How White Hat Hackers Are Transforming Web Two Cyber Security Initiatives to a Web Three Future, with Sipan Vardanyan and Vahe Karapetyan @ Hexens
Crypto Hipster
316
00:31:37 · 17.44 MB


Sipan Vardanyan is co-founder and chief executive officer of Hexens, a Yerevan-based global cybersecurity firm that provides web security solutions and services with a focus on Web3. The proud recipient of several hacker awards in pentesting and open-source intelligence (OSINT), Sipan holds the title of the youngest chief information security officer of an Armenian bank, at age 22, and was the Open Worldwide Application Security Project (OWASP) Armenia chapter lead. Sipan is also a co-founder of ARMSec, Armenia's premier security conference, and is an advisor to multiple global tech startups, offering expert guidance and insights to help them grow and thrive in their respective fields.

Vahe Karapetyan is co-founder and chief technology officer of Hexens, a Yerevan-based global cybersecurity firm that provides web security solutions and services with a focus on Web3. Vahe is a security researcher with more than a decade of expertise in cybersecurity. He has conducted over 200 security assessments for leading global financial institutions, web applications, and other critical infrastructure. From research and academia to consulting for IT and financial organizations globally, Vahe brings a wide breadth of experience to his role as he guides Hexens’ auditing teams in facilitating a safer Web3 experience for everyone in the space.

[00:00:00] Hello everybody and welcome to the Crypto Hipster podcast. This is your host, Jamil Hasan,

[00:00:08] the Crypto Hipster where I bring you founders, entrepreneurs, executives, thought leaders, artists.

[00:00:13] You name it, all over the world, crypto and blockchain globally. And today I have, actually,

[00:00:19] I got a double treat for you. I have two amazing guests in the same interview. I'm really

[00:00:24] looking forward to this, and I'm going to butcher their names, and I'm going to do my best.

[00:00:29] They are the CEO and CTO of Hexens. I have the CEO, Sipan Vardanyan, and I have the Chief

[00:00:37] Technology Officer, Vahe Karapetyan. Welcome to the show, and how did I do?

[00:00:44] Thank you so much. I'm excited. Thanks for inviting me.

[00:00:47] Nice meeting you. Great, awesome, good meeting you too. Thank you for joining me today. So

[00:00:54] let's kick things off and ask you both first what your backgrounds are and whether they are

[00:01:01] logical for what you're doing now? Well, pretty much, Vahe and I started our IT careers at a

[00:01:09] pretty young age, but at some point we shared our path, so I would say for the last decade

[00:01:16] Vahe and I have been managing teams of cybersecurity experts and doing offensive security,

[00:01:22] different types of offensive security services, for critical infrastructure.

[00:01:28] And over these years we've actually been doing a lot. For example, we

[00:01:34] co-founded the premier Armenian cybersecurity conference,

[00:01:40] armsec.org, and we're chapter leaders of OWASP Yerevan, and of course doing

[00:01:47] angel investments and actually advising lots of startups, mainly with our own expertise, which is

[00:01:53] of course mostly cybersecurity. Yeah, throughout our careers we've been really passionate about

[00:01:59] cybersecurity overall, but after getting into the blockchain world, I believe in 2016 or 2015,

[00:02:08] it quickly became really evident for both me and Vahe that we wanted to pursue

[00:02:16] our next venture in the specifics of Web3 cybersecurity and make the Web3 space

[00:02:24] much safer, because I truly believe the knowledge and expertise that we're bringing from our

[00:02:29] traditional experience to Web3 cybersecurity is absolutely crucial for the field.

[00:02:36] I'd like to add a bit. There's a very interesting part in the question, which is how logical

[00:02:43] our background is for Web3, because basically there are two main paths by which people end up being

[00:02:50] in Web3 security. It's either being in Web3, let's say doing development or other kinds of

[00:02:55] stuff, or being in security and then transitioning, like Web2 security and transitioning to Web3.

[00:03:01] So our path is going from Web2 security, and in my opinion I think it's a bit more logical than

[00:03:13] transitioning from development to security but staying in Web3, because the fact that we had

[00:03:19] prior experience in cybersecurity as an industry helps us to see a lot of gaps that there are

[00:03:26] in the Web3 world. So there's an interesting, let's say reusable, experience that you can apply

[00:03:34] when you transition this way. See, that is good news for people who are going to go the

[00:03:41] same route down the road, you know, go over to Web3, so that's good to know. So for my listeners,

[00:03:48] the first speaker was Sipan, the second was Vahe. Keep those voices in your head.

[00:03:55] Listen, so last time I interviewed Hexens we didn't talk about these two things, but I guess

[00:04:03] they're new, but I want to find out what they are: Glider and Remedy, right? What are they all about,

[00:04:12] what made them, how do they work? Yeah, I believe I can start this one. So

[00:04:19] Remedy is the platform where we realize the craziest experiments, where we basically take our

[00:04:28] craziest thoughts and make them reality. Right now Remedy consists of many different moving parts,

[00:04:36] and definitely over the next decade we're going to build really cool stuff on top of it, but

[00:04:42] at this point we have already launched Glider, which you mentioned. Glider is the main

[00:04:48] technology that we pushed out there. It is available right now; everybody can visit glide.r.xyz and

[00:04:55] check it out. So what Glider does, it's actually, I would say, a revolution in cybersecurity

[00:05:03] tooling for Web3, because it is the very first tool that effectively finds bugs and

[00:05:09] vulnerabilities at scale, and we're talking about a bit different type of tooling than an average cyber

[00:05:16] security professional is used to using. For example, how it works, in simple words: you can describe any

[00:05:25] pattern, or you can describe any vulnerable scenario, and then run this check across all the

[00:05:33] deployed smart contracts across all the EVM-like chains. And yeah, for example, if somebody has a

[00:05:41] favorite vulnerability or a favorite attack vector, you can play around, describe that attack

[00:05:47] vector in Glider, and then see what kind of matches there are across different chains.

[00:05:55] Yeah, this is also called variant analysis in cybersecurity. Basically you can,

[00:06:01] if you know any kind of vulnerable scenario, you can try to find whoever is vulnerable to this

[00:06:06] scenario. And also maybe you don't know of one, let's say, but you can come up with one that you never

[00:06:13] saw in the wild out there during your audits or whatever. But you can just, you know, sometimes people

[00:06:19] have crazy ideas when they sleep or whatever, so you just wake up with some idea, you're like, is

[00:06:26] there any contract that has this weird stuff in it and would be vulnerable? We can just

[00:06:32] query that all over, throughout the whole blockchain, and you can find all the contracts that are

[00:06:38] vulnerable. Yeah, and this security tooling at scale, I think it's super important for Web3,

[00:06:48] because basically one of the main differences of Web3 is that Web3 is mainly open source,

[00:06:53] so almost every project that one would care about has its code open source,

[00:06:59] and before Glider no one was leveraging this fact. As far as we understand, we're

[00:07:05] the first tool to do that, and yeah, we think this is going to be a game changer. Yeah,

[00:07:12] Remedy is basically a 360 cybersecurity platform, and Glider is just one of the,

[00:07:19] well, one of the really great and absolutely unmatched packs that we deliver. We should, yeah.

[00:07:30] Sounds good. I think it's funny you said sometimes you wake up in the middle of the night with a great idea.

[00:07:35] I used to think I did that. I'd wake up at midnight, write it down,

[00:07:40] go back to sleep, wake up, and I'm like, what did I write down? You know, so, you know,

[00:07:47] yeah, it never worked for me. So one of the things your company does is reshaping Web3 cybersecurity,

[00:07:56] right? Why is it important to do that, and what are some of the current addressed risks and unaddressed

[00:08:04] risks that require your solutions? Well, the fact that Web3 cybersecurity has to be reshaped

[00:08:15] is pretty much obvious, basically, for everyone who is aware of what's happening in Web3

[00:08:21] in terms of security incidents. Like, the amount of money flowing into malicious actors'

[00:08:29] pockets is just too big for this small of an industry. It is really too big, and

[00:08:38] it's easily measurable just how much money we're losing to hackers, and it has its own reasons, of course.

[00:08:46] The reasons are pretty much evident, because a single bug in a single line of code directly

[00:08:52] can lead, and probably will lead, to a loss of funds, and of course black hats are leveraging this,

[00:09:00] and we have to create as much effective cybersecurity tooling and products

[00:09:07] and measures and methodologies, basically any kind of solutions, to minimize the risks for the field

[00:09:13] as much as possible, because it is really crucial when your money is basically a piece of code.

[00:09:24] There's also an interesting distinction between Web2 and Web3 in that sense. So Web3 is much more

[00:09:34] nuanced, as Sipan already said. So, let's say, if you found a critical vulnerability in Web3,

[00:09:40] in a smart contract, you're basically, like, the illicit actor is just seconds away from these

[00:09:47] high-liquidity assets that he can steal to make profits. In contrast, in the Web2 world, if you have

[00:09:56] a critical vulnerability on some web server or whatever, there's still so much stuff that can go

[00:10:02] wrong. The attacker still needs to spend a lot more time, the probability of a

[00:10:09] successful attack is much lower. If you have a critical, it doesn't mean that it will necessarily

[00:10:14] bring full business loss or huge monetary losses for the company. And this

[00:10:21] stuff is crazy in Web3, because you're just seconds away from going bankrupt, the whole,

[00:10:27] I don't know, billions of dollars in one protocol. So given this distinction, and also the fact

[00:10:34] that Web3 is very fresh, it's kind of premature, especially in the security field, it is

[00:10:42] unfortunately very beloved by black hat attackers. These are the bad actors in the field. So there are

[00:10:49] white hat attackers, the good guys like us, who try to find these bugs and report them to the project so

[00:10:56] they can fix them, and there are black hat hackers who just really want to steal that money. And this is

[00:11:02] why there are a lot of actors that do black hat hunting, unfortunately, in Web3, and this is

[00:11:08] one of the biggest, let's say, risks and issues we're trying to address as well. It is basically ten times

[00:11:15] easier to monetize black hat skills in Web3 rather than Web2. Yeah, so we're saying white hats

[00:11:25] are the good guys, you guys building the security solutions, and black hats are people like

[00:11:31] Lazarus Group and others? Pretty much, pretty much. Okay, good to know. They do have political reasons,

[00:11:40] right? Yeah, it looks like it's for the nuclear program. Yeah, we don't know, right. So there are some practical

[00:11:52] applications that decentralized security has in the real world. There are some

[00:11:58] things that you're bringing over, right, because you're coming from the Web2 world into Web3. So those

[00:12:02] applications, right? What do you see coming over in the long run to build the future of Web3 security?

[00:12:14] I would say the ethics is super important here, because, let's say, for example, this is also

[00:12:21] a very good example about Glider. So it is a very powerful tool. If a white

[00:12:28] hat uses it, it will give a lot of benefits to everyone in the industry, but if a black hat uses it,

[00:12:36] it can be disastrous as well. So I think the most important part in decentralized

[00:12:45] security, let's go that way, is that it is decentralized. It's hard to centralize, it's hard to

[00:12:52] monitor, it's hard to assign the rights of who can use what. Everything is open out there, the contracts that are

[00:12:57] vulnerable are out there, you cannot censor the transactions, mainly if we're talking about

[00:13:01] public chains like Ethereum and other chains as well. So this has its own benefits, but also this

[00:13:10] lack of, let's say, a bit of regulation, and it brings a situation where anyone can do anything.

[00:13:19] It's a bit like a Wild West going on out there, and a lot of funds are being stolen. So I think

[00:13:28] it's very hard to keep this decentralization and also try to regulate and control something, but

[00:13:34] I think that eventually we must find something in between, the compromise, and try to address this.

[00:13:43] It's not too easy, it is hard, but I think eventually this is something that we need to

[00:13:48] think of, as anyone in Web3 cybersecurity. Yeah, I would say.

[00:13:58] I want to get into the ethics a little bit later, but this is, I've been doing my own cybersecurity

[00:14:04] for a number of years and I haven't had a problem, and that is, if I have any altcoins,

[00:14:11] I put them in a wallet, right, and I put no Ethereum in that wallet, because you need Ethereum to pay

[00:14:17] for gas to extract from the wallet, and thieves never make deposits. Yeah, because the deposit

[00:14:25] is basically one of the only ties on chain that can lead to the de-anonymization of the hacker.

[00:14:32] That's basically the most dangerous part for any hacker: how they actually got the first funds.

[00:14:39] Well, it's two sides: how they got funds and how they actually cash them out. Those are the two main points.

[00:14:49] Got it. So your role is to strengthen each stage of the security life cycle. I'm really interested in,

[00:14:58] you know, I'm not familiar with what each stage is. Could you walk me through, please, what the

[00:15:04] security life cycle is? Sure. So basically, when you imagine running, I can't,

[00:15:10] I understand why it's a bit hard to describe the life cycle,

[00:15:19] particularly because it's a very comprehensive, let's say, topic in that sense. But

[00:15:26] basically, you're developing some code, you're deploying it, so there are a lot of steps

[00:15:32] in that process, and there are also a lot of things that you can do during this process to stay secure.

[00:15:39] You can run your code through analyzers; after you've written the code you can have an

[00:15:45] internal team review the code, you can have an external team review the code, then you deploy

[00:15:50] your product, and there is other stuff that you can use, like bug bounties. And by the way,

[00:15:56] Remedy, the second part of it that is launched out there, besides Glider, is the bug bounty part,

[00:16:02] so we're also trying to cover that post-deployment stage of the life cycle as well. And I would say

[00:16:08] that the most important part in the security life cycle, and overall in

[00:16:15] how a project or company should think of their security, is that cybersecurity is not a state.

[00:16:24] You're not secure because you're in the state of being secure; it's a process, and if

[00:16:31] you're constantly in this process, then we can say that, let's say, in that case,

[00:16:37] we can say that you are secure. But actually we're living in a world where there are no guarantees,

[00:16:43] and security is more like risk management. Yeah, you mitigate your risks, you understand the cost,

[00:16:50] but you can never guarantee that, okay, I'm doing everything right, but there's still

[00:16:56] something that can go wrong. No one is guaranteeing you that you are unhackable. There is no

[00:17:01] code on the planet that is unhackable; there will be a day when it gets hacked.

[00:17:07] Yeah, but the thing is that you need to be prepared for this, and also you reduce the probability of

[00:17:14] being hacked. Yeah, that's the main part. You know, I'm going to have to challenge you

[00:17:24] on that as a follow-up. I have to challenge you, and see, on April 21st Bitcoin is going

[00:17:33] through its halving, it's going to be halved. They always said that the potential, the possibility

[00:17:40] to even hack Bitcoin, which they say is unhackable, they could still have a 51% attack mathematically,

[00:17:48] right? Can, at this point in its life cycle, Bitcoin be hacked, or is that impossible?

[00:17:57] Is it unhackable? It's not unhackable, like any other piece of code

[00:18:04] or even hardware. It is hackable theoretically, it's out there, but maybe it's so hard

[00:18:10] that no human being right now can come up with the way to hack it. Because past experience

[00:18:17] of hacking, of security, shows that everything can be hacked, and from this we inductively think

[00:18:23] that it also cannot be unhackable. And with the 51% attack scenario, yeah, that's

[00:18:31] possible as well. That's even more, I think, theoretically more possible than someone

[00:18:36] finding a hash collision and trying to hack Bitcoin or whatever. But I think here the game theory

[00:18:45] and the incentives of the miners will break, and I think in that sense it will not make

[00:18:53] sense from their point of view to do this 51% attack just to destroy Bitcoin as a system,

[00:18:59] but only, like, simultaneously they are earning these bitcoins, they're making a fortune out of it,

[00:19:06] and making them, their price goes to zero, basically. You got the 51%,

[00:19:13] why would you want to destroy it if you got the 51%? Yeah, that's the point.

[00:19:19] Got it. So incentives say no, but the possibility exists.

[00:19:25] The possibility, yeah. Got it. So I want to go back to what you said about ethics,

[00:19:36] right? Ethics, like, what's the role of ethics in, you know, crypto and blockchain? Because in a lot of

[00:19:46] chains I don't see it, you know, existing. But as opposed to security, why is ethics,

[00:19:55] blockchain ethics, important going forward in this industry? Now, it is indeed a painful question,

[00:20:02] I would say, and it matters even more in Web3 cybersecurity because of how much is at

[00:20:09] stake. I would say it's never been, it's really never been this tempting for an average

[00:20:16] cybersecurity researcher to become a black hat. This is like unprecedented risk/reward and return

[00:20:26] on investment for the black hat. I think in general there are some, so trying to,

[00:20:36] let me try to continue the idea that Sipan was telling about. Let's say there's a very

[00:20:45] talented security researcher who found a critical bug, and he's basically seconds away from

[00:20:51] stealing like 200 million dollars, or that worth of dollars or assets. If the person

[00:20:59] doesn't have the ethics, it's gonna be disastrous, 100%. If he doesn't follow the ethics, if

[00:21:07] he doesn't really understand why he needs to follow the ethics, there's nothing that can stop him,

[00:21:12] actually, from doing it. And as we see from both the Web2 world as well and in Web3 also,

[00:21:20] there's still a lot of white hat hackers, good guys, who are seeing this, who are really in

[00:21:27] situations when they are one second away from billions, like life-changing, I don't know,

[00:21:33] not even life, but, I don't know, it's life-changing money. They still act properly,

[00:21:42] following the ethics, white hat ethics, without a second of even giving a thought

[00:21:50] to any other way to do it. That's the most important part, because as the stakes are high,

[00:21:57] any person can become a black hat, and this is going nowhere. If we have this hypothesis

[00:22:04] that any kind of white hat can become like that, we cannot make it through. Web3

[00:22:10] will not get to mass adoption, it will not be the future of finance, as, I don't know,

[00:22:17] everyone hopes in Web3. So we do need these ethics, and the ethics is kind of rewarding as well.

[00:22:25] So maybe not a lot of the listeners would know, but in the Web2 world and in the Web3

[00:22:34] world, the bug bounties that you get for reporting a bug, a critical bug, are just so different. In Web2,

[00:22:42] if you find, let's say, a critical vulnerability on Facebook, most probably you will get like 30k tops.

[00:22:49] In Web3, the biggest payout out there that anyone can try to get is $50 million.

[00:22:58] Like 30k and 50 million dollars, that's, you know, you can't even compare

[00:23:06] these numbers. So yeah, it's rewarding. The Web3 world is moving to,

[00:23:13] or is trying to move to, a fair, let's say, marketplace of white hats and projects.

[00:23:20] We are still in the process, there are still a lot of things going wrong, both from the

[00:23:26] hunters' side and from the projects' side, like hunters doing black hat things and projects trying to

[00:23:32] scam the hunters when they do the white hat thing. So there's a lot of stuff going around, but

[00:23:37] we are slowly but steadily moving the way where we, you know, give ground to these proper ethics.

[00:23:44] We believe it is absolutely possible to achieve a state where we can provide fair

[00:23:50] outcomes and positive-sum gains for every participant in the markets, and that's one of the

[00:23:56] missions of Remedy. I believe it shall be achieved by creating the right environment where

[00:24:06] incentives are set right. I'm thinking in my head, you know, 30k versus 15 million, I think

[00:24:19] I'd opt for the 15 million. Yeah, I thought, you know, sounds better. So I want to ask you about,

[00:24:30] you know, today, and this is going to be published after the sentencing comes down.

[00:24:35] Sam Bankman-Fried is in a New York court to receive a sentencing. You know, a lot of

[00:24:43] things imploded over the past couple of years. I was a Celsius customer, BlockFi, all this other,

[00:24:51] you know, and that was not the future of finance, right? CeFi, it was not the future. So what

[00:24:57] is the future of finance? Oh, that's a good one. I would hope that it's more like Isaac Asimov

[00:25:06] imagined, not like Huxley or Orwell did. Yeah, personally I hope it is decentralized, at

[00:25:14] least much more decentralized than it is right now. I think one of the things

[00:25:21] why the Web3 industry, let's say, hyped is because there are a lot of people who were already

[00:25:28] sick of this finance industry that we had. It has its own pros and cons, but I think

[00:25:36] the cons, the list goes on and on, are much bigger than the pros, and people are

[00:25:44] trying to explore new ways, let's say, or new places for potential, like,

[00:25:53] a world of finance, and Web3 is something that gives this hope to all those people.

[00:26:00] Yeah, sure, it's super fresh. There are a lot of people in Web3 who don't really

[00:26:05] understand that this is very important stuff going on right now. We're trying to shape

[00:26:12] possibly the future of finance, hopefully, or, I don't know, in my opinion, but they are

[00:26:18] acting very childish. The same story, like Sam Bankman-Fried, it's not only one

[00:26:24] story, there are others, like there's Terra/Luna, people getting scammed for

[00:26:31] millions of dollars. People are just not acting responsibly. There are lots of,

[00:26:38] unfortunately, illicit actors as well, but I think it's just, it's always happening

[00:26:46] when some new industry is starting to grow. It's rather natural. Yeah, I think it's a natural process, and

[00:26:52] if we do everything correctly, I think we could get rid of almost the biggest part of these issues.

[00:26:58] At the end of the day, I would say crypto, for me personally, I see it as a way for

[00:27:04] everybody, for humanity, to achieve the freedom to transact in the first place.

[00:27:10] It is financial freedom, it is the tool that has a chance to be adopted, and we shall

[00:27:16] fight for it. And I'm all for, yeah, I'm all for fighting for it. I think that's great. How do you,

[00:27:27] I appreciate it, sir. Yeah, I want to talk about something else

[00:27:34] you said in the first few minutes, and we discussed throughout the course of this

[00:27:39] podcast: black hat hackers, errors in code, bounties, those are all attack vectors, right? There is

[00:27:50] an additional attack vector that's not cyber-related, but that people should be aware of,

[00:27:58] and I want to get your insights and thoughts about how they can educate themselves

[00:28:03] on those attack vectors. I call it mainstream media, right? I see articles out there

[00:28:12] with pure uncertainty and doubt and just really, really bad takes, but they are published in

[00:28:18] major publications that normal people read, like the Wall Street Journal and Bloomberg and stuff

[00:28:22] like that, right? So how can we deal with the attack vectors of uneducated journalists

[00:28:31] saying negative things about the industry, negative things about certain coins? What do people

[00:28:35] need to look out for, and need to look forward to, to make their own decisions? Web3, by definition,

[00:28:42] is a high-risk place, and if you're in Web3 and you don't understand it's a

[00:28:50] high-risk place, it's rather strange for me. And people that do understand that Web3 brings

[00:28:58] some new types of risks, they certainly shall adopt applicable operational security rules

[00:29:05] and be more cautious, and of course do your own research each and every time. Web3 requires

[00:29:11] a deeper approach to due diligence before investments than traditional assets do, because

[00:29:18] of the regulation, because of the SEC, because of the many prior requirements for the assets to be

[00:29:25] tradable in the first place. And we see some, like, 12-year-old kids can run their own meme tokens

[00:29:32] and meme coins, and everybody can just, so the biggest difference is that the second one

[00:29:38] shall not go through an approval process, so nobody actually guarantees it's not a rug pull

[00:29:44] or it's not a scam or you're not going to lose all your money. So of course it's pretty much

[00:29:49] obvious, but do your diligence each and every time. I think in general if we do whatever we can

[00:29:57] in the educational part, try to educate people more, I think it will impact it as well,

[00:30:08] this issue that you mentioned. Yeah, I mean, that's also part of the natural

[00:30:15] process of this new industry coming out and growing very fast. I agree, I agree. So, gentlemen, I want

[00:30:26] to thank you very much for your time today. I really enjoyed speaking with you. I have one final question,

[00:30:31] an opportunity to have people learn more about you. How can they learn more about your company,

[00:30:37] about Hexens, about Glider or Remedy? How can people become clients? How can they be more aware of

[00:30:43] their cybersecurity needs? How can they do any of that? Sure. So Hexens is the head company,

[00:30:50] it's hexens.io. We pretty much got a lot of information there, as well as public audit reports. If

[00:30:57] any hackers are out there, I assure you you're going to enjoy reading those. And of course

[00:31:04] we've got lots of openings at Hexens, lots of career opportunities, so you can find that there too.

[00:31:11] And if you're interested in working on the next generation of cybersecurity tooling and actually making

[00:31:17] the future of money safer, go to r.xyz and enjoy the ride.

[00:31:27] Great. Thank you very much for your time today. Thank you so much for inviting us, it was great.

[00:31:34] Have a nice one.

Digital transformation broadcast network
