Episode 92 of the Public Key podcast is here! When we were recording this episode with Raz Niv (Co-founder and CTO, Blockaid) back in December of 2023, the web3 industry was on full alert due to a Ledger supply chain attack. Blockaid was first to break the news and this episode talks about the attack as it unraveled and how they are working to keep web3 secure. 

You can listen or subscribe now on Spotify, Apple, or Audible. Keep reading for a full preview of episode 92.

Public Key Episode 92: Protecting Web3 Users from Malicious Transactions and Scams

When  Ian Andrews (CMO, Chainalysis)  was recording this episode with Raz Niv (Co-founder and CTO, Blockaid) back in December of 2023, the web3 industry was on full alert due to a Ledger supply chain attack. Blockaid was first to break the news and this episode talks about the attack as it unraveled and how they are working to keep web3 secure.

In this episode, Raz expresses Blockaid’s mission to provide security tools for web3 builders and protect users from malicious d’apps, wallet drainers, address poisoning  and suspicious transactions and connections, particularly in the realm of scams, phishing, and hacks.

Raz discusses the company’s partnerships with major players in the ecosystem, such as MetaMask and OpenSea, and how their technology is providing real-time indications of potential risks and malicious activity in web3. 

Quote of the episode

“Something that we’re seeing on every integration. So like every new wallet or every dApp or marketplace we’re starting to work with around 10 percent of malicious dApps or like malicious transactions.”  – Raz Niv (Co-founder and CTO, Blockaid)

Minute-by-minute episode breakdown

• (2:15) – Introduction to Blockaid and the problem of security in Web3
• (4:05) – Raz’s background in Israeli Cyber intelligence units and interest in Web3
• (6:40) – 1 in 10 dApps are malicious, data collection and trends
• (10:25) – Blockaid’s backend architecture and data sources
• (12:27) – Ledger supply chain attack and explanation of how similar attacks work
• (15:50) – Highest fund loss per capita in Web3 than any other industry 
• (19:45) – Blockaid’s role in MPC wallet architecture
• (23:02) – Privacy considerations and data collection by Blockaid
• (26:35) – Address poisoning attack and its dangers
• (28:44) – Blockaid’s plans to improve detection and expand integrations

Related resources

Check out more resources provided by Chainalysis that perfectly complement this episode of the Public Key.

• • Website: Blockaid: Web3, secured -Enable builders to protect users from fraud, phishing and hacks.

• Blog: Malicious dApp 101: Wallet Drainers Are Stealthier, More Complex than Ever

• • Blog: Blockaid + MetaMask: Securing Web3 Users While Preserving Privacy
  • Attack Report: Attack Report: Ledger Connect Kit
  • Press Release: Tel Aviv–based Blockaid raises $33 million to help root out nefarious crypto wallets

• Event: Chainalysis Links Conference NYC 2024 (Apr. 9-10, 2024) – Early Bird Pricing On Now!

• Blog: The Data Accuracy Flywheel: How Chainalysis Consistently Identifies and Verifies Blockchain Entities

• YouTube: Chainalysis YouTube page 
• Twitter: Chainalysis Twitter: Building trust in blockchain
• Tik Tok: Building trust in #blockchains among people, businesses, and governments.
• Telegram: Chainalysis on Telegram 

Speakers on today’s episode

• Ian Andrews * Host * (Chief Marketing Officer, Chainalysis) 
• Raz Niv (Co-founder and CTO, Blockaid)

This website may contain links to third-party sites that are not under the control of Chainalysis, Inc. or its affiliates (collectively “Chainalysis”). Access to such information does not imply association with, endorsement of, approval of, or recommendation by Chainalysis of the site or its operators, and Chainalysis is not responsible for the products, services, or other content hosted therein.

Our podcasts are for informational purposes only, and are not intended to provide legal, tax, financial, or investment advice. Listeners should consult their own advisors before making these types of decisions. Chainalysis has no responsibility or liability for any decision made or any other acts or omissions in connection with your use of this material.

Chainalysis does not guarantee or warrant the accuracy, completeness, timeliness, suitability or validity of the information in any particular podcast and will not be responsible for any claim attributable to errors, omissions, or other inaccuracies of any part of such material. 

Unless stated otherwise, reference to any specific product or entity does not constitute an endorsement or recommendation by Chainalysis. The views expressed by guests are their own and their appearance on the program does not imply an endorsement of them or any entity they represent. Views and opinions expressed by Chainalysis employees are those of the employees and do not necessarily reflect the views of the company. 

Transcript

Ian:

Hey everyone. Welcome to another episode of Public Key. This is your host, Ian Andrews. Today I’m joined by the co-founder and CTO of a new exciting company called Blockaid, Raz Niv. Raz, welcome to the program.

Raz:

Hey hey, Ian. Thank you for having me. Excited to be here.

Ian:

Well, your company is working on what I view as the number one problem in Web3, which is security around the user experience. At Chainalysis, we monitor closely all the scams that are out there. We see the dollars that unfortunately are going directly from end user wallets into phishing and hacks and wallet drainers, and it’s incredible. The dollars are massive, but the number of victims really, it’s just daunting. I personally can’t see the ecosystem moving forward if we can’t get a handle on this. For people that haven’t heard of Blockaid, maybe we can start just an overview of what is the product that you’re building, what can it offer to people?

Raz:

Yeah, sure. In Blockaid, we provide security tools to Web3 builders in order to stop malicious transactions or malicious connections, and protecting users from scam phishing hacks. So far, we’ve been fortunate to work with some ecosystem giants such as MetaMask, Xerion, Rainbow, OpenSea.

Ian:

Those are massive, massive companies. I would guess that almost everyone in Web3 is using MetaMask, at least as one of maybe a few wallets they use. It’s certainly a primary wallet for most people I talk to who are doing anything in the EVM ecosystem. What’s your relationship with MetaMask like? What is the solution that you’re actually providing there? What would I experience as an end user maybe with using MetaMask?

Raz:

I think as a user you will get an experience that is very much similar to a non-HTTPS site on a regular browser. Basically what we want to do is to indicate to the user that the transaction they’re about to sign at the moment or the DApp they are about to connect to will be a malicious one. From the user perspective, as soon as I’m connecting to a DApp, if this one is flagged as malicious by Blockaid, by our attack, you will get an indication of, hey, this is a malicious site you might don’t want to proceed through.

Then on the transaction phase, so whenever you will be prompted to sign a transaction, we will help your wallet to first of all explain it to you, making sure you understand exactly what are the technical implications of this transaction, but secondly and even more important, giving you some indications of whether this transaction imposes you to any sort of risk. I think, for example, we can help you understand that this transaction is an approval, but more precisely we can help you to understand that the spender that you’re about to approve your funds to is a malicious one.

Ian:

I think that last point you made there that you’re actually helping the user understand what it is that they’re signing is so critical, because often it’s really opaque. My experience, every time I hit approve inside of MetaMask, I sweat a little bit, because you’re never quite clear what the contract is doing and what you’re actually approving by signing it, which I’ve never really understood how we ended up in that position in a Web3 world so I’m grateful that you’re working on this. If I’ve got the latest version of MetaMask on my phone, is Blockaid already there or do I need to take some action as a user to add that capability?

Raz:

Blockaid is there, you should just enable it on your settings, on the experimental settings, and very soon we’re going to be on by default.

Ian:

Amazing. And it’s not just MetaMask. So people that are using Rainbow wallet, which I think is pretty popular in the Solana ecosystem, the Xerion wallet, they’ve all similar setup with all of those as well.

Raz:

Yeah, exactly. 100%. We’re helping these wallets and more that we’ll be able to announce soon.

Ian:

Well, I’d love to hear about your background. Like so many, I think security experts, you’ve come through the Israeli Defense Forces experience. Of all the things in security, what led you to this place of Web3 and brought you into the world of protecting unsuspecting crypto users?

Raz:

So Ido, my co-founder and myself, we were lucky to serve in the Israeli Cyber intelligence units, both in 8,200 and the Prime Minister’s office. So we actually met there the first day of our army service. A couple of more other folks have been with us on this exact same day as well. And I think when you’re handling real operations, so there is a lot to do in regards of making sure you have access to the relevant networks. But I think when you’re looking on a broader thing such as open source intelligence or even a trace of funds, like blockchains and crypto is something that is heard often on these operations because unfortunately, as you know better than us, a lot of these organizations are using blockchains as their infrastructure.

So I guess this was not the first time where Ido and I heard about blockchains. For me, I already heard about it during high school when I did my first degree in applied math, so there were a lot of nerds talking about blockchains. And right after the army, Ido and I knew we’re going to start a company in blockchains in Web3. We were fascinated by the technology, but also by the potential that this ecosystem has. And we started to look for problems. Now, funny enough, we didn’t know that we’re going to solve security, we just looked for general problems to solve.

So there are a lot of people that are finishing their army service from these places, and they were open a cybersecurity cloud company. So we always had this joke on this alumni list of hey, we’re yet another cloud cybersecurity company, but please join us because we have these great VCs and these ninja engineers. And then when we looked on problems in Web3, the first thing that hits us in the face was security. How is different from regular security infrastructure? What is done pre-production? What is done post-production? What is done manually? What is a service? What is a product? And we’re both pretty technical, so we started to dive into it. And we started to Blockaid.

Ian:

Such an amazing story. We’ve had a few founders with similar backgrounds who were lucky enough to work in 8,200 or some of the other branches of the defense forces, and it’s amazing to me the talent and expertise and great companies that are coming out of that experience. I was reading one of your blogs, I think the launch blog actually had this quote, we’ll link to it in the show notes, but you made the point that one in 10 DApps are malicious. First, I’m curious, how do you collect the data to figure that out? I assume this is part of the back end of Blockaid, but I was also wondering what’s the trend line on that, if you have any insight. Is that going up or down as we think over time?

Raz:

I think this is starting that we’re seeing on every integration, so every new wallet or every new DApp or marketplace we’re starting to work with. We’re seeing on their traffic around 10% of malicious DApps or malicious transactions. The way we’re able to get this information is both via the data we’re getting from the customers. So for example, a wallet user is not connecting to a site. This site is sent to us, we’re able to scan it in real time, and we’re seeing of course, a massive decrease as soon as we’re starting to work with them. But this stuff of on the initial integration, when we’re starting, we’re seeing around 10% of the sites that users are browsing it, specifically on consumer wallets. It’s just a constant thing.

Ian:

It’s incredible. Do you get any data about the origination of these malicious sites? One of the things that we’ve noticed in research here at Chainalysis is about 75% of ransomware payments accrue back to actors that are operating out of Russia. So you can categorize ransomware broadly as being a Russian national driven category of cyber security or security issues. Is there a similar Nexus here when it comes to these malicious DApps, or is it more widespread?

Raz:

Actually one of the things we’re doing at Blockaid, rather than just improving our detection engine, is to track and follow these attack groups. Basically we’re gathering information in regards of the signatures of different wallet drainers, both on-chain, the contracts, the addresses, the byte codes they’re using, but also on the web, two sides of things. The size they’re using, the infrastructure they’re using, where they’re hosting their sites. And I think you can see a variety of different types of actors. One of these is, as you mentioned Ian, are these nation-state attackers that are related with the country you mentioned and other countries as well. And you can see they have a much more organized infrastructure and their attacks are very targeted.

We’re seeing this also very aimed to institutional users. But also on the other hand, we’re seeing a lot of groups of whether these are script kiddies or more of a scam as a service type of infrastructure. So actually we’re seeing someone that is developing a wallet drainer, and then they’re selling these wallet drainers to other, and you can see actually a rev share done on-chain. So using their contracts, they are giving you 80% of the profits, 80% of the funds that were drained from the user, and the rest 20% are going to them, to the infrastructure builders. So seeing different sorts and types of groups starting from script kiddies to more of organized development groups to these nation state attackers.

Ian:

Yeah, we’ve seen the similar category of the as a service offering where it’s like, here’s a complete toolkit, you get contracts, you get a website template, you get some domain hosting services like Go, which is just wild to me. It gives me the sense that it’s very hard to think about stopping these malicious DApps from getting deployed because the ability to scale this out horizontally at relatively low cost just means that anybody looking to make a quick dollar off people unfortunately can stand one of these up. It doesn’t require a high bar of technical difficulty, so you’re going to have lots of people coming after it, right?

Raz:

Yeah. I think all in all, it’s an economical play where attackers will keep do it as long as it is profitable for them. For an attacker to dispatch a new domain and just use the same infrastructure, is something that is very easy. This is why, by the way, the usage of a deny list or statically comparing domains or statically comparing addresses is not good enough because for attackers, it is very easy to move their funds to another address or another contract or to host their domain on another domain. But if you’re actually looking on their patterns, you might make it much more harder for them. But for your point, it’s very easy. These things are built as a service. Just type here the address you want the funds to get into, and we’ll do the rest for you.

Ian:

So now this brings me around to, well, how does Blockaid actually work? How can you possibly keep on top of this ever expanding list of malicious apps? What does the backend architecture actually look like?

Raz:

I think when we’re talking about data sources that are relevant in order to train our engine and to keep it being able to handle the greatest and latest type of attacks, we’re looking on mainly three data sources, which are on-chain. So we have a very heavy on-chain infrastructure that we build to index on-chain activities. We have a lot of components on the off-chain side of things. So living on the wallets, you’re seeing both the domain, the Web2 elements of the interaction, but you’re also seeing the Web3 ones. So this is the second one that we’re looking into a lot of. For example, signing these SDKs and trainers of these attackers, their different network operations, their anti [inaudible 00:14:43] techniques, their obfuscations, their evasions.

So this is the second data source. And the third one is data that we’re able to see from our integrations. So as I mentioned before, being able to get this data from our different integrations to see all the different applications that are listed on OpenSea, to see specific trends of consumers goes into different DApps, just gives us a better idea of what is happening at the moment and where the attacks are taking place. I think even just now, before starting recording this show, so we were in the middle of an attack that will take place, I think it’s public now, a lot of people talked about it on Twitter.

But Ledger Connect Wallet SDK was compromised using a supply chain attack, and we were the first one actually to publish a message in regards of it. And we’ve seen a malicious transaction translated from one of… There were a lot of very known sites, for example, hey.xyz of the Lens protocol. So someone just contacted us and said, “Hey, why is hey.xyz flagged as malicious? This might be a false positive.” And then we had a researcher from the other room said, “No, no, it’s an ongoing attack.” And now we know everyone are panicked. But we were able to actually get this from our data, from our engine, without any human in the loop, which is very cool.

Ian:

That’s incredible. So that gives you the machine side of being able to scale to effectively an unlimited number of these malicious DApps being deployed. Talk more about what’s going on with Ledger. So you said there’s a supply chain attack that is affecting Ledger devices. So if I use their hardware wallet, and I would assume updated it to the latest version, I’ve mistakenly installed some malicious code. Is that what’s going on?

Raz:

Not exactly. This attack has nothing to do with the actual Ledger device and the Ledger wallet. I think what it’s done is basically Ledger has a model to embed on that. So similar to how MetaMask has a model for anyone to connect and other wallets, so also Ledger have their own code that is enabling an integration with Ledger. But with this attack, the presence of this code was the problematic thing because we believe there was a supply chain attack and the NPM package was actually compromised. An attacker was able to inject a wallet draining code into this package, and then taking advantage of the majority of the dubs in the ecosystem or importing this package. And then they will just have freeway inside these very known DApps. So there’s nothing to do with the usage of a Ledger wallet, it’s just the presence of this code in any application. So it also basically influences any wallet that interacts with this site, not only Ledger.

Ian:

That sounds incredibly frightening. So for people listening, if you’ve got a hardware Ledger device, you’re fine, but you probably shouldn’t be authorizing any new DApp until there’s a resolution to this issue, because any DApp, even on a legitimate site you’ve interacted with previously, they could have implemented this malicious code just by updating to the latest version of Ledger, unknowingly, accidentally. And if you then authorize that contract by connecting your wallet, you risk having your funds drained. Is that correct?

Raz:

Yeah. Or just use a wallet that uses Blockaid and you’ll be fine.

Ian:

There you go. Do you guys have an implementation with Ledger yet with the hardware wallets or are you working on it?

Raz:

So at the moment, we can talk about the wallets I mentioned earlier, which are MetaMask, Xerion, Rainbow, and OpenSea.

Ian:

Yeah, there we go. All right. So the hardware ones hopefully are coming in the near future. One of the other statistics that I pulled out of one of your blogs, it was a position that Web3 is broken, primarily because the fund loss per capita exceeds any other industry. And this actually was a mind-blowing stat. I spent all day long looking at loss in crypto, we do a lot of analysis in our research, but I hadn’t really contextualized it in that way. For a relatively small industry, we’re far exceeding any other category. Do you think as Blockaid becomes more widely adopted, this is the solution? Just intercepting at the transaction or DApp authorization level, does that solve the majority of that loss that you’re seeing?

Raz:

Yes. So I tell you how I look at things on the ecosystem and why the ratio is so high, as you mentioned. I think coming from a regular traditional security industry, when you’re looking on attacks, whether these are data breaches or code execution on different infrastructures. At the end, let’s assume you’re, I don’t know, a country that wants to make money out of cyber crime. So being able to do it on a regular cybersecurity industry, you have a lot of hops in the way in order to actually be profitable. So you need to create an access to a relevant network to tunnel your data in there, to have an operation going there to get the relevant data, to get this data out, maybe then sell this data or I don’t know, or maybe use this data as credentials to other systems that are enabling you at the end to have assets or to gain any asset value from it.

When you’re looking on our infrastructure, the actual exploitation results in the attacker gaining an immediate gain from it. And I think this is why so many people, and specifically nation-state attackers, are enjoining this ecosystem and the fact that you need to find the vulnerability and to exploit it, but rather than this scam a user, but then you have something profitable in your end. So this chain of gaining value from an exploitation from a scam is something that is very short on our ecosystem. Now to your question in regards of whether a transaction level or a domain level interception solution is the final solution to this problem. In our ecosystem, yes, we’re looking at transactions similar to… So basically transactions are code that is being executed, right? Very similar to how on a modern operating system or on a modern personal computer, when you press a file, it just loads to your computer and it ran.

And I believe every file that is loaded to an important computer is go through a list of inspections, whether it is statical scans on the disk, whether these are scans that are going through on the loading time, whether these are scans that are done on the running time of the actual application. And here it’s very similar. We call it transacting, but we’re actually executing code and this code is actually what holds our assets. So I see no difference in the aspect of whenever a code is executed, we must scan it and make sure there’s nothing harmful of it. Whether this code is emanating from a wallet going through a DApp or running inside of a smart contract, a code that is run should be validated and it should be validated in many layers. And this is exactly what we’re aiming to.

Ian:

How do you think about some of the custody solutions? I think about Fireblocks as an example or Paxos or BitGo, where obviously MetaMask is more of an end-user retail solution, but I would have to imagine that what you’re building ultimately should end up in some of those more institutional wallet management software as well.

Raz:

Yeah. This is a really good question. I can say we are working with some institutional wallets, just can’t expose them at the moment. And I think the protection there is very similar from a user experience perspective. It is also embedded into the flow of the wallet connecting to DApps or transacting. But the attacks there are very more tailor-made and for specific users. Instead of just spray and pray different domains, these attacks that we’re seeing there are more very much targeted to specific users, making sure that the IP that is connecting to them is the IP of the specific victim that they want to attack. And I think these wallets are all exposed to the same risks as MetaMask or other consumer wallets are exposed to. And it’s very important to first of all understand that they are exposed to it, but secondly to understand that these attacks are different and requires different models and algorithmical ways to solve them.

Ian:

How about some of the MPC wallets. Coinbase introduced, I think, a novel solution and I’ve now seen other providers come out with the similar architecture where I self-custody the funds, I control the wallet, but if I were to lose my private key for some reason, my phone gets stolen say, I can go back to Coinbase and they can actually help me effect a recovery. So it’s not quite the despair that one might have if they were using solely MetaMask on their phone, where there’s really no recovery path there. Does Blockaid have a role to play in that MPC wallet architecture?

Raz:

Yeah. I think MPC is a great thing for the ecosystem. It basically enables users to not only rely on their secret phrase among other things that it is enabled. I think the way we like to look on this user stack in the modern blockchain environment is you have the first layer, which is a wallet. This wallet can be an MPC wallet. And I think also it aligns with the type of scams and fraudulent activities and exploitation we’ve seen in the ecosystem.

So I think looking five to 10 years ago, there were a lot of attacks around exchanges that got hacked, like key got compromised then led to user fund to get lost. And I think MPC is a really good solution to these types of breaches and is really great for the ecosystem and I think this is one of the main reasons we’re seeing more and more wallets embedding this solution. But on top of this layer, on top of this, we like to call it an access layer. You have a wallet, you are now accessible to the chain, you’re able to sign things and you’re also able to split the signature process among different variants. You mentioned…

Ian:

Someone losing their phone and then being able to recover.

Raz:

Yeah, social recovery. Exactly. I just forget word, sorry. So it enables us social recovery among other things. But the layer on top of it, the data layer, the application layer, this is something that is not the expertise of a wallet to solve because we talked about them giving you a nice access to the chain and also a way to have more complicated signature flows. But I guess to have this expertise of data and to be able to observe so many data, which some of it prevalent to specific wallets and protect users from, okay, so I’m able to sign and I’m able to be the only one that is able of signing, but what am I signing on? Is what I’m signing is risky? Should I go on and proceed? And this is the second layer and exactly what we’re aiming to solve as Blockaid.

Ian:

I’m curious, did you ever consider building your own wallet?

Raz:

I think it’s not something we aim to do in the near term. I think it’s a different type of company, it’s a different DNA, and we’re the complementary part of the wallet.

Ian:

One of the interesting attacks in the last year you actually mentioned at one of your blogs was when Vitalik’s Twitter account got hacked and he posted… Not he, but the attacker posted a link encouraging people to go visit a site to mint the future, I think was the tagline in the tweet. But obviously it was a malicious site. Talk about how your technology would pick something up like that. Because I get the sense that you’re detecting these malicious DApps upstream of users actually being impacted and funds being lost potentially. How does that actually play out in a case like the Vitalik attack?

Raz:

Just to give some context around this attack, Vitalik Twitter account was hacked and was used in order to publish a group of different wallet drainers. A lot of people of course, trusting Vitalik went in these sites and started to sign different transaction that resulted in a major loss of assets from them. As Blockaid, we were able to detect the exact same group of sites more than 24 hours before they were even published or the first user even connected to them. And the way we’re able of doing it, it is because… So we talked before that we have about us having three different data sources. I think on this case, we’re scanning the entire internet looking for threats, and then we’re able to extract transactions from these sites without requiring users to actually go into them.

So basically we’re simulating the sites on our side and are able to extract all the possible transactions. These are not really transactions, they just like a transaction that are suggested to a user that is connected to the site. So we’re taking these transactions and evaluate them. Also, we’re looking, the SDK that was used is this an SDK we’re very much familiar with from other types of attacks. So we’re able to basically indicate all the words that are working with us and immediately mitigate it on our engine so every wallet that went through these sites was protected, both on the domain level while connecting to these sites, but also on the transaction level while transacting.

Ian:

And is that typical? As new malicious DApps are being launched, that automated protection is happening in the background before even the first funds are being stolen, you’re able to block those transactions, warn users if they come in contact with the DApp?

Raz:

Yeah. This is something that is constantly done by our backends. We’re also combining this with the data that we’re seeing via the different integrations we have. For example, let’s assume we scanned a site and it was flagged to be benign, but then we’re seeing a transaction that is originate from this site and it is the malicious one, it is automatically prompted for us to check whether there is a front-end that is compromised, similar to what happened with Ledger today. So it’s a combination of these things, but we’re aiming to basically indicate the user before even connecting to the site that there is a malicious activity that is related with it. We want to indicate the user as soon as possible on their flow that there is something malicious going on.

Ian:

I am curious about another topic. I imagine people listening here going, “Wow, this sounds amazing. We need something like this.” But you’re also collecting a lot of data, and I know that many people who are using cryptocurrency are privacy conscious. They don’t want information about the places they’re connecting to or funds that they’re sending being shared. In a lot of cases, I think the reason why they’re using cryptocurrency at all is that privacy layer. What should people know about how you’re collecting usage data from individual wallets?

Raz:

This is a great question. I think what we’re doing is very similar to how a node provider behaves. So basically as a user that uses a wallet, there are no external data that is sent that is not sent to a node. So basically you have the same level of privacy of using a node provider.

Ian:

So for people not familiar, a node provider, say someone like Alchemy, you’re connecting, you’re going to be sending a transaction which ultimately ends up on-chain so it’s public data anyway, but you’re not giving up things like your IP address or your physical location or browsing history from the built-in browser in the wallet or something like that. None of that data ends up with Blockaid.

Raz:

Exactly, yeah. We like to say that node providers are similar to the cloud infrastructure of blockchains. Yeah, exactly.

Ian:

Yeah, that’s great. When you look across the security landscape, we’ve obviously paid particular attention to hacks of DeFi protocols. Not all of these are malicious transaction related, right? There’s been things like private key compromise that we saw on the Axie Infinity Ronin Bridge hack last year. We’ve seen things like BadgerDAO suffered an attack that was really Web2 related, I think, where their Cloudflare, the provider of their CDN network, was compromised and that allowed people to manipulate code on the front end to the BadgerDAO site. And then obviously we see things like flash loan attacks. Are those on the roadmap? Are they ever in scope for Blockaid or do you see those as another category of problem that other tools are more appropriate to solve?

Raz:

I think you mentioned the Ronin hack, a key compromised, but the cool thing is they also resulted in a transaction that sent on-chain. Now, whether this transaction should be scanned on the wallet level or on the protocol level, the smart contract level, it’s an implementation detail, but it is all a result of a transaction that is sent. On the BadgerDAO example that you gave, which is essentially like a case that we’re solving even today. The front end was actually hacked and the incident was really more on the Web2 area of things, but it also resulted on users transacting a malicious transaction. So it could have been prevented on the transaction level.

The common thing that all of these attacks have is that eventually, in order to actually trigger the exploit, they require transactions to be sent, and if you’re able to scan this transaction, it can be done on different layers, so you’ll be able to prevent them. It’s similar to how a credit card company, a key can be stolen, but the final result would be a transaction that is made. So if you’re able to analyze this transaction and indicate, “Hey, this transaction behaves differently from what I know,” you’ll be able to also stop it. So it’s similar here. Everything results in a transaction and if you’re able to stop this transaction and to scan it on the relevant place, you’ll be able to just prevent this attack, whether it was a result of more of keys that got compromised front and it was compromised, etc.

Ian:

Yeah. Amazing. And when I look across the crypto ecosystem, we’ve seen obviously a rise of DeFi platforms in terms of transaction volume over the last few years, but there’s still, I would say a significant portion of people that really only interact with some of the more centralized platforms like exchanges. How do you think about that layer of the ecosystem? Is there a product that you develop potentially for exchanges to be monitoring their infrastructure or is that out of scope?

Raz:

So I think anyone that is transacting or have any form of transacting, we can help to them. Whether it is an actual Web3 transaction or a DeFi transaction or just a transfer of funds. But basically we’re aiming to help anyone that is exacting or even receiving funds. For example, we haven’t talked about it, but also we’re seeing a lot of attackers shifting from trying to make you sign malicious transaction to actually send you some stuff to make you interact with malicious components. It can be an airdrop to your wallet that includes some malicious code, it can be a transaction like what is called address poisoning, like poisoning your wallet with different addresses. So exchanges are also exposed to this. So anyone that has any form of sending or receiving transaction can gain from integrating with Blockaid.

Ian:

Talk more about that address poisoning attack. This is a flavor of cyber attack that I don’t think gets talked about as much, but seems very, very dangerous.

Raz:

I think this attack is included on a new attack vector that we’re calling incoming transactions. So up until now, attackers try to just straightforward getting a malicious transaction to be signed by a victim, whether these are from a front end that is compromised or from a site that is impersonating another site, just like implementing another on-chain mechanism to get the funds to, and we’re seeing some sort of a shift into sending you transactions. And this new vector also includes attackers that are trying to send you transactions from addresses that are look similar to other addresses on your portfolio in order for you to copy these addresses and to interact with them. So a lot of indexers and also a lot of wallets are showing you only the first and last four bytes or three bytes of the address so for attacker, it’s very easy to create these type of addresses, just a difference in the middle. So attackers are using this effect and trying to get you to, in the end, interact with these types of addresses.

Ian:

Be careful what you click on is the message, or use a wallet that’s got Blockaid, I guess would be the other solution here. Now excitingly, you and your co-founder have recently announced you’ve raised $33 million so I would imagine that there’s significant growth plans in the future. What’s on the horizon? As we look out to the next year, what should we expect from Blockaid?

Raz:

At a moment we understand exactly what is the problem we’re solving, we’re understanding the value that we’re bringing to our customers, but also we want to make sure that we’re able to improve and to detect these latest and greatest types of attacks. I mentioned earlier that we’re seeing what we do similar somehow to an antivirus on a blockchain environment. And for antivirus to be the best, it should always have these very fast feedback loops, being able to detect this new type of attacks or understanding there are new technologies that should not be flagged as malicious because they’re doing some weird stuff. So there’s a lot of work to do in order to improve our detection engine. We’re going to also announce a couple of more types of integrations and just keep building and protecting as end users as possible.

Ian:

That sounds exciting, Raz. We’re going to keep a close eye on the work you’re doing at Blockaid. Thanks so much for joining us on the podcast today. I really enjoyed the conversation.

Raz:

Thank you for having me.