Blockchain Security Series 7: Mudit Gupta (Chief Security Officer @ Polygon)


Hosted by Pablo Sabbatella - pablito.eth (Head of Security Research @ Blockfence)


Topics discussed:

- 00:00:00 - How you got into crypto and security

- 00:05:00 - The projects you worked on and what you learned at each one (Polymath, etc)

- 00:09:00 - Differences and similarities between blockchain security in 2018 and now

- 00:11:45 - Blockchain security industry standards

- 00:15:50 - Exploiting web3 companies with web2 hacking techniques

- 00:19:00 - The Ronin bridge hack

- 00:24:30 - Do projects have good OpSec?

- 00:26:40 - How to start in blockchain security

- 00:31:00 - Developers and security tooling. The future of auditing: AI, automation?

- 00:35:00 - The future of formal verification

- 00:37:10 - Polygon PoS vs Polygon zk-EVM: their difference and what it means from a security perspective

- 00:40:30 - ZK vs Optimistic rollups security

- 00:43:00 - Polygon multisig

- 00:46:20 - Arbitrum Security Council

- 00:49:40 - Events: what are they? Should they be dropped?

- 00:53:32 - Multichain vs Crosschain. Is the future multichain?

- 00:56:47 - War rooms

- 01:01:30 - Security Alliance (SEAL) initiatives

- 01:05:00 - How to hack a DeFi protocol

- 01:08:00 - Easy tips that have the highest impact in security

- 01:09:40 - Conferences: Devcon, EthCC, EthGlobal


Summary: In this episode, Mudit Gupta, Chief Information Security Officer at Polygon, discusses his journey into blockchain security and the lessons he learned from his experiences. He emphasizes the importance of not relying solely on smart contract audits for security and highlights the need for a security mindset and deep technical knowledge. Mudit also discusses the current state of security in the blockchain industry, including the lack of operational security standards and the need for better tooling. He shares his thoughts on the future of automation and AI in code writing and auditing, as well as the potential for formal verifications to become more accessible to smaller protocols. Mudit also explains the differences between Polygon POS and Polygon ZK-EVM and their respective security guarantees. He shares his experience with war rooms and the importance of monitoring and bug bounties in maintaining security. Gupta also provides tips for securing blockchain projects, such as enabling 2FA and using hardware wallets. He mentions his favorite conferences, including DevCon and ETHGlobal Hackathons.

Takeaways:

- Don't rely solely on smart contract audits for security; other aspects like operational security are equally important.

- Develop a security mindset that allows you to think critically and identify potential vulnerabilities.

- Deep technical knowledge of the system you're securing is crucial, whether it's smart contracts, chain-level security, or cryptography.

- The blockchain industry still lacks operational security standards, and more focus is needed in this area.

- Current tooling for security in blockchain is limited, but advancements in automation and AI are expected in the future.

- Formal verifications offer a higher level of security but are currently complex, time-consuming, and expensive; making them more accessible to smaller protocols is a long-term goal.

- Formal verification is a security method that provides a guarantee of security, but it is dependent on the quality of rules or invariants written.

- Polygon POS is a hybrid L2 side chain that offers good security guarantees and low transaction costs, making it suitable for retail users and adoption.

- Polygon ZK-EVM is a true L2 ZK-based rollup that borrows security guarantees from Ethereum, making it more secure but more expensive to use.

- Monitoring and bug bounties are crucial for maintaining security in blockchain projects.

- Enabling 2FA and using hardware wallets are simple yet effective security measures for individuals working in the blockchain space.
