zCloak Space Script: Focusing on New Solutions in the Web3 World as Security and Trust Issues Occur Regularly
On April 27th, 2023, at 8:00 PM Beijing time, zCloak Network organized an online panel with the theme “New Industry Solutions for Web3 Security and Trust Issue”. The panel was attended by Zhang Xiao, founder of zCloak, Tom, leader of the DATT(Digital Asset Think Tank of the Hong Kong Polytechnic University), Turing, co-founder of LegalDAO, and Adam, co-founder of SharkTeam.
【Introduction of the Speakers and Projects】
Professor Zhang: Hello everyone, I’m glad to be here today to discuss Web3 security issues with you all. In short, zCloak Network is a privacy-first DID and verifiable computation infrastructure based on zero-knowledge proofs(ZKP). We hope to truly return data sovereignty to users in the Web3 world. zCloak has developed and implemented a series of fundamental infrastructures, such as the zkID Credential platform, the zkID Wallet, and an SDK based on user VC that facilitates developers to build and innovate. Tonight, I‘d love to discuss in-depth how our new product, the Valid ID platform helps users avoid and prevent Web3 scams.
Tom: Thanks for the invitation from zCloak Network. I’m the head of the Digital Asset Think Tank (DATT) under the FinTech Center of the School of Business and Management at the Hong Kong Polytechnic University. I used to be in the finance industry, having worked in investment banks in New York and Hong Kong. Currently, I manage a hedge fund and focus my PhD research on blockchain. DATT aims to explore and study the current status of the digital asset and IT industry in Asia, discussing how to use blockchain technology to solve practical problems in economic and social development with experts and scholars in the industry. We also regularly share our research findings with policymakers, such as the Hong Kong Monetary Authority, the Hong Kong Investment Funds Association, Invest Hong Kong, and Cyberport. Finally, we hope that through DATT, we can provide more opportunities for the industry to communicate.
Turing: Hello everyone, I am Turing, the co-founder of Legal DAO. Legal DAO is currently working on a Web3 compliance product based on global legal resources. We hope to be deeply involved in the construction of Web3 and provide global legal services to everyone. Besides, to better provide legal support for users, we have been constantly integrating emerging technologies in Web3, including underlying technologies and AI tech. In addition, we have made many friends in the industry to work together with, such as zCloak, and I really look forward to the discussion today!
Adam: Good evening, everyone. I’m Adam, the co-founder of SharkTeam. SharkTeam mainly focuses on Web3 security-related products, including smart contract auditing and on-chain security analysis, such as on-chain risk security alerts, the monitoring of on-chain transactions and addresses, and Web3 security research reports. At the same time, SharkTeam continuously provides security services for Web3 projects. I’m delighted to be part of today’s discussion!
【General Question Discussion】
Cassiel: Let’s move on to the first question: What impact will Web3 security issues have on various fields? As I mentioned earlier, there have been numerous incidents of stolen Twitter and Telegram accounts, which may pose a direct threat to the digital asset security of Web3 users. Tom, as the leader of the DATT, which has been exploring and researching digital assets and the current state of the IT industry, could you please share some ideas based on your experience?
Tom: Sure, I have worked on many Web2 projects during my time in investment banking. In the Web2 world, the main security problems happen in the application and data layers. While for Web3, constant interactions and innovations in different areas may indeed create security issues, especially Dapps in Web3 involve various patterns, such as cross-chain Dapp, identity infrastructure, and digital wallets. Based on our research, the resolution of security issues in Web1.0 and Web2.0 was limited by the rudimentary tools. For Web3, the major problem is that it seems impossible to take preventive measures at the beginning of the transactions, as transactions are difficult to change once executed. According to our experience, a typical security approach involves establishing mechanisms to verify whether transactions meet security conditions. Therefore, I would like to consult with the experts here on how to prevent these systemic problems from organized attacks at a technical level, including issues related to cryptographic native issues, smart contract loopholes, etc. Specifically, I am interested in the following directions: 1) data loopholes, 2) the design of security decision-making, 3) attestation and signatures, and 4) how to make key management and usage more user-friendly among the existing DID and wallets. I believe that there is much we can do on Web3 after learning from the experiences of Web1 and Web2, which is what DATT has been pondering and exploring.
Cassiel: Then Adam, would you mind sharing your ideas from a security service standpoint?
Adam: To be honest, although the development of Web3 is rapid, it is still in a very early stage, which is mainly reflected in three aspects. First, the business models are still in their infancy. DeFi, a term that is familiar to most people, is considered old in the context of Web3, but it has only been around for just over two years. Some newer business models, such as NFTs, GameFi, and recently emerging derivatives are also facing the same problem. These quick-developed business models brought about various business-related risks and security issues. So it’s impossible to rely on a single technology to solve all security problems. Therefore, security prevention for Web3 should be approached as a systems engineering process. Due to Web3’s rapid-developed and strongly innovative business models, attack points are more widespread and open, such as private keys, cross-chain infrastructure, wallets, and identity security, all of which can be targeted by attackers. For project teams, the first consideration should be to introduce the concept of business security modeling early in the business design process, just like on Web2, to plan and separate the risks from the business level.
Second, from the perspective of technique, project teams should have standardized development practices and technical processes. For example, before launching, there should be an awareness of code freeze; otherwise, many security loopholes may be inadvertently introduced by developers during later modifications, creating unpreventable security issues. At present, many project teams and developers may think that smart contract audits and DID privacy security are the entirety of security issues, but for a project, these are only part of the picture.
Lastly, the operational and emergency response is crucial. Many projects are attacked late at night, and we discover the attacks but are unable to contact the project teams, we can only watch as the project is attacked and user assets are stolen by hackers. For the project team, the emergency response and security operations are lagging, including the slow response to security incidents and the delay in contacting partners to block attacks. This is also due to the lack of a well-established operational and emergency response system. In summary, Web3 is developing rapidly, but whether from the perspectives of business models, technology, or operations and emergency response, a comprehensive security system has not yet been established. This is something we need to work on together in the future.
Cassiel: Thanks for your sharing, Adam. Adam has shared his views from the perspectives of technology, business, operations and emergency response. Now, we can have a brief discussion, and Professor Zhang and Turing can also respond to some of the questions raised by Tom.
Turing: I’d like to make a brief supplement. We’ve actually discussed many systemic security issues, so I’d like to offer some thoughts from a legal perspective. You might wonder why the advancement of legal matters related to Web3 has been so slow. It could be because traditional financial and legal professionals have had relatively little exposure to emerging technologies like blockchain. As a result, there is no benchmark basis for addressing the various security issues in Web3 or for subsequent liability investigations, making it difficult to reach a consensus that everyone can uphold and maintain. Personally speaking, the absence of an identity system is a core reason for the slow development of the legal industry in Web3. In Web3, a person might become untraceable if they change their address, while in Web2, a person can still be found as long as they have an ID. So, the main difference is that the identity system in Web3 is absent compared to Web2. As a result, it is impossible to establish a complete reward and punishment system and business system in the Web3 world, as well as the accumulation of credit and reputation. Therefore, for the legal industry on Web3, I think partnering with organizations like zCloak to gradually establish a privacy-protected identity authentication system is an excellent entry point. I’d also like to hear Professor Zhang’s thoughts on this.
Professor Zhang: Thank you, Turing and other guests for sharing. I have gained a lot of inspiration personally. First, I would like to answer the questions Tom mentioned earlier. Indeed, blockchain infrastructure currently carries a high value, whether in terms of stable coins or other financial assets, or the tokenization of real-world assets. However, there are serious problems in asset security and investor protection overall. In the blockchain industry, we are all familiar with the phrase, “Not your key, not your coin.” This means that If you don’t control the private key, there’s a high probability that the money won’t be entirely yours. Especially for on-chain transactions and infrastructure based on smart contracts. Once a transaction or a block is generated, it is extremely difficult to reverse it unless a hard fork is performed, which comes at a high cost. This requires us to be cautious when using our accounts for transactions in such an environment.
Tom previously mentioned the issue of wallets. I believe wallets are an essential infrastructure in the industry, mainly for managing our private keys nowadays, and the security of private keys determines the security of our assets. However, the usability of current crypto wallets is not ideal. For ordinary people without enough computer knowledge, professional terms like public keys, private keys, mnemonic phrases, and derivation paths can be quite confusing. This inadvertently raises the barrier to entry for using crypto wallets. Nevertheless, crypto wallets should be accessible to the general public. So, many new-generation wallets aim to simplify the user experience. Such improvements in usability are commendable, but we find that security and usability are somewhat contradictory to a certain extent. Usually, if one thing is simpler and more convenient to use, the more compromised its security will be. For example, from the perspective of controlling private keys, the security of having full control of private keys in the user’s hands and partially in the user’s hands will undoubtedly differ. Therefore, while we have seen progress in the wallet industry, related security still needs to stand the test of time.
Another issue Tom mentioned is the security of on-chain assets. In addition to native crypto assets, many real-world assets are gradually being tokenized. No matter the asset type, whether it’s a token represented as a smart contract on-chain, an NFT, or even 100 tons of oil in the real world, the ownership, auditing, security, insurance, and legal endorsement of these assets after being tokenized are all crucial. So the authentication and verification of the authenticity of on-chain assets are necessary.
Adam also mentioned that security is an overall issue; solving the smart contract security problem doesn’t mean that the entire security issue is resolved, especially since the smart contract security problem may not have been fully addressed. For example, after auditing a smart contract, if it is updated later, is the running smart contract still the one we think it is? Most people cannot tell. Especially in terms of auditing, the audited code might be code A, but the project party actually deploys code B on the chain, and ordinary people cannot distinguish between them. In this regard, we promote a relatively new concept, which is the identity of on-chain assets or contracts. For example, after a smart contract is audited by SharkTeam and deployed on-chain, can this audited contract display its corresponding audit information during its operation? Or can we somehow trace whether an on-chain smart contract has been audited? By establishing some kind of link on the chain, users can know that the contract currently running has been audited by a certain auditing company. Similarly, for an on-chain asset, can its audit results be displayed and interacted with in this way? See, the discussion of on-chain security issues ultimately returns to identity. Every smart contract and asset can have an identity, but who provides effective notarization and endorsement for its identity? Where should it be displayed, in what form, and how can users verify it? These are all interesting questions that need to be addressed as industry and technology develop.
Tom: I’d like to follow up on questions based on what you all just mentioned. First, regarding the smart contract identity verification that Professor Zhang mentioned, there are many different auditing companies in the web3 space. What are the technical differences between them? Do typical projects need to be audited by 1–2 or even more companies? Is it possible to have an internationally recognized auditing standard? Secondly, considering what Turing and Adam mentioned earlier, is the law always lagging behind technology? If so, how can we ensure that our technology complies with regulations? Currently, we are constantly communicating with Hong Kong’s regulatory authorities regarding stable coins, exchanges, and real assets, but we find that the current legal regulatory strength is insufficient. The newly introduced stable coin and other currency regulatory systems in Europe took the most advanced lead, but after studying its regulations carefully, it’s easy to find that it is unable to meet the essential innovation of the web3 world. So how can we keep a balance between web3 innovation, legal regulation, and security technology?
Adam: Regarding Tom’s first question about auditing and auditing standards, it’s actually quite difficult to establish a clear standard. Even in web2, there are various audit service providers working on one project, it’s common because there is no 100% security. We can only keep adding effort to solving security problems, but there is no way to establish a quantifiable standard that guarantees safety. Secondly, as Professor Zhang mentioned, “stamping” contracts is a common issue we encounter in providing security services. Currently, we bind the specific audited contract to the audit report with a one-to-one hash, including binding it to the GitHub commit. However, there is a problem that the auditor and the project are actually on the same side. The consensus is that we take for granted that the project side should deploy the contract we audited and revised, but there is indeed a possibility that the developer made unintended modifications afterwards, even with some top-tier protocols. Some project parties do this intentionally, getting a contract audited but not deploying it, while ordinary investors cannot tell whether the content of the report is the same as the actual deployed contract. So for the “stamping” solution, it is technically possible, but there may be difficulties in implementation. I assume that we can use emerging business models, such as insurance, to help solve this problem. Of course, this would also involve some legal aspects, but I think it’s a possible solution.
Turing: Insurance is indeed a more explicit hedging tool. From a legal perspective, it is somewhat similar to audit integration in web2. In web2 audit integration, if a company’s expenditure exceeds a certain value, the company must accept a higher level of inquiry and review of its transactions. This can be compared to the entire web3. Currently, auditing companies in the web3 world have their methods and principles for reviewing projects, and there isn’t a unified standard yet. However, related industry alliances are constantly emerging, so I believe that a unified industry consensus will emerge over time. Legal DAO’s lawyer resources cover many countries globally, and I believe promoting the formation of such industry consensus will require multiple parties to call for action.
Adam: Yes, a wallet data platform combined with a business model for hedging risks through insurance might be more effective. We are also looking forward to the emergence of such solutions. Verifying whether the audited contract and the actual deployed contract are the same can be done through a relevant certification system, which would be especially meaningful for addressing rug pull issues.
Tom: Regarding insurance, I want to add that based on my investing experience, the biggest problem with this type of insurance is that although the premiums are not high, which is around 1%, the coverage period is very short, generally within three months, and the amount of coverage is also limited. The protection for DeFi is still in its early stages, including liquidity and efficiency, which are not very high.
Adam:The difficulties in implementing decentralized insurance are related to evidence collection and identification. Is this related to law?
Turing: Let me give you an example. For instance, in defining the ownership of goods in logistics, firstly, a low-power chip can be attached to the courier package, and the chip would register at every base station it passes. However, when the goods arrive and there are problems after opening the package, it is impossible to make sure whether the damage occurred during transportation or after receipt, so it’s hard to solve the problem from a law perspective. And it’s quite challenging to define such specific issues.
Professor Zhang: Adam mentioned a point that I think could even be considered a product direction. For contract audits, we all know that each contract has an address. If a project upgrades a contract, will the contract’s address remain the same?
Adam: The address will also change, but the process of contract upgrades is prone to security issues. Just before the Hong Kong Web3 Festival, a project lost 800 ETH due to a new contract upgrade, as it is easy for problems to arise, but people tend to overlook them.
Professor Zhang: So for audits, the project submits a specific version. After the audit of this version of the contract is completed, it is difficult for investors to determine whether it is the actual smart contract deployed on the blockchain, or if the initial deployment was indeed that contract, but was subsequently replaced.
Adam: Yes, especially for teams who embezzle, many will use contract upgrades to replace core contracts, and users cannot detect these issues. However, the outer layer of the contract will have a proxy contract, which will change after the contract upgrade, so it can actually be discovered. But there is no related infrastructure right now, as this demand needs to be further clarified. Tom, do you have any other questions you’d like to discuss?
Tom: Sure, there are mainly two questions. First, insurance, how to implement this business model, including the intermediate claims and compensation. Who will execute supervision? All these need to find a perfect business model. Second, the standardization of contracts and addresses. We have previously docked with the China Quality Inspection Center, which issues certificates in line with international standards. To be honest, they are the most professional industry standard maker, and they issue standards in various industries, blockchain industry is also included. Can we use the power of the state, not only in China but also in other countries, to develop and improve industry standards together? Finally, I think there is an impossible triangle in web3 too, which is decentralization, anonymity and privacy, regulation and accountability. Currently, there is no method that allows these three to coexist reasonably.
Cassiel: Given the frequency of security incidents, the implementation of some security solutions may not have been as effective as expected or may have certain limitations. I would like to ask the guests about your thoughts on possible future solutions for the security of the crypto industry. Professor Zhang just mentioned that zCloak officially launched the Valid ID platform earlier this month, which seems to be a new approach to addressing the web3 trust crisis. At the same time, zCloak has been committed to providing users with privacy computing services based on zero-knowledge-proof technology. “Privacy” and “security” are actually inseparable. So would it be possible for Professor Zhang, to share with us what solutions zCloak has in progress or has already built for web3 privacy data security?
Professor Zhang: Indeed, this topic is deeply related to our new product. Among the various security issues we discussed earlier, I think one of the core reasons is trust and the transfer of trust problem. The issue of trust can be traced back to the lack of an on-chain identity system infrastructure. The problem that Valid ID can solve is simple: “Who is who.” Currently, there are only wallet addresses on the chain, which only show what signatures were made, how many transfers were made, and what transactions were performed. Besides, the anonymity or semi-anonymity of blockchain addresses can protect individuals’ privacy. However, for institutions, their demands on the chain are actually opposite individuals. Institutions (audit firms, law firms, government and agencies) need to let everyone know who is behind a specific address, so an on-chain identity system becomes crucial. In the traditional world, if you want to know who is behind a website, you can query through CA certificates. However, this doesn’t work in the blockchain world.
And Valid ID is a small exploration in the on-chain identity system direction. We hope to apply the Web2 approach to solve identity issues in Web3, using web3 native technology. The method is simple: we perform technical verification and certification of the web2 identities of companies, institutions, and entities. After completing the verification and certification, we bind their web2 identity to their web3 on-chain address, forming a certificate that we call the institutional identity in the form of verifiable credentials. At the same time, we store these certificates in tamper-proof chains or Arweave databases, thus forming an immutable binding relationship between on-chain addresses and off-chain real identities. When someone sees a certain address, they can clearly know which institution is behind it.
There is another important issue: who should decide the identity behind an address? If we continue to adopt the CA certification method, it would be contrary to the decentralized philosophy of Web3 and blockchain. Thus, in the initial construction period of Valid ID, we wanted to establish it as a decentralized platform, so we introduced a multi-party attestation mechanism. The attestation of the identity behind an address is not determined by a single institution but jointly recognized by multiple institutions, we call it Social Attestation. It’s simple to understand this. The more people who repeat a fact, the more likely this fact is to be true. Therefore, we use the social attestation method on the Valid ID platform.
Currently, we have introduced several functions on the Valid ID platform. One is to perform various digital signatures based on the authenticated address. We found that many Web3 practitioners have been working in the industry for a long time, but they are still using Web2 social tools, such as Twitter, Instagram, etc., to express opinions or promote projects. This poses a significant security risk. What if an organization’s official account is hacked and faking information is posted causing users to lose money? A decentralized society will definitely not want to see that the identity of Web3 projects relies on Web2 platforms to ensure. Therefore, the Valid ID solution combines Web2 identity with Web3 addresses, meaning that control of an institution’s identity is actually the private key held by the institution itself. Hackers can steal the institution’s account but cannot obtain the institution’s identity private key. Therefore, control of identity remains in the hands of the institution itself. The Valid Sign feature allows everyone to include their digital signature when posting any information on any platform. This is important in many application scenarios. For example, when users post a loan request, adding your signature allows the recipient to verify through our platform whether the message was genuinely posted by the person to prevent a series of phishing scams.
Another great inspiration to me is the contract audit we just discussed. I was just wondering that is it possible to express the audit information of the contract on the chain and bind the contract file to the institutional identity. When users see a contract, they can check it on the Valid ID platform whether the contract belongs to an institution verified on the Valid ID platform. Therefore, we believe that Valid ID is a very beneficial supplement to zCloak in the exploration of individual privacy identity. zCloak has always been working on zero-knowledge proofs for user-side privacy data, but it can only guarantee the correctness of the calculation process, and the authenticity of the calculation data needs to be ensured by DID and verifiable digital credentials, while the reliability of verifiable digital credentials depends on the reputation endorsement of the issuing institution. Valid ID is a solution to institutional identity credibility. So zCloak actually conveys the authenticity of the attestation through institutional identity authentication and then adds zero-knowledge proof methods to allow users to demonstrate their identity with certain trustworthy attributes and characteristics in a ZKP manner, achieving such a serial effect.
Cassiel: Thanks for sharing, Professor Zhang. Tom and Adam, what are your thoughts on future security solutions?
Adam: Indeed, Web3 is currently lacking a secure identity infrastructure. Many security issues may have some solutions in the process, and we can do something about security and identity later on. I’m looking forward to that. Another point I want to discuss is that despite the emergence of many security solutions, security issues continue to arise for two reasons. The first is that the entire Web3 security infrastructure is incomplete, it turns out to be that the trust costs are high, and trust efficiency is rather low. In this situation, many people inadvertently create loopholes for hackers to attack. The second reason is that the implementation of many security measures is not that solid. As the Web3 industry is a relatively FOMO field, people have many innovative ideas, but they face many problems during the implementation process. Whether it’s market changes or other factors, they all affect people’s enthusiasm and efficiency, which leads to some products and projects failing to implement services effectively, such as the aforementioned DeFi insurance. It is a good business model, but it has not developed as well as we expected, fundamentally because it has not been implemented seriously. In the end, there are many systematic projects, such as auditing, on-chain security analysis, risk warning, attack monitoring, and anti-money laundering, waiting for us to build and develop in the web3 security field. These projects also face the same problems of implementation and the inability to be widely used by users to create value. This is a principle that we, as web3 security service providers, constantly push ourselves to remember, and we hope that the web3 industry can also form such a consensus.
Tom: Adam just mentioned a point — is it possible to create a to C-end security audit tool? It seems that most security audits are currently to B-end, where project parties queue up for audits and then go on-chain. Can we develop a plugin for the C-end users that provides real-time alerts when they log into various Dapps? Ordinary users cannot catch many contract code issues after updates, so this plugin can provide risk warnings and suspicious point alerts during user interactions with different contracts, assisting them in stopping actions like transactions that may cause losses until the project team identifies and fixes the loophole. I think DeFi users who frequently use wallets have a certain demand for and willingness to pay for such products. I wonder if such a product has appeared in the industry before.
Adam: C-end security warning tools do exist. Currently, they are mainly integrated into C-end traffic entrances, such as DeFi or wallets, through APIs like Crypto API/Security API. If a user interacts with a high-risk address, the wallet development and operation team may not know about it, but after integrating our API, it is reflected as a C-end function like the security warning. This is what many projects are doing now. Of course, it would be great to have a secure entrance that covers all the security functions, but currently, the market is mostly targeting C-end users through API methods, and it needs time to develop.
【FAQ】
Tom: I think there might still be a need for an aggregated solution in the future, as a major problem in Web3 now is that there are too many scattered products and services, as well as security products. I wonder if a comprehensive solution can emerge in the future that includes auditing, identity verification, monitoring, accountability and, compensation after problems arise. Are there any project parties that have created an integrated product, be it for the B-end or C-end? If not, what is the reason for not doing so?
Professor Zhang: I think the difficulty of such a one-stop solution is quite high. This has high requirements for a project’s professional ability, technical strength, knowledge of laws and regulations, financial knowledge, supervision and policies. It may only be possible for large-scale institutions, or even those with government backing, to undertake all of these aspects. For ordinary companies and organizations, it would already be quite an accomplishment to excel in just one of these areas.
Adam: Yes, the development of many products needs to be phased. Some products and services, even developed now, might not necessarily be accepted or understood by users, as there needs to be a balance between efficiency and security. Sometimes, too much security may inevitably affect efficiency, so it’s still a matter of progress.
