And we are live. What's up guys, and welcome back to another episode. I got a special guest for you today. I got Hunter Prendergast, who is a former nuclear reactor operator, solar system designer and computer engineer who has been working with blockchain technologies since 2015. Prior to co-founding Mimir... that's pronounced, how was it again?

Mimir.

Mimir, which is a Norse god, right?

Yep, that's correct.

That's awesome. We'll get to that in a second. And he built secure hardware devices, deployed automated trading algorithms and researched alternative applications for the Ethereum blockchain. Hunter, welcome to the show and thank you so much for doing this. You and I originally connected a couple of weeks ago. Unfortunately, due to timing restrictions and things out of our control, we couldn't do the podcast at that point. But the reason why I wanted you on the show is I had questions about the Parity hack and what went down, how did it go, and also, kind of to expand on that, since we have all these platforms and wallets out there, smart contracts holding ridiculous sums of money, what are we implementing in place for actual security protocols or audits to make sure this doesn't happen again?

Absolutely, yeah, there's a lot to talk about in those spaces and how it should be done better, how we can change the system to accommodate both the user and the business, or wherever the security needs lie, really. So where did we want to tear in to start all of this?

Why don't we do kind of a high-level approach, or kind of a scan of what happened with the Parity issue, okay?
Well, the Parity wallet hack really came down to a mistake. So when they deployed the Parity wallet itself, they created a library, and then they were using what's called a proxy. And proxies are basically a very minimal contract that allows you to talk to another contract in any way that you want. And what this does is, every time someone would create a new wallet contract on the blockchain, they wouldn't have to pay nearly as much gas, because all of the complex logic that allowed the wallet to operate existed in this library contract that all of the proxies were calling into, and they shared the same logic inside of that library. Now, every time that they did a change, what was actually occurring is they were changing the copy of their own local memory space in the contract system. And so what ended up actually happening was, because of a mistake during the programming of the library contract, it enabled a hacker to really go in and, while just kind of fiddling around, it would appear, accidentally destroy the entire library. And in the process, because all of those proxies relied upon that library to actually perform their logical operations, he effectively seized, I mean, I've heard various numbers, anything from 150 to over $300 million by accident, and then with the recent changes in price, substantially more than that now. So that's kind of a fairly high-level, but kind of technical at the underside. So were there any confusion points you had on what I said?

No, I'm quite aware of that and I understand that. My next question would actually be two things. A is, how can we stop this from happening again? And B, we can't guarantee that stuff like this won't happen again in the future. What better, let's say, contingency plans can we create to offset if this happens again?

Well, first we'll start with the contingencies.
So there is actually a proposal within the Ethereum development community to essentially have the ability to reset all of these types of things that may occur without actually having to perform a fork. And so this would take place through a consensus mechanism, and I don't think all of the details are really fully vetted yet, but essentially it would allow you to have the community as a whole roll back and undo these types of unintended things without having to modify the protocol itself. So that's one mechanism. There's of course, with anything of that nature, what we call the problem of the commoners. You know, you hear the analogy of the commoners robbing the coffers. So there's security concerns, and this is one of the things that must be balanced in that system. And so that's why we haven't seen that proposal probably go through, although it would help with a lot of this stuff. The other way that's really coming about to mitigate these types of circumstances is using virtualized ether tokens. And so this is actually a mechanism that we're employing within our own system. The ERC-20 token contract is a very well established, like, secure piece of code that everyone uses, and what you can actually do with it is you can have someone send you ether, and then you can give them an IOU in place of that ether that they gave you. And the idea here that's really interesting is that if you go send around all of this virtual ether, if something goes wrong, then all that you really have to change to make it work, or to undo a horrible accident, is to change a single contract and rewrite some numbers. This is awesome because we could undo some things, but just like the other compromise
I was talking about, that's only one place that someone has to rewrite some numbers to steal all of the Ethereum.

Mm-hmm.

So using virtualization is beneficial in that you can kind of undo it, but it's also dangerous. So those are the two mechanisms to kind of, you know, fix once this has happened. Now, in terms of mitigating this from happening in the future, there's a lot of things that are in proposals. One of the more exciting ones that I really look forward to actually hopefully happening would be to get WebAssembly support inside of the Ethereum EVM. And the reason that I say this is doing deterministic code, provable code, so basically writing something and knowing that it's only going to do exactly what you intended it to do, is much easier in that language. So there's potential there. There's also a number of developing tools for doing security audits against your own smart contracts. But I think within the Parity wallet hack, one of the things that really you should keep in mind is this is the second sequence of hacks against this wallet that this company had created. The revised copy of the new wallet came out within, I believe, 72 hours of the original hack occurring. The question is, did they really audit this code as much as they should have before they went live with it again? And so that's the thing at the end of the day: if you want to prevent these types of accidents, you have to know that what you've written is accurate and it's going to do what it should do and the way you want it to do it.

Did you see their statement? They actually came out, I think it's yesterday or day before yesterday, talking about hard forking.

You know, I haven't read the statement, because I'm actually right now turning on the alpha for my own company, so I'm embedded in code, sleeping like four and five hours a day, but I'll get around to reading that one soon. I think that that's probably the only way that we can expect to get these funds back, though, is a hard fork.
But then that brings up the question, though, because a lot of people see Ethereum as, well, they try to compare it to Bitcoin, which it is not, but they see a store of value, some people do. But the whole idea, if we can then constantly be hard forking these circumstances, then who's to say which circumstances should get approved or not?

Well, mind you, I didn't say that I necessarily agreed that we should hard fork, but I think that that's the only way that we could get them back now. I agree. I think that continuously forking... if we look at the economic incentive in those systems, right, the economic incentive is for a few minority miners to hang on when a fork occurs, and if they can get enough of a community to stand behind them, then they effectively permanently fork the network, or at least temporarily, and they're on a network that, albeit has a much higher difficulty, has way fewer people on it. So they're gonna get a lot more reward. If you just think about the raw numbers of the economics, if you do these types of protocol upgrades, the game theory is pointed at people should try to leverage that game, if you just do the equilibriums then, the Nash equilibriums. So it shouldn't be unexpected that that's gonna happen, and it does destroy the value of the network if it happens too many times. So I think with all of that said, that yes, we should be very, very careful how often we hard fork.

Are there any ways we can, like, mitigate this stuff on the back end, having some kind of multi-sig variations?
What I mean...

Explain exactly what you're asking there.

Because, okay, it's on the Parity hack, right, they had one set of, one, like, a library was relying on another set of code, right, and this hacker, or this individual, we don't know exactly what this person's background is, he came in and he found this faulty default and changed a bunch of stuff, and there you go, the code is suicide, or whatever they want to call it. Are there ways that we can create where not just one person can come in and do something, where even if he or she does do something like that, it automatically triggers an event that notifies other, let's say, participants within the security network?

So there's actually a really great paper on this exact topic that I recently read, and this is a classic engineering solution. It's not a very efficient one, but it is an interesting one, which is, say we're going to send, and a little bit off topic, but bear with me, say we're gonna send a rocket into outer space, right? If something goes wrong, it's catastrophe. One of every system... two of every system, then fails, we can keep the rocket in the air. Right.
So the classic engineering solution is, well, hey, if two was good, three is better, and, you know, et cetera, up until how much can we shove on here, and then that's where we stop. So there was a paper I recently read where actually the idea was you take two or three individual groups of programmers and you give all of those programmers the specification for what you want your program to do, and you have them completely isolated and code all of the logic to perform the contract. And then you have to, in this case, use three groups actually, but then at the end of the day, any time you want to modify something inside of the contract, you actually call all three of the contracts and you get the consensus of the two out of the three. This way, if any one group made a mistake, then the other two groups hopefully would not have made the exact same mistake and you could catch some of this. So yeah, the multi-sig kind of idea extended up and abstracted into the application logic layer. People are talking about it, but the gas cost of running that, yes, it gets expensive, right? So it's a balance, as everything in engineering.

Do you see big issues or fears in your mind with all these ICOs and people just running around with copy-paste code that no one has really audited or taken the time to really work on?

Well, I think that most of the people who are doing copy-paste code, they're probably not gonna be writing some complex logic and they're not going to be building some intricate machine. They're probably just gonna take the ERC-20 token interface, and they're gonna cut and they're gonna paste it into a page, and they're gonna go, "Man, I just made some new money for the whole world and I'm rich." And, well, I think that that contract is pretty secure. I mean, I've audited it a lot myself, because we're using some of the logic in pieces of our system, obviously, and there's only one flaw that I'm aware of in that code, and it's a race condition for front-loading, essentially.
Yes, and that is, for all practical purposes, an acceptable flaw, because it's actually doing something as intended. It's just, with a little bit of tweaking, you can make it do it better. So we've tweaked out ours just a tiny bit, but you can't change it much or you break anyone who wants to interface with your system. So to go back to the original question, my concern: yes, I am concerned about people flippantly raising millions of dollars that don't necessarily understand cryptography. That scares me a lot, in fact. But I'm not scared that the ERC-20 token contract is what's going to cause the problems.

I think it's actually, you're right, what scares me the most in the space is the exchanges.

Yeah, I mean, isolation, or rather, not isolation, consolidation of massive amounts of funds.

Can you imagine, like, Bittrex or Kraken, if they got hacked as of today and everything got liquidated?

Well, I mean, it would destroy the markets. Yeah, I mean, it's an interesting problem, because even if you could break in as a hacker, would you want to empty the bank account? Or would you want to trickle off bit by bit so that you didn't destroy the market you're robbing?

Right, because then you have skin in the game once you rob it, right? You don't want to lose the value.

Exactly. Yeah, the beautiful thing of, you know, how blockchains work on economics. So yeah, it is terrifying, and there's a lot of things that hopefully those companies are doing. I don't necessarily know all of what they're doing underneath in their server-side logic, but I would hope that they're using secure hardware devices and really doing the things right, because they have, some of them, even hundreds of millions, if not billions of dollars potentially passing through their system.
Mm-hmm.

Frequently.

So, I'll ask you two questions. Question number one is what excites you the most right now in the space, and then we will follow up with what is the most concerning for you in the space.

Most exciting things in the space: I think that really the thing that excites me is actually seeing some of the projects start to turn online, and we're starting to see these concepts that people were talking about, you know, decentralized exchanges, atomic swaps across chains, microchannels, all of these things that everyone's kind of been looking at and going, hey, if we could just turn these pieces of logic on, we could take this from something that's incredibly useful into something that essentially rivals payment processing systems on a global scale. And that to me is the transformation, when the blockchain goes from being essentially DARPAnet of the, you know, 1970s, early 80s, to the internet of today, where it's a global communication and exchange platform that is integral to almost everyone's daily lives even if they don't know it's there. If that makes sense, that's what I'm really thinking is where we're moving in the future, and I'm hoping I'm right. But the things that scare me the most right now, I'd say that the most scary things to think about are upgradable contract logic and people doing it wrong, and why it's necessary, and, you know, this whole thing of you write a smart contract and you are guaranteeing that the logic of the contract is established, because that's what smart contracts are intended to do. But then when you look back at that problem and you go, well, wait a second, what happens when a bug does occur? We need a way to modify this. So then you put in a mechanism by which you can modify a piece of code. Now, have you accidentally given yourself a back door?
Right, or given someone else a back door, or put in something that allows someone else to destroy your entire system. So I say that this is the thing that scares me the most. Maybe it's just because I've been writing a lot of Solidity recently, and even, unfortunately, what I don't like having to do, at places had to go into some assembly, which means that you have to really audit what you're doing. And so finding this balance between mutability and security is something that scares me personally, and it also scares me because if we have people who are trying to do this that don't understand how to construct finite state machines and do it right...

Mm-hmm.

...could undermine and destroy the entire thing that so many people have worked so hard to build up.

Do you think, like, second-layer solutions, for example like Plasma or generalized state channels, can kind of mitigate a bunch of these issues?

Um, well, depends on which issues. I mean, which ones do you think that they can mitigate, and then I'll give an opinion on that, how about that?

All right, let's do a real case study. If we had Plasma or if we had generalized state channels, could it mediate any issues that happened with Parity, if Parity used those second or third layer protocols on top of Ethereum?

Well, if they used them...

Yeah, if they used them.

So if we were using second-layer protocols, it's an interesting question, one honestly I hadn't thought about a whole lot. If we make the assumption that payment processing could occur outside of the traditional wallet scheme, it could have prevented having so many people putting money into that wallet. That would have been something of value and utility. The use of these micro channels, the fact that they are off-chain, which means that they're potentially mutable, if you could develop a side channel consensus mechanism to kind of remove the counterfactual claims or, you know, the protections in the system to be able to undo a wrongness.
Yeah. Yeah, I think that definitely if you're off-chain, it's easier to mutate data. Now, what you really have to wonder is not necessarily if it's possible to mutate the data, but if it's possible to coordinate the human beings in such a way that it's in their best interest to actually observe the rules. For me the data, yes. I don't know, because people move wherever you put the carrot, right?

Well, totally, and that's the whole thing. Like, even my concern moving on to, like, any proof-of-stake model, whether it's delegated proof-of-stake or whether it's Casper's, what sharding is: how do you stop coordination attacks? How do you stop collusion? How do you stop the fact that, like, if I can out, even financially, financially I just outmaneuver you, because if I'm staking, say, a million dollars worth of ether, I have more say than you do.

Yeah. So this is a problem within weighted proof-of-stake schemes, because you have the ability to be a whale and to kind of shove the market around. Now, the same question exists for miners, though. And with that said, miner manipulation, that's a fact. I mean, we've seen examples of suppression of block size, actually, by mining and spamming the network.

Just a couple of weeks ago the mempool in Bitcoin got flooded.

Yeah, we've also seen, I mean, we've seen all kinds of stuff. Even some of the gambling contracts, you know, they are essentially manipulating randomness and front-loading, or front-running, all kinds of stuff. So yeah, people will go wherever the money is, and so miners have potentially the ability to do the same thing you're describing in a proof-of-work system as you could in a proof-of-stake system. But manipulating the system too much is in your disinterest, right?

Yes. It's just manipulating it enough that you don't hurt the thing.

Be parasitic. Don't kill the thing. Just kind of live on it forever, right?
That's the way that these people have to live. I just get it from a technical standpoint. Yeah, I don't agree with that opinion, but if you're looking at the game theory now within proof-of-stake, yeah, I mean, you can manipulate it. Um, so you have to be careful.

What's your thoughts on that, too, the delegated proof-of-stake, where you have a delegate, I think it's 21 master nodes for voting?

You know, I haven't done the math on the game theories and I haven't thought through all of the different games or strategies you could play. I will say that it's a pretty complex game, right?

This is my big issue with this, and I'm just gonna make it a parallel with voting in politics. It's, okay, like anything in politics, you can bribe politicians. A lot of human beings are bribeable. That's one issue, but the bigger issue is this issue for me. Maybe they figured it out, I just don't know. The voting turnout for voters, what do you think it's like, what, 50%, 60%? Fluctuates, right? It's not a hundred percent of people come out and vote. So the way that these delegated master nodes get voted in is, like, everybody comes together who's a token holder, like, "I vote this as a master node." Well, guess what, you're not gonna have a hundred percent voter turnout. So you're gonna have all these whales who have all these tokens, who are gonna manipulate who these master nodes are, and obviously they're not gonna manipulate the nodes to decrease the value of their token. They obviously want to increase the value of the token, but they have say over what consensus happens in that ecosystem.

Yeah, we get back to the centralization problem all over again, right? Yeah, and I think that you're right. I think that consolidation of power into too few individuals in a system that's as large as, you know, cryptocurrency networks are today.
It's dangerous, and it needs to be played out very carefully. And when it comes to basically me saying it was a complicated game, the more simplistic you can make the game, the better off you are, because, a great example of this, the system that we are building within the product my company is working on uses a proof-of-stake mechanism under the hood. We had developed our product for, I believe, almost two months, and I was sitting outside with one of my software designers, or software architects, and we started kind of playing out a game, basically playing through the sequence of the proof-of-stake model, and both of us looked up about halfway through the game and went, "Oh my god, we missed that strategy," and it destroyed everything that we've been working on. And so we, you know, panicked and looked at each other and said, "All right, we've got to undo this, we've got to fix this problem." And we went back to the drawing board and we proceeded to redesign the underlying game theory to make sure we observed the edge case that we'd forgotten about. That's the point, though: if you forget one of the edge cases, and if we had made our system with that edge case in it, it would have essentially put a gaping hole in our security model. Keep it simple.

So why don't we kind of expand on that, like, what are you guys actually working on right now?

We're about to launch, actually.

Today, you said?

Oh, well, it's not gonna be launched today. We are in the process of, you know, doing some load testing, and just load testing. Yeah, everything is coming up gracefully and doing what it's supposed to do. So we're making sure all of the bugs are out of the system.
We're going live on alpha next year. The product that we've been building is a decentralized web API. So if you know what web APIs are...

I'm sure, yeah, yeah.

So obviously a way for mobile devices, or devices that are resource constrained, to access the blockchain. You know, that could be IoT, that could be cars, I mean, anything that has a connection to the internet that might have some utility in knowing something about the Ethereum blockchain. And so we're building a decentralized web API, which means that instead of hosting all of our own nodes, we rely on the fact that there are currently 25,000 nodes in the world, approximately, on any given day. That is an immense amount of processing power that's already dedicated to the very problem of having stateful information about the blockchain. So the idea is that running a node in a cloud infrastructure is very expensive for bandwidth, for processor, for storage, all of these things that go into it, so we offload our cost of running that infrastructure into the Ethereum community and pay people to do something they're already doing, and give people the information that they need on these mobile devices or resource-constrained devices.

So your platform is pretty open, then, for, like, devs to go on there with your open API?

That's the entire idea. At the end of the day, it should be as easy as binding to an RPC node on your localhost, right? It should be a nice transparent pipe for devs. We're really not aiming this product at clients. I mean, clients will obviously use it, because they interact with the blockchain too. I want to say clients, I mean, like, individual users. We're trying to build a tool that makes developers able to extend the reach of what they're making very easily and very inexpensively.

That's awesome. You said next year at some point you guys are live?

We're gonna go live on Ropsten, January, and ship around the corner. Yeah, right around the corner.
We've been mining pretty heavily on Ropsten, so if you notice there's like four or five addresses that are always winning, we pointed some huge GPUs at it so we can turn on a faucet, and we'll be turning out some ETH from our faucet for the alpha testers, and we'll be turning out the tokens that'll be utilized in the proof-of-stake model of our system. And we'll be running through the game theoretics and making sure that everything is running the way that it should, because I would much rather do that with the Ropsten testnet than with the Ethereum network itself.

And where can people check this out?

So our website is Mimir blockchain dot solutions, and you can get a lot of the information and resources regarding some of the upcoming releases. We're still limiting some of the information we're putting out until we're positive that we have everything where we want to be for next year, but we're going to be going live and letting people play with the API soon.

That's awesome. Well, Hunter, I just want to thank you so much for coming on and sharing your knowledge with everybody, and I'll speak to you soon.

Thank you very much. I'm very happy. Take care. Bye.