

The following is the text version of this online salon.
Cassiel: Please introduce yourselves briefly.
Zhang Xiao: Hello everyone, I am very glad to be able to discuss Web3 security issues with you today. Briefly, zCloak Network is a digital identity and privacy protection infrastructure based on zero-knowledge proof. We hope that in the Web3 era, we can truly return user data autonomy to users. Based on this concept, zCloak has developed and implemented a series of user-friendly infrastructure such as self-controlled DID, verifiable digital certificates, digital identity wallets, and local zero-knowledge proof calculations. Tonight, I also hope to have an in-depth discussion with you about another of our new products, Valid ID, and how it can help you avoid and prevent Web3 fraud.
Tom: Thanks to zCloak for the invitation. I am the director of DATT, a digital asset think tank under the Financial Technology Center of the Hong Kong Polytechnic University Faculty of Business Administration. My personal background is in the financial industry. I used to work in an investment bank in New York and Hong Kong. I am currently managing a hedge fund. Blockchain is currently my PhD research direction. The digital asset think tank hopes to explore and study the status quo of the digital asset and information technology industries in the entire Asian region, and discuss with industry experts and scholars how to use blockchain technology to solve practical problems in economic and social development. At the same time, we will also regularly share the results of discussions with policy makers in the industry, such as the Hong Kong Monetary Authority, the Hong Kong Foundation, Invest Hong Kong and Cyberport. Finally, we hope that through DATT, we can provide more opportunities for the industry to interact and communicate.
Turing: Hello everyone, I am Tutu, the co-founder of Legal DAO. Legal DAO is currently working on a Web3 compliance product based on global lawyer resources. I hope to be able to deeply participate in the construction of Web3, and I also hope to provide you with global legal services. We have been constantly integrating emerging technologies of Web3, including underlying technologies and AI technologies, to better provide users with legal support. In addition, we have also made many friends in the industry, such as zCloak, etc. We look forward to continuing to learn and discuss related issues with you today!
Adam: Good evening, ladies and gentlemen, I am Adam, the co-founder of SharkTeam. SharkTeam is mainly engaged in Web3 security-related products: on the one hand, smart contract audit; on the other hand, security analysis on the chain, including security warning of risks on the chain, monitoring and analysis of transactions and addresses on the chain, security research reports, etc. At the same time, SharkTeam also continues to provide security services for Web3 projects and companies. It's a pleasure to be a part of today's discussion!
Cassiel: What impact will the security issues of Web3 have on your respective fields? Recently, there have been a large number of incidents of Twitter and Tg account theft. The most direct threat to Web3 users is the security of digital assets. It just so happens that the Hong Kong Polytechnic University Digital Asset Think Tank led by Tom has been exploring and researching digital assets and the current information technology industry, so first I would like to ask Tom to share his views based on relevant experience.
Tom: I have done a lot of Web2 projects in the investment bank before. From the perspective of Web2, the problem mainly occurs at the application logic and data level. Web3 is different from Web2. There are many modes of decentralized applications in Web3, such as cross-chain, identity, wallet, etc. This kind of constant interaction and innovation does easily breed security problems in some scenarios. At the same time, the wide application of public-private key technology and digital wallets can protect the data autonomy of Web3 users and ensure the transparency and non-tampering of the transaction process. However, there will be a security problem here: when some DApps and protocols are upgraded, how do we go about protecting user data and privacy security? Through our research, we found that the security issues of Web1 and Web2 are limited by the relatively rudimentary tools. For Web3, the biggest problem is that the security issues of transactions seem to be unable to be solved at the preventive level, because once the transaction is executed, it is very difficult. According to our research and experience, the idea of security is generally to establish a mechanism to verify whether the transaction meets the security conditions, so I would like to ask the experts how to prevent these systemic weaknesses at the technical level to resist some organized attacks, including native encryption, smart contract vulnerabilities and other issues. In particular, the following directions: the first is the vulnerability data, the second is how to make security decision-making design, the third is authentication and signature, and the last is how to make key management and the user experience smoother. So I think that after absorbing the experience of Web1 and Web2, we can actually do a lot of things in Web3, which is what DATT has been thinking about and exploring.
Cassiel: Next, I would like to ask Adam to talk about his views from the perspective of security services.
Adam: Frankly speaking, although the current development of Web3 is very rapid, it is still in a very early stage, which is mainly reflected in three places. The first is that the business form is very early. Everyone is more familiar with DeFi; although it is already an old word in Web3, it has only been developed for more than two years. Then there are some new formats such as NFT, GameFi, and derivatives that have emerged recently, and the rapid development of these formats will bring some risk and safety issues at the business level. So for Web3, so many business forms must not rely on a certain technology to solve all security problems. Based on the multi-service mode of Web3, its security precautions should still be done in a system engineering way. It is precisely because of its rapid development and innovative business model that the attack points are more extensive and open: private keys, cross-chain infrastructure, wallets, and identity security can all be attacked. Therefore, for the project side, the first thing to consider is to introduce the concept of business security modeling like Web2 in the early stage of business design, and plan and separate the risks at the business level.
Second, from a technical point of view, the project party must have a standardized development practice technical process, and the project party must have the awareness of code freezing before going online. Otherwise, after multiple revisions and corrections in the later stage, developers will unintentionally introduce many security holes, which will cause some security problems that cannot be prevented. At present, for many project parties and developers, they may think that smart contract auditing, DID identity privacy security, etc. are all security issues, but for a project, these are only part of it.
The last aspect is the level of operation and emergency response. After many projects were attacked in the middle of the night, although we found out, we could not contact the project party at night. We could only watch the project being attacked and user assets stolen by hackers. Emergency response and security operations are slow; in particular, the blocking actions after a security incident, such as contacting for asset freezing or contacting other ecological partners, are very slow. This is also because a sound operation and emergency response system has not been established. Finally, the current development of Web3 is very rapid, but no matter in terms of business form, technology level, or operation and emergency response level, a complete security system has not been established, which also requires our subsequent joint efforts to build.
Cassiel: Adam shared his views from the perspectives of technology and business, as well as operations and emergency response. Then everyone can have a brief discussion, and Mr. Zhang and Turing are also invited to answer some related questions raised by Tom.
Turing: I would like to make a simple addition. You have talked about a lot of systemic security issues before, so Legal DAO can give you some ideas from a legal perspective. You may be wondering why some legal matters based on Web3 have been slow to advance. In fact, it is because traditional financiers and legal professionals have been in contact with emerging technologies such as blockchain for a relatively short time. There is no benchmarking basis for the implementation of the problem and subsequent accountability, or it is difficult to have a consensus for everyone to maintain. After analysis, I think the absence of an identity system is a core reason for the slow development of the Web3 legal industry. In Web3, the person may not be found by changing the address, but in Web2, as long as there is an ID card, the person can be found, so the biggest difference lies in the lack of identity system in Web3 compared with Web2. As a result, a complete reward and punishment mechanism and business system cannot be established in the entire Web3 world, including reputation and reputation cannot be effectively accumulated. Therefore, for the Web3 legal industry, I think it is a good access point to cooperate with partners like zCloak to gradually establish an identity authentication system based on privacy protection. Next, I would like to hear Mr. Zhang's thoughts.
Zhang Xiao: Thanks to Tutu and other guests for their sharing. I am personally very inspired. First of all, I would like to respond to the few questions Tom mentioned before. Infrastructure such as blockchain currently carries high value, whether it is stablecoins and other financial institutions' assets or real-world assets on the chain, etc., but there are indeed big problems in terms of overall asset security and investor protection. For the blockchain industry, everyone is familiar with the phrase "Not your key, not your coin": if the private key is not under your control, there is a high probability that the money will not be entirely yours. As for on-chain transactions and some infrastructure based on smart contracts, when a transaction or a block is generated, it is extremely difficult to withdraw it, unless a hard fork is performed, but the cost is extremely high, which requires us to use our own accounts prudently to trade in this environment.
Tom mentioned the issue of wallets before, and I think wallets are an extremely important infrastructure in this industry. A wallet is mainly used to manage our private key, and the security of the private key determines the security of our assets, but the practicability of encrypted wallets is not ideal at present. For ordinary people without a certain computer knowledge background, some technical terms such as public key, private key, mnemonic, derivation path, etc. are enough to make them confused, which invisibly raises the threshold for using encrypted wallets. However, encrypted wallets themselves should be open to the public. Therefore, there are currently many new generation wallets trying to simplify the user experience. This kind of applicability improvement is very good, but in fact, security and applicability are contradictory to some extent: usually the easier and more convenient it is to use, the more security will be compromised. For example, from the perspective of controlling the private key, the security of the private key being controlled completely in the hands of the user and partially in the hands of the user must be different. Therefore, for the wallet industry, we have indeed seen some progress, but the relevant security has to stand the test of time to determine.
Another issue about asset security on the chain that Tom mentioned is that in addition to the original encrypted industry assets, there are gradually many real-world assets that are on the chain. The form of a contract may also be an NFT, or even 100 tons of oil in the real world. The ownership, auditing, security, insurance, and who will endorse it from a legal perspective are very important after these assets are chained. Therefore, the authentication and identification of the authenticity of assets on the chain is very necessary.
Adam also mentioned that the security issue is an overall issue, and that solving the security issue of smart contracts does not mean that the entire security issue has been solved, not to mention that the security at the level of smart contracts may not have been resolved yet. A smart contract is uploaded to the chain after the audit, but it is updated later, and most people can't tell whether the running smart contract is the smart contract after the audit. Especially at the audit level, the audited code may be code A, but what the project party actually deploys on the chain is code B, and ordinary people cannot distinguish which code it is. Here we at zCloak proposed a relatively new concept, which is the identity of assets on the chain or contracts on the chain. For example, after a smart contract is audited by SharkTeam, can the audited contract display its corresponding audit information at the same time, or can we trace in some way whether a smart contract running on the chain has been audited? In the same way, can assets on a certain chain display and interact with their audit results in this way? Therefore, we will find that the security issue on the chain finally returns to identity. Any smart contract and asset can have an identity, so who will effectively notarize and endorse its identity, where to display it, in what form, and how to let users verify it, these are all very interesting questions we need to solve in the process of industry and technology development.
Tom: In response to the points you just mentioned, I also have some questions that I would like to extend. The first one is about the identification of smart contracts mentioned by Mr. Zhang just now, but there are many different audit companies in Web3. What are the technical differences between different audit companies? Do typical projects require multiple audit firms to conduct audits, and why? Is it possible to have an internationally accepted auditing standard? The second question is combined with what Turing and Adam just mentioned: in terms of law and technology, is law always lagging behind? If it is lagging, how can we ensure that our technology is compliant with regulations? We have been communicating with Hong Kong’s regulatory authorities on issues such as stablecoins, exchanges, and real assets, but found that the current legal supervision is not enough. The most advanced may be the newly introduced stablecoins and other currency regulations in Europe. However, after careful study of its regulations, it is found that it cannot satisfy the essential innovation of the Web3 world, so how do we ensure the balance between Web3 innovation, legal supervision and security technology?
Adam: Then let me briefly talk about my opinion. Regarding Tom's first question on auditing and audit standards, it is actually difficult to form a clear standard at present. The various audits in Web2 are also performed by multiple service providers. The fundamental reason is that there is no 100% security. We can only continue to add, but we cannot form a quantitative standard and think that reaching this standard is safe. The second is the "stamping" of the contract mentioned by Mr. Zhang. This is also a problem that we often encounter when doing security services. At present, in the audit report of the contract, we do one-to-one hash binding of the specific audited contracts, including binding with the commit on GitHub. But there will also be a problem. In fact, the auditor and the project are in the same trench. Everyone's consensus is that the project party should deploy the contract that we have audited and revised. But there are indeed developers who have made modifications later, and some are even head agreements. There are also some project parties who deliberately do not deploy the contract after auditing it, and ordinary investors cannot tell whether the content of the audit report is the same as the actually deployed contract. From a technical point of view, it is achievable, but it is difficult to implement it. Perhaps some emerging business forms, such as insurance, can be used to solve this problem. Of course, this will also involve some legal aspects, but I think it is a solution.
Turing: Insurance is indeed a relatively clear means of hedging. From a legal point of view, it is somewhat similar to the audit integration in Web2. In the audit integration of Web2, if a company spends more than a certain value, then the company must accept comparison High letter confirmation and review of transaction amount. By analogy to the entire Web3, audit companies in the Web3 world now have their own methods and principles for auditing projects, and a unified standard has not yet appeared, but relevant industry alliances are constantly emerging, so I think this unified industry consensus emerges over time. Legal DAO's lawyer resources cover many countries around the world, and promoting the formation of this industry consensus must also require multiple parties to call for it.
Adam: Yes, a Wallet data platform coupled with an insurance mechanism for hedging risks in business forms may be more effective. We are also looking forward to the emergence of this solution. Whether the audited contract and the actually deployed contract are the same contract can indeed be used as a relevant certification system, especially for solving Rug Pull.
Tom: I also want to add something about insurance. According to my previous experience in investing in DeFi projects, the biggest problem with this type of insurance is that although the premium is not high, around 1%, its guarantee period is very short, usually within 3 months, the amount to be guaranteed is also limited, and the guarantee for DeFi is still very early, including liquidity, and the efficiency is not very high.
Adam: The difficulties in implementing decentralized insurance are related to evidence collection and identification. Is this related to the law?
Turing: Let me give you an example, such as defining the ownership of goods in logistics. First, you can paste a low-power chip on the express package, and punch the card every time it passes through a base station. However, after the goods arrive, there will be problems with the goods after unpacking. There is really no way to solve it legally, because it is impossible to determine whether the damage to the goods occurred during transportation or after it was received. It is still difficult to define this specific problem.
Zhang Xiao: Adam just mentioned a point, which I think can even be used as a product direction. Contract audit, after a project party deploys on the chain, each contract has an address, but the contract can also be upgraded, so if the project party upgrades the contract, will the contract address remain the original address?
Adam: The address will change, but security problems are very easy to occur during the contract upgrade process. Before the Hong Kong conference some time ago, a project party lost 800 ETH because of a new contract upgrade, because this is actually easy to go wrong, but everyone is very concerned about it. It's easy to overlook it.
Zhang Xiao: Therefore, for auditing, the project party actually submits a certain version for review, or from the perspective of GitHub technology, what is audited is actually the smart contract at a certain commit. After the audit of this version of the contract is completed, whether it is really the smart contract the project party deployed on the chain, or whether the contract that was originally deployed has been replaced later, is actually very difficult for investors to judge.
Adam: Yes, especially for some self-stealing teams, many of them will use contract upgrades to replace some core contracts, and users will not be able to find these problems. However, there will be a proxy contract on the outer layer of the contract. After the contract is upgraded, the proxy contract will change, so it can actually be found, but there is no relevant infrastructure at present, because this requirement needs to be further clarified. Is there anything else Tom would like to discuss?
Tom: There are two main issues. The first is insurance. How do we implement the business form of insurance, including intermediate claims settlement and payment, who will implement supervision, etc.? We still need to find a perfect business model. The second is the standardization of contracts and addresses. We have connected with the China Quality Inspection Center before. They issue certificates and are in line with international standards; they are actually the most professional, they are releasing standards in all walks of life, and they also have blockchain-related groups. Then can we use the strength of the country, maybe not just China, to formulate and improve this industry standard with other countries, using Web2 thinking standards to assist Web3’s various identifications? Of course, these cannot solve the problem of self-stealing, so I see that many audit reports issued by audit companies will also score the project team, so it may be that for Web3, it is still necessary to develop in a more comprehensive way. Finally, I think that the impossible triangle of Web3 also exists. It is decentralization, anonymity and privacy, and supervision and accountability. It is true that there is no way to make these three coexist reasonably.
Cassiel: In fact, judging from the current frequency of security problems, the implementation effect of some security problem solutions that have appeared in the past is not as good as expected, or they all have certain limitations. What are your thoughts on possible solutions to the problem? Mr. Zhang just mentioned that zCloak officially launched the Valid ID platform earlier this month. It seems to be a new idea to solve the crisis of trust in Web3. At the same time, zCloak has been committed to providing users with privacy computing services based on zero-knowledge proof technology, and the two words "privacy" and "security" are actually inseparable, so Mr. Zhang, please share with us: for the security of Web3 privacy data, what solutions is zCloak building or has it already built?
Zhang Xiao: Okay, this topic is indeed deeply related to our new products. Among the various security issues we have discussed before, I think one of the core issues is trust and the transmission of trust. The trust problem can be traced back to the lack of identity system facilities on the chain. The problem that Valid ID can solve is also very simple, that is, "who is who". At present, there are only wallet addresses one by one on the chain, and what is shown is what the address signed, how many accounts were transferred, what transactions were made, etc. At the same time, for individuals, the anonymity or semi-anonymity of the blockchain address does protect my privacy, which is a personal benefit. However, the needs of institutions on the chain are actually opposite to the needs of individuals. Institutions (auditing companies, law firms, government agencies) need to let everyone know who is behind the address, so the identity system on the chain is particularly important. In the traditional world, if we want to know who is behind a website, we can query through the CA certificate, but we have no way of knowing who is behind the address in the blockchain world. Valid ID is a small exploration in this direction. We hope to apply Web2’s idea of solving identity problems to Web3. Of course, we use Web3’s native technology to solve the problem. The method is very simple: the identity of the entity is subject to technical testing and certification. After the testing and certification is completed, its identity in the Web2 world is bound to its address on the Web3 chain to form a certificate that we call an institutional identity. At the same time, we store these certificates on the chain that cannot be tampered with or in the Arweave database, thus forming a binding relationship between addresses on the chain and real identities off the chain that cannot be tampered with. When others see a certain address, they can clearly know which institution is behind it.
There is also another very important issue here: who decides who is behind the address. If you continue to use the CA method for certification, it will be contrary to the concept of decentralization of Web3 and blockchain. At the beginning of building Valid ID, we wanted to build it into a decentralized platform, so we introduced a multi-party authentication mechanism. The identity authentication behind the address is not determined by a certain organization, but is identified by multiple organizations. The more people repeat a fact, the more likely it is to be true. So we use the social authentication (Social Attestation) method on the Valid ID platform.
At present, we have promoted several small application points. One is to perform various digital signatures based on this certified address. We found that although many Web3 practitioners have been working in the industry for a long time, they are still using Web2 social tools, such as Twitter, INS and other social platforms, to express opinions or promote projects, which has great security risks. What should I do if the official account of the organization is stolen and phishing information is released, causing the user to lose property? The identity of the Web3 project is guaranteed by the Web2 platform, which is not what a decentralized society wants to see. Therefore, the solution of Valid ID is to couple the Web2 identity with the Web3 address, that is to say, what controls the identity of the organization is actually the private key held by the organization itself. Hackers can steal the organization's account, but cannot obtain the private key of the organization's identity, so the control of the identity is still in the hands of the organization itself. The Valid sign function allows everyone to attach their own digital signature when publishing any information on any platform, which is very important in many application scenarios. For example, when publishing loan information, I add my own signature, and the person who receives the message can verify the signature on our platform to check whether it is really the message posted by me, so as to prevent a series of phishing scams.
And the contract audit we just talked about gave me a lot of inspiration. Is it possible to express the audit information of the contract on the chain and bind the contract file with the identity of the organization, so that when users see the contract, they can verify it on the Valid ID platform to check whether the contract is a contract verified by an organization verified on the Valid ID platform? Therefore, we believe that Valid ID is a very beneficial supplement for zCloak in the exploration of personal privacy and identity, because zCloak has been providing zero-knowledge proof of private data at the user end, but it can only guarantee the correctness of the calculation process, and the authenticity of the calculation data depends on DID and verifiable digital certificates, and the reliability of verifiable digital certificates depends on the reputation endorsement of the issuing institution, and Valid ID is the solution to the identity and reputation of institutions. Finally, in fact, zCloak transmits the authenticity of Attestation through the identity authentication of the organization, and then adds the method of zero-knowledge proof to allow users to prove that their identity has certain credible attributes and characteristics.
Cassiel: Thanks to Mr. Zhang for sharing. What do Tom and Adam think about future security solutions?
Adam: Now Web3 does lack an identity security infrastructure, and many security issues may have some solutions in the process, so we can do something around security and identity later, and I am looking forward to it. Another thing I want to discuss is that many security solutions have indeed emerged, but security problems continue to occur. There are two reasons. The first is that the security infrastructure of the entire Web3 is not complete, the trust cost is high, and the trust efficiency is very low. In this case, many people will unconsciously generate loopholes for hackers to attack. Another reason is that the implementation process of many security measures is not solid, because the Web3 industry is a relatively FOMO field, and everyone will have many innovative ideas and good products, but they will be disturbed by many problems during the landing process. Whether it is market changes or other factors, it will affect everyone's enthusiasm and efficiency in doing things. Therefore, some products and projects have not effectively implemented and perfected services, such as the DeFi insurance just mentioned. It is itself a very good industry, but it has not developed as well as we expected. The essence is that it has not been seriously implemented. For Web3 security issues, auditing, on-chain security analysis, risk warning, attack monitoring, anti-money laundering, etc., there are still many systematic projects waiting for us to build and develop. These projects also face landing problems and the problem that they cannot be widely used by users to produce value. This is also a point on which we constantly push ourselves as a Web3 security service provider. We must not forget our original intention to do a solid job in products and services. We hope that the Web3 industry can also form such a consensus.
Tom: On a point mentioned by Adam just now, is it possible for us to make a 2C-side security audit tool? It seems that most of the current security audits are 2B, and the project party queues up for audit and then uploads to the chain, so can a plug-in be made on the 2C side so that, after the user logs in to various Dapps, the user can be prompted in real time? Ordinary users cannot capture many contracts. If there is a problem with the code after the update, then this plug-in can provide risk warning and suspicious point warning during the interaction process between the user and the contract, and assist the user to stop actions that may cause losses, such as transaction transfers, until the project party identifies the loopholes, the alert disappears, and the user interacts in a safe environment. I think DeFi users who often use wallets have certain needs and payment capabilities for this product. I don't know if this product has appeared in the industry before?
Adam: C-side security warning tools exist, and now they are mainly connected to C-side traffic portals such as DeFi or wallets in the form of API, Crypto API/Security API, etc. If users interact with a high-risk address, the wallet's development team and operation team may not know about this, but after accessing our API, it is reflected in the form of C-side functions, which is what everyone does more now. Of course, it would be great if there is a secure entry that can cover everything, but at present, the market is still mostly in the form of API for C-end users, and of course this is slowly developing.
【FAQ】
Tom: I think that an aggregated solution may still be needed in the future. Now a major problem with Web3 is that there are too many products and services that are too scattered. The same is true for security products. I don’t know if there will be a complete set of solutions in the future. There is also identity verification and monitoring, and it will also include accountability and compensation after problems occur. Is there any project party making an integrated product now? Whether it's the B-side or the C-side. If not, why are you not doing it?
Zhang Xiao: I think this kind of package solution is still very difficult, which requires a project party's professional ability, technical strength, understanding of laws and regulations, financial knowledge, supervision, and policies, unless it is a large-scale organization; it is even possible to take care of everything when institutions with government backgrounds participate. For ordinary companies and institutions, it is already a very good thing to do one of them well.
Adam: Yes, many products need to be developed in stages. Some products and services are not necessarily acceptable or understood by users now, because efficiency and safety must be balanced. Sometimes too much security will inevitably affect efficiency, so it is still a matter of process.
