Riad Wahby is Co-Founder & CEO of Cubist.
Riad is a member of the Electrical and Computer Engineering faculty at Carnegie Mellon University. He is a leading academic researcher on zero-knowledge proofs and their applications, and is also responsible for the design and specification of several cryptographic protocols that form the basis for the security of Ethereum, Avalanche, and many other blockchains.
Riad was previously a cryptographic researcher at Algorand, and spent a decade as an analog and mixed-signal integrated circuit designer at Silicon Labs. Riad received his SB and MEng in Electrical Engineering and Computer Science from MIT, and his PhD in Computer Science at Stanford, where he was supported by a Ripple Fellowship. His work was recognized with a Distinguished Paper award at WOOT 2023.
[00:00:00] [SPEAKER_01]: Hello everybody and welcome to the Crypto Hipster podcast. This is your host Jamil Hasan, the Crypto Hipster, where I interview founders, entrepreneurs,
[00:00:08] [SPEAKER_01]: executives thought leaders you name it all over the world crypto and blockchain and today
[00:00:13] [SPEAKER_01]: Today I have an amazing guest Lisa. He has one heck of a pedigree
[00:00:18] [SPEAKER_01]: So really interested talking to him. He is the co-founder CEO of Cubist
[00:00:24] [SPEAKER_01]: His name is Riad Wahby. Riad, welcome to the show
[00:00:27] [SPEAKER_01]: Thanks for having me Jamil. I really appreciate it. You're very welcome
[00:00:32] [SPEAKER_01]: So let's kick things off. Let's ask you first about your background
[00:00:36] [SPEAKER_01]: What is your background and is it a logical background for what you're doing now?
[00:00:42] [SPEAKER_00]: That's a great question
[00:00:44] [SPEAKER_00]: I'm not sure is the is the short answer, but I'll let you decide
[00:00:48] [SPEAKER_00]: So actually I started out in something really completely different than blockchain or anything like this
[00:00:53] [SPEAKER_00]: I used to be an electrical engineer. I was a circuit designer. I was building chips for actually for like telephony and
[00:01:02] [SPEAKER_00]: Spent a long time doing that and then at some point
[00:01:05] [SPEAKER_00]: You know, I became friends with somebody who's sort of a computer science professor
[00:01:09] [SPEAKER_00]: He was at UT Austin at the time now he's at NYU. His name is Michael Walfish
[00:01:12] [SPEAKER_00]: He's a fantastic guy. Um, and he convinced me like quit your job in
[00:01:16] [SPEAKER_00]: Double-E and become a computer scientist and somehow that worked which is just completely I look back on it
[00:01:22] [SPEAKER_00]: I'm like, I don't know if I could ever do that to like tell somebody like, you know what?
[00:01:26] [SPEAKER_00]: You got a job, but who cares quit go will become a computer scientist. So I did and I
[00:01:33] [SPEAKER_00]: You know, I started working on you know, ZK proofs and I mean kind of before they were
[00:01:39] [SPEAKER_00]: Useful at all in the in the blockchain space. This was a little over ten years ago
[00:01:43] [SPEAKER_00]: Was working on you know, all kinds of like trying to make things more practical trying to you know figure out
[00:01:48] [SPEAKER_00]: where are we gonna use these things and
[00:01:51] [SPEAKER_00]: So then you know, eventually I became I was a grad student I was working with Dan Boneh at Stanford
[00:01:56] [SPEAKER_00]: He's kind of involved in everything web 3 related, of course, and so we worked on all kinds of interesting stuff
[00:02:01] [SPEAKER_00]: You know, we worked on
[00:02:03] [SPEAKER_00]: You know stuff like anonymous airdrops and roll-ups and you name it we
[00:02:09] [SPEAKER_00]: We helped write the the standard for the signature scheme that's now used in
[00:02:13] [SPEAKER_00]: In the Ethereum beacon chain, so we kind of did a little bit of everything
[00:02:17] [SPEAKER_00]: And then yeah at the end of grad school we we started to think
[00:02:21] [SPEAKER_00]: My co-founders and I started to think about how we take some of this research that we'd been doing. My co-founders, two of my co-founders,
[00:02:27] [SPEAKER_00]: Were actually also
[00:02:29] [SPEAKER_00]: PhD students at Stanford with me and we were thinking about like what do we do?
[00:02:33] [SPEAKER_00]: How do we bring some of this stuff to you know?
[00:02:35] [SPEAKER_00]: The rest of web 3 like working kind of down in the guts you help a little bit
[00:02:40] [SPEAKER_00]: But you know not quite as much as we wanted to right like we wanted to
[00:02:42] [SPEAKER_00]: Talk to teams and figure out what their pain points were and all of this
[00:02:46] [SPEAKER_00]: And we were fortunate to be joined by our fourth co-founder and who is our business mind
[00:02:50] [SPEAKER_00]: Who like actually sort of turned us from folks thinking about like weird technical problems?
[00:02:55] [SPEAKER_00]: That sounded like fun to folks thinking about weird technical problems that not only sounded like fun
[00:02:59] [SPEAKER_00]: But were actually useful to somebody so so thanks to him
[00:03:05] [SPEAKER_01]: Awesome. Awesome. Thank you
[00:03:08] [SPEAKER_01]: Hopefully she listens to this so
[00:03:12] [SPEAKER_01]: Cubist, what are you all about and what are the benefits of CubeSigner?
[00:03:18] [SPEAKER_00]: Yeah, so so Cubist, we build key management infrastructure. That's that's CubeSigner. And so the basically
[00:03:25] [SPEAKER_00]: Let me let me try and illustrate by way of a couple
[00:03:28] [SPEAKER_00]: Horror stories that we heard from from really early folks that we were talking to we heard from one person
[00:03:34] [SPEAKER_00]: You know when we were a small dev shop, you know, there were just two of us
[00:03:38] [SPEAKER_00]: We were sitting around, you know, maybe in the same room even and we had you know a few keys. It was fine
[00:03:42] [SPEAKER_00]: We had some Ledgers. It was okay
[00:03:44] [SPEAKER_00]: we could just kind of manage the keys for our for our you know, whatever it was for a DeFi app or whatever that
[00:03:49] [SPEAKER_00]: way and
[00:03:51] [SPEAKER_00]: then you know, we spread to more chains and we had more developers and
[00:03:55] [SPEAKER_00]: eventually there was just one person who had a laptop and all the keys were on that laptop and
[00:04:01] [SPEAKER_00]: I mean literally somebody told us like we were afraid that this person was getting hit by a bus which I mean
[00:04:06] [SPEAKER_00]: Makes sense. We had another person who was the laptop person and they left the company and only six months later realized
[00:04:13] [SPEAKER_00]: They still had all the keys. So it's like oh my god. This is this is a disaster, right?
[00:04:17] [SPEAKER_00]: so so we started to think about this like how do you do this systematically? How do you make sure that
[00:04:23] [SPEAKER_00]: You know the right people have access to the keys that you know
[00:04:26] [SPEAKER_00]: You're generating the keys in a secure way that they're being stored securely
[00:04:29] [SPEAKER_00]: That that you have sort of all kinds of like disaster recovery
[00:04:33] [SPEAKER_00]: That that you have API access to your keys that you can actually program against them and then on top of that
[00:04:39] [SPEAKER_00]: You know super high speed great performance
[00:04:43] [SPEAKER_00]: And the ability to do things like set a policy on a key
[00:04:46] [SPEAKER_00]: Like, you know, I know that this key is only being used for a particular trading stat strategy
[00:04:50] [SPEAKER_00]: So if somebody tries to make a trade that looks like it's pretty far outside that trading strategy
[00:04:54] [SPEAKER_00]: I want something to just say no like I don't want it to be able to right
[00:04:58] [SPEAKER_00]: I don't want somebody to just like oh, you know my trading strategy is give all the money to hackers
[00:05:02] [SPEAKER_00]: Okay, so you want to avoid that sort of thing? So this is really what CubeSigner is all about
[00:05:06] [SPEAKER_00]: It's a system that lets you do all of these things. All the keys are stored inside of secure hardware
[00:05:10] [SPEAKER_00]: There's this policy engine that gives you this rich ability to this ability to express these rich policies
[00:05:17] [SPEAKER_00]: And everything is sort of API
[00:05:19] [SPEAKER_00]: Programmatic so anything you could do with the system you could do through the API
[00:05:23] [SPEAKER_00]: And and you know, this gives you like all these kind of interesting powers. I have a horror story
[00:05:31] [SPEAKER_01]: I haven't shared it yet on the podcast, but maybe maybe this is a good opportunity to do that. Yeah share. I'm listening
[00:05:36] [SPEAKER_01]: I'm here for you. I had a wallet. I had it for eight years. That's seven years since 2017
[00:05:42] [SPEAKER_01]: I used it worked all the time. It's perfect that you know
[00:05:45] [SPEAKER_01]: Stored some cryptos in there and then recently I was note that they're one of the cryptos is being merged
[00:05:50] [SPEAKER_01]: So I said, okay, this is a good time for me to get it out and sell
[00:05:53] [SPEAKER_01]: so I put some Ethereum which I never held a theory minute because you can't be done how many theorem people can't send a
[00:05:59] [SPEAKER_01]: Pocons I put some Ethereum it and I said, okay
[00:06:02] [SPEAKER_01]: I tried it I went to the app store and Google and Apple had deleted the app and
[00:06:08] [SPEAKER_01]: Then I just I bought a I bought a what do you call it? The the the Samsung
[00:06:15] [SPEAKER_01]: And said, okay, maybe I try to get in that way and that app was gone
[00:06:18] [SPEAKER_01]: And then I went to the place said okay
[00:06:20] [SPEAKER_01]: My money's frozen so I thought a police report and it got and the cop was like
[00:06:23] [SPEAKER_01]: I go no this this site is the original site. It's called edu and
[00:06:27] [SPEAKER_01]: No, this is like edu wallet here put your keys in there. So don't kill me first try to create a wallet
[00:06:32] [SPEAKER_01]: So I took it and try to create other walls from different apps and it didn't recognize the seed phrase
[00:06:38] [SPEAKER_01]: So the seed phrase always worked now doesn't work. I put it in the edu-wallet site and the next minute
[00:06:44] [SPEAKER_01]: I can't get in but the next few minutes later all my crypto was sent out. So, you know
[00:06:50] [SPEAKER_01]: Total market value 12,000 total cost basis 40,000. It's gonna be a good tax number for my future
[00:06:56] [SPEAKER_01]: But you know, how do you how do you stop things like that?
[00:07:00] [SPEAKER_01]: Like, you know, I thought it was decentralized all along and it was centralized all along, you know, how can you
[00:07:07] [SPEAKER_01]: This still a problem. How can you how can you help other people with that problem where they might think is decentralized
[00:07:12] [SPEAKER_00]: But it's not really yeah, absolutely. This is this is a great question
[00:07:15] [SPEAKER_00]: I mean, this is like that's a that's a good one if it's okay with you. I'm gonna remember that one and maybe
[00:07:22] [SPEAKER_00]: Tell it anonymized to some folks
[00:07:24] [SPEAKER_00]: but no, this is this is exactly the kind of thing that you tend to see right because like
[00:07:28] [SPEAKER_00]: fundamentally like your access to the chain is
[00:07:31] [SPEAKER_00]: Mediated by your like these these keys, right? You have you have some signing keys
[00:07:35] [SPEAKER_00]: You have your wallet and if that's gone your your access is gone, right?
[00:07:39] [SPEAKER_00]: Your your funds are gone. And obviously that creates this huge incentive for people to try and
[00:07:47] [SPEAKER_00]: You know scam their way into into your wallet and this is what you've just described sounds like kind of the classic example of
[00:07:54] [SPEAKER_00]: you know, you know, you're you're you were using this piece of software probably the the the folks who who were
[00:08:00] [SPEAKER_00]: You know running that app like I don't know they they ran out of money and they gave up and then like
[00:08:06] [SPEAKER_00]: their domain went away and
[00:08:08] [SPEAKER_00]: Next thing, you know, somebody somebody buys it up makes it look pretty and now they're just like collecting money
[00:08:13] [SPEAKER_00]: Yeah, absolutely this kind of thing happens all the time
[00:08:15] [SPEAKER_00]: And so I think the the really important thing for for people is it like to be able to use
[00:08:21] [SPEAKER_00]: crypto is to be able to like give them something that's as reliable and as naturally used as
[00:08:27] [SPEAKER_00]: You know Gmail or whatever right? Like you have a Gmail account you log into the Gmail account
[00:08:31] [SPEAKER_00]: Like if you forget about it, okay fine
[00:08:33] [SPEAKER_00]: Maybe in 18 months Google sends you an email saying hey if you don't log in we're gonna delete it
[00:08:36] [SPEAKER_00]: But like you log in it's like everything's still there everything you remember it right? So like we need these these kind of
[00:08:42] [SPEAKER_00]: These kind of facilities for people. I mean look, of course the other way to go is, you know
[00:08:47] [SPEAKER_00]: You put your seed phrase on a metal plate and bury it in your backyard
[00:08:51] [SPEAKER_00]: But that's only good for you know, 1% at best of the space. That's not that's not everyday people
[00:08:56] [SPEAKER_00]: My dad's not gonna do that. Right? I mean he'd make fun of me for doing it
[00:08:59] [SPEAKER_00]: so
[00:09:01] [SPEAKER_00]: So I think like getting like bridging this gap is all about like bringing
[00:09:06] [SPEAKER_00]: Like bringing the the functionality to the users like where they are
[00:09:10] [SPEAKER_00]: And like helping them to like interact with the computer in the same way that they always did but now they get
[00:09:15] [SPEAKER_00]: These extra powers like oh good. You can interact with web 3
[00:09:18] [SPEAKER_00]: You don't have to be this sort of bleeding-edge diehard. You don't have to like learn
[00:09:22] [SPEAKER_00]: You know 10 pages of terminology and like pore through
[00:09:25] [SPEAKER_00]: Forums and whatever just to sort of get started which I think kind of is where we still are unfortunately
[00:09:33] [SPEAKER_01]: Yeah, that's sort of happened if it can happen to me
[00:09:35] [SPEAKER_01]: It can happen to many many many people, you know
[00:09:39] [SPEAKER_01]: So I wanted to find out, you know your outlook on blockchain security, you know
[00:09:43] [SPEAKER_01]: Why is it important and what are the more critically important recent enhancements?
[00:09:48] [SPEAKER_00]: So I think there are a bunch yeah, there's a bunch of really interesting stuff going on
[00:09:53] [SPEAKER_00]: Um, so one one that we've seen that's like kind of huge
[00:09:57] [SPEAKER_00]: Um is this okay. This is slightly older now
[00:10:00] [SPEAKER_00]: But to me this is a great example of exactly the kind of thing and it's very related to to uh, you know
[00:10:05] [SPEAKER_00]: To your story
[00:10:06] [SPEAKER_00]: There's this notion in in computer security generally of supply chain security, right?
[00:10:12] [SPEAKER_00]: And and the supply chain here could mean physical goods being delivered
[00:10:15] [SPEAKER_00]: But it could also mean the software that you're using right?
[00:10:18] [SPEAKER_00]: Like when you start to when you start up an application it relies on some remote server
[00:10:22] [SPEAKER_00]: That application is built from a bunch of libraries that other people have written perhaps, you know in an open source
[00:10:29] [SPEAKER_00]: um
[00:10:30] [SPEAKER_00]: case for example, um
[00:10:32] [SPEAKER_00]: And so all of those are opportunities for something something to go wrong, right?
[00:10:37] [SPEAKER_00]: And so in in the case that you're describing
[00:10:39] [SPEAKER_00]: Basically your supply chain included this this wallet's website, which okay it was compromised
[00:10:45] [SPEAKER_00]: Um, but we've seen other interesting examples of this. So there was a supply a software supply chain
[00:10:51] [SPEAKER_00]: Uh vulnerability that actually affected like last year
[00:10:55] [SPEAKER_00]: I think that affected Ledger users where you know, they they
[00:10:59] [SPEAKER_00]: Okay, my my recollection is dim here
[00:11:01] [SPEAKER_00]: But my recollection is that basically there was a sort of a bad update to the app that got pushed
[00:11:05] [SPEAKER_00]: Or or maybe it was like a connector library that people I think it was a connector library that people were using
[00:11:10] [SPEAKER_00]: To like use their Ledger through a website or something like this
[00:11:13] [SPEAKER_00]: Um worth double checking me but roughly that the story's the same, you know regardless of the details
[00:11:18] [SPEAKER_00]: But the point is there was just this like tiny little piece of software that you know, you need it for functionality
[00:11:24] [SPEAKER_00]: but if somebody
[00:11:26] [SPEAKER_00]: Modifies it now suddenly
[00:11:27] [SPEAKER_00]: Uh, you know all bets are off and people actually have their wallets drained because of this right? So
[00:11:32] [SPEAKER_00]: You know it there's there's a bunch of pieces and and you know
[00:11:36] [SPEAKER_00]: Any of these things can be the weak link, right?
[00:11:38] [SPEAKER_00]: You've got your Ledger or you've got you know, your your virtual private HSM in the cloud
[00:11:42] [SPEAKER_00]: Which is the way we think about CubeSigner and you know, that is like this very very strong guarantee
[00:11:47] [SPEAKER_00]: Of you know, your keys are safe
[00:11:50] [SPEAKER_00]: And then you have to make sure on top of that that whatever software you're using to connect to it
[00:11:54] [SPEAKER_00]: That's that's also secure you have to make sure that you know
[00:11:58] [SPEAKER_00]: If somebody installs malware on your computer, maybe they can drain it, right?
[00:12:01] [SPEAKER_00]: So to me like as an end user of this space like
[00:12:05] [SPEAKER_00]: Even understanding what the software supply chains look like is already this huge really difficult task
[00:12:13] [SPEAKER_00]: Right. And so to me that's like from a consumer perspective. That's
[00:12:17] [SPEAKER_00]: Number one is like how am I how can I keep myself safe?
[00:12:21] [SPEAKER_00]: How do I like have the same level of trust in the you know, the applications that I'm using as I do in
[00:12:28] [SPEAKER_00]: You know Gmail or whatever right because I think if you look at it if you look at sort of normal people day to day
[00:12:33] [SPEAKER_00]: Not sort of crypto diehards
[00:12:36] [SPEAKER_00]: If you think about it like their their Gmail account is like sort of the keys to the kingdom, right?
[00:12:41] [SPEAKER_00]: Like you can reset all the passwords you can get access to the banks whatever, right?
[00:12:45] [SPEAKER_00]: So so everyone has that already but the interesting thing here is Google has done an extremely good job
[00:12:50] [SPEAKER_00]: Of locking these things down of detecting when something is going wrong, right?
[00:12:55] [SPEAKER_00]: So there's all this kind of infrastructure that's basically invisible, right?
[00:12:59] [SPEAKER_00]: That's happening behind the scenes. I don't see it normally unless you know
[00:13:03] [SPEAKER_00]: Maybe I try to log into my Gmail account from a different country and I get a text saying hey
[00:13:07] [SPEAKER_00]: Did you try to do this? Right? So so there it's like oh somebody really is watching right?
[00:13:11] [SPEAKER_00]: Um, but that kind of protection I think is basically where we need to get
[00:13:15] [SPEAKER_00]: And so this is actually one of the things that we're really thinking about hard with CubeSigner is like
[00:13:19] [SPEAKER_00]: How do we bring you that same level of protection?
[00:13:23] [SPEAKER_00]: And so um one of the you know, one of the folks that we're working with really closely is is Ava Labs
[00:13:27] [SPEAKER_00]: Um, we are CubeSigner is actually the the infrastructure behind the Avalanche Core wallet
[00:13:32] [SPEAKER_00]: So if you you know download Core wallet and you say, you know login with Google basically
[00:13:37] [SPEAKER_00]: That's making you this virtual private HSM. It lives in the cloud. You can access it from any of your devices
[00:13:42] [SPEAKER_00]: You don't have to worry about things like manually copying around your your your pass phrase or sorry your your seed phrase or whatever
[00:13:48] [SPEAKER_00]: But if you decide later, hey, I want to go use a different system
[00:13:51] [SPEAKER_00]: I want to use a Ledger or whatever sure you can get the path that you can get that seed phrase out
[00:13:55] [SPEAKER_00]: You can use it in in your Ledger. You don't have to use our system at all, right?
[00:13:59] [SPEAKER_00]: So we're not here to trap you
[00:14:00] [SPEAKER_00]: We're just here to help you
[00:14:01] [SPEAKER_00]: um
[00:14:01] [SPEAKER_00]: And you get basically these same kinds of protections because you're actually literally logging in using the Google flow
[00:14:07] [SPEAKER_00]: Which means when Google notices something seems odd here
[00:14:11] [SPEAKER_00]: Then you're going to get an alert or you're going to you know
[00:14:13] [SPEAKER_00]: Or they're going to say no or whatever and then on top of that you can add things like
[00:14:17] [SPEAKER_00]: You know if you've got a YubiKey or you've got, you know, Google Authenticator on your phone or whatever it is
[00:14:21] [SPEAKER_00]: You can actually add that on top to sort of give yourself additional protection
[00:14:25] [SPEAKER_00]: so I I think in this way we're really trying to
[00:14:29] [SPEAKER_00]: sort of raise the floor of protection for everyone and
[00:14:33] [SPEAKER_00]: Simultaneously to give people the ability to protect themselves even more right because you know if I'm if I'm just a gamer
[00:14:39] [SPEAKER_00]: I'm just you know
[00:14:40] [SPEAKER_00]: I've got like five bucks worth of worth of crypto in a game like
[00:14:43] [SPEAKER_00]: Okay, it probably doesn't make sense for me to have like, you know
[00:14:47] [SPEAKER_00]: 10 hardware tokens and like a 30 minute timeout before I can do anything because it's like, okay fine
[00:14:51] [SPEAKER_00]: Then I can't play my game. I've just like ruined my day, right?
[00:14:54] [SPEAKER_00]: But if I'm like really trying to transfer serious value, it makes sense to have that available
[00:15:00] [SPEAKER_01]: It sure does it makes a lot of sense to me, you know
[00:15:04] [SPEAKER_01]: So in addition to my story there have been a few measure a few events, right that have led up
[00:15:10] [SPEAKER_01]: To the increase web3 security measures compared a few years ago, right?
[00:15:16] [SPEAKER_01]: I'm thinking the first event was FTX
[00:15:18] [SPEAKER_01]: Right. Um, and then there were others like you mentioned
[00:15:21] [SPEAKER_01]: Uh Ledger, right? What were some of the key events?
[00:15:25] [SPEAKER_01]: You know that led up to the security measures
[00:15:27] [SPEAKER_00]: So I think one that we've seen is
[00:15:30] [SPEAKER_00]: one like trend that we've seen is
[00:15:35] [SPEAKER_00]: That I'd say look we can we can kind of separate these into two categories
[00:15:38] [SPEAKER_00]: One is like kind of squarely computer security
[00:15:41] [SPEAKER_00]: Like did somebody break into my machine effectively and steal my stuff, right?
[00:15:46] [SPEAKER_00]: And the other one is is kind of like how do I know who I'm dealing with like it could be that like I'm I'm
[00:15:52] [SPEAKER_00]: No one's stealing my keys. No one's stealing my tokens, but the tokens are themselves a scam, right?
[00:15:57] [SPEAKER_00]: Like so that one kind of tends to sound more like the FTX situation
[00:16:00] [SPEAKER_00]: And I think these actually end up being kind of a little bit different in how we deal with them, right?
[00:16:05] [SPEAKER_00]: So like rugs and stuff like this
[00:16:07] [SPEAKER_00]: I mean fundamentally in in the sort of decentralized web3 universe
[00:16:13] [SPEAKER_00]: The the best we have really is sort of reputation, right? If I know that somebody is
[00:16:20] [SPEAKER_00]: You know is is has a good reputation if I can make sure that you know, they're they're interacting with uh safe
[00:16:27] [SPEAKER_00]: Tokens or you know, whatever it is like that gives me a higher level of assurance, right?
[00:16:32] [SPEAKER_00]: And by the way, it's not perfect of course because like FTX had a great reputation, right?
[00:16:35] [SPEAKER_00]: So so it's always possible for good people to turn bad or for bad people to you know
[00:16:40] [SPEAKER_00]: Have have been hiding out in in good clothes for a long time
[00:16:42] [SPEAKER_00]: um, so but that sort of thing I I mean
[00:16:45] [SPEAKER_00]: There's not a lot of technical measures to take there other than making sure that people have access to that information
[00:16:53] [SPEAKER_00]: So you can think about this as building up like an information infrastructure where I it should be easy
[00:16:58] [SPEAKER_00]: For a new person in the space to come in and just figure out like you know what this token is probably a scam
[00:17:04] [SPEAKER_00]: This token is not because like the last thing we want is new retail user comes in
[00:17:09] [SPEAKER_00]: First experience that they have is I got scammed for you know, 100 bucks, right?
[00:17:15] [SPEAKER_00]: And it's like okay
[00:17:15] [SPEAKER_00]: For a lot of people that hundred bucks isn't going to be make or break for some people it will be but
[00:17:21] [SPEAKER_00]: For a lot of people like okay, they risked 100 bucks
[00:17:23] [SPEAKER_00]: They lost 100 bucks, but it leaves a sour taste in their mouth, right?
[00:17:25] [SPEAKER_00]: And that's a person that's going to be resistant next time
[00:17:27] [SPEAKER_00]: That's a person that's sort of hurting the goal of like actually getting real web3 adoption now
[00:17:32] [SPEAKER_00]: So so I think kind of thinking through this information infrastructure to help people
[00:17:37] [SPEAKER_00]: Figure out what's good
[00:17:39] [SPEAKER_00]: Uh, or at least figure out what's bad
[00:17:41] [SPEAKER_00]: Is is is really really important and then on the other side
[00:17:45] [SPEAKER_00]: I think we've seen a lot of sort of ad hoc computer security measures that you know kind of worked for a while
[00:17:52] [SPEAKER_00]: But you know the the adversary nowadays is very powerful, right?
[00:17:57] [SPEAKER_00]: Like who is it that's actually trying to steal crypto in bulk?
[00:18:00] [SPEAKER_00]: Well, what we know is that you know
[00:18:02] [SPEAKER_00]: There are a bunch of governments that are trying to do this because that's how they you know fund whatever illegal weapons programs, right?
[00:18:07] [SPEAKER_00]: and
[00:18:09] [SPEAKER_00]: Well, that's
[00:18:09] [SPEAKER_00]: That's a serious adversary, right? They have government level
[00:18:13] [SPEAKER_00]: Resources to throw at stealing stuff, right?
[00:18:16] [SPEAKER_00]: And probably they're not going to like break into my wallet and steal 100 bucks
[00:18:19] [SPEAKER_00]: But but they're certainly going to try and like take over a bridge and steal, you know
[00:18:23] [SPEAKER_00]: A half a billion dollars, right?
[00:18:24] [SPEAKER_00]: So that's the sort of thing where like really understanding like this is actually the risk profile that we face in web 3
[00:18:32] [SPEAKER_00]: Is government level adversaries trying to steal money on grand scale and like what do we do against that?
[00:18:37] [SPEAKER_00]: so I think we've seen in the past some
[00:18:41] [SPEAKER_00]: You know some
[00:18:42] [SPEAKER_00]: Kinds of security measures that are, were already known to be antiquated but but were kind of good enough, right?
[00:18:48] [SPEAKER_00]: So like a classic example of this. I think you know last year
[00:18:52] [SPEAKER_00]: Or yeah, I think last year there was you know
[00:18:55] [SPEAKER_00]: There was a bunch of folks who were using friend.tech got their wallets drained and it turned out to be a classic thing
[00:19:00] [SPEAKER_00]: right it turned out to be
[00:19:03] [SPEAKER_00]: the
[00:19:04] [SPEAKER_00]: um
[00:19:04] [SPEAKER_00]: You know that like SMS resets like somebody basically hijacks your SIM
[00:19:08] [SPEAKER_00]: And then like they're able to receive SMSes and the SMS was being used for authentication
[00:19:12] [SPEAKER_00]: Well, I mean don't use that never ever ever use that right?
[00:19:16] [SPEAKER_00]: And so I think you know what ended up happening was well, you know friend.tech's uh, wallet provider
[00:19:22] [SPEAKER_00]: Had that as kind of the best option, uh, and so that's what friend.tech went with and so that's what happened to their users
[00:19:28] [SPEAKER_00]: Right, and I think there's a couple different things that happen there. One is this was a case where
[00:19:34] [SPEAKER_00]: You know as usual you have to make a decision between you know, am I going to give my users?
[00:19:39] [SPEAKER_00]: um, you know a really nice UX or am I going to kind of
[00:19:43] [SPEAKER_00]: Bug them and be a pain to get them to use better security
[00:19:46] [SPEAKER_00]: And I think a lot of folks really think that that's kind of this iron trade-off right that you can't get both
[00:19:51] [SPEAKER_00]: um, and I think unfortunately what we see is that with a lot of uh, like wallet providers
[00:19:57] [SPEAKER_00]: That's kind of true, right? So like as I said like a friend.tech's wallet provider
[00:20:02] [SPEAKER_00]: um, and by the way
[00:20:04] [SPEAKER_00]: I I actually I'm good friends with Henry at Privy. I like him a lot
[00:20:08] [SPEAKER_00]: We actually we were at Stanford at the same time. I know him really well
[00:20:11] [SPEAKER_00]: He's a super sharp guy. I like I love him a lot
[00:20:13] [SPEAKER_00]: um, but I think this was this was you know, this was kind of an unfortunate thing where um
[00:20:18] [SPEAKER_00]: the
[00:20:19] [SPEAKER_00]: You know, this was the best option and so this is what the customer went with and so the result was that people lost money
[00:20:24] [SPEAKER_00]: um, and I think as like providers of this kind of service like we have an obligation to
[00:20:31] [SPEAKER_00]: Not only like encourage our customers to use the right tech to use the right approaches
[00:20:36] [SPEAKER_00]: But also we have an obligation to make the user experience when you do so good because if we don't
[00:20:42] [SPEAKER_00]: Again, this is like person comes in the door person turns around and leaves again because they end you know
[00:20:47] [SPEAKER_00]: They come into the crypto space they see oh, this is a pain. I got to write down 24 words
[00:20:51] [SPEAKER_00]: I need to go buy a YubiKey or a Ledger like suddenly like this this isn't for me
[00:20:56] [SPEAKER_00]: I'm gonna I'm gonna go do something else right? They'll go back to I don't know sports betting or something, right? So, um
[00:21:02] [SPEAKER_00]: Seriously, right? You know, I think a lot of people use them equivalently. Um, so
[00:21:06] [SPEAKER_00]: To me this is like in both cases. We need like we need to start from the user start from
[00:21:12] [SPEAKER_00]: What is it that you know, my dad would see if he were you know trying to invest in in you know
[00:21:18] [SPEAKER_00]: A new meme coin, right? And how would he figure out? This is a good one
[00:21:23] [SPEAKER_00]: How would he like protect his login identity like all of these things like once we can start actually like giving serious answers
[00:21:31] [SPEAKER_00]: To those questions when we can look at with a straight face at one another and say, you know
[00:21:34] [SPEAKER_00]: We're actually doing a pretty good job. We're really trying to get the users
[00:21:37] [SPEAKER_00]: Uh, like empowered here. I think that's when we can say like, okay
[00:21:40] [SPEAKER_00]: We're doing pretty well in terms of security, you know, um
[00:21:47] [SPEAKER_01]: Yeah, I won't even touch meme coins
[00:21:51] [SPEAKER_01]: You know, um
[00:21:53] [SPEAKER_01]: No, now I'm now I'm just like let me hold some basic blue chippers and uh wait, you know
[00:21:59] um
[00:22:00] [SPEAKER_01]: so yeah, but there there is
[00:22:03] [SPEAKER_01]: There's other thing out there people use, you know, it's called staking
[00:22:06] [SPEAKER_01]: You know, um, so I want to find out, you know the current state
[00:22:12] [SPEAKER_01]: Of staking, you know, and how is the Secure Staking Alliance?
[00:22:19] [SPEAKER_01]: Further enhancing this infrastructure including what's your level of work with and partnership collaboration with them
[00:22:26] [SPEAKER_00]: Yeah, absolutely. So, um, yeah, so I I think staking is like fascinating for a bunch of different reasons
[00:22:32] [SPEAKER_00]: Like on a technological level it's I mean first of all, it's like mind-blowing that Ethereum managed to switch itself over right?
[00:22:40] [SPEAKER_00]: And we're still like two years out. It's still like oh my gosh. That's amazing. That's like such a technical feat
[00:22:45] [SPEAKER_00]: Um, and people will be looking back at that in 50 years and saying like that's that's a seriously impressive technical feat
[00:22:51] um
[00:22:51] [SPEAKER_00]: But but I think beyond that like I think there are a lot of interesting opportunities here to think about
[00:22:58] [SPEAKER_00]: What does the information infrastructure look like for people who want to stake?
[00:23:01] [SPEAKER_00]: Um, so if you think about uh, like let's just take Ethereum staking, uh, and there's plenty of other things that one can stake
[00:23:08] [SPEAKER_00]: But as a starting point, right?
[00:23:10] [SPEAKER_00]: So if I stake with you know with one of the one of the big providers or if I go with a liquid staking token
[00:23:16] [SPEAKER_00]: Uh, whatever it is. Um, you know the the
[00:23:20] [SPEAKER_00]: The notion like the the sales pitch is this is essentially risk-free, right? This is essentially risk-free
[00:23:26] [SPEAKER_00]: Is that true? Well
[00:23:29] [SPEAKER_00]: I mean historically it's been relative. It's been very low risk compared to everything else in the space
[00:23:34] [SPEAKER_00]: Yes, absolutely amazingly low risk, but there are actually real technical risks associated with staking
[00:23:40] [SPEAKER_00]: Um, so even just in the case of Ethereum staking
[00:23:44] [SPEAKER_00]: If we look back at the history of slashings on Ethereum
[00:23:46] [SPEAKER_00]: There haven't been very many slashings on mainnet like by total value staked tiny tiny tiny fraction, which is great
[00:23:53] [SPEAKER_00]: but
[00:23:54] [SPEAKER_00]: There there is always this this question like okay
[00:23:57] [SPEAKER_00]: What is the actual like danger level of uh, like of slashing for a for a given protocol, right?
[00:24:04] [SPEAKER_00]: Like if I if I decide I'm gonna deposit into Lido I'm basically taking on whatever technical risk Lido has
[00:24:10] [SPEAKER_00]: Um because if if a bad enough thing happens and Lido gets like super duper slashed
[00:24:15] [SPEAKER_00]: Well, okay fine Lido is so big that if they get super duper slashed the whole chain's in trouble. But but
[00:24:21] [SPEAKER_00]: I'm thinking about myself here
[00:24:22] [SPEAKER_00]: Like if if if they get super duper slashed then like now that I mean it turns out it wasn't so low risk for me after all
[00:24:29] [SPEAKER_00]: Right. And so if we look back at the history of like how they're operating
[00:24:32] [SPEAKER_00]: Well, they do a really good job
[00:24:33] [SPEAKER_00]: Actually, like they're very careful about making sure that they have a variety of different providers that those providers are taking very different approaches to things
[00:24:40] [SPEAKER_00]: You know, we've talked deeply extensively with those folks. They know what they're doing there. They're really sharp
[00:24:44] [SPEAKER_00]: um, and but still even there we've seen cases where
[00:24:48] [SPEAKER_00]: Things have gone a little bit wrong and only a little bit which is good
[00:24:51] [SPEAKER_00]: But just it's enough to show like okay things could go more wrong maybe so we've seen folks
[00:24:56] [SPEAKER_00]: You know, there's been like I don't know like a data center migration that went wrong
[00:25:00] [SPEAKER_00]: And a few hundred validators got slashed or there was one scary case where nobody got slashed
[00:25:05] [SPEAKER_00]: But it turned out that one of the operators was sort of accidentally exposing all their secret key material on the internet for a few months
[00:25:11] [SPEAKER_00]: And fortunately nobody as far as we can tell nobody stole it and Lido made them exit the validators and no no money was lost
[00:25:17] [SPEAKER_00]: Great
[00:25:17] [SPEAKER_00]: But this is the sort of thing that like
[00:25:20] [SPEAKER_00]: There but for the grace of god, right? Like just a little bit differently and things things could have been like 10,000 validators getting slashed is no joke
[00:25:26] [SPEAKER_00]: Right. So, um, so so this is the sort of thing where we like taking a step back. Like how do we think about
[00:25:34] [SPEAKER_00]: Improving the overall level of security
[00:25:36] [SPEAKER_00]: So that means on the one hand things like just telling like helping people to to learn about different providers and their level of competence
[00:25:44] [SPEAKER_00]: And like the level of care that they put in because there is a danger of course of like a race to the bottom, right?
[00:25:48] [SPEAKER_00]: That the bad thing is like you get great yield from this from this provider
[00:25:52] [SPEAKER_00]: But also they're taking a huge risk and like um, and and the difference in yield probably wasn't worth it
[00:25:57] [SPEAKER_00]: Um, so and then on the other hand like how do we help providers to do better?
[00:26:02] [SPEAKER_00]: Like how do we help providers to do a better job of uh, you know of setting up their infrastructure of you know
[00:26:09] [SPEAKER_00]: Of like running the machines of being safe being secure
[00:26:13] [SPEAKER_00]: And so that's really what Secure Staking Alliance is about it's about getting a bunch of different
[00:26:17] [SPEAKER_00]: People in the same room. So we've got folks who are, you know doing security audits. We've got folks who sell insurance
[00:26:24] [SPEAKER_00]: We've got folks who run, uh, you know big validator protocols
[00:26:27] [SPEAKER_00]: We've got folks who are you know working, uh, you know with EigenLayer and building AVSs we've got you know folks like us
[00:26:33] [SPEAKER_00]: Who are building infrastructure?
[00:26:35] [SPEAKER_00]: Um, and all of these people sort of in the same room kind of having a conversation about what should best practices look like
[00:26:42] [SPEAKER_00]: What are you doing that I'm not doing? How can I like start to be, you know better about these sorts of things, right?
[00:26:47] [SPEAKER_00]: So that to me is like how do we like basically push the industry forward and I think on the on the sort of on the provider side
[00:26:54] [SPEAKER_00]: That's you know, this sort of loose consortium of you know minds in a room
[00:26:59] [SPEAKER_00]: I think that's kind of the right way to go because the alternative as far as I can tell is some kind of
[00:27:03] [SPEAKER_00]: You know heavy-handed governance structure and I think we don't want that like we we want the decentralized world, right?
[00:27:08] [SPEAKER_00]: So so getting people to kind of agree to this to do it
[00:27:12] [SPEAKER_00]: Voluntarily voluntarily is super important and then on the other side like providing that information to people like, you know
[00:27:18] [SPEAKER_00]: This provider is actually following these guidelines that you know
[00:27:22] [SPEAKER_00]: A bunch of people have signed off on as being sort of a good idea
[00:27:26] [SPEAKER_00]: And or maybe this other provider is not following these guidelines, right?
[00:27:30] [SPEAKER_00]: Getting that kind of information to the the end user the person who's actually making the decision to push the button and send the money
[00:27:37] [SPEAKER_00]: That that's super super super important
[00:27:39] [SPEAKER_00]: And then I think the other thing that we can do here and I promise I know I'm being long-winded
[00:27:43] [SPEAKER_00]: But I promise I hope that this is interesting
[00:27:45] [SPEAKER_00]: The other thing that we can do is actually come up with new technical measures that reduce risk
[00:27:49] [SPEAKER_00]: So with with CubeSigner actually our very first
[00:27:53] [SPEAKER_00]: customers were
[00:27:54] [SPEAKER_00]: Ethereum, were running Ethereum LSTs
[00:27:57] [SPEAKER_00]: We've got you know few Ethereum LSTs that use our service
[00:28:01] [SPEAKER_00]: Still to like basically to to manage all the keys all the validator keys
[00:28:05] [SPEAKER_00]: Um, and I think the big reason that that they love this service for that is
[00:28:11] [SPEAKER_00]: You remember I talked about this this policy layer that lets you say, you know
[00:28:14] [SPEAKER_00]: This key can only be used in a certain way
[00:28:16] [SPEAKER_00]: Well, the policy layer is actually powerful enough to express the Ethereum slashing condition
[00:28:21] [SPEAKER_00]: So basically the key you can think about it this way
[00:28:24] [SPEAKER_00]: The key basically remembers everything that it's ever signed
[00:28:26] [SPEAKER_00]: And if you ask it to sign something that would be slashable it says no
[00:28:30] [SPEAKER_00]: No, that one's slashable. I'm not gonna I'm not gonna do that and it tells you like this
[00:28:34] [SPEAKER_00]: This is slashable for this reason
[00:28:35] [SPEAKER_00]: um
[00:28:36] [SPEAKER_00]: And so the interesting thing about that is now you actually reduce the the probability that you make mistakes, right?
[00:28:42] [SPEAKER_00]: So like even if you mess up your infrastructure
[00:28:44] [SPEAKER_00]: Even if somebody gets into your infrastructure who's like malicious and is trying to slash you intentionally
[00:28:49] [SPEAKER_00]: You can't turn off that policy. You can't bypass it
[00:28:52] [SPEAKER_00]: So you're you're very very strongly protected. We actually run thousands of validators
[00:28:56] [SPEAKER_00]: Um on testnet mostly but we run these and and we do everything that you should not do
[00:29:01] [SPEAKER_00]: We like run multiple clients we all this kind of bad stuff that would immediately get you slashed
[00:29:07] [SPEAKER_00]: But of course the point is we're testing out our own stuff
[00:29:09] [SPEAKER_00]: Uh, and and and we've been running for months. We've got like, you know top
[00:29:13] [SPEAKER_00]: Top performance on on on the testnet and and you know, we're you know cruising along with thousands of validators with with no slashings
[00:29:21] [SPEAKER_00]: so
[00:29:22] [SPEAKER_00]: Okay. So so I think this is the the the kind of direction that we need to go and one one last thought
[00:29:27] [SPEAKER_00]: I promise. Um
[00:29:29] [SPEAKER_00]: We're we're actually entering an even more complicated universe now, right?
[00:29:33] [SPEAKER_00]: It was already complex enough when we were talking about Ethereum staking but now we're talking about
[00:29:37] [SPEAKER_00]: You know EigenLayer. We're talking about a bunch of different AVSs we're talking about, you know, Babylon with all the complexity of Bitcoin
[00:29:43] [SPEAKER_00]: um
[00:29:43] [SPEAKER_00]: We're talking about like now this kind of explosion of protocols different places that you could decide to put you know to to invest
[00:29:51] [SPEAKER_00]: Um and different levels of risk and it's really hard even harder to evaluate the risk of these things like well
[00:29:58] [SPEAKER_00]: What does this AVS's slashing condition mean for my risk as as an investor?
[00:30:02] [SPEAKER_00]: What is you know the use of uh, uh Bitcoin in Babylon with you know, some some protocol. What does that mean for my risk?
[00:30:09] [SPEAKER_00]: These are great questions and we're still kind of shaking them out as an industry
[00:30:13] [SPEAKER_00]: The the fact is like for a lot of these things there are still a lot of unknown unknowns, right?
[00:30:18] [SPEAKER_00]: So so taking measures to sort of reduce that as much as possible to put safety
[00:30:23] [SPEAKER_00]: You know to put safeguards in place to you know
[00:30:26] [SPEAKER_00]: Sort of get all of that into the sunlight so that people can actually look at it and examine it and find problems
[00:30:31] [SPEAKER_00]: I think these are super super super important things to do in the future
[00:30:36] [SPEAKER_01]: Got it. So I don't want to make sure that I could summarize what you said
[00:30:40] [SPEAKER_01]: To me and that's basically
[00:30:42] [SPEAKER_01]: How the way the best way to reduce theft and attacks going forward in the future?
[00:30:48] [SPEAKER_01]: Is to stress test them now
[00:30:50] [SPEAKER_01]: And and covering all that stuff so they don't happen in the future. Yeah, absolutely
[00:30:55] [SPEAKER_00]: So so stress testing super important just getting people in the same room super important
[00:31:00] [SPEAKER_00]: Um making sure that all that information is out there for other people to see super important
[00:31:06] [SPEAKER_01]: It's a lot of sense
[00:31:08] [SPEAKER_01]: Um, yeah awesome. So um, and what you said it wasn't long-winded. It was very interesting. So thank you
[00:31:15] [SPEAKER_01]: Uh I'm good with everything you said so I would appreciate it
[00:31:17] [SPEAKER_01]: Appreciate your time and appreciate you explain that to me. I love talking to you today and I have one last question
[00:31:24] [SPEAKER_01]: Um, and it's probably easiest one to ask you is this is how can people find out more information?
[00:31:29] [SPEAKER_01]: About you about Cubist how can they become customers or clients? How can they start to use?
[00:31:33] [SPEAKER_01]: You know, um your platform. How can they do any of that?
[00:31:36] [SPEAKER_00]: Absolutely. So cubist.dev is our website. Uh, you can send us an email hello at cubist.dev
[00:31:41] [SPEAKER_00]: Um, yeah, you can ping me on Telegram I'm quantum but spelled very strangely. It's k-w-a-n-t-a-m
[00:31:48] [SPEAKER_00]: I'll give it to you later. You could put it somewhere. Um, but uh, yeah, I mean
[00:31:52] [SPEAKER_00]: But seriously like hello at cubist.dev is a great way to just like get in touch and happy to talk from there
[00:31:57] [SPEAKER_00]: Our website is cubist.dev. Um, and I think on Twitter we're cubist.dev all one word
[00:32:04] [SPEAKER_01]: Awesome, thank you very much for your time today. Jim. Oh, thank you so much. It's been it's been super fun


