How did the top white hat hacker in the crypto industry, samczsun, come into being?

ChainCatcher Selection
2022-06-16 22:15:48
All contributions from samczsun are a blessing for the industry, but they also reflect the sadness of the industry.

Author: Gu Yu, Chain Catcher

"U up?"

This question from samczsun is one of the most dreaded messages for any DeFi project team, as it likely means that samczsun has discovered a serious vulnerability in the project's smart contract, putting user assets at risk of being stolen by hackers at any moment.

In the crypto world, various protocols' smart contract vulnerabilities are common, becoming tempting "prey" for hackers. According to Footprint Analytics, at least 90 DeFi projects encountered various attacks in 2021, with initial losses exceeding $1 billion, causing significant losses for ordinary users. However, while hackers run rampant, many white hat hackers are also helping project teams identify smart contract vulnerabilities in advance.

Samczsun is undisputedly the most well-known white hat hacker in the crypto industry. Over the past few years, he has privately messaged project teams to report vulnerabilities he found in at least twenty projects, including SushiSwap, ENS, Rari and Tokenlon, preventing losses of hundreds of millions of dollars.

Samczsun's formal identity is a research partner at the renowned crypto venture capital firm Paradigm, focusing on the security and related research of Paradigm's portfolio companies. Almost all of his public statements are reports and analyses of vulnerabilities in crypto projects, aimed at protecting the healthy development of the crypto ecosystem.

Although samczsun has stated that he prioritizes reviewing new code releases from portfolio companies, most of the projects whose vulnerabilities he has disclosed, such as SushiSwap, ENS, ForTube and Tokenlon, are not part of Paradigm's portfolio. This has made him one of the most influential contributors to the security of the DeFi ecosystem and the wider crypto industry.

Haseeb, a partner at Dragonfly Capital, recently stated in an interview that he believes samczsun is the smartest person working in Web3. Another Paradigm partner, Dan Robinson, referred to him as the Batman of the crypto industry. Whenever a significant amount of funds in the crypto ecosystem is at risk, the bat signal goes up, and samczsun comes in to help save the day.

So, how did samczsun become the top white hat hacker he is today? Chain Catcher will outline and summarize his past experiences through publicly available information in this article.

From samczsun's social media profile, his earliest online activity dates back to November 2014, when he joined GitHub and made 114 contributions in November and December.

The earliest traceable record of samczsun discovering a vulnerability dates from January 2016, when he tweeted at Enjin's official Twitter account to flag a serious security issue that needed to be addressed. The Enjin account replied and provided a link for submitting a report. Enjin is now a popular NFT gaming platform, but at that time the project had not yet entered the crypto and NFT space.

In 2017, samczsun submitted vulnerabilities for multiple projects on the bug bounty platform HackerOne, including Zomato (India's counterpart to Meituan) and the legal contract analysis company Legal Robot, and published several vulnerability analysis articles on his blog.

Samczsun's first public investigation into a DeFi protocol vulnerability came in July 2019, when he disclosed a smart contract vulnerability in the 0x protocol that allowed malicious actors to create valid orders spending the assets of any externally owned account (EOA) that had approved the 0x contracts. The project team had to shut down the protocol to fix the vulnerability and redeploy the 0x v2.1 smart contracts from scratch. For this finding, samczsun received a $100,000 bounty.

From then on, samczsun officially embarked on his white hat hacker journey, quickly gaining fame in the DeFi industry with his prolific vulnerability research.

In the following year, amid the "DeFi Summer" craze of 2020, samczsun discovered potential vulnerabilities in numerous crypto projects, including ENS, Livepeer, bZx Network, and Curve Finance.

Among these, the Curve Finance vulnerability would have allowed anyone to drain the smart contract, while the ENS vulnerability allowed a former ENS name owner to regain ownership after transferring the name to someone else, under certain conditions. Both were significant vulnerabilities that could have severely harmed the projects' development, underscoring the value of samczsun's contributions.

"A common misconception in building software is that if every component in the system is individually verified as secure, then the system itself is secure. This belief is best illustrated in DeFi, where composability is second nature to developers. Unfortunately, while combining two components may be safe in most cases, just one vulnerability can cause severe economic losses to hundreds or even thousands of innocent users." Samczsun summarized after discovering numerous vulnerabilities in DeFi projects, "Safe components can also come together to make something unsafe."

In early 2020, samczsun initiated a grant on the Gitcoin platform and became the most funded recipient in Gitcoin's fifth round of grant activities. At the same time, samczsun also joined the crypto security company Trail of Bits as a security engineer.

By September 2020, samczsun had already gained considerable fame in the DeFi security field and was invited by Paradigm's founder to become a research partner at the investment firm, with the goal of "helping assess the security status of potential portfolio companies, assisting current portfolio companies, and advancing the overall security of the Ethereum ecosystem."

[Figure: Ethereum Execution Layer Vulnerability Bounty Leaderboard]

Since then, samczsun has continued his practice of disclosing vulnerabilities, involving projects such as Alpha Homora, DODO, Rari, Tokenlon, ForTube, and BendDAO, among others. The Rari code vulnerability could potentially lead to the theft of all borrowable assets in the Fuse pool. On the Ethereum Foundation's published Ethereum execution layer vulnerability bounty leaderboard, samczsun has consistently ranked first. Additionally, samczsun has also helped projects like dYdX and Gelato Network handle emergency vulnerability incidents.

The case that brought samczsun the most fame was the MISO vulnerability incident, which helped the project team avoid a loss of up to $350 million.

On August 17, 2021, when samczsun noticed that MISO, SushiSwap's IDO platform, was conducting the largest IDO in history (BitDAO), he opened MISO's smart contract on Etherscan and quickly discovered that the initMarket function lacked access control, and that the function called by initAuction likewise performed no access control check.

Specifically, the vulnerability lay in how MISO handled over-commitments in Dutch auctions: rather than rejecting a commitment that exceeded the auction's token limit, the smart contract accepted it and refunded the excess to the user after the auction ended. An attacker could therefore place bids on the MISO platform for free and collect refunds of the difference between the submitted amount and the current bid, repeating this until the contract's funds were exhausted. In other words, the vulnerability put more than 109,000 ETH (worth $350 million at the time) at risk of theft.
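To illustrate the first defect described above, an initializer with no access control, here is an added Solidity example (not MISO's own code; the contract names, the factory assumption and the stored fields are hypothetical) showing an initMarket that anyone can call beside a version that only the deploying factory may call, and only once.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added illustration, not the MISO source: a minimal auction market whose
// initializer is open to any caller (the defect class described above).
contract UnguardedMarket {
    address public auctionToken;
    address public paymentCurrency;
    address public wallet; // receives auction proceeds

    // No caller restriction and no one-time guard: any account can call this,
    // and can call it again later to overwrite the token, currency or wallet
    // that the auction already relies on.
    function initMarket(address _token, address _currency, address _wallet) external {
        auctionToken = _token;
        paymentCurrency = _currency;
        wallet = _wallet;
    }
}

// Hardened variant: only the factory that deployed the market may initialize
// it, and a flag makes the call irreversible after the first success.
// Assumption: the factory deploys this contract directly, so msg.sender in
// the constructor is the factory.
contract GuardedMarket {
    address public immutable factory;
    bool private initialized;
    address public auctionToken;
    address public paymentCurrency;
    address public wallet;

    constructor() {
        factory = msg.sender;
    }

    function initMarket(address _token, address _currency, address _wallet) external {
        require(msg.sender == factory, "GuardedMarket: caller is not factory");
        require(!initialized, "GuardedMarket: already initialized");
        require(_token != address(0) && _wallet != address(0), "GuardedMarket: zero address");
        initialized = true; // set before writing state, so a re-entrant call fails
        auctionToken = _token;
        paymentCurrency = _currency;
        wallet = _wallet;
    }
}
```

For minimal-proxy clones, where the constructor does not run in the clone, the factory address would instead have to be recorded inside the initializer itself on its first (and only) call.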

Realizing the severity of the vulnerability, samczsun contacted the Sushi team and held a conference call to inform them of the specific vulnerability. He then closely communicated with the project team to urgently handle the funds in the smart contract, ultimately resolving the crisis within three hours. Afterwards, samczsun received a bounty reward of 1 million USDC from the Sushi team.

In a subsequent interview with Immunefi, samczsun described his feelings upon discovering the vulnerability as a "strange combination of excitement and fear." "Excitement comes from finding something you've been looking for. Fear comes from the ticking clock; every second that passes, someone else might discover the same mistake. My heart rate rises in proportion to the level of risk."

After this incident, samczsun's influence expanded beyond the security community to the entire crypto industry, and he became its most well-known white hat hacker and crypto security researcher.

However, samczsun's outstanding contributions also subtly hint at an unsettling and harsh reality: the crypto security ecosystem remains quite fragile. Despite a few white hat hackers like samczsun choosing to disclose vulnerabilities to project teams with a strong sense of industry responsibility and ethics, most hackers opt to actively attack upon discovering vulnerabilities to achieve greater profits.

This is reflected in the series of security incidents in the crypto industry this year: the Ronin cross-chain bridge hack, in which more than $600 million was stolen; the $80 million hack of Rari Capital (despite samczsun having previously reported a significant vulnerability in the project, which was fixed); and the hack of Beanstalk Farms for over $80 million. Each has shaken the confidence of the crypto community anew.

All of samczsun's contributions are a blessing for the industry, but they also reflect the industry's sorrow.

Note: For more on how samczsun understands the hacker ecosystem in the crypto industry and how he goes about discovering vulnerabilities, see "Interview with 'Crypto Batman' samczsun: What is it like to be a white hat hacker?"
