How much do you know about on-chain security: How do ordinary people build a firewall for encrypted assets?

Moderator: Alex , Research Partner at Mint Ventures

Guest: Zhou Yajin, CEO of blockchain security company BlockSec

Recording time: 2025.3.28

Disclaimer: The content discussed in this podcast does not represent the views of the guests’ institutions, and the projects mentioned do not constitute any investment advice.

BlockSec's service scope and target customers

Alex: In this episode, we are going to talk about a topic that is closely related to everyone, which is the security of the crypto world. Before we encounter real risks, we often think that we will not become victims of security incidents in the news. How to build a firewall for your assets and invest in a safe environment is a compulsory subject before we start our crypto journey. In this podcast, we invited Zhou Yajin from the blockchain security company BlockSec to talk to us about the topic of crypto security. Please say hello to us, Mr. Zhou.

Zhou Yajin: Hello everyone, my name is Zhou Yajin. I’m currently the CEO of BlockSec. I’m also a researcher in cyberspace security at Zhejiang University. I’m very happy to meet you all.

Alex: OK, let's get to the point today. I believe that many listeners may not know much about blockchain security companies and security services. Please introduce BlockSec to us, Mr. Zhou, what services you provide, and what kind of people and institutions will become your customers.

Zhou Yajin: OK, BlockSec is a Web3 security company. We were founded in 2021 by me and Professor Wu. When it comes to Web3 security, the first thing that comes to mind is security auditing. In fact, BlockSec's business scope is not only security auditing, we also provide a series of other security products and services. Specifically, the services can be divided into three major sections. The first section is what we call security for on-chain protocols. On-chain protocols are some smart contracts deployed on the blockchain for some DeFi or NFT, or other activities. How should the security of these contracts be guaranteed? BlockSec provides secure auditing services and secure monitoring products. The second area we are more concerned about is the security of assets. The so-called asset security refers to the assets that users have on hand, for example, these assets are in their own contract wallets, or invested in some on-chain protocols. How to ensure the security of these user assets is also one of our BlockSec service areas. The third area is compliance and supervision. We find that more and more traditional financial institutions are entering the Crypto industry. We have seen news recently that traditional banks in the United States have issued some stablecoin assets on the chain, including Crypto entering the cross-border payment industry. In fact, after these traditional financial institutions enter this industry, it brings a problem to supervision. The regulatory authorities do not know how to supervise, and these institutions do not know how to comply with regulations. So we are also helping regulatory authorities to supervise these players entering the Crypto industry, or helping these traditional institutions entering the Crypto industry to comply with regulations. These are the three areas of our business.

Our customers cover a wide range. What you can think of are the project parties that do decentralized finance or other services on the chain, such as lending platforms and decentralized trading platforms on the chain. These project parties are our customers. We can help them do some security audits before deploying smart contracts on the chain, and review whether the smart contracts they developed have security vulnerabilities from a security perspective. If there are security vulnerabilities, they need to be fixed in time. At the same time, when their protocols are deployed on the chain, we will also have a 7×24-hour monitoring platform to monitor the security risks of their protocols. If any security risks occur, our platform can notify the protocol in time and automatically block risks and attacks. Therefore, these developers and project parties who deploy smart contracts on the chain are our typical customers. The second type of typical customers are people with assets, which may be some high-net-worth customers who have some assets in the contract wallet, or these high-net-worth customers will invest in some protocols on the chain. Our services and products can help them better monitor the security of the protocols they invest in. Just like the front and back of a coin, from the perspective of the protocol project party, we can help them improve the security of the protocol. From the perspective of high-net-worth clients who invest in their protocols, we can help them monitor the security of the protocols they invest in. Once the protocol they invest in has security risks, such as being attacked, they need to be able to withdraw their funds as soon as possible. The third type of client is the supervision and compliance I just mentioned. This type of client is mainly some regulatory agencies, such as the Hong Kong Securities and Futures Commission, which is actually our client, as well as some overseas law enforcement agencies. When they need to investigate crimes involving digital currencies, they need to use our tools and platforms to facilitate some investigation activities such as evidence extraction and fund tracing. This is basically the scope of our overall business and our clients.

Three tips for encryption security

Alex: I see. Mr. Zhou just talked about the types of customers, their needs, and the general situation of the industry. The second question may be more relevant to individual investors, especially since many of our listeners are just beginning to learn about Web3 and try to invest. If you have a friend who has just entered the field of crypto investment and knows that you provide crypto security services, please give him three suggestions on crypto security. What are the three suggestions you would give him?

Zhou Yajin: This is a very good question. My friends often ask me for some security advice. They also want to enter this industry, but they also heard that many people seem to encounter some risks. We once had a joke: If you enter the Crypto circle and have not been phished or defrauded, you will not become a senior player in this field. Of course, this is a joke, but you can indeed find that there are many risks in this industry. If you want to make three suggestions, the first one is definitely what everyone will think of, which is about private key protection. In the Crypto field, how to prove that you own the funds is actually to use your private key to prove your ownership of the account. The private key is a string of numbers, which is also not tied to your personal identity. Once this string of numbers is lost or leaked, others can have control over your own funds like you. This is very different from our real world. In the real world, if your bank password is leaked, you can call the bank to freeze the account, and others will not be able to withdraw money. But in the Crypto world, if your private key is leaked, then the person who owns your private key can transfer your funds from your account without restriction. Generally speaking, there are several ways to protect private keys, such as hardware wallets, contract wallets, or mobile phone apps. Each method actually has its own advantages and disadvantages. Through my own experience and the overall experience of some security friends around us, the basic principle is to write down the mnemonic of the private key and put it in a safe. Whether the safe is your own home or a bank, keep it well and don't move it at ordinary times. Basically, you don't need it. Then use a relatively trustworthy device, whether it is a hardware wallet or a mobile phone, to store your private key. This mobile phone must be a dedicated device. Don't engage in any other operations, just use it to manage your own digital assets. This is the first suggestion. The second suggestion is to be aware of security and risks when trading on the chain. In essence, you just need to remember one sentence: there is no free lunch in the sky. We found that when trading on the chain, users face a very high risk of phishing. Including many KOLs and OGs in the crypto circle that we are familiar with, they have encountered phishing attacks and lost a lot of money. If an unknown website asks you to connect your wallet to get the so-called airdrop reward, you need to be more careful at this time and be aware of security. The third suggestion is that you need to know a little bit about the basic knowledge of crypto assets. Basic knowledge refers to the concept of authorization in crypto assets. This is different from traditional finance. For example, if you own a type of digital asset, USDT or USDC, you can authorize the asset to a contract or other user through the signature on the chain, and such authorization can be achieved by signing a bunch of weird things that you don’t understand through your wallet. So when signing the wallet signature, you signed the authorized transaction because you don’t understand it or are deceived, then others can use all your digital assets. So you need to have some basic understanding of authorization so that you won’t mistakenly sign such a transaction when signing the wallet signature. In summary, the basic suggestions are: the first is to protect your own private key, and some operational methods are given; the second is to be careful when conducting on-chain transactions, be security-conscious and don’t be phished; the third is to have a basic understanding of Crypto’s authorization mechanism, so that you won’t mistakenly sign some authorized transactions.

Alex: I have many high-net-worth friends around me. They are also OGs or veterans in the industry. Logically, they all have some of the security awareness you mentioned, but every year I hear about some big accounts being stolen. There is a saying in the industry that if a professional hacker targets you, he knows that your wallet has money. If he uses all available resources, it is often difficult for you to escape. Do you think this statement makes sense? Is it really like this?

Zhou Yajin: Your question is very good. In fact, security issues, especially those involving Crypto security, are essentially an unbalanced confrontation. If you have enough assets in your wallet, you will easily become the target of targeted attacks by others. Once you become the target of targeted attacks by others, others will mobilize a lot of resources, whether it is social engineering resources, technical resources or other resources, to design attack methods against you based on the target's daily behavior patterns, living habits, etc. In this case, it cannot be said to be 100%, but the difficulty of your defense is very high, because others have mobilized a lot of resources to fight against you, and you only have yourself. So it is a very asymmetric confrontation. In this case, I think the basic principle is that we Chinese have a saying that wealth should not be exposed, that is, you should not disclose your assets, and avoid leaking the identity relationship between your personal offline identity and on-chain assets. The second point is that even if you are a high-net-worth user, it may have been leaked by others, so you need to isolate your assets as much as possible. That is to say, the assets you usually operate in your daily life may only have 100,000 yuan in your dedicated wallet. If someone targets you, they can only defraud you of this 100,000 yuan at most. Your other large assets should be placed in a wallet that you basically don’t need to use. If you need to use these assets, you should find a security expert to help you review a better set of operating procedures and specifications, so as to avoid very large risks.

The three most impressive security incidents

Alex: I see. This advice is really important. Can you share with us the three most impressive security incidents you have experienced in your career? They can be your own experiences, or those of your friends or your own experiences.

Zhou Yajin: I can share with you some security incidents that we have actually personally participated in and that left a deep impression on us. The first example, as I remember, was on February 10, 2023, when a protocol on the chain called the Platypus Protocol was attacked. It is a platform for lending and other functions. This protocol has a security vulnerability, and hackers used this vulnerability to steal assets worth about 9 million USD. The reason why I was impressed by this incident is that the hacker made a mistake when attacking the Platypus Protocol. When he attacked the smart contract, he needed to develop a smart contract himself. A smart contract can be understood as a string of code that can operate on its own. When the hacker attacked, he deployed his own attack contract, and this attack contract completed the entire attack process. But the attacker is also a human being, and we all know that as long as you are a human being, you will make mistakes. He made a mistake when writing the attack smart contract, and there was a vulnerability in the contract that could be exploited. This vulnerability can extract the funds stored in the attack contract, which is exactly the funds obtained by attacking the Platypus Protocol. As a security company, we are always following the attacks on the chain, and we have a set of attack detection engines, which can detect the attacks that are happening on the chain at the first time. Coincidentally, when Platypus was attacked, we had already detected it at the first time. We will independently analyze this security incident, such as what is the reason for the attack and where the vulnerability is. At the same time, we will contact the project party to help them, tell them how to patch and how to deal with it. In this process, we found the hacker's vulnerability and told the project party that they could exploit this vulnerability. Then we developed a string of code with the project party to extract the attack funds, that is, 2.4 million out of 9.5 million, from the attacker's contract. This is also the first time in the history of blockchain security that we call it hack back, that is, taking advantage of its vulnerability, extracting the stolen funds and returning them to the project party. This is a particularly interesting confrontation, and I am quite impressed.

Alex: Did you have a cooperative relationship with Platypus before, or did you start communicating only after this incident?

Zhou Yajin: We didn’t have any cooperation relationship before, and we only contacted each other after this incident. I can talk about the whole process of handling security incidents. We have a security attack engine in our own company. When a security incident occurs, our engine will immediately report an alarm, and we have an emergency response team in our company to analyze it together. First, we will see which protocol is attacked, and then we will try to contact the project party through various means, whether it is Twitter on the chain or other means. In the case of Platypus, we didn’t have their contact information before. We contacted the project party through Twitter and assisted him in analyzing the whole reason for the attack, because many times the project party doesn’t know why it was attacked. Anyway, the money in the protocol disappeared, but the reason is unclear. At this time, the security company needs to assist him in the analysis. After the analysis, it involves how to repair the protocol. If the reason is clear, then the vulnerability needs to be repaired, how to apply the patch, whether it is safe after the patch, and the tracking of the stolen funds also need security companies like us to assist him. We will always deal with it with the project party in the whole emergency response process. In this case, we actually had no contact with the project before, but fortunately, we were able to contact them in time during the handling process and recover part of the funds. In fact, in most cases, we discovered the attack but could not contact the project party.

Then the second case is also quite interesting, which also happened in 2023. Our Chinese audience may be more familiar with it, because this case involves a project called ParaSpace. ParaSpace can pledge the NFT of Boring Ape and borrow other assets. I know that many Chinese OGs are actually holders of Boring Ape NFT. This protocol actually has a security vulnerability, and it was attacked in March 2023. I clearly remember that it was in the morning or noon Beijing time. After our system issued an early warning, we first contacted the project party to analyze the cause. But we found that the first attack transaction that our system exposed was reverted on the chain. Revert means that the attacker did not have enough handling fees when attacking, so the attack transaction was not successfully uploaded to the chain. But his attack transaction behavior and trace have been exposed on the chain. Our system can also detect this kind of transaction, which we call reverse, that is, a transaction that failed but was uploaded to the chain. This is the ability of our engine, which can determine that this is an attack transaction. After we figured it out, we thought of a way to simulate the behavior of the attack transaction and automatically generate an attack transaction that is the same as it, but this attack needs to be quoted. We need to replace the profitable address in the transaction with our address. In this way, we can save the funds in the protocol that is currently in danger and put them in our own safe account, and then contact the project party to return the funds to them. This is similar to saying that the bad guy's knife is about to chop down, but for some reason the first attempt failed. We can also try to withdraw the funds in advance in the same way, so that when the attacker tries to attack for the second time, there will be no funds in the protocol, and the attack will fail. After we had this idea, we actually have a system inside, and we can quickly automate this kind of thing, and then automatically generate a transaction like "attack", send it to the chain, withdraw the $5 million assets in the ParaSpace protocol, and then contact the project party to return the funds to them. This is actually very interesting. It is the highest amount in history. We call it rescue, which is an action to save funds on the chain. Without this rescue, their assets might have been looted.

However, after this security incident, it actually triggered a lot of thinking for us, because there are many security moral and ethical issues involved. For example, after we observed an attack, although the funds in the protocol were withdrawn, it was still an attack transaction in essence. The attacker's behavior was simulated. Although the funds were withdrawn and returned to the project party with good intentions, it was still an attack behavior strictly speaking. This involves issues of compliance and security ethics. Our thinking at the time was that when you see a bad guy stabbing a good guy with a knife, should you stop it or let it develop? I think we chose to stop it, although there are some moral and security ethical issues involved. After this incident, we also deeply realized that the security of the chain cannot be saved by hacking it back, which is the way we just talked about. The project party should be informed of the security risks he faces at the first time. He must know that the project has been attacked, and then he can configure some automated operation strategies. When these security incidents occur, our system tells him that he should be able to automatically pause the protocol, so that the attack will not succeed. It not only prevented the attack and saved the user's funds, but also did not involve any security ethical risks. This is the whole idea behind the development of the subsequent Phalcon attack monitoring and blocking products after these two incidents. This is the second major security incident that I remember.

Alex: I seem to have noticed this security incident. You just mentioned protective attacks. I would like to ask a detail. After the revert attack you just mentioned, you must have an internal discussion and decision to see whether to make a protective attack. How much time did it take from the discovery of this incident to the decision to protect the funds?

Zhou Yajin: It was very fast. It took us only a few minutes from the time we first learned about it to the time we finally completed it. This is because the company has formed a very complete security processing process. Once we learn about security issues, we will discuss and make decisions immediately. After the decision is made, we have some automated tools, so we can get things done quickly.

Alex: I see.

Zhou Yajin: The third case is the Bybit security incident that everyone should have paid attention to recently. In February, 1.5 billion US dollars of assets were stolen. This attack is also the single largest security incident in the security circle so far, and its loss is very different from the two security incidents I mentioned earlier. The previous two security incidents were caused by contract vulnerabilities, but the Bybit security incident actually has nothing to do with the vulnerability of the smart contract. We call it a long trust chain. In a system with such a large amount of funds and such a long trust chain, the attacker found the weakest link through social engineering attacks and then completed the attack. Specifically, Bybit uses a contract wallet called SAFE, which is a smart contract wallet to manage it. SAFE is a multi-signature wallet. You can think of it as a lock that requires three people to open at the same time. This lock can be opened and the funds inside can be taken away. This lock is made by a project party that provides such a contract wallet. You will find that the trust chain in this system is very long, including the developers of the SAFE wallet, the people who operate the SAFE protocol, and the UI interface in the browser when using the SAFE wallet. There is also the operator of the SAFE wallet, that is, the Bybit employee who has three keys, or the person who has the authority to operate funds. He has to operate the SAFE wallet through the computer browser or through his hardware wallet. You will find that there are many aspects involved. When we talk about security, the most difficult point in security attack and defense is that when defending, you have to make sure that your system has no shortcomings, because the level of system security depends on the shortest board in the system. The attacker does not need to break through the well-done part of your system, he only needs to find the weakest point in your system, and then launch an attack through that point to complete the whole process. In the Bybit case, the attack process is as follows. He may find that this is a targeted attack because he found that the Bybit SAFE wallet, which is the wallet of the smart contract, has a lot of assets. The target he chose is the developer of the SAFE wallet, because as we just said, no matter who operates it, they must use the UI interface provided by SAFE, that is, its website to operate your assets. If I can break into the developer's computer through social engineering or other means, and let the developer deploy a malicious code on the SAFE website, then when anyone operates his wallet on the SAFE website, the operation behavior he sees is inconsistent with the actual operation behavior on the chain, but normal users don't know. For example, when a normal user operates in the bank's APP, he sees a transfer of 100 yuan in the bank APP, but actually 900 yuan is transferred out, but I don't know because I see a transfer of 100 yuan in this APP. If you hack into the developer of the APP or the developer of the SAFE wallet, and make the operation interface that the operator sees in the wallet inconsistent with the actual behavior rules, you can complete the entire attack process. It is actually completed in this way. How can it obtain the developer's permissions? It is through some social engineering attacks, and finally complete the entire attack process. In this, even when the developer of SAFE is hacked, we actually have other opportunities. For example, if the signature of your wallet can tell you what the signed transaction is, and it is inconsistent with the transaction you see on the website, there is actually a chance. In the past, many banks had U shields. If you have experience, you will find that when you press the button on the U shield, there will be a display screen, which tells you that you are transferring 500 yuan. Whether you confirm or not, you can confirm it on the U shield device. It actually solves this problem, because even if my APP is attacked, the APP tells you that you have transferred 100 yuan, but when you confirm it at the end, the U shield tells you that you have transferred 500 yuan, and you will find that it is inconsistent. Specifically in the Bybit case, if your signed wallet has such a good reminder capability, it can actually prevent such attacks. But unfortunately, in this case, the signed hardware wallet did not do a particularly good job. After the SAFE UI was hacked, such a malicious upgrade transaction was signed, and then the attacker took over the wallet and transferred 1.5 billion US dollars. So this is a very impressive thing. One revelation from this incident is that cross-verification must be done when it comes to large amounts of funds. You cannot trust the information told to you by a single provider or a single point. If you rely on the information told to you by a single supplier or a single interface, as long as this is compromised, the system link will be gone. So cross-verification must be done, and there must be a third party to help you verify whether what you see is true from a third-party perspective. In this case, the risk can be further reduced.

Experience of social worker attacks

Alex: In the case you just mentioned, there is a term called "social engineering attack". Perhaps not all listeners may understand the meaning of this concept. Can you explain it?

Zhou Yajin: The full name of social engineering attack is social engineering attack. It does not use some technical means, but your work habits, interpersonal relationships, job responsibilities, etc., to design a set of attack methods for you. I can give you an example of a social engineering attack that I personally experienced, which will be easier for everyone to understand. As the CEO of BlockSeo, I often receive some information, mainly in two categories. The first category is some invitations to participate in podcasts, conferences, and interviews. The second category is some investment institutions, who will contact you to say that there are some investment opportunities. I met someone who sent an email through the company email saying that he was a person from a certain investment institution and hoped to discuss some investment opportunities. Our security sense is still relatively strong. We will observe his email and domain name, and sometimes do some background checks, look at his company's website, and investment profile. After doing the background check, I found that this is a very decent institution, although I have never heard of this institution, so I made an appointment with him on Calendar. But at this time, you will find that the first strange phenomenon has occurred. When making an appointment for a meeting on Calendar, he did not provide you with any meeting link. When we make an appointment for a meeting, we usually connect to zoom, google meet or other meeting software. But he did not provide any meeting link, just an appointment time. When the meeting time comes, you send him an email saying that we are already meeting, send me your meeting link. He will immediately send you a meeting link. After you click on this link, you will find it strange that he asks you to download a software. If you are inexperienced at this time and feel anxious about the upcoming meeting, he will take advantage of your anxiety and keep urging you through emails and bombard you with emails. You are eager to make this opportunity happen, and you may install this software without hesitation, but in fact it is a video conference with malicious components that will steal your private key stored in your computer. This is a social engineering attack that I have actually experienced. So you can see that the attacker will target my position in the company and my job responsibilities, and take advantage of my anxiety before the meeting to launch an attack.

Alex: I saw an incident that attracted a lot of attention in the industry a few days ago. The founder of a certain protocol said that when he was attending an offline party, his phone was away from him for about ten minutes, and millions of funds in his mobile wallet were stolen. Assuming that this attack occurred when his phone was away, is this also a kind of social engineering attack?

Zhou Yajin: Yes, I think it is a kind of social engineering attack, but it is not quite a social engineering attack in our usual sense. Because in this case, his phone was only away from him for a period of time. Of course, the main purpose of inviting him or approaching him may be to take his phone, but how to unlock the phone and get the funds inside after getting it actually requires some very strong technical support.

Security principles when interacting with blockchain protocols

Alex: I see. We just talked about a lot of representative major security incidents. So back to when ordinary people interact with blockchain protocols, as you said, many of the projects you served before were Defi protocols, and many of us interacted on the chain with Defi protocols. When we interact with these Defi protocols or other protocols, are there any security principles that need to be followed? I believe that most ordinary users do not have the ability to read code, and may not even have the ability to read signed information. In this case, how can we reduce this risk as much as possible?

Zhou Yajin: I think if ordinary users want to do on-chain transactions, they should first do some background checks on the project party. I think it is still very important. If you invest in a project on the chain with a small amount of funds and are willing to give it a try, it may be okay. But if you are very serious and say that you are an investor who wants to invest in an on-chain protocol, then because your funds are relatively large, you may need to do a better due diligence on the project party. The due diligence here is basically divided into the following levels. The first level is to say who is the founder of the project party and whether it is anonymous, because some on-chain protocols are anonymous protocol projects. You have to know the quality of the protocol, you have to know who the founder who has shown his face outside is, and whether he has ever rugged the project. This is very important. That is to say, you must first do some background checks on the composition of the protocol itself and the identity of the founder. The second point is that you need to do some background checks on the technical capabilities of the project party itself. You can see whether the project party has been audited by a leading security company. As you said just now, many users may not understand technology, code, and cannot read the audit report, but you can pull down the audit report and simply review some core key points. For example, which auditing companies did it, what is their reputation, and are there any core security loopholes in the report? It does not mean that the discovery of core security loopholes in the report means that the protocol is unsafe. It just means that the security company may be more diligent. It found some security loopholes, which will reduce the overall security risk of the project party. We should look at this matter dialectically. After the background check of the project party, you should basically adopt a gradual approach when interacting with it, and do not invest a large amount of funds at one time, as the risk is still relatively high. Another thing is to use some professional security tools, such as some attack monitoring, some tools and platforms. If your capital volume is relatively large, then you must always be aware of the security risks of the protocols you invest in. You can use some platforms, such as our phalcon platform, to monitor the overall security of the protocols you invest in. For users with relatively small capital volume, I think the main risk to guard against when doing on-chain transactions is still phishing. After all, the probability of the protocol being attacked is relatively low, but the risks of on-chain phishing and authorization are indeed possible for ordinary users when they are on the chain. To prevent these risks, you should not be too greedy. There is no such thing as a free lunch. When you interact with a website, try to confirm that it is an official website, not a knockoff website. As for how to confirm that it is an official website, you may still need to have a certain ability to collect and organize information. Of course, you can also use some security tools to identify phishing websites. In this way, you can avoid some risks.

Alex: I noticed an incident. Two days ago, Binance removed the tokens of many projects, saying that the operations they could provide were not up to standard, so Binance removed them. Then the project owner said that due to various problems, the project would not be operated in the future and would be in a semi-abandoned state. So suppose this user may have used the DeFi protocol a year or two ago. No one is in charge of this protocol at present, and no one knows who has the upgrade permissions for the code. In a specific case like this, will their upgrade permissions not be properly managed, leading to hackers or people with ulterior motives getting control of them? If your previous authorization is not cancelled, the funds in your wallet will be threatened by these subsequent impacts.

Zhou Yajin: Yes, this is also possible. Especially as you just said, if a user authorizes his funds to some protocols, and these protocols and smart contracts may no longer be maintained, then if the authorization is not cancelled, there may actually be security risks. Regarding the solution to this problem, we have always recommended that ordinary users should regularly review their authorizations. You can revoke those authorizations that are not used. Many users may not know which project parties they have authorized. We have made a tool called authorization diagnostic tool. You enter an address and we can tell you which protocols this address has been authorized to. We found that many users actually authorized dozens of protocols, and many protocols are now inactive. These inactive and unsecured protocols may have security vulnerabilities. As long as there are security vulnerabilities, others can transfer your funds through the vulnerabilities of the protocols you authorized, which is actually a big risk.

Alex: I see. Regarding the security of interaction, I have another question. In the past, some DeFi protocols that have been attacked, or other protocols, we found that the number of thefts and attacks on DEX is relatively less than that on lending or staking. Does this have anything to do with the smart contract types of these two types of protocols? Or are there other reasons?

Zhou Yajin: You are right. Relatively speaking, the security risk of DEX is lower than that of other lending, yield farming and some financial derivative protocols. First of all, the overall protocol of DEX is relatively simple. The protocol in the on-chain DEX is a constant product such as xy=k. Of course, Uniswap V3 is slightly different. The basic core is the constant product formula. First of all, its protocol is simple. Secondly, it already has a very good reference example, which is Uniswap. Many DEXs are forked from Uniswap, so you only need to make some simple modifications to deploy a DEX on the chain. Its overall security risk position will be lower. However, for lending, yield farming, or other leveraged lending, and some more complex functional protocols, the design of its own protocol is relatively complex. For example, if we build a lending platform, it seems that in principle, I put asset A in and lend asset B. I just need to control the health of its entire asset. But for example, the types of collateral assets you want to support, the price fluctuations of assets, and if you want to support leverage, how can you always keep the overall health even if users pay back your money? The complexity of its own protocol will be relatively high, so the probability of these protocols being attacked is greater. I think this is the first reason. The second reason is that DEX itself does not store money. Of course, the money in DEX is all liquidity providers, that is, the money you provide liquidity is placed in it. And those who actually use DEX, as long as they swap, put token A in, and token B will come back immediately, so your assets are not in the DEX's Pool. Even if the DEX's Pool is attacked, most users will not lose, but those who provide liquidity will lose. It is different on lending platforms and other platforms. Your assets are actually placed in it, and you are over-collateralized. If you are some other more complex protocols, there will be a lot of users' assets retained in it. After it is attacked, the group of users who are damaged will also be relatively large. I think this is the second reason.

Then we also found that DEX has been attacked in the past. The reasons for its attack are relatively simple. First of all, the risk exposure of DEX lies in authorization. When you want to swap, you need to authorize your own tokens to the routing contract of DEX. Although the routing contract does not store money, if there are some arbitrary execution loopholes in the routing contract, it is possible to take away the funds of all users who have authorized DEX. We found that the DEX has loopholes that cause relatively large losses. This type is relatively easy to find. As long as you are a qualified auditor, it is actually easy to find.

Alex: So in the case of the authorization vulnerability you just mentioned, if an audit company finds that DEX has such arbitrary execution permissions, they will generally advise it that this is unreasonable, or remind everyone of this when disclosing the report?

Zhou Yajin: Yes, this must be a loophole, it must be unreasonable. If a security company audits it, it must fix it, this is a very critical loophole.

The current status and potential of the blockchain security industry

Alex: OK, we just talked a lot about security attack and defense, and some specific issues on how to protect the security of personal assets. Let's talk about the last question today, about the situation of the blockchain security industry. As you said, in 21 and 22, because there are a lot of DeFi, the number of customers in the blockchain security industry is very large. So as of this year, what is the current level of the industry scale of the security industry, and what is its development status and profit level?

Zhou Yajin: This is a good question, because we are in the blockchain security industry, you have to always know the current stage of the industry and where the ceiling is, so as to better develop the company. At present, there is actually no recognized data to say what the market cap of the entire blockchain security industry is. However, there are some reports on the Internet, or based on their own calculations, they think that the overall industry scale of blockchain security is about 3 billion US dollars a year. This scale is actually relatively small compared to the traditional network security industry. For example, in 2024, the scale of the entire traditional network security should be around 100 billion US dollars. The gap between 1000 US dollars and 3 billion US dollars is actually quite large. I think this is related to the current status of the development of the entire industry, because blockchain security is essentially a secure product and service serving the blockchain industry, and the blockchain industry as a whole is actually still in its early stages. For example, the period of relatively good development before was during Defi Summer, when some new innovations came in. In the past one or two years, after the financial innovation boom of Defi Summer, it seems that there is no particularly good and more innovative thing coming in, which leads to the fact that the scale of the entire blockchain industry should reach the highest TVL in 2022. I remember that the highest level of TVL of the entire blockchain security at that time should be 177 Billion, which is more than 100 billion US dollars. But today, before participating in this program, I took a look at the data, and the current TVL is 99 Billion, which means that it is probably a little more than half of the peak, which leads to the development of our blockchain industry seems to have encountered a bottleneck.

But at the same time, we have also discovered new potential in this industry, that is, traditional financial institutions are slowly entering this industry. There are some signals that traditional financial institutions are entering the industry, for example, traditional banks are issuing stablecoins on the chain, and they are in compliance with regulations. Traditional payment providers such as Stripe are supporting Crypto payments. Some cross-border payments use Crypto to solve the payment problems faced by traditional cross-border e-commerce. So we will find that although there is no innovation like the DeFi Summer in 2021 and 2022 that has triggered a new high in TVL, traditional financial institutions and merchants with real scene needs are entering this industry, and after they come in, they will bring compliance to the entire industry. If an industry wants to develop relatively large, it must develop in compliance within the regulatory framework and system. I think this is an opportunity we can see in the past one or two years. So in general, the overall scale of the blockchain security industry is still relatively small and is still in its early stages. But with the entry of traditional financial institutions, more and more supervision and compliance, I think the potential for explosion here is still relatively large. This is my own observation.

The moat of the leading security companies

Alex: Okay. I have a very deep impression. In 2021 and 2022, I felt that blockchain security companies, especially those doing smart contract audits, were very profitable. Some well-known security companies even felt that it was a privilege for you if they let you jump the queue and arrange a quick audit. What do you think are the main moats of the leading security companies?

Zhou Yajin: I think there may be several points. The first point is about brand and trust. Especially security audit, it is actually a service that requires strong brand recognition. You just mentioned that when the market was better before, audits were very popular and it might take a long time to queue up. In fact, the top security audit companies are still in this situation today. It is not that when a project party comes to audit, human resources will be available immediately. The top security companies with brand effects are still in such a state of supply and demand. So I think a moat is brand and trust. How to establish a better brand image in the blockchain security industry and the trust behind the brand, whether the trust comes from users, project parties or other participants, is very important. The second point is the need for safe innovative technology. In addition to solving blockchain security problems and doing security audits, do we really have no other solutions that need to be supplemented? Security audits can only solve the problem of smart contracts of the project before they are deployed on the chain, and do a security review. But after the project is actually launched, the project party may change the parameters, and it may do some daily configurations. Daily upgrades are not audited due to queuing or cost considerations. That is, there are many security problems caused by various reasons after the smart contracts are deployed. We cannot rely solely on security audits to solve such problems. We need some innovative security technologies and products to solve such problems. This is also what I think is very different from other blockchain security work. In addition to our security audit services to the security of smart contracts before the protocol goes online, we also have a platform that can cover the monitoring and blocking of attacks after the smart contracts go online. This is also the only blockchain security company in the world that has both smart audits and attack monitoring, and can cover the entire life cycle of smart contracts. This is very important, that is, you must have innovative security technologies and products to help users really solve problems in this market. The third point is compliance, supervision, and geopolitical influence. The Crypto industry will definitely need to be compliant and regulated in the end to have large-scale development opportunities. This view is not shared by everyone, but we have been in this industry for so many years, and we can see that the development of this industry must be under the sun, and must be under the compliance and regulatory system to attract traditional old money into this industry. Under this situation, it is necessary to prepare compliance and regulatory products and services in advance. Compliance and regulatory products and services require you to have a deep understanding of the regulatory policies and compliance requirements of the industry, and then be able to turn it into products. In addition, the so-called geopolitical influence means that when some regions choose suppliers, they actually have some geopolitical considerations. For example, regulators in Hong Kong may be more inclined to choose products from non-US suppliers. So when you have a deep understanding of regulatory policy compliance, have better products, and can also have some geopolitical influence, I think this is the moat of blockchain security companies.

Alex: Got it. Today we are talking about encryption security from many perspectives, from a specific security incident to some security principles that everyone needs to pay attention to, and the development scale of the entire industry. Thank you very much Zhou Yajin for coming to our show today to share these insights, and I hope we will have another opportunity to talk about more related topics in the future.

Zhou Yajin: Thank you, Alex.