Consensys Diligence's Goncalo Sa on Blockchain Security and Ethical Hacking
Jul 25, 2022
“Software vulnerabilities exist in the fringe,” said Web3 hacker and Consensys Diligence co-founder Goncalo Sa. He was speaking to Orchid’s Derek Silva on this week’s episode of the Priv8 Podcast about the current state of blockchain security and the critical role that ethical hacking plays in it.
“This ‘fringe’ where vulnerabilities exist lies somewhere between specification and implementation. There's a gap between these two things. Vulnerabilities tend to show up here because this is the place where someone will think that a certain component is supposed to do X, but in reality, the implementation of that component fails by a small margin.”
Goncalo said that for this reason, these gaps are where he searches for potential vulnerabilities when he’s conducting software audits. “So when we begin looking for vulnerabilities, we start the process by mentally mapping everything in the codebase. To aid in this process, we create and use tools that help with this visualization.”
And beyond visualization tools, Goncalo said that his team also relies on tools that help to quickly classify different types of hacks and exploits. “Whenever there’s a hack, these tools help us to identify the class of attack. But right now, these tools are too opinionated. They only care about code-related bugs, and not, for example, about business logic bugs.”
Goncalo said that there is still more development that needs to happen for cybersecurity tools in Web3. “The security tooling infrastructure is still growing in the Web3 space. But at the same time, security is not about having the fanciest tools – it’s about making it easy for developers to implement the tools they have at hand. Because if they’re not easy to use, people are not going to use them, and systems are still going to be insecure.
“It’s so important to make it simple for developers to use these tools in all parts of the development lifecycle. This will hopefully make end-products a little bit safer. And we’re getting there.”