Transcription Episode 70

Hi everyone and welcome to another episode of Living on Blockchain. Today we are speaking to Hind. Hind is a co-founder of Thesis Defense and she’s a veteran in the security and auditing space.

She basically transitioned from web 2 from operations and project management to web 3 where she’s worked with ConsenSys as well as Least Authority. She started her journey with Thesis as a founder in residence and then ended up co-founding Thesis Defense. So she has seen both sides of creating the product and managing that in web 2 and then moving into security auditing in the web 3 space.

Thesis Defense in their own words are creating a defense security standard. They value integrity, excellence, innovation and evolution and it’s quite an interesting team because they have a 12 member team of veterans in the space who’ve been there, who’ve done that and they would only help your project become more secure and really do well. So I was very excited to have this conversation for more than one reason because Hind being a fellow women entrepreneur and there are so few of them, it was very insightful to get her experience and insights about security audits and security in general in web 3 space and I’m sure this would be very useful for builders and security auditors alike.

I can’t wait for you guys to hear this, let’s deep dive right in. Hi Hind, how are you doing today? I’m doing great, how about you? I’m doing wonderfully well, thank you so much for asking. I’m so glad that you could make the time to speak to me and our listeners today.

Can you tell us a little about yourself and how you got into web 3? Absolutely and it’s my pleasure to be here. A little bit about me, so I grew up in the Middle East for the most part, I studied political science. I had the fortune of falling into the web 2 technical project management space straight out of college.

I eventually transitioned to humanitarian and international development work which is where I was hoping to land initially due to my background but after being a bit disillusioned with the web 2 tech scene in San Francisco followed by the lack of transparency and impact that I felt international development agencies just didn’t have, I stumbled into the world of privacy, security and decentralized tech. So this really seemed like the only logical next step for me especially considering that it married my professional background but also my personal ethos and desire to do something with impact and something that’s meaningful. Absolutely, I think a lot of people who are very passionate about making an impact, decentralization, they kind of fall in this space right in and they fit as well.

So how did you get into Thesis and can you tell us a little more about what you do, your team and you are doing at Thesis? Absolutely, so I’ve been in the crypto security space since early 2018, so I’ve been around for a while. Actually, Thesis used to be an auditing customer of mine. Eventually, I moved on from the company where they were my customer.

I joined ConsenSys but stayed in touch with that team, was very close with the team, have always been very fond of the Thesis mission, vision and values, very much aligned with my own around decentralization and user freedom and security and privacy. So we’ve sort of been courting for a long time, just waiting to sort of find the right position. So I came on as a founder in residence and just sort of happened, the opportunity came about to start something around security and we did.

That sounds like quite a journey and quite wonderful that you started off as an entrepreneur in residence and now you’re actually a co-founder here. So what are you guys doing in terms of security with Thesis Defense? Perhaps a better way to put this question would be, how does the defense security standard differ from existing security benchmarks in blockchain and DeFi space? Yeah, that’s a great question. So first of all, Thesis Defense is about bringing a deeply experienced and tight-knit team together with shared values.

That’s the key thing. And I’ll continue to go back to this point because this is what really drives me and this is what sort of the glue that holds our team together is we all have these shared values due to personal experience. So we really seek decentralization, user freedom, privacy, self-determination.

So we have this shared vision, desire to make decentralization work. And we really believe security has a significant role to play. This is where introducing a robust, transparent and methodical security standard comes in.

So it’s not so much about the defense security standard being different or being unique. However, the defense team is taking the initiative to elevate that standard. And we hope it’ll be a collaborative effort by everyone participating in crypto and the Web3 security space.

So what we’re promoting here is to work collectively to define and adhere to this comprehensive and repeatable standard, but also to hold ourselves and each other accountable to that. For Thesis Defense specifically, our minimum commitment is to adhere and hold ourselves accountable to the methodology and those best practices ourselves. Okay, awesome.

So this is it’s not like any other security audit firm, right? You’re taking a step ahead and being a little more future facing when you’re trying to create like a standard, which perhaps the folks that you’re working with have to agree on to take things forward. Is my understanding correct? Yeah, we’re being extremely intentional about following, you know, elevating, adhering to and being consistent about a standard so that we do our job and we do it well. When there’s no measuring stick in the space, it’s very easy to cut corners and still be rewarded for work because nobody can assess whether or not you’re doing a good job.

So you can be profitable, be successful. The problem with security is that profitability isn’t an indicator of success. That’s not the right metric.

What we should be looking at is the impact the security auditing businesses are having on this space. Have the number of hacks reduced, for example? Has the, you know, dollar amount in hacks and losses been reduced? And so it’s easy, you know, to look at this the wrong way. And so for us, we’re saying the number one priority is that we maintain a quality standard in the work that we’re doing above all else.

And if that means we have to turn down a particular project because we can’t, you know, do our best by reviewing that project, for example, then we will. Okay, that’s wonderful. So can you tell us a little more about your services and how can projects perhaps approach you if they are looking to avail your services? Absolutely.

So, you know, one of the things that’s unique about our team, and there are other teams that embody this as well, that we are a tech agnostic team. That means we don’t focus on a singular ecosystem or a singular technology in the decentralized tech space. So we’re not, you know, just smart contract auditors.

We don’t just work within the Ethereum ecosystem. On the contrary, we have a team that’s incredibly diverse in terms of skills, capabilities, and interests. And this allows us to work on a number of different, you know, language components, technologies, ecosystems.

Ethereum is just one. So, you know, we’re very interested in others like the Avalanche ecosystem, the Mina ecosystem, Ethereum, Stacks, and others. We also audit smart contracts, wallets, browser extensions, bridges, you know, consensus mechanisms.

So we do have quite a diversity in terms of our skills. And in terms of folks who are interested in having conversation with us, they can go to our website, which is forward slash defense. And they can certainly schedule a call there and they can have a conversation with me or they can shoot us an email and we’ll get back to them.

Awesome. This is absolutely brilliant, you know, and especially because there are a lot of security audit firms nowadays, and they’re trying to productize, you know, their services. Is there something that, you know, you guys are looking at as well to productize, you know, what you guys are doing with Thesis? Well, look, I think, you know, there can be value in productizing as long as you’re not undermining the integrity and the quality of your services.

We don’t have, you know, one of our goals isn’t to scale and become this very large security firm. We’re pretty boutique, and we intend on staying. So we really want our quality to be the thing that drives us.

And we don’t want sort of size or scale to diminish the quality of our work. And so, you know, we’re just getting started. And right now, in terms of our services, we offer, you know, security audits.

However, I do think that the future is really going to depend on figuring out new ways and addressing security better. And I think there will be, you know, automation will have a huge role to play with that, especially with the emergence of AI. However, I think this is key, which is, this is not a replacement of the security auditor, and it’s not a replacement of intuitive code review, and that intellectual exercise, which can’t really sort of be replaced by machine learning, but it can be aided by that, right? So if you have a database that can aid you in terms of like, what we’ve learned already, in a really intelligent way that can help us in terms of predicting what might what might come down the road and what we’re working on now.

So, of course, there is ample opportunity for automation, there’s ample opportunity for tooling, we see some ecosystems that are mature, or more mature, rather, in the decentralized tech space and have more security tooling and sort of the attack surface area of certain programming languages are better understood, but there is still so much that is not sort of covered adequately. And so there’s plenty of room here for innovation and opportunity. Absolutely, I think there is something new that is happening in Web3, you know, every day, every minute, almost, and that kind of obviously gives rise to different kinds of security threats that products and platforms do see.

Drawing, you know, from your experience, how can perhaps, like, first, let’s step back, what do you see as the most pressing challenge and vulnerabilities in the current decentralized space? And how is your team addressing them? And then post that, if you could tell me a little about how do you stay ahead of emerging threats and you don’t, of that curve, basically, and continually adapt your security protocols? Because I think this particular answer would actually help some folks who are building in the space as well. Absolutely, yeah. So I think the most pressing challenges in terms of security in the decentralized tech space are twofold, at least on the major level, right? So first, we have a major supply and demand problem in the auditing space.

You know, there are just far more teams seeking security audits than there are teams who can provide them, which results in a lot of auditing businesses popping up without the appropriate skills or experience. This is massively problematic. So those teams are able to succeed and become profitable due to the high demand for auditors, but that doesn’t necessarily make them good at what they do.

So, you know, customers will go to them out of desperation because there is just, the supply is insufficient. And sometimes, you know, customers go to auditors for the wrong reason, and they’re sort of happy with the stamp, but not really, you know, high quality work. So that’s one challenge.

Another challenge is the absence of systems of accountability. We don’t have accountability when it comes to security across the board. There’s no real way to assess whether auditors are doing a good job due to the lack of, you know, broadly agreed upon standards, as we discussed before.

And there’s no accountability for teams who don’t choose to get an audit or get an audit for the wrong reasons or by an inexperienced team. And finally, there’s no accountability for teams who undergo an audit, but then don’t address the issues identified in the audit. So they’re ultimately knowingly putting users at risk.

So, you know, ultimately the industry as a whole and individual users end up paying the price when hacks take place. And users and investors lose funds and the industry loses users and investors. So this is bad for everyone.

It’s sort of like a cycle, right? Hacks happen, users and investors lose funds, the industry loses users and investors. And so it ends up being a disadvantage for everybody involved. And then in terms of, you mentioned staying ahead of emerging threats and adapting.

So here’s the thing. Auditing teams are in an incredibly unique position to have the first look into new and novel protocols and technologies. In addition to becoming familiar with new kinds of vulnerabilities and attack surface areas, you know, we’re looking at the technology for the first time outside of the team that’s developing it before the world gets to see it.

So this means we are in a constant state of learning and adaptation, which is why longevity and experience in terms of being an auditor is incredibly important, right? You build an invaluable knowledge base over time, which then actually enables you in addressing, you know, new technologies, learning them quickly, but also emerging threats that are largely unknown. There’s no way of knowing what you don’t know. You just really have to sort of rely on past experience.

So this is why it’s incredibly integral in terms of being an auditing team. And then hopefully through continuous improvement and evolution of best practices, our understanding of new and emerging technologies, patterns, we’re able to, you know, be better prepared to predict or identify potential attacks. This can also be aided by establishing strategic partnerships with other teams, right? So you can be an expert in one area and they might be an expert in another area.

And this is where collaboration is key. So, you know, we might be able to easily identify a bug in the code that could undermine the integrity of a code base. But if, for example, the code base is extremely complex and particularly vulnerable to economic attacks, it would be good to partner with experts, for example, in token design or crypto economics.

So I think there are lots of ways to go about dealing with, you know, new threats, adapting. This is experience, knowledge, learning, but also a lot of collaboration in the space. Yeah, I think those are the key elements of Web3, you know, having the right experience when building something, you know, and perhaps talking to mentors and advisors, if not your core team members, who have the right experience and then having the kind of integrity as well.

And obviously being open to collaboration, because collaboration is key, considering our ecosystem is still very young. I think that is the only way that, you know, we kind of move forward by taking the best and, you know, helping each other out. Absolutely.

I mean, you know, one could argue, is collaboration sort of, you know, does it stand in the way of teams competing? And I don’t think so. If we’re all committed to making this space a successful one, we really should be working together towards those goals. Absolutely.

I totally wholeheartedly agree. I think this is something that a lot of people, at least a lot of entrepreneurs are starting off with the first product. They seem to believe that, OK, you know, collaboration perhaps is not the key.

And they’re very, you know, they protect their idea and platform very fiercely, which is good. But ultimately, I think because you’re building in Web3, and it is an ecosystem whose inherent values are based on community. So collaboration is always going to be key when you’re building here.

And I do think because the ecosystem is very small, you know, you can reach out to anybody and actually get a response and make them actively involved in what you’re building. Absolutely. I couldn’t agree with you more.

So drawing from your experience and, you know, as in ConsenSys, you were, you had a senior position there as well in ConsenSys Diligence and some other auditing firms. What key lessons have you learned that continue to shape perhaps your approach to security auditing? Yeah, so that’s a great question. Of course, there have been endless learnings, but a couple of things that combined.

I’ve learned that auditing teams need to continue to learn and adapt at a constant clip, like you can’t slow down in the security space. Yeah, yeah. The train has left the station, and it’s not stopping anytime soon.

So the space is constantly changing. And we have to keep up in order to make our contributions count, which, you know, of course, includes adapting to new technologies. But this means, though, that we have to have a pretty high appetite.

And for risk, we have to have a high risk tolerance, which is very ironic, given that we work towards reducing risk in this space. But it’s a must. So auditing teams are really looking at things for the first time.

They’re learning, they’re doing their best. There are no guarantees. But this is, again, this goes back to why experience is so important.

Another learning of mine is, you know, we just talked about this, but it’s worth mentioning again, that collaboration and communication is key to our success as auditors in particular. So much of what we learn about a technology that we’re auditing is derived from both internal team discussions, and discussions with the development teams that are ultimately our customers. So this is especially why I think collaboration across the space and developing an agreed upon standard is particularly important.

So, you know, when we’re all on the same page, when we’re in communication, that’s where the nuances appear. And it’s often, you know, the nuances that lead us to the most critical vulnerabilities. Yeah, absolutely.

I think, you know, you put it in a very succinct and beautiful manner. It’s the nuances that are the key. So, you know, again, going back to LCS, how has the landscape of security auditing evolved over the years? And what do you anticipate any new trends in the future with the whole cycle looming ahead of us? Absolutely.

I think the auditing landscape is dynamic and ever-changing. We’ve gone from just having manual code reviews to a massive diversification and approaches to security. That includes the development of new security tooling, both open source and proprietary, formal verification, bug bounties, and what we all see so much of today is the emergence of contest platforms and marketplaces, right? Yeah.

So the reality is, though, that most ecosystems still remain underserved, and we have a lot of work to do. So we’ll see a lot of those security options for the Ethereum ecosystem, for example, but we still have multiple other ecosystems that remain underserved. So, you know, we all have a role to play here in continuing to expand our services and innovate in terms of security.

In terms of trends, you know, I mentioned this before, worth mentioning again, I think we should expect to see a significant increase in automation with the introduction of AI. So I don’t think it will replace the auditor. On the contrary, it’ll just enhance our ability to reuse previous learnings, information, you know, just having a database and known vulnerabilities to protect, you know, future potential problems.

Absolutely. I think I totally agree. I don’t agree with the nature of, you know, that AI is going to be taking up jobs and whatnot, and they paint a very bad picture.

I think, you know, it’s like internet, right? Garbage in, garbage out. You know, any AI tool that you’re using is as good as the person who’s actually putting in the prompt. And what are you putting in as a prompt, right? So, you know, who’s- What is the information that’s being fed into that database that’s giving you responses to that prompt? This is why we have to be really careful about how we utilize technology.

And that’s always been the case, you know, not just in sort of decentralized tech, in all technology developed in modern society, you know, the way in which you utilize it either leads to your success or it leads to your demise. And so, you know, we have this incredible tool here that we have the opportunity to use in the right way. And I think we just need to be careful that we do so.

Yeah, absolutely. I think it’s a tool that can enhance. And obviously, it can be, if put in, perhaps, not so optimum hands and somebody who’s looking to be a bad fish in the pond, then obviously, it can be dangerous.

But it’s all about the, you know, hand wielding the pen or the sword, right? It depends on who’s using the tool and you can use it to enhance whatever, you know, sector that you’re working in. Like you’ve mentioned how it can perhaps help in security, like, you know, we can pick up from our past experiences from a learned database. And that itself is huge, right? Because human memory, though wonderful, can be limited at times.

And that can be, you know, that can be a bit of a disadvantage. And you know, you are, you have a lot of experience. Yeah.

But you know, you’re perhaps not able to tie it all together. And because of various factors, and I think AI can really significantly help for that. Absolutely.

Human memory is inherently limited. And, you know, we have an opportunity here to utilize it for the right reasons. I completely agree with you.

Yeah. So in terms of, you know, just creating a broader community of developers and users, and perhaps educating them about the importance of security and decentralized technologies, how is Thesis Defense taking on that challenge? Because I do think educating the user and developers is important, because as you said, there are some who would not get, you know, the security audit done, or they will get it done, and they will perhaps not implement, you know, the changes that are being recommended. And then it’s moved, right? That’s that then there was no point in getting the audit done in the first place.

Absolutely. Yeah, this is a great question. Well, first of all, having the opportunity to speak to you today is one of those, you know, approaches to educating the broader communities.

So thank you for having me. You know, I think here’s the tough thing about security audits, and security auditing teams getting the word out. And that is that audit reports are deeply and incredibly complex documents.

And they’re not very user facing, first of all. And second of all, we’re major proponents of open source code, and publishing of audit reports, it’s ultimately at the discretion of our customers and those development teams to publish them and to open their code, we can’t force that. So we can do the audit, we can advise.

But if they keep that information private, it’s completely at their discretion. And so it’s too bad that we can’t sort of rely on, hey, has this code been audited, the audit reports say because most people can’t really consume that information. So it’s really, you know, and of course, auditing teams can’t really dumb down audit reports, or, you know, their technical documents for a reason, because engineering is technical, and the folks receiving them are technical.

And so we can’t, you know, really go about changing that. But I think there are other efforts we can pursue, including, you know, publishing written work and content that’s user facing and community facing and contribute to papers and blog posts and media articles. Also, a major thing is participation in conferences and workshops contributing to public goods like open source projects and tools, and educating our customers as well on how to prepare for audits to maximize the audit and continue to educate and provide feedback on development best practices to the community.

All of these things go a very long way. So there’s a multi-pronged approach to educating the community. And if we all continue to do it, then I think it’ll go a long way.

That’s a wonderful answer. I think you’ve covered most of all the bases that you know, somebody who’s doing perhaps security auditing should be covering when trying to educate the developers and users. So in terms of, you know, in your opinion, what role will security standards play in shaping the future of blockchain and DeFi landscapes, especially in the context of compliance as well that you know, in different jurisdictions, there are different compliance issues.

And what do you think that there is a correlation there? Yeah, I think that standards will play a significant role. Compliance is a tricky word, I’ll try and get to that sort of at the end. But the current state of disorganization isn’t sustainable, and it’s not scalable.

So this is problematic for us, we should all be concerned with this. So, you know, we should look to traditional finance as a point of reference, where there’s an established and methodical approach to conducting audits. And there’s an established and methodical approach to dealing with the gaps identified in audits, including systems of accountability.

Now, in, you know, this is where the compliance bit comes into play, where, you know, the way you deal with that in traditional finance is through regulation. And this is, you know, the word that really scares everybody in this space, because it usually means, you know, getting in the way of us expanding and doing the work that we’re trying to do. This is why it’s so important for us to all work on this together and hold each other accountable, right? To decentralize sort of the compliance component of this is in our collective best interest to develop standards and to adhere to them, and then to set up these systems of accountability in the event that for those who don’t adhere to them without sort of a central authority having to do that for us.

And generally speaking, I think the space needs to become more secure in order for us to appeal to institutional investors and to drive broader adoption. Developing and adhering to a standard and setting up systems of accountability is a step in that direction. Yeah, absolutely.

I think, you know, this is the right step. And I think the more we educate the users and developers that okay, you know, having to adhere to these security standards is imperative, you’re going to be expanding and scaling your platform. You know, I think one of the reasons why founders or early stage founders, they perhaps balk at the idea of getting a security audit done is also the price and the cost associated with it.

You know, do you have any thoughts about that? My thoughts on that, an ounce of prevention is worth a pound of cure. Audits might be, but it’s the wrong place to be cutting corners, especially considering the losses we’re seeing in recent hacks. So if you are, you know, going to compare $100,000 with, in some cases, I mean, last year, the year before we saw $600 million audit, I think, you know, one can be compelled to not cut corners when it comes to security.

And I think it’s important to work with teams that have sort of the right intentions. You know, certainly for us at Thesis Defense, we want to be able to serve teams across the board. And we understand that not all teams are equally funded, and we’re happy and willing to work through sort of the scoping exercise.

So at least we can get started, even in a limited capacity to help teams and to help their security posture. This can also mean starting to work with a security team on a consulting basis during the design stage of your project, as opposed to sort of having this waterfall approach to security, where you finish everything and then have a team look into your code, and then find something in the design, which means you either launch with a flawed design, which is the most likely case, or you have to scrap and start from scratch. So I think there are ways to cut costs.

And that’s by integrating security into the overall lifecycle of your project. And you’re, you know, from design to development to post launch, this should be a living thing. And it should be a consistent thing.

Absolutely. I think what you’ve said is 100% correct. And that is what I tell founders, you know, ask me, what are my views on security auditing, and, you know, perhaps dealing with a security audit company, I tell them the same thing that you might be able to cut corners right now, but then you might have to pay very, very dearly for it in the future.

And that is not where you want to cut costs. You know, you can look at cutting costs elsewhere, and getting perhaps a good firm involved in the design process. And when you’re, when you’re working on your platform, or your MVP is a good step.

And that will also perhaps, you know, help you save some time and money, resources are all in. So I really concur with what you said. So in terms of like, the next big milestone for Thesis Defense, what would you consider that to be? So we’ve just onboarded our team, we’re basically rolling up our sleeves, and we’re ready to go.

So our next big milestone is starting to serve projects across a variety of ecosystems. And we also want to partner with other security firms in this space to start collaborating, and organizing. And so those are the two big things on our horizon is, is to create spaces for collaboration on a number of fronts, and to get to work.

Awesome. And would you like to tell us a little about your team as well? Absolutely. You know, without going into the specifics, our team comes from a very diverse set of backgrounds.

I will say that in terms of our team, every single one of us has previously had the opportunity to work together. So this is sort of a coming back together for many of us, which is really wonderful. And the other thing that’s really special about our team is that everybody has entered the decentralized technology space due to personal reasons, due to be places where they haven’t really had the opportunity to exercise the freedoms and liberties that they would have hoped to, and have, in some cases, been able to leave those places and establish new lives where they can.

And this is sort of their contribution back, that they’ve had that opportunity. And now we want to work towards providing that opportunity to those who are disenfranchised and don’t have those liberties. That’s such a beautiful way of putting it.

I think that is exactly why I got into a decentralized space myself nearly, you know, 10 years back. I think the technology itself and the promise of what it can really achieve in a not so ideal world is something worth fighting for. And it’s something worth building for as well.

So, you know, I couldn’t have put it better. Thank you. So now let’s move on from the serious questions to a few fun questions before we, you know, wrap this up.

If you could share like perhaps a quirky story from your experience in the crypto world, maybe an unexpected challenge or a memorable audit moment or any sort of an amusing encounter, what would it be? Yeah, I have an anecdote. So during my time as the Director of Security Consulting Services at Least Authority, we audited a project called the Atomic Wallet. We identified really serious security vulnerabilities in this wallet, which was live.

So they had already, you know, launched the project. They were having the audit completed post-launch. We identified very serious vulnerabilities.

We, of course, delivered the report. We didn’t really get a response. We then for, you know, several weeks, if not months, followed up to make sure that those vulnerabilities were being addressed to which we were not receiving a response.

And we ultimately relied on a policy of responsible disclosure, which is exactly what it’s like. We’d responsibly disclose to the community not what the vulnerabilities are, because that would put users at risk, of course, if we’re sort of putting the treasure map out there. But we noted in a public disclosure to the community that we had audited this wallet and that we had found very serious security vulnerabilities and that those were not remediated by the Atomic Wallet team.

Of course, there was sort of a public dialogue back. And then unfortunately, a year later, the Atomic Wallet was hacked for nearly $100 million. And so, you know, the anecdote is that as a business, that’s a really difficult decision to release a responsible disclosure.

It puts you in a bit of a precarious position. You’ll have customers who’ll think that’s brave and necessary and others who’ll never want to work with you again, fearing that that might be the next time. But this is demonstrative of the values and living the values and wanting decentralized tech to succeed and wanting users to be secure.

And so we made that hard decision. And unfortunately, you know, that still didn’t compel the team to fix the issues. And, you know, their demise also led to significant losses for users.

And we hope that, you know, the community learns from that lesson. And I think that’s a note worth sharing. Yeah.

No, these are really scary stories, right? You know, there are projects that kind of play with the users’ funds by being a little lax. Like, you know, you’re customer facing, you’re dealing with user funds, and this is somebody’s hard-earned money. And I just, I’m not able to wrap my head around how you can take that responsibility lightly. How can you perhaps not act upon, you know, somebody who’s actually well-intentioned and pointing out what is wrong? At times, I feel that, you know, there might be a disadvantage because they might have a lack of resources, but I don’t think that was the case with Atomic Wallet.

So, you know, it’s just sad when something like this happens. It kind of, as you mentioned earlier, right, it kind of creates a bad experience for the users, obviously, and then it drives out users when we are actually trying to build for more adoption in this space. Exactly.

It’s a disadvantage to us all. Anybody who cares about the space should be infuriated by that. I mean, there is the analytical part, which should be infuriating.

And then there’s the, hey, you know, we’re all trying to make this work. And every single time there’s a big hack like this, it sets back the entire industry. It’s a disadvantage to every single participant in the industry.

And I think, you know, people should take security more seriously than they do now. And we’re seeing the reasons why. Yeah, absolutely.

You know, I can share perhaps some small anecdotes of my own. So, with our startup, it was a group farming and staking protocol called Unifarm. And we had gotten the security audit and everything done.

But somehow, due to some human error, the admin ownership of one smart contract was changed. And it was to another smart contract, which did not know that this particular contract owns it. Like, I won’t get into the technicalities, but the thing is that these were not upgradeable contracts at that point.

And there were user funds amounting to nearly $1.5 million that were stuck in that contract. And they still are to this date. That contract is locked, and we are not able to access those funds.

But because this was something that, you know, we were launching, and this was probably the second or the third cohort or the batch that was, you know, that was live of farming. We actually, as founders, took the onus and responsibility to ensure that all the users got their funds back when they were on staking. It came from our pocket, but we did that because we wanted to do something, you know, to make sure that, you know, the ecosystem doesn’t suffer.

Because that would have been huge at that point. Yeah, that’s absolutely the right thing to do. And I’m really, really glad to hear that.

Yeah, it was obviously, you know, we faced the repercussions in terms of our operations. But, you know, as founders, we just had to take that responsibility that, you know, we screwed up. And now we need to, you know, go out and ensure that the users don’t have a bad experience.

Because otherwise, who would have used our product, you know, after that? Exactly. Yeah, so that was just something that happened several years back, and this was right in the middle, actually, at the beginning of the bull cycle. And so yeah, that was an experience that I share a lot with founders.

And just to give them an idea about the kind of responsibility that, you know, you’re taking on, if you’re really creating a DeFi application, and if you can’t feel that onus, and if you can’t feel that responsibility, then perhaps you shouldn’t be doing that, is my take. I completely agree. And learning from those hard lessons is the right thing.

And it’s the acceptable thing. When you’re not learning from lessons, I think that’s where things become problematic.

Absolutely. You know, then post that, obviously, you know, we created like different SOPs for how, you know, the team kind of codes these contracts, and what is going to prod and what is not. But then again, I think that was another, it was a different era.

Those contracts are not upgradeable. And yeah, if anybody is listening, or if, you know, you can help us in retrieving that $1.5 million. You know, I always share this with the hope that somebody perhaps can help, and we would be a little wiser for it. Well, definitely keep it in mind.

And maybe we can have a more informal discussion about it offline. Yeah, but this is just so that, you know, I can, this is something I share in the hope that builders would really take this responsibility. You know, these are users’ funds, this is hard-earned money for some people, and it’s kind of their entire net worth that they’re putting in.

Because, you know, for whatever reason, maybe perhaps just greed, but you still have that responsibility to make sure that you’re doing right by them. You can’t just, you know, wash your hands of it, just because something went wrong, and say that, okay, now nothing can be done, which is something that we could have done, because this was technically, it wasn’t, you know, we made a mistake, but this was a technical error. And it was not a hack or anything.

And, you know, we could have just said that, okay, it’s locked, and it’s right here. And it is for everybody to see that money is still right there. And, but that is not what we decided to do, because we wanted to make sure that, as an ecosystem, you know, Web3 doesn’t suffer.

Absolutely. Yep, that is absolutely the right thing to do. So if you had to perhaps send like a time capsule, okay, to the crypto community, 10 years down the line into the future, what would be the three items that you’ll include in it? Um, well, I think I would send a hardware wallet, probably with some legacy tokens, probably a great gift.

And it would age well. And then maybe for a laugh, a printout of some tweets from the current times that probably won’t age very well. And, you know, we talked about sort of memory and forgetting and history repeating itself, I think maybe some top 10 lessons of what not to do in terms of security, that might still, you know, 10 years down the line.

Yeah, absolutely. I think it tends to repeat itself. And you know, only people who sort of don’t learn from it are suffering, you know, they tend to, they tend to suffer again, when it does repeat.

So yeah, that is a good answer. Okay, so again, before we wrap this up, I would love to know your personal thoughts about which niche in the Web3 space you think is going to be the front runner in the coming bull run? Oh, I can’t answer that question. I’m sorry, I just, you know, we are tech agnostic.

It’s really important that we offer our services to everybody. I definitely don’t want to come across as favoring. But I do think that there are areas that will expand, and I think they will serve the ecosystem at large and aren’t sort of specific to a single ecosystem, for example, zero knowledge technology.

But in terms of, you know, sort of anything else, I try to, you know, at least at a professional level, not hold strong opinions in any direction. We’re here to serve, we’re here to help everybody. We’re all a niche.

And we’d like to stay sort of objective. Awesome. I tried putting you on the spot.

But you know, you managed to give me a great answer to that as well. So okay, now to my last question, which is something I ask everyone who comes on the show. You know, because you started as a PM in the Web2 space, if you had to give advice to somebody who is perhaps working in the Web2 space and looking to make a leap into Web3, what would be your top two suggestions for them to start living on blockchain? Well, the first thing I would probably ask them or remind them is that, you know, blockchain is not just a technology, it’s a movement, and it’s a set of shared principles and values. And it’s a force for positive change.

And so I would ask them to really think critically about that and think how they can begin to embody those principles and that positive change, which begins with sort of like, just everyday practices and participation in the community. So start to read about blockchain, start to participate in blockchain, immerse yourself in that community, start talking to people who have been in this space for a very long time. And first, before taking any additional steps, determine whether, you know, there is that value alignment, and they’re not sort of in it because, oh my gosh, you know, I might, I might get really rich.

Yeah, do it for the right reasons. Do it for the right reasons. And then, yeah, then my suggestions would be to just to start networking and talking to people and seeing where they could contribute.

I would encourage them to push their own personal boundaries further to see how they can contribute to driving decentralization, to foster inclusion, to uphold these principles that we all hold so dear in this space. I think, you know, like anything in life, opportunities are facilitated really by people more than by experience and a resume. And I think it’s really important to become involved in the community.

And once you become involved in a community, and you contribute to that community, opportunities do just make themselves available. So, not very concrete suggestions, and maybe not very tangible suggestions. But I do think it’s sort of ambiguous, and everybody’s journey looks a little bit different.

But I think the journey is driven by those shared values. And I think those journeys are driven by participation and collaboration. Absolutely.

I think it is, you know, it’s very important that you are aligned with the vision and the thought process that that sector perhaps has. And collaboration, and just sort of reaching out, I think those are, you know, key elements. I always add that, if you are somebody who’s looking to get into Web3, do it for the right reasons, obviously, and also be open to unlearning a lot of things that you know, you might have learned a lot of notions.

But in Web3, everything is very, very dynamic. And you might, you’ll have to be open to perhaps unlearning a few things before you know, you can really move forward and grow in this space. Absolutely.

I couldn’t agree with you more. Awesome. Thank you so much for taking out the time to speak to me today.

Before we wrap this up, any parting thoughts? It’s my pleasure. Thank you for having me. And that’s it.

Thank you so much. Thank you.
