OtterSec - Web3 security, major attack vectors, and the largest hacks in DeFi history | Ep. 5
Released Friday, 29th July 2022

This week we sit down with Robert Chen to chat about the state of web3 security and discuss some of the largest exploits in DeFi history. In this more technical interview, we learn more about different web3 attack vectors, how exploits were performed (often draining 10s to 100s of millions), and conclude with Robert’s views on the state of web3 security and promising upcoming projects.

To learn more about OtterSec, check out their blog (blog.osec.io) and follow them on Twitter (@osec_io, @NotDeGhost).

You can also follow the Moonshot Research team @USA_Pharoah, @KidQuartz1 and @PapaPelli or visit us at www.moonshotresearch.xyz.

[0:00] Note: This week we have a more technical episode with Robert Chen, the founder of OtterSec, a web3 security and auditing firm.

[1:22] Overview: Robert’s story founding OtterSec, the major types of web3 attacks and the most interesting exploits Robert has seen over the past few years, and views of Solana and other L1 ecosystems from Robert’s time under the hood with web3 builders.

[2:18] Introduction to OtterSec and Robert Chen.

[4:15] The start of OtterSec — reporting large bugs in Saber and Jet and landing larger clients over time.

[6:05] Current projects: Bridge integrations as an attack surface, Aptos and SUI as new design spaces, and Solana frameworks.

[8:05] How security firms and hackers evaluate projects — Recurring themes and ‘Areas of Complexity’.

[9:30] The balance between auditing code and auditing ideas — Design frameworks and OtterSec’s role in supporting client companies.

[12:30] How MEV makes OtterSec a sharper auditing firm (e.g. how flash loans affect Solana).

[13:45] Robert’s pessimistic view on blockchain security based on an under the hood look at different DeFi protocols.

[14:30] Favorite (or most interesting) hacks, Solana account issue hacks, Crema’s hack on a closed source codebase.

[18:00] Other attack types — Ethereum flash loan exploits (e.g. Beanstalk), Solana’s 300M Wormhole hack, Solana’s account model.

[20:40] How major exploits work: Flashloans and Bridges.

  1. Flash loans — Flash loans will lend you a lot of money (billions) for an ultra-short period of time. Does this DeFi primitive have utility outside of MEV and hacks?
  2. Bridge exploits fall into two categories: (1) chain-specific vulnerabilities and (2) relayer vulnerabilities. Because these hacks are so large (hundreds of millions), the attacks themselves are usually more bespoke.

[25:00] DeFi projects that Robert gets excited about vs. simple DeFi primitives.

[27:40] Cross-margin and cross-chain DeFi — Jet and MarginFi.

[28:45] How OtterSec chooses its clients — quality of code is king.

[30:00] Views on DeFi landscape and investing.

  • Investing based on quality of code.
  • Sloppiness can indicate less serious teams and/or rug pulls.

[32:00] Projects to get excited about:

  • Jet V2
  • Aptos and SUI and the Move ecosystems

[32:40] How Aptos and SUI differ from existing L1s, and Move’s differentiation as a blockchain-native programming language.

[33:30] What’s it like building a top tier auditing firm as a college student?

[34:25] Is DeFi’s reputation continually eroded by hacks and exploits? Does decentralization lead to a lower-security coding environment?

[35:50] Will Web3 and DeFi ever be safer than their web2 counterparts? Perhaps not…

[36:40] Staying anonymous as a hacker and how hackers cash out of the system. How to launder millions of dollars (but perhaps not hundreds

Follow the Moonshot Research team @USA_Pharoah, @KidQuartz1 and @PapaPelli or visit us at www.moonshotresearch.xyz.
