
How Samczsun, the crypto industry's top white hat hacker, came to be

Chain Catcher
Guest columnist
2022-06-17 02:31
Samczsun's contributions are a blessing to the industry, but they also reflect its tragedy.

Original Author: Gu Yu

A research partner and head of security at Paradigm, Samczsun is also one of the best-known white hat hackers in the crypto industry. Over the past few years, he has helped at least 20 projects, including Sushiswap, ENS and Rari, discover vulnerabilities ahead of time by privately messaging the project teams, averting losses of hundreds of millions of dollars.

Dragonfly Capital partner Haseeb said in a recent interview that he thinks Samczsun is the smartest person working on Web3. Another Paradigm partner, Dan Robinson, called him the Batman of the crypto industry: whenever a lot of money in the crypto ecosystem is at risk, the bat signal goes up and Samczsun comes in to help save the day. So how did Samczsun become one of the top white hat hackers today?

"U up?" (Are you awake?)

This message from Samczsun is one that any DeFi project team dreads receiving, because it probably means that Samczsun has discovered a serious vulnerability in the project's smart contract and that user assets could be stolen by hackers at any time.

In the crypto world, smart contract vulnerabilities are common across protocols, and hackers see them as easy pickings. According to Footprint Analytics statistics, at least 90 DeFi projects were attacked in 2021, with initial losses of more than US$1 billion, causing heavy losses for ordinary users. While hackers act recklessly, however, there are also many white hat hackers helping project teams discover smart contract vulnerabilities in advance.

Samczsun is one of the best-known anonymous white hat hackers in the crypto industry. Over the past few years, he has helped at least 20 projects, including Sushiswap, ENS, Rari and Tokenlon, discover vulnerabilities ahead of time by privately messaging the project teams, averting losses of hundreds of millions of dollars.

Samczsun's formal role is research partner at Paradigm, a well-known crypto venture capital firm, where he focuses on Paradigm's portfolio companies and on research into security and related topics. Almost all of his public statements are reports on and analyses of vulnerabilities in crypto projects, aimed at protecting the healthy development of the crypto ecosystem.

Although Samczsun has stated that he gives priority to reviewing portfolio companies that are planning to release new code, most of the projects whose vulnerabilities he has disclosed are not Paradigm portfolio projects, for example Sushiswap, ENS, ForTube and Tokenlon. This has also made him an expert on the DeFi ecosystem, and even one of the most influential figures in security across the crypto industry.

Dragonfly Capital partner Haseeb said in a recent interview that he thinks Samczsun is the smartest person working on Web3. Another Paradigm partner, Dan Robinson, called him the Batman of the crypto industry: whenever a lot of money in the crypto ecosystem is at risk, the bat signal goes up and Samczsun comes in to help save the day.

So how did Samczsun become one of the top white hat hackers today? In this article, Chain Catcher uses public information to trace and summarize his background.

Judging from Samczsun's social media profiles, his earliest online activity dates to November 2014, when he joined GitHub and made 114 contributions in November and December.

Samczsun's earliest traceable vulnerability research dates to January 2016, when he tweeted at Enjin's official Twitter account (@Enjin) that there were serious security issues that needed to be resolved. Enjin's official account replied with a link for submitting a report. This is the same Enjin that is now a popular NFT game platform, but at that time the project had not yet moved into crypto and NFTs.

In 2017, Samczsun submitted vulnerabilities for multiple projects on the bug bounty platform HackerOne, including the Indian company Zomato and the legal contract analysis company Legal Robot, and published several vulnerability analysis articles on his blog.

Samczsun's first public investigation into a DeFi protocol vulnerability came in July 2019, when he disclosed to the 0x team a smart contract vulnerability that allowed a malicious actor to create a valid order on behalf of any externally owned account (EOA) that had approved the 0x contracts to spend its assets. The project had to shut down the protocol to patch the vulnerability and redeploy the 0x v2.1 smart contracts from scratch. For this finding, Samczsun received a $100,000 bounty.

From then on, Samczsun's career as a white hat hacker began in earnest, and his prolific vulnerability research quickly made him well known in the DeFi industry.

The following year, during the "Summer of DeFi" boom of 2020, Samczsun discovered potential vulnerabilities in many crypto projects, including ENS, Livepeer, bZx Network and Curve Finance.

Among them, the Curve Finance vulnerability would have allowed anyone to drain the smart contracts, and the ENS vulnerability would have allowed ENS users, in a certain way, to regain ownership after transferring it to someone else. Both were vulnerabilities with a major negative impact, which shows how much Samczsun has contributed.

“A common misconception in building software is that if each component in a system is individually verified to be secure, then the system itself is also secure. This belief is best illustrated in DeFi, where composable security is second nature to developers. Unfortunately, while combining two components may be safe in most cases, all it takes is a single vulnerability to cause serious financial damage to hundreds or even thousands of innocent users.” Samczsun concluded after discovering many vulnerabilities in DeFi projects: "Secure components can also come together and make something unsafe."

At the beginning of 2020, Samczsun also opened a grant on the Gitcoin platform and became the recipient that raised the most funds in Gitcoin's fifth grants round. Around the same time, he joined the crypto security company Trail of Bits as a security engineer.

Figure: Ethereum execution layer bug bounty leaderboard

Since then, Samczsun has continued to disclose vulnerabilities, in projects including Alpha Homora, DODO, Rari, Tokenlon, ForTube and BendDAO. Among these, the Rari code vulnerability could have led to the theft of all borrowable assets in the Fuse pool. Samczsun has also long ranked first on the Ethereum execution layer bug bounty leaderboard published by the Ethereum Foundation. In addition, he has helped project teams such as dYdX and Gelato Network respond urgently to vulnerability incidents.

The case that made Samczsun most famous was the MISO vulnerability incident, in which he helped the project team avoid a financial loss of up to 350 million US dollars.

On August 17, 2021, Samczsun noticed that MISO, SushiSwap's IDO platform, was conducting the largest IDO in history (BitDAO). He opened the MISO smart contract on Etherscan and soon found that the initMarket function had no access control, and that the initAuction function it calls did not contain access control checks either.

Specifically, this bug would cause MISO to mishandle failed transactions in Dutch auctions: the smart contract would not reject transactions exceeding the auction's token limit, but would instead refund the user after the auction ended. An attacker could therefore exploit the vulnerability on the MISO platform to bid for free and be refunded the difference between the submitted amount and the current bid, until all funds in the contract were exhausted. In other words, this vulnerability put the more than 109,000 ETH raised by the project (worth $350 million at the time) at risk of being stolen.

After realizing how serious the vulnerability was, Samczsun contacted the Sushi team and walked them through it on a conference call, then worked closely with the project team on an emergency response for the funds in the smart contract. The crisis was resolved within three hours. Afterwards, Samczsun received a bounty of 1 million USDC from the Sushi team.

In an interview with Immunefi afterwards, Samczsun described the discovery of the vulnerability as a "strange combination of excitement and fear." "Excitement, that you've just found what you've been looking for. Fear, because the clock is ticking and every second that passes, someone else finds the same mistake. My heart rate goes up in direct proportion to the amount at stake."

After this episode, Samczsun's influence expanded from security circles to the entire crypto industry, and he became the industry's best-known white hat hacker and crypto security researcher.

However, Samczsun's outstanding contributions also hint at an uneasy and cruel fact: the crypto security ecosystem is still quite fragile, and security awareness and defensive capability vary widely from project to project. Samczsun, out of a sense of responsibility and ethics toward the industry, chooses to disclose to the project teams, but most hackers choose to attack once they discover a vulnerability in order to profit more.

This has also led to a series of security incidents in the crypto industry this year, such as the theft of more than 600 million U.S. dollars from the Ronin cross-chain bridge, the theft of 80 million U.S. dollars from Rari Capital (although major vulnerabilities in the project that Samczsun reported had previously been fixed), and the theft of more than 80 million U.S. dollars from Beanstalk Farms. These major security incidents have repeatedly shaken the confidence of the crypto community and caused huge losses for DeFi users.

Samczsun's contributions are a blessing to the industry, but they also reflect its tragedy.
