18 Oct 2022 · 47 min read

Mitchell Amador on Crypto Bug Bounties, Web3 Security and Immunefi | Ep. 170

In an exclusive interview with cryptonews.com, Mitchell Amador, Founder of Immunefi, talks about the founding story of Immunefi, building new web3 security systems, and tells stories about finding bugs that have protected $60bn+ in user funds.

About Mitchell Amador

Mitchell Amador is the Founder of Immunefi, the leading bug bounty and security services platform for web3 that protects crypto projects and regular users. In a span of less than two years, Immunefi has saved more than $25 billion dollars from being hacked and actively guards over $60 billion in users’ funds.

Before Immunefi, Mitchell was best known for making Sophia the Robot a worldwide sensation as the CMO of SingularityNET and as the VP of Marketing at Steemit, where he drove its adoption and growth, resulting in a peak $2 billion valuation. In addition, he was a member of the rLoop Hyperloop team, drove growth for the world’s dominant web .pdf company, and helped launch the largest user-owned open world, Decentraland.

Mitchell Amador gave a wide-ranging exclusive interview which you can see below, and we are happy for you to use it for publication provided there is a credit to www.cryptonews.com. 

Highlights Of The Interview

  • Stories about finding bugs that have protected $60bn in user funds
  • The founding story of Immunefi - finding problems in the security stack
  • Blockchain and crypto hacks - will they ever slow down? 
  • Anonymous workflow; wiped devices, custom operating systems, CUBEs, VPNs, limited access to socials, etc. 
  • Building new systems - it's going to be weird, but it will work 


Full Transcript Of The Interview

Matt Zahab 
Ladies and gentlemen, welcome back to Cryptonews Podcast. We're buzzing as always, and we got another incredible guest locked and loaded for today. We have Mitchell Amador, the founder of Immunefi, the leading bug bounty and security services platform for web3, to protect crypto projects and regular users. In a span of less than two years, Immunefi has saved more than $25 billion from being hacked, holy crap, and actively guards over 60 billion in users' funds. The company's paid out the most significant bug bounties in the software industry, amounting to over 60 million, including 10 million for a vulnerability discovered in Wormhole, which is pretty bananas. And we'll get to that later. Before Immunefi, Mitchell was best known for making Sophia the Robot a worldwide sensation as CMO of SingularityNET, and as the VP of Marketing at Steemit where he drove its adoption and growth. He was also a member of the rLoop Hyperloop team, drove growth for the world's dominant web .pdf platform and helped launch the largest user-owned open-world Decentraland. Without further ado, I'm very pleased to welcome Mitchell Amador to the Cryptonews podcast. Mitchell, welcome to the show, my friend.

Mitchell Amador 
Thank you. It's an intimidating list of athletes don't hold me accountable to it.

Matt Zahab 
Hey, when there's a good bio, it must be read properly. Kudos on the impressive background and for the listeners at home who cannot see you. That is one of the coolest company shirts I've seen so far. How can I snag one of those bad boys?

Mitchell Amador 
Oh, you have to find a critical vulnerability and save a lot of people's funds. If you do. I will deliver it myself. 

Matt Zahab 
Is that how you get Immunefi shirt? Interesting. No, no e-commerce store yet?

Mitchell Amador
No, no heavens no. So it's a matter of aesthetic quality. You know, you can't just make merch available it has to be earned through blood and suffering. 

Matt Zahab
Gotcha. 

Mitchell Amador
We have made a whole bunch of interesting swag, but only the best white hats in the world can claim it. 

Matt Zahab 
So I feel like this could be like a Yeezy 2.0 sort of when it came out and Yeezys were going for like 10 grand a pop on eBay. And Craigslist and Facebook marketplace because its supply was so low is that what's going to happen to Immunefi shirts like only white hat. That's it? 

Mitchell Amador 
Quite possibly. I don't even know if we'll make enough for a market to form, God willing to loan. Really exclusive Hermes style.

Matt Zahab 
Yes, Hermes what a brand. Nothing better than a Hermes tie. By the way. Do you have any Hermes ties?

Mitchell Amador 
No. I didn't even know they made ties. I didn't know they made male stuff. 

Matt Zahab 
To me the goat of ties. Incredible.

Mitchell Amador 
Okay, well, I'll have to on my partner now, she will judge me. 

Matt Zahab 
Unless it's unless there's only knockouts. But anyways, enough about fashion. Let's get into the fun stuff here. Immunefi, you are the founder of Immunefi and you and the team have paid out an absolutely absurd amount of money over 60. Mil and money. Did you ever think that you'd be paying out such a large sum of money to people literally saving billions of dollars? 

Mitchell Amador 
Yes, I was absolutely certain of it. It was the reason we launched the company.

Matt Zahab 
Actually?

Mitchell Amador 
Yeah. I mean, when we when we started. So for some context, right, you know, you can tell from my background, I've been in this space for a long time. And those are very generous roles, you have to deal with whatever problems are coming your way. And like the security stack in crypto today is 100 times better than it was many years ago. And so we would have incidents like this all the time. And this is what built up the understanding for founding Immunefi in the first place. We knew that security was a losing game. Presently, in this space, we knew how much money was at risk, because you know, we had been those exchanges who got hacked, we had been on the inside of incidents, dealing with them protecting a project's Treasury or protecting their infrastructure that manage their keys. Right. We knew how vulnerable things were. And we knew how valuable it was to protect them. Because we had been in those situations where you have to do basically anything. You have to play ball with whoever comes your way. You have to find a way to protect your assets and your infrastructure. Because to not do so is certain death for everything that you've created. So far the total destruction of the equity that you've labored on for years, and years, and years. So it's like you know, you say, Oh, well, did you think you would be paying out like a $10 million bounty? Well, yeah, of course, on a long enough timeframe. Two years was pretty fast. Not gonna lie, but like on a 5-10 year timeframe for sure. Right, because we had like just looking at the stablecoin examples, right, or the exchange examples, there have already been many, many incidents, that would have been preferable to have been avoided, where paying 10 mil out of pocket to eliminate that risk factor would have been vastly preferable. And knowing that it was a certainty, everybody would take that deal. So it was only a matter of time. Until we got to these kinds of numbers. The only question was when, right?
Can we bring this new standard to this space? How long will it take for people to realize that you really, really, really have to prioritize security over everything else? And we were fortunate that it happens sooner rather than later. 

Matt Zahab 
How do you pay these bounties out? Like how do the nice white hat dudes and do that? who find the bugs? How did they get paid out? 

Mitchell Amador 
The important question, so not only preparing to get your Immunefi shirt, but you're also being like, how do I get my ticket? Well, it's all, you know, pretty, pretty intuitive. So we've got two ways of basically dealing with this. Number one is, white hat submits the vulnerability, right, the bug report goes through our very, let's call it in depth process for packaging and structuring that report. That whole transaction is settled, which can be a long process, in and of itself, right, it can stretch over. We've seen things dealt with in 15 minutes, we've dealt with things that take 45 days, right? Very complicated cases, slow cases. Okay. And that can be as simple as okay, we all agree on the impact and the severity cool, or, Hey, look, we agree it's a real bug, but we disagree on the impact. Okay, now we have to discuss it. So we get through all that. Right, we validated this is a real bug, hopefully, for you. Yeah, it's a million dollar critical vulnerability. And what do we do now? Well, it's very simple. We say, hey, look, here's the address, we've checked it three times, we've noticed, you know, people make mistakes with their address this, we've cut a punch a little features in, that will triple check on behalf of the users and we say, Look, I'm sending their fee that simple. And it's almost always paid out in crypto, there are some exceptions where we'll send money to a bank account. But the vast majority of users prefer paying money in crypto, typically, that's stablecoins, USDC. Sometimes USDT, oftentimes DAI, you know, the white hats especially do prefer DAI. And sometimes that's in tokens. So for example, some of the European native tokens right there in the Aurora tokens, but it will vary. And there's not a clear connection between, say bounty size, and whether it's in tokens or stable. CO payment, for example, was all in students.

Matt Zahab 
Can you explain the difference between how a white hat would work with Immunefi and how a white hat would just sort of go their own way? Let's say Company X has $100 million bug and white hat person, why goes hey, I'm going to work my magic here. What's the like? What are the pros and cons with working with you guys, we're versus just doing it themselves? 

Mitchell Amador 
Sure. So this is part of the reason we formed the company in the first place, the experience of rolling your own bug bounty program, right and disclose it vastly more so on the side of the white hats of disclosing was so bad, and so horrendous and so painful, that we knew that there needed to be a solution, or we'd all be risking catastrophic destruction across the ecosystem. So if you're on your own, I'm helping deal a friend deal with the case right now a bunch of projects don't have a bug bounty program, they found an amazing vulnerability that puts serious assets at risks. What do you do? Well, you try and get in touch with the relevant personnel at whatever institution that you're dealing with. Now, if you've ever done sales before, for example, and you're trying to reach the right person, you know how hard that can be to navigate and be like, Oh, hey, who's responsible for your security, inside Company X, Y, Zed. So you're gonna be on this wild goose chase, right? Just for the beginning, you found that like alive payload, you've got an exploit, it can be run, the whatever the institution is, they're vulnerable. And yet, you know, you're going to spend days, weeks, months, just trying to get access to the right person. Yeah, then you get access to the right person. So you're lucky most of the time, you may, you may just not ever get access, and you just have to call it a day or you publicly disclose whatever. But let's say you get lucky you make a break and what happens next, or they have a bug bounty program of their own. Let's say they run it. And they hosted themselves. What happens next? Well, then you're now talking to who you hope is either it's either going to be an engineer, typically, or is going to be the head of security, or sometimes it's even going to be the CEO or a COO, if they don't have that kind of function. And in all cases, this person is going to be rattled. 
But they've just discovered that you've got a sword of Damocles, right, a sword hanging by a thread over their head and you've had it for days, weeks, months. And you're saying you want something for it? At least, that's how they interpret it. They're very nervous. They're adversarial. They're like this person could really mess me up. Do they want to take advantage of me, that's the only reason they would get in contact, right? That's not the case. Obviously, the white hat by act by disclosing in the first place is showing their good faith. But people in a state of fear don't respond that way. And so they worry and the stress over it, and now you're trying to explain, hey, here's the vulnerability, here's how you should fix it by you know, please, you know, also pay me for my good work. Ideally, you know, this stuff doesn't isn't free. And they're like, is it real? I don't think it's real. I think you're trying to scam me. And then they're like, oh, shoot, it's real. But I still think you're trying to scam me, just even if it is real. And you disclosed in good faith.

Matt Zahab 
So the whole process, it's an absolute shitshow. And, and again, I'm trying to put my feet in the in that in a corporation shoes. It's like if I had $100 million hack insight bug rather, inside my corporation in some in John comes out to me and goes, Hey, Matt, you got to pay me 10 mil to save 100 What do you say? Like that's, that's a pretty crazy situation. You know, like, those situations don't grow on trees. And I would also be like, John, you're full of shit. And then I'd probably get 100 Mil stolen from me.

Mitchell Amador 
That's what Equifax did. And they had like, you know, half of America social security data from them, right? So it's like we all empathize with our customers, like we really do. We been in that position, we know how hard it is. But at the same time, none of that is the right response. All of that is counterproductive. All of that creates a horrible experience for the white hat, who is otherwise saving your bacon, and showing that they're operating in good faith. It's destroying your future security potential, because word gets out, and then nobody wants to help you. Nobody wants to deal with you. Because after all, you just you screw, whoever approaches you in good faith and takes a risk. And it's a mess. And there's nevermind, like, imagine calculating a reward. You have no bug bounty program, you have no expectations. Like, how do you calculate that? Well, it's straight up negotiation, where you're indirectly it's a zero-sum game. Like, no matter how you cut that, odds are, the white hat is going to be very dissatisfied with you, because you'll want to preserve financial resources. And no matter what you do, like you will probably be very dissatisfied with what you pay, because you're always gonna be like, well, couldn't we have gotten a cheaper? There's no sense of what's fair value. It's just a recipe for bad experiences. And this is what all bug bounties were in crypto. For years. Before we came along, just constant bad experiences that made bug bounty programs so effective that the vast majority of the space didn't even bother using them. Like they weren't even worth the time.

Matt Zahab 
Was there a particular instance, which made you feel the need to co found the company? Like what like, were you a part of a hack yourself? Or a co-founder, whatever the case may be?

Mitchell Amador 
I mean, let's just say I've been, I've lost plenty of money in our industry. But that wasn't the thing that kind of spurred me on. That's like cost of doing business. We're in crypto early, you know, things are a mess.

Matt Zahab
Shit’s gonna hit the fan. Right?

Mitchell Amador
You can do everything, right, it still happens like tons of wallets, for example. I messed up how they create their seed phrases. And that led to vulnerabilities on the line that's happened like half a dozen times, and let you know, all the funds you put in there vulnerable some years later. Like, it's just comes with the territory. But the moment where I was like, Okay, we need a systemic solution was when I was on, I was in Switzerland on this on this mountain, I was super sick. I was very sick and moody and unhappy. And I didn't like Switzerland, so expensive. And it was cold, like bad combination of traits. For me, the food isn't to my liking. It's like everything is just making me irritable. But I had all this this money maker now. At and it was a lot for me. And it's gonna be a lot for a lot of people. But it was a lot for me. I was like, I don't really feel good about this. I don't really feel safe about this. What do I do about this? I've been in this space for so long. I know lots of security people, but for some reason, like, where are my security assurances here? Why should I believe that the money that I put here is safe. And I started checking. I was like, I shouldn't believe it, make it out, run some of the best security ops and in the space, for sure. But when I went to check, right, why should I be certain about it? You know, you go and ask the person you're like, look, all code is insecure. All code is going to have bugs. And we do the best possible work that we can. They're an amazing, amazing team. But there's just like that as a risk factor for them too. And you don't get the inside view. You don't get to see the audits. You don't get to see the security reviews. You don't get to see the QA that's going on to validate how good they're doing it from the outside. You're just like, I don't have a lot of good reasons to be confident of any particular smart contract that my money's in. 
And it was at that moment when I understood so that when I just did when I digested that insight fully, I realized that it's like, okay, this needs a systemic solution, we need a whole security stack. And if we don't develop that security stack, we are going to doom this space to an incredible number of thefts. Furthermore, that security stack, it has to like it needs to start the most important piece. And the thing I was totally missing was like, What are your trusted assurances? What are your security assurances? How do you protect yourself when you're on Main net when all the money's really there? And that's how we came to this conclusion of bug bounties for like, you know, we identified a whole list of what the problems in the security stack were, where all the things needed to be addressed, what kind of technology needed to exist, and we came to the conclusion of Okay, this one, bug bounties is the hardest. It's the hardest. It's the least fun. It's the worst experience. And it's the most important to actually saving people from getting robbed. So we're like, oh, well, you know, me and my friends, we all had the same nature go to the hardest problem. throw ourselves against the wall. So that's what we did. 

Matt Zahab 
A couple of things there. One, I love that story. Thank you for telling me that. I often find that people have these aha moments in life similar to you did while you know being on a mountain in Switzerland, freezing your balls off, like when you're out of your comfort zone, like great things happen, you know, and it's weird like that. It's almost paradoxical, where a lot of incredible ideas are created when you're in the best of moment sipping on a Mai Tai on a beach in Thailand or Bahamas. And on the flip side, while you're freezing your NADs off on a cold mountain in Switzerland, it's funny how the world works. Not sure if you have any commentary on that. But the second is you finding an unsexy problem. And it being very profitable. That's another sort of, you know, rule in life that is so apparent that no one likes to go after, like, if you were to ask me, and no offense to you in the team, I'm sure not offense taken, you guys are doing very well, heck, you just raised a lot of money, but he's willing to, we'll get to that soon. But like, I wouldn't want to be paying out bug bounties. That's not a space I'd want to work in. But it's friggin important. It's not sexy, but it pays the bills. And it does more than that. It's just yeah, not sure where I'm going with those two points. But funny how life works. Sometimes.

Mitchell Amador
It's true. So there's this, you know, funny phenomenon, you got those great ideas on the one side, but the things that really move the needle, right, in a systemic way, in a way that applies to everybody, or large populations, the simple things, right, like somebody found a way to make insurance, cheap and easy to calculate, and suddenly everybody can get insurance for like, Well, why would anybody care about that, but then you have, you know, 10, 20, 30% of the population no longer stressing, every day of their life, that their house is gonna go on fire, that the house is gonna get flooded. This frees up this enormous bounty of human energy and potential. Right, life is like that. And for our part, like, the root of that is the anxiety, the fear that founders have, that we had, when we were building. We're, we're building all this incredible infrastructure, we're trying to create the rails, right? We're trying to create the piping for a new world. And we're vesting work, we're all in we're putting skin in the game, where are you know, all in on our portfolio, like that project is our dream that we're trying to build. And our whole life path is contingent on its outcome. And you're stuck with this overwhelming fear and anxiety that a single vulnerability because some engineer had a bad day or drank too much of a smile, whatever, vulnerability slipped in, and you got wrecked. Because of that. It's like this incredible reverse. It's like a it's like a hell lottery. A lottery from hell, you know that you might have drawn that lucky ticket because someone made a mistake. And the result is the destruction of years of your labor. And we're like, okay, that's not good. That's like that's toxic. Now, we're motivated to go and fix that. And that does mean, we have to deal with like, really tough workflows and really tough problems.
But I think that freeing people up so that they don't have to worry about these things, either as a founder or as a user of these technologies is ultimately extremely worthwhile.

Matt Zahab 
I love that. Can you Mitchell, can you walk me through a couple of good stories about finding bugs that have helped protect some of those 60 billion and user funds will be love stories in the crypto news pod. You don't have to not you don't have to drop names. But if you have any really good stories, I'd love to hear. 

Mitchell Amador
There's been a lot of such cases. Obviously, a lot of this stuff is discrete. I'm trying to be careful with what I say. But there was this fun case like I'll go back to the this was a very early days for us. It was this third or fourth critical vulnerability that we dealt with the project called ArmorFi and the founders A guy named Robert Forester, he's a great character, and is a strong security guy was a bug Hunter himself. So he understood right away the value of what we were doing, and decided to post this big million dollar bounty on day one. And he's all geared up, he's pumped, he's gone through multiple audits, he's like, I've done everything that could possibly be done. Now I'm gonna launch within 24 hours, someone across the world had found a gamebreaking vulnerability that would have allowed someone to steal all the user funds that were in that product. His was an insurance coverage product. And so one exploitation, which would happen to be the claim function, someone could click trigger the claim function, and they would just take it all. It's like the biggest insurance pay day in the history of crypto, right. 

Matt Zahab
One click

Mitchell Amador
One click, and what was the cause of it? What was the cause of it? An extra asterisk, just want to call on messed up the math, multiply the exponent by the exponent. So resulted in all possible funds, just this minor thing that should have been caught in QA, should have been caught by automated tooling should have been caught in both audits, yet. Everybody missed it. Everybody did. And as a result, like the only person who could come and save the day, this function would have been triggered, by the way by the first person who claimed from that insurance product. So it's like, it wasn't like, oh, well, maybe the hack wouldn't have happened? No, it was 100% certain that it would have been triggered. The first person to claim their money back would have taken all everyone's money. And he would be like, well, we'll go if I go to court. But the guy who ended up saving the day ended up being this young German gentleman who just looked at it, he was like, Well, you know, I think this is an incredible project to think this is incredible bounty, and I think I can solve this issue. Let me disclose it. Within, you know, one, two hours after the disclosure, we were tying things down, pausing the contracts, cleaning everything up being like it's all on hold, it's all on hold. And it's a funny event. We fixed it, the use of funds were all saved. They had a token with that project in it, and it pumped on the news that the bug bounty worked and that the security was so effective. Pump like three, very absurd, but I was happy that it worked out well for him. So that was okay.

Matt Zahab 
What did the German lad get? What did he get for his bounty.

Mitchell Amador
We've got about a million dollars worth of tokens, Commander being what ended up being a little bit more by the time it was delivered.

Matt Zahab
Wow, maybe I should learn how to code and be a white hat or

Mitchell Amador
It's an increasingly compelling career path. What can I say? But you got to be you know, really, really into it. It's not easy. If you think about bounties. Right? And you think about security bug bounties are basically well what if you did code review? If you did vulnerability analysis, but you put it on max difficulty what's the gaming term for suicidal difficulty? Well said whatever that is, it's just all on all of them all the time.

Matt Zahab 
That's a great analogy that well that's the novella quote right play stupid games win stupid prizes play big games play big no win big prizes. There's a pretty friggin big game you're playing.

Mitchell Amador 
Sure well I've won a lot of super prizes in my life so

Matt Zahab 
You’re preaching choir retweet king of the stupid prizes over here. Mitchell we got to take quick break and give a huge shout out to our sponsor the show and that is PrimeXBT I love PrimeXBT you guys know why? Because they offer a robust trading system for both beginners and professional traders doesn't matter if you're a rookie or a vet. You can easily design and customize your layouts and widgets to best fit your trading style. PrimeXBT is also running an exclusive promo for listeners of the Cryptonews podcast use a promo code CRYPTONEWS50 that is CRYPTONEWS50 all one word to receive 50% of your deposit credited to your trading account. Again, that is CRYPTONEWS50 CRYPTONEWS50 all one word to receive 50% of your deposit credited to your trading account. Now back to the show with Mitchell. Mitchell, you guys became the biggest and leading security platform for all of crypto in less than two years. That is definitely something to write home about. That is incredibly impressive. You got to give me a couple tips here. Couple tidbits. A couple of golden nuggets, obviously right time right place. No shit. However, give me some non-obvious things that you and the team did to scale to this incredible feat.

Mitchell Amador 
I can tell you some secrets but they're gonna scare you Sure. Do you want to if you want to. 

Matt Zahab 
I'm all ears hit me. 

Mitchell Amador 
Okay, well, you know, number one, you got to be lucky. Right time right place always the most important thing. But for us something that proved super effective. And it's been the general philosophy for how a number of my circle I guess I run our operation has been, go and do the hard things wherever the hardest problems are, is the major opportunity where there's a chance to create real value. And we took that to the limits. With Immunefi, we went, we basically launched and we went directly to hardmode. So for example, we started taking customers like right from day one, when all we had was a Google form, right and a mediocre listings page, just a table, just a giant A, and we're like, No, we're in business. Let's go. We did full on trying 24/7 processing of reports from day one. They were just coming to hit our inbox, we would analyze them and send the results back to the customers, which is an incredibly difficult thing, if you know what it's like to run 24/7 security teams.

Matt Zahab
I don't and that would be nightmare fuel. 

Mitchell Amador
Almost nobody in this space, does it? We're one of the only ones. So you know, we did that. And this is from day one. Another day. One thing, while this was more like day 30. But when we discovered this problem, like there were these disputes between the projects, what do we do? It's like, well, you basically need like an arbitration system between them. Right? How do we get that in? And the answer was like, there is no law in this. There's no framework for dealing with there's no nothing. And it was like, Well, I guess we'll just have to make it ourselves, which is what we did. And we became the mediators, now we have a whole set of doctrines on how to interpret these types of events and how to handle them and a whole series of case studies and histories for how to work them out. It was, you know, this is this common theme of like, okay, what's the most difficult problem, things that nobody has ever solved before, that are extremely ambiguous, it's like go towards them. They exist as points of user friction, if you solve them, you create incredible value. For everybody not winning wasn't just for the customers, right? Obviously, it was for us as a business. But it was for the customers by driving actual bug reports. Bug bounties didn't work in crypto, but for us, we made them work. And it was for the users. Sure, we took that suffering on ourselves, you know, indefinitely nights, staying up until 5, 6, 7 am in the morning to get the job done. Right handling super stressful cases, and disputes mediations and making no work. But the result of that was billions of dollars in funds saved, the result of that was the creation of a whole industry dedicated to proactively saving projects and user funds. So like we went towards the hard thing, and the result was a whole industry. And I think that applies in a lot of cases.

Matt Zahab 
Well said. I love seeing how passionate and fired up you are about this. Like it's I can tell you absolutely love this shit. There's no need for Firestarter under your ass any morning.

Mitchell Amador 
Yeah, well, I look at it this way. So in addition to just being pretty passionate about making blockchain work, which we're doing, right, like, if we succeed in our mission to make the space more secure, we are directly enabling the blockchain world and if we fail in our mission, a blockchain world is not possible. The fear of hacks, risk and the like insecurity in our space will invalidate its potential to be the rails the future financial rails of the world. So that's motivating. But you and I, Matt, you and I have money in this space in this domain. And if we don't protect it, well, I don't know where are you? But I'm going to be a pretty sad panda. About it all. I do not want to get robbed. So motivated. I'm motivated in protecting you and motivating protecting me I'm motivated in creating something for the future. It's, it's worthwhile and security is the principle.

Matt Zahab 
Mitchell will crypto hacks ever slow down? Now? I know this is a difficult question. Because even web2 hacks are still apparently all the time he talked about the Immunefi, not Immunefi, Equifax hack, which again, half a billion users or however crazy it was. This shit grows on trees every single day web two companies get hacked most of the time, it's data. And sometimes it's hundreds of millions of dollars. But in crypto, it's more money than anything else. Are we ever going to see the slowdown? Or will the hack parade always just be a crazy thing? Because of the nature of the decentralized systems in space?

Mitchell Amador 
That's a difficult question. You ask me difficult questions. But the answer is, it's nuanced. No, the hacks are never going to slow down, number one, but at the same time, the hacks will get less and less damaging, right, on a percentage basis. Right. So what you're gonna see is the pace is going to continue to increase, an increasing, increasing increase, just like we see with the history of scams in our space. And we see it with hacking and scams in the traditional financial markets, like you don't hear about it. There's 100 times as many hacks, 600, 1,000, 10,000 times as many hacks going on in traditional tech and finance that you just, you just never learn about. It becomes a constant thing, and that's the direction where crypto is gonna go. It's just going to be constant and never-ending. Like now we're at the point where hacks are multiple times a day; that's not going to stop. And that just comes with the increase of growth in the space, and the increase in the number of people who have the skills to exploit. And you catch that guy on a bad day, and he's, he's going to do it, right. He's poor, he's lost his job, you know, he got beat up by the system, whatever, you know, he feels justified in making the exploits. That's what it's gonna do. But security in the space is also improving, right; we're in this never-ending arms race with human greed and malevolence. And so we're also getting better at protecting the space. Every day, more and more white hats are signing up to us at Immunefi, the best hackers in the world are signing up to join us in protecting projects. Every day projects are getting more sophisticated in their security practices, building better layers of defense, setting up better bug bounty programs that result in more eyes on code, and more vulnerabilities prevented from exploitation. 
And so what you're gonna find is, the hacks are going to continue to explode, okay, and the magnitude of hacks is also going to increase, just because that's a statistical phenomenon. On a percentage basis, the effectiveness of hacks is going to decrease gradually, as security catches up more and more. And it's this kind of, you know, we're mitigating the damage, we're mitigating the risks. It doesn't completely eliminate the events; they're still going to happen, they're going to get bigger, they're going to get worse, but less of them are happening on average relative to the amount of money at risk. And you see this with a lot of the hacks now, right? The bigger hacks are a lot rarer. It's typically much smaller hacks that are happening on a regular basis. That was not how it was in the early days, where most of the incidents were very, very large amounts of money. So the trajectory is good. Right? The trajectory of security in our space is really improving dramatically, day by day. We're certainly doing our part to do that. But yes, the hacks are not going to slow down. And yes, they are going to increase some freedom. Interesting. So we also have to be ready for that reality.

Matt Zahab 
Are we going to see, what was the biggest hack so far? What was it, Wormhole? 350 mil?

Mitchell Amador 
No, no, no, the Wormhole case was not, it's not even remotely close to the largest. 

Matt Zahab 
What's been the largest?

Mitchell Amador 
Well, look, like you could look at the Binance case, which was, you know, just this week, last week. That was more than 500 mil in BNB stolen from the bridges. Now the attacker only got away with about 60, 70. But that's still, you know, basically free-mint dilution of the entire base by about 500 mil. Or the Ronin hack, which was almost $600 million. Yes, yes. Right. That was a huge case.

Matt Zahab 
Are we gonna see a 10 figure hack?

Mitchell Amador 
Of course we are. I mean, it's already happened; like the Bitfinex hack years ago is equivalently 10 figures, or might be 11 figures today. 

Matt Zahab 
I mean, I mean, at present day, I mean, on the day. For sure, it's gonna happen. It's gonna happen. 

Mitchell Amador 
No doubt. I'm 100% certain. I mean, for context, right? We can look at the Optimism case, we can look at the Polygon case, we can look at some other cases we know that aren't public, right? We have already been there preventing the 10-figure hack multiple times over. How do you think we got to the 25 billion number, which is conservative; the real number is more around $35 to $40 billion, by the way, at this point. So like, that's, you know, that's the "are we going to get to a 10-figure hack" 40 times over. Alright, think about that. It's not just a single isolated case. There have been, I think, I don't know if we're up to a dozen yet, but you know, we're not far off. 

Matt Zahab 
And you probably, you and the team have seen some crazy shit that the public probably has no clue about. And never will.

Mitchell Amador 
Of course, of course, you know, most of these things. So you hear about these exciting cases, like the armor I just mentioned, or, like the Polygon cases, you hear about them because the Polygon team is so good faith, right, and so prone to public disclosure and supporting the community that they're going to share, right, what's going on. They have such great security practice, basically, that they're going to do that, and props to them.

Matt Zahab 
They're not going to give, not gonna give the true reason why.

Mitchell Amador 
Well, they're doing what they're gonna do. And I think that approach of making things transparent is the right one, but a lot of projects don't, right, or a lot of situations they consider very sensitive, and those ones never make it public. And you can see the amounts of money moving around, like, there's like, it's a good incentive to be like, well, okay, well, I can talk, or I can keep this private and there's dollars. That's not bad. Yeah. Right. So we have tons and tons of cases, affecting billions and billions of dollars, that don't see the light of day because everybody agrees, for whatever reason is relevant to them, that it's best to keep it quiet, and we support that. You know, if both parties want to keep it private, that's their business. It's not ours. We are happy to do our duty in protecting the community, and we draw ball.

Matt Zahab 
So, when that situation happens, is it like, you know, everyone does a virtual handshake, docs get signed, and then NDAs get fired across everyone's desk, everyone signs them up, boom, back to sort of that arbitrary third party, you know, mediator, and that's it, case closed?

Mitchell Amador 
Typically we don't need NDAs or docs. I mean, I want you to understand a great number of these white hats disclosing are anonymous. They're not going to reveal their identity.

Matt Zahab 
Like fully, fully anon, you know, zero about them.

Mitchell Amador 
Yeah, they want to do their good faith action. But they don't want to get iced. They don't want to be punished.

Matt Zahab
Gotcha. 

Mitchell Amador
Because they did something that they thought was right, which happens, right; that's happened a lot in the history of hacking. And that's happened a lot in the history of bug bounties, where you get punished for doing a good deed. And so there's this privacy element. And so some projects will, they might send over an NDA, and it's like, okay, well, if that was in the terms of their bug bounty program? Sure, let's do that. That's the right thing to do. That's what you agreed to do.

Matt Zahab   
But if it's not, then it doesn't happen. How did, how do these white hatters stay fully anon? Like, give me their means of communication. Are they Signal plus ProtonMail? Are they like carrier pigeon? Like what's, what do they do?

Mitchell Amador 
It's really hard to stay fully unknown, right? Because you need such great OpSec that you never slip up even once. Okay, which is nigh impossible. That's extremely difficult to do. That's like writing software with no bugs. Yeah, super, super hard to do. But there are ways that you can do that. So typically, they're going to have devices that are dedicated to certain functionalities, and only use them for that. So they might have something they only use for crypto transactions, or they only use for bug hunting, or they only use for communications. They might be on custom operating systems like Tails, or Heads. Or they might be using Qubes to limit access. Things like VPNs are obviously a given. But they'll use other types of masking software to make it even more difficult to pull out information. So for example, your browser is telling, you know, Apple, or, you know, if we're using Google Chrome, it's sending Google information back on what kind of hardware you're running, right? What's the fingerprint of your machine and a whole bunch of characteristics. And there's lots of ways to block that and to obfuscate that; they're going to typically use those. They may also limit access to any socials or infrastructure that they use with this machine, right? Because the moment you log into Proton, sure, Proton says they aren't tracking anything. But like, they can check where your IP came from, they can check, you know, try and collect more information in your browser, more information on your hardware if they're savvy enough. And so you also want to control how you access all that infrastructure. A variety of measures like this, in aggregate, combined with a very, very disciplined use of a very small number of tools, is how you stay anonymous. And like, consider if you really want to stay anon from anybody, like you can't use Google Docs, right. 
And you can't use a ton of applications. Your phone, if you use an iPhone, it's always in lockdown mode, which is, you know, iPhones are not private at all. So you probably won't even be an iPhone user. But you're doing all this stuff, right, to limit access, making your potential attack surface very small by using a small number of applications, dedicated devices, and being extremely disciplined about how you interact with anything on there. 

Matt Zahab 
So, at least just from white hat, an anon user, to you and the company that gets hacked. What's the means of comms? Is it email, Telegram? Is it Signal? What do you guys use? 

Mitchell Amador 
The means of comms? Well, we use our application. So the reality is that bug reports are really complicated things to deal with. Right? It may take us days or weeks to resolve the incident. There's a ton of nuance; you need a lot of eyes on it. So it's not going to be like, oh, it comes to us and then we deal with it for them. No, no, it goes through our layer of triaging, where we're reviewing the report. They'll go through an automated system, and it'll go to the project. But the project could be 10 people, right? It could be a single engineer, or it could be a whole engineering and security team. And they need to go back and forth and talk, and they may need to talk to us privately. So the whole, we have an application where all this communication takes place. Touch and it happens after the submission of the report; that creates basically the report. And then from there, we have a giant thread where we're handling all sorts of different types of communication between the white hat, between the project, and then under various conditions with Immunefi itself.

Matt Zahab 
So it all happens, that makes total sense, it all happens within Immunefi's walls. 

Mitchell Amador 
Right. And we, of course, like, this is the most sensitive data. We understand that we are the castle to bring in crypto. And so we are constantly perusing our infrastructure, right, manning our walls end to end, locking this down to make it as protected and as safe an environment as possible. 

Matt Zahab 
No double parenthesis in any Immunefi code.

Mitchell Amador 
Let's just say that we write very clean and efficient code.

Matt Zahab 
Clean, sexy, and efficient code. I love it. Mitchell, this has been an absolute treat, man. I've had so much fun chatting with you, and hopefully we can do this in person one day. We are getting a little tight for time here. The raise, congrats on the raise from Framework, one of the best VCs in the space. Walk me through that whole process. You know, why you guys decided to work with them, the money, the whole nine yards. What are you gonna do with it? Tell me about the Framework Ventures raise.

Mitchell Amador 
So that was a tough one, right? We came to the end of last year, and our thesis was just, you know, really beginning to take off. Okay? And we're like, okay, well, what do we do, you know, next? Well, we need to raise. We've built something that's really amazing and really compelling, and it produces so much value for the community. But we need more help. We need more people, we need more resources, we need more engineers, like, we need so much more to really deliver on our mission. So let's go out and raise. The first thing that we did was shop that around to all our partners, be like, well, what do you think? And it's at that point Framework, you know, volunteered itself, which was a surprise; they were our seed investors. And they were very supportive, extremely helpful, very hands-on product partners, a rare thing in our space. And we liked that, but we didn't expect them to want to back us to the next step. They said, no, no, let's, you know, let us do it. Let us do it. So we started talking back and forth about how it would work. And I mean, I think I was really happy with basically everything and how they conducted themselves, super high integrity. They basically gave us the pitch for where they were going. And I was like, okay, yeah, these are the right partners for us. These are the people who can help take Immunefi, to make us the, you know, the disclosure layer, the 911 layer for vulnerabilities in all of crypto. And they've been that way ever since. So I can count on them to hop on a call with me and grill me about product and get some really valuable insights any day of the week. Which is, that's, you know, the first thing. I don't know, you want to talk about, you know, how we're going to use the money or what you want to do? 

Matt Zahab 
Yeah, well, you can get into it and have some fun here.

Mitchell Amador 
Okay, so we raised $24 million. And that wasn't just from Framework. Framework was the lead, and we're eternally thankful to them for that, but it was also some of our other partners. So basically, everybody who's invested in us in the past doubled, tripled, or quadrupled down in our last round. So that would be guys like the Blueprint Forest crew, that would be Electric Capital, another group of amazing people, that would be the Bitscale guys, like a whole bunch of them. And, you know, we wanted to raise this money to really deliver on this vision of building the 911 layer, and the 911 layer of the space requires, you know, instant communications. It requires extremely effective levels of filtration so that you can identify what the high-priority cases are, right from the get-go. It requires an extremely high-value funnel, right, an extremely high-value flow of attention going in that can turn into high-value bug reports, which, you know, that leads to kind of our marketing and our community functions and all the work that we're constantly doing there to nurture the security community and grow it more and more and more. We just don't have enough people; we really don't have enough people in the space, right, to protect the space. And finally, and probably the most important thing, is we're going toward this world where we need more and more trust. The problem with bug bounties is trust. And so we're creating all this frankly unique technology, these unique assets, things that really have never been seen before, in order to facilitate what we feel will become a multi-billion dollar market for vulnerabilities in the not-so-distant future.

Matt Zahab 
Well said. Hey, congrats on the raise, not a doubt in my mind you guys are gonna put those dollars to good, to very good use. Mitchell, absolute treat. Last question for you: hot takes. We love hot takes in the Cryptonews pod. Let's get a check and boots on, step inside the hot take factory. What is something that only perhaps Mitchell believes in that most other people don't? Doesn't have to be crypto related, can be food, sports, politics, geography, space, celebs, fashion, you name it. Can be something good? A metric of hot take.

Mitchell Amador 
There's so many. How about, over the next 100 years there's going to be a whole bunch of new religions that appear, and they're going to be good, and they're going to spread like wildfire, you know, some single-digit number, probably, new Christianity news our app isn't.

Matt Zahab 
Good. If we were starting the religion of, you know, Mitchell, security, and, and lovely corporate T-shirts, what would that look like? Like, tell me, if you were the head priest or head preacher of said religion, what would that look like?

Mitchell Amador 
If I was the head priest. Well, for starters, we'd have better shirts, right? If you're gonna go for taste, you gotta go all the way. Whatever you do in this life, you gotta go 110%.

Matt Zahab
You can't be half-pregnant. 

Mitchell Amador
Right. You can't be half-pregnant. So I think, you know, the aesthetic value is going to be a big thing. It's going to be a big thing for, it will be a big thing for me. But it's going to be a big thing for this future, as all these people around the world figure out that, you know, the old systems don't work anymore, just like they don't work for money, as we're seeing with crypto. Well, you know what, they don't work for a lot of things anymore. And so they're going to build new ones. And it's going to be weird.

Matt Zahab
It's going to work though.

Mitchell Amador
It will, it will work. And that's the thing. There's going to be new religions, and they're going to work, and people will prefer them over the old way of doing things. And for a modern, you know, like you and I, it's like, our world will be cast into the past. Just like in the way that, you know, we think of the ancients, who were like pagans worshiping Hera and Zeus. That's weird. What does that even look like? Right? Norse. Behrman going in some ugly, rotting log temple praying to a poorly carved statue. What does that even mean? It's totally different, but they're gonna look at us the same way, and our strange gods of modernity and economic wealth. So it'll be interesting. I hope to live long enough to see a lot of it come to fruition.

Matt Zahab 
I love that. Mitchell, thank you so much for coming on, man. Had an absolute blast. Before we let you go, can you please let our listeners know where they can find you and Immunefi online and on socials?

Mitchell Amador 
Sure, so everybody, you can find me on Twitter @MitchellAmador. That's M I T C H E L L A M A D O R. So you can follow me there. I usually talk about security or spitfire about how the world's going wrong, which is a natural pastime of all security people, I feel. So there's that, and you can learn more about Immunefi and what we do at Immunefi.com. That's immunefi.com. Check out our blog on Medium. It's got a lot of these crazy stories, and an especially good one if you want a fun read is "Inside the War Room That Saved Primitive Finance", a tale of 48 hours of straight suffering to save millions of dollars of user funds. Should be fun. 

Matt Zahab 
I love that, Mitchell. Thank you so much, man. What a treat. Can't wait for round two. Hopefully, it will be in Portugal in person with two Shure mics and not Yeti mics. No free ads, but sure, you're the go. Thanks, man. Appreciate it. 

Mitchell Amador
Thank you. 

Matt Zahab
Folks, what a great episode with Mitchell Amador from Immunefi. What an episode, tons of incredible stories, fresh off a $24 million raise. We'd love to see it. If you enjoyed this one, I hope you did, please do subscribe; it would mean the world to my team and I. To the team, love you guys, and to the listeners, thank you so much. As always, love you more than you know. Keep on growing those bags and keep on staying healthy, wealthy and happy. Bye for now. We will talk soon.