OtterSec's Robert Chen Discusses Blockchain Security
OtterSec's founder talks about security challenges and best practices for blockchains.
Robert Chen founded security company OtterSec, which has worked with over 60 web3 protocol builders to ensure safe networks. He studied computer science at Carnegie Mellon University and previously worked as a mobile vulnerability researcher.
OtterSec conducts security audits to identify vulnerabilities, working with companies before they go to market to deliver safe and secure products. The company specializes in the web3 industry.
I sat down with Robert during the Sui Builder House in Denver to get his views on web3 security, best practices, and the biggest security challenges facing builders.
Wayne Cunningham
Your company, OtterSec, audits blockchains for security vulnerabilities. Can you offer some details about the auditing process?
Robert Chen
We look at two main things during an audit. First, we work directly with the blockchain’s operators to evaluate the security of key components, such as the validator code. And second, we evaluate the protocols built on top of the blockchain. On the blockchain side, we focus on making sure transactions are 100 percent secure. On the protocol side, we make sure that the logic is sound, and won't lead to incidents where the network loses millions of dollars.
Wayne
Does your team hammer away at the protocols, like a hacker might, looking for vulnerabilities, or do you spend a lot of time analyzing code?
Robert
We spend most of our time coming up with different threat scenarios, thinking like an attacker and trying to figure out edge cases. We try things like sending really large data packets to see how protocols respond. We set up classic denial of service attacks. We also spend a lot of time figuring out how the blockchain's code really works. In auditing Sui, we were able to look at the core virtual machine code and evaluate it for vulnerabilities.
Wayne
What’s your team’s experience in the web3 space?
Robert
100 percent of our team has a background in web2 security. Those skills transpose directly to web3. And each audit we do in this space builds our knowledge base, because attack vectors tend to be similar from blockchain to blockchain.
Wayne
What challenges do builders on blockchains face when implementing security?
Robert
One of the main problems isn't really technical; it has to do with timing and resources. Builders are often working on really tight timelines with small teams. They want to launch fully functional products in just a few months, which doesn't give enough time to test security edge cases. What makes it even more difficult is that we're dealing with very new programming languages. In web2 programming, we have a lot of ecosystem knowledge to draw from, but in web3 the official documentation may be the only source of information.
Wayne
How much does the underlying architecture of a blockchain contribute to security as opposed to the apps themselves?
Robert
The way the blockchain is designed has a huge impact on security. The Move programming language, for example, is very secure. In our security reviews we find fewer vulnerabilities with Move. That's not to say there can't be bugs in a Move app. We've certainly uncovered issues. But in general we've found that builders developing in Move tend to write safer code. From what I've seen, I think Sui will be a safer environment due to Move.
Wayne
Does blockchain technology have an innate advantage over previous networks in the security arena?
Robert
When the Internet was first designed, people didn't really think about security. It was a trusted environment because the servers were hosted at universities and research centers. People building blockchains had the benefit of hindsight, and knew they needed to think about security early. But blockchain has a disadvantage compared to parts of the Internet because everything is super transparent. Blockchain tends to be open source, so you can look through the code for vulnerabilities. That makes it really critical when you're deploying blockchain apps to think carefully about the platform you're building on and its security protocols.
Wayne
What are the biggest security flaws that OtterSec has encountered in its work?
Robert
I can't talk about specific instances, but one of the more common vulnerabilities we encounter has to do with key management. People need to think carefully about how to store critical keys, whether that's an upgrade authority for the protocol or an admin key that gives access to the treasury. Teams need to figure out secure key management and best practices at the beginning of their projects.
Wayne
Would it make sense to have a central authority for security certifications across blockchains? Could there be a group and technology with a gold standard that could be deployed on existing and new blockchains?
Robert
A central certification is probably a good idea. The hard part would be getting all the security firms working in this area to agree on a certification. There are many security standards in the web2 world and sometimes they conflict. It would probably be easier to come up with a list of common vulnerabilities. If we had an agreed-on checklist of vulnerabilities, people who create protocols could go through it and make sure their technology is responsive to them.
Wayne
Any final thoughts?
Robert
We're really big fans of security, and if anyone is interested in chatting about it, please reach out to us using our contact form. If you're launching a protocol, please make sure it's secure. Any security incident hurts the overall sense of trust in the industry.