- 0:00 Introduction.
- 3:06 What is Halborn?
- 5:15 What is the process for a code audit?
- 8:07 What are the challenges of building good relationships with customers?
- 10:20 Is technology growing too fast for security?
- 12:37 How many people are needed to audit the code and the economic model?
- 15:00 What are some of the most common security concerns that Halborn sees?
- 18:40 What do Solidity devs have to rely on that someone 3-4 years ago could not rely on?
- 23:07 Discussion on general security and attack vectors.
- 28:27 Is it a concern that there is no "help desk" with DeFi / general crypto?
- 32:04 Where is the balance between speed and security?
- 34:54 Is there a master list of top things to look for when doing an audit?
- 38:53 Should the Ethereum Foundation provide a best practices guide?
- 46:49 What is Seraph?
- 53:57 Closing thoughts.
- Recordings
- Notes
- What is Halborn?
- What is the process for a code audit?
- What are the challenges of building good relationships with customers?
- Is technology growing too fast for security?
- How many people are needed to audit the code and the economic model?
- What are some of the most common security concerns that Halborn sees?
- What do Solidity devs have to rely on that someone 3-4 years ago could not rely on?
- Discussion on general security and attack vectors.
- Where is the balance between speed and security?
- Is there a master list of top things to look for when doing an audit?
- Should the Ethereum Foundation provide a best practices guide?
- What is Seraph?
- Transcript
Recordings
Notes
What is Halborn?
- A cyber security firm and tool developer committed to ethical hacking and offensive security.
- Been securing smart contracts for about 3 years.
- Have about 100 engineers that focus on different protocols.
What is the process for a code audit?
- Like to be thorough and stress quality over quantity.
- Build partnerships that are long term and learn with the teams and understand what they’re developing.
- Set up a month to month service cadence rather than a one time quick audit.
- Provide reports back and help the team understand the findings; after the team has made the fixes, Halborn retests and prepares them for launch or upgrade.
What are the challenges of building good relationships with customers?
- Keeping up with the diverse and dynamic environment of smart contracts, blockchain and Web3. Everything moves and advances so fast with innovation.
Is technology growing too fast for security?
- Sometimes you don’t stop to think about whether you should do something, whether you should go live right away, or what the long-term effects will be.
- A lot of big vulnerabilities don’t even come from your own code, but elsewhere in the ecosystem, such as flash loan attacks or economic attacks.
How many people are needed to audit the code and the economic model?
- Depends on the complexity of the code.
- Like to have a language expert and a protocol expert.
- If it is extremely complicated, they’ll have quite a few people collaborating on it together.
What are some of the most common security concerns that Halborn sees?
- Access to liquidity and the centralization of that access, such as in the case of emergency withdrawal functions that can be executed by just a multi-sig or single key.
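As an added illustration of the concern in this note (not code from Halborn, Beanstalk or the podcast), the first contract below shows the single-key emergency withdrawal pattern described above, and the second a hardened variant in which the emergency role can only pause while moving funds requires a governance-queued, time-delayed action. All contract, role and function names are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.19;

// Minimal ERC-20 surface needed by the examples.
interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
    function balanceOf(address account) external view returns (uint256);
}

/// Constructed example of the pattern the note warns about: one EOA or multisig
/// can drain the whole vault at any moment with no delay and no public notice.
contract VaultCentralizedExit {
    IERC20 public immutable token;
    address public owner;

    constructor(IERC20 _token) {
        token = _token;
        owner = msg.sender;
    }

    /// "Emergency withdrawal": a single stolen key or a rogue insider empties all liquidity.
    function emergencyWithdraw(address to) external {
        require(msg.sender == owner, "not owner");
        token.transfer(to, token.balanceOf(address(this)));
    }
}

/// Hardened variant (hypothetical design): the guardian key can only pause, which limits
/// damage but moves no funds; withdrawals must be queued by governance and wait out a
/// public delay, so a compromised key cannot drain liquidity in a single transaction.
contract VaultDelayedExit {
    IERC20 public immutable token;
    address public immutable guardian;   // key/multisig allowed to pause, nothing else
    address public immutable governance; // DAO executor allowed to queue and execute
    uint256 public constant DELAY = 2 days;

    bool public paused; // user-facing entry points (deposit, swap, ...) would require(!paused)
    mapping(bytes32 => uint256) public readyAt; // action id => earliest execution timestamp

    event Paused(address indexed by);
    event WithdrawalQueued(bytes32 indexed id, address to, uint256 amount, uint256 readyAt);
    event WithdrawalExecuted(bytes32 indexed id, address to, uint256 amount);

    constructor(IERC20 _token, address _guardian, address _governance) {
        token = _token;
        guardian = _guardian;
        governance = _governance;
    }

    /// Emergency response: stop new activity. Deliberately cannot move tokens.
    function pause() external {
        require(msg.sender == guardian, "not guardian");
        paused = true;
        emit Paused(msg.sender);
    }

    /// Step 1: governance announces an intended transfer; the event gives users DELAY to react.
    function queueWithdrawal(address to, uint256 amount, uint256 nonce) external returns (bytes32 id) {
        require(msg.sender == governance, "not governance");
        id = keccak256(abi.encode(to, amount, nonce));
        require(readyAt[id] == 0, "already queued");
        readyAt[id] = block.timestamp + DELAY;
        emit WithdrawalQueued(id, to, amount, readyAt[id]);
    }

    /// Step 2: only the exact queued (to, amount, nonce) tuple can execute, and only after the delay.
    function executeWithdrawal(address to, uint256 amount, uint256 nonce) external {
        require(msg.sender == governance, "not governance");
        bytes32 id = keccak256(abi.encode(to, amount, nonce));
        uint256 t = readyAt[id];
        require(t != 0 && block.timestamp >= t, "not ready");
        delete readyAt[id]; // one-shot: the same action cannot be replayed
        require(token.transfer(to, amount), "transfer failed");
        emit WithdrawalExecuted(id, to, amount);
    }
}
```

During an audit the question to ask of the first pattern is exactly the one in the note: which single address can call it, and what stops that address from being used unexpectedly.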
What do Solidity devs have to rely on that someone 3-4 years ago could not rely on?
- We have the experience gained from all the previous exploits.
Discussion on general security and attack vectors.
- People are often the weakest link when it comes to security.
Where is the balance between speed and security?
- It’s a matter of risk appetite. It depends on each team evaluating risk and reward.
Is there a master list of top things to look for when doing an audit?
- The pace of innovation is so fast that things are constantly evolving. Best practices are changing frequently with the addition of new protocols and languages. Hard to have a single source of top things to look for when the landscape changes so fast.
- Best thing to do is look at previous audits and study hacks that have happened.
Should the Ethereum Foundation provide a best practices guide?
- It should be done as a partnership with security experts from outside organizations.
- Best case would be for them to give standards on how to code Ethereum contracts to spec and have teams find vulnerabilities and provide a security spec.
What is Seraph?
- A tool that allows for preventative security while maintaining a sense of decentralization.
- Acts as a notary to protect certain critical functions from unexpected use. Rejects unexpected transactions.
Transcript
[Music] Welcome to The Beanpod, a podcast about decentralized finance and the Beanstalk protocol. I'm your host, Rex. Before we get started, we always want to remind everyone that on this podcast we are very optimistic about decentralized finance in general and Beanstalk in particular. With that being said, three things. First, always do your own research before you invest in anything, especially what we talk about here on the show. Second, while you're doing that research, try to find as many well-developed opposing viewpoints as possible to get the best overall picture. And third, never, ever invest money that you can't afford to lose, or at least be without for a while. And with that, on with the show. [Music]

At its best, a decentralized world is one where people are free to explore and build without the hassle or threat of intermediaries. It's one where you can develop ingenious products and services without the roadblocks of government regulation or entrenched legacy competition. It's also one where you can grow wealth regardless of who you are, where you come from, or what you look like. Unfortunately, decentralization is not always at its best, and one of the risks is that the safety nets that protect many traditional organizations just aren't in place. "Not your keys, not your crypto" is a pithy truism, but losing a cold storage device is a genuinely frightening possibility with essentially no recourse. And while clicking a dangerous link in the traditional web space could cost you your Facebook profile, clicking a dangerous link in DeFi could cost you your fortune. In the days since Beanstalk's exploit, security has dominated our conversations. Code vulnerabilities, social engineering, and of course governance attacks have been discussed, argued over, addressed, and resurrected to start the cycle all over again, all in the name of making the protocol as invulnerable as possible. But with that has also come the understanding that we can't do it alone. Trusted partners providing audits have laid cold eyes on the project that will, in the end, result in a safer ecosystem. Beanstalk has undergone three audits to date, with the two most recent ones finishing up just this last week. One of those audits was performed by Halborn, a firm committed to ethical hacking and offensive security, and for this episode Mod, Publius and I are lucky enough to sit down with one of Halborn's co-founders, Steven Walbroehl. Steven has more than 20 years of experience in cyber security, and it's a pleasure to have him share some of that knowledge with us. Steven, welcome to the podcast. Great to have you.

Thank you. How you doing? Glad to be here.

Wonderful to have you. Mod, welcome back.

Thank you for having me.

And Publius, good to have you too.

Thank you, Rex, and thank you, Steven, for coming.

All right, Steven, so to kind of kick us off, just tell us about Halborn. What does Halborn do? What services do they provide? Who are your typical clients? Give us a basic overview.

Yeah, so Halborn, we are a cyber security firm and tool developer, and we've been around for about three years now securing smart contracts, but not just that. We consider ourselves end-to-end security. So the background of myself in general is I have about 20 years of cyber security experience, working at everything from IBM to large insurance companies and banks, and then some startups here. So I've taken a lot of the approaches from different areas of security, and I'm trying to provide all of that experience, and the experience of our other auditors and pen testers and developers here, to not just think about the smart contracts but the web apps around it, and securing the people around it, the communities, with security awareness and training, doing infrastructure tests. And when it really comes down to it, it's all brand new, and security vulnerabilities, there's zero days or new ones every day. And I want to see the space in general thrive and have a lot of success, because I believe in decentralization and self-custody and transparency. So doing security for all of the different communities and developers and protocols and projects is kind of doing the part here. And so, how we're now where we are: we have about 100 engineers that focus on different protocols and help work with teams like Beanstalk to audit, check the code, and secure all of their assets, so that people's money stays safe that are investing in it and the protocols can continue to develop secure solutions.

Excellent. So you mentioned the audit for Beanstalk, and definitely appreciative of that, and we've just gotten a chance to read through the final report. Could you talk us through the basic process that Halborn takes? Obviously a lot of individuals working for a lot of different clients, but what's your basic process for providing audit services?

Yeah, for sure. So one thing, I know that Beanstalk also has audits from Trail of Bits, and they had just done one as well, which is fantastic. They're a great team, and it's always good to have multiple auditors look at things too. And our audit process in general, for Halborn in particular, is we like to be very thorough. We care about quality over quantity of audits. So first we partner with the people that we want to do audits with, on ones that actually care about security themselves. And there's a lot of different developers out there, and if you're listening to this, it's not a good thing to kind of rush the security aspect of it all, because especially on complicated protocols, complexity is the enemy of security, and it requires a really, really deep understanding of what's going on with the smart contracts. So the way that we work is to build partnerships that are long term and learn with the teams, understand what they're developing, and really set up a month-to-month type service cadence rather than just a one-time quick audit and then "here's your report." That way, month to month we can provide that whole security around all aspects of it, make sure it functions correctly, and we look at the logical, business logic aspect of the smart contracts, not just a quick scan. And so we work very, very direct with the developers and the engineers' side of it. As part of our audit process, we'll give engineers that are familiar with the language itself or the platform itself, like Solidity or EVM, and we also have teams that do Rust and Solana, or CosmWasm. But when you get the engineers that's focused on that language, they understand it much better, they get better quality, and actually faster speed too, because they don't have to learn something over and over again. So that's really how we do it. And then we provide the reports back, help them understand the findings, some test scripts, and then after they've made the fixes and implemented them, we'll retest it and prepare them for a launch or an upgrade onto the mainnet.

That seems like a really important aspect. You hit on it just a second ago, that idea of essentially building a relationship with a client, especially one that is evolving or consistently developing, that's moved beyond this idea of having a single product or platform but is in a continuous evolution, adding new products or services. What are some of the challenges about building those relationships that are ongoing?

Yeah, the biggest challenges for building the relationships ongoing. I used to say it would be just the remote distance, we're not really collaborative working together. I don't think that's the case anymore. I think that in Web3, especially with DAOs and remote teams all over the world, you're getting great talent. We are a very distributed team as well, all over Europe and even some parts of Africa, and we have a couple engineers and myself in Miami. So now the challenge really, besides the technical parts of it, is keeping up with the diverse and dynamic environment of this smart contract, blockchain and Web3 world. I've never seen, in all my experience, something move and advance so fast with innovation. I think a couple years in crypto and blockchain tech is more than 10 years in normal Web2. So just understanding all that and keeping up with it is the biggest challenge, and luckily, when you have a team that really loves what they do and cares and shares that knowledge, in the essence of open source and transparency, it makes it a lot easier. And it's also the reason why we do this long-term relationship building, because then our knowledge grows along with the protocol and the teams that are continually evolving it and pushing it.

You ever worry that the technological developments are too fast for the security components to keep up with? The old colloquialism that I hear is being out over the tips of your skis. Are we in an environment where development's happening so fast that security might be lagging too much for your comfort?

So, have any of you guys seen the movie Jurassic Park, the original one?

Yeah. Yes, absolutely. Yeah.

Okay, there's a really good quote from that movie that relates to what you're saying. Ian Malcolm, he's the guy in there that we all know, he has a quote, he says, "Your scientists were so concerned with whether they could do it that they didn't stop to think if they should." I'm paraphrasing, it might be a little bit different, but that's kind of what you mean here: we're moving so fast because we know what we can build and we want to build it and we're pushing it out there, but sometimes we're not thinking, well, should we be doing this, and should we be going live right away, should we add this feature to it, what's the long-term effects with it? Because with blockchain, we're all connected to the same chain and this is all very composable. A lot of the big vulnerabilities that happen aren't just coming from your own code; there's environmental issues that come up, like flash loan attacks and economic type of attacks, and there's impact that can be shared with others as well. So when you are doing security, that's why you want to take time with it and not kind of brush it and push it out. And some of that stuff, yes, that does scare me, because you have to think big picture with everything that you're doing.

Steven, you've mentioned the scope of an audit that covers different aspects of it, including the economics of a protocol. Do you typically find one person knowledgeable enough to check the code and the economics of it, or do you find the team being split into different parts, different specialties?

Really good question. This is something that, I would say, it depends on the complexity of the code. We always pair up and have multiple people work on it, and inside Halborn our engineers, there are different levels of them. We have our more senior engineers that have multiple languages or multiple protocols, and some understand DeFi, some of them understand more NFT type of security issues. And the way that we do it is we like to have a language expert and a protocol expert for whatever it is that we're going to audit. The language expert will be somebody that's very experienced in Rust or Golang or Solidity, and they're looking at the code flaws, kind of from a static side of it, any issues around how the Solidity was developed, reentrancy type of attacks or whatever, if you want to get specific. And then another one coming to look at the protocol, like the purpose, and looking in particular, as for Beanstalk, at anything around yield farming or anything around decentralized autonomous organizations, or DAOs, and proposals. These are all functionalities that don't really matter about the code; a DAO can work like a DAO whether it's written in Solidity or Vyper or Rust. So that's the way we do it. Some people do know both, but then again it's all based on experience, and having more eyes on it definitely helps. So it's a long way of saying that yes, we like to have multiple people, and if it's an extremely complicated audit, we'll have quite a few on there and they all kind of collaborate together.

So what are some of the common security concerns that your team sees? Obviously it sounds like you've got teams that are working in a lot of different spaces. Let's say with protocols like Beanstalk, decentralized finance protocols, to put a little bit more of a box around it, what are some of the more common security concerns that your teams see in that space?

So the most common ones in the space of DeFi is access to liquidity, and kind of centralization of that. If you have a large vault or something that's holding a lot of tokens, like a liquidity pool, it's obviously a target; it's like a bank in itself. Bridges are one aspect of that too. But when you have that, thinking about the ways to access that: if there is just a multi-sig wallet for some reason, or a single key, that can withdraw this or transfer this, that's the common problem that would be the worst, and we've seen it before, where you have the emergency withdrawal function, is what I call it. It's like, hey, this is supposed to be decentralized, why can just one address or one multisig wallet withdraw all the liquidity? You can't even do that kind of stuff in a centralized bank. And so that's the kind of thing. But then if we're working with them and we see something like that, then it's the awkward conversation of, oh well, we found this issue, and they're like, it's not an issue, it's supposed to be there. It's like, oh, okay, that's awkward. It's not a bug, it's a feature, right? So that's the common thing we saw for a while, seeing that quite often. We have a solution called Seraph that we've developed that lives in the smart contract itself natively and kind of provides a way to at least add another layer of protection around that, among other functions too. So now it's another third party to decentralize that functionality, because we do understand sometimes it is necessary for some reason, if in emergencies or you're getting hacked. So now it's something that keeps the spirit of decentralization and non-custodial access, something that is also native and transparent on chain, but will provide a layer of protection around the worst-case scenario of a breach or insider threat or a loss of a private key. So that's the most common issue we see, and hopefully this is becoming better and better as far as practices that we see coming out, because really the only thing that's been there is to completely revoke your ownership of it and access, and leave it up to the DAO or multi-sig. Which, multisig is not security; it could be my Firefox browser and my Chrome browser MetaMask wallet, so who knows. But yeah, that would be it.

So I want to ask this question of Publius, from the Beanstalk development side. How do you feel like the evolution of security, or let's say common knowledge or experience around security approaches or features, from a development side, how do you feel like that has evolved? What do you feel like you have to lean on on the dev side that somebody in your shoes three, four, five years ago might not have had the ability to lean on?

So over the past few years, there have been numerous exploits and hacks throughout all of DeFi and the Web3 ecosystem, and the one saving grace today is that we have that experience to kind of learn from. When we're going through the smart contracts, we can refer back to the majority of the large DeFi exploits and see what caused them. Even a couple years ago, this whole idea of flash-loan-resistant oracles was something that was still new. Even in the exploit that occurred to us several months ago, it was a flash loan exploit. And something Steven mentioned earlier, reentrancy attacks, that's something that we didn't know too much about years ago, but now we have the history of Web3 to kind of guide us and show us what pitfalls and traps we need to look out for as we're developing. And that's one of the saving graces of kind of the Web3 open source ethos, where DeFi and blockchain is all kind of one large experiment where we're all kind of building on each other's trials and failures and successes, and learning what works and what doesn't work. Unfortunately that comes at a large cost sometimes, but at least today we're much more aware of the large-scale attacks that can occur on DeFi protocols, and we're all learning, especially the oracle problem, a tremendous problem of what is price, how do you calculate price, and how can you have a non-manipulative price while it also being an honest price. It's not an easy challenge, and we're all kind of working together collectively as a Web3 community to try to figure out what the best solution to all these types of attacks are.

That's fantastic. Respect. And I like what you're saying about the oracle problem too, because what is price and what is value? What's your peg? And they're even extending beyond that with oracles, and that problem too is all about, what is the source of authority in a decentralized thing? Is it the CoinGecko price API? Well, now you have something that can control price even with an oracle. So how do you distribute that authority? And if it's not price, let's just say you're doing NFTs or something, and all right, here's my art and I put it out here, this is the original art and it's supposed to be proof of authenticity, but what is the real one? What if I make a smart contract that mints the same art you have? Okay, so who's the original artist, me or you? And now it's essentially who has the blue check mark on that art. So it's all back to authoritative source, and what is one. So I think a good part of DAOs and governance would be a community-based way to decide what is the price and what is the source of authority, what is the point of authenticity as well, on blockchain.

It's really interesting, the projects that are out there. We actually just had a conversation with Teller protocol, a decentralized oracle, and I had never thought about this exact problem that you guys are discussing. I'm admittedly, full transparency, I'm not a dev; this is not my area of expertise, my knowledge lies far away from here. This is very interesting to me, but I'm still learning. And so to have that conversation about what is value, who establishes what value actually is, can you trust, just like you said, Steven, the price feed from CoinGecko, and is there a better way to do that, is there a more reliable or more censorship-resistant way? I feel like that does feed a lot back into these questions of security that really aren't code driven, it seems like. And again, this is someone without technical experience speaking, but it seems like there's a lot of passion around making sure that code is carefully crafted and that vulnerabilities are quickly exposed. It seems like a lot more of these attack vectors are far more driven by social aspects or questions of data source rather than, hey, there's an incorrect value in someone's lines somewhere.

People are the weakest link.

Yeah, people are the weakest link, usually, in any, not just blockchain security, normal security too. Some of the biggest incidents happen from somebody getting tricked. Even still today, where you have a liquidity pool or ICO, completely decentralized, perfectly coded contract set, and they do an initial token offering, and somebody scrapes the Telegram or Discord group and sends them to a fake one, and they mint a fake coin looking just like yours, and they put their money into it and then they end up draining it, because of tricking the community, or just convincing them. And that's kind of preying on the masses, all the way to somebody clicking the link and getting a private key or mnemonic phrase or something. So yeah, people are always the link, which is why we focus on edu...

It is funny, as I hear you and Publius talk, and Mod talk, it makes me think of the basic cyber security training that folks go through in their IRL jobs, where it's like, if you get an email from your boss that says that they're stranded in New York City and need you to send them your credit card number so they can get an Uber home, notice that that might potentially be an attack. And it's interesting, and I'll say sad, not in the sense of... I feel bad when I hear about attacks that happened because someone clicked a link at Discord. I mean, that breaks my heart.

Yeah, it comes down to, I think, higher level, big picture looking at it. When you think of the purpose of DeFi, and you think of the purpose of even Bitcoin, back to the grandfather, it's about you are the bank, self-custody, and it comes with responsibility. So you're giving up all your keys, or the custody of assets that you would normally give to somebody else to hold and secure, is now on you, so you're responsible for it. And we all know that it's "not your keys, not your coins." So it's all between custody and non-custody. You click that link, you're gonna get impacted and you're gonna lose your keys, or the keys of whatever project you're developing for. And before, a company, if it's your bank, for Wells Fargo, usually they have monitoring and they have two-factor set up and all that stuff too, and you can call to get a password reset. I just got a fraud detection call from Wells Fargo on a wire transfer I made to buy something, and they're watching all the time. It's centralized; there's an overseer for that to make sure that you don't mess up yourself. So that's the good and bad part, depending on how you look at it. I understand security. I like self-custody and I like being the bank, which is what attracted me to Bitcoin in the beginning, but I would not recommend a cold storage wallet or DeFi for my granddad. He should have it inside of a bank instead, because he's gonna lose it.

Yeah, it's funny. So actually we have a lot of these conversations on the community side, and what we talk about, I'll use Beanstalk as an example because it's the example we love to use. We want Beanstalk eventually to be a place where non-DeFi natives can use these tools successfully and be able to interact with the protocol successfully, use Beans, use the Field and the Silo, and take advantage of all that that has to offer. But I do feel like there are some fundamental things that we wrestle with, right around exactly what you're saying. If I want my parents to buy Pods, I've got to get them set up with a wallet on MetaMask or a cold storage wallet or something, and explain to them that, hey, here's your passphrase, here's, if you're using a cold storage wallet, here's your code to get into your wallet, here's your emergency phrase; if you lose those things you're SOL, there's no help desk. And I can see how there would be some apprehension, especially folks that are used to using centralized systems where if something happens I've got a desk I can call. I mean, do you feel like that will be a limiting factor, or is that more just a process of newer generations are going to be more comfortable using things like wallets that don't necessarily have some type of centralized safe haven?

Yeah, I mean, this is why we have Bitcoin, then we have the Coinbases and the centralized exchanges. But what's the difference is, back to the old system, somebody is holding it there. Now you have to trust that system to secure it for you. So it's just a different asset; instead of US dollars it's BTC, or Bean, for whatever exchange it is. But it's also like, what's your purpose for it? If you just want to hold on to it for speculative investing or just to trade, then it's okay to do that. You're never really owning it, you're just swapping and trading on a web server somewhere, and so that's fine, that's okay. But if you're about self-custody, ownership or transparency, I want to know, with DeFi, when I place my funds inside of a yield farm to get something and earning this extra value, then what exactly, where are those funds going, and what is locked in? Because you don't know. Look at what just happened with Celsius: all those people put their money in there expecting one thing, and it wasn't being done for that; it was being used somewhere else. So it's not transparent. So it's all like, what is your purpose for this, and I think that it's a case-by-case basis depending on the individual and the results or the reasons that drew them to this whole ecosystem.

Steven, I wanted to go back to a comment that you said earlier, which is about complexity and not to sacrifice security for speed. This is something that we seem to have discussions about as well, and you see it commonly being, no audits, let's move as fast as we can, and then you have a different group that would be like, one audit is not enough, let's have multiple audits. Where is the balance that you think is the one that makes sense?

So it's all about risk appetite of the teams. I can't condone or say everybody's right or wrong on the approach for it, but different development teams have different risk appetite for it. Perhaps the risk is not as good as the possible reward of moving fast without an audit and going live, but the risk is great doing something like that. And the reason why is you don't get too many chances on blockchain. When it's on blockchain, it's there, it's immutable. I mean, there's proxy contracts and stuff, of course, but basically it's on there, and when funds are gone, it can't be reversed unless you're gonna fork Ethereum or something. So you have less chances, and reputation is of course at stake too. So that's it; it's just, what's the risk appetite? Do you want to take that risk? I recommend not, because this is complicated, the more complex your platform is. And with Beanstalk, you guys are complex too. You make it very fun and convenient to understand these things, but with having sprouts in the farms and doing the different seasons that come in, I think it's a really creative way to apply DeFi investment to that. But the code itself is complicated, so doing multiple audits is giving yourself insurance in a way: you have preventative insurance before it happens rather than insurance after it happens. I would say it's whatever risk appetite a team has to make that call; it's not wrong or right one way or the other. My take is I've seen too much code and know that we find a vulnerability almost every single
time so i would say definitely go on the risk risk adverse uh side of it so to that point steven like and it was something i was thinking about as publius was talking earlier too is is there like is there like a resource like a master resource somewhere that where if you've got a team working on a again let's say a d5 project they're stepping into this situation where they may have a language expert and they've got someone that becomes a protocol expert or is a protocol expert but are they looking at like is there like a github resource or a document somewhere you know either internal or external that gives your teams like the you know the top 50 things that they should be looking for like you know the gives them a basis to drive what they're looking at in an audit so a uh like a best practices or um kind of like the security standards for it that's actually you know something that um where we've been working on that and it's evolution and because of the the pace you know i mentioned earlier how fast this space moves and how much innovation there is all that innovation comes with new vulnerabilities and new approaches so uh published mentioned like yeah the reentrancy attacks that was like you know a zero day nobody had seen that type of you know type of a hack um back you know five years ago now it's like almost uh something to always look for and it's it's easy to spot but you know there's different vulnerability classifications and categories come out all the time and then all then a new platform comes out and a new protocol comes out and a new but layer one comes out with a brand new language so all of that is you know starts over again so the single source doesn't really exist i think it's spread out and it's very detailed and a lot of nuance depending on what you're doing so with code uh you know that just the way that we approach audits ourself with a code expert and a logical protocol expert there should be different best practices uh you know a list built 
on you know rust based blockchain vulnerabilities and then best practices around that solidity based you know vulnerabilities and there is a good list for that that um consensus has put together you know best practices around each code so that one's pretty matured um but then the protocol stuff is one of the top vulnerabilities to look out for for uh you know stable points or for automated market makers that those do not exist and i think that's always being developed and more things are looking out for so the best way to do it now just so i can you know give knowledge on what to do is to you know look at previous audits study hacks that have happened and um why how born like us and other security auditors add value is you're getting experience from economies of scale we get exposure and we're looking all day at different types of vulnerabilities across different protocols different languages and all of that experience and insight is kind of captured in one you know one place you know with uh with a security team to help um to find things maybe you would wouldn't have realized are actual issues or um you know best standards for coding or something or think you know kind of gotchas and all of that so the you get that experience and and we are working on compiling you know issues itself um so through study of previous audits and audit reports and um cataloging like a data think of it like a d5 vulnerability database is you know something that is in development so question for for you steven and publius do you feel like that is the realm or should be the realm of like the ethereum foundation to help provide best practice documents like security information or do you think that that's maybe outside of what their purview should be you know it's hard not to when you think about things like best practices i come from traditional industry where really every industry has some type of governing body that says hey if you're gonna do this thing here's a list of best practices 
things you should look out for things that are absolutely wrong i mean is that is that the place for like an ethereum foundation or is that maybe too much centralization traditional security they have third parties that are providing best practices as security researchers so web applications they have owasp um there's also nist you know the that creates standards and practices um and the those iso is another one you know for policies and administration so iso 22702 standard you know is a framework for securing an organization so they're usually independent third parties that will be adopted by uh the platforms themselves so microsoft you know if we compare them to like ethereum foundation microsoft windows has tons of vulnerabilities but they'll set up their best practices for securing and hardening windows and that's given by an organization like cis sent you know center for information standards and then they uh microsoft will endorse that and say hey harden window systems this way based on these cis practices so i think it's a partnership together with um experts of security and they get adopted by the platforms themselves any additional thoughts about please yeah that was a great answer stephen thank you um you know it it's difficult because this whole kind of you know decentralization thing is you know still pretty new to all of us and you know we're all collectively working together to figure out you know what that really means what that looks like and how do we best exercise it um you know given the decentralized ethos of ethereum you know it's hard to kind of point to the ethereum foundation and say you know they it's up to them to you know make sure that there's best practices and you know all potential vulnerabilities and smart contracts are known and listed by them um you know it's really up to everyone who holds ethereum and to collectively kind of you know make sure that those resources exist and that's kind of where things get difficult though um 
because you know how do you create accountability how do you make sure things exist and you know it's kind of had this unfortunate consequence that it's like you know you know the the kind of you know warnings and protections that you know developers might want to know about um you know don't necessarily exist until it's needed and it's not really needed until the an attack happens or an exploit happens um but you know there's there's plenty of resources out there if you you know do some googling or looking around in you know the ethereum development community about you know here are common attacks and you know i think really you know there's been a few big ones this year and um you know hopefully collectively as a community you know we're all internalizing that and you know definitely making sure to do our due diligence as developers and you know the area i personally feel like it's most important to uh you know push for is you know new developers um you know personally myself when i started you know developing smart contracts um you know i had no idea um you know this scope and vast amount of potential attacks and exploits there were that you know aren't necessarily related to anything you're familiar with um you know going to the flash loan attack um it's something that you know at least from you know my experience is very unique to on chain development and you know is something you would never really expect to even have to worry about until you know about it um so you know trying to figure out the best way to make sure that you know new smart contract developers uh you know are aware of the kind of unique difficulties that come with ethereum development is incredibly important um and you know i think the community overall just you know the ethereum development community has you know done a good job so far and you know kind of making sure checklists ex exist and you know a list of known attacks exist and you know just overall just you know continued awareness 
about um you know what what what these vulnerabilities are and common attacks and um you know overall the you know i think the community has done a great job and we just need to keep you know holding ourselves accountable for making sure that you know the the ethereum community is at large like ethereum at large is uh you know making sure that security is always at the the forefront of you know what we're trying to um you know make people aware of and conscious up yeah good point i think it's just checks and balances you know any any great thing is the checks and balances we even do it ourselves where you know we we look at the security for the code and provide practices to help but we don't ever develop the code for our our clients like we would never uh fix a vulnerability with like a pull request or something into you know the bean stock code um so it's it's a you know the checks balance is for there like then we audit our own code so i think the same applies to like ethereum foundation like they they may i think the best case would be they give standards on how to implement and utilize and code ethereum contracts to spec and security is then provided you know by somebody like a community or security teams to get collectively to find the vulnerabilities and you know provide a security spec to it so that's the checks balance just like a normal government having in america you know the the uh three different uh entities check each other judicial and legislative and uh executive branches keeping it all in balance and the the other thing that goes through my mind and you know i made that comparison between you know let's say cryptocurrency or decentralized finance development and in more traditional industries the other difference there that i didn't mention that that came to mind as as you guys were talking was the idea of proprietary knowledge that is held at a in a different standard in traditional industry you know that proprietary knowledge is is precious 
that's you know that is something that creates a certain amount of secrecy between organizations that we don't see as much in decentralized finance or in in cryptocurrency or you know similar applications web 3 development or whatever because there's so much open source that that isn't common in traditional industries so maybe that's the other the other factor yeah i like open source um you know a lot yeah it's kind of in traditional web too it's like the linux versus windows battle it's like linux open doors windows not open source who's done better in security over time with that that model yeah absolutely so steven i i want to give you a couple minutes to talk about serif we had a great presentation from the team here a couple days ago uh walk us through what serif is the service that it provides etc yeah definitely for sure so um you know a lot of this stuff we talked about today around you know providing security for things but also you know balancing that decentralization aspect of it and you know partnerships and having kind of a oversight ver custody versus non-custody and access and you know this is all you know kind of like the concept that you know us at halbourne um you know had wrestled with for a while and thinking about how do we protect these people um without being you know too centralized uh with a tool something that can protect those um functions so serif um is the concept it's a tool that that sticks by those principles and allows to prevent security while still maintaining a sense of decentralization so preventative is is the key word here most tools have been very reactive monitoring it after it's been hacked or you know doing something that after the fact you know like uh pausing the contract or um you know just having the uh stable coins uh do a blacklist it's all very reactive controls serif is preventative so how does that work is it's um a notary solution that's using a independent third party that has no uh no reason to want to you know 
censor block stop or you know do anything it's an objective um objective security team um you know so hal born is is that team for this product and it's a they're notarizing um transactions on critical functions so i'll use the withdrawal example so you have a withdrawal function serif is a tool that um will be is implemented in the code and with a modifier and it's only exists on um functions that are agreed upon as sensitive and critical and they execute um as expected uh anything that's not uh as expected like a withdrawal that is not planned or going to an address that you know shouldn't be to it'll um you'll be rejected by uh by a notary so how does that work the tool lives in the contract and it's a separate um rpc endpoint so when you submit a transaction to ethereum uh the functions that are covered with serif actually go into a private mempool that the notaries monitor and they can see what the transaction is doing they can look at the call data and they could simulate what the results will be and if those if the result of the transaction or you know the transaction itself is not um as it should be you know that how it was planned by uh by the teams that user so for for this instance let's say beanstalk has a withdrawal and they say you know withdrawals should only be done when you know uh once a month for an upgrade or they have a plan withdrawal you know next year for a time lock release if it doesn't follow that run book then it'll be rejected and it'll never get written to change they're allowed to be executed so um and it works still being decentralized because you know we're following the run books that are implemented and we don't have a key uh to the contract itself like we're not uh multi-signing you know you have access to any liquidity we're not doing anything that gives us a reason to you know to kind of be fraudulent ourselves it's a it's a notarization system it's a separate one um that is there as objective so it can also be considered kind 
of like an ad hoc you know audit a transactional level audit rather than a smart contract level audit so we're auditing every every transaction to find vulnerabilities instead of auditing every smart contract that needs to be then put on maintenance so it's the first preventative system uh for for smart contract functions yeah so it makes me think of the uh the multiple keys for the nuclear launch codes that makes sense you know where you have to have you know you see in the movies you've got you know your two guys that have the the keys and they go up and they have to both turn up at the same time and put their individual codes in before you can you know launch the nukes from your submarine right yeah so that's uh it's very very close to that but we don't have a key to the new codes at all so it's uh you know the team of the nuclear launch code people they can decide to do something uh what if one of those you know what if what if it's a crazy uh you know president that wants to nuke it and he ends up stealing the key of his friend and and sends it off you know or you know think of like the multisig wallets that come out or maybe the three keys for the nuclear launch code they work with the engineer of the launching system to turn it in from three keys to two keys and now those two people end up working together to launch it uh so where we are you know you could think of us as the um you know outside uh objective judicial branch of that we don't have a key um but we can you know kind of uh intercept that that launch um and deactivate it uh you know if it's not following the the rule book set by the original committee of those keys got it so that that run book would be something that'd be pretty important when you're setting up that initial process whatever those functions are in the circumstances under which those functions would take place gets established and anything outside of those parameters automatically draws that flag yeah think about like a firewall on 
the network that's another good comparison you know when you have a firewall there and it's preventing or dropping uh different traffic or you know network transactions saying we know our rule our firewall rule is to block any traffic that goes to this ip address or this port and serif is that firewall that will now stop that transactions from from happening um when if you change your firewall rule set and that's only done by you know working with the teams that are using serif um then then it will be activated then so that that runbook yes is important and it's you know tested and prioritized and worked with the developers in order to make sure there's no surprises all right great so we're we're just over the hour stephen i don't want you want to hold you any longer than i need to certainly appreciate your time i want to give mod and publius both just another chance there's anything on your list to ask no questions from my side no questions on this side either you know just want to thank the you know you stephen and the whole hal born team for um you know doing a great job auditing the beanstalk smart contracts and and you know it was an incredible experience working with you guys and you know we hope to continue working together in the future awesome same here it has been great working with you guys too um happy to be on the show thanks for having me it's an honor and a pleasure i could talk about this stuff all day yeah i love it and i love the project you guys have going on here too so um thanks for inviting me yep thank you so much steven and and mod thank you for joining us and publius thank you as well always a pleasure thank you rex you can find out more about halbourne on their website at halborne.com or on twitter at halborne security [Music] the beam pod is a production of beanstalk farms a decentralized autonomous organization you can find us on twitter instagram medium discord and our home on the web at bean.money you can also find me on twitter at 
rexthebeam and as a final reminder this podcast is not financial advice thanks again for listening [Music]