
Hello everyone, sorry about that. So we are back now. I'm Arbaz, and it's great to be here again on the BSides stage this year. I will be presenting the topic of how to earn millions using web3 bug bounties. I will be co-presenting along with Nir; he is my colleague and also a fellow smart contract reviewer at Immunefi. We will be understanding how bug bounties are crucial in the web3 ecosystem, and also giving you a guide on getting started as a bug hunter, if you want to start a journey in web3 bug hunting.

Starting with the intros: I'm Arbaz Hussain. I work as a smart contract triager on the Immunefi bug bounty platform and have been at Immunefi for the last 3 years. As a smart contract triager, I triage blockchain-related and smart-contract-related vulnerabilities, and we also do mediations, basically resolving any kind of dispute between a project and the whitehats through mediation. I'm also interested in investigating blockchain-specific hacks, documenting those hacks in Medium articles, and writing PoCs of those hacks in a GitHub repository. Previously I worked as an AppSec engineer in web2, and I love creating educational spaces. So, fellow speaker Nir, your intro.

Hi everyone, very good afternoon. My name is Parta Akir. I have worked as a smart contract reviewer at Immunefi since the last one year, and before joining Immunefi I was a smart contract developer and an independent bug hunter. So yeah, please take over.

So here's the agenda of the talk. The whole presentation is divided into two major components. First we are going to understand why bug bounties are crucial in the web3 ecosystem: understanding the key differences between web2 and web3 from an architectural perspective, and also doing a comparison between web2 and web3 bug bounties, understanding why bounties in web3 are usually at the higher end. Then we are going to give you a walkthrough of the Immunefi bug bounty platform and also some of the top paid submissions on Immunefi, like how security researchers on Immunefi make millions through submitting vulnerabilities in smart contracts. Then lastly we have the "how" part, where we give you a guide; we created a beautiful roadmap as well as resources to help you get started, even if you're an absolute beginner in the web3 bug bounty journey.

So let's understand why bug bounties are crucial in the web3 ecosystem. One of the major problems in web3 is the hacks, because hacks in web3 are way more common. If we see the graph, from 2015 to 2022 there has been a lot of increase in the number of hacks. If you see the white line, the hacks were touching almost 200 hacks per year in web3, and in 2021 alone a total of 8.1 billion has been lost. Immunefi did research in 2023 across all the different protocols that have been hacked, and we estimated a total of 1.8 billion in losses in just 2023 itself.

So let's take a closer look at some of the biggest hacks that happened in the web3 ecosystem, starting with the Nomad bridge hack. The total loss the hack made was $200 million. It's a bridge; a bridge is basically a program in blockchain for when you want to transfer tokens from one blockchain to another. Let's say you want to transfer tokens from Ethereum to Polygon; you have to use one of those bridges, and Nomad is one of those kinds of bridge. The vulnerability was that the developers of Nomad made an upgrade to the bridge, and that update introduced the vulnerability into the code. The attacker was able to spoof transactions on behalf of victims, like he was able to make withdrawals on behalf of other victims, so whatever funds were stored on the bridge, the attacker drained all of them, that is, around 200 million.

The other case we have is Poly Network, and this is one of the largest hacks ever recorded in the history of web3, that is almost 600 million. This is also a bridge, and the issue was in the logic of the validation. Every bridge has some kind of validation: if you're depositing, if you're withdrawing, it validates those mechanisms. The attacker was able to bypass that validation and was able to withdraw from the bridge itself.

Then we have the third one, which is Euler. Euler is one of the popular decentralized finance protocols, commonly used for lending and borrowing in DeFi, and the hack was $197 million. It's one of the most interesting as well as funniest hacks, and the reason why: the attacker found a vulnerability in the smart contract itself, within the logic, where he was able to manipulate the price of eTokens, like he was able to inflate the eToken price and drain 197 million. The reason why it's funny: once the attacker did the hack, after some time he wrote a message back saying he doesn't feel good about the hack, he didn't want to do this harm to other people's money, and he wanted to return the funds. So he returned all the 197 million dollars to the project. It was a good recovery, and these cases do happen in web3.

So let's understand why we see a lot of hacks in web3. These are the common reasons. We see there's not enough security awareness in the web3 ecosystem; the space is pretty new. Compared to web2, where we have established security best practice models like OWASP and other different models, in web3 we don't have that. And there has been continuous adoption going on, because every day we see a new blockchain come up into the ecosystem, solving one of the problems and exploring different sectors and categories. This rapidly evolving landscape introduces new vulnerabilities and new attack vectors. This whole adoption cycle just goes on, and there's not enough security awareness. As well, developers in the web3 ecosystem have this particular mindset where whenever they develop a protocol, they send that protocol for a security audit, and once the security audit has been done, they think that everything is secured and they go and deploy that on the blockchain. But we know that is not right, and that is why we have bug bounties, because bug bounties act as the last line of defense for the project.

So let's now understand some of the differences between web2 and web3 bug bounties. It's pretty simple. How many of you are web2 bug hunters, aware of these attack vectors we are seeing: subdomain takeover, XSS, and all? We do get a lot of web2 attack vectors on Immunefi, and these are the common top attack vectors we get for web2 on Immunefi: subdomain takeovers, cross-site scripting, then we have IDORs, then open redirect, as well as broken link takeovers like expired social links and all. The difference you could notice is the higher-end bounties compared to web2, and the reason why is that web3 has a very different impact outcome. Using these vulnerabilities in web2 you can do different things, and in web3 you can achieve different impact outcomes; in the next slide we're going to explore what those differences are.

So here's the quick comparison between web2 and web3. One of the fundamental aspects we need to look for is determining what is at stake. In web2, the user's data is the fundamental aspect: using those vulnerabilities, the final thing the attacker could achieve is attacking the user's personal data or sensitive information of the servers and all. But in web3, what the attacker can achieve is the tokens or assets, and these tokens and assets have financial value. Using those vulnerabilities, the attacker can directly create a financial loss in web3, and that is the major reason why bounties are at the higher end in web3 compared to web2.

Then we have hacker traceability. In web2, if a hacker hacks a website, there are very high chances and a very high likelihood of tracing that through multiple fingerprints. But in web3, hackers do very nasty things: they use mixers and all to just remove the traces completely. So it is possible, and that is where the hacks are more attractive to the black hats. And regarding established security practices, we know web2 is pretty much established with different security practices and different models like OWASP and all, but in web3 we don't have any such established security practice model yet.

So let's understand what the impact outcome differences are using an XSS case. Let's say you find a stored cross-site scripting bug in web2. What you can do to demonstrate the impact is write malicious JavaScript where you demonstrate stealing a CSRF token or stealing an auth token, or chain it to do something very impactful where you can take actions on behalf of users and all. But in web3, what you can do is write malicious JavaScript where you redirect users on that website to some malicious contract. BadgerDAO was one such case, which suffered a loss of 120 million due to a cross-site scripting attack. What the blackhat did: he found a cross-site scripting vulnerability, then he wrote malicious JavaScript where anyone visiting the infected website ended up getting redirected to malicious contracts, so they ended up making deposits and transfers of assets to the attacker-controlled contract. This is how they suffered 120 million, and this is the reason why bounties are much higher for such impact outcomes.

Let's understand the differences from an architectural perspective, like how the web2 architecture is different from web3 and how it looks. We created a very simple high-level overview of how the interaction would look from the user to the server. In web2, if a user is trying to access a web application, he goes to the browser and enters the domain, and it loads the frontend; the frontend queries the data from the backend, and the backend tries to retrieve the data from the database; then it goes back to the frontend, which renders the data. But things are slightly different when it comes to the web3 architecture. In web3 we call the web applications decentralized apps, where if a user goes to some decentralized website, it connects with one of the wallets first. A wallet can be a Chrome extension, like MetaMask, if you know it, and it can be a hardware wallet as well. The wallet communicates directly with the smart contract that is deployed on the blockchain, and it can be any blockchain. It tries to directly retrieve the data from the smart contract itself and directly returns the data back to the user. So this is the high-level architectural difference between web2 and web3.

So now I will call Nir, who will give you the very technical aspects of the evolution of blockchain, how it came into existence, and other more
details. Hey, so yeah, thank you so much Arbaz for quickly walking us through the web2 versus web3 differences. Now let's actually try to understand what blockchain actually is and how it evolved over time. Does anyone of you know what some of the earliest forms of currency were? You will be surprised to know that many of our old tribes used a ledger as a valid form of currency. What they would do is keep a common stone where they would record all the barters happening in the tribe, and that ledger would actually serve as a valid proof of ownership, a valid proof of currency, and a valid proof of transaction. As we evolved over time and invented paper, paper replaced the rock and we started recording our transactions on the paper itself.

This can also be used in the modern context as well. Imagine a group of four friends went on a trip to Goa. Instead of settling every transaction on each split bill, what they would do is keep a common ledger, or I would say a common note, between all of them, and just record their transactions on that note; at the end of the trip they can settle those transactions or just carry it forward to the next trip. If you really think about it, isn't this exactly what happens when I Google Pay 10 rupees to Arbaz? I'm not literally withdrawing a physical 10 rupee note from my account and depositing it into Arbaz's. Behind the scenes, what is happening is our bank is keeping a ledger and just updating that ledger with every transaction. So we can establish that money doesn't necessarily have to be in a physical form; it could be anything that proves to be valuable and can be used as a mode of exchange or a mode of transaction, and that value comes from trust.

Bitcoin is exactly a ledger, a common ledger shared across all the participants and agreed upon by all the participants, which reflects the latest account balances along with the history. When someone says "I have 10 Bitcoin", what they are essentially saying is that there's a common ledger that each participant of the network has agreed upon, and that ledger shows my balance as 10 Bitcoin. But the question arises: how do we ensure that these ledgers are secure, and what prevents someone like me from adding a malicious transaction saying that all of you have transferred all of your BTC to my account? In the example where four friends went on a trip to Goa, all of them had mutual trust amongst them, and that could be considered a private blockchain. In the case where I transfer 10 rupees to Arbaz, the trust is enforced by a centralized entity like a bank or a government, and that would be equivalent to a centralized blockchain. But Bitcoin is a decentralized blockchain; anyone across the world has access to that ledger. So how do we actually enforce trust here? In Bitcoin, the trust is enforced by the innovations of cryptography and the game theory applied to solve this specific problem. As much as I would like to indulge in each of these topics, the scope of the talk wouldn't allow me to do so, but feel free to reach out to us at our booth if you are really curious about the topics.

So yeah, this is really the story of Bitcoin, a decentralized common ledger. But interesting things started to happen when Ethereum was introduced in 2014. With Ethereum, a programmable currency was introduced that actually allowed a coded legal entity to exist on the blockchain. Let me explain it to you with a very simple and beautiful analogy. Many of you may have heard about the vending machine. A vending machine is essentially a programmed entity where you deposit some money and some instruction for it to process; the vending machine first ensures whether sufficient money has been deposited or not, and then it actually determines what goods to process. Now imagine that vending machine on the blockchain, because that's exactly what a smart contract is. The only difference being that the smart contract, instead of processing in terms of actual goods, would process in terms of the rules of the blockchain and the native currencies of the blockchain.

The introduction of this programmable currency really allowed all the opportunities to arise where many financial services can be designed on the blockchain, for example banking, insurance, derivative markets, etc. Some of the popular DeFi protocols include Uniswap for exchange and swaps, we have Compound and Aave for the money market (lending and borrowing platforms), and Maker for the stablecoin, etc. At this point you might think that designing some financial services may require some alienated languages and it would be extremely difficult, but actually there's good news. The most prominent language used for smart contract development is Solidity, which covers almost 90% of the total TVL across the blockchains, followed by Rust and Vyper. If you really look at Solidity, you would realize that it is very, very similar to JavaScript, and trust me, it's really very easy. Then we have Rust, which covers almost 8% of the total TVL across the blockchains, which is similar to C and C++, and then Vyper, which is similar to Python.

Now, since we have the basic understanding of blockchain and the languages used for programming smart contracts, allow me to introduce Immunefi. So I guess we have really established that there's really a lot at stake in web3, and so much legal protection for the blackhats as well. In this scenario, the success, and I would say the survival, of the protocol really depends on the security measures taken by the protocol at each stage of their development. All of you must know that it doesn't matter who developed the code, how beautifully, how securely they developed the code, the bugs will always be there, and some of them are so severe that they could end the entire protocol within a single transaction, as we just saw. All of this is to say that web3 protocols really have tremendous motivation to run an active bug bounty program, and they are really incentivizing, really motivating researchers to look into their code bases just to find bugs and make their users' funds secure. That's where Immunefi comes in.

We are a bug bounty platform, and I would say that we are currently the first choice for any web3 bug bounty program, as evident by the number of bounties available, and we also have some of the largest bounties available in the security space. These are some of the stats that we are very proud of: we are currently protecting over 60 billion in user funds, we have over 300 plus leading blockchain projects on our platform as of now, and just a couple of months back we crossed 100 million in bounties paid to the security community by our platform. So yeah, there are really a lot of opportunities.

Now let me quickly walk you through some of the bounties that have been paid through our platform. We have the Wormhole bounty, a 10 million bounty for a single bug report; we have a bunch of 1 million bounties; we have 4.2 million for Polygon; we mediated 7 million for a finance protocol. These are just some of the bounties paid through our platform.

Now let me very quickly walk you guys through a researcher's journey from finding a bug to reporting it to being paid. I would just go very briefly over this as we are running out of time. The security researcher submits a bug; he reports the bug to our platform with all the necessary information like the root cause and impact, along with a coded PoC. Then it comes under triaging review: we review it based on our various criteria, we determine the severity and likelihood, and we also weigh it against our various feasibility limitations. Then, if we find it to be truly valuable, we escalate it to the project, and the project can determine the validity on their own; if they find it to be valuable, the researcher gets paid.

Now it's time to, again very briefly, walk you guys through some of the top bugs paid by our platform. The first one is the Polygon bounty, 2 million. Before I dive into it, allow me to introduce two important concepts to understand the vulnerability. The first one is gas fees: in order to execute any transaction on the blockchain you need to pay fees, and we call them gas fees. The second concept is the signature, where the signature is basically a digital fingerprint that proves that some message was signed by you with your private key, and when you post that signature, the blockchain can verify that it was indeed you who signed with your private key. This beautiful system lets everyone, all nodes of the blockchain, determine who signed the message, and the message is secured like that.

In the Polygon ecosystem there's a contract to transfer MATIC; MATIC is the native currency on Polygon, just like we have ether on Ethereum. In this contract there was a function to transfer MATIC, but this function allowed an additional feature. For example, if I want to transfer some MATIC to Arbaz and I don't want to pay for the gas, the contract allowed a feature where I can just generate a signature along with the transfer data, and that signature would be picked up by the operator and he can execute the transaction on our behalf. But remember, we need to ensure who was the original signer of that signature. For that we have the ecrecovery function; the ecrecover function is a built-in function which essentially gives you the signer who signed the message. So now let's look at the ecrecovery function. If you look at the ecrecovery function, there's a check that if the signature length is not 65, it would just return address zero as the signer. Let me very quickly go back to the previous slide and see what happens when the ecrecovery function returns address zero: that would be stored in the from variable, and that from variable along with the to variable will be passed to the transfer function at the end of the function. Now let's look at the transfer function. If you look at the transfer function, it doesn't check whether the sender of that transaction really has the necessary funds to transfer or not. So the vulnerability is very simple: it lacks a very critical check of whether the sender of the transaction has enough funds to transfer or not. So anyone can provide a signature which isn't 65 in length and can just mint an arbitrary number of tokens out of thin air. At the time of the submission there were around 9 billion MATIC that could have been stolen by the attacker, and that's why Polygon paid their max
critical reward of 2 million for the swift discovery. For the next two bug reports, I will let Arbaz walk you guys through.

All right, so the second case we have, which is one of the top paid bug submissions on Immunefi, was paid a 10 million bounty. I'm not going to dive into the technical details; I just created a very high-level overview of how the attack vector works. Wormhole is a cross-chain bridge: if you want to transfer assets from one blockchain to another blockchain, you need to use some sort of bridge, and Wormhole is one of the kind. Wormhole has two contracts, which you can see on the screen: a proxy contract, and then we have the logic contract, and this proxy contract does a delegate call to the logic contract. The way delegate call works is, let's say you are making a delegate call from contract A to contract B; whatever execution happens in contract B, the memory and the state changes get saved into contract A. So the user goes to the Wormhole contract, they make a call to the proxy contract, and the proxy contract makes a delegate call to the logic contract, and now whatever changes happen in the logic contract get saved into the proxy contract.

What the attacker found next was a way in the logic contract where he could redirect those delegate calls to some third-party external contract. So what the attacker did: he created a malicious smart contract, and he used an opcode called self-destruct, which basically means to commit suicide; the self-destruct opcode is basically used to destroy the contract, so if you call that contract, it just destroys itself. What happened next: the attacker used the logic contract and made a third-party, arbitrary delegate call to the evil contract which contains this self-destruct opcode. So all the changes happening in the evil code get stored in the logic code, which destroyed the logic contract of Wormhole itself. Coming back to the original workflow: if a user now calls the proxy contract, the proxy is currently bricked because it has no logic contract anymore, and this proxy contract was holding 800 million in funds in their contract, which is not usable. So this was considered one of the top submissions on Immunefi, where the whitehat was rewarded with a 10 million bounty on this one.
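The signature-check pattern described in the Polygon case above, as an added example that is not code from the talk, from Polygon or from Immunefi: a hypothetical gasless-transfer contract with the two defects the speaker names, beside a hardened version that reverts on a malformed signature and checks the signer's balance. The contract, library and function names (GaslessBase, GaslessVulnerable, GaslessHardened, SigLib, transferWithSig, credit, nonces) are assumptions made for this example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical contracts written for this example; this is not Polygon's code.
// They reproduce the two defects described in the talk so the fix can be compared.

library SigLib {
    // Lenient recovery: a signature that is not 65 bytes yields address(0)
    // instead of reverting (the behaviour described in the talk).
    function recoverLenient(bytes32 digest, bytes memory sig) internal pure returns (address) {
        if (sig.length != 65) return address(0);
        (uint8 v, bytes32 r, bytes32 s) = split(sig);
        return ecrecover(digest, v, r, s); // the precompile also yields address(0) on failure
    }

    // Strict recovery: malformed or unrecoverable signatures revert.
    function recoverStrict(bytes32 digest, bytes memory sig) internal pure returns (address signer) {
        require(sig.length == 65, "bad signature length");
        (uint8 v, bytes32 r, bytes32 s) = split(sig);
        signer = ecrecover(digest, v, r, s);
        require(signer != address(0), "invalid signature");
    }

    function split(bytes memory sig) private pure returns (uint8 v, bytes32 r, bytes32 s) {
        assembly {
            r := mload(add(sig, 32))
            s := mload(add(sig, 64))
            v := byte(0, mload(add(sig, 96)))
        }
        if (v < 27) v += 27;
    }
}

// The contract custodies the native coin for its depositors and pays transfers out of
// that custodied pool. Anyone may relay a signed transfer and pay the gas for it.
abstract contract GaslessBase {
    mapping(address => uint256) public credit;  // what each depositor is owed
    mapping(address => uint256) public nonces;

    event Transfer(address indexed from, address indexed to, uint256 amount);

    function deposit() external payable {
        credit[msg.sender] += msg.value;
    }

    function transferDigest(address to, uint256 amount, uint256 nonce) public view returns (bytes32) {
        return keccak256(abi.encodePacked(address(this), block.chainid, to, amount, nonce));
    }
}

contract GaslessVulnerable is GaslessBase {
    function transferWithSig(bytes calldata sig, address to, uint256 amount, uint256 nonce) external {
        // Defect 1: a malformed signature does not revert, it yields address(0) as `from`.
        address from = SigLib.recoverLenient(transferDigest(to, amount, nonce), sig);
        require(nonces[from]++ == nonce, "bad nonce"); // address(0) has a nonce like anyone else
        // Defect 2: nothing checks that `from` actually holds `amount`, so the payout
        // comes from the whole custodied pool regardless of who (if anyone) signed.
        emit Transfer(from, to, amount);
        payable(to).transfer(amount);
    }
}

contract GaslessHardened is GaslessBase {
    function transferWithSig(bytes calldata sig, address to, uint256 amount, uint256 nonce) external {
        // Fix 1: reject malformed signatures and a zero signer instead of continuing.
        address from = SigLib.recoverStrict(transferDigest(to, amount, nonce), sig);
        require(nonces[from]++ == nonce, "bad nonce");
        // Fix 2: the signer must actually own what is being moved, and it is debited.
        require(credit[from] >= amount, "insufficient balance");
        credit[from] -= amount;
        emit Transfer(from, to, amount);
        payable(to).transfer(amount);
    }
}
```

The same two checks are the ones to look for when reviewing any relayed or meta-transaction entry point: does a failed recovery stop execution, and is the recovered signer the account that is actually debited.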
The third and topmost submission on Immunefi was for Aurora Finance, which is one of the Ethereum-based blockchains. Before we understand the bug itself, let's understand how bridges work. If you want to transfer tokens from one blockchain to another blockchain, you have to deposit the funds into one special contract first on blockchain A, so you need to send tokens to the special contract to lock, and once you transfer the funds it emits the deposit event. Using these deposit events, blockchain 2 verifies whether the deposit was actually made or not, and based on that it releases the funds on blockchain 2. So this is how the lock-and-mint mechanism works on different bridges.

So here's the vulnerability. There are two blockchains: Aurora, and there is the NEAR blockchain. In the normal workflow, the user goes and deposits the funds into the Aurora blockchain and the funds get released on blockchain 2, that is the NEAR blockchain. But using the vulnerability in the code, the attacker created a malicious contract where he was able to do a delegate call making a simulation of the deposit, like he is not actually transferring the funds to the contract, but using the delegate call he can simulate "I'm depositing the funds into the Aurora contract", and the Aurora contract got tricked into believing that it received the funds and emits the deposit event, that is, the exit event log. Blockchain 2, that is NEAR, verifies the event and releases the funds. So without spending anything, blockchain 2 keeps releasing the funds to the attacker. There were around 200 million dollars' worth stored on this contract, and a total 6 million bounty was awarded to the whitehat.

So coming to the final part, we created a very detailed roadmap, if any of you want to get started on a web3 bug bounty journey. Nir created a very beautiful roadmap and resources to help you get started. So yeah guys, I guess we have
really established that there's really a lot of opportunity and a lot at stake here in web3. So if we have even slightly motivated you to explore this beautiful space of exploring the web3 ecosystem, here's a quick roadmap for you guys to consider. Step one is to understand the fundamentals of blockchain. Step two is to understand the different blockchains and their architectures, along with the languages used for programming the smart contracts over there, for example Solidity for the EVM-based blockchains, and for the Solana-based ecosystem we have Rust. Step three is to familiarize yourself with the common security practices and past hacks.

Now let's break down the steps into further sub-steps. The first step really is to understand the basics of blockchain technology: you need to understand what the blockchain really is, you need to understand how blockchain works, you need to understand the technology used to make the blockchain really secure, for example consensus mechanisms (proof of work, proof of stake), private key/public key cryptography, hashing mechanisms, and the overall concept of decentralization. Then you actually need to understand how Bitcoin actually works, and some of the distributed ledger technologies. Once you have the basic knowledge, or basic theory, of the blockchain, you can go ahead to the smart contract part. For the smart contract part, you would need to familiarize yourself with Ethereum and how Ethereum differs from Bitcoin and how it allows the programmable currency, so yeah, Ethereum, and then the language actually used for writing those smart contracts, Solidity. Then we have the Ethereum Virtual Machine, the Turing-complete machine where the execution of those transactions actually happens, so the Ethereum Virtual Machine, and then some of the common libraries for the development of smart contracts. Sorry guys, I won't go into much of the details.

The next step we have is DeFi. These are some of the decentralized applications actually built on the blockchain, for example Uniswap, Compound, Aave, etc. Understanding these DeFi protocols would actually make you understand how the ecosystem works, what is currently going on in the ecosystem, how those DeFi protocols work with the blockchain, and what the journey of a single transaction is from the user end to the blockchain end, and some of the frameworks and DeFi architectures. The last and the most fun part is the security part, where you would actually make yourself familiar with some of the common security practices, some of the past hacks and how attackers actually exploited those protocols, and some of the bug fix reviews or audit contest findings to strengthen your security mindset.

So here are some of the resources for you to get started, but I am not expecting you to actually write them down. We have actually created a QR code; you can just scan this QR code and sign up, and we will actually send you all the necessary resources for you to get started with your web3 bug bounty journey. And yeah, I guess that's really our time guys, and please don't forget to visit us at our booth. We have some exciting quiz competitions for you guys to line up for, and also some cool opportunities to win Immunefi swag and Immunefi merch. So yeah, thanks a lot guys. Yeah, that's our talk, and guys, any Q&A, any questions?
So I can see one guy, yeah.

Mic. Hi team, so a few months back I got into this web3 journey. I've been reading about all the terminologies involved, the jargon and all the stuff. There is this Binance Academy, right, to learn about all this; I've been into this, and it is overwhelming, to be honest: blockchains, level one blockchain, level two blockchain, bridges, all these mixers and all these things, dApps, DAO, and there are a lot of things, you know, a lot of abbreviations are used which completely overwhelm a beginner. So one thing that impeded my process of learning, I believe, is that I didn't know a proper pathway, like what to learn first and then how to proceed to the next and all; there was no step-by-step procedure, which greatly affected my way of learning, and at one point of time I was fed up, to be honest, so I left it and got back into web2 again. So would you suggest a detailed pathway so that others who are interested in web3 might not face the same problem that I faced?

So yeah, I can really second you, and I can understand what you are saying. There's not really a very detailed and very architectural path to learn the blockchain, as the overall space is quite young. That's why we have actually prepared a detailed roadmap. If you can just scan this QR code, we will send you all the resources for you to get started; you just need to scan the QR code and we will mail you the detailed roadmap for you to get started with.

Okay, so also with web3 and blockchain there are two sides to this, right? One side is development and the other side is trading. So how much would this pathway actually help a person get into trading? I mean, it is obvious that this will help a lot in development and to explore the technical side, so how much is this helpful for trading as well, or is it just for the technical?

Yeah, I'm really sorry, because the path is designed for you to understand how to be a blockchain developer and how to be a security researcher and how to hunt for web3 bug bounties; we haven't included any sources for trading. So yeah, basically the path is for you to become a web3 bug bounty hunter.

So, I mean, it will get us up to speed with all the basics of blockchain and web3, right?

Yeah, sorry, can you repeat your question?

It will get us all up to speed with all the...

Definitely, definitely. Our main motivation to come here and give the talk is to make you guys aware of the opportunities in the blockchain space, and that's why we have created a detailed roadmap. If you see the roadmap, you will naturally understand that it's very beautifully designed and it will help you at the start.

Sure, yeah, I would definitely check it out. Thank you.

Thanks. So yeah, any other questions, guys?

Yeah, so in blockchain there is one vulnerability called DoS with block gas, right? We can do DoS attacks with the block gas. So is there any DoS kind of system for that, for the same, which is available in web2 as well?

I will let Arbaz answer your question, he's more... Okay, sorry, can you please repeat your question?

So the question is, there is one vulnerability in the blockchain, a DoS with block gas, right, a DoS attack with block gas. So is there any mechanism, or is there any vulnerability similar to DoS with block gas, like there is a DoS attack in web2? So is there any same vulnerability available for the DoS with block gas as well?

Yeah, so actually the concept of gas was introduced into the blockchain just to mitigate these kinds of situations, because the EVM is really a Turing-complete mechanism, and if you submit a transaction that would last forever, it could really DoS all the participants of the network. So for that we have the gas limit, and for each instruction of the EVM there's an associated gas price, and to execute any transaction you have to pay the relevant gas fees for that. This beautiful mechanism of gas fees and gas price actually prevents the DDoS for the gas.

Okay, okay, that answers my question, thank you.

So yeah guys, we will take any other questions offline. If you are really curious about knowing anything about it, please reach out to us at our booth. Thank you so much guys.