The ‘U Up?’ Files with Joran Honig


Joran Honig sprung from the womb in 2018 as a fully-fledged ConsenSys Diligence tool builder and has become one of the most feared whitehats in the space, owing to the sheer complexity of his bug reports. He has been hanging out on the Immunefi leaderboard and is aiming to reach the top 5 by the end of 2023. As a proper Dutchman, he enjoys tulips, coding in obscure languages, and capital accumulation. We met at his second house in Giethoorn and conducted this interview on a paddleboat to learn more about his bug bounty tradecraft.

You are mysterious. The only thing that anyone knows about you is that you are a Dutchman and team lead at ConsenSys Diligence. What is the Joran backstory? How did you get into crypto? How did you get into security and auditing?

It’s all a bunch of fortunate accidents.

I’m not a big fan of unnecessary work, so after hearing and reading about DARPA’s cyber grand challenge, I got obsessed with automatic exploitation and vulnerability detection. It’s really cool how you can use techniques like symbolic execution to both detect issues and automatically generate working exploits.

Then later, I was doing this course in university on blockchain technology, and you’d be awarded some bonus points for doing something cool. Mythril, an automatic vulnerability scanner using symbolic execution, was suggested as one of the options for doing something really cool.

Now as one does, I couldn’t sleep one day, and I figured I might as well write a vulnerability detection module for Mythril. Long story short, I submitted a few PRs, got the bonus points, and joined ConsenSys Diligence to spend more time developing security tooling.

Developing an efficient symbolic execution tool is a very effective way to learn and get into smart contract security!

Another happy accident got me into bounty hunting. A while ago, I accidentally met with Travin, one of Immunefi’s co-founders. Turns out someone had intended to meet us individually and accidentally set up a call with just the both of us 🙈.

After talking with Travin, I figured, why not try this bounty hunting thing? It could be fun. I spent some weekends and vacation days hunting for bugs, with some nice results!

How many protocols have you secretly built?

🤫

None? 😉..

Robert Heinlein once wrote that “specialization is for insects,” which you have cited and which your last name alludes to in what could be a stunning act of nominative determinism (Honig->honey->honey bee). Your bug reports are some of the most specialized and technically complex in the field–so much so that sometimes projects can’t even comprehend them. The coincidences are piling up. Do you have something you’d like to admit?

Shit.

The bird has flown.

I repeat.

The bird has flown!

In my defence, my bug reports have diverse specialties.

I don’t mind diving super deep into a specific topic and specializing, as long as I get to do it over with a different topic tomorrow.

Also, bees are cool. Just sayin’

🐝 bzzz…

Can you discuss these specialties a bit more? What subareas of blockchain security do you think show promise for aspiring researchers and whitehats?

The insane diversity of fields that web3 projects touch on is one of the best aspects of hunting for bugs in this space. It’ll be challenging to list all the promising and interesting areas, but here we go:

Game Theory & Economics — Probably one of the lesser explored topics in smart contract security (well-researched at the consensus layer), but nonetheless very promising. Simple mistakes in incentive design can give an attacker an unfair and exploitable advantage.

Zero Knowledge — Zero knowledge is one of the hottest topics right now and is definitely worth exploring. It promises enormous improvements in scalability and enables a range of new applications that weren’t previously possible. On top of that, there is a whole new class of bugs to find with circuits that are underconstrained!

MEV — Knowing all the ins and outs of MEV is incredibly useful. Projects often don’t have an accurate view of the capabilities that attackers can have. Diving deep into the consensus layer and learning exactly how flashbots work can be a huge boon!

Logic Errors — Most of my findings require a so-called kill chain, a series of bugs that allow the attacker to get to the money. Some require a clever trick with MEV, others some economic consideration, but all have at least one logic bug.

Getting good at finding thinking mistakes is the highest-leverage thing you can do.

Web2 Vulns — Not all software is smart contracts. Web2 architecture can be exploited as easily as smart contracts and often leads to the same impact. Popping a shell and getting the owner keys for a repo is enough.

Every day, more than 25,000 people die from lack of bug bounty knowledge. More will die if you don’t tell our readers your bug bounty secrets.

RIP.

What is your go-to bug bounty toolkit? Do you use Hardhat? Foundry? Brownie?

My bounty hunting toolkit is very low-tech.

My main tools are VS Code + Bookmarks (Visual Studio Marketplace).

For PoCs, I try to stick to the framework that the protocol itself was using, so they can easily include it as a unit test to confirm the vulnerability and validate a fix.

One of the more special tools I use is cadCAD, which I’ve used to illustrate economic attacks.

How to maintain motivation is a recurring discussion in the bug bounty world. Everyone has their routines and tactics. What keeps you motivated? What is the thing about bug bounties that keeps you coming back?

Bounties provide a nice challenge, and you have none of the pressure of an audit.

Outside of that, I have three rules for maintaining motivation:

Keep it interesting — I only look at projects implementing something cool, interesting or difficult. No shitty NFTs, coins named after yet another dog breed, or convoluted pyramid schemes.

Zero tolerance for grifters — If a project I’ve submitted a bug to acts dishonestly, I immediately stop looking at their project and report none of my other findings. There is nothing so demotivating as a project trying to grift you out of a bounty they promised.

Freedom — If I feel like building some tools, learning a programming language, or even how to be a beekeeper, I’ll do those things and not force myself to hunt bugs. Interestingly, many of these unrelated side activities end up contributing to my bounty hunting in unexpected ways.

What is the future of security in crypto? Are we likely to come up with some kind of system that reverses or even prevents hacks? What are some interesting possible innovations or areas that could use some development?

The ability to reverse hacks will almost inevitably come at the cost of decentralization. Not everybody cares about decentralization, and a range of applications will be making the trade-off for the ability to reverse hacks.

Prevention is much more interesting because we can do so without compromise. Unfortunately, it’s fundamentally impossible to completely prevent hacks. 😢

No, not even formal verification prevents hacks!

Verification checks if your code matches a specification. If the specification is wrong or incomplete, your code can also be.

Complete prevention might be off the table, but we can still get close. We already have tons of tools and techniques that can help you catch and sometimes wholly avoid certain bug classes. To name a few:

Fuzzing
Symbolic execution
Verification
Static analysis

I expect that more powerful analysis tools will become much more usable in the future, helping people discover even more bugs.

It is said you are an expert in game theory. First, explain the role of game theory in smart contract security. Second, solve this problem, if you dare.

I like to dabble 😅

Many smart contracts create a system with economic incentives. Ideally, the mechanism design ensures that everyone benefits from participating (why else would they participate?).

Good game theoretic system designs are often fair and stable. Sadly, not all protocols achieve such a design. Some systems, like a pyramid scheme, work until they don’t, and then the bubble pops at many participants’ expense.

Unfortunately, the “tokenomics” research for some projects focuses on how a token might go to the moon rather than evaluating the different mechanics and looking at issues that might cause damage to the participants in the protocol.

Not all projects with weak designs run into trouble, and not all flaws are exploitable by a clever attacker. However, we should pay careful attention to our protocols’ mechanism design to ensure there aren’t any (exploitable) flaws.

If you’re interested in learning more about game theoretical attacks, then you should check out this article: Game Theory — Exploiting Superior Knowledge

Now for the puzzle.

I’d let the cart move its first set of wheels on the track to the two people and then switch the lever to keep the second pair of wheels on the main track, derailing the train.

If all goes well, my train kills no one, and as a bonus, my train will form a barrier in case the other train comes my way.
