Digitalization of Shield and Sword: HAPI’s Mark Letsyuk on the Threat of AI and Challenges in the Blockchain Industry

19.02.2024

The experts surveyed by Incrypted are hopeful about the cryptocurrency industry’s future in 2024. This sentiment was shared with reference to the challenges posed by ETF adoption in the US, the bitcoin halving, and the development of the decentralized finance ecosystem.

However, the industry might encounter significant challenges like blockchain censorship and criminals using artificial intelligence. We interviewed Mark Letsyuk, CCO of HAPI, to gain insight into these issues and more.


As a company focused on cybersecurity, I can only speculate that 2024 will be a positive year. The adoption of ETFs and the upcoming bitcoin halving, along with the recovery of ecosystems such as Solana, Near, and Cosmos, are all positive developments that could have a significant impact.

Hackers tend to be more active during a bull market for obvious reasons. Do you expect an increase in cybercrime in 2024?

We definitely expect a surge because the use of AI tools and various AI modules for fraudulent purposes is only going to increase; we are absolutely certain of that.

The truth is that our industry will not reap the benefits of artificial intelligence. The technology has its merits. But cybercriminals are always two steps ahead. We will likely witness AI-powered malware that surpasses even the most sophisticated cybercriminals.

In 2025, we may witness the following situation: a decentralized protocol written entirely by artificial intelligence being attacked by a malicious utility also created by AI. A security module, made by a neural network, would check for and try to stop the attack.

Full digitalization of shield and sword.

However, the scenario of machines taking over the world in a physical sense, as depicted in Terminator, is still far from becoming a reality. While the replacement of physical labor and activities is not imminent, there is a trend toward automation at the program level that is rapidly advancing. But this trend also increases the risk of fraud.

Cybersecurity vulnerabilities are inevitable in program code. This is particularly true for blockchain products. Their open-source nature lets fraudsters test attacks during the testnet stage. Once they identify vulnerable code on the mainnet, they launch their attacks immediately.

Artificial intelligence will identify vulnerabilities in open-source code that attackers can exploit.

So hackers will use neural networks to find exploits?

Experienced hackers use their hands, eyes, and scripts to find vulnerabilities in source code. AI modules and neural networks will soon automate this process to rapidly detect these weaknesses.

The security team will also use this tool. Certik has a tool that scans smart contract code for known vulnerabilities in the public domain. Unfortunately, it only helps 90% of the time.

Superficial audits of smart contracts and decentralized platforms, done just to check boxes, are a significant issue.

Certik has developed a tool that small projects can use to cover themselves. By purchasing a minimum rate scanner and loading their smart contract code into it, the program scans for vulnerabilities and reports ‘no vulnerability detected.’ But it only scans for around 90-95% of the most surface-level vulnerabilities.

There’s no full pentest happening?

You can ask Certik for a full audit, but it might be costly, ranging from tens to hundreds of thousands of dollars. This will give you a higher level of certainty.

These scanners can cost up to $5,000. They allow you to scan any smart contract for known vulnerabilities. Such services may soon be available for a monthly subscription fee of $200-300. This has both positive and negative implications.

It is intended to be a validation tool, but many projects exploit the well-known Certik label. The scanner runs a smart contract, and Certik generates a certificate automatically. People upload the certificate to their website or GitHub and claim that their project has been audited by Certik. Yet, this does not guarantee security and hacks could still happen.

Let’s go back to AI again. Can we expect a player on the market to offer security-as-a-service?

That is, an AI-based software module that could connect to a decentralized application or integrate into the blockchain to search for unusual activity or check code.

I estimate the probability of that at 101%. We are currently working on it, as are our competitors.

But we can’t promise a fast and exclusive turnaround. This is because our team is small and we lack resources compared to companies like Chainalysis, valued at $8 billion. Nonetheless, we strive to be a leading competitor in the industry.

We know that there is a cybersecurity company in Israel that has some of the most advanced developments in the field. The exact plans of Chainalysis, Elliptic, Certik, and others are unknown. However, their vast resources will probably help them make rapid progress, even if they start later.

We will aim to release a product that scans contracts in real time during the first half of 2024.

What other security issues exist besides the threat of AI?

The smart contract undergoes an audit before deployment to the mainnet. Subsequently, for each update, a new audit is required, regardless of its scope. Unfortunately, many companies neglect this crucial step.

According to our information, 1inch conducts dozens of audits for each contract renewal. This makes them the leader in the number of audits in the public domain.

Following the hacking incident, the Wormhole team conducted over 40 audits. This data might be outdated. Both projects might have surpassed these numbers by now.

Aave goes through audits with leading companies for every smart contract update, which can be costly.

That said, we believe cross-chain solutions like Wormhole will remain vulnerable in the future, possibly even more so. This includes bridges between Ethereum and Arbitrum, which are much easier to maintain.

When handling many networks, it’s vital to keep all smart contracts and routers secure. This requires significant resources, budget, and time.

Layer 2 (L2) solutions, which use centralized sequencers managed by 3-of-5 multisignature, may not provide adequate security. We believe this approach fragments the liquidity of the blockchain into unconnected networks, rather than scaling Ethereum.

If it’s a competition and two or three projects succeed in the end, that is acceptable. But if the segment keeps developing like this, it might cause unsafe fragmentation.

What do you highlight as an alternative? Ethereum developers chose to focus on rollups.

Currently, Optimism and Arbitrum are considered the best solutions. But they don’t interact with each other, and there seems to be a lack of synergy between them. This can cause liquidity issues. For the average user, transferring assets to these platforms is equal to moving them from Ethereum to Near or Solana.

Yes, from the user’s view, there’s no difference, including in commissions.

Managing L2 security and bundling transactions in Ethereum is tricky. While there are also issues in the Bitcoin ecosystem, they are minor in comparison.

We recall the Lightning Network (LN) vulnerabilities disclosed in 2023. It led to an exodus of developers, including reputable ones. They believe they need to focus on security instead of adding more channels and liquidity.

The issues with Ethereum’s L2 remain the same. Currently, LN is not a completely secure solution and is quite centralized. While I am less skeptical of Lightning Network, I still have some reservations.

What other issues does bitcoin have?

Censorship, mainly due to Ordinals spam. Even during the bear market in the summer of 2023, the network faced heavy spamming. If you didn’t estimate the commission correctly, or if it changed a lot while you were making a transaction, you might get stuck in the mempool for up to three days.

Bitcoin currently lacks interfaces that are easy for users to navigate for transaction processing.

This raises concerns that Ordinals or BRC-20 tokens could flood the network, making it nearly unusable. Block generation won’t stop, and the blockchain will keep working. But high fees and an overloaded mempool might stop average users from sending transactions, essentially halting activity during a bull market.

That’s why some main bitcoin developers are thinking about putting restrictions and sanctions on the network at the protocol level. But censorship is not desirable. This is commonly seen in altcoin networks, but there have been no such incidents in Bitcoin.

If Bitcoin Core takes this step, it could negatively impact the ecosystem. Currently, I am unsure of any viable options for utilizing bitcoin, aside from holding it or transferring assets to a new wallet every six months for security or interest purposes.

The suggested solutions, like bitcoin smart contracts, tokens, NFTs, and some DeFi products, aren’t enough to bring about mass adoption. When compared to networks like Ethereum, Solana, and Cosmos, they fall short.

If I remember accurately, many of these solutions have some connection to the Lightning Network.

Yes, that is correct. Regarding Bitcoin, as of the beginning of 2023, four mining pools controlled 50% of the Bitcoin hashrate. However, Foundry and AntPool have maintained a long-term trend, each controlling 27% of the hashrate.

Bitcoin maximalists argue that conducting a 51% attack is not in their interest. The same can be said for centralization in Proof-of-Stake (PoS). Validators have no incentive to damage the network. However, we are calculating the Nakamoto Coefficient by pointing to Ethereum’s centralization.

When Foundry, a pool owned by Digital Currency Group (DCG), and AntPool, owned by Jihan Wu and Bitmain, control most of Bitcoin’s hashrate, it raises concerns. Additionally, Foundry has a system to censor transactions at the request of OFAC.

Are there any issues with centralization and related problems in the PoS algorithm?

In the Ethereum community, there’s much talk about staking centralization with Lido Finance. At present, Lido Finance holds up to 33% of the stake, while Coinbase holds up to 15%. If combined, they could control 50% of the stake. It is important to note that attacking a PoS network requires two-thirds plus one vote, which is equivalent to 67%. But, there’s no guarantee Lido Finance’s share won’t grow. It’s a handy tool for people who don’t have the required 32 ETH for native staking.

Lido Finance tried to cap the highest stake at 22%, but the DAO turned down the idea because it would only restrict Lido. Recently, Coinbase’s Ethereum stake share increased from 8% to almost 14%.

In theory, the exchange’s market share could increase if they adopt Ethereum ETFs and allow providers to contribute assets collected under the funds to staking. This is especially true if most providers choose Coinbase as a custodian.

Experts expect Coinbase’s share to increase. By 2024, Lido Finance might control 40-50% of staking, while Coinbase may control 22%. This would mean these two services control over two-thirds of staking, which is a big worry.

Calls for sanctions at the protocol level were ignored. Among Ethereum developers, no one has yet dared to speak out about this issue. Lido Finance is discussing a decentralized DAO, but it is important to note that many large DAOs have failed to meet expectations. Funds hold significant influence and vote accordingly.

DAO has a future, but it is not possible to consider Lido Finance’s DAO decentralized and its decisions serious. They voted against the restrictions that would have conflicted with their material interests.

What is the solution to this situation? Distributed validator technology was discussed at The Staking Summit conference in Istanbul. The Rocket Pool team also mentioned the development of competition. Without a worthy competitor to Lido Finance, or a group of competitors, we can’t do anything?

The development of competition is crucial, although it may seem unrealistic at present. Lido Finance is strong in the market now. New protocols that create buzz only make their dominance stronger. For instance, Blast quickly gained a significant TVL. This added to Lido’s growing dominance.

Such projects will surely choose the market leader to attract users.

Absolutely. If Rocket Pool can choose, other protocols have no reputation, and nobody knows about them.

Binance used to dominate the market, but its share is now decreasing for obvious reasons. In the Ethereum community, people aren’t happy with Lido. In the Bitcoin community, there are worries about the mentioned pools.

People generally dislike monopolies in any industry, and ours is no different.

It is particularly relevant in security issues. For instance, Kyivstar controls approximately 50% of the market. Communication problems affect half of the country, including banks, ATMs, and terminals.

The situation with Lido is similar: even if they do not intend to act maliciously, imagine what would happen if Lido were to reach a 33% stake. It would be enough to hack Lido and stop the network.

We also analyze the number of validators required to collect 33% of the stake. For instance, in Solana, it takes 24 validators. If these validators conspire, they can halt the network. As far as I know, Coinbase has two validators on this list.

Let’s discuss transactional activity. I’ve heard that in some blockchains, bots are responsible for the majority of the activity. Have you observed this in HAPI?

In networks with low transaction costs, this is a common occurrence. It is difficult to analyze, but we suspect that this occurred in Near, Solana, Fantom, and Avalanche. When Sui saw a sudden rise in active users, it seemed suspicious because the ecosystem wasn’t well-developed.

We’ve seen cases where projects fake transactional activity to boost the user base, hinting at retrodrops. But many of these ‘users’ are multi-accounts.

In 2024, will there be stricter requirements for participating in airdrops?

Absolutely, at the expense of digital identity. For example, we are working on a HAPI ID to improve KYC-free identification. This will aid in detecting and preventing the creation of multiple accounts, as it will be challenging to maintain a high rating on several accounts. We are currently piloting this mechanism with various networks to achieve synergies in this area.

Do you have any advice for our readers?

The greed and carelessness of users make them vulnerable to scammers. It is important to note that many fake channels on Discord and Telegram offer participation in airdrops that require users to connect their wallets or provide permissions. These actions often lead to the loss of funds. It is crucial to be cautious and avoid such scams.

Always verify if the website is the original project site. To do this, you can use CoinMarketCap or CoinGecko. Additionally, there is a concern with Telegram bots where users either transfer their private key or generate a new one that is only visible once and is supposed to be importable. However, the bot code is typically closed and opaque.

Make sure to update apps and passwords often. Check app permissions for your wallet and revoke them if needed. Also, keep an eye on active sessions and turn on two-factor authentication. These steps are crucial. The Ledger example demonstrates that threats can impact all wallets and protocols due to malicious code embedded in one of the libraries for just two hours.
