report. So the good news is bug bounties work. I think a lot of the projects in the DeFi space do have bug bounties; it's just very hard to triage those things, very hard to find the ones which are real examples of an attack, or which ones are not as good quality. So this is something to keep in mind when running your own bug bounties.

Now the last example, and again, this is something that repeated in other incidents, is the Bancor project, where developers were notified that they had a vulnerability.
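As an added illustration (not Balancer's code), here is a toy constant-product pool that books its reserves in the two ways the Balancer discussion above contrasts: one version trusts the amount the caller claims to have sent, the other books the measured change in its own balance. With a constructed token that burns 1% of every transfer (the deflationary behaviour the developers did not test against), the trusting pool's ledger drifts above what it actually holds after repeated round-trip swaps, while the measuring pool stays consistent. Token, pool, fee and balances are constructed for the simulation.

```python
"""Toy simulation of pool bookkeeping against a deflationary (fee-on-transfer) token.

Added illustration; not Balancer's code.  A constant-product pool keeps its own
record of reserves.  A deflationary token burns part of every transfer, so the
pool receives less than the caller sent.  A pool that books the amount the
caller claims (the vulnerable pattern) lets its ledger drift above what it
really holds; a pool that books the measured balance change stays consistent.
All amounts are integers in base units.
"""


class Token:
    """Minimal ERC-20-style ledger; `burn_bps` basis points of every transfer vanish."""

    def __init__(self, burn_bps: int = 0) -> None:
        self.burn_bps = burn_bps
        self.balances: dict[str, int] = {}

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def mint(self, who: str, amount: int) -> None:
        self.balances[who] = self.balance_of(who) + amount

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balance_of(src) < amount:
            raise ValueError("insufficient balance")
        burned = amount * self.burn_bps // 10_000          # deflationary part
        self.balances[src] = self.balance_of(src) - amount
        self.balances[dst] = self.balance_of(dst) + amount - burned


class Pool:
    """Two-asset constant-product pool with a bookkept reserve record."""

    def __init__(self, name: str, tok_a: Token, tok_b: Token, measure_received: bool) -> None:
        self.name, self.a, self.b = name, tok_a, tok_b
        self.measure_received = measure_received     # False = trust the caller's amount
        self.reserve_a = tok_a.balance_of(name)
        self.reserve_b = tok_b.balance_of(name)

    def _pull(self, tok: Token, src: str, claimed: int) -> int:
        """Take `claimed` units from `src`; return what the pool books as received."""
        before = tok.balance_of(self.name)
        tok.transfer(src, self.name, claimed)
        return tok.balance_of(self.name) - before if self.measure_received else claimed

    def swap_a_for_b(self, user: str, amount_in: int) -> int:
        got = self._pull(self.a, user, amount_in)
        out = self.reserve_b * got // (self.reserve_a + got)   # x*y = k pricing
        self.reserve_a += got
        self.reserve_b -= out
        self.b.transfer(self.name, user, out)
        return out

    def swap_b_for_a(self, user: str, amount_in: int) -> int:
        got = self._pull(self.b, user, amount_in)
        out = self.reserve_a * got // (self.reserve_b + got)
        self.reserve_b += got
        self.reserve_a -= out
        self.a.transfer(self.name, user, out)
        return out

    def ledger_drift(self) -> int:
        """Booked reserve of A minus what the pool actually holds (0 when consistent)."""
        return self.reserve_a - self.a.balance_of(self.name)


def round_trips(measure_received: bool, trips: int = 20) -> int:
    """Run A->B->A swaps against a fresh pool; return the final bookkeeping drift."""
    tok_a, tok_b = Token(burn_bps=100), Token()      # A burns 1% per transfer
    tok_a.mint("pool", 1_000_000)
    tok_b.mint("pool", 1_000_000)
    tok_a.mint("trader", 100_000)
    pool = Pool("pool", tok_a, tok_b, measure_received)
    for _ in range(trips):
        got_b = pool.swap_a_for_b("trader", tok_a.balance_of("trader"))
        pool.swap_b_for_a("trader", got_b)
    return pool.ledger_drift()


if __name__ == "__main__":
    print("drift, trusting caller's amount:", round_trips(False))
    print("drift, measuring balance change:", round_trips(True))
```

The drift is the gap between what the pool thinks it can pay out and what it really has; pricing every swap off a balance the pool does not hold is the mismatch that deflationary tokens exposed.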
So they learned there was an issue, and the way that they approached protecting their users was by attacking their own coin, their own smart contract, in the same ways that an attacker would, just with the purpose of actually preserving user funds. But what was interesting here is that arbitrage bots, a piece of software constantly monitoring the Ethereum network, seeing if there is some large activity happening and automatically replaying it trying to exploit arbitrage opportunities, picked up on developers trying to secure users' funds and were automatically able to exploit the project in the same way that the developers were doing it. So it's fascinating to see those automated pieces of software that just piggyback off existing attacks.

So some insights on the layer two smart contract security. This is going to be the year of DeFi hacks, both in the amount lost and the number of vulnerabilities discovered. Unfortunately the number of incidents is on the rise, so we will likely continue seeing that this year. The bug bounty programs, they work, and developers are catching bugs early, which is a good sign, and I'll explain to you why in a bit when we talk about tooling and guidelines. But the interesting trend, used by Bancor, is that we often have to hack ourselves to secure funds. Complex code will continue having bugs, and complex interactions between different projects are also something that we need to think about, as this is the whole point of DeFi: you're creating links between vast smart contract projects out there.

So I promised to talk about user security, and we had a few major incidents that we're going to cover shortly, from Twitter and so on. But this is, sometimes it's not as exciting of a field to look at, but just as critical as any other discipline. So we're going to talk about cryptocurrency malware, a variety of scam and fraud schemes, as well as just talk a
little bit about who the bad actors are, who is doing that, who are the new players in this arena now.

So first let's talk about crypto mining malware, and this is how I got partially into cryptocurrencies: essentially for a year I was reversing nothing but ransomware and crypto mining samples. On the crypto mining side, it was always the Monero folks. They are setting up their miners, XMRig, into anything that can possibly run XMRig. So if they could run it in toasters, they probably would run it in toasters. So far this year it's not as bad as, you know, Russian scientists running nuclear stations mining on nuclear stations, but still five EU supercomputers were hacked in order to run Monero miners. We had multiple issues with Docker, where attackers were scanning vulnerable API endpoints to take over existing Docker images, or just publishing their own backdoored Docker images on Docker Hub, which would also mine Monero in the background. And of course there's just a never-ending stream of Windows desktop malware; one example is Lucifer, which is just an arsenal: there was a whole exploit built into it which can self-propagate, attack other Windows machines and spread on its own.

So on the ransomware side, it seems like this is an ongoing threat. I'm not sure yet if the trend is going down, but so far we had UCSF, which was attacked for 100 bitcoin or so; Travelex earlier this year, 285. Just a few days ago we learned that Canon was attacked with ransomware by, I believe, the Maze crew. We don't know; they're known to ask for bitcoin as a ransom, so we'll find out when the incident concludes. And of course it seems like every city in Florida is getting ransomware on their machines. So, an example, the city of Riviera had to pay 65 bitcoins to get their systems back online. Yeah, so this sucks. This is unfortunate.
This is a threat that we have to worry about, especially on systems like UCSF in the time of COVID, but this is something we'll continue seeing: the Monero miners will hack anything available to them to install the crypto mining malware. Ransomware appears to be on the decline, but it's too early to say; we're still only halfway through the year to establish a trend.

Crypto giveaways. Well, I mean, we all talked about the Twitter hack, which was absolutely epic. I don't want to steal Victor's keynote presentation tomorrow, but he'll dive into more details. But just to summarize: 130 accounts were hijacked on Twitter, from exchanges to celebrities to corporate accounts. The way they were hijacked is that the attackers were able to basically get access to the internal tools through social engineering of Twitter employees. And that's kind of fascinating: like, the best thing they could think of doing with it was running a BTC giveaway scam? So on one side this is really bad; on the other side it could have been much worse. Elon Musk is getting no break from YouTube scammers. So anytime you see a SpaceX feed, there's likely going to be "send BTC" notes everywhere. So sorry, Elon. MLM scams still continue on as before. So we started with BitConnect and moved on to the four billion enterprise of PlusToken, and now the latest and greatest is Chinese police just busted WoToken scammers, who managed to get one billion dollars worth of crypto from 700,000 victims.

What's more interesting is not just the existing scams, or the ones that I covered before, but the trends of what we are going to see: attackers experimenting with things which may become more prevalent. So one example is the MakerDAO phishing attack, and that's the first example of a web3 phishing scam. So you think that you are exchanging SAI to DAI, you are interacting with MetaMask, or so you think, you're putting in your keys and then, bam, all your coin is stolen.
So this is something that was reported early in the year, and something we'll potentially see in the future.

The Justin Sun deepfake scam was fascinating. Someone essentially recorded a video of Justin Sun doing some kind of an investor scam, trying to get people to send money to this unknown entity, and they played that video on a Skype call, complete with Justin coughing. It looks very real and also very fake and strange at the same time. They faked his passport to show for some reason. If you want to search for that on YouTube, it's a fascinating video to watch. It's still not something that was successful, but it's kind of fascinating that scammers have been exploring deepfakes for that purpose.

The last example is the Trust Wallet scam. We see just a barrage of backdoored fake wallet software everywhere, if you search on Google or if you search in the app stores. What's interesting about this case is not the wallet itself, it's how it was addressed: a security researcher was able to actually attack the infrastructure, a fairly broken infrastructure on the attacker side, to start recovering the funds. This is an interesting trend of folks taking things into their own hands to help users.

So a quick note about the bad actors. We already talked about the individual attackers, so the Twitter folks: three were already arrested, one in Florida, one in the UK. We'll call them lone wolf type attackers. Then there are insider threats, such as the Cashaa employee who got malware on their machine, which unfortunately resulted in funds loss. Let's talk about APTs. We're familiar with the Lazarus Group.
So that's the North Korean APT, and there is a whole variety of financially motivated ransomware groups who basically attack anything for financial gain. What's interesting this year is the CryptoCore APT, which is our very own dedicated cryptocurrency exchange advanced persistent threat. With a bull market maybe happening sometime in the future and renewed interest, we're probably going to see more dedicated groups like this, as this becomes a highly profitable enterprise.

So, some insights. One is that users are taking things into their own hands. We have a lawsuit against YouTube for being too slow at taking down the giveaway scams. We have Michael Terpin suing AT&T to basically compensate him for allowing the SIM swap to happen in the first place. We have researchers like Harry Denley reverse-hacking scammers to get users' funds back. While it does sound good on one hand that people are really fighting back against the scammers, I really wish the industry was more mature and we had enough tools on one side, but also user education, guidelines and other security controls available, so that not as many people would get compromised in the first place.

MLM schemes are incredibly profitable. This year, out of all cryptocurrency scams, basically 99% of the take was the WoToken one billion dollar scam. In the past, PlusToken with their four billion dollar take controlled, I think, a whole one percent of the total bitcoin supply. So these things are incredibly profitable and will definitely continue.

An interesting trend is that exchanges are proactively blocking bad addresses to protect their users. There's always a debate of centralized versus decentralized storage, and something that was interesting to observe this year is that exchanges like Coinbase
were basically blacklisting the attacker addresses immediately to save their own customers' funds. This is something that could be decentralized as well, if you're looking for a project: being able to alert users that they are about to do some kind of unsafe action. I believe a few projects like MyCrypto are in fact doing that already. Scammers are getting more creative, so the Web3 phishing sites and the deepfake scams are fascinating to see. I'm not sure how profitable they are yet, but if they do become profitable at some point, we'll see a very rapid rise of them.

So, to summarize the state of blockchain security insights that we've seen so far. We talked about exchange security: the number of hacks and the financial damage are decreasing, which is great; on the other side, existing incidents could have been easily prevented. Attackers are going after more than just coins: they're going after PII, they're getting creative.

On the asset side, low-hash-rate, GPU-mined proof-of-work coins are getting 51% attacked and will continue getting 51% attacked. There was a first example of a proof-of-stake attack, and it was very efficiently executed. We're not finding nearly enough node and wallet vulnerabilities; I think there's an opportunity there for independent security researchers to really start looking at that. Nasty backdoors and supply chain attacks against nodes and wallets: again, if you can backdoor a node, you can attack the whole coin, the whole ecosystem. You don't have to go after individual people; you can take basically the whole asset down. So this is highly dangerous, highly critical to start looking at. DeFi vulnerabilities are unfortunately on the rise, and so are the attacks, as the whole ecosystem is becoming more popular.

On the user side, I don't see any new threats which have suddenly popped up.
It's just a consistent threat from miners, ransomware and fake software, and scammers are still sticking to giveaway scams and MLM schemes. They're getting more creative here and there, but the giveaway scams unfortunately still work. So an opportunity here is to work on more user education to see if we can make users a little bit more secure.

So we've seen what the issues are, we've seen what the problems are, and here and there I dropped some ideas of what you can do to contribute to the field and make it more secure. But really we can look at it more holistically and think of blockchain security as a standalone industry that we can build up together, that we can grow in terms of maturity, education, projects and so on. Some ideas that I'm going to cover of what we can do: we can talk about guidelines and tools and how we can develop those, we can talk about growing the community, and specifically what it is that you can do today to start applying and contributing to this field.

On the guidelines and tools side there are a few amazing projects available. The ConsenSys Diligence folks keep on publishing a variety of software to test smart contracts. They publish the SWC (Smart Contract Weakness Classification) registry, where you have a listing of the top vulnerabilities, which helps you build an understanding of what they are and how to prevent them. The Trail of Bits folks are publishing tools one after another; they have Slither and Echidna, and they published a document summarizing the findings from all of their smart contract security assessments: what are the trends, what are the top issues to look out for. OpenZeppelin essentially defined the field of how to write secure smart contracts. I'm seeing a lot of the newer projects
just verbatim adopting OpenZeppelin templates, and they're very secure as a result. Other projects: Securing published the Smart Contract Security Verification Standard. NCC Group published an OWASP-style top 10 list back in 2018, but unfortunately it wasn't really maintained for a while, so it would be interesting for them to give new life to this project. Another one is the Cryptocurrency Security Standard, and this one is interesting because, if you notice, all the previous things that I mentioned have to do with smart contracts and Ethereum. This is the only standard and project out there which attempts to talk more about how to securely generate keys and how to securely store keys in cold storage. I would love to see this project growing and having a larger impact on the security of exchanges, nodes, wallets and so on.

Guidelines and tools are important. If we are to grow this industry, we need to have large collections readily available for anyone who wants to contribute to this field, to be able to quickly learn from the mistakes of the past. On the smart contract side, I think we're pretty solid: we have great tooling, we have methodology, we have a variety of companies and consultants who are available to test your smart contracts. So even though there are a lot of DeFi issues getting discovered, there are enough tools and folks who are experts in this field to address this trend very quickly. On the other hand, we're missing core guidelines, core methodology, and practically any tools to address standalone blockchains. If someone wants to build a new project, what is a good resource that they can read
to learn about the failings of the past, and how they can learn and correct whatever future designs they're building? Node configuration and operation: nodes are at the core of any blockchain project, and if nodes at some point start having more and more vulnerabilities discovered, then this brings down everything that is built on top of them. Hot and cold storage security, key management, protocol design, wallet design, innovations in blockchain forensics, and also user security: how to educate users and give them simple guides on how to avoid scams, how to give them tools to quickly protect them against going to bad websites, Google browser-style warnings like "this is dangerous, don't send to this address." One thing that I will be covering later in a separate talk, on attacking and defending blockchain nodes, is that I'm trying to create an OWASP Top 10 style listing of what you can do to secure your node infrastructure. But I invite all of you to pick out any one of those items in the list, or, if you imagine that you have more things to contribute to this field, start writing documentation, start writing tools. There's an entire field available that you can develop and work with.

On the community side, well, here we are at the Blockchain Village. There are three other conferences which are also available that you can attend, hopefully virtually, throughout the year. But I wonder if there should be more; I imagine that as the community grows and this field grows, we're going to see more and more of these. We have our own competitions: this year I believe Victor is hosting a blockchain investigation competition; last year we had Capture the Coin and Chain Heist. There are some challenges which are ongoing, such as OpenZeppelin's excellent Ethernaut. So this is great.

On the knowledge sharing side, we have a variety of resources.
You can go on Telegram, Reddit, the Discord here for DEF CON, and you can talk about blockchain security. There are some newsletters that are also working on disseminating knowledge. The one that I'm writing is Blockchain Threat Intelligence, where I try to cover every piece of news that is related to this field, not just related to smart contracts but holistically: exchange security, malware, user scams and all of that. ConsenSys Diligence is running an excellent smart contract security newsletter, so if you want to focus on Ethereum and layer 2 security, this is the resource to subscribe to immediately. We even have our own shitty movies: we have Crypto, where we have an AML officer hunting down and investigating blockchains to bring down the Russian mafia, and Money Plane; I'm not sure exactly what's happening there, I think the plot is they're hacking crypto on a plane which is a fortress and a casino. The point is we have our movies, we have our media; we made it officially. This is great.

So, some community insights. We're still a very small but growing community with unique competitions, gatherings, chat rooms, challenges, tools, projects and so on. Our community should and will continue growing. What's exciting to see is blockchain security, or BlockSec, becoming a career option. Even today you can look on the internet and find jobs doing smart contract security testing if you want to; you can do blockchain security engineering, so building security projects. Cryptocurrency forensic analysis is going to be even more in demand after the Twitter hack, as more people will try to exercise this new skill set. So I'm hoping this will grow in the future.

The point is, I want to invite you to contribute to this field. So if you enjoy learning about the nitty-gritty technical details, from consensus mechanisms to smart contracts, great, join BlockSec and contribute to this field.
There's plenty of things to explore and do here. If you're a security professional and you're just tired of finding yet another XSS or SQL injection bug, and you want to find some cool new things which are just not fully explored yet, to basically be able to define the field: great, join BlockSec. There are plenty of bugs that need to be found and patched by you. Are you an investigator who is trying to hunt down fraud, who wants to understand how the hell we track down fraud and bad guys on the blockchain? Great, join BlockSec. There are plenty of blockchain analytics companies out there, and there's a growing body of investigators who are now capable of doing those tasks. Join them; this is very interesting. Finally, if you're a developer and you're just looking for an exciting new project, and you really want to make an impact on the open financial system, making that system more secure and contributing to it being more trustworthy to the people using it is a good way to help bring that about. So with that, join BlockSec, and thank you very much for your time.