Blockchain Security Series 8: Rosco Kalis (Founder @ Revoke cash)

Hosted by Pablo Sabbatella - pablito.eth (Blockchain Security Researcher)

Powered by Blockfence


Topics discussed:

- 00:01:30 - Your story. How you got into crypto and security.

- 00:03:30 - Bitcoin.com (Cashscript)

- 00:05:30 - Chaingrep: human readable transactions

- 00:07:50 - Revoke.cash

- 00:08:30 - Revoke browser extension

- 00:10:00 - Revoke.cash: how it started

- 00:15:20 - Step by step: how Revoke grew.

- 00:17:50 - Browser extension

- 00:22:10 - OpenSource, getting revenue.

- 00:28:35 - ERC20 allowances: what they are, how they work, unlimited allowances are a frontend issue?

- 00:32:15 - Approvals for NFTs (ERC 721)

- 00:34:10 - Source of most hacks? Users signing malicious transactions or protocols getting hacked?

- 00:38:20 - The process of exploiting a contract regarding allowances, why it takes time, black hats copying the original attacker.

- 00:44:20 - Phishing attacks

- 00:50:30 - Scammers using gasless transactions, signatures

- 00:54:25 - Revoking an off-chain approval

- 00:57:40 - Approval Hacks & Exploits Tool

- 00:59:55 - Wallet Health feature & ScamSniffer integration

- 01:04:00 - Conferences and hackathons: EthCC, Devcon, Trufflecon

- 01:06:40 - Becoming a target. Your personal OpSec and Revoke.cash.


Takeaways:

Rosco Kalis got interested in computers and programming in high school and later studied computer science in Amsterdam. He became fascinated with Ethereum and smart contracts during the 2017 crypto bull market. He created the Revoke browser extension as a side project to help users avoid scams and understand token approvals. The extension provides warnings for token approvals and listing NFTs for sale, which are common ways scammers steal money.

Revoke.cash is an open-source project, and Rosco believes in the importance of keeping security tools accessible even if he stops working on them.

The risks of browser extensions include malicious extensions and supply chain attacks. Rosco acknowledges the trade-off between convenience and security and hopes that wallets will integrate better security features in the future.

ERC-20 allowances are necessary for smart contracts to interact with a user's tokens. Unlimited allowances can be a front-end bug, but they offer convenience for frequent token swaps. NFTs have limitations in token approvals, making it challenging to give limited approvals for individual tokens.

The source of most hacks related to allowances and permits is phishing and scams. Users often unknowingly sign malicious transactions due to the complexity of understanding what they are signing. Protocol hacks are less common but can result in significant losses.

Old contracts and abandoned protocols can still pose risks, as attackers can exploit vulnerabilities and drain funds. The process of exploiting contracts with allowance issues is not immediate and can involve multiple attackers over time.

Revoke.cash is a valuable tool for managing and revoking token approvals to protect against hacks and scams. Exploiting token allowances is a common method used by attackers, who often target valuable assets and take advantage of token approvals.

Phishing attacks and impersonation of Revoke.cash are prevalent in the crypto space, and platforms like Twitter and Google need to improve their security measures to combat these scams.

User education and awareness are crucial in preventing hacks and scams, and users should regularly check and revoke their token approvals.

Attending conferences like EthCC and Devcon can provide valuable insights and networking opportunities for those interested in blockchain security.

Founders in the security space may become targets themselves, so it is important for them to prioritize personal security and stick to their area of expertise.


Sound Bites:

"I always try to open source everything I build."

"Hackers will just target the most valuable assets first."
