How much does it mean to know about on-chain security: How can ordinary people build a crypto asset firewall?

Reprinted from panewslab
04/03/2025
Host: Alex, Research Partner, Mint Ventures
Guest: Zhou Yajin, CEO of BlockSec, blockchain security company
Recording time: 2025.3.28
Statement: The content we discussed in this podcast does not represent the views of the institution where the guests are located, and the projects mentioned do not constitute any investment advice.
BlockSec's service scope and target customers
Alex: In this episode, let’s talk about a topic that is closely related to you, which is the security of the crypto world. Before we encounter real risks, we often think that we will not be victims of security incidents in the news. How to build a firewall for your assets and allow yourself to invest in a secure environment is a compulsory topic before we embark on the crypto journey. In this podcast, we invited Zhou Yajin from BlockSec, a blockchain security company, to talk to us about the topic of encryption security. Teacher Zhou, please say hello to us.
Zhou Yajin: Hello everyone, I am Zhou Yajin. I am currently CEO of BlockSec. I am also a researcher engaged in cyberspace security at Zhejiang University. I am very happy to meet everyone.
Alex: OK, let's get to the topic today. I believe that a lot of listeners may not have that understanding of blockchain security companies and security services. Please first introduce to us BlockSec, what kind of service content you provide, what kind of people and institutions will become your customers.
Zhou Yajin: OK, BlockSec is a Web3 security company. We were founded in 2021, co-founded by Teacher Wu and me. When it comes to Web3 security, the first thing that comes to mind is security auditing. In fact, BlockSec's business scope is not just security auditing, we also provide a series of other security products and services. Specifically, services can be divided into three major sectors. We call the first sector security for on-chain protocols. On-chain protocols are smart contracts that we deploy on the blockchain to perform DeFi, NFT, or other activities. How should the security of these contracts be guaranteed? BlockSec provides security audit services and security monitoring products. The second part we are more concerned with is the security of assets. The so-called asset security is the assets that users have at hand. For example, these assets are in their own contract wallets or invested in some on-chain protocols. How to ensure the security of these user assets is also part of BlockSec's service scope. The third part is compliance and supervision. We have found that more and more traditional financial institutions are entering the Crypto industry. Including the news we have recently seen, these traditional banks in the United States have issued some stablecoin assets on the chain, including Crypto, and entered the cross-border payment industry. In fact, after these traditional financial institutions entered this industry, they brought a problem to supervision. Regulators did not know how to supervise, and these institutions did not know how to comply with regulations. So we are also helping regulators to supervise these players entering the Crypto industry, or helping these traditional institutions entering the Crypto industry to comply with regulations. These are the three scopes of our business.
Our customers cover a wide range of customers. What you can think of is project parties that do decentralized finance or other services on the chain, such as providing a Lending platform on the chain and a decentralized transaction platform. These project parties are our customers. We can help them do some secure audits before deploying and putting the smart contracts on the chain, and review whether the smart contracts they develop have security vulnerabilities through a security perspective. If there are security vulnerabilities, they need to be fixed in time. At the same time, when their protocol is deployed on the chain, we will also have a 7×24-hour monitoring platform to monitor the security risks of their protocol. If any security risks occur, our platform can promptly notify the protocol and can automatically block risks and attacks. Therefore, these developers and project parties who deploy smart contracts on the chain are typical customers like us. The second type of typical customers are those who own assets, which may be some high-net-worth customers. They own some assets in the contract wallet, or these high-net-worth customers will invest in some agreements on the chain. Our services and products can help them better monitor the security of those protocols they invest in. Just like the front and back of a coin, from the perspective of the agreement project party, we can help them improve the security of the agreement. From the perspective of high net worth clients who invest in their agreements, we can help them monitor the security of the protocols they invest in. Once the agreement he invests in has security risks, such as being attacked, he needs to withdraw his funds as soon as possible. The third type of customers is the supervision and compliance I just mentioned. This type of customers is mainly some regulatory agencies. 
For example, the CSRC in Hong Kong is actually our customers, and some overseas law enforcement agencies need to investigate digital currency crimes. They need to use our tools and platforms to facilitate some investigation activities such as withdrawing evidence and tracing funds. This is basically our overall business and the scope of our customers.
Three suggestions on encryption security
Alex: I understand. Teacher Zhou just talked about the type of customers, what kind of needs they have, and a rough industry situation. Then the second question may be more relevant to individual investors, especially the majority of our audiences are those who have just started to enter Web3 to learn and try to invest. If you have a friend who has just entered the field of crypto investment and knows that you are engaged in encryption security services, please give him three suggestions on encryption security. Which three suggestions would you give him?
Zhou Yajin: This question is very good. My friends often ask me for some safety advice. They also want to enter this industry, but I also heard that many people will encounter some risks. We once had a joke saying: If you have not been phished or scammed after entering the Crypto circle, you will not become a veteran player in this field. Of course this is a joke, but you can indeed find that there are many risks in this industry. If you want to make three suggestions, the first one is definitely something that everyone will think of, which is about private key protection. In the Crypto field, how to prove that you own this fund is actually to use the private key you own to prove your ownership of this account. A private key is a string of numbers, which is not bound to your personal identity. Once this string of numbers is lost or leaked, others can have control of your own funds just like you. This is very different from our real world. In the real world, your bank password is leaked, and you can call the bank and ask for the account to be frozen, and there is no way for others to withdraw money. But in the Crypto world, if your private key is leaked, the person who owns your private key can transfer your funds from your account without limit. Generally speaking, there are several ways to protect private keys. For example, we have a hardware wallet, and use a contract wallet or a mobile phone APP to protect private keys. Each method actually has its own advantages and disadvantages. Through my own experience and the overall experience of some of our security friends around us, the basic principle is to write down the mnemonic of the private key. Write it down and put it in the safe. No matter whether the safe is owned by your own or the bank, save it well and don’t move it normally, and you can’t use it. Then use a device that you relatively trust, whether it is a hardware wallet or a mobile phone, to store your private key.
This phone must be a dedicated device. Don't engage in any other operational activities, just to manage your own digital assets. This is the first suggestion. The second suggestion is to be aware of security and risk when trading on the chain. In essence, you only need to remember one sentence: pies will not fall from the sky. We found that when trading on the chain, the risk of phishing users face is very high. Many KOLs and OGs, including the crypto circle we are familiar with, have encountered phishing attacks and lost a lot of funds. If an inexplicable website requires you to connect to your wallet to get the so-called airdrop reward, you need to be more careful at this time and be aware of safety. The third suggestion is that you need to understand a little bit of basic knowledge about crypto assets. Basic knowledge refers to the concept of authorization in crypto assets. This is different from traditional finance. For example, you have a type of digital assets, USDT or USDC. Through the on-chain signature, you can authorize the assets to a contract or other users for use, and such authorization can only be achieved through your wallet to sign a bunch of weird things that you can't understand. So when signing a wallet signature, if you don’t understand or are deceived, you sign an authorized transaction, and others can use all your digital assets. So you need to have some basic understanding of authorization so that you will not sign such a transaction by mistake when signing a wallet signature. To sum up, the basic suggestions are: the first is to protect your own private key and give some actionable methods; the second is to be careful when conducting on-chain transactions, and be safe and do not be phished; the third is to have a basic understanding of Crypto's authorization mechanism, so that some authorized transactions will not be signed by mistake.
Alex: I actually have a lot of high net worth friends around me. They are also OG or veterans in the industry. Logically speaking, they have some of the security awareness you mentioned, but every year I hear some big players around me being stolen. There is a saying in the industry that if a professional hacker catches you, he knows that your wallet is rich, and if he uses all the resources available, it is often difficult for you to escape. Do you think this statement makes sense? Is this really the case?
Zhou Yajin: Your question is very good. In fact, security issues, especially when it comes to Crypto security, are essentially an unbalanced confrontation. If you have enough assets in your wallet, you will easily become the target of targeted attacks by others. Once you become the target of other people's targeted attacks, others will use a lot of resources, whether it is the resources of social workers, technical resources or other resources, and design attack methods against you based on the target's daily behavior patterns, life habits, etc. In this case, it cannot be said that it is 100%, but it is very difficult for you to defend, because others use a lot of resources to fight against you, and you are the only one. So it's a very asymmetric confrontation. Under this situation, I think the basic principle is that the first is that we Chinese have a saying that wealth does not reveal our wealth, that is, you should not disclose the assets you own, and avoid leaking your personal offline identity and the identity relationship between the assets on-chain. The second point is that even if you are a high net worth user and may have been leaked by others, you need to isolate your assets as much as possible. That is to say, the assets you operate on daily basis may be up to 100,000 yuan in your dedicated wallet. If others target you, you can only cheat the 100,000 yuan at most. And your other large amount of assets should be placed in a wallet that you basically don’t need to use. If you need to use these assets, you need to find a security expert to help you review a better set of operational processes and specifications, which can avoid very large risks.
The three most impressive security incidents
Alex: Understand, this suggestion is really important. Can you share with us three of the most impressive security incidents since we started working? It can be experienced by you yourself, or it can be your friends or some of your experiences.
Zhou Yajin: I can share with you a security incident that we actually participated in and were deeply impressed by. The first example I remember was on February 10, 2023, and there was a protocol on the chain called Platypus Protocol that was attacked. It is a platform for lending and other features. There is a security vulnerability in this protocol. Through this vulnerability, hackers stole nearly 9 million USD assets. The reason why I was impressed by this is because the hacker made a mistake when attacking the Platypus protocol. When he attacks a smart contract, he needs to develop a smart contract by himself. A smart contract can be understood as a string of code that can operate on its own. When a hacker attacks, he deploys his own attack contract, and this attack contract completes the entire attack process. But attackers are also humans, and we all know that as long as they are humans, they will make mistakes. He made a mistake when writing attacks smart contracts, which had a vulnerability in the contract that could be exploited. This vulnerability can withdraw the funds stored in the attack contract, which is also the funds obtained from the attack platypus protocol. As a security company, we are actually always following the attack incidents on the chain, and we have a set of attack detection engines that can sense all attacks that occur on the chain at the first time. Coincidentally, we detected it as soon as the platypus was attacked. We will independently analyze this security incident, such as what is the cause of its attack and what is the vulnerability. At the same time, we will also contact the project party to help them and tell them how to patch and deal with it. During this process, we discovered a hacker's vulnerability and told the project party that we could exploit the vulnerability. Then we developed a string of code with the project party to extract the attack funds, which is 2.4 million from the attacker contract. 
This is also the first time in the entire blockchain security history that we call it hack back, which means that it uses its vulnerabilities to withdraw the funds it stolen to return to the project party. This is a particularly interesting confrontation, and I was quite impressed by it.
Alex: Did you have a cooperative relationship with Platypus before, or did you start to communicate after this incident?
Zhou Yajin: We actually had no cooperative relationship before, and we only contacted us after this incident. I can extend the process of handling security incidents. We have a set of security attack engines inside. When a security incident occurs, our engine will call the alarm as soon as possible, and an emergency response team will analyze it together. First, we will look at which protocol is attacked, and then we will try to contact the project party through various methods, whether it is on-chain Twitter or other methods. In the case of Platypus, we didn't have their contact information before. We contacted the project party through Twitter and helped him analyze the entire reason for the attack, because many times the project party doesn't know why the attack was attacked. Anyway, the money in the agreement is gone, but the reason is not clear. At this time, the security company needs to help him conduct analysis. After the analysis, it involves how to repair the protocol. If the reason is clear, we need to fix the vulnerability, how to apply the patch, whether it is safe after the attack, and track the stolen funds, we also need security companies like us to help him together. We will deal with the project party throughout the entire emergency response process. Specifically for this case, we actually had no contact with this project before, but fortunately, during the disposal process, we contacted it in time and were able to recover part of the funds. In fact, more cases are the attacks we discovered, but we couldn't contact the project party.
Then the second case is also quite interesting, which happened in 2023. Our Chinese listeners may be more familiar with it because this case involves a project called ParaSpace. ParaSpace can pledge Bored Ape NFTs and borrow other assets against them. I know that many Chinese OGs are actually holders of Bored Ape NFTs. This protocol actually has a security vulnerability, which should have been attacked in March 2023. I clearly remember it was a time period like morning or noon in Beijing time. After our system has a warning immediately, we first contact the project party and we have to analyze the reasons. However, we found that the first attack transaction that was exposed by our system was reverted on the chain. Revert means that the attacker had insufficient handling fees when attacking, which resulted in the attack transaction not being successful when it was launched. But his attacks on the transaction behavior and trace have been exposed on the chain. Our system can also detect this transaction that we call reverted, which means that it fails but is on the chain again. This is the ability of our engine, and it can be judged that this is an attack transaction. After we judged it, we thought of a way to say whether we can simulate the behavior of attacking transactions and automatically generate an attack transaction like it. However, this "attack" needs to be put in quotation marks, and we need to replace the profit-making address in the transaction with our address. In this way, the funds in the currently in danger agreement can be rescued and placed in our own security account, and then contact the project party to return the funds to them. This is similar to saying that the bad guy's knife is almost cut, but for some reason, the first attempt was not successful. We can also try to withdraw funds in advance using the same method, so that when the attacker attempts to attack for the second time, there is no funds in the protocol and the attack will fail.
After we had this idea, we actually had a system inside that we could quickly automate such things, and then automatically generate a transaction like "attack", post it on the chain, withdraw the 5 million US dollars of assets in the ParaSpace protocol, and then contact the project party to return the funds to them. This is actually very interesting. It is the highest amount in history. We call it rescue, which is an action to save funds on the chain. If it weren't for this rescue, their assets might have been robbed.
However, after this security incident, it actually caused a lot of our thinking, because there are many moral and security ethics issues. For example, after we observe an attack, although the funds in this agreement are withdrawn, this is essentially an attack transaction. It simulates the attacker's behavior. Although the funds are withdrawn out of good intentions and returned to the project party, it is strictly an attack. This involves compliance and security ethics issues. Our thinking at that time was to say, when you see a bad person stabbing a good person with a knife, should you stop him or let him develop. I think we choose to stop it, although there are some moral and ethical issues and safety ethics. After this incident, we also deeply realized that on-chain security cannot save funds through the hack back we just mentioned, which is the method of hacking it back. The project party should be allowed to know the security risks he faces as soon as possible. He must know that the project is attacked, and then he can configure some automated operation strategies. When these security incidents occur, our system tells him that he should be able to pause the protocol automatically, so that the attack will not succeed. It not only prevents attacks and saves users' funds, but also does not have any security ethical risks. This is the whole idea of developing the subsequent Phalcon attack monitoring and blocking products after these two incidents. This is the second major security incident in my mind.
Alex: I seem to have noticed this security incident at that time. You just talked about protective attacks. I would like to ask a detail, that is, after the revert attack you just mentioned occurs, you must need an internal discussion and decision-making to see if you want to do protective attacks. How much time has it been separated from discovering this incident to completing the decision to protect funds?
Zhou Yajin: It's very fast. It takes about a few minutes from the first time we know and finally finishing this matter. Because the company has formed a very complete security processing process, it will immediately discuss and make decisions after knowing the security matters. After the decision is made, because there are already some automated tools, it can be done quickly.
Alex: I understand.
Zhou Yajin: The third case is the Bybit security incident that everyone should have paid attention to recently. In February, US$1.5 billion of assets were stolen. This attack is also the single security incident with the largest loss in the security circle so far, and its losses are very different from the two security incidents I mentioned earlier. The previous two security incidents were caused by contract vulnerabilities, but Bybit's security incidents actually have nothing to do with the vulnerabilities in smart contracts. We describe it as the trust chain being too long. In a system with such a large capital volume and such a long trust chain, the attacker found the weakest link through the attack of social workers and then completed the attack. Specifically, Bybit uses a contract wallet called SAFE, which is a smart contract wallet to manage it. SAFE is a multi-signature wallet. You can understand it as a lock that requires three people to open at the same time. This lock can be opened and the funds inside can be withdrawn. This lock is made by a project party that provides such a contract wallet. You will find that the trust chain in this system is very long, including developers of SAFE wallets, people who operate SAFE protocols, and when using SAFE wallets, they have to go through the UI interface in the browser, and the operator of SAFE wallets, which are employees of Bybit with three keys, or people with funding permissions. They have to go through the computer browser or through their hardware wallets when using SAFE wallets. You will find that there are many aspects involved in this. When we talk about safety, the most difficult thing when it comes to safety attack and defense is that when it comes to defense, you have to prevent any shortcomings in your system, because the water level of the system's safety depends on the shortest board in the system. An attacker does not need to break through the very good parts of your system.
He only needs to find the weakest point in your system, and then use that point to launch an attack to complete the entire process. The entire attack process in the Bybit case is like this. He may find that first of all, this is a targeted attack, because he found that the Bybit SAFE wallet, which is the smart contract wallet, has a lot of assets. The target he selected is the developer of this SAFE wallet, because we just said that in the end, no matter who operates it, he must use the UI interface provided by SAFE, which is its website to operate your assets. Then if I can break through the developer's computer through social workers or other means, let the developer deploy a malicious code on the SAFE website, and then when anyone goes to the SAFE website to operate his wallet, the operation behavior seen is inconsistent with the operation behavior that occurs on the actual chain, but normal users do not understand it. For example, when a normal user goes to the bank APP to operate, he sees 100 yuan in the bank APP to transfer money, but in fact, 900 yuan is transferred, but I don’t know, because what I see in this APP is 100 yuan in the transfer money. Then if you break through the developer of the APP or the developer of the SAFE wallet, so that the operator sees the operation interface and the actual behavior rules in the wallet, you can complete the entire attack process. It is actually done in this way. Then how can it get the developer permissions? It was through some social workers' attacks that finally completed the entire attack process. In this, even when the SAFE developers are compromised, we actually have other opportunities. For example, if you can tell you what the transaction you signed when you sign your wallet is inconsistent with the transaction you see on the website, there is actually a chance. In the past, many banks had U-Shields. If you have experience, you will find that there will be a display when you press the button on the U-Shield. 
It tells you that you are transferring 500 yuan now. Are you confirming or not? You can confirm on the U-Shield device. It actually solves this problem, because even if my APP is attacked, the APP tells you that you transferred 100 yuan, but when you finally confirm, the U-Shield tells you that you transferred 500 yuan, and you find that there is inconsistency. Specifically in this Bybit case, if you have such a better reminder ability in the wallet you signed, it can actually prevent such attacks. But the most regrettable thing is that in this case, the signed hardware wallet is not very well made. After SAFE's UI was compromised, it signed such a malicious upgrade transaction, and then the attacker took over the wallet and transferred 1.5 billion US dollars. So this is a more impressive thing. One of the revelations this incident brings to us is that cross-verification must be done when it comes to large amounts of funds. You cannot trust the information a single provider or single point tells you. If you rely on information told by a single vendor or a single interface, as long as this is compromised, the system link will be gone. Therefore, cross-verification must be done, and a third party must help you verify whether what you see is real through the perspective of a third party. In such cases, the risk can be further reduced.
Experience social worker attacks
Alex: In the case you mentioned just now, there is a word called "social worker attack". Perhaps not all listeners can understand the meaning of this concept. Can you explain it?
Zhou Yajin: The full name of a "social worker attack" is social engineering attack. It does not use some technical means, but a set of attack methods designed for you, your work habits, interpersonal relationships, your work responsibilities, etc. I can give you a case of social worker attacks that I have personally experienced, which is easier for everyone to understand. As the CEO of BlockSec, I often receive some information, mainly two types. The first type is some invitations to participate in podcasts, conferences, and interviews. The second category is some investment institutions, who will contact you about some investment opportunities. I met someone who sent an email through the company's email saying that he was an investment institution and wanted to discuss some investment opportunities. Our sense of security is still relatively strong. We will observe his email and domain name, and sometimes we will do some background checks, look at his company's website, and the investment portfolio. After doing the background check, I found that this was a pretty decent institution. Although I had never heard of this institution, I made an appointment with him at Calendar. But at this time you will find that the first strange phenomenon happened. When the meeting was booked in Calendar, he did not provide you with any meeting links. We usually make appointments for meetings and will connect to Zoom, Google Meet or other meeting software. But he didn't provide any link to the meeting, just made an appointment. When it is time to hold a meeting, you email him and say we are already holding a meeting and send me your meeting link. He will send you a meeting link immediately. After you click on this link, you will find it strange. He asks you to download a software. If you have no experience at this time and feel that you are about to have a meeting, he will use your anxious mind to keep urging you through emails and bombard you with emails.
If you are eager to facilitate this opportunity, you may install the software without hesitation, but in fact it is a video conference containing malicious elements that will steal your private keys in your computer. This is a social worker attack I have actually experienced. So you can find that the attacker will attack my position in the company and the job responsibilities I assume, using the mentality I was anxious about before the meeting.
Alex: I saw that there was also a very high attention in the industry two days ago. The founder of a certain agreement said that when he was attending an offline party, his mobile phone left him for about ten minutes, and about a few million yuan of funds in his mobile phone wallet were stolen. Suppose this attack happened when his mobile phone left, is this also a social worker attack?
Zhou Yajin: Yes, I think it belongs to a social worker attack, but it actually does not belong to the social worker attack in our usual sense. Because in this case, his mobile phone is only left for a while. Of course, the main purpose of others inviting him or approaching him is to get his mobile phone, but how to unlock the mobile phone and obtain the funds after getting the mobile phone, actually there are some very strong technical support in it.
Security principles when interacting with blockchain protocols
Alex: I understand. We just talked about many very representative major security incidents. Back to the time when we ordinary people do blockchain protocol interaction, as you said, many of the projects you previously served were Defi protocols, and many of us interacted on the chain were Defi protocols. When we interact with these Defi protocols or other protocols, do we have some security principles that need to be followed? I believe that most ordinary users do not have the ability to read code, and may not even have the ability to read signed information. In this case, how can we minimize this risk?
Zhou Yajin: I think if ordinary users want to do on-chain transactions, they must first do some background checks on the project party. I think it is quite important. If you invest in a project on the chain, if you have a small capital and try it out, it might be fine. But if you say very seriously that I am an investor and you need to invest in on-chain agreements, at this time, because your capital volume is relatively large, you may need to conduct a better due diligence on the project party. The due diligence here is basically divided into the following levels. The first level is who the founder of this project is and whether it is anonymous, because some on-chain protocols are anonymous protocol projects. You have to know the quality of this agreement, you have to know who the founder who appeared outside, and whether he has ever had a history of the project, which is very important. That is to say, you must first do some background checks on the composition of the agreement itself and the identity of the founder. The second point is that you need to do some background checks on the project's own technical capabilities. You can see if this project party has undergone audits from a relatively top security company. Like what you just said, many users may not understand technology and code, and cannot understand audit reports, but you can pull down the audit reports and simply review some core key points. For example, which company the auditors are from, what their reputation is like, and whether there are some core security loopholes in this report. A core security vulnerability being found in the report does not mean that the agreement is not safe. It just means that the security company may be more conscientious. It has found some security vulnerabilities, which will reduce the overall security risks of the project party. It is necessary to look at this matter dialectically.
After you have done your background checks on the project team, you should basically take a gradual approach when interacting, and not put in large amounts of funds at one time, as the risk is relatively high. Another thing is that we need to use some professional security tools, such as attack monitoring tools and platforms. If your capital is relatively large, you must keep track of the security risks of the protocols you invest in at all times. You can monitor the overall security of the protocols you invest in through some platforms, such as our Phalcon platform. For users with relatively small capital, I think the main thing to guard against when transacting on-chain is the risk of phishing. After all, the probability of a protocol being attacked is relatively not that high, but on-chain phishing, authorization and similar risks can indeed happen to ordinary users at any time when they are on-chain. Guarding against these risks comes down to not being too greedy; pies do not fall from the sky. When you interact, try to confirm that this is the official website, not a copycat website. As for how to confirm that it is the official website, it may still require a certain ability to collect and organize information. Of course, you can also use some security tools to identify phishing websites. In this way, some risks can be avoided.
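Alex: I noticed an incident. Two days ago, Binance delisted the tokens of many projects, saying that the operations they could provide were not up to standard in various respects, so Binance delisted them. Then a project team said that due to various problems, the project may not be operated in the future and is in a semi-abandoned state. So suppose this user used a DeFi protocol a year or two ago, and now nobody on the project team looks after it, and nobody knows who holds the upgrade permission for the code. In a specific case like this, could it be that because their upgrade permissions were not properly managed, they fall into the hands of hackers or people with ulterior motives, so that if you have not revoked your earlier authorizations, the funds in your wallet are threatened by these later developments?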
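Zhou Yajin: Yes, that is also possible. Especially, as you just said, if a user has authorized some protocols to use their funds, and those protocols and smart contracts may later no longer be maintained by anyone, then if the authorization is not revoked there can in fact be a security risk. As for solving this problem, we have always advised ordinary users to regularly review their authorizations. You can revoke the authorizations you no longer use. Many users may not really know which projects they have already authorized. We built a tool called the authorization diagnosis tool: you enter an address, and we can tell you which protocols that address has authorized. We have found that many users have in fact authorized dozens of protocols, many of which are no longer active, and these protocols that are inactive and get no security upgrades may have security vulnerabilities. As long as a security vulnerability exists, others can transfer your funds away through the vulnerability in the protocol you authorized, which is actually quite a big risk.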
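Alex: Understood. I have one more question about interaction security. Among the DeFi protocols and other protocols that have been attacked in the past, we find that DEXs and the like have been stolen from or attacked relatively less often than lending or staking protocols. Does this have to do with the type of smart contract these two kinds of protocol use? Or is there any other reason?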
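Zhou Yajin: You are quite right. Relatively speaking, the security risk of a DEX is lower than that of lending, yield farming and some financial derivatives protocols. First of all, a DEX's overall protocol is fairly simple: the protocol in an on-chain DEX is the xy=k constant product. Of course Uniswap V3 is slightly different, but the basic core is the constant product formula. So first, the protocol is simple; second, there is already a very good reference example, namely Uniswap. Many DEXs are forked from Uniswap, so you only need to make some simple modifications to deploy an on-chain DEX. Its overall security risk exposure is somewhat lower. But for lending, yield farming, other leveraged lending, and protocols with more complex functions, the protocol design itself is more complex. For example, if we build a lending platform, in principle it sounds like I put asset A in and borrow asset B out, and as long as I keep the overall health of the assets under control it is OK. But then there are, for example, the types of collateral assets you want to support and the price fluctuations of the assets, and if you want to support leverage, how can you ensure at all times that even when users repay your money, the overall health is still there. The complexity of the protocol itself is higher, which makes these protocols more likely to be attacked. I think this is the first reason. The second reason is that a DEX itself does not hold money. Of course, the money in a DEX all comes from liquidity providers, that is, the money you put in when you provide liquidity. But for the people who actually use the DEX, you just do a swap: you put token A in and token B comes right back, so your assets are not in the DEX's pool. Even if the DEX's pool is attacked, most users will not lose anything; the losers are those who provide liquidity. Lending platforms and other platforms are different: your assets really are placed inside, and you are over-collateralized. With some other, more complex protocols, a lot of user assets are retained inside, and after an attack the group of affected users is also relatively large. I think this is the second reason.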
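Then we have also found that, historically, DEXs have not been immune to attack either. The reasons they were attacked are fairly simple. First, a DEX's risk exposure actually lies in authorization, because when you swap you need to authorize the DEX's router contract to use your tokens. Although the router contract does not hold money, if the router contract has some arbitrary-execution vulnerability, it may be possible to sweep away the funds of all users who have authorized the DEX. We have found that the DEX vulnerabilities that caused relatively large losses were mainly of this type, but this type is relatively easy to find. Any reasonably competent auditor can in fact find it fairly easily.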
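Alex: So in the authorization vulnerability case you just mentioned, if an audit company finds that a DEX has this kind of arbitrary-execution permission, it will generally advise them that this is unreasonable, or remind everyone of it when the report is disclosed?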
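Zhou Yajin: Right, this is definitely a vulnerability and definitely unreasonable. If a security company audits it, it must get this fixed; it is a very critical vulnerability.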
The current state and potential of the blockchain security industry
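Alex: OK, we just talked about a lot of specific questions about security offense and defense and how to protect personal assets. Let's turn to today's last question, about the state of the blockchain security industry. As you said, in 2021 and 2022, because there was a lot of DeFi, the blockchain security industry had a very large number of customers. So as of this year, roughly what level is the size of the security industry at, and what are its current state of development and profit level?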
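Zhou Yajin: That is a good question, because being in the blockchain security industry, you have to know at all times what stage the industry is at and where the ceiling is in order to develop the company better. Currently there is in fact no generally accepted figure for what the market cap of the whole blockchain security industry is. But there are some reports online, or people's own estimates, which put the overall size of the blockchain security industry at about 3 billion US dollars a year. That is relatively small compared with the traditional cybersecurity industry. For example, in 2024 the whole traditional cybersecurity market should have been around 100 billion US dollars. 1000 US dollars compared with 3 billion US dollars is actually quite a big gap. I think this has to do with the current state of development of the whole industry, because blockchain security is essentially security products and services that serve the blockchain industry, and the blockchain industry as a whole is still at a fairly early stage. For example, the period when it developed well before was DeFi Summer, when some new innovations came in. In the last year or two, after the wave of financial innovation of DeFi Summer passed, nothing particularly good or more innovative seems to have come in, so the size of the whole blockchain industry actually reached its highest TVL in 2022. I remember that the highest level of TVL for blockchain security as a whole at that time should have been 177 billion, that is, more than 100 billion US dollars. But I looked at the data before joining this show today, and the total TVL is now 99 billion, which is to say perhaps a little more than half of the peak, so it seems that the development of our blockchain industry has hit a bottleneck.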
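But at the same time, we have also found new potential in this industry: traditional financial institutions are slowly entering it. There are some signals of traditional financial institutions entering the industry, for example traditional banks issuing stablecoins on-chain, and in a way that complies with regulation. Traditional payment providers such as Stripe are supporting crypto payments. Some cross-border payment players are using crypto to solve the payment problems faced by traditional cross-border e-commerce. So we find that although there is nothing like the innovation brought by DeFi Summer in 2021 and 2022 that drove TVL to new highs, traditional financial institutions and merchants with real-world needs are entering the industry, and once they come in they will bring compliance to the whole industry. If an industry wants to grow large, it must develop compliantly within a regulatory framework and system. I think this is the opportunity we can see in the last year or two. So overall, the blockchain security industry is still relatively small and still at an early stage. But as traditional financial institutions come in and there is more and more regulation and compliance, I think the potential for explosive growth here is still fairly large. This is my own observation.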
The moat of leading security companies
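Alex: OK. I remember very clearly that in 2021 and 2022 it felt like blockchain security companies, especially those doing smart contract audits, were making a lot of money. It even felt as if a well-known security company letting you jump the queue and scheduling your audit sooner was doing you a favor. What do you think are the main moats of the leading security companies?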
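Zhou Yajin: I think there are probably a few points. The first is brand and trust. Security auditing in particular is a service that depends very heavily on brand recognition. You just mentioned that when the market was better, audits were very hot and you might have to queue for a long time. In fact, that is still the situation today for the leading security audit companies: it is not the case that when a project comes for an audit, staff can be supplied right away. Leading security companies with a brand effect are still in this state of demand exceeding supply. So I think one moat is brand and trust: how to build a good brand image in the blockchain security industry, and the trust that the brand brings, whether that trust comes from users, project teams or other participants. This is very important. The second point is the need for innovative security technology. To solve blockchain security problems, apart from security audits, are there really no other solutions that need to be added? A security audit can only provide a one-time security review before a project's smart contracts are deployed on-chain. But after the project actually goes live, the project team may change parameters, it may do some day-to-day configuration, and day-to-day upgrades may not be audited again because of queuing or cost considerations, so there are many security problems that arise for various reasons after the smart contracts are deployed. We cannot rely on security audits alone to solve such problems; there have to be some innovative security technologies and products that can solve them. I think this is also where BlockSec is very different from other blockchain security work. Besides security audit services covering smart contract security before a protocol goes live, we also have a platform for monitoring and blocking attacks that covers smart contracts after they go live. This also makes it the only blockchain security company in the world that has both smart auditing and attack monitoring and can cover the full life cycle of smart contracts. This is very important: you have to have innovative security technologies and products that can really help users solve problems in this market. The third point is compliance, regulation and the influence of geopolitics. The crypto industry will ultimately have to be under compliance and regulation before it can have the chance to develop at large scale. Not everyone agrees with this view; it is just that we have been in this industry for so many years and we can see that for this industry to develop it must be in the sunlight, within a system of compliance and regulation, before it can attract that traditional old money into the industry. In this situation, you prepare compliance and regulatory products and services early. Compliance and regulatory products and services require you to have a fairly deep understanding of the industry's regulatory policies and compliance requirements, and then to be able to turn that into products. In addition, the so-called geopolitical influence is that some regions actually have geographic considerations when choosing suppliers. For example, Hong Kong regulators may be more inclined to choose products from non-US suppliers. So when you have a fairly deep understanding of regulatory policy and compliance, have good products, and also have some geopolitical influence, I think that is a blockchain security company's moat.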
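Alex: Understood. Today we covered quite a lot of dimensions of crypto security, from specific security incidents, to the security principles everyone needs to pay attention to, and the size of the whole industry and so on. Many thanks to Zhou Yajin for coming on our show today to share these insights. I hope we will have other opportunities to talk about more related topics in the future.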
Zhou Yajin: Thank you, Alex.