Since 2008, when Bitcoin was invented, there have been discussions about cryptocurrency security. Cryptocurrencies are kept in digital wallets, and you access them with a private key that approves buying and selling. The problem appears when the private key falls into the wrong hands and an outsider can make transactions on our behalf. Situations like this happen on a daily basis. But the issue of cryptocurrency security is not limited to this simple case.
We were invited by Brandon Zemp to take part in an episode of the BlockHash LLC podcast to deepen the knowledge about security issues in cryptocurrency.
In the podcast episode about cryptocurrency security, we answered the following questions:
- What is most important when you build a crypto exchange?
- What are the most important security issues when you develop a cryptocurrency platform?
- 2020: best technologies, projects, Tezos and Algorand.
Read our podcast transcript
BlockHash (Brandon): All right, Konrad. How are you doing?
Ulam Labs (Konrad): I’m fine, thank you. How are you?
Brandon: Fantastic! Thank you for taking the time to come on the podcast and working on getting this scheduled. Really appreciate it. Before we get started, do you want to tell me a little bit about your backgrounds and how you got to what you're doing now, so that the audience can kind of get a little bit more familiar with who you are.
Konrad: Yeah, of course. I hold a bachelor in computer science and electronic engineering. My journey started at Nokia, I was working in the LTE department. I was doing the low level work that mostly drivers for the hardware. And then, it was 10 years ago and there was not that much work for me in the industry, except the big corporations like Nokia. But I never liked the corporation. I always wanted to work in a smaller company preferably on my own. So I started to find other opportunities. I switched languages to a higher level - Python language and I found work as a Python web developer. Then I created my own company with blockchain projects. And it was certainly interesting for me. Currently we are trying to focus only on the blockchain industry and trying to do more and more crypto projects both private and public blockchains.
Brandon: Gotcha. Did you do any work in blockchain before Ulam Labs?
Konrad: Not really. We have been building the different web systems as well at Ulam Labs. But once my friend said that he will be starting the new crypto project. I replied that I have some “guys” that could help. There was lots of trust. So we started that year and it was quite big for us. We had to integrate with many blockchains at the same time and there was lots of infrastructure work. Blockchain is not only - like people think - writing smart contracts. But then it's also building cross-chain applications, chronic cross-chain applications in order to communicate between different blockchains.
Brandon: What do you do at Ulam Labs? Exactly, what's your main focus in terms of what you do there regarding blockchain?
Konrad: Currently we have so many technologies that it's really hard to focus only on one of them. For example, there are components that are trying to focus only on the Ethereum and the smart contracts and trying to build the DeFi systems. You don't store the private keys for your customers. They store keys themselves and then communicate through the smart contract platform. Currently, for example, for the client in Austin, Texas, we'll be working on the standardized way of connecting the IOT devices because the components already have a robust IOT.
IOT devices that they sell to all the clients need to have some kind of bridge, some kind of an Oracle is able to inject data from the IOT devices. So we are trying to inject data into the blockchain. At the moment we are working on the Eaton, on the building the chain. That works and gathers the data from IOT devices. It would be a kind of bridge that will allow customers to receive data.
In June, we will be presenting this solution. I am not sure what will be the next steps for the IOT device. We are trying to specialize more. I believe we will also do the exchanges. Another of our London clients, we have prepared the platform that is mostly used for stable coins. You have Bitcoin and what you can do is to borrow a stable coin. For example you have the Paxos and you are borrowing stable coins, and then you are having those stable costs, next you are selling it. So you are basically holding more Bitcoin than you will have here. This allows you to have some kind of leverage. Next step is the following, if the Bitcoin will go up, let's say 10%, you will have double the profits. Something like that, it's quite a robust platform because you can use many currencies and many different blockchains as a collateral.
Brandon: Are you mostly focused on Ethereum or you are branching out onto other platforms like EOS?
Konrad: From our perspective, when you are building the cryptocurrency exchange, it really doesn't matter that much. We are specializing and we will try to open source it. Some kind of the interface, the standardized interface for all the blockchains. Let's say you have Binance with hundreds of different blockchains. And you need to have a business application with a unified interface for all the blockchains. So for example, I have deposits across tens of different blockchains. It definitely has to be the same, but the blockchains are completely different. They have different confirmation times, different protocols and different transactions. Everything is different. So unifying, this is quite hard. Indexing all those transactions, you need to have a unified indexer for all the blockchains. So it's another challenge. So we prepared something like that. We would like to (after polishing it a little bit) open source it one day. Or maybe even create some kind of the startup on our own. I saw similar things on the market with that kind of unified interfaces.
Brandon: That's cool. Now it is usable for different blockchains? That is important though, cause I mean, Ethereum is, you know, developing a lot of competition. As you know, a lot of these plot projects are going through different phases. It's definitely a good thing that you guys are usable by different, different projects out there too.
Let's talk about security for a second. So I know you wanted to discuss that as well. What, what are some of the issues in crypto that exist regarding security we have to still solve, they're kind of lingering around.
Konrad: There are two categories that we should probably discuss. So the first category is that when you are building the DeFi applications. What you do is you have to prepare smart contracts or smart contracts and a system that will be the frontend for the clients that will be interfaced with that.
So for example, one of the startups that I am tracking at the moment is the Atomic loans from Canada probably, or New York. This is their model. If you ask why it's important? Because you don't hold the private keys at all.
Basically the biggest problem here is that the bugs in the smart contracts are the potential problems. Especially if you are doing this on Ethereum, and most of the defi projects at the moment are built in Ethereum because the “Ethereum killers” are just starting.
The other category is when you are building applications and you have to store the private keys because you have a cross-chain application for example, and you hold the deposits in different blockchains and then you need to exchange them. For example, simple case - Binance or other exchanges, it doesn't matter. It doesn't really matter. If you accept exchanges that exchange only the ERC 20 tokens on top of Ethereum.
So going back to the biggest problem - storing the private keys, this is what we did for the client. You are generating private keys to hold deposits of your clients. And their private keys are stored somewhere in that new platform. You have to struggle and think deeply about how to design the system so that those keys are secure.
The biggest problem in the second category is stealing private keys. Sometimes it is so easy that like some really good engineers could even remember the key by just looking at it. How this probably should be tackled is that you need to prepare a separate system inside the system and design the interface so that the private keys are never exposed outside of this system.
Then limit access to that system only to a small number of the people from the technology partner (let's say to two). And then you design the system. So it will be super simple so that there will be no changes deployed in time because the more you change the model, the more you risk that someone may change the system. This is how you tackle this problem. But then you need to design the interface. For example, we created and called such a solution “Wallet Manager”. And it was responsible for issuing the transactions. You can say to the system: create me a deposit, a wallet, and it will give you a token (not the private key) to the world.
What is most interesting is that we got in generating the deposit wallet for each customer separately. When we are creating the wallet, we are at the same time. We are telling that system to white list certain outputs, so that when you hold that token, you can only withdraw from the deposit to the certain addresses.
Brandon: So the white list for your guys's wallet helps allow crypto to be withdrawn only to certain addresses to help prevent it being stolen. Correct?
Konrad: Yeah, exactly. If you will not do this that way, then the biggest problem is even if you have these two systems. Let's say less secure. It will be the main system where most of the business logic is there and most developers are working on that. And then super secure one where you have only the CTO or the technical leader. So then the problem is that even if the interface between the system is with the token, the developer in the main system could steal those tokens. And then in one second issue all the withdrawal. It's quite dangerous. Yeah. So we add this white listing addresses, so even if you steal those tokens, the biggest harm you could do, is that you could withdraw those addresses to all the internal addresses or our customer's address.
Brandon: Right. Is this going to be like, like an app that you guys are going to launch or is it just going to be a service through Ulam Labs?
Konrad: We are not building our own system yet. This is how will we tackle this kind of problem for our clients.
Brandon: Have you guys thought about developing your own product?
Konrad: I would like to do this. But the problem is that I would need to have a cofounder to drive the business, et cetera and I could take the technical part. One day I will try to do that.
Going back to the security. Like I said, this is basically how you tackle these programs in crypto. This is quite unique because in normal payments, when you have the credit cards, you don't have this problem at all.
When we have the project not involved in crypto, we use third party providers so that we don't have credit card information, they don't even go through our platform at all. The user provides a credit card on the frontend of the application. Then we use a third party JavaScript library that just takes that credit card and then stores it in their own platform. Not even going through our platform. They do something that is called a cross-site request. And they store it on their servers and give us only a token so we can charge that card on our behalf. Stripe or PayPal also have something like that and it solves all the problems. In 10 minutes you can see the payments in the system. And for the crypto it's not like that. Probably one day there will be something like Stripe for crypto. The biggest is that there are so many blockchains you really have to integrate all of them at once.
Brandon: The closest services I've seen to Stripe would be like BitPay or Coinbase commerce in the US but other than that, there is like a really good service for the industry to encourage people to accept crypto as a business.
Konrad: Exactly.
Brandon: And in terms of security, it seems like this would be something very useful within an organization or big company that has a lot of assets maybe in crypto, maybe a crypto hedge fund, who knows? It seems like it'd be a really good way for someone that handles a lot of volume in crypto to secure where they're sending their money, protect their private keys, white list certain addresses. Is that a side of the industry that you guys are helping create this for as well? Or is it kind of just in general for everybody?
Konrad: I think that in let's say 5 to 10 years, crypto will go into the state as a self custody. Most of the exchanges and most of the applications will not hold private keys at all. Even if you are following on Twitter most popular crypto guys, like Erik from ShapeShift, a smaller exchange but quite prominent one. They already said that their exchanges are self custody even if they are cross-chain. But still, if you would like to send crypto, you need to send it to them. So let's say that I would like to buy 10 Bitcoins for Ethereum, yeah. So you still need to send the Ethereum to them. They are not quite there yet. But like I said in the future when we have a solution, we'll be able to connect all the blockchains together. So after having something like that 100% decentralized, you can exchange one coin for another from two different chains. The problem will ultimately be solved when everybody stores their own keys.
The other problem is that there are some people that don't want to hold the keys. They will have parties that they trust. So the problem will exist for those kinds of people. The next five years I think will be really, really interesting. And maybe because we have the Bitcoins and Ethereum, I hope that there will be a superior one.
Brandon: You covered quite a lot with security. It sounds awesome what you guys are doing. Sounds like you guys are creating some great solutions for people. Security has still been a huge issue in crypto, whether it's been a software computer factor or whether it's been a human error factor. I mean, there's always been some issues with crypto and with people losing their money or sending it to the wrong place or hitting the wrong button. So it's definitely an area that needs to be tackled and really hard.
Konrad: Yeah, exactly. When you are doing that transaction, you cannot reverse it. And this is the difference between normal banking and crypto. Sending assets to the wrong address is not a security problem. The problem is to prevent the leak of private keys. Even one of the employees could steal private keys and then sit quietly for a month or even a year. Even could leave the company and then withdraw the balance. This is like an interesting case. So things like the rotating private keys, while doing our platforms we have to do all those stuff. So even if you come this far, you have to rotate them, et cetera, et cetera. However, there are some security standards that you have to comply with. Like the DLTL, the ledger technology license. If you would like to get this kind of license from for example Gibraltar financial commission, you need to comply with some security standards. You need to do an audit of your infrastructure. And we did it for one of our clients.
Brandon: Now it makes, makes a lot of sense. That's all. That's really important to, um, before we wrap up and get to the end of the podcast, I want to get your thoughts on the current state of the industry right now. It's definitely a very interesting time in 2020 with a lot of weird things happening, a lot of black swan events coming to fruition. Bitcoin is just sitting right under 10,000 in the market, just kind of creeping up very slowly. A lot of projects are getting a lot of development done. Just from your perspective, I'm just very curious, what your thoughts on the industry do you think it's starting to grow a little bit more rapidly this year. Do you think it's awesome? Challenges? What are your, what are your thoughts.
Konrad: I am not a trader and trying not to gamble with the crypto that much yet. I am basically like a plain holder. Let's say I am buying Bitcoin and other crypto and just holding it.
For me already this topic is interesting. First of all because Bitcoin is still a store of value. So nothing changes here, but the Lightning Network, it's quite a promising thing. We will see from the Ethereum perspective. They find DeFi projects which are really awesome. I think that they will do lots of good work there.
There'll also be lots of bugs in the smart contracts, I think. It’s because of Solidity, which is the language of the Ethereum virtual machine. In my opinion, it allows too much freedom. And this involves lots of bugs here, which we will be able to see in the coming years. And even more interesting for me is the new proof-of-stake blockchain, so called Ethereum killers but I would not call them like that.
I’m checking a couple of them and they are super interesting. I'm a little bit afraid of the business side of them. So I think that the technological background is super strong. I am talking about the four really important ones: Tezos, Algorand, Cardano and Cosmos.
They are trying to focus on different business areas. Technically they are super, super strong from the business perspective and marketing perspective, which is probably even more important than the technical aspect. I am still crossing my fingers and I would like to do more with them.
We are currently looking for the customers who would like to utilize those blockchains. If a customer comes to me and says that he would like to build a platform, MVP in two months for Tezos or Algorand I would kill myself to do that. I would say let's do this for free just for a portfolio item. My guys, yeah they would not sleep because this is so exciting.
Brandon: I think it's really interesting. I think we're about to see for the first time, Ethereum has some serious competition. It's been having some bottleneck issues for years now.
And we're getting to the point where it's gonna have some real competition, whether it's Cardano or Tezos or EOS or another platform. They're coming up very, very quickly, especially with Ethereum having trouble getting to Ethereum 2.0, with staking in a thing that they've promised. Ethereum does have a monopoly on the market right now in terms of building applications like dApps and services and getting institutions involved and more investors.
They're going to lose that market share in a lot of ways, but I don't think they're like out of it either. So from my opinion, I see there being quite a competitive race to the top here. Outside of Bitcoin, like outside of just being like crypto or cryptocurrency, but like the blockchain itself, being able to build on top of it.
I see that there being quite a race, whether it's Cardano, EOS, Tezos whatever it is out there. There's a lot of really good projects, Hashgraph, if you really want to branch out of blockchain, really solving some issues. And a lot of that stuff will go live in 2020 so I find it very, very interesting what's happening this year. And we might see a lot of market auctions. We might also see a lot of cool development and maybe some cool use cases. It's a very interesting year. Konrad, thank you for coming on the podcast and taking the time to talk about crypto security and sharing your thoughts, especially making it work with the time difference and everything.