Dialogue "Encrypted Batman" samczsun: What is it like to be a white hat hacker?

ChainCatcher Selection
2022-06-16 22:13:15
Whenever a large amount of funds is at risk in the cryptocurrency ecosystem, a bat signal is sent out, and samczsun comes in to help save the day.

Source: WLD Show Podcast

Compiled by: Linqi, Guo Qianwen, Chain Catcher

Introduction: Samczsun, a research partner and head of security at Paradigm, is a white hat hacker who has saved hundreds of millions of dollars in the crypto ecosystem by responsibly disclosing vulnerabilities and publishing educational resources. In a previous podcast with Paradigm partner Dan Robinson, Dan referred to samczsun as the "Batman of Crypto." Whenever a significant amount of funds is at risk in the cryptocurrency ecosystem, the bat signal is sent out, and samczsun comes in to help save the day.

Related Reading: “How the Top White Hat Hacker in the Crypto Industry, samczsun, Came to Be?”

Recently, samczsun discussed his experience of becoming a white hat hacker on the WLD Show podcast. The following content is a summary of this episode by Chain Catcher:

WLD Show: What is a white hat hacker?

Sam: From a macro perspective, it depends on whether your intentions are good or bad. Of course, the definitions of good and bad are not objective, but generally speaking, white hat hackers do good things, preventing certain incidents from occurring. If they conduct an attack, they will disclose it immediately and notify the parties involved. However, black hat hackers bring negative impacts, such as stealing funds and assets. Gray hat hackers fall somewhere in between; they may conduct attacks under the guise of goodwill. So, there is actually a very blurry line. They do attack, but it's for a good cause—so are they white hats or black hats? Ultimately, whether one is a white hat or black hat depends on whether what they are doing is good.

WLD Show: Why did you choose to become a white hat hacker?

Sam: First of all, it's not easy to steal money as a hacker, of course, I'm joking. I was taught from a young age to take care of others and give back to the community. Now, if I can contribute something to society, even if the outcome is uncertain, I will do it.

WLD Show: Can you introduce us to the hacker ecosystem?

Sam: For me, the entire system is very risky, like a PvP game—this is just my personal view. When you discover a problem or receive an alert, you only have a few minutes, and if you're lucky, a few hours to deal with it. That's actually a very short time, and it's very likely that a hacker will steal the money. Especially in several recent cases I've been involved in, there were only "life-and-death" seconds: either save the funds or they disappear forever. So the risk is very high.

If you want to participate in these activities, first, you need to have a good understanding of blockchain security, such as Ethereum, smart contracts, etc. Then you can start looking for new protocols and targets, beginning your research and actions. Once you find a vulnerability, the process becomes very tense—"time is ticking." This is a psychological process: because the vulnerability is there, once you confirm its existence, everything becomes "real and tangible." The whole process is quite crazy; you need to quickly find the right contacts because whether these billions in assets can be saved depends on your knowledge.

The biggest challenge is finding the actual developers because this information can easily be attacked, leading to lost funds. I feel it's my responsibility: even though it's out of goodwill, if the developers don't receive the information and the funds are stolen ten minutes later, legally I may not be responsible, but I personally feel it's my responsibility. So the whole process is very tense. Once I find the developers, I immediately report the vulnerability to them, and I feel a sense of relief.

The hardest part is over; the next step is to collaborate on a solution, to see if there are feasible measures for joint action, whether we can interrupt the protocol, use management keys to save the funds, or in the worst case, directly rescue the funds. I do not send transactions myself, partly due to responsibility issues and partly because I don't want to be the one who "presses the final button." So I inform the developers and guide them; they will send the transactions themselves, and if they need my help, I will provide it. Ultimately, we either successfully save the funds or fail for various reasons; that's the basic process.

WLD Show: Many people have tweeted that the rewards from these rescue operations are quite disappointing compared to the actual funds saved. What do you think?

Sam: I think this relates to the question of how much reward is considered sufficient. Each party can have many arguments. But there is a reality: many projects do not own the funds they have; whether it's 10% or 20% taken, these are actually user funds, so it's not something the programmers or projects can decide. Of course, some projects have a lot of funds and might be able to offer a large portion as a reward, but over 90% of projects do not have such large amounts of funds.

WLD Show: What is the difference between white hat hackers in Web3 and traditional Web2?

Sam: In the world of cryptocurrency, everything happens in an instant. For example, if you discover a vulnerability in DOMPurify, which, as far as I know, is a project written by Cure53 to clean HTML, the company uses it to ensure the system runs without being attacked by scripts, such as ensuring the frontend is not vulnerable to cross-site scripting attacks. For instance, if Google is attacked but users can still log in and register, that would be very bad.

If we report a vulnerability in DOMPurify, it will take a lot of time to resolve. First, the probability of discovering a vulnerability is very low; second, once discovered, there is a whole processing procedure. In Web2, this process includes starting a private security mailing list, patching, and asking users to upgrade dependencies, among other measures.

But in Web3, you don't have time to apply for relevant qualifications, etc. Within ten minutes, funds may enter a new wallet, and after twenty minutes, the wallet may disappear. Compared to Web2, you don't have, say, six months to resolve the issue.

So overall, events in Web3 occur and are handled relatively quickly, but the impact is significant.

WLD Show: Yes, this may also relate to the open-source nature of the code, as everything is transparent.

Sam: Yes, for example, at least in Ethereum, if you want to participate in the community, you have to embrace transparency. This is different from Solana, where the code is not public, but there is at least code verification; generally, you can see links to code verification on project pages, such as GitHub or Etherscan. So I think protocols need to make changes, such as releasing emergency patches. In short, security issues on Ethereum are very transparent; anyone can see what has happened.

WLD Show: Paradigm is a unique venture capital firm with its own research team and many talents like Dan Robinson. Why did you choose to join this company?

Sam: I was actually attracted by the talented people here. There is a saying that goes, "If you are the smartest person in the room, you should probably change rooms." So working with people who are better than me in various fields every day is something I aspire to.

WLD Show: Can you describe your joining process?

Sam: I had previously collaborated with Georgios and Dan. After they published the article "Ethereum is a Dark Forest," I thought their work was fantastic. Later, someone contacted me to see if I was interested. At that time, I wasn't sure if I wanted to join, but after talking with the team, I felt it was a chance worth taking.

WLD Show: What is your typical job?

Sam: My daily work involves supporting portfolio companies, ensuring their code is correct. For example, if they need to write a smart contract, I help them review the code. Of course, I may not have time to review everything, but just like in regular rescue operations, I go through it and pick out the most critical issues. I also work on some of my own projects to maintain Ethereum's security; for instance, I previously released a user-friendly four-byte signature database. I also write some blog posts. But overall, as the head of security, my responsibility is to maintain the company's security.

WLD Show: Do you think there are pros and cons to joining a company like Paradigm? For example, previously you weren't tied to a company, and you might have had more freedom to choose projects and your working style. Will this change the pace? Will there be any restrictions?

Sam: No, when I joined the company, we already had a consensus that there would be no such restrictions, such as not looking at competitors' code. If we discover a vulnerability in SushiSwap, we will definitely report it. But at that time, in reality, there was no issue, so this is a hypothetical situation.

WLD Show: Dan Robinson's “Dark Forest” describes a terrifying story, mentioning "top predators," while your article “Escaping the Dark Forest” describes how to escape these "monsters." Can you explain what they are?

Sam: Before this, even before I heard about the "Dark Forest," I had already encountered front-running bots. I deeply realized how complex this issue is; they not only monitor sandwich attacks but also any ordinary transaction that creates profit, then somehow manipulate the pending transaction to profit themselves. We later discussed how to deceive these bots.

We thought that their operation might involve simulating a transaction first and then trying to determine if there was profit to be made. Theoretically, if we break down the logic of institutional actions or add extra transactions, it should not lead to linear growth in complexity, but rather exponential. I can't be completely sure. For attackers, in this case, the simulation should be much more complex; theoretically, they don't know which three transactions are yours. They will keep combining to determine which set of transactions is correct.

WLD Show: Can you describe the situation when ten million dollars were at risk?

Sam: I have a tool that monitors large TVL contracts and can issue alerts in real-time. I received an alert regarding the Lien protocol. At that time, I was about to go to sleep, and I thought I might need to check this alert. Then I discovered its vulnerability. When you realize that all the money staked in the protocol is at risk, you really feel like the world is just seconds away from exploding.

WLD Show: So this means you discovered a bug that, if exploited by someone else, could have resulted in all the money in the contract being stolen.

Sam: Yes, there are different ways to deal with this vulnerability. Some vulnerabilities can be exploited by the contract owner, which theoretically is bad, so you need to conduct due diligence. There are also some vulnerabilities that only occur when you invest a lot of money; if you can use flash loans to exploit this vulnerability, it could lead to severe consequences. If this vulnerability cannot be exploited using flash loans, its urgency may be greatly reduced. Generally, attackers do not have enough funds to exploit such vulnerabilities. There are also worse vulnerabilities that do not require the attacker to have a large amount of funds or special permissions. For such vulnerabilities, anyone can become an attacker as long as they know how to invoke the functions of the contract; then all the money in that contract is theirs.

The vulnerability in the Lien Finance contract at that time was the last type mentioned; you didn't need any funds or permissions. As long as you knew the vulnerability existed and how to invoke the contract's functions, you could exploit the vulnerability. So at that time, the situation was very urgent; you didn't know what would happen in the next second. Any second could lead to problems, and even if a vulnerability attack occurred, I wouldn't know who the attacker was. By then, it would all be over, which was really terrifying.

WLD Show: To solve this problem, how did you assemble a team to escape the dark forest?

Sam: I did spend some time considering who was responsible for this project. But the team responsible for this project was anonymous, so I was very cautious and didn't dare to disclose this matter to anyone because if it fell into the wrong hands, it could easily be weaponized. So I tried to contact some intermediaries, those who had previously been associated with this project. I reached out to Alex Wade because he was the only person I knew who was related to the audit of Lien Finance. I also contacted some other people. I explained the issue to Alex so that we could take urgent measures. After that, Alex began trying to connect with the person in charge of the contract through his channels, while I was considering how we would handle the issue once we made contact.

Every second we didn't make progress could be another second for someone else to ruin everything. So the obvious question was how to extract the funds. Yes, our goal was to save the funds in the contract. Because, as I said earlier, this vulnerability could be exploited by anyone. The biggest problem for us was how to avoid front-running traders if they had these skills.

WLD Show: So you wanted to save these funds, but if you acted, the predators, i.e., the front-running traders, could potentially steal the money before you did, right?

Sam: Yes. For miners, they will definitely prioritize transactions that pay higher gas fees, so in this case, our actions would definitely come after the predators.

WLD Show: So this means your goal was to figure out how to create something that could obfuscate the front-running trading bots to hide your actions and extract the ten million dollars, right?

Sam: Yes, our goal was to submit a transaction in such a way that those bots couldn't front-run it. I was continuously bringing more people into the team; the team members were people I trusted and had known for a long time. So I was thinking, either trust these people not to backstab me or try to deceive the front-running trading bots without testing, which would likely result in losing that ten million dollars. Ultimately, I preferred to trust these people, which is why we ended up building such a strong team.

WLD Show: Can you describe how you discovered the SushiSwap vulnerability?

Sam: I was in a meeting at Paradigm, feeling a bit bored, so I started browsing the LobsterDAO channel on Telegram on another monitor. There was some discussion about SushiSwap's Dutch Auction on the MISO platform. I naturally started typing and browsing the Dutch Auction contract. At first glance, there seemed to be no issues; everything looked perfect. I was even thinking about whether to refocus on the meeting, but then I thought, can I break it? If I assume it's safe without fully checking it, is it really safe? So I continued browsing the contract. Then, I discovered the vulnerability, and it was similar to a vulnerability I had seen before. I was surprised that the Sushi team could make such an obvious mistake.

WLD Show: Paradigm is an investor in Uniswap, and SushiSwap is a fork of Uniswap. So essentially, SushiSwap and Uniswap are competitors, but Paradigm and everyone on the team basically supported you in solving this issue, so it feels like everyone on the team is thinking about the entire crypto ecosystem.

Sam: Yes, the crypto industry is a team game. We are all in this field, working hard to contribute the best we can to the crypto ecosystem. Ten million dollars and three hundred fifty million dollars are the same; when I told everyone there was a vulnerability in SushiSwap that could lead to a loss of 350 million dollars, no one hesitated and everyone was doing their utmost to try to contact the person in charge of SushiSwap. Because this is not a zero-sum game; it's not that I must win and others must lose.

WLD Show: Regarding the ten million dollars at that time, your thought was to transfer it out. So what were your thoughts on the 350 million dollars?

Sam: I think, to some extent, that number is just too large. It's really hard to properly perceive 350 million dollars. What does it mean for an ordinary person? What does it mean for someone in the crypto industry? The idea of holding 350 million dollars is simply unbelievable. I felt I should do something.

WLD Show: So at Paradigm, compared to the team you had to build to escape the dark forest, there is actually a larger network supporting you, which allows you to resolve the SushiSwap issue more quickly.

Sam: Indeed, this is another reason I joined Paradigm. It clearly has a larger network and a broader influence in the crypto ecosystem. So when I discover certain issues, it is very effective to contact any team leader through Paradigm.

WLD Show: You not only discover vulnerabilities but also write educational resources for everyone to read. One of your tweets was about the Wormhole 325 million dollar vulnerability. At that time, you explained the Wormhole incident through reverse engineering. Why did you write such a tweet? Can you elaborate?

Sam: Actually, I don't often post educational resources; I write blog posts more frequently because I think if I want to publish anything, I want it to be a long article so I can engage more deeply. The Wormhole vulnerability was the largest hacker attack in terms of stolen funds at that time, and no one knew the cause and effect.

There were some speculations on Twitter, but if you fact-checked, those were false. So even after several hours had passed, no one really knew what had happened. I thought it was time to publish some accurate statements and also to get a better understanding of Solana. Frankly, I didn't know much about Solana at that time and didn't have the motivation to really learn about it, but this incident gave me the opportunity.

WLD Show: So how did the vulnerability occur? How was 325 million dollars stolen from the system?

Sam: It's important to know that this contract requires multi-signature to be effective, but at this step, there was a bug that actually didn't check whether these signatures were valid. The attacker provided Wormhole with a fake address, pretending it was the sysvar, and it wasn't blocked. They used this signature to bridge the assets. Next, the hacker used it to generate an order because the signature in the first step was considered valid, so the guardians accepted this signature. The third step order was submitted and processed.

WLD Show: In other words, this process was from Ethereum to Solana. Normally, if someone deposits ETH into Wormhole, then because there is ETH in Wormhole, it will transfer it to Solana. But due to this specific vulnerability, the hacker made the system pretend there was ETH, and then it would transfer to Solana, resulting in a loss of 325 million dollars in the system.

Sam: It's important to clarify that when you bridge assets, you receive the same assets on the other side. If it is a 1:1 asset backing, then there is no problem. But Wormhole is not. This process requires locking real ETH in Wormhole to have Wormhole ETH, and Wormhole needs to trust the signers. If four out of five signers agree that someone has locked 10 ETH, then that person will receive 10 Wormhole ETH. But in reality, that person locked nothing, so the system was deceived.

WLD Show: If we need help, how can we contact you?

Sam: I usually publish some blogs on my website, and you can browse some of my latest updates there. Of course, if you have any contract security issues, you can also directly contact me through Twitter, email, or DM me on Telegram.

WLD Show: Thank you very much for your generous sharing. This has been a great conversation, and I've learned a lot from it.

Sam: I appreciate you too!
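The Wormhole failure Sam describes above (a signature-verification step that trusted a caller-supplied account as if it were the Instructions sysvar) modelled in plain Rust, as an added example that is not part of the interview and is not Wormhole's or Solana's code. The sysvar address, the bitmap encoding of verification results, and the account struct are constructed stand-ins; the four-of-five guardian quorum is the figure given in the interview.

```rust
// Added example, not Wormhole's or Solana's code. Models the account-trust
// mistake from the interview: a bridge step reads the result of signature
// verification from an account the caller supplies, and the fix is to check
// that the account really is the Instructions sysvar before reading it.

/// Placeholder for the Instructions sysvar address (constructed, not the real key).
pub const INSTRUCTIONS_SYSVAR_ID: [u8; 32] = [0x53; 32];

/// Guardian set size and the quorum the interview mentions (four of five).
pub const GUARDIAN_COUNT: u32 = 5;
pub const QUORUM: u32 = 4;

/// Minimal stand-in for a Solana account passed to an instruction.
pub struct Account {
    pub key: [u8; 32],
    /// Toy encoding of a prior verification result: bit i set means
    /// guardian i's signature was checked by the signature program.
    pub data: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub enum BridgeError { InvalidSysvar, MalformedData, NoQuorum }

/// Counts guardians marked as verified in the first byte of the account data.
fn verified_count(data: &[u8]) -> Result<u32, BridgeError> {
    let &bitmap = data.first().ok_or(BridgeError::MalformedData)?;
    Ok((bitmap as u32 & ((1 << GUARDIAN_COUNT) - 1)).count_ones())
}

/// Vulnerable pattern: trusts whatever account sits in the sysvar slot,
/// so a forged account can claim any number of verified signatures.
pub fn verify_signatures_unchecked(sysvar: &Account) -> Result<(), BridgeError> {
    if verified_count(&sysvar.data)? >= QUORUM { Ok(()) } else { Err(BridgeError::NoQuorum) }
}

/// Hardened pattern: the account must be the genuine sysvar, which only the
/// runtime populates, before its contents are allowed to mean anything.
pub fn verify_signatures_checked(sysvar: &Account) -> Result<(), BridgeError> {
    if sysvar.key != INSTRUCTIONS_SYSVAR_ID {
        return Err(BridgeError::InvalidSysvar);
    }
    verify_signatures_unchecked(sysvar)
}

/// Constructed accounts: a forged one claiming all five signatures verified,
/// and the genuine sysvar carrying a caller-chosen bitmap.
pub fn forged_account() -> Account { Account { key: [0xAA; 32], data: vec![0b1_1111] } }
pub fn genuine_account(bitmap: u8) -> Account { Account { key: INSTRUCTIONS_SYSVAR_ID, data: vec![bitmap] } }

fn main() {
    println!("forged, unchecked: {:?}", verify_signatures_unchecked(&forged_account()));
    println!("forged, checked:   {:?}", verify_signatures_checked(&forged_account()));
    println!("genuine 4/5:       {:?}", verify_signatures_checked(&genuine_account(0b0_1111)));
}
```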
