Maker Of First Ethereum Wallet Taylor Monahan Explains $10M Hack And How To Stay Safe In Crypto | CoinMarketBag



For months a mysterious hack has taken over crypto wallets, draining $10 million worth of ETH from OGs in the space. We begin our conversation with Taylor breaking down the hack from the beginning and also updating us on the latest in this saga. Then we go over her own long history in the space. She gives risk management advice for crypto users and developers, and ponders some deep questions on whether code is law and whether DeFi should really be immutable.

It's actually been going on for a little bit, and one of the, I guess, interesting or unique things about me is that I've been around forever and I've been building wallets forever. And so for some reason, whenever there were these large hacks over the last few months that involved keys that were rather old, like 2016, 2015 era, a lot of times they would get to me somehow, whether that was via the MetaMask support team or other investigators in the space who were trying to get to the bottom of how this seed got compromised or whatever it was. And so I started to notice earlier this year that there did seem to be a number of these. They were sizable hacks, and they were of people that were intelligent, they were integrated into the ecosystem, they worked in the ecosystem, et cetera. I just thought it was kind of peculiar.

So then fast forward to April 15th. It was a Saturday, and one of my very first hires, one of the guys that I hired back in my MyEtherWallet days in fact, calls me, which is rather unusual on a Saturday, and he goes, "Hey Taylor, my wallet's being drained right now." And I was like, "Oh no, oh my gosh, your main one?" I have a four-year-old and she's dancing around because it's sunny and it's Saturday, there's paint and Orbeez flying everywhere, and I immediately pull up my computer and try to look at his address and see what's going on.

The thing about this attacker is that the way that they steal the funds is very unusual. They actually swap all the tokens or the NFTs within the victim's wallet before sending the ETH out directly to, essentially, a centralized exchange, but it's a non-custodial exchange, so it's an OG ShapeShift type situation: you send your money in and then it sends Bitcoin out or whatever. And I was looking at this pattern and I was just like, wow, that's so weird, I've only seen a couple other attackers who've done this. And again, this guy, I hired him in 2017, he's hung out with me for a very long time. He is what I call reasonably secure, meaning that he uses crypto, he's on his devices, but at the end of the day he's not clicking phishing links, and if he did click a phishing link he would realize that that was the source of compromise.

And so from that incident, from trying to help one of my close friends and colleagues get to the bottom of his case, we started looking on chain, and that's when this whole trail got uncovered. At this point I think we have confirmed like 300 victims. These are the high-confidence ones; there's a larger, broader circle of probable victims. But really the hardest thing about trying to get to the bottom of this, numbers-wise, is that a lot of the people that were compromised had their seed phrases, their secret recovery phrases, compromised. And so there's some people that we've talked to where they had like 20 or 30 addresses all drained. So when you look on chain, you then have to sync that with the in-real-life intelligence that you're gaining from talking to these people, because there might be a thousand addresses on chain, but if everyone has 30 addresses that were drained, we're dealing with a smaller victim pool.

I mean, besides kind of the step by step of how it's done, swapping all the tokens for ETH and then sending it to an exchange, do we know how the hacker is gaining access to these people's seed phrases? You're saying that many of these people are pretty experienced, so I imagine it's not some people who are just giving away their seed phrase. Do you know how that's actually happening?

No, so that's what we're still trying to get to the bottom of. We're collecting stories, and I think we have about 50 different stories, and in a somewhat organized fashion have gone through the wallets they use, the devices that they use. And the most interesting thing about this, and I hesitate to say this because it's very speculative, is that there are a large number of people in this group that seem to have stored their secret recovery phrases, or multiple keys and secret recovery phrases, all in LastPass. Obviously there was the LastPass breach that started last August, and then information has trickled out about it through December, and so a lot of these people have attributed the root cause of the compromise to the LastPass hack.

Sorry, what's LastPass?

LastPass is a password manager. It's supposed to be very, very, very secure. It's been around for a while. The issue is that a hacker got into the LastPass servers, and even though LastPass does not have your master password, the thing that encrypts and protects your LastPass vaults, even though they don't have that password, the hackers still got the vaults. So essentially, theoretically, these hackers now have everyone's vaults, and if they can brute force or guess your master password, then they can get all of your passwords and any other information that's inside that LastPass vault. And so there are a decent number of people who think that the hackers who hacked LastPass have gone in and hacked their individual keys from the LastPass breach. I'm less confident about that, simply because a lot of the LastPass vaults had very, very strong passwords, and it would surprise me to learn that a 24-character super random password was brute forced. If I had a guess right now, I think that what's happening is that there's some data leak, or there's some old malware or something has happened, where an attacker is going back through some pile of data and extracting the seeds and the keys that they can from it. But we will see how it turns out. It's so hard to figure out.

So crazy. And what's the most recent amount that you have of what's been drained?

So I think the ETH number is about the same. What we have learned now is that there's a sizable amount of people who have had coins on other chains. So there is now Bitcoin, there's Litecoin, there's Doge, there's Tezos, Polkadot. I mean, it's basically every chain, and it's crazy. I'll post some numbers today and then I'll link it for you and your listeners so that we can have some better numbers that are more up to date. But it's really hard to wrap my head around, the sprawling nature of it.

What kind of information are you able to gain from your research about the hacker? Do you think this is one individual person, a group, a country? Is there anything we can discern from what's happening?

Yeah, so I think that it's probably some sort of group. The reason for that is, some of the investigations that have been done have obtained the server logs from various services that the hackers were using, and from the information that gets returned, sometimes you can get some IP addresses, sometimes you can get the user agent for the browser that the attacker is using, and that kind of stuff. And so I think it's probably a group just because you see distinct little fingerprints. Depending on the day it'll change, but it'll be the same IP but different user agents, and then a different user agent and IP, going back and forth. At least one of the guys in the group, I guess, is using a Mac, which is fabulously interesting; you don't usually see that. The other reason I think it's a group is just the speed and efficiency with which they do it, and then the time cycles that you see indicate that it's some sort of organized effort. What I mean by that is, if you look at a single guy who hacks a protocol or something, his timeline will be all over the map. They don't sleep a regular schedule, they'll take days off in between, they might go on vacation, those sorts of things, and you can kind of see it when you map it out over time. These wallet drains seem to be operating on a more regular schedule. They'll go for a while, draining wallets and moving the funds from point A to point B, for nine hours, ten hours, that sort of stuff, and it's so regular that at this point I would be surprised if it was just one very dedicated dude.

Wow. So this looks like a very organized operation of hackers doing this.

Yeah, and that's what generally, not just with crypto hacks but generally with the malware groups, the phishing groups, the ransomware groups, we're seeing lately: they are far more organized, and it's groups of people. And then increasingly we're seeing this separation between the creators of the software that hacks the things or phishes the people, where there'll be a team that's developing the software or the malware or the ransomware or whatever it is, but the ones that are actually going out and getting it into the wild and pushing it to victims, those are what they call affiliates. It's like a real business.

Oh God, that's horrible. Hackers getting specialized.

Yes.

How likely do you think it is that they get away with it?

I think it'll come down to, we have to figure out the root source of it, and then once we collect that information we'll go back to some of the law enforcement agents that are working it already on some of the bigger cases and try to put all the information together. Obviously if they're located in the US or most of the West, there's a pretty good chance that they'll be caught pretty quickly. If they are in Russia, Ukraine, if it's a group operating out of those, then it's a whole different situation.

Before we go further into hack territory, I'd love to hear your backstory. You've mentioned how long you've been in this space, that you were in MyCrypto before and now in MetaMask, and you're just such an OG, so I would love to get your backstory on the podcast.

Yeah, absolutely. So, hey guys, I got into the space right before Mt. Gox collapsed, which was basically a hundred centuries ago. I got some Bitcoin. It was not on Mt. Gox, so I did not lose the Bitcoin, but I wasn't super deep in the ecosystem at that point. I was just sort of part of it and watching, and I found it very interesting. Then fast forward, I got into Ethereum during the presale using some of the Bitcoin that I had acquired previously, and then Ethereum launched, and it turns out that there was no way to send your ether from one place to another when Ethereum launched, unless you wanted to use the command line. So that is sort of my origin story: I personally was not going to send all my ether via the command line, and so my original co-founder, Kosala, and I saw that and we created a very simple interface that just allowed Taylor to do the things with the buttons. We shared it with some friends, we put it on Reddit, and from there it was very, very organic. People would ask for features, we were part of the ecosystem, we had things that we wanted to do. I got involved in the DAO, that was super exciting, the people were all super, super nice. Then the DAO got hacked, and so we had to figure out how to fix that mess. And I've just gone from one major event and one problem that needed my unique expertise to the next.

I've been building wallets this whole time, but the thing that I actually focus on is trying to make this space more accessible, trying to help people both be in control of their money and their assets, and today it's their identity at this point, it's getting crazy. But also, what does that mean? We want to empower people, but in order to empower people it's not just throw the keys at them and say good luck. We have to actually understand where people are failing and where they're struggling, understand the assumptions that they're having, and then build products that are actually going to enable them and empower them to safely and successfully hold their stuff and then also interact with the world. We don't want to just lock away the key and never use it. The whole point of this stuff is so that we can interact with people and improve coordination between groups. It's probably one of the hardest things, certainly the hardest thing I've ever done. I think it's probably one of the hardest problems, just generally speaking, in this world right now.

Yeah, I mean, for crypto. Yeah, just improving accessibility and making the space safer for regular users and for everyone. So in this time, and it's funny, or I don't know if fitting is the word, but you were involved in the original Ethereum hack and have been tracking all of these exploits since Ethereum started, the original hack being the DAO hack. In that time, how have things changed? Are attacks getting more sophisticated? Is code getting better? Have you seen the space get safer? Because from the data it doesn't seem that way, right? More and more money is getting hacked. But I'm not sure if that's just because there's more interest in the space and there's a bigger honeypot attracting more hackers, or if it's because it's just a very hard problem to solve and it's hard to make it safer. Whatever you've seen.

I think there's a couple unique things about this space that make it seem like the hacking is a bigger problem than it actually is. This is not to say that it's not a problem; it definitely is a problem. But I think that specifically when people try to compare crypto hacks to traditional finance, or non-crypto even, people are very quick to assume that there's more hacks and there's more loss within the crypto space than elsewhere. I think the reason for that is that, one, crypto is actually transparent, so we actually know exactly how much is being hacked and we can go track it and get those numbers. And then the other thing is that it's very much talked about. I think that even in the cases where you have large-scale scams around Zelle, Quick Pay and Cash App and all these things, it's really not talked about at all. And in the crypto ecosystem we collaborate a lot on trying to solve the hacks, but we also analyze them. There's databases of them, we count them, we make graphs of them. I do think that, looking at crypto's history from say the DAO to today, the numbers are definitely bigger, but so is all of crypto. I don't think that, relatively speaking, if you were to adjust the data to account for the growth that the ecosystem has seen, in both user numbers but also value-wise, I think that there's probably less loss, relatively speaking.

The other thing that's changed is that we're just starting to see the beginnings of people saying, no, you can't hack me. Like, yes, you just hacked me, but no, you can't. And it's interesting because I think we did this with the DAO. We responded to that with the hard fork, which was very controversial, but what that was was a messy, ad hoc way to give the people that had lost money a path to recovery. From the hard fork on, there was a very long period of time where people really did not want to talk about the fact that if your money got hacked, if something got hacked, that was it, that was the end, there was nothing you could do. Nobody tried to stop the hackers, nobody tried to dox the hackers, nobody tried to force the centralized entities to stop the hackers. Most of the money that was being stolen, by anything from little script kiddies on the street to North Korean hackers, would just run around the blockchain and then go into the centralized exchanges through these money laundering networks and then out into the real world. Today, in the last couple years, we're actually starting to see a shift. We're actually starting to see a lot more of the stolen assets being frozen. The Euler hack lately is a good example of a team that said, no, we are going to sit down and do everything that we possibly can to get this money back, whatever that takes, and they were successful at it. I think that's probably one of the things that excites me the most about this. We're getting better at stopping the stolen funds, we're getting better at these creative ways, like the MEV bots that front run the hackers and then return the money. It'll be interesting to see, because ultimately we do need to have some sort of risk or pressure on the hackers and the attackers, otherwise they're just going to keep running rampant, and that's, in my opinion, not acceptable.

No, that's a really big and interesting development and change over the years. I think you're right, we have seen that shift in teams and projects realizing that they can fight back, and it's good to see that third parties are helping with that, so centralized exchanges freezing funds. And I think now regulatory agencies are more knowledgeable about crypto, and I think they can step in faster when things happen. And I think maybe the industry is more established, so people feel comfortable going to law enforcement when there is a hack. I think maybe before, victims felt like, oh, we're in this fringe thing, crypto, we can't go to the authorities, because it is what it is, you know, not your keys, not your crypto, or whatever, code is law and whatever, there's nothing we can do about it. But now there's this feeling of, okay, now we can actually fight back.

I think that mentality change, both internal to the ecosystem, realizing like, wait, there are things that people have done, that is so huge and so exciting, because the thing that people don't often realize is that the blockchain is all public. You can see every transaction. It's actually a terrible way to launder money. A lot of the regulations that are in place in traditional finance are actually trying to solve the problem of the opacity of the system. So if you have an attacker in the traditional world who wants to launder money, they just bank up wherever they want, because you can't see it. You have to get the privileged information from the financial institutions in order to follow the money. Whereas on the blockchain, literally I can follow the money; you can literally watch it. And that's pretty cool, it's pretty empowering. There's obviously still centralized institutions that sort of bridge the gap, but I think that they are getting better at being able to realize, no, these funds are stolen. It doesn't matter if the attacker is using a compromised exchange account, or what the KYC information on the exchange account is; the funds are still stolen, right? We can see the money is stolen. And so when they freeze that and prevent it from going on until a more thorough investigation can be carried out, I think that's a huge, huge, huge change that's only going to get better with more experience and as people are successful at this kind of stuff.

I just wanted to drop a bit of context. Chainalysis does these annual reports on money that's stolen in crypto, and they said that 2022 was the biggest year ever for crypto hacking: $4 billion was stolen, and that's up from $3.3 billion in 2021. So just putting in context how much money is actually being stolen. Obviously really positive developments with crypto fighting back, but still a lot to do. And I wanted to go to this topic that I mentioned, code is law, which I think used to be an argument that was made more so in the past, but I still see it. This argument that developers put this code out there, it's supposed to be immutable and permissionless, hackers are just figuring out a way to use that code in a way that benefits them, so it is what it is. They're able to figure it out, and it's kind of your fault because you didn't know better or your code wasn't good enough. What do you think about that?

Oh, I hate it. I think it's absurd. I've always hated it. I think that it stems from the combination of the very libertarian, crypto-anarchist roots of this ecosystem combined with just the sheer number of engineer brains. And I love engineers and I love the way that they can solve problems and I love how their brains work, but that's not how the world works. Code is not law. Law is law, and law is, or should be, defined by people in society, and if something is wrong, like theft is bad, right? If I steal your stuff, it's bad. If it's allowed to carry on, meaning that if I steal your stuff and then I can just walk around and there's no harm that comes to me, there's no punishment, I stole your stuff and that's the way the world works, what ends up happening is that I am now incentivized and other people are now incentivized to steal. And you have created this organization, you've added value to this world, you've received money in return for adding value to this world, right? But since I stole that from you, you have been disincentivized from doing that, and the other people in society look at you and are like, okay, so I could go and I could work really hard and try to have a positive impact on the world around me and get paid for that, but actually it turns out that I might just have all my stuff stolen, so maybe I'll just be a thief too. This is just bad. It's bad for people, it's bad for society, and if there's no harm that comes to thieves, socially, legally, financially, anything, if there's no risk, society tends to degrade pretty quickly. I'm not a fan of the bring-in-the-big-bad-law-enforcement path, but I also think that there's a huge area in between letting hackers and thieves just run around willy-nilly and do whatever they want, and some authoritarian state. There's a lot of room in the middle there where we can get creative and find a good balance that allows people to be empowered and have control of their stuff while also not allowing thieves to run our world.

Yeah, I think that argument doesn't consider the fact that there's an intention when developers write that code. So okay, maybe they made a mistake and it could be exploited, but when you create a lending protocol it's meant to do things a certain way. If a hacker figures out how to do things differently, then it's very clear that that wasn't the intention, even though the code is there. So there is at least that kind of argument you can make: I guess the thief, yeah, you used the code how you could use it, but not how it should be used. Along this reasoning, there's also this tricky question in DeFi, and this goes also back to the DAO: if developers have the power to go into god mode and turn things off, or single-handedly update a protocol to recover funds, should they do it? Again, this also goes in line with, this is supposed to be permissionless, autonomous and so on. DeFi is not supposed to work that way, right? We're not supposed to have a group of people making unilateral decisions; it's all supposed to be smart contract based. But in the case of there being a theft and users being affected, do you think it's something that they should do?

It's a really tricky area, because a lot of what is communicated about certain DeFi protocols, a lot of what people think of their own DeFi protocols if they're on a team or even the creator of one, is not necessarily in line with how things are today. So while they're optimistically hopeful that in the future it will be this completely permissionless thing, or run by governance or whatever it is, the reality is a lot of times today there's a single admin key that can do whatever, can upgrade the contracts, with one person. A more ideal situation is a multisig, but a lot of times it's one person. So in my opinion, if you give yourself god mode, if you've created this thing and you give yourself god mode, and something happens where you are in a position to recover funds for the rightful owner, I think you probably should. And if you don't want to be in that position, then I think you should probably think more carefully about giving yourself god mode in the first place. Giving yourself that power without taking responsibility for that power, you can't have your cake and eat it too. You have to take responsibility for your creations. I would never tell a protocol you should give yourself the power. It's more so the fact that if you have, and you end up with a bunch of hacker funds, I'm probably going to be the first one to come up to you and tell you that, hey, you can upgrade this contract and make users whole and give them their funds that are rightfully theirs, that they worked hard for, and you should probably do that.

So with all the hacks happening, and maybe the problems of accessibility, which you and so many other brilliant people are working towards but we're not there yet, would you advocate for crypto to go mainstream now? Do you think the space is ready for billions of people to come and trust the technology with all of their funds?

No. We have so much work to do. I think that for people that got into the space with some understanding of the risks and are having fun with it, let's go, the more the merrier. At the same time, I think just blindly telling people this is the future, this magical internet money, come, and not informing them of the risks and the reality that there are a lot of scammers, there's a lot of issues, there's a lot of hackers, there's a lot of, just holding crypto, you're going to be targeted more than not holding crypto right now, and it's just very unfamiliar, there's a learning curve. So I don't think that we should just be running for massive adoption, but I do think that we are generally on the right path where things are getting better. There are a lot of new technologies in the works that will help make things safer, and ultimately it's going to be this combination of all the different product choices, all the different technologies, all the different brands working together that ultimately get us to a point where you can have different solutions for different types of people. You can on-ramp slowly and surely, you can find things that work for you depending on your needs. Someone like Snowden is in a different boat than someone who just wants to hold a fun NFT because they went to an event or something, right? They don't need the same thing. I don't necessarily need to train the random NFT holder about perfect security and perfect privacy, but you do want to have the ability for someone who needs that perfect security and privacy to have it.

Crazy to hear someone in crypto say no, we're not ready for mainstream.

I spend a lot of time with users, and I will say I do consume more information around the losses, I talk to more people who have had a bad experience with crypto than most, so I might be slightly biased. But it's just the sheer number of ways that you can lose your crypto, right? There's accidents that happen, you can make a mistake, you can be tricked into it. Most of the phishing these days is not stealing your seed phrase; it's tricking you into taking an action you think that you want to do but you don't want to do. And then it goes all the way towards the malware, the hacks, the very sophisticated protocol hacks. There's just so much. And hackers and scammers are incentivized to be very, very creative, and we need to be more creative than them on the solutions to protect people.

So that's a perfect segue. I wanted to ask you what advice you give crypto users to prevent being hacked.

Yeah, so I used to have a list of very tangible steps you could take security-wise, and some of it still applies. I definitely recommend if you're in the space to get a hardware wallet and use your hardware wallet. Ledger is a great choice, Trezor is a great choice, I'm a big fan of the GridPlus Lattice, it has a big screen, I like it, I feel fancy. The other thing I think that is increasingly helpful, though, especially as the scams and the hacks and stuff get more diverse, is just don't keep all of your crypto in a single bucket. So if you have your secret recovery phrase or your MetaMask or whatever, that's fine, use that for all of your day-to-day stuff that you want, but don't keep all your funds on it, please. And at this point I would say that if you've been in the space for a while, and let's say you have a seed phrase from 2017 that you haven't really touched that much but you probably have put on a computer at some point, maybe just migrate the funds from that one seed to a new seed, maybe split it in half, maybe split it in thirds. Everyone's situation is obviously different, but the one thing that, in talking specifically to the people who have been in the space who got hacked, most of them are generally fine, even if they had 20 accounts hacked, because they had a nest egg that wasn't hacked, because it was carved into titanium and hidden under the bed or whatever, right? Very paranoid stuff. But you don't have to go that far to have the same benefits. You can just separate out and put these eggs in this basket and these eggs in this basket, and then if something bad happens you don't want the person to be able to grab both, so keep them separate. Hardware wallets; paper is good, it's hard to hack paper.

And then the other advice I have, I think that we're going to have to figure out a product to help with this, but an easy way to literally migrate all your funds or split your funds or something is necessary at this point. I'm surprised that there's not a better tool out there, but once you've been in the space and you have your positions and you have your tokens and you have things on four different L2s, just the idea of migrating to a fresh seed is very overwhelming. And that's why some of these people whose seeds from 2017 are getting compromised, a lot of them are saying, yeah, I knew I should have migrated, I knew that that seed had been on four different computers and two phones over the years, but nothing bad had happened yet and I'm pretty secure, and so I didn't take the time to do that tedious and annoying task. And I definitely understand it. I had to migrate some of my funds after helping my friend. I had to go migrate a whole bunch myself, because I got scared, and that was the inspiration to not be lazy anymore.

Yeah, I mean, it's a pain, but it's a bigger thing to get your funds stolen, so better to follow today's advice. Here for devs, when they're building their protocols, any advice on how to make it safer, or easier to use at least?

So I think definitely learn from the past hacks. At this point there are so many helpful write-ups and post-mortems and databases of all the past hacks, so if you're building a lending protocol, if you're building a whatever it is, please take some time to understand. At this point it's been three years of DeFi
like stuff right like since D5 summer learn from the experiences of others so that you don’t make the same mistakes um there have been a lot of mistakes you can learn so much um and then I think You should uh think carefully about um like when we talk about system design a lot of the times like these default D5 protocols they they sort of limit it to their own protocol and their users and the things internal the system and then maybe they think about uh the oracles or Whatever that are coming in but what’s really I think probably one of the most interesting developments in the last year and a half or so is uh if you actually look at the system as a whole and you include ethereum and you include like the existence of like Arbitrage Bots and Mev Bots there are probably some really creative things that a lot of these protocols could do where if they are uh hacked there is like a better chance that a um like Mev bot front runs the hacker right and there’s a lot of like interesting things with incentives and The design of things where um again like I’m I’m not one of those big engineer brains but like I’m certain that there’s a way to use incentives to to make it so that like um you know something bad happens you know there’s a better chance that uh you Know the hacker gets front run or uh maybe there’s you know some Breeze that happens so that like only a portion of the funds are stolen those sorts of things I really wish that we saw more creativity around that what about having like a white hack fund or like reward Pool or something you know so that at least it’s it’s profitable for people who are snooping around to you know to to help the team rather than steal from it I think it’s uh if you’re gonna be all in the space and like having like hold it you’re gonna have access to any Amount of other people’s money it’s it’s um I would say it’s mandatory that you have like a public um sort of like a security philosophy or uh you know a thing that outlines like here’s how 
you report bugs or vulnerabilities or things um here is like how you do so Anonymously uh and like here’s um like here’s what happens like if you white hat this here’s the Bounty that you’re allowed to keep and here’s the process that you need to um you know you need to undergo in order to be a legitimate white hat not like a Half white half gray maybe black it’s like I always have black hat but then I got dogs so I turned into a white hat exactly so if teens like are out there and they’re you know you should definitely incentivize people to report the bug to you before they hack it but You should realize that you know given the I’ll just say given the nature of the space and the characters in it um that may not be enough and so like if you do have someone that actually hacks you um you should consider you know incentivizing them to return the funds You know because some of them are uh they they lack impulse control so they’re not attracted by the disclose responsibly Bounty but like the second thing hack it and get the money they are suddenly like they’ll usually usually that’s a pretty good incentive that that in persons that I was is a Good one on TV you see like you don’t negotiate with terrorists like that’s I don’t know it’s like what do you usually hear it looks like negotiating with hackers has yielded good results I got a lot of people have been able to get money back that way I mean do you think It’s it’s a good practice to do that I think that over time as you know the system and security procedures and like information and and risk controls and stuff like as as the ecosystem in general matures more I think that we’ll probably at some point get to a state Where like no you should not negotiate like it’s it’s more harm than good um at this point though it’s just so fresh um a lot of the teams not all of them but a lot of the teams that got hacked are uh like you know it’s it’s it’s very hard to Tell what’s a blackout what’s a gray hat with a white hat 
what’s a rug what’s not a rug there’s a lot of a lot of gray areas and so for now I think that um you know I think that that yeah the negotiations and the bounties and that Kind of stuff I think it’s probably like uh a net win over the alternative but yeah long term ultimately a better way of going about things were would be to have like you know just room more robust like systems and structures where it’s uh you know you’re a legit project because You’ve done all of these things and you’ve worked hard to secure your phone base you’re not a white hat if you hack something that’s how it shouldn’t be ideally but until we get there and you know it takes time I think that you know we’re rebuilding Huge Slots of the world and like just weird because you know ponzi-esque way it’s just um you know we’ll get there but in the meantime we’re uh yeah there’s some things that you know you can’t just you can’t just like pick from you know something that’s been built up over time In the traditional world and like put it on on the stuff here given this the situation as we get there obviously wallets are a huge part on you know how we build up better Financial system and infrastructure for this with three new internet and so on Um and yeah like you said before you’ve been building wallets almost since this beginning of crypto or at least of ethereum so um yeah really curious to to hear what’s what’s the latest there like what uh what’s exciting to you right now in in wallets yeah so I think that I don’t Know if you’ve already had someone on to talk about like account attraction and all of the technical details around that but I think that’s probably like uh what’s most top of mind for for people in Watts at this point um if you haven’t had someone I’ll I’ll Find someone for you who can like really dive into it awesome yeah no I haven’t yet oh yeah it’s it’s there’s better people to talk about it than me so I’ll let them do it but it’s really really interesting how they’ve 
approached it and um I’ll talk just broadly though Like kind of big swallows about like what uh what the whole point of account attraction is um so essentially um right now you have your wallet and that has usually your secret recovery phrase in it or another form of your private key and um that private key basically controls Everything it controls it has full control over everything in in it that’s your nfts that’s your your soul-bound nfts it’s your tokens it’s uh across all the different blockchains like it’s crazy um and then uh if you’re if you’re your secret recovery phrase is stolen then it’s game over like then the Attacker and you both have full control over uh anything in that wallet and anything that will ever be in the wall anything that was in the wallet like you know and there’s nothing you can do about it um well we just talked about a lot of ways that you can like do things Like post post it but like at the core of like the wall it’s job and the private key there’s nothing you can actually do about the private key like it’s still compromised um so the point of account objection or uh the thing that excites me most about wallets right now is ideally Um there shouldn’t be like one piece of information that has so much control there should be like a secret and there should be levels of uh like authorization there should be different like you know controls and restrictions um like for most of my wallets I I think That like I would be very happy to say like I you know some time needs to pass or I need to have another signer um or hey like if it’s if it’s these crappy tokens that are for fun yeah like I can do anything with those on any site But like my eight like that is my pride and joy that no no like that needs more need something else I need to sign a message on my computer and my phone or I need to get my friend to approve it or something right and so there’s all these different ways of Basically like granting authority over distinct pieces of your 
uh the things that you hold in your identity um and then the other key piece of that is like revoking that Authority so in the case where something is compromised or I do something bad Um I want to be able to say like no no more like I revoke that permission you cannot do that anymore and I think that that uh is pretty complex there’s technical challenges there’s protocol level changes there’s wallet changes there’s product things like it’s it’s huge but ultimately that will Um single-handedly like all of those improvements over time at all the different layers will make the space and people’s control just infinitely better than when it is now super interesting I am I was actually at East Denver I was moderating a panel with um one of the guys from the theorem Foundation when they made the announcement that the EAP for account abstraction had been approved and um so uh yeah kind of heard about it then and I think there’s like so many different layers of um how user experience can be improved with this um so yeah definitely worth an entire Show on on its own but it’s it’s yeah it sounds like this major Milestone that that just happened to make things easier and safer for for users at the wallet level or at the account level um and then to wrap up uh interested to hear your perspective on this Um because we’re talking about all these you know Behavior changes that people need to have in order to use crypto like learning uh seed phrases and you know dealing with accounts and wallet and all these you know different like foreign things um do you think that when crypto does become mainstream Do you think that it’ll be by getting this a new generation of users to learn these new behaviors like just uh learn okay like now I need to be responsible for my assets like I’m not trusting a third party with this like these are all the different things that I need to do Just like you know interact with the internet in a different way to adjust for crypto or is it the other way 
around that does crypto need to adapt to the way that users already do things so I think it’s both I’m definitely I think there’s a lot of People who would say that like crypto needs to adapt and like it should be as easy as PayPal or as easy as venmo or whatever it is and I’m I’m actually not in that camp and haven’t been for a while simply because um if we it’s not very interesting to rebuild PayPal or venmo um and you know the the way that they’ve sort of that user experience and the control the user has it’s you know it’s evolved over time but at the end of the day like I’m I’m not here to to build something where someone else has full Control and can like press the stop button and can like do these things um I I think that it’s like fundamentally important that people at the end of the day people have control over their their wallet and like no one else can um yeah no one else can like just Universally unilaterally control it um that said I I apply that not to like just a centralized financial institution that we’re familiar with I also apply it to like a skimmer or a hacker right like nobody should be able to guide neurolateral access or control over your identity and your digital assets and so I do think that we need to understand how that’s happening we need to really deeply understand people’s experience um and yeah there’s going to be some cases where um people are going to evolve to understand you know how these things work um and why you know there’s new words And there’s new Concepts and that kind of stuff but in other cases you know we can’t we can’t just put it all on these or we can’t just say like okay like you know uh you figure it out no like there’s there’s a lot that technology can do to Help users without you know taking that control away from them um there’s a lot that we can do to um like detect that say a bad thing is probably going to be happening uh there’s a lot of things we can do to say like yeah the user probably doesn’t want To do 
this like these are probably uh doesn’t want to send all of their Apes out at once like it’s a very rare thing and so in that circumstance you know the wallet should probably tell these are like hey are you sure like are you are you really sure Um and then yeah if these are like you know confirms it and is like yeah I’m really sure like I clicked it on both my computer and my phone I’m not a hacker and I actually want to do this then yeah ultimately the users in in full control Um and that’s when I like when I talk about like the big gray area in between the two things that’s that’s what I talk about is like you know there’s a lot of ways that you can you can find Creative Solutions to you know the most common problems without uh taking the control Away from the user or like putting it in the hands of the centralized energy there’s a lot of ways that you can uh help the user make better and more informed choices about the actions that they’re taking without uh you know both without like imposing upon them but also Without like giving them a random string of characters and being like good luck and then being like oh you didn’t realize that that was gonna send all of your nfgs away sorry you should have learned all right you know what I mean it’s like it’s absurd it’s absurd so Yeah we have to get better there’s a lot of work that we can do I think like at this point in time there’s probably more things that wallets and products in the space should be doing to help the user understand the actions that they’re taking or potentially taking uh and help protect them Um but ultimately yeah there’s it’s going to be different and people are going to have to learn yeah I think that’s right it’s like there will definitely need to be a behavior change and a paradigm shift for using crypto but crypto needs to help make that transition better and yeah right now It’s you know we’re getting there but not not there yet um Taylor it was so great having you on the podcast I I love 
chatting with you so yeah thanks for taking the time um also it’s uh you know I think kind of it’s very neat about you do I mean Besides kind of being this blockchain sleuth just like saying things like they are and just like calling out BS um yeah I just like always appreciate that about you so thanks for everything and uh thanks again for coming on the show yeah thank you so much and uh I Love everything that you’ve been doing and keep it up foreign Taylor Monahan is the founder of MyCrypto, an Ethereum wallet, and today she’s helping build MetaMask.As part of her job, as become a full-time blockchain detective.She’s also a character in my book, The Infinite Machine! She’s the first one who alerted us to the fact that in the past several months, a mysterious hack has taken over crypto wallets, draining $10 million worth of ether from OGs in the space.We begin our conversation with Taylor breaking down the hack from the beginning and also the latest in this saga.

Then we go over her own long history in the space, she gives risk management advice for crypto users and developers, and ponders some deep questions on whether code is law and whether DeFi should really be immutable.

00:00 Intro
00:51 Cryptocurrency Wallet Hackers: An Organized and Sophisticated Operation
12:58 Taylor's Background
26:19 The "Code is Law" Argument
35:01 Why Mainstream Adoption Is Not Yet Feasible
38:24 Advice for Crypto Users and Developers
48:53 Account Abstraction and Authorization Levels
53:49 Crypto and User Behavior: Adapting to Change and Empowering Users

The Defiant team: Camila Russo, Alp Gasimov, yyctrader, Owen Fernau, Devin Sawyer, Samuel Haig, Diego Cabral, Nick Duddy, Pab.
