Blockchain Security Series 7: Mudit Gupta (Chief Security Officer @ Polygon)

Описание: Blockchain Security Series Episode 7: Mudit Gupta (Chief Security Officer @ Polygon)
Hosted by Pablo Sabbatella - pablito.eth (Head of Security Research @ Blockfence)
Powered by Blockfence

Topics discussed:
00:00 - How you got into crypto and security
05:00 - The projects you worked and what you learned at each one (Polymath, etc)
09:00 - Differences and similarities between blockchain security in 2018 and now
11:45 - Blockchain security industry standards
15:50 - Exploiting web3 companies with web2 hacking techniques
19:00 - The Ronin bridge hack
24:30 - Do projects have good OpSec?
26:40 - How to start in blockchain security
31:00 - Developers and security tooling. The future of auditing: AI, automation?
35:00 - The future of formal verification
37:10 - Polygon PoS vs Polygon zk-EVM: their difference and what it means from a security perspective
40:30 - ZK vs Optimistic rollups security
43:00 - Polygon multisig
46:20 - Arbitrum Security Council
49:40 - Events: what are they? Should they be dropped?
53:32 - Multichain vs Crosschain. Is the future multichain?
56:47 - War rooms
01:01:30 - Security Alliance (SEAL) initiatives
01:05:00 - How to hack a DeFi protocol
01:08:00 - Easy tips that have the highest impact in security
01:09:40 - Conferences: Devcon, EthCC, EthGlobal

Summary:
In this episode, Mudit Gupta, Chief Information Security Officer at Polygon, discusses his journey into blockchain security and the lessons he learned from his experiences. He emphasizes the importance of not relying solely on smart contract audits for security and highlights the need for a security mindset and deep technical knowledge. Mudit also discusses the current state of security in the blockchain industry, including the lack of operational security standards and the need for better tooling. He shares his thoughts on the future of automation and AI in code writing and auditing, as well as the potential for formal verifications to become more accessible to smaller protocols. Mudit also explains the differences between Polygon POS and Polygon ZK-EVM and their respective security guarantees. He shares his experience with war rooms and the importance of monitoring and bug bounties in maintaining security. Gupta also provides tips for securing blockchain projects, such as enabling 2FA and using hardware wallets. He mentions his favorite conferences, including DevCon and ETHGlobal Hackathons.

Takeaways
Don't rely solely on smart contract audits for security; other aspects like operational security are equally important.
Develop a security mindset that allows you to think critically and identify potential vulnerabilities.
Deep technical knowledge of the system you're securing is crucial, whether it's smart contracts, chain-level security, or cryptography.
The blockchain industry still lacks operational security standards, and more focus is needed in this area.
Current tooling for security in blockchain is limited, but advancements in automation and AI are expected in the future.
Formal verifications offer a higher level of security but are currently complex, time-consuming, and expensive; making them more accessible to smaller protocols is a long-term goal. Formal verification is a security method that provides a guarantee of security, but it is dependent on the quality of rules or invariants written.
Polygon POS is a hybrid L2 side chain that offers good security guarantees and low transaction costs, making it suitable for retail users and adoption.
Polygon ZK-EVM is a true L2 ZK-based rollup that borrows security guarantees from Ethereum, making it more secure but more expensive to use.
Monitoring and bug bounties are crucial for maintaining security in blockchain projects.
Enabling 2FA and using hardware wallets are simple yet effective security measures for individuals working in the blockchain space.
DevCon and ETHGlobal Hackathons are among the favorite conferences for Mudit Gupta.

Bites:
"Most projects do not understand that smart contract audits are not enough for security."
"A good security researcher needs a security mindset and deep technical knowledge."
"Right now, we simply do not have sufficient tooling for blockchain security."
"Formal verification is really the only security method that gives you a guarantee of security."
"Polygon POS is a hybrid L2 side chain where we have checkpoints and milestones which guarantee a state."

Quotes:
43:00 - “Anyone who says they don’t need upgrades doesn’t understand software development”

“Future is 100% multichain, I can not imagine a future without multiple chains being live, because we are just gonna have different chains specializing in different things and having different strengths and so on, and we already have like dozens of L2s and so on. So multichain is definitely gonna happen. Crosschain may happen but I am not very bullish on it.”