Okay everyone, thank you. Thank you very, very much for having me. I would have been glad to be over there physically, but unfortunately, due to the circumstances, we couldn't manage it. But I'm glad to be here, and good to see you all over there learning more about, and getting more awareness of, Web3 and smart contracts. I was following the conference, and we have been talking a lot about identity and security as well.
So this topic will be focused more on how, as an enterprise, we can get a grip on our security posture, how Web3 and smart contract breaches have happened in the past, and how these case studies can help us avoid them in the future. Overall, my name is Barbara Han. I was going to have a second speaker, but they couldn't attend.
So my name is Barbara Han. I'm the CEO and founder of Security Vault.
I have been doing cybersecurity and audits for different kinds of platforms for the last seven years. I was an active bug bounty hunter and have been acknowledged by a hundred-plus companies. Most of them are based in Silicon Valley, like ad, eBay, Apple, NOK, and Microsoft, for my security disclosures and reporting. So the agenda today will be very simple.
I won't drag you too deep into technicalities; we'll be more focused on helping you understand how Web3 and smart contracts work, and how identity can be brought into the kinds of leaks and breaches that have happened in the past. So we'll go down into the vulnerabilities and exploitations that have happened, the case studies, and we'll learn more about how enterprises can manage or improve their security posture.
Regarding Web 3.0, I'll just explain it briefly.
We had Web 1.0, which was mostly focused on the user, where the user could obtain data but there was no interaction with it. In the current existing one, Web 2.0, we are more interactive within the platforms, our social media and video platforms and such, where the user contributes the data and uploads content on different platforms. But the current scenario, which we are counting on for the future and which is still in the research area, is Web 3.0.
In 3.0 we are not just the data contributors, but we will write our own data, and the solutions, the frameworks, the contracts which we will have with 3.0 will do their own jobs, which will be integrating with the data and AI and different modules.
So Web3, smart contracts, DeFi and dApps are all kinds of decentralized applications, but how do we distinguish these three to four terms, how are they different, and what kind of contributions are they performing in this 3.0 journey?
When we discuss Web3, we have decentralized databases and ledgers, distributed over nodes and available to anyone, while the blockchain is what empowers the network. And dApps are software built on the blockchain.
When we talk about dApps, dApps are the products of Web3. So overall, Web3 is the main hub of all the contracts, and DeFi and the dApps are subsidiaries of Web3. So the whole story comes down to Web3 through the dApps, the smart contracts and DeFi, which we'll be talking about, which are the peer-to-peer applications.
So a simple architecture looks like this for Web 3.0, where we have the wallet software, which was discussed in the previous presentations as well.
And then we have the dApps, the mobile and web applications where most of us as end users interact. But where is the security architecture? That is what we are missing right now. We don't have a 360-degree security posture for this kind of infrastructure when we are talking about Web 3.0. But security has to cover every aspect of Web 3.0: if we talk about the wallet software, we have to have security over there as well; when we talk about the apps, we have to have managed security there; and then we talk about the nodes.
Nodes are the most vulnerable aspect of Web 3.0.
So we don't have a 360-degree overview of the security when we are talking about Web 3.0, but we have to manage it individually. The prospects for Web 3.0 enterprise businesses have really been up and down with the research, and most of them were well managed and quite volatile in this whole thing.
The large portion of these applications, when we're talking about Web 3.0, were mostly focused on finance products: when we are talking about cryptocurrencies, the decentralized applications are mostly finance applications and finance products. Then we came down to NFTs, and now we are talking about the metaverse.
But the most important product, according to me, for such enterprises when we're talking about Web3 is transparency and decentralization, which is what will mostly be used in the enterprise market. On the other hand, in the public market it'll be used for finance products and NFTs, which is kind of being degraded right now, but it's still happening.
The ownership-of-identity factor is still happening through NFTs, which can be helpful in the future.
But right now they're mostly for the public audience, not for the enterprise. For the enterprise we'll be more focused on transparency and decentralization. So when we're talking about enterprise businesses integrating Web3 via dApps and DeFi, we'll be talking about what kind of security risks we have for such businesses.
If we look at the previous attacks which happened on Web3, they were social engineering attacks, which included flash loans, which happened recently as well, and rug pulls most of the time. But most of the time the social engineering attacks were also due to smart contract vulnerabilities.
And the data and economics of the whole perspective of 3.0 would be something we can vouch for in the future, and have focus on when we talk about enterprise businesses and the risk if they are complying with Web3.
So social engineering is, most of the time, what we have seen in the case studies as well; we'll be discussing them in more detail. That was mostly what was being abused when we are talking about enterprise businesses.
When we talk about social engineering attacks and the data and identity anonymity of Web3, we should talk about the attack vectors: how enterprise businesses can be attacked in the Web3 atmosphere. So we have smart contract logic hacks, which depend on analysis of the code and finding logical vulnerabilities in the contracts, in the nodes, in the public node or the private node, or in the wallet section; any kind of logical hack would be happening here.
The issue with these logic hacks is that they are not detected by tools or any kind of framework, as they are logically defined by your mind or the hacker's mind. This gives hackers an advantage over such Web3 platforms or products, because hackers use their own minds. They don't just use tools nowadays.
They have their own set of tools, their own scripts, their own mindset, their own set of attacks, which are mostly logical. So smart contracts are facing a lot of logic hacks, which is mostly what the recent hacks have been.
Secondly, we have flash loan attacks, where recently the ax token was hacked and they lost like 24 million on that platform. And then we have crypto mining, which is mostly done by malware on your computers, which are used as mining machines for mining crypto.
And then we have rug pulls, which are famous nowadays; a lot of cryptocurrency products have had rug pulls. So in 2022, 3 billion were lost.
And we are right now in May of 2023, where in April a hundred million were lost in Web3 projects, the majority of them financial products, which is why Web3 is used in the financial sector: as I mentioned, it's more transparent and decentralized. But we have the risk; we do remember the Poly Network hack, and we have Uranium Finance as well. So a lot of hacks have happened in the past, and they're still happening.
And the reason is that the attack vectors are being diversified, and they are logical.
When we are talking about logic, we cannot beat them with tools. Since we started talking about Web3 we have had a lot of tools in the market, but we are still having a lot of hacks. So why is this still happening? The reason is that the Web3 security tools are not enough, and they are not securing the architecture of the products enough when we're talking about smart contracts and Web3 dApps.
So the case studies: I'll be talking about three very rapidly, so we can move on to how we can improve things.
The first one we'll be talking about is Level Finance, which was hacked and lost almost $1 million. There was a simple logic issue which was not detected by the security architecture they had developed; it was hacked due to a code error where the attacker could claim a repeated epoch rapidly, which was not stopped, and so got a repeated referral bonus, which was claimed due to the epoch.
Simply, these kinds of code issues are built into the code, but they are not tested when we are talking about the logic of the application. Such fixes could be implemented through pre-checks.
Like, when the referral bonus is being claimed, there should be pre-condition checks, which can check whether the referral bonus has already been rewarded once, as the referral bonus is rewarded once a day or once per some timeframe. But in this attack it was repeated again and again, and then the whole condition was drained out: the hacker drained like $1 million due to that attack.
Such issues could be caught through pre-condition checks, which is possible by performing an audit of the code, not by integrating with tools that just do static analysis of the code, which is not focused on the logic of the code.
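As an added example (not the talk's code and not Level Finance's contract), here is a small Python model of a referral-reward claim with and without the pre-condition check described above. The reward table, the epoch numbers and the duplicated input are constructed.

```python
# Added model of a "claim rewards for a list of epochs" function. The vulnerable
# version only consults state from earlier calls and records the epochs after
# computing the payout, so the same epoch repeated inside one call is paid
# several times. The hardened version checks and records each epoch before
# adding its reward. All amounts and epochs below are constructed.

class VulnerableReferral:
    def __init__(self, rewards):
        self.rewards = dict(rewards)   # epoch -> referral reward owed
        self.claimed = set()           # epochs already paid out
        self.paid = 0                  # total paid to the caller so far

    def claim_multiple(self, epochs):
        total = 0
        for epoch in epochs:
            if epoch in self.claimed:  # only catches epochs from earlier calls
                continue
            total += self.rewards.get(epoch, 0)
        self.claimed.update(epochs)    # state updated only after the loop
        self.paid += total
        return total


class HardenedReferral(VulnerableReferral):
    def claim_multiple(self, epochs):
        total = 0
        for epoch in epochs:
            if epoch in self.claimed:  # pre-condition: each epoch claimable once
                raise ValueError(f"epoch {epoch} already claimed")
            self.claimed.add(epoch)    # record the claim before paying it
            total += self.rewards.get(epoch, 0)
        self.paid += total
        return total


# Constructed sample: the caller is owed 100 tokens for epoch 7 and submits
# that epoch five times in a single call.
REWARDS = {7: 100}
DUPLICATED = [7] * 5


def run_vulnerable():
    """Returns the amount the vulnerable contract pays for the duplicated list."""
    return VulnerableReferral(REWARDS).claim_multiple(DUPLICATED)


def run_hardened():
    """Returns what the hardened contract pays: the duplicate is rejected."""
    c = HardenedReferral(REWARDS)
    try:
        c.claim_multiple(DUPLICATED)
    except ValueError:
        pass
    return c.paid


if __name__ == "__main__":
    print("vulnerable paid:", run_vulnerable())
    print("hardened paid:", run_hardened())
```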
In Level Finance we have seen that pre-condition checks are more important when we are talking about Web3 products. Now we are talking about Uranium Finance. Uranium Finance was a recent hack which cost like 50 million; it was one product which was hacked and potentially drained of a lot of money. I have the code of Uranium Finance as well.
In this DeFi project, Uranium was on the Binance Smart Chain; it was hacked and lost 50 million. The problem occurred in the pair contract of the Uranium project, in the function that does this check, and we have seen that the code was copied from Uniswap and they didn't change a few of the functions from Uniswap.
Due to that, you are seeing code on your screen right now where we are comparing both.
In the first section we are seeing 10,000 as a number, and on the second line we are seeing a 10,000 number as well. But when we see the next shot of the code, we are seeing a thousand in both of the sections.
So when this function checks the contract balance according to the constant product formula, this is a problem of accuracy in processing the values, resulting in the balance calculated in the final contract being 10 times larger. As I mentioned, the first image you are seeing has 10,000, but in this contract it'll be a hundred times larger than the actual balance of the contract.
In this case, if the attacker uses a flash loan to borrow, then they only need to return one percent of the loan.
So the total amount passes the inspection, the stealing still happens, and the remaining 99% of the balance results in project losses. The whole thing would be a hundred times larger than the last edit. So that copied code from Uniswap cost them 50 million, as it wasn't changed when they acquired the code from Uniswap, and thus they could lend the money through flash loans and return only 1% of the loan through the swap.
So Uranium copied the whole code, or forked it from Uniswap, but the changes were not made that thoroughly, and they lost due to that.
Third-party audits are required to keep a check on the team and avoid rug pulls, as it was circulated within the market that it was a rug pull and a few developers from the Uranium Finance team did this intentionally.
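As an added example (not the talk's code and not Uranium Finance's or Uniswap's contract), here is a Python model of the constant-product invariant check the talk describes: the balance side is scaled by 10,000 while the reserve side still uses 1000 squared. The reserve sizes, the 1-wei deposit and the fee numerator of 16 are constructed.

```python
# Added model of the "K" invariant check in a Uniswap-V2-style pair. The pair
# verifies (b0*scale - in0*fee) * (b1*scale - in1*fee) >= r0 * r1 * reserve_scale
# after a swap. When scale is 10000 but reserve_scale is still 1000**2, the
# left-hand side is 100x too large, so a swapper can deposit dust and withdraw
# roughly 99% of one reserve. All numbers below are constructed.

FEE_NUMERATOR = 16   # constructed fee (0.16% when scale is 10000)


def k_check(r0, r1, b0, b1, in0, in1, scale, reserve_scale):
    """True if post-swap balances b0/b1 pass the invariant against reserves r0/r1."""
    adj0 = b0 * scale - in0 * FEE_NUMERATOR
    adj1 = b1 * scale - in1 * FEE_NUMERATOR
    return adj0 * adj1 >= r0 * r1 * reserve_scale


def swap_allowed(r0, r1, in1, out0, scale, reserve_scale):
    """Can a swapper deposit in1 of token1 and take out0 of token0?"""
    return k_check(r0, r1, r0 - out0, r1 + in1, 0, in1, scale, reserve_scale)


def max_token0_out(r0, r1, in1, scale, reserve_scale):
    """Largest out0 the check accepts (binary search; swap_allowed is monotone)."""
    lo, hi = 0, r0
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if swap_allowed(r0, r1, in1, mid, scale, reserve_scale):
            lo = mid
        else:
            hi = mid - 1
    return lo


R0 = 1_000_000 * 10**18   # constructed token0 reserve (in wei)
R1 = 1_000_000 * 10**18   # constructed token1 reserve (in wei)
DUST = 1                  # the swapper deposits a single wei of token1

# Mismatched scaling: balances * 10000, reserves still * 1000**2.
BUGGY_OUT = max_token0_out(R0, R1, DUST, 10000, 1000 ** 2)
# Consistent scaling: both sides use 10000.
FIXED_OUT = max_token0_out(R0, R1, DUST, 10000, 10000 ** 2)


def drained_fraction(out0, r0):
    """Share of the token0 reserve the check lets a 1-wei deposit remove."""
    return out0 / r0


if __name__ == "__main__":
    print(f"mismatched scale: {drained_fraction(BUGGY_OUT, R0):.4f} of reserve0")
    print(f"consistent scale: {drained_fraction(FIXED_OUT, R0):.4f} of reserve0")
```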
I'll swiftly talk about the attack where the attacker sends a withdrawal request to the application, as we have recently seen in Rari Capital and Agave, where they lost 80 million and 11 million. When the attacker requests a withdrawal, it sends the requested withdrawal to the hacker, but no balance has been updated.
So if the attacker keeps repeating the attack, it keeps sending them the withdrawal amount, which should be validated on the hacker's end as well: if the amount has already been sent, it should stop, but it didn't.
In a reentrancy attack it happens that the fallback is still in execution and the application is still sending the hacker the amount which was requested, and thus it goes down and drains the whole wallet of that contract. So the takeaways from these case studies are very simple and straightforward.
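As an added example (not the talk's code and not the Rari Capital or Agave contracts), here is a Python model of the reentrancy flaw just described: a vault that pays out before zeroing the caller's balance, a recipient whose fallback re-enters withdraw() while the first call is still running, and the same vault with the balance update moved before the external call. Deposits and participant names are constructed.

```python
# Added model of a reentrant withdrawal. In the vulnerable ordering the vault
# sends funds, the recipient's fallback runs and calls withdraw() again, and
# only after that chain unwinds is the balance set to zero. The fixed ordering
# zeroes the balance before the external call, so the re-entered call sees
# nothing to withdraw. All balances are constructed.

class Vault:
    def __init__(self, effects_before_interaction):
        self.balances = {}                          # account -> credited amount
        self.funds = 0                              # total held by the vault
        self.fixed = effects_before_interaction

    def deposit(self, who, amount):
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, who):
        amount = self.balances.get(who, 0)
        if amount == 0 or amount > self.funds:
            return 0
        if self.fixed:
            self.balances[who] = 0                  # effect first
        self.funds -= amount
        who.receive(self, amount)                   # external call: recipient code runs
        if not self.fixed:
            self.balances[who] = 0                  # too late: re-entries already ran
        return amount


class Honest:
    """Plain recipient: records what it was paid."""
    def __init__(self):
        self.got = 0

    def receive(self, vault, amount):
        self.got += amount


class Reentrant(Honest):
    """Recipient whose fallback calls withdraw() again while still credited."""
    def receive(self, vault, amount):
        self.got += amount
        if vault.balances.get(self, 0) > 0:
            vault.withdraw(self)


def simulate(effects_before_interaction):
    """Returns (amount the re-entrant caller received, funds left in the vault)."""
    vault = Vault(effects_before_interaction)
    alice, mallory = Honest(), Reentrant()
    vault.deposit(alice, 90)                        # constructed: 90 from an honest user
    vault.deposit(mallory, 10)                      # constructed: 10 from the attacker
    vault.withdraw(mallory)
    return mallory.got, vault.funds


if __name__ == "__main__":
    print("send-then-update:", simulate(False))
    print("update-then-send:", simulate(True))
```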
We are not talking about huge dynamics, but about very simple logical stuff when we talk about how these hacks could be secured or stopped. When we talk about Level Finance, the takeaway is that you can implement a bug bounty program; you can add a third-party bug bounty platform, which can help you address these kinds of vulnerabilities.
When we talk about Uranium Finance, they could have improved the coding structure and should have avoided copying from Uniswap.
And if they did so, they could have had the auditing procedure focus on removing the vulnerabilities. When we talk about the Rari Capital issues, we can securely say that monitoring should be a high priority for such products, and monitoring should be in the lead for such products.
So the takeaways are: we shouldn't be limited to the internal audit team; we should always focus on third-party audits as well. Second, we should avoid copying code, but if we do so, we should improve the coding structure. And third, security checks and monitoring are highly important for such products.
All three of these can be partially secured by tools, but not a hundred percent. So how can enterprises manage these things? They can focus more on the zero trust policies which are in the market nowadays.
A lot of speakers have talked about zero trust frameworks, which could be designed to control such issues, and monitoring is something I can vouch for, which we think we need so that such contracts are monitored before or within the tools. We have a lot of tools to manage security, but we don't have a lot of tools for monitoring the logic of the contracts, and a regular security audit should be performed.
But as a third party, not internally, and it should be prior to the updates, and it shouldn't be just once: if there is any upgrade to the code, the code should be audited as well. And then the main thing which I can vouch for is application security: we should implement DevSecOps pipelines for such products and collaborate on security.
We can collaborate with different security researchers and implement bug bounty programs to improve our coding structures, as well as third-party auditors, because one mindset is not enough. We still need to check with different minds whether we are vulnerable or not. So these are the kinds of resources you can use; I'll share the presentation as well, so you will have that. Nowadays we have Zion; Zion is a newly open-sourced architectural platform for security testing for blockchain and development solutions.
It's one of the famous ones nowadays, and it could help the kinds of products being implemented by enterprises. But overall, tools will never be human minds.
As I mentioned, we have seen products like Level Finance, which was audited twice but still hacked.
So it means that even auditing is not the end goal, but it should be priority one.
But beyond tools, a large bug bounty could be implemented on the project, and they can help you out at large to secure Web3 projects, having different minds with different approaches for testing the security, and not limited to one security team or to one security project. So overall, tools can never be human minds, but we can take help from them.
But we should still focus on the security posture against logical hacks and on testing for logical hacks on our platforms. So that's all; my end note is: tools are necessary, but constant assessment prior to updates is important. So assessments get a thumbs up. Thank you very much.