
...and applying security techniques to profit and web 3.0, so welcome. Thank you. [Applause]

All three? I've got three different mics here. You guys can all hear me? Excellent, good. I'm going to need them. You can hear me now, still? Thank you, very good. All right, so again, can you still hear me? Good. All right, I'm Sky Lama. I've got a little bit of passion for web3, because I like to find ways to make things do things that their creators didn't intend, and as it happens there's a lot of opportunity to do that in the web3 or crypto space, so it's become, you know, a hobby. We're going to talk about that today.

So who in here owns some crypto? Maybe some Bitcoin, Ethereum? A couple people. Anybody own any NFTs?
Very good. All right, so let's just baseline some terminology. I'm going to talk about web3, and basically when I talk about web3 what I'm talking about is anything that's like a blockchain architecture, or like a business use case that is reliant on blockchain. Then I'm going to talk about web 2. These terms are very, you know, ambiguous; you go on Google, you read about them, everybody's trying to dispute what they mean, so right now I'm in charge, so that's what they mean. Web 2 basically means everything else: it means the grocery store you shop at, it means traditional servers, APIs, anything that's not, you know, some kind of modern newfangled let's-do-it-on-blockchain idea.

All right, has anybody heard the term alpha before? By the end of this talk, here: alpha is basically a term that's really thrown around a lot in the crypto space which means information that gives you an edge. Usually an edge makes money, sometimes an edge to FOMO into something that's going to lose. That's alpha, and what's not.

Does everybody know what a crypto wallet is? Yes? All right, good. Really, functionally, crypto wallet, the way people use it, could mean, you know, software you use to manage transactions on crypto, you know, maintain your balances, send to other people. Really what I'm going to talk about when I talk about a personal wallet is a private key that represents your wallet that your crypto is associated with. And it's come a long way since the guy lost his Bitcoin, you know, with his wallet in that file that got dumped somewhere and he can't get it back. These days we don't really represent our crypto wallets in files and such; we represent them usually with secret phrases, mnemonics, it's like a 12-word phrase, which makes it really handy because you can now port your wallet pretty much anywhere as long as you have that secret phrase. But it's also kind of a security concern, because if we happen to have that in the background while you're streaming on Twitch, then there goes your crypto.

All right, so, Ethereum, Bitcoin. These are the basics. There are a lot of different blockchains out there that have a lot of different rules, there's way too much to talk about, but really Ethereum and Bitcoin are the two biggest and most important cryptos. So Bitcoin being, we'll call it an asset, right? It doesn't do a whole lot of advanced functions, whereas Ethereum has the ability to do things like smart contracts. People can really build applications on blockchain. That opens up a lot of interesting opportunities for people of a mindset like us.

All right, gas. Gas is also important, because the blockchain is really a giant distributed computing environment where if you wanted to do something, whether it's recording the data to move crypto from one place to another or having a complex smart contract, the person who makes the call to do something has to pay the whole validator network. And I'm going to use validator as a very general term that's completely technically inaccurate in the way I use it, but it's accurate enough for us. I'm going to use validator to represent any of the different systems that receive transactions from people like you and I, determine if they are correct, create blocks on the blockchain, basically assert that everything is correct. But in order to pay these people, when you submit a transaction you have to pay what's called gas, which is a certain amount of Bitcoin or Ethereum or whatever the native coin is for the blockchain you're using.

And then finally, smart contracts. A lot of, most of the newer blockchains have the ability for you to submit arbitrary code onto the blockchain, called smart contracts, which you can use to effectively run logic. When somebody makes a transaction they can call functions in your smart contracts, so you can start doing things like building autonomous decentralized exchanges, for example, where you can exchange one crypto for another. There's no human involved, no permission, it's all just logic on chain, and as long as the rules fit it's all done. It's also, it's magic, consider it magic.

All right, now before we go too much further I do want to call out three important things before I get you all excited about, you know, going home and getting rich in crypto. Everything in the crypto space is, you know, like literally everything: for every honest person in crypto there's dozens of scammers out there just waiting to get you. If you go home and you download a wallet and you have an issue and you go post somewhere, hey, you know, there's something wrong here, I guarantee you within 10 seconds you're going to get half a dozen at least scammers pretending to be support for that product just so they can trick you into letting them steal your crypto. It's a really dangerous space. You can get rich in crypto, like some people have; you've seen the guys with the Bitcoin-wrapped Lamborghini. But, you know, for every person who does that there's thousands of people who can't pay their mortgage because they FOMO'd into some project and now they don't have their mortgage anymore.

And really, for us, this last one's important. There's this perception, that is very incorrect, that the blockchain is lawless, that you can do things like exploit a smart contract and steal a couple million dollars of crypto and get away with it because, you know, it's the blockchain, there's no enforcement, nobody's going on, nothing's going on there. But it's important to recognize: it is true that enforcement is ambiguous at this point, regulation is ambiguous, it's multi-jurisdictional, there's a lot of international actors, so it may be hard to crack down and, you know, enforce law in crypto currently. But everything that was illegal in web 2 is just as illegal in web3. Just because you do it on blockchain doesn't mean your illegal, you know, investment scheme is somehow legal; it doesn't mean stealing is somehow legal. And that's important because in web3, with most chains, there's also a feature that doesn't exist in web 2. If you go and steal somebody's bicycle on the sidewalk, you know, if you weren't caught on camera and positively identified, now you might get away with it, right? It happens all the time.
You go steal somebody's bicycle on web3, it is immutably and permanently recorded on the blockchain. So maybe nobody cares right now, or nobody has the capability to investigate it right now, but that doesn't mean that in, you know, a week, a month, whenever, particularly the higher stakes the crime you do, that somebody's not going to come down on you. And right now the IRS is working on machine learning and artificial intelligence applications on blockchain just to predictively figure out that you're cheating them out of tax revenue. Right now, apply this to any number of private investigation firms, law enforcement, enforcement agencies, etc. If you're doing nefarious things on blockchain and you ever want to turn that criminal proceed, we'll say, into something that you can actually use, a sandwich, a Coke, you've got to convert it out of that crypto at some point, which means you've got to de-anonymize, or at least leave breadcrumbs between that crime and you, in order to turn that into value, and you're going to set yourself up to get caught. So that's a very long-winded way of saying don't ape into criminal activity on blockchain. Got that idea?

All right, so that said. What if you have the ability to see the future, right? What could you do, how could you make money, what would the opportunities be for you if right now you could know what was going to happen, say, 12 seconds from now, or 10 minutes from now? Well, it's interesting, because that's really how it is on the blockchain. So if we take our friend Maeve here on the left, and she wants to send some crypto to her friend Alex on the right, they'll exchange, or Alex will give Maeve his wallet address so that she knows where to send the crypto to. She'll use her wallet software to, you know, craft a transaction, send it off onto the crypto network to validators. The validators, assuming she's paying enough gas, are going to validate that transaction, they're going to bundle it up into a block recorded on the blockchain, and magically, magic internet money, Alex has gotten some crypto, just like that. What's important is now everybody in the world for all time can see that Maeve just sent Alex that crypto. Very interesting.

What's also interesting is there's a period there, when Maeve submits that transaction, before the validators actually pick it up, where it goes into this big cache of transactions called the mempool. Basically what happens is blocks are created at regular intervals. To talk about, like, Binance Smart Chain, that's targeted every three seconds; Ethereum is like every 12 seconds; Bitcoin's targeted at every 10 minutes. When a validator goes to create a block it'll look into the mempool and it will pull out the transactions from the mempool that are paying the highest gas, so it can make the most profitable block that it can, right? And so if your transaction hasn't been picked yet for a block, it's just sitting there in the mempool. And what's really fascinating is anybody can look at the mempool right now. I mean, you're looking at a copy of it from whenever the heck I took the screenshot. These are all transactions that were submitted but not yet processed on the blockchain. Right here you're now seeing the past that was once the future, 12 seconds in advance, right? So in reality, on the blockchain, you really can see the future if you're looking for it. You can know what's going to happen in three seconds, or in 12 seconds, or in 10 minutes, right?

So what would you do with all that information? Well, there's a huge flourishing industry of bots in crypto. They're all doing this general activity of front-running. Do we know what front-running is? All right, so front-running we would often think of as like, in the stock world, think about it like insider trading, right, where you know some secret information. Very illegal, right? Don't do that kind of stuff. Well, in the crypto world, when we talk about front-running, what we're usually talking about is looking into the mempool for certain patterns of activity that we have determined are profitable for us, and then using that information to take some kind of an action to profit off that when it happens, when it actually executes, you know, 12 seconds in the future. Or you could even potentially take action to prevent that from happening. Let's say that I really wanted a new NFT, for example. I don't really want to buy it yet, but I also don't want to lose it. Well, I could be watching for a transaction in the mempool of somebody else buying it, right, and if I see they're about to, I can snatch in, pay some higher gas, and get my transaction processed first and snatch it out from under them, right? That's just one simple use.

Thinking about it other ways: well, we know that Elon Musk can move crypto markets, or really any other market, just with like a single tweet, right? If he tweets Dogecoin, what's going to happen? It's going to double in value, right? Well, what if you could identify what crypto wallets belong to Elon Musk, right, and then you could monitor the mempool for activity on those wallets, so you can know what Elon Musk is about to do before he actually does it? Right, you can identify Elon Musk's next crypto degen play and, through the power of computers and bots, potentially mirror his play, so when he makes that tweet you get just as rich as he does. Sound good? Could happen. In fact, there's a lot of people who do that right now with all sorts of crypto notables like Vitalik Buterin. And you'll also hear about front-running bots. You've probably heard some of the news: they steal a couple million dollars on swaps. Same type of thing. They can find out that you're about to exchange some crypto and get in front of that, and actually, through a series of transactions, they can buy the crypto at the best price available right now, make you pay a little bit more, and then sell it as soon as you do, to squeeze out that little bit of margin, right? This happens all the time.

So, moving on from that. One of the interesting things about the web3 space is the idea that web3 should be decentralized and unstoppable. So like the US government shouldn't have a voice in it or control; you know, technically they should be locked out from doing that. Any other government, any other whoever. If you have an idea you should be able to build something on blockchain, deploy it, and let it go forever, right? And that's actually true, that is how it works, unless the maintainers of the blockchain decide to change the code and break your thing, but that's basically how it works. But what's happened over the years is that the participants have found that the economics of gas really undermine that decentralization. So if we look back to like early 2020 and before, gas was really cheap. It didn't cost you a lot of crypto to process a transaction, and Ethereum was really cheap, it was under 200. It's like, I don't know, somewhere between 1500 and 1700 right now? I don't know what it is. It got to a peak of like, I don't know, anybody know what the peak was? Somewhere between four and six thousand. But basically, you know, you could build these decentralized apps that were very complicated because it was cheap to process transactions against those contracts. But all of a sudden the bull market came in 2020, Ethereum 20x'd, the amount of gas it took to process a transaction 20x'd, and now all of a sudden something that cost you pennies or maybe a dollar to process earlier was costing you tens of dollars or hundreds of dollars. It might cost you 150 dollars to send a dollar fifty in crypto to your friend, right? It doesn't make any sense. It basically undermined the whole idea, and that really brought us to a place where we are now. And don't get me wrong, there's still a lot of people who are all about the decentralized, you know, message, but economically we're moving more and more towards the gas-optimized reality. And what this means is that blockchain developers are more and more peeling logic back out of smart contracts and moving it back into client-side code in your browsers, moving it into traditional back-end APIs, because they can remove a lot of that heavy lifting that drives the high gas usage on the transaction, just do it off chain and then pass information in as they process the transaction. What this really means for us, you know, being security-minded folks, is we now get the benefits, if you call them benefits, but we now get the benefits of all the security issues that come along with traditional back-end APIs, client-side code, and smart contracts, all rolled into one with many modern web3 applications.
Smells like... whoops. Oh well, we were in that one anyways. There's also... the moral of the story on that is there's a lot of interesting alpha out there that's waiting to be discovered. So I'm just going to share two actual use cases of things that, you know, I've come across here.

So the first one is a mid-size Bitcoin mining company. Do we all know what Bitcoin mining is? That's basically how the Bitcoin network works: miners run ungodly amounts of compute power, specialized compute power, to find blocks and solve hashes. GoMining is one of those companies. They're a very established Bitcoin miner who has now moved into the web3 space. What they've done is they've created an NFT project that tokenizes their hash rate, so that instead of investing a ton of money to have physical Bitcoin miners, you can now buy a small amount of Bitcoin miner power. So you can get into the Bitcoin mining game with, you know, an initial investment that's probably less than your average night out, right? And in exchange you get Bitcoin rewards that are basically equivalent to real physical mining. They launched, and then, like most NFT projects, they've been completely unable to resist the urge to gamify their products. This is a big thing in the space. And so they also launched some gamification: you get to do things like manage your virtual Bitcoin farm, right? You can go in there once a day, you can click the service button to maintain your farm, and in exchange you'll get, whoops, you get a discount off your hosting costs, right, up to three percent. And then... 10 minutes away? That's terrible. We're going to make this a 40-minute talk.

So in any case, as you can imagine, what I just said, that's a lot of logic, it's a lot of complexity. It'd be a lot to manage directly on blockchain, so they have a very complex ecosystem, and they're a project who, in order to manage that, has really spanned the whole space of client-side code, back-end APIs, and multiple smart contracts to wrap it all together.

All right, so I, you know, I like Bitcoin mining, as I mentioned. I like exploring interesting APIs and things. So I took a look at them, and I don't know if anybody else is like this, but I've got a little confession, which is I use almost nothing other than Chrome, Chrome developer tools, and curl. My biggest complaint in life is that I can't get developer tools on my mobile phone, so if anybody knows an answer to that please catch me up later. But in any case, my first step is to effectively walk through all of their APIs: all the things that are being called automatically, all the things that get called when, you know, you interact with any of their various doodads in the application, right? Let's see what's actually going on there. And one of the things I found was they return a wild amount of information beyond what's actually being used in the application, and this was my first great alpha, because what it actually provided for me was competitive advantage in their game, because I now had access to information that other users of the platform did not have. So I was able to build systems that would allow me to attain a higher daily Bitcoin reward than other users were able to. But we're not going to go into that, because that's... I'm not giving away my secrets.

But one of the APIs I noted in the exploration was a push API, and this API would be invoked every time you click that service button I talked about. The developers intended this button to be clicked once every 24 hours. That was how it worked: you had to come back once every 24 hours to click the button, keep you engaged with the game, to maintain your discount. Every time you clicked it you'd get a little bit of discount; it would add up over days, but if you forgot to click it, there goes all your discount, and that's terrible. So, you know, I played with it. I found that it was very well enforced in the client-side code. You absolutely could not, through the client-side code, interact with that button more than once every 24 hours. But they had no actual protection on the API itself, so you could invoke the API whenever you wanted, and sure enough it would reset your service counter. Excellent. I was like, this is awesome, I'm never going to have to worry about losing my discount again, I'm just going to, like, fire up a Lambda function and call this API once a day or something, automatically, for me, every 12 hours, right? But then, as I was exploring other APIs, I noticed something I hadn't noticed when I was interacting with this API, because it doesn't return much useful data, which is that when you're interacting with the API directly it would actually increment the days well beyond the limit that they had set. So, yeah, I did what any rational person would do, and I put together a dirty, you know, loop and ran it, and, you know, serviced my farm 1621 times. It acquired an 816% discount on my hosting fee. Yes.

So the developers had, you know, not only had they not enforced the limitation on how often you could click the button, they also hadn't bothered to enforce, in the back-end logic, once the API's invoked, a limit on the actual impact of invoking the API. So at this point, you know, the least impactful scenario is I get free hosting. You know, that's nice. But the most impactful, you know, it really would depend, and I didn't have visibility into this, but how automated is their daily reward payout function? What kind of checks and balances do they have there? Because if this just processes right now, they're going to pay me 716% of what I was supposed to pay them, which means, if I take this to the extreme, you know, and keep this going, is this an exploit that allows me to completely drain their reward wallet at the next reward cycle, right? I didn't find out; that was a couple hours away, and I think that clearly falls into category three that I talked about earlier. So I responsibly disclosed this. They fixed it before the next reward cycle, offered me completely no reward.
So, in any case. But yeah, so there's a good example, right? If you apply a little security mindset to some of these projects there are opportunities, you know. Maybe, maybe if I was a little more black hat... but, you know, moving on to a second example. Oh, that's perfect, okay. Moving on to a second example here, to an art project. I minted an NFT project called ROTA earlier this year, it's Rise of the Apes. It was the second collection of this Apes Together Strong organization, and basically I was just trying to squeeze out some... yeah, I guess to kind of explain, when a non-terrible NFT project... that's important, because most NFT projects like mint straight at zero and that's where they stay forever. When a non-terrible NFT project mints, there's often like a little bump and drop that happens in pricing, so usually you mint and then you get out, you've got a little bit of profit. That was my goal with this. I minted some. I had no idea really about this community or anything about it, but as I got in it was actually pretty interesting. I found that the founder was very passionate and had a rather unique quality in the crypto space, which was that he was not an entirely, you know, a complete asshat. So I stuck around to see what their utilities would look like as it went forward.

So fast forward, you know, a couple weeks, a couple months into the future, and they had released two utilities that I thought were really interesting. The first was effectively a utility intended to help them maintain the floor price of their collection, because what happens is if you're just holding a bunch of NFTs, you know, oftentimes what you'll do is you'll just list them on NFT marketplaces, because, hey, you know, why not, maybe somebody will bite and you'll make some money. But what happens is that causes everybody to keep undercutting each other all the time, so it causes the floor price to go down. So they built this utility that incentivizes you to de-list your NFTs, and it does this by automatically giving you tickets for this ape ticket system for any NFT that is unlisted. You get more tickets the rarer it is, you get more tickets, and you get like a multiplier if you have no NFTs listed at all, and every week they do a drawing based on those tickets and they give away, you know, something. It's usually NFTs in their ecosystem or partner NFTs, something like that, but they actually have real monetary value, a couple hundred, a couple thousand dollars. So it's a pretty interesting utility.

The second utility was a war utility, where it's part of the lore of this whole project, like these are some apes that went through like a multi-dimensional thing and got... anyways. Anyways, you can send the NFTs to war, and it's a deflationary mechanism where if you send it to war there's a random chance that it's not coming back, that it will get burnt. And as it happens, the rarer the ape is, the higher the chance it gets burnt. So what you do is you stake your NFT on this contract, 48 hours later you can come back, you can unstake it, and based on that random chance, you know, you'll either get it back and it will be upgraded in rarity, which means theoretically it's worth more money, or it will be burnt, and, well, you might regret it depending on how rare it went in. But one of the other interesting things is that you can also continue to receive ape tickets for NFTs while they are submitted to the staking contract.

All right, so I was really curious about this war function, because one of the things that smart contracts don't really do well is randomness, so hearing "random" kind of piqued my interest. And so I went, I found the contracts, you know, dug through the client-side code, found the contract address that was being referenced, went to Etherscan, which is a website that allows you to see basically all the data about the Ethereum network, and it's really easy to see the actual code of smart contracts because they're on chain, like they're out there. There's nothing proprietary or anything going on here with smart contracts, so you just go out there. You know, I found the functions that were available for it, saw two interesting functions: you know, the go-to-war function where you submit it, the leave-war function where you're unstaking it. And what I noticed was that with the leave-war function there's actually a value you're passing in when you're calling that function, which is the random data, the random numbers. So that's interesting, of course, you know: how can we control what the random numbers are and therefore control the outcome of the war?

So, you know, I went and I looked in the code, and what I found was, you know, I can't. They had done a smart thing here. What they've got is, wherever that data was coming from, it's being signed by a wallet that they control, and this contract is validating that that signature is valid, which means if I send in any data I want, it's not going to be signed, right? It's going to say, well, that's too bad. So I can't control the outcome. That's unfortunate. But I kept looking, you know, I saw that this function called another function, `_leaveWar`, which then called another function, `diedAtWar`, which is the function that actually determines if an ape lives or if an ape dies. All right, and basically all this is doing here, with all this gobbledygook, is it's taking in the random number and the ID of that NFT, it's hashing it, converting it into an integer, modding that integer by a hundred, and if whatever that resulting number is is less than the burn chance for that NFT, it dies. So what I know is I can't control if it lives or dies, but I can definitely determine it if I know what's going in there.

So the next thing I did was jump over to the client-side code, because, you know, if you're going to call a smart contract that's where it's going to live, it's going to be in the client-side code, because it's submitting the transaction somewhere. So I dug through, I found the section of the code that's actually making that call, including the API where the random data is coming from that gets passed in, which is nice. And, you know, using the aforementioned curl, because I don't know anything about modern tools, I determined I was in fact able to retrieve the random numbers for any ape that had been sent to war. Now, unfortunately, if an ape had not been sent to war, there was no data in there, which is a real shame, because it would have been some real nice alpha to be able to determine before I sent it if it was going to live or die, right? But that was not possible, unfortunately. So, next best thing. Next best thing: like, these token numbers, those are all the ID numbers; random numbers, all random numbers. So, you know, I can't control the outcome, I can't know in advance whether they're going to live or die, but this is still valuable, because at the very minimum, if I do send an ape to war, I will know if it's going to die if I call the leave-war function. So if I know it's going to die I can just let it sit there and derive some value from the ape tickets, you know. It's better than nothing. It's a consolation prize for burning a couple hundred bucks, I guess.

But the alpha is actually interesting if we go further, because none of these apes are mine, but I know if they're going to live or die. And the value of NFTs is generally based on either utility or rarity; in this case it's rarity, which means if I know which of these apes are going to live or die, I know 48 hours in advance how the rarity of this collection is going to change, right? So I can now determine if some ultra-rare ape is about to die and the number of, you know, galaxy-skin apes is going to go from six to three, right, for example, which gives the opportunity to front-run the market on rare apes. Yeah, so that's an idea, and now that you've all heard this, if you have any other ideas about how to front-run based on this knowledge, absolutely let me know. But I'm on time, right?

[Audience question: is the random number tied to the token?]

It is. Oh man, so you can't just use a different random number. That's correct. But even though the wallet is in there, if you're paying attention, the wallet has no relation whatsoever, because... yeah. All right, so that's it. I didn't flip through all my things on here, but I explained it, so that's fine. And that's it. Okay. [Music]

Okay, so one more thing. At the beginning of this talk I mentioned secret phrases, right, mnemonics. If you paid attention, or didn't, there were 12 words in this slide. Oh yeah, and this QR code references a wallet address. I'll help you, but it will let you see what was in there. So if you happened to have caught any of that, there's no crypto waiting for you. But if you didn't, if you didn't, wait for YouTube. Yeah, all right. All right, thank you.

A little, a little over, but thank you for sharing all your secrets with us, Secret Sauce 3.0. Thank you. Awesome, awesome job.
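The service-button bug in the first use case, as an added example (not code from the talk, and not the mining project's own code): the talk describes a once-per-24-hours rule enforced only in the browser, with a back end that neither rate-limited the endpoint nor capped the accumulated discount. The block below models that client-trusting handler beside a hardened one where the cooldown and the cap live in the endpoint itself, keyed to the server's clock and stored state rather than anything the client sends. The handler classes, the user names and the 0.5% per-click step are assumptions; the 24-hour cooldown, the 3% cap and the 1621-call replay come from the talk.

```python
"""Server-side enforcement of a once-per-day game action with a capped payout.

Added example: not code from the talk or from the mining project it describes.
The handlers are hypothetical. The 24-hour cooldown and the 3% cap come from
the talk; the per-click step of 0.5% and the user names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional

COOLDOWN_SECONDS = 24 * 60 * 60   # the "once every 24 hours" rule from the talk
STEP_PCT = 0.5                    # assumed discount earned per accepted click
MAX_DISCOUNT_PCT = 3.0            # "up to three percent", from the talk


@dataclass
class Farm:
    """Per-user state the back end keeps; the client never supplies any of it."""
    discount_pct: float = 0.0
    service_count: int = 0
    last_serviced: Optional[float] = None   # server-side epoch seconds


class WeakFarmService:
    """The pattern the talk describes: the 24h rule lives only in the browser,
    and the endpoint neither rate-limits nor caps the accumulated discount."""

    def __init__(self) -> None:
        self.farms: Dict[str, Farm] = {}

    def service(self, user: str, now: float) -> Farm:
        farm = self.farms.setdefault(user, Farm())
        farm.service_count += 1
        farm.discount_pct += STEP_PCT      # unbounded: 1621 calls -> 810.5%
        farm.last_serviced = now
        return farm


class HardenedFarmService:
    """Enforce the business rule where it cannot be bypassed: in the endpoint.

    - the cooldown is checked against the server's own clock and stored state,
      never against a timestamp or counter the client sends;
    - the payout is clamped, so even a bug elsewhere cannot exceed the cap."""

    def __init__(self) -> None:
        self.farms: Dict[str, Farm] = {}

    def service(self, user: str, now: float) -> Farm:
        farm = self.farms.setdefault(user, Farm())
        if farm.last_serviced is not None and now - farm.last_serviced < COOLDOWN_SECONDS:
            raise PermissionError("service already claimed in the last 24 hours")
        farm.service_count += 1
        farm.discount_pct = min(MAX_DISCOUNT_PCT, farm.discount_pct + STEP_PCT)
        farm.last_serviced = now
        return farm


def replay_clicks(service, user: str, clicks: int, now: float) -> Farm:
    """Hit the endpoint directly in a tight loop with the clock frozen, the way
    the talk's 'dirty loop' did; rejected calls simply leave the farm unchanged."""
    for _ in range(clicks):
        try:
            service.service(user, now)
        except PermissionError:
            pass
    return service.farms[user]


def honest_daily_use(service, user: str, days: int) -> Farm:
    """One click per day, the way the game was meant to be played."""
    for day in range(days):
        service.service(user, now=day * COOLDOWN_SECONDS)
    return service.farms[user]


if __name__ == "__main__":
    weak = replay_clicks(WeakFarmService(), "alice", 1621, now=0.0)
    hard = replay_clicks(HardenedFarmService(), "alice", 1621, now=0.0)
    print(f"weak endpoint after 1621 replays:     {weak.discount_pct}% discount")
    print(f"hardened endpoint after 1621 replays: {hard.discount_pct}% discount")
    honest = honest_daily_use(HardenedFarmService(), "bob", 10)
    print(f"hardened endpoint, 10 honest days:    {honest.discount_pct}% discount")
```

The two checks in `HardenedFarmService.service` are the ones the talk says were missing: the first closes the "call it whenever you want" gap, the second bounds the damage even if the first is ever bypassed, which is what keeps a stray loop from turning into an 816% discount against the reward payout.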