Aug 2, 2023

Crypto traders lost over $300 million in exploits and hacks in July, according to security audit firm CertiK.

Video transcript

The State of Crypto is presented by Tron, connecting the world to the power of cryptocurrency. So, what are the key takeaways from this report?

I would say July is really a dark month for the blockchain industry. As you just mentioned, more than $300 million has been lost due to various hacks and scam incidents. And that's the number in a single month. In Q1 or Q2 this year, each quarter's loss is about 300 million. So basically in July, in a single month, the loss exceeds what we lost in Q2 in one quarter. So it's really a dark month, I would say.

So what we want to understand is if you could just explain what happened, because what we're not hearing is some kind of clear understanding of why this happened. The only thing that we are hearing is from you, really, which talks about an upgrade that happened, but users didn't upgrade their devices and therefore they were exploited. That just seems very basic stuff, and it doesn't seem like a completely foolproof system. A programmable system like Vyper should obviously have other functions that allow users to not get exploited just because they didn't press update.

Well, it's really a great question and it's a great comparison, I would say. So everyone now is talking about the Vyper incident, which also affected DeFi protocols, and things still continue; people are still estimating the loss and the potential loss and so on. So what happened in the Vyper incident? As you mentioned, the one-sentence summary is that the developer didn't upgrade the compiler version to the latest one. So it's kind of like the user didn't press the update button and was using the old version of the compiler, and then exposed such vulnerabilities.

And if I want to go into more detail, Vyper is a project, a contract or programming language that developers use to write smart contracts and so on. Well, there are three affected versions. So there's a bug in the compiler that compiles the smart contracts to the code that will be executed on the blockchain. So basically, it means that if the developer used the old version, the wrong versions, even if the smart contracts they have written are correct, the real running code on the blockchain may still be vulnerable and so on. That's what happened in the Vyper incident. That's the issue.

So I know that lawyers would jump on this. But where is the accountability? You know, the bottom line is that this is the decentralized world. The reason there are rules and regulations is because somebody can be held accountable, and that is therefore a deterrence of a punishment. Here there is seemingly just the loss of money for people, or I don't know who. So where does the accountability come?

Yeah, good question. So in this community, in this industry, we always say that the code is law, right? So you should not trust any people, you should not trust any institute, any entity. You just need to trust the code, you just need to trust the technology. But you can see that most of the incidents are caused due to bugs in the code, because code is written by human beings, and we may make mistakes. Like in this case, the developer didn't even make mistakes in the smart contract, but they used the wrong compiler version, and that led to the incident. So you can't say, well, we blame Vyper, because it's an open source project. And you can't really blame the developer. You definitely can't blame the users. So who should, I would say, take the responsibility? That's a big question mark also in this industry because it's decentralized. So that is also why people rely on many third-party auditing firms, right, to try to help improve the reliability and security. But then, let's say, if an incident happens, should you blame the auditing firms? So that's really an unknown.

Well, I do want to ask about some of the other attacks that have happened and if they're related, how they're related, and if there are any big lessons that we can come away with between this Vyper situation on Curve and any other things that we see. Is there an underlying frailty in DeFi that can be overcome? And if so, other than auditing firms, as you said that's kind of complicated, what else can be done?

Yes, a good question. So you can see that in this industry the code becomes more and more complicated, and it's still a very young industry that relies on many new building blocks and introduces new cybersecurity challenges. For example, at the beginning, people said, well, we issue an ERC-20 token and we just need to make sure it is secure, and then we build very complicated smart contracts like DeFi protocols and so on, and they will try to make sure all these smart contract source codes are correct. And now you can see that there are also lots of other toolchains like the compiler; we also need to make sure the compiler is correct. Well, this code still runs on, like, a layer 2 network, like the many things we have been talking about actively, like Base, the layer 2 built by Coinbase, and so on. And then we have the layer 1 network, basically the underlying blockchain that executes the code. But these also introduce new building blocks like RPC nodes and new security risks like memory safety and so on.

And then, down the line, you also need to secure your private key, right? And many incidents also happened related to key leakage and so on. So many new building blocks, and I would say it's really tough, and you have to educate both the users and the developers in this industry: well, you need to pay more attention beyond smart contract auditing, you also need to do what we call full-stack cybersecurity, let's say starting from the smart contract to the layer 2 network to the layer 1 network, then to your private key management system and so on.

So there's just been kind of one DeFi hack after another. Do you think AI could potentially help solve this problem?

Yeah, people are also talking about, well, can we rely on AI to help check or audit smart contracts, right, and so on. Well, this is a pretty hot topic, but now more and more developers try to rely on AI to generate the code, to synthesize the code, because it's going to improve productivity a lot. And then you should not rely on at least the same AI technology to audit the code generated by AI. So I will say that code auditing can be much more powerful in the future and much more necessary in the future, because in the future, let's say maybe more than 50% of code is generated by AI or, you know, generated with the help of AI. Then we need to make sure that these codes are indeed trustworthy, that there are no backdoors and so on.

Yeah. And we could assume that people are using AI to try to find weaknesses and exploit them as well.

Yeah.

All right. Thanks so much for that. That was CertiK CEO and co-founder Rao.
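The interview's core lesson is that correct contract source can still compile to vulnerable bytecode when the toolchain itself is affected, so a defender wants to know which compiler versions a contract's pragma still admits. The following is an added example, not code from CoinDesk, CertiK or the Vyper project: it parses a Vyper version pragma (exact pin, caret range, or comparator list) and reports any affected compiler version the pragma would allow a build to resolve to. The affected-version list is a constructed placeholder, not the real advisory list.

```python
import re

# Constructed placeholder list for this example; in practice take the affected
# versions from the Vyper security advisory, never from memory.
AFFECTED_VERSIONS = ("0.8.5", "0.8.6", "0.9.0")

# Matches "# @version 0.8.6" and "# pragma version >=0.8.6, <0.9.0" at line start.
PRAGMA_RE = re.compile(r"^\s*#\s*(?:@version|pragma\s+version)\s+(.+?)\s*$", re.M)


def _parse(text):
    """'0.8.6' -> (0, 8, 6) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def _satisfies(version, spec):
    """True if `version` (a tuple) is admitted by a comma-separated pragma spec."""
    for clause in spec.split(","):
        clause = clause.strip()
        if clause.startswith("^"):
            low = _parse(clause[1:])
            # Caret: no breaking change. For 0.x releases the minor is fixed.
            fixed = 2 if low[0] == 0 else 1
            ok = version[:fixed] == low[:fixed] and version >= low
        else:
            m = re.fullmatch(r"(>=|<=|==|>|<)?\s*([0-9.]+)", clause)
            if not m:
                raise ValueError(f"unsupported pragma clause: {clause!r}")
            op, target = m.group(1) or "==", _parse(m.group(2))
            ok = {"==": version == target, ">=": version >= target,
                  "<=": version <= target, ">": version > target,
                  "<": version < target}[op]
        if not ok:
            return False
    return True


def admitted_affected_versions(source, affected=AFFECTED_VERSIONS):
    """Return the affected compiler versions a contract's pragma still allows.

    None means the contract has no version pragma at all, so the bytecode
    depends entirely on whichever compiler happens to be installed.
    """
    match = PRAGMA_RE.search(source)
    if match is None:
        return None
    return sorted((v for v in affected if _satisfies(_parse(v), match.group(1))), key=_parse)


if __name__ == "__main__":
    # Constructed sample contract header, not code from any real protocol.
    sample = "# @version ^0.8.0\n\nbalance: public(uint256)\n"
    print(admitted_affected_versions(sample))  # ['0.8.5', '0.8.6']
```

A non-empty result means the build could silently pick an affected compiler; a None result means the contract is not pinned at all, which is the "user never pressed update" situation the interview describes.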
