Hi, I'm Nicholas Ajabek and I'm the CEO and co-founder of Danish Blockchain Lab. I'm very happy to be here and speak about the topic "Seven Ways of Ensuring Security of Your Blockchain Product". At Danish Blockchain Lab we are experts focusing on security audits, mainly focusing on blockchain. We find it very interesting that a lot of companies are choosing blockchain as a technology, specifically because of the security function that it carries, but after they have chosen blockchain, what happens very often is that security in the everyday and continuous integration is kind of moving into the background. So we see a lot of these companies have chosen blockchain to prove security, but in the everyday they are not really focusing that much on security. And those are some of the points that I will be focusing on in this presentation.

So a lot of the reasons for choosing blockchain as the underlying technology are definitely to make sure that the things that you're carrying in the product are being held secure. So what we often hear is: but it's a blockchain, so it's secure, right? And we often meet this misconception that blockchain is carrying some sort of security magic inside it, meaning that once you have chosen blockchain as a technology, then you no longer have to focus on security. And I will be showing you some numbers, and I bet that a few of these numbers will probably show that this is definitely a misconception within this industry.

So just by now in 2022, we know that $2 billion has been stolen by hackers. We know that a lot of this is targeted at DeFi, and a lot happened through blockchain bridges. What we also know is that it has kind of changed from being single groups and single individuals who are doing these attacks and switched more into being dominated by very professional groups, very professional organizations, and even sometimes nations really focusing on carrying out these attacks very professionally.
So these are some numbers from this year, from some of the largest hacks that have happened so far. There may have been a few more hacks since I created this presentation only a week ago. But I'm pretty sure that most of you are familiar with a few of the biggest ones; that would be Axie Infinity, Wormhole. And what is really, really interesting when we look at these numbers, besides the amounts of money and funds being stolen, is that not all of them are actually targeted through the smart contracts.

So what do I mean by that? Well, what I mean is that with a lot of the companies that we are in touch with, in the first meeting that we have with them, the client usually asks us if we can conduct a smart contract audit for them. And yes, definitely we can, but the thing is that smart contracts are not the only way that hackers can exploit your blockchain product. Of course it does not mean that you should not focus on securing your smart contracts. You should definitely do that. But it has become very clear that hackers are taking advantage of other ways into your product as well.

So if we go back to the numbers and the model that I just showed, what is interesting when we take a closer look here is that in only two of these cases the hackers actually gained access to the funds directly through the smart contracts. And in a lot of the other cases here the hackers got in in different ways. A good example of getting hacked, not through the smart contracts as the first touch point, is especially Axie Infinity, which was carried out by a well-known hacking group. What they did was that they actually created this fake company, a fake tech company that posted fake job ads, and they actually directed this to some of the developers, the core developers at Axie Infinity. So what happened was that these engineers at Axie Infinity actually started to apply for jobs at this fake company, which was basically set up by the hackers.
And eventually the hackers were very successful in passing different files back and forth, which the job seekers in this scenario falsely thought were PDFs with material, CVs, resumes, stuff like that. And in fact it infected the infrastructure and the computers of Axie Infinity, which made the hackers able to draw out more than 600 million dollars. So that's a very interesting case where we know that the hackers actually did not get in through the smart contracts, but they got in through regular, almost if you will, phishing.

So if we kind of divide it into different categories here, we can see that a lot of the cases that I showed you right before actually happened through phishing. And if you're not that familiar with phishing, it's a type of social engineering, and it's often a way that hackers trick themselves into the organization: it could be that they are scamming your domain, it could be that they're creating a domain that looks very much like your domain, and what they will do is that they will be sending fake mails, they will be getting your access codes, they can get you to draw out money, and all sorts of stuff like that.

Another huge chunk is misconfigurations. A lot of the cases we see are happening due to the fact that blockchain is such a new technology, meaning that it is very difficult to gather a large development team that has done this a million times before. So I usually say that this is one of the rare businesses, one of the few businesses, where you are almost considered a senior after only one year. So what often happens is that if you would like to scale up and create a huge team, you will end up with one senior and a lot of developers who may be doing this for the first time. And that means that a lot of them will be cutting some corners; they will be copy-pasting code from different repositories, which can be totally fine if you know what the repositories contain and what the code actually does.
So what the hackers can use here is, of course, they can go through smart contracts, they could also be accessing master keys, they could be exploiting wrong setups in two-factor authentication, or they could be taking over domains. We recently saw an example of this. The hackers were actually hacking GoDaddy, and what happened was that they took over the domain of this company, and they changed the DNS so it directed to the hackers' site, and they had made this replica of the original site, meaning when the users were logging in, they were asked to reconnect their wallets. Everyone did, most of them did, and then the hackers were actually able to draw out funds from the wallets.

Another way, of course, as most of you probably know, is the vulnerabilities in the smart contracts, and that will be exploiting bugs or vulnerabilities in the smart contracts. And that's definitely a factor that you need to take into consideration as well, even though we see that a lot of these attacks are actually directed at organizations where the general level of security is low.

Right, so what do we actually need to take into consideration when we want to increase the security of blockchain products? Let me give you seven points.

All right, the first point here you are probably better off thinking through before you actually launch the product, and it's about tokenomics. And a lot of people out there are not considering tokenomics to be part of classical security, but the thing is that if it has not been set up right, then you can actually find yourself in a position where someone can take advantage of bad structures, or bad mathematical structures, or bad economic structures in your environment, meaning that they can actually draw out a lot of funds and do things that they were not supposed to do. And by that, parties can actually come in and draw out and take advantage of the bad structures in the setup of the tokenomics.
And that can be very mission-critical for your product. So we have worked on projects where our experts in tokenomics have saved projects from being misused by bad actors solely due to poor tokenomics.

There's also a huge need for looking through the blockchain network security. By that, it's very important to have a focus on the whole network surrounding the blockchain, because there will be infrastructure, databases, servers and stuff like that that can be exploited. So as you are considering focusing on smart contracts, you need to have the same focus also on the infrastructure and on your server side as well.

All right, a lot of these applications that are being used together with the blockchain can contain a lot of vulnerabilities also. So you need to take into consideration how strong the user authentication is and how the endpoints are set up, who has access to what, if it's a permissioned blockchain, where access and use are only open to vetted and known participants. This may include variable levels of access that could change over time. So you need to think about who has access now and what scenarios can come in the future: what happens if our staff changes, who can take over, and who has access to what. Where are the keys stored within the applications? How do we make sure that we don't have a decentralized blockchain but a centralized database of all the private keys? We have seen that also. So there's plenty of room to look through within the application security itself.

Another very interesting part here is to institute real-time analytics. And what does that mean? Well, in fact, it means that you have monitoring systems monitoring parts of your infrastructure. It could also be your protocol itself, looking for anomalies. A good example of that is the example that I mentioned earlier with GoDaddy, where the company was actually hacked through the domain.
We work very closely together with different vendors of different monitoring systems. We're not a software company, but we do consulting. So we point at the best within the industry. Within domain intelligence, we work together with a very, very cool company called FIO. And what they do is that they can actually monitor your domain for you. And what it will do is that you will get notified right away if there is a look-alike domain coming up that might be taken advantage of by scammers. Other than that, they actually have people that can jump in and take down the scam domains for you. So that's a very, very handy piece of software and service that they provide. Other than that, it's very, very important to have general log files, general monitoring of transactions, of your server side, and of your network in general.

So what is really, really important, after you have set up a lot of systems for monitoring, is actually to have a plan about who will actually act if something happens. What we see a lot is that, of course, it's very well known that if you as an organization do not have any systems for monitoring, then, of course, your security level is very low. But we also see that if you increase the products within monitoring, then you'll end up with a lot of data, a lot of monitoring, and that will actually make your security decrease again. And the reason for that is that your staff is probably not geared to actually figure out who will actually act upon this data. Maybe they also have other things to do than be staring at monitoring services. And that will actually end up drowning your staff in data and not having a real strategy for what to actually do when this scenario or that scenario happens. So it's very, very important to have a strategy so the company is able to defend at all times. And unfortunately, the hackers are not taking a day off only because you are.
So they will be active even though it's Christmas Eve, New Year's Eve, or when you are on vacation. We are right now developing a service within response teams, meaning that we can provide 24/7 coverage for companies, making sure that we will take over and defend in the case that an attack is happening.

Next up is to make sure that your audit strategy is actually in place. And by that I mean, why are you doing the audit? Are you doing this only to please your investors, only to please your users? Or are you actually looking into making sure that you have a secure product? So it's very, very important to have a strategy about your audits. What part of your structure and your product are you actually auditing? And why are you doing it? A lot of the audits that are being done today are very retrospective, meaning that they will tell a lot about whether your product has been insecure or secure up until now. And once you have done the fixes, then they will actually probably be outdated within a few weeks. Meaning that an audit will probably never look into the future. So it's very important to have a strategy around how often we do it and why and what parts we are actually doing.

Last but not least, it's very, very important, of course, to only use trusted auditors. And it's very important to make sure that you are aligned with the auditors and you understand what kind of methods they use. The worst-case scenario is that the audit company will tell you, well, everything is okay, we didn't find anything, but they don't tell you how they conducted the audit. They did not tell you about what kind of blind spots they may have, or they did not tell you about the method, meaning how and what areas they are leaving out of this. Because if you do not understand the methods and if you do not understand the blind spots that it may leave you with, you don't fully understand the risk afterwards. Then you could have this as a false sense of security. And that's definitely not good for anyone.
It's not good for the audit company. It's not good for the client to have a false sense of security within the space. All right. Thanks a lot. Thanks for having me. It was a great pleasure to give a speech here at Hyperlegion. And thanks a lot. Take care.
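The domain-intelligence monitoring the speaker describes (being notified when a look-alike domain is registered) can be illustrated with a small detector. The code below is an added example, not code from the speaker, from Danish Blockchain Lab, or from the vendor mentioned in the talk; the confusable tables, the similarity threshold, the owned domain and the registration feed are all constructed assumptions. It goes slightly beyond the talk by showing three distinct signals a monitor can raise: a label that normalises to the owned label after folding confusable characters (including punycode-encoded Cyrillic), a label that embeds the brand, and a near-miss by edit similarity.

```python
"""Look-alike domain monitor (added example; not the speaker's or any vendor's code).

Given the domains an organisation owns and a feed of newly observed registrations
(here a constructed list), normalise each candidate label against common look-alike
tricks and flag the ones that resemble an owned label.
"""
import unicodedata
from difflib import SequenceMatcher

# Substitutions frequently seen in look-alike registrations. Assumption: an
# illustrative table, not a complete confusables list. Multi-character entries first.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"),
                     ("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s"), ("7", "t")]
# A few Cyrillic letters whose glyphs are indistinguishable from Latin ones.
SCRIPT_CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
                      "\u0441": "c", "\u0445": "x", "\u0443": "y"}
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "xyz", "app"}   # assumption: tiny list
NEAR_MISS_THRESHOLD = 0.85                                  # assumption: tuned by hand


def registrable_label(domain: str) -> str:
    """Lowercase, decode punycode, and return the label left of the public suffix."""
    d = domain.strip().lower().rstrip(".")
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # malformed punycode: keep the raw label and compare it as-is
    labels = d.split(".")
    return labels[-2] if len(labels) >= 2 and labels[-1] in PUBLIC_SUFFIXES else labels[0]


def normalize_label(domain: str) -> str:
    """Fold confusable characters so visually similar labels compare equal."""
    label = unicodedata.normalize("NFKC", registrable_label(domain))
    label = "".join(SCRIPT_CONFUSABLES.get(ch, ch) for ch in label)
    for bad, good in ASCII_CONFUSABLES:
        label = label.replace(bad, good)
    return label


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] from difflib; 1.0 means identical."""
    return SequenceMatcher(None, a, b).ratio()


def classify(candidate: str, own_domains):
    """Return a reason string if the candidate resembles an owned domain, else None."""
    cand_raw = candidate.strip().lower().rstrip(".")
    if cand_raw in {o.strip().lower() for o in own_domains}:
        return None  # one of our own registrations
    cand = normalize_label(candidate)
    for own in own_domains:
        own_label = normalize_label(own)
        if cand == own_label:
            return "confusable: normalises to owned label %r" % own_label
        if own_label in cand:
            return "brand embedded: contains %r" % own_label
        score = similarity(cand, own_label)
        if score >= NEAR_MISS_THRESHOLD:
            return "near miss: %.2f similar to %r" % (score, own_label)
    return None


def scan_feed(own_domains, feed):
    """Return [(domain, reason)] for every feed entry worth an alert, in feed order."""
    hits = []
    for domain in feed:
        reason = classify(domain, own_domains)
        if reason:
            hits.append((domain, reason))
    return hits


OWN_DOMAINS = ["examplechain.io"]  # constructed: the brand being protected
FEED = [                           # constructed: entries as a registration feed would list them
    "examplechain.io",             # our own domain, must not alert
    "exarnplechain.io",            # "rn" in place of "m"
    "examp1echain.com",            # digit one in place of "l"
    "examplechain-support.xyz",    # brand embedded in a longer label
    "exampelchain.net",            # transposed letters
    "\u0435xamplechain.io".encode("idna").decode("ascii"),  # punycode of a Cyrillic-е variant
    "unrelatedsite.org",           # unrelated, must not alert
]

if __name__ == "__main__":
    for domain, reason in scan_feed(OWN_DOMAINS, FEED):
        print(f"ALERT {domain}: {reason}")
```

In practice the feed would come from a certificate-transparency log or a registrar zone-file diff, and each alert would be routed to whoever in the organisation is on the hook to act on it, which is the point the talk makes about having a plan for who responds to monitoring data.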