Inside the 2FA-Enabled Chef’s Jacket with Nori-San: What’s the Password?

This post was originally published on SushiSwap

ayoki

Jun 19 · 10 min read

So I guess the question that I always ask everyone, to begin with, is, what is your role at Sushi?

I am the SushiSwap Security Team Lead and I’m responsible for the security at Sushi in general. That entails operational security, more team activity-related, and more tech-heavy stuff like contract and front-end security.

To further explain, contract security has to do with the smart contracts that are the foundation of the technology that Sushi is built on. Because of the nature of their technology, you can’t fix an existing security vulnerability, rather you can only try and prevent it or avoid it. That’s what’s really special about security in this industry, and why we’re also investing a lot into the best possible security solutions.

How did you first hear about Sushi and how did you get involved?

Getting more involved in the crypto space was on my to-do list for a long time, but before I got around to it I actually got introduced to Sushi through Keno. I’m coming from a more traditional security background and I did a lot of IoT and system security-related research. I had grown quite tired of always working with IoT or Android devices and I thought crypto sounded exciting, particularly from a hacking perspective, because if you hack a smart contract you get rewarded instantaneously.

Admittedly, I hadn’t worked on smart contracts or in this cryptocurrency space before, so I had a lot of catching up to do before officially joining; for example, I only knew basic Solidity. There was a need for someone to proactively manage the security for Sushi, so I jumped at the opportunity. In the end, I think it was a beneficial move for myself and the organization because I’m bringing more traditional approaches to this space, which I think is a missing perspective in many projects.

Even though you are notoriously our most mysterious core team member, could you tell us a tiny bit about your background?

I’m from a traditional security background, having worked several years as a penetration tester and security engineer. So I’m bringing those traditional security mindsets to a very much less traditional platform, which I think adds to its success in some way. When it comes to smart contract security, the Sushi team has always taken this very seriously. When I came along we started looking into more operational measures like two-factor authentication for social media channels and such. I was very surprised that when I put the word out that we needed to do this, the whole team had added 2FA in a very, very short amount of time. This just shows how seriously everyone takes security here and I appreciate that.

For our community members, what do you think is the most common scam that they should look out for?

There are many unofficial SushiSwap Telegram channels. This is the only official one: https://t.me/sushiswap

I mean, I wouldn’t even ask the question like that; I would ask what is the biggest security threat for our community members? And that’s a good question because, on one side, we are taking care of the contract security, but at the end of the day, from what I’ve seen at Sushi, the most recent and biggest losses are to scammers at the user level. There isn’t necessarily one scam that is most common because these guys are always coming up with all kinds of stories. But if you think about it, if somebody knocked at your door and asked you for the PIN to your bank card, you would ask them to leave.


People have to understand that private keys are called private keys for a reason, and as long as people don’t, scammers will succeed.

So, if I have to think of the most common scam, I would say that currently it would be this wallet syncing story. The scammers basically say that if something’s not working out, it’s because the wallet is not syncing properly. So they’ll approach people asking questions across social media channels and direct them, for “troubleshooting”, to a website where they want you to enter your private key or your seed phrase… and if you do, all your tokens are gone.

What was the most shocking or outrageous scam you’ve seen to date?

OK, so what I was doing was asking questions in the Discord to see what would happen. I basically copied somebody else’s question that they had asked a few days ago and I waited for the scammers. At one point I was talking to two scammers in parallel and they were trying to send me to the same website. So this indicates that they are kind of organized, working in teams, apparently. That was kind of interesting to see. Interesting but also scary in some way, because if they start getting organized, they will also learn from each other and potentially become more creative.

Maybe it’s not great to admit it, but it is a tiny bit satisfying to string them along a bit and troll them once we’re in the DMs.

They always prey on those who lack knowledge, trying to hit them with so much pseudo-technical B.S. that people just give up and trust them, because it’s just easier. So they bombard you with false information that your wallet is out of sync, etc., but there is no such issue. And yeah, people trust them for some reason and just happily enter their private key information into these websites, but I am trying my best to eradicate these scammers from our community.

Coming from a traditional security background, what is your overall opinion about the security of the crypto market in general?

I can speak from my experience at Sushi, and I actually suspect that it’s pretty much the same everywhere in the market. I feel like a lot of people who work in this space, even though they are not security professionals, take security very seriously. That’s something I noticed immediately when I started working at Sushi. People were and are very willing to work together with me on this.

Something that is an unfortunate part of traditional security is that security costs money, but it doesn’t provide a visible result for its budget, like a shiny front-end UI that brings more customers in with visible revenue. Security is sometimes perceived as annoying.

That was something really interesting when I started working in this space: everybody was very, very eager to work with me and to follow my suggestions. So, not just the executive team, but the whole team gave me a lot of support. For example, again, when I asked the team to enable two-factor authentication on their accounts for certain platforms, it was done, for nearly everybody, immediately. So that was an amazing experience for me, to be honest.

But in general, in the community, there are so many people who need to be educated on basic security. And the community members really have to learn how to secure their wallets. If you have all your money lying in one wallet that you haven’t secured with a hardware wallet, and you give out your private key because somebody told you to sync it? That just shows that there is a lack of education around security overall.

Nori protecting us in the Discord 😥

What is something that you would encourage every cryptocurrency newcomer or even veteran to invest in, in terms of protecting themselves and their crypto?

The advantage of Decentralized Finance (DeFi) is that nobody can restrict you from using it when you want to do so, like we have seen with other financial trading platforms lately. However, at the same time the responsibility for the security of the assets is at least partially with the user. While we are doing a lot for security at SushiSwap, having that much control over your assets means that you as a user carry a lot of responsibility as well.

The best advice I can give is to encourage users to invest some time into educating themselves about what security means and how this technology works. If you’re investing all your money into crypto, at least know what you’re getting into and take one or two hours to dive into security.

For example, if you hold long positions, you would want to use a cold wallet. A so-called “cold wallet” is a cryptocurrency wallet that not even you have quick access to. It’s a wallet that is stored offline, in multiple places, somewhere secure. So if you have large amounts of money, that’s how you do it. I also think that hardware wallets in general are a great investment. Further, you should split up your funds across multiple wallets to mitigate the impact in case of a compromise… And lastly, keep your private keys private.

OK, that’s good advice. How would you describe the differences in security threats between the cryptocurrency world and the traditional industry you come from?

So in the traditional space there are such things as “zero days”, which potentially allow you to hack other people undetected, for example their mobile phones and so on. These security vulnerabilities can sell for up to 2 million US dollars on the black market. They are used against targets of interest, like political enemies, or governments, or for example somebody who has a lot of money, where it would perhaps be worth it. But the normal user wouldn’t usually be affected by such severe security vulnerabilities as long as they keep their system up to date, because it’s just not worth the investment of time and energy to target a normal user.

But this industry is very interesting because the second a hacker can hack somebody, they get an instant reward for it because of the ease and speed of crypto. This is what makes scammers so crazy about doing this in crypto. It’s like a bug bounty program with jaw-dropping rewards.

How often do you see these scams actually happening?

I mean, what we see happening, where these big projects get hacked and everybody’s money gets stolen, is that these attacks are carried out by the most unskilled scammers. People talk about hacking with traditional methods, like trying to steal the private keys from someone’s hard drive or something, but that takes skill and hard work because it’s not trivial. So it’s much more common to see simple information theft, because it’s such a low investment, with no skill required.

Just in case our audience doesn’t know, if we want to actually recover any funds after being scammed is it just impossible?

You would have to beg the scammer to give it back to you, because it’s gone and, yes, impossible to reverse or recover. It’s really sad to see people losing $70,000, or really any sum for that matter.

In terms of Sushi, what would you like to see done to improve the security of the platform?

We are actually already doing a lot for security. Both static and dynamic analysis tools are integrated into our development pipeline to continuously look for bugs during the development process. Further, we are using formal verification to prove that certain assumptions regarding our smart contracts always hold true.

What I want to do is bring more awareness to the community and make the life of scammers much, much harder. There are already some things in the making.

I think a lot of people tend to put their private key in the Notes app of their phone or write it on a piece of paper and throw it in a closet and never think of it again. Is it that bad to keep your private key on your phone?

Well, you wouldn’t want to keep something written down on a single piece of paper, because if your house burns down, there goes that very valuable information with it. That example actually reinforces the need to store your private keys safely in more than one place, because your cold wallet would burn as well, if I’m honest. Keeping your private key on your phone defeats the purpose of owning a hardware wallet, to be honest. But if you are going to go that route, you have to keep your systems up to date. That is the general rule of security. If you store it on an air-gapped and encrypted hard drive, I would personally say it’s fairly secure.

As cryptocurrencies continue to grow in popularity and become more mainstream, instead of banking trojans, hackers will start to deploy malware that looks specifically for your seed phrase on your devices, if it isn’t out there already.

You’re the only team member to have their head turned in their illustration. Poison Hikari found that really interesting and played with your illustration quite a bit. Why did you choose that pose?

I’m a risk-averse guy, having been in security for all these years. I think the artist is pretty spot on when it comes to people’s faces, so I didn’t want to be recognizable from the avatar.

Which do you prefer? Right or left?

What do you like to do for fun outside of Sushi?

I love skiing and, to be honest, I actually love hacking in my free time. Not in the sense you might be thinking: I’m not incriminating myself! Hacking in this sense means trying to find vulnerabilities in systems in order to improve them. It’s really fun.

What’s your favourite sushi?

Salmon Sashimi.

Hmm playing it safe with the sushi I see!

Sushi is building a comprehensive DeFi ecosystem with AMM, leverage & margin trading platform, token launchpad and NFT artist platform. Follow our socials to keep up with our product launches and find out more on how you can make the most of your cryptocurrency assets with Sushi’s secure and powerful DeFi tools!
