Thank you for joining early. We're just doing some sound checks and we'll be getting started right away; in the meantime, enjoy the beats.

...over time, so maybe we can get a few more moments to do intros, but we have today Jazzy and Zellic. [unclear] Oh, I see you've requested speaker. Okay, now cool. So we have Jazzy and Zellic on. Excited to have you on to talk about smart contract security. A lot of hacks have happened in the last few years, even in the last few months, so it's great to get your perspectives and also hear your thoughts on Move. Really, really great to be working with y'all.

Yeah, happy to be here. Thank you for inviting me, and yeah, it is also a pleasure to work with you all. So as an introduction, I'm Jazzy and I'm the co-founder of Zellic. We have been doing blockchain security for about the past year and a half now, and I have my partner Stephen with me. However, Stephen is not a speaker yet. Does he have permission?

Does that... like, everyone just left. Yeah, there you go, connecting. Awesome.

Hello, hey, it's me, Stephen. What's up?

Awesome, yeah, thank you for being on board here. A bit of an intro for our audience: maybe tell us a little bit about your thoughts, how you came to work on Zellic, and yeah, I'm sure the audience...

Sure. So I met Jazzy about five years ago when we were in high school. We were playing these hacking competitions called CTFs. If you don't know what a CTF is, you can think of it as like a math competition, but instead of solving math problems you have to hack software. So when we were in high school we started playing these CTFs together and we formed a team called Perfect Blue. That team went on to become the number one team in the entire world over the course of 2020 and 2021, and then we decided around then that we should start doing smart
contract audits. My friend samczsun, we'd been friends for a long time, he told me that we should go do audits and that there was this huge issue where people are paying a lot of money for these very, very low quality audits. And we decided, after we read a bunch of these audit reports, we were really unhappy with the state of the industry. We thought that we could do better, we thought that we could provide a useful service for the community, and that's why I started working on Zellic. And it's really grown since we started it. As I said, a two-person shop; I think we're almost 20 people now, and very proud of all the work that we've done, all the projects that we've secured. And yeah, me and Jazzy, we've been in crypto for quite a long time. I think we've both been in it since around 2016, granted, so we've seen everything from the ICO bubble in 2017 all the way up to what we see now. So yeah, Pontem, please go ahead.

Yeah, that's pretty crazy. I didn't know they had like a hacker Olympics. Would love to dive deeper into how did you get involved in that, and what was that like, going through all these competitions and then becoming the number one team?

Well, it's actually kind of a bummer, because in 2020 and 2021 we were supposed to go to all these competitions across the world. So actually when we were playing back then we were college students, and we were essentially just competing for free travel, because if you qualify for the finals you can usually go to the finals in some place in the world, which might be Korea or Japan or Romania, and they'll usually pay for your flights. But it was during COVID that we got really good, so we didn't get to go to as many as we hoped to, but we did get to go to quite a few places. And now that COVID's over, me and Jazzy still play for fun on the weekends when we have time,
because running a company is a lot of work. But yeah, it's really sweet, and just in general a great community, lots of really smart people, thoughtful people, and you get to solve really interesting challenges, and it keeps you sharp on the tech side too.

Nice. What does that actually look like? Is it like predefined puzzles, or maybe you go up against other teams and try to hack each other?

Oh yeah, great question. So there are multiple formats in these CTFs. Oftentimes the most common format is a Jeopardy format, which is, as we described, some predefined puzzles, and if you solve them you get points. There's a leaderboard for how many points you have. Usually it's like a 36, 24 or 48 hour competition. There are also attack-defense CTFs, which are very high touch; they're quite complicated to set up, and because of that you don't see AD CTFs that often. But some of the more prestigious CTFs, like DEF CON CTF, which we participated in last year and the year before that, are also attack-defense, and that one is like you have a bunch of teams on the same network trying to hack each other. You have some vulnerable services that you have to host, and you have to patch your own services to fill all the holes, fix all the bugs, and you also have to exploit those same bugs to attack other people's instances of those services. It's pretty sweet.

Yeah. Are there any boundaries, like social engineering and other tactics?

Oh, we actually got busted last year, because I ran a fork bomb on one of the competitors' servers, and apparently that's not kosher.

Yeah, I mean, if you're a hacker there are really no rules or boundaries, though. In my opinion, it doesn't make sense to put boundaries on a hacking competition.

Well, I mean, you wouldn't want to blackmail your competitors, right?

That's true, that's true. Yeah, you probably don't want to ransomware them and ask for Bitcoin
to continue the conversation.

Yeah. Awesome. So from that, what really got you interested in crypto? What was your journey into it?

Jazzy, you want to explain your story? Because I think our stories are pretty similar.

Yeah, I mean, so my story is, I first connected to crypto back in 2015 when I was still back in India. So I was this 15-year-old kid in India and I was doing some freelance work, and the best way for me to get paid was Bitcoin, and I'm like, hmm, this is very cool. And then right when I moved to Canada around 2016 I heard about Ethereum, and it was just very interesting, because it was a concept where you could write code on the blockchain and it would run on every single computer around the world. So I just got super interested in that. I started looking into Geth; I think I found a bug in Geth itself around 2018, 2019. And in late 2020 I started doing a lot of MEV, which was also very fun. And yeah, most of my interest was just my own curiosity; blockchains just seemed very cool and we just got deeper and deeper into it.

So you found a bug in Geth, the Go Ethereum implementation?

Yep.

Oh wow, that's crazy. Yeah, definitely have follow-up questions there. Yeah, sorry, go ahead, Stephen.

I guess if you want to know more about how I got into it, it's very similar. I was a 16-year-old kid and I wanted to do some freelance work on the internet, and yeah, I got into Bitcoin, like, oh, this is lit. And also because I had a lot of internet friends at the time, you know, it's kind of hard to send your friends money if they live across an ocean from you, because banks are annoying when it comes to that, especially if you're all 16-year-old kids. So yeah, we used to remit money and accept money with cryptocurrencies, and that's how I got into it. And I discovered there's such a thing as pay-to-script-hash on Bitcoin, and I was like, okay,
so Ethereum took the idea, made it Turing complete, made a richer set of opcodes, and then that's how I got into all this stuff.

Nice. That's definitely encouraging to hear that it was through an actual use case, being able to make cross-border payments. Yeah, I'm actually super curious to hear, Jazzy, following up on what we said earlier, you seem to have really intimate knowledge of the EVM. I'm kind of curious to hear your thoughts on how the Move VM compares. I know that from an overall narrative perspective people say that Move is safer than Solidity, so yeah, I want to hear it from experts like yourself. What do you think?

So if you look at the VM level, I would definitely say there are fewer ways to basically do wrong things in Move. You can think of the EVM as a thing where everything is allowed and there are a lot of ways you can [expletive] up things and things can go wrong, whereas the Move VM is designed in a way that it is harder to have things go wrong. So for example, having linear types and basically having a type system at the VM level really protects you from a lot of issues that are plaguing the EVM. For example, there's no reentrancy on the Move side, because you need to know all the addresses at compile time, which really reduces the attack surface. And also the capability pattern of basically having the least privileged access level is also super useful, as people have been using it on the Move VM side. So I think the Move VM is definitely a bit safer, but it also comes at the cost of composability, because since you need to know everything at compile time, you can't really compose arbitrary contracts at the Move VM level. But yeah, I think that's a very good summary.

Yeah, so as I understand it, there are
some ways that just make it easier for developers to not make common mistakes, but there are probably still a lot of best practices that you can follow, just in general for smart contract building, that still apply to Move. I guess out of the ones that you mentioned, which do you think causes maybe the most attacks on Ethereum that potentially won't happen, or that has frequently happened on... reentrancy?

Yeah, I mean, if you look at the history of Ethereum, there were a lot of issues that happened due to reentrancy, but reentrancy has slowed down in recent years, just because people like to slap reentrancy [guards] on every single contract now. Back before Solidity 0.8 there were integer underflows and overflows, which the Move VM stops at the VM level, but before Solidity 0.8 everything could underflow and overflow, which definitely caused a lot of issues on the Ethereum side, which I don't think is possible on the Move VM.

I think when we say underflow and overflow, I think the better way to think of overflow and underflow is like sending negative money to someone. That's a funny outcome of underflow and overflow. But yeah, Jazzy, go on.

Oh yeah, I mean, apart from that, most of the bugs that we find on audits these days are usually business logic bugs, which affect both EVM and Move at the same level, because this is logic. You essentially can't solve that at the code level, because business logic is like, my thing is supposed to do this, this and this, and it's doing this, this and this, but is that actually what you intended to do?

Yeah, and business logic hacks can affect any smart contract, really. Do you feel like Move, maybe because it's a little bit easier to read, maybe compared to building with Rust on Solana, makes it more intuitive or
easier to audit, or easier to look for these business logic errors?

I mean, definitely having high readability helps. Plus, since there's formal verification directly built into Move, if you know your spec well and your spec is concise enough that you can prove it, then you can solve a lot of logic issues that way, if you know your logic is correct. But there are a lot of issues where people believe that the logic is correct, but it's typically not, because they have not considered all the consequences of a certain type of logic.

Yeah, maybe all the edge cases. Yeah. So the prover is also something that's touted as a feature of Move that people really like. I definitely understand that for Solidity there are also provers, but yeah, I would love to hear from you what the differences are, or similarities, between what's available with Move with the prover and how you have to do proving on Solidity.

Well, the provers on Solidity, you're probably talking about the SMT Checker, I believe.

Yep.

Although the SMT Checker is fairly simple. It's basically either a bounded model checker or a constrained Horn clause solver. They basically just reinterpret the Solidity code, you can think of it almost as line by line, into a series of SMT formulas, and then it plugs these into an SMT solver like Z3 or cvc5, or actually, they now use cvc4. Then the Move Prover, I believe it's also based on an SMT approach; however, it's a bit more crafty with how it uses SMT. For example, it also finds loop pre- and post-conditions and it also finds loop invariants, if I remember what I learned from the slides correctly. I remember talking to Mung, who was on the Diem team at the time, and he had some really interesting things to say. I think the Move Prover is definitely a lot more powerful than the SMT Checker currently, and that's just because it's integrated into the language at a
much deeper level. It also applies some of the things that we've learned in academia about formal verification that I don't think have really been ported to the SMT Checker yet.

Very cool. And how do you see that maybe scaling? Is it relatively easy for teams to do formal verification on their code, or is there some form of libraries or something that can be reused? Like, do you see formal verification for Move being one that gets adopted, and if not, what are some of the challenges?

Well, formal verification is tricky for two reasons. The first one is actually getting your code to verify. It could be that it's very hard to convince the prover that your code matches the spec, and that could be because your spec is something complicated or requires some inductive property. For example, regardless of whether you're using the Move Prover or [unclear] or the Solidity SMT Checker, I think that you would be hard-pressed to prove that a square root function that uses Newton's method converges, because that proof requires actual math and calculus. At the same time, I imagine it would be challenging to prove properties about data structures, because those are also inductive proofs, right? In general, I think approaches like the Move Prover and the SMT Checker don't do well with inductive properties. I also think the second issue, when you're doing formal verification, is you don't have bugs in your code anymore, sure, but then you might have bugs in your specification. You may forget to rule out certain edge cases in your spec, or not consider them altogether. I think these are two common issues that we see everywhere when it comes to formal verification, from both hardware circuitry and software in general. In terms of how the industry is going to proceed with its relationship with formal verification, I think that we're probably going to see the rise of formally verified libraries that become almost standard libraries for the
community. For example, this would be like the OpenZeppelin stuff back in the EVM world; granted, I'm not sure if those are formally verified, but I think we will see the rise of a set of formally verified libraries that everyone builds with as primitives.

Yeah, that's a really good point, and I know we've wanted to do some formal verification on some of the math for Liquidswap, and open sourcing that would definitely be useful for the community. One building block that we need, potentially, is something like an OpenZeppelin, like a big library of reusable code. Maybe the standard libraries for the framework could be that, but potentially there are still a lot of pieces missing. But yeah, kind of curious to hear your view, maybe even outside of just security, on what you think of Move compared to some of the other languages. I guess Solidity is the biggest one, but if you're familiar with others, just honest thoughts.

It's an incredibly well designed language. It was designed very thoughtfully and carefully by a team of extremely smart people. I know this because I used to be colleagues with people on the Diem team; that was back when I was in university. I was an undergrad, I was in a research lab, and Mung was one of my colleagues at the research lab. If you look through some of the slides or just the papers on Move, it's designed incredibly well. It knows exactly what it's trying to do; the use case is very clear: we want to write some secure smart contracts, we want to make it as difficult as possible to shoot yourself in the foot, or make it even impossible to do that. I think that compared to Solidity, which definitely feels like it was developed organically and a lot of features are ad hoc, I think that Move is very careful in what facilities it makes available to the developers, and that's a good thing. I also believe that the linear type system is just like,
you know, one of those new age... okay, linear type systems have been around for decades, but the resurgence is definitely a Zoomer thing, and I also think that it's a good thing.

By Zoomer you mean Gen Z?

Yeah, where it's kind of like bringing back something that used to be old school cool.

Yeah, a Zoomer thing. Awesome. Yeah, any thoughts there, Jazzy, on Move versus other languages?

I mean, I would say my thoughts are very similar to Stephen's, that Move just makes it incredibly hard to shoot yourself in the foot. In Solidity there are just a lot of ways you can do something in the wrong way, and in Move there are not a lot of ways you can do something, so there are only very few ways to do a certain operation. It just constrains you a bit so that it makes you do things in the right way, which I think is very useful, especially for critical applications like blockchains. I mean, if you look at the history of Move, Move was designed to be run only on blockchains, or mainly on blockchains, so all of its design and planning has been focused exactly on blockchains, and also formal verification, because that was a first class use case for Move as it was being designed. So it is easier to formally verify Move as compared to Solidity, just because of the design principles of Move. I also think that Move just feels better to write. In Solidity I always have to [expletive] try three or four times to cast a uint32 to an address; you have to go first to uint256 and then cast that. It's dumb.

Yeah, I mean, have you ever tried to do uint256 of negative one in Solidity, like Solidity 0.8? I just type in 0xff... every time now, because I can't remember the right syntax to do it. Because, I don't know, Solidity is just designed like a mishmash of stuff;
it feels like it was designed by committee.

Yeah, I think Gavin from Polkadot was the person behind it, and you know, it's a noble first attempt. Ethereum was definitely groundbreaking for the time.

Oh yeah, yeah, 100%. Solidity needs to have existed so that we can build off of it, but it does feel like I'm writing JavaScript sometimes, and it just does not inspire confidence when it feels like I'm writing JavaScript that's going to be handling tens or hundreds of millions of dollars.

Yeah, I mean, you can think of it as JavaScript, but on the blockchain.

Yeah, it's kind of like, I doubt some of the banking systems, like the critical infrastructure of the apps that we use, run on JavaScript, right? They're probably...

Well, I mean, no, they're running COBOL.

Yeah, it's COBOL, like another low-level language.

No, COBOL is like mainframe [expletive].

Yeah, exactly, it's similar here. You're also very close to the servers or the hardware, right? You need something that's super close to... like it doesn't need to be that abstracted away, perhaps.

Oh, I don't know about that. I mean, I think there are upsides and downsides to abstraction or not having it, right? Because you still need to build all these applications. It's kind of... yes, blockchain's kind of weird, because what you're building, or the logic that you're building, is so close to the hardware, but it's also like, you know, the applications themselves need to be relatively intuitive for people to build this complex business logic, otherwise it can be very, very hard.

Yeah. Hey, Pontem, what are your plans for 2023?

Yeah, for 2023 we're excited about working on concentrated liquidity. We think we can speed run Uniswap on some major features that I think the whole industry is researching and moving towards. One of them is volatility fees, essentially based on an internal volatility oracle, so you have dynamic fees that can help reduce some of
the impermanent loss. We're also looking at things like discretized liquidity for liquidity provisioning, which should help with price slippage within certain steps of pricing. We're also working towards, I talked about this at another one, we haven't made a formal announcement, but we're really bullish on Move and we want to make sure that it's available on Ethereum. Me myself, I'm definitely a believer in Aptos and high throughput chains. I think Ethereum currently, even layer twos, are going to have scalability issues. The latency for something to have finality on Ethereum will still take, you know, several minutes, potentially up to an hour depending on how many confirmations, and even the throughput, we're still at a few hundred, maybe a few thousand. And even if all the bandwidth was taken up by an L2, we're still pretty far away from tens of thousands, maybe hundreds of thousands, on Ethereum. But the bandwidth is not being used yet, and most of the, maybe Lindy effect of store of value and what people are speculating on is on ETH, maybe wrapped Bitcoin on ETH, perpetuals for doing speculation on future prices. So we're seeing a lot of that, for example on Arbitrum with GMX, dYdX, even though that's on Cosmos. So our goal is to essentially deploy the Move VM on Ethereum so that application developers on Ethereum have the same optionality that they do with Solidity as they do with Move, to deploy on various chains. So currently it would be Aptos and Ethereum, but this model is expandable to more chains. But it really would depend on each ecosystem; for example, on Avalanche it might have to be its own subnet, which comes with its own intricacies, and similar with Cosmos, versus something like, for example, zkSync, which uses LLVM, a compiler commonly used, for their zkEVM implementation; it's relatively doable to do something similar
with Move. So yeah, bringing Move to Ethereum I think is going to be a huge milestone for the industry, and we're excited to work on making that happen. So that's probably the biggest development that we're going to be working towards in 2023.

Awesome, yeah, that's really exciting.

Yeah, I think the biggest challenge, and would love to hear your thoughts on it too, is compatibility with the EVM. As I best understand it, all these different runtimes might still need to be run asynchronously, so you might break composability across them, unless you have two runtimes, sorry, two VMs in the runtime, I guess. But at least, as I look at Neon, for example, on Solana, it does look like they're working on ways to not break composability between the EVM and the Solana VM that they have. So I think that might be one of the biggest challenges: are we creating these kind of bubbles of applications that can't compose with ones that are operating on other VMs? So yeah, kind of curious to hear your thoughts on that, and what some of the challenges might be, and even potentially how they could be solved.

Oh yeah, I mean, I think the easiest way might be to have multiple VMs, because that just makes things work coherently, but I don't think anyone will go towards that, just because it makes the blockchain significantly more complicated when you have multiple execution layers. So the solution that Neon is taking, where they're building the EVM on top of the BPF interpreter, is probably pretty okay, but again, as you said, it breaks composability, because you have to break a single transaction into multiple asynchronous transactions, and that just reduces the overall composability of the platform, because you can't really get the
result of your execution in the same transaction. But yeah, I don't know what's the best way to go about fixing that, though, because that just seems like a challenge at the execution level, unless you're able to execute the whole... maybe it is possible to have a layer two with a different execution layer, maybe you can make a layer two which is... actually, no, never mind, that might not work either. Let's see. What are your thoughts on how to get multiple execution layers?

Yeah, Move on EVM or vice versa.

I'm thinking, well, it depends on how much you want to compromise in the Move language.

Mm-hmm.

Because I think if you just didn't do any of the checks that the Move VM does, you could totally just port the language over and write a backend that compiles to EVM bytecode. But if you want to have all the checks, you probably need to write some builtins to do that, right?

I mean, you can definitely have a compiler that compiles the Move version to EVM, but it won't really have all the runtime or the bytecode verification checks.

Oh yeah, I mean, technically you could do that, because it is Turing complete; you could just run that on the chain. It'll just be really stupid, like incredibly inefficient.

Yeah, it seems like the layer on top might be a good way. What we're researching is this L3 architecture that ZK enables, where you can have what seem like app chains essentially connecting to kind of like a public chain that then checkpoints into Ethereum, and then these individual app chains can even have their own consensus. Although you still have, you still break... if this one is just the Move runtime, for example, you'd still not have the EVM composability, so any calls to Solidity contracts would be asynchronous. I think actually the main issue there is probably just going to be MEV, if there's any arbitrage between,
let's say, an Aave running on another app chain, I guess, and Liquidswap, or another credit protocol, potentially, like arbitraging on yields, you would have MEV between the two if it's asynchronous. I think Cosmos is working on some form, maybe a sequencer or some form of intermediary between their different app chains, so that transactions can be executed atomically, or at once. So that could potentially be a solution, but I think, yeah, it's going to be hard to figure out how to actually have atomicity, or having these contract calls between different runtimes execute. That's definitely one of the biggest challenges.

Yeah, I mean, it also brings up the point of how much do you want atomicity. There are a lot of applications that depend on atomicity, but as applications grow bigger there might be less need for it.

Yeah, what do you mean by that?

I mean, I'm just thinking about, for example, NEAR, right? NEAR at its core is not atomic when you do cross-contract calls, and there are still relatively okay applications built on it, because you can program against that by having state freezes, so that when you do an asynchronous call you can just freeze your state and you accept nothing else.

Oh yeah, but it just makes development a lot more work. But it's doable, it's just that you have to program around it.

Yeah, you have to program around the non-existence of atomicity.

Yeah, but it also makes your code not source code compatible, right? Because if on one implementation you have atomicity and the other one you don't, that means that when you port it over you can't just use the same code base, you have to basically rewrite it. It's like, what's the point? Ifdefs, buddy, buddy.

I thought we learned a lesson about this. Ifdef, but on the blockchain.
Oh my god, brother Jazzy, you can't propose bad language ideas just because it'll make people write more bugs and create more jobs for us. Think about it, that's not fair, Jazzy. Is that another long-term... okay, never mind. Guys, you're on a public Twitter Space right now; think about what you say before you say it, Jazzy. I know you're the one who usually says that to me, but come on. A little joking, but yeah.

Yeah, I mean, by the way, if it's not obvious, we're joking.

Yeah, we need to move towards just having completely perfect contracts written by ChatGPT and then, you know, everything will...

Oh yeah, yeah, 100%, 100%. Can read it.

Okay, so pulling on this thread a little bit more, I'm kind of curious to hear maybe your vision for what blockchain looks like in five, ten years. Is it a bunch of islands that have this asynchronous problem, where it's just like these islands, or maybe like nation states on the internet, on the metaverse, kind of connecting and composing and working really well together, and then every once in a while someone needs to do something with another nation state and there's some cross-messaging protocol that does it asynchronously? Or do you think we could get to maybe a holy grail of atomicity or synchronous state between all these different blockchains? I'm kind of curious to hear what you're thinking and what this looks like.

Oh, I have no idea. Yeah, I mean, I don't think we can just predict this, but a multi-chain future does look possible, where you have different layer ones with their own different intricacies and there's a custom protocol; that is one possibility. But I'm not sure, because the blockchain ecosystem just develops so fast that there's not really a way you can predict any of this. Yeah, I mean, 10 years ago could you have predicted that we would be where we are now? Because
10 years ago we didn't even have Ethereum.

Yeah, yeah, that's right. 2014, right, Ethereum? I mean, they had their ICO in 2014. Yeah, it feels like a trope to say we're early, because there's been so much price volatility and the quote unquote market cap is so high, but the tech itself doesn't really, you know, work yet at what we think it should work for us to actually sustain billions of people. So it's definitely early, I guess.

Mm-hmm, yeah, very much so.

Do you think we'll ever get there? Because even a hundred thousand TPS, right, that doesn't sound enough to run like a Twitter or Facebook, or even Visa; I guess that's like 600k TPS. So how are we going to put everything on the blockchain?

I mean, I think the question is a bit... how are we going to know what the final use case is going to even be, right? Because it could be use cases that are unlocked by blockchain that we don't even know about yet. I think it could be a mistake to assume that we have to... because it could be thinking inside the box to think like, oh, it has to be Facebook on the blockchain, right? Who knows, there could be some new use case that was completely not possible before. Like, for example, who would have predicted the rise of DeFi when Ethereum just came out, right? Well, other than Vitalik.

Yeah, but yeah, I think we'll probably see some maturation of the existing use cases. So okay, maybe this is controversial to say, but I think at least short to middle term, really the only use cases that apply are store of value, so we're seeing Bitcoin; I think NFTs fall under this as well, where people are storing value in art or some commemorative object, and then ETH I think as a coin is also earning store of value. And then there's trading, so there you have both spot and derivatives; I think GMX and Uniswap are good examples of that. Then you have credit, and various use cases for credit, money markets, and
then all types of Leverage uh and then money management I think the most interesting one is actually like Olympus Dao or the implementation of time even though I know it wasn't done really well uh but maybe like Index Fund as well where people or or now the uh uniswap V3 position uh rebalancing protocols like gamma I think that's that's also like wealth management or money management and like we were naming these things so weirdly that we're losing track that these things already existed I guess and now we're just doing it better um and then everything else I think might be like super really speculative like uh yeah like a Facebook or an Uber um I think that's that's really speculative but I think we'll probably see these uh Financial applications play out with the stores of value so you know people are going to want to take credit on their nfts and they're going to want to do that with Bitcoin and eth um and then potentially some meme coin like Doge or Bonk uh and then that's gonna be like you know crypto maturing within its own sandbox but then I think we're gonna need to break out of our sandbox and go into real world assets and I think we're already starting to see some of this um but yeah I think if we can prove out that we can do instant settlement and have programmability and and have an open permissionless environment for money with these like kind of like funny magic internet money coins that we're minting uh then we can move all this value like this technology to uh like real world assets and then I think that's hopefully how how it matures and you know there might be some permission chains or whatever that you know get get tapped into as well asynchronously um but I mean that's that's my opinion if we get stuck here in this like kind of like bubble of only playing around with with the sandbox of crypto um you know it has a kind of like a cap and the crossing over to real world assets I think the use case has been proven by stable coins like those are 
essentially like derivatives digital derivatives or receipts of of money that's stored in a bank vault somewhere so I think that could probably be iterated on for for a lot more assets so okay I guess we shouldn't get into the real world assets tar pit because that's such a deep discussion that I think it would kill the rest of the space um how about okay I guess one of the questions that I think we should go over is what was the essence of your partnership with selic um yeah we have uh so we have collected some questions from the community um yeah we're uh honestly yeah very happy to be working with y'all uh your highly recommended uh by other teams I believe specifically the Aptos Foundation uh so uh yeah really uh really great to be working with Galileo did a really good job with our uh Audits and yeah excited uh excited to work with y'all um and hopefully continue uh building up move and uh doing stuff like this where people can learn more about move and app those and blockchain in general so um but yeah uh I guess what are what are some of your thoughts on our partnership and how we can work closely together could you repeat the question I just cut out for a second oh yeah just kind of curious to hear your thoughts as well on you know how you work closely together with us and maybe other other projects and ecosystems like Aptos yeah we work closely with the quantum team to audit both their decks and their wallet we just had a very good experience working in ponteme they're extremely professional in terms of working with other projects I mean I think that clearly what we do is we help blockchain projects stay secure we're looking forward to helping throughout the Aptos ecosystem it's really exciting space and we want to make sure that everything is secure as it's being built out at this incredible Pace we want to be the people that are enabling the community to ship at this Breakneck Pace while also keeping their users safe I think that's a very important job 
and I'm glad to be the one who has to do it.

Nice. Yeah, this one also looks interesting: how can blockchain gain mass adoption when the users themselves need to have a high degree of knowledge of technical code to verify contracts, for example, to ensure safety when navigating Web3? So, yeah, given that it's so dangerous to navigate Web3, how can this gain mass adoption?

Well, I think we can compare it to the early days of the internet, right? Because initially it was just the tech enthusiasts and these, you know, tech nerds who were interested in the internet, and people made fun of these nerds, like, hey, what are you doing on your computer all day, right? But as the industry matures, it's going to be available for mass adoption for everyday users, and that's going to come along with UX improvements, usability improvements, as well as better accessibility, right? Because a lot of America, for example, didn't have access to broadband internet until way into the 2010s, right? And that's still something that's being worked on in the rest of the world as well. Now I think one of the main issues that we face is that the UX of crypto is not easily portable or comparable to Web2, so there's a lot of education that needs to be done, there's a lot of improvement that needs to be made there before we can see mass adoption. But I think that it's a very promising future for sure.

What do you see, I guess, as some of the guardrails that need to be put in place so someone like my grandma can come and start using crypto?

Well, I think the biggest problems would be custody as well as phishing; that's a huge issue. We've seen fraudulent activity in CeFi. We've seen... what else are some issues? Well, we also need to just make sure that the markets themselves are safe, because, for example, it's not great when a protocol gets hacked or a protocol has some economic issue that leads to some quote-unquote arbitrage, right? I think these are all things that need to be addressed. I still think that solving the custody issue and also social recovery is going to be very important. I think that's something that we're going to see in the next generation of wallets, perhaps. I'm not 100% sure on this issue, because I'm just a humble security researcher who happens to have a company.

What do you think are some of the solutions for custody? Like, maybe... so I've seen some that use like a threshold network, a threshold cryptography network, I guess, to do like a giant multisig, and then maybe use like a social login as one event and then your device is like another one. So that's one, but yeah, kind of curious to hear your thoughts on maybe what are some of the solutions to custody.

Well, regardless of what the solution is, I think the one danger that we always have to keep in mind is the trade-off between, you know, how nice the solution is versus how complicated it is, right? Because the fancier you make a solution, the more complicated it's going to be, and the more explanation you're going to have to do with your users, right? If we want Grandma to be able to use crypto, it's going to have to be something that's pretty foolproof, and explaining to her how social recovery works with a threshold, you know, signature... that's probably not going to fly, right? It's got to be something that's very foolproof. I'm not 100% sure what the full solution is going to look like in the future.

Yeah, I definitely agree. The user experience needs to be as simple as just clicking a few buttons, and that's it. I mean, I think even if it's super complex in the background, as long as the user interface is relatively simple and people understand what they actually need to do to stay safe, I think that'll be good. I think it is very challenging, because, I mean, one way that a lot of people think of their crypto right now is that they might have a hardware wallet or they might have a device with their keys on it, and that's essentially like keeping a big pile of cash under the mattress, right? And I'm not sure if Grandma would be jumping at the opportunity of keeping her retirement savings under the mattress, so to speak. I think she might want to deposit that somewhere. The question is, who would you trust to deposit that with, right? It's a very difficult question, and I think that the solution to that is going to be huge, and I'm looking forward to what we build.

Yeah, I think maybe if she grew up in the 1920s or in an emerging economy where their banks stop giving out money or stop withdrawals, potentially she might want to keep her money under the mattress, but yeah, 100%. Oh yeah. Yeah, you know, I think actually the centralized exchanges would be super useful here as long as we don't give them full custody. Like, I think shared custody with exchanges who also have the infrastructure for KYC/AML, which I think is also going to be important for this industry to really reach broad adoption. So I think what I envision, maybe potentially, is, for example, a partnership with an exchange, and you just create a multisig with them, and maybe one of the keys lives in your device, and maybe that's safely stored on, for example, the Samsung or Solana phone that has a specific hardware storage for it that's well made. Something like that, in partnership with exchanges, I think might also help with this. At least people don't have to think too much about it, and they're not giving full control of their keys.

Yeah, I mean, you know what they always say, right? It's like, not your keys, not your... Yeah, exactly. Maybe half your keys, half your crypto, or... yeah, who knows, I have no idea.

Cool, so let's see what other questions we have. One that's interesting: how did you choose the name Zellic? And, yeah, maybe... Yeah, so Zellic stems from our background in
vulnerability research, right? It's actually... the name is derivative of zalloc, or, like, you know, z-allocate, which is a low-level memory allocator that's used in the BSD kernel and notably the macOS XNU kernel, and that's because we were hacking some iPhones back in the day.

Nice, okay. Interesting. What did you learn from hacking the iPhones? Are they like, kind of like, jailbreaking them?

Oh yeah, so, like, it's a long story, but I used to work in the VR industry, where VR being vulnerability research, where we basically would originate, develop, weaponize and sell exploits that compromise iPhones either remotely or locally and then jailbreak them and proceed to do the full chain. I guess what I learned from that is if you throw enough money at any target, it's probably hackable.

Interesting. Would you say that's also true for something like Ethereum or Bitcoin or even like an alt L1?

I mean, yeah, if you throw enough money at the network you can just buy all the tokens. That's true. Yeah, but I guess the argument is that the price of it would go up so much that it would be very hard to get all the ETH required, I guess. I mean, keep in mind that, like, if you take, I don't know, Fidelity, and you take like one percent of their AUM and use it to buy Bitcoin, like, you would buy a pretty big chunk of all the Bitcoin in circulation. You probably want to short it first. You probably want to, you know, manipulate the market down first and then buy it really cheap. Oh, I mean, like, this is not necessarily an attacker who is interested in economic profit, this is just an attacker who is interested in harming the network, right? Yeah. I guess my biggest concern with something like that is that if, let's say, we do start to trust critical infrastructure like banking on Ethereum, and a big state actor like China decides that, you know, we're not going to use that, that's not safe, but then they could theoretically have an attack on Ethereum, which, if it took out most of the western economies' banking infrastructure, that would be pretty bad.

So, oh, I mean, like, I'm not going to make broad comments on stuff I don't understand, but like, my vague feeling is that all of our critical infrastructure is insecure anyways. So yeah, that's true. It's just that, like, nobody [ __ ] with it because they don't want to go to war, I guess. Yeah, pretty much, that's right, because, like, if you take over a power plant and then you cause a computer to crash, like, that's technically an act of war, so, like, don't do that. Yeah, and unfortunately that does seem to be happening somewhat more frequently than normal. Like, again, like stuff... I mean, yeah. Interesting, definitely not something good to be seeing. Yeah, it's not great.

Yeah, I wonder if Bitcoin has that same issue, I guess, because they have the ASIC miners, so you would need to really bootstrap or buy a lot of these specialized hardware devices, which makes it a lot harder, and then... so, like, even if you bought up all the Bitcoin you couldn't hack Bitcoin because it's still proof of... I mean, like, you just have to take over a few big mining networks, because, like, there's a few points of failure. There's always centralized points of failure in everything. Like one of the pools. Yeah, I mean, like, I'm pretty sure Bitcoin just has maybe less than a dozen big pools if I remember correctly, right? Ethereum's even worse. I guess the argument would be that the individual miners, if one of these big pools was hacked, wouldn't provide anymore, but... and then you need to sustain that attack for a long enough period of time to, like, create a chain fork, I guess. And I think... I mean, I definitely agree with the sentiment that if you throw enough money at something you're probably going to be able to hack it. I'm just thinking maybe proof of work might be harder or more expensive than proof of stake. I have no idea. I mean, I still think that the tenet of, if you apply enough violence to the problem and if you're willing to get your hands dirty enough, you can do whatever it is that you want to get done. So if, like, you're a government and you're hell-bent on doing something, you're probably going to get it done. That being said, it might just be really, really messy and people will hear about it. But I mean, that's what I learned from hacking on iPhones, because it's like, iPhones are these incredibly secure devices, but if you're just motivated enough to find the bugs and the market is willing to incentivize you enough to attack these devices, then you're going to find exploit chains in these devices.

So do you think maybe it's dangerous to move away from the App Store? Like, I know in Europe they recently passed a law, or there's some news about being able to sideload apps, or creating...

Oh, I mean, like, I have opinions about this, but completely unrelated to security. It's just like a user experience thing. I think the upside of sideloading is that, like, I can put a DS emulator on my phone, which I think would be pretty sweet, because then I can play Ace Attorney on the train, which I already do, but I just use one that's like a [ __ ] website. It's JavaScript, so, go modern technology, I can have a website that's literally a DS emulator that I can use on my phone on the train. So I think the upside of sideloading is that it obviously opens up the developer experience; anyone can make and sideload apps. The downside, though, is that it, like... okay, so imagine you go to a restaurant and they're like, oh, to see our menu please sideload this app. Like, I would rather just [ __ ] kill myself, to be honest. Yeah, what kind of malware is this restaurant... I was saying, or not even malware, like maybe their app is just really [ __ ] and then it just sucks, and like it doesn't
load or whatever, and then maybe it doesn't support my version of iOS or something like that, because there's no quality control, right? It's a sideloaded app. Or maybe it's just festered with ads or something like that. Or imagine you go to work and you're on your first day of work at orientation, and they're like, hey, please install... please sideload our company's app onto your phone. And I was like, I think I'd rather just kill myself.

Yeah, these walled gardens definitely create... so there's an upside and a downside. I think the biggest downside is that these app stores are kind of monopolies and they can set arbitrary... Oh yeah, like, don't they take like 30% of all in-app purchases? Like, if you're trying to get Twitter Blue on your iPhone it costs $11 a month, but if you get it on the website it costs eight dollars a month, and I guess that's just Twitter's way of protesting, like, hey, Apple's [ __ ] us and they're just passing it on to the consumer, because they're like, we're not eating this, we're just going to make the consumers aware that Apple's the best. Yeah, exactly. And, one, that's definitely kind of like price fixing, because you can't have a competitor come in and try to offer better fees for an app store. Two, you also can set somewhat arbitrary rules, like, for example, NFTs, just a short period of time ago, were really difficult to get any NFT app... I think Coinbase posted about this also for iOS. Any form of crypto could also be easily quote-unquote banned, and then it's really hard to get apps that are related to crypto on there. So it's almost like too much power, and maybe being arbitrarily wielded, is definitely not good either.

I mean, that's just the way that tech stacks work, right? That's why, I mean, that's why investors love to invest into L1s, exchanges, bridges and stuff like that, because that's where the value accrues, because those are the points of centralization. They're the fundamental building blocks everything else has to be built on. In other words, you can rent-seek. Yeah, and that also seems to be like a strategy for tech companies: just grow really quickly at pretty much zero profit or even negative profit, and then once you become a monopoly, then start to make... Well, I mean, we'll see if that strategy is actually good or not, because we've existed in a zero interest rate environment for the past 10 years, and now we're no longer in that. So now we have these companies who were forged on that principle, and now it's finally being put to the test, because it really wasn't being put to the test before. That's also why we've seen like multiples just die. But I guess this is not necessarily the best space to be having a discussion about equity markets, because also I'm not like an expert in equities, I'm just like a humble security researcher who happens... I think it's fun to speculate. I think it's applicable here too. I think the somewhat VC... I guess VC-subsidized free rides and free food similarly apply to crypto, where, I guess, VCs subsidize... they have private sales of coins or tokens being given out for adoption of these protocols. I think also somewhat similar. Yeah, it's [ __ ], it's customer acquisition cost, it's CAC. If something is free then you're the product. Yeah, exactly, but I don't know if that applies here in crypto. Hey man, all I'm going to say is I really [ __ ] miss when Uber rides were like five dollars, all right? I really miss that. No, but what you do is, when one of the taxi apps gets expensive, there's always going to be another taxi app that's being funded by someone like an investor or something. So what you do is you just stop using the old taxi app that ran out of CAC and is expensive now, so you switch to the new taxi app that's going to be slightly more buggy but it's way cheaper, because they're getting hacked because they're trying to compete for the taxi market. It's great. So you just have to constantly jump between these apps and go to whichever one is CAC-ing customers the most right now. In fact, like, you can extract so much value from CAC if you're just actively CAC-farming your life, like, get those Instacart credits or whatever. I went through a phase... I mean, if you think about it, it's actually like the world's worst form of universal basic income, VC-subsidized. I mean, okay, okay, this is a [ __ ] post, but like, what about 30 years in the future when instead of giving you free taxi app rides or giving you free food delivery, why don't they just give you like a $100 check in your checking account every month, and then you just promise to put your eyeballs on an app for 30 minutes a day and listen to propaganda? Like, that'd be pretty efficient, right? You can cut out the whole hassle of building a whole taxi company, right? I'm just kidding, this is a joke, like, don't take this seriously. I was just being like... what's the CBDC tracking where you spend your money? I think it could be possible: VC-subsidized basic income. I went through a phase where I did pretty much all the meal kit companies, where they just deliver meal kits to you and the first month is free, so for half a year I was just getting highly subsidized free food. Well, it wasn't fully free, man. Yeah. Oh my God, this guy is the humble CAC farmer. I gotta show you that meme after this space. Yeah, sorry Jazzy, you were saying? Yeah, and I was saying I did the exact same thing last time in college, where I just got like four food delivery companies to give me food for like three months. Yeah, exactly, it's great. Another one: the delivery services that do snacks, like Gopuff, there's a bunch of them that also... or you could get like $200-300 worth of snacks just for free from all this. Yeah, it's crazy.

Cool, so I know we're running on time here. Any final thoughts, any final words for the audience? No words; we'll drop the mic there. Thank you, thank you guys for joining, this was a really fun conversation. It's awesome when, you know, we go off topic and talk about random stuff we're not experts in. So thank you for joining, and yeah, hope to have you again soon and would love to, you know, continue