Hello Defiers! This week’s interview is with the white hat hacker who goes by Samczsun and has quickly become a DeFi legend for uncovering bug after bug, even on projects that have been audited. He does this in his free time and discloses his findings to companies in exchange for “bounties” or rewards for the service —what’s known as a “white hat” hacker. But these bounties are only a fraction of the financial benefit he could get by exploiting these vulnerabilities, so pure profit isn’t his only incentive. Knowing that he helped prevent dapp users from losing their money is the other driver —no wonder he has been hailed as a hero.
He recently made headlines for finding vulnerabilities in decentralized insurance project Nexus Mutual, authentication service Authereum, and for helping bZx fix the bugs that got exploited in the biggest financial attacks to DeFi —which he had also warned about last year. He has also uncovered bugs in 0x, Curve Finance, Ethereum Name Service, Kyber Network and DDEX.
In this interview he talks about:
The double edged sword of open source as it makes it easy for hackers to exploit applications, but also allows researchers to find bugs
Why developers should have ways to respond in an emergency, including using the controversial “pause button”
Vulnerabilities he helped uncover that stand out to him the most
Why he focuses on Ethereum and whether DeFi is especially vulnerable
His motivation for doing this
This time, the interview will be fully available for free and paid subscribers. To get full access to exclusive interviews every week, subscribe now.
Camila Russo: Approximately how many major security vulnerabilities have you been able to find in your career?
Sam Sun: A little over 10, depending on what you count as “major.” I’m keeping a list of public disclosures on my website at https://samczsun.com/research/
CR: Which ones stand out to you the most? (either because they were the toughest to spot, because you prevented loss of funds, or for any other reason)
SS: I would have to say:
– 0x, for being my first public disclosure and also the bug with the highest (if not one of the highest) financial impact
– A Geth consensus bug, which could’ve caused a hard fork if exploited
– The oracle attacks, given the past couple of weeks
– The ENS bug, for how long it managed to stay hidden before being found, and also how simple the contract itself was
Image source: Samczsun’s website https://samczsun.com/
CR: Why focus on Ethereum?
SS: The space is growing tremendously quickly and there’s not nearly enough security researchers to cover all the new area.
CR: For how long have you done this and has Ethereum always been your main focus?
SS: Definitely not. I’ve bounced around security trying a lot of other things and I also don’t expect Ethereum to be what I end with.
CR: What is your process like? Do you follow some sort of method, like checking each new protocols’ code, do you check contracts that specifically interest you, or is it based on requests, or something else?
SS: I mainly look around for projects that are being discussed or contracts which are seeing a lot of traffic. It’s all completely arbitrary though. Sometimes people reach out with requests too, which is good for getting a project on my radar but it doesn’t necessarily mean I’ll look into it.
Open Source Blessing and Curse
CR: It seems like there have been many DeFi vulnerabilities found lately. Is this space more prone to vulnerabilities than others, say blockchain games, for example? If so, why?
SS: Games have bugs too (see: Cheese Wizards), but they don’t get as much attention as the big DeFi apps. I think generally speaking, the number of bugs is strongly related to the complexity of the code and DeFi apps are usually very complex.
CR: Does open source help or hurt, in terms of project security?
SS: Open source is a double edged sword. On one hand, it makes it easier for security researchers to find bugs. On the other hand, it makes it easier for hackers to find bugs. At the end of the day though, a motivated hacker will put in the effort to disassemble your code if they need to. Why make it harder for the researchers to do their part?
CR: After what you’ve seen, what recommendations would you give those who are putting money in DeFi?
SS: I would refer users to this post from ConsenSys which goes into this very question: https://diligence.consensys.net/blog/2020/03/questions-defi-users-should-be-asking-defi-developers/
CR: What recommendations would you give DeFi developers?
SS: Make sure you’re thinking about security every step of the way. If your design is flawed or your code is unreadable, no amount of auditing will save you. Also think about how to response to a potential incident. As an example, Curve Finance was deployed with no emergency pause functionality which made the incident response very stressful. Now their contracts have a way for protocol administrators to disable swaps while allowing users to withdraw liquidity. If another bug is found, it’ll be much easier to resolve.
CR: Can financial attacks like the ones we’ve seen be prevented?
SS: I think it’s possible to claim that a project is protected against current attacks, but there’ll always be new attacks that have yet to be conceived.
CR: What are your thoughts on DeFi, more broadly? Is it an improvement over traditional finance? Do you think it will continue growing like it has?
SS: No opinions here.
White Hat Motivation
CR: Why do you do this / What’s your main motivation?
SS: There are a lot of users out there who’ve put a non-trivial percentage of their money (possibly their savings) into this. While you could blame them for not doing due diligence, the fact is that not everyone has the technical knowledge to audit every protocol they’re about to use. Given the choice between preventing a devastating loss for hundreds of “innocent” people or not, I think the decision is obvious.
CR: Are bug bounties enough incentive for independent white hat hackers? What would you tell projects should do to incentivize more of this research?
SS: For independent white hat hackers, sure, bounties are just a nice bonus for their white hat work. Frankly speaking though most bounties don’t offer nearly the same amount of compensation that a hacker could get from just exploiting whatever bug they find. Case in point, bZx’s bug bounty would’ve netted the attackers $5,000 instead of $300,000 and $600,000. Unfortunately, I don’t think there’s much that can be done here – most projects don’t have the financial backing to pay a big bounty, and the financial incentive is often the strongest one.
CR: There’s been an outpouring of gratitude from the Ethereum community for your work. Any comment on Gitcoin grants’ efforts?
SS: I was pleasantly surprised by the amount of support from the community. Gitcoin is doing great work making it easy to fund community projects and I look forward to round 5.
CR: Looking forward, do you see yourself as an independent security researcher in the long term, or have you ever considered joining a security firm, or even doing something else?
SS: I think I’ll always be doing bug bounties in my spare time. As for where I’ll be in the future, you’ll just have to stay tuned!
The Defiant is a daily newsletter focusing on decentralized finance, a new financial system that’s being built on top of open blockchains. The space is evolving at breakneck speed and revolutionizing tech and money. Sign up to learn more and keep up on the latest, most interesting developments. Subscribers get full access at $10/month or $100/year, while free signups get only part of the content.
Click here to pay with DAI.There’s a limited amount of OG Memberships at 70 Dai per annual subscription ($100/yr normal price).
About the author: I’m Camila Russo, a financial journalist writing a book on Ethereum with Harper Collins. (Pre-order The Infinite Machine here). I was previously at Bloomberg News in New York, Madrid and Buenos Aires covering markets. I’ve extensively covered crypto and finance, and now I’m diving into DeFi, the intersection of the two.