In the light of recent events and security breaches, several organizations within the blockchain space started reviewing their code and underlying infrastructure for flaws.
Telos, a high-performance blockchain, discovered in the course of an independent security audit a severe flaw within the Ethereum EVM that could potentially have resulted in the theft of tokens, as is usually the case with bugs of this kind.
Blockchain security firm Sentinel discovered the bug on the Go Ethereum end of the Telos blockchain architecture. The good news is that they were able to patch it, and things are running as usual within the Telos ecosystem.
With such a serious issue affecting the Ethereum core, things could have turned out differently if not for the vigilance of the Telos team and their adherence to strict security protocols.
We reached out to them, and Michael Tzezailidis, Director PR/IR at Telos, was happy to tell us what really happened.
Here is what he had to say.
Michael Tzezailidis, Director PR/IR at Telos
Please, can you give us the details about the security vulnerabilities that were discovered within the Telos blockchain?
To be clear, the Telos blockchain mainnet has been serving C++ smart contracts ever since 2018.
It has been audited thoroughly and is a seasoned layer 1 platform. As for the Telos EVM (our newest product), prior to the audit it had been vigorously tested for bugs internally.
We have used every known test script available and we even wrote an entire library of test scripts ourselves.
Once we brought the Telos EVM to a green light state, we brought on a team of really talented white hat auditors to go at it with a magnifying glass, line by line.
We knew the code was tight, but we wanted them to go at it with fresh eyes to seek out any security holes and to help tweak it for performance.
As we had hoped, our code was pretty tight; there were some minor issues, but to our surprise the real discovery was a major security flaw on the Ethereum EVM.
No one was expecting this. Ethereum has been heavily audited over the years and it could even be said that they are continuously audited.
That’s why the odds of this high-priority bug being found were extremely low, but it happened.
Just how efficient are security audits within the cryptocurrency and distributed ledger ecosystem?
I wish I could say they are great, but they’re not. It’s like doctors: there are lots of doctors out there, but not all of them are good, and even fewer of them are gifted.
Same with auditors.
Many of them just run standard well known scripts, issue a stamp of approval, collect their checks and move on.
They went through every line of code with the highest of standards and then they analyzed the outcome of it.
Honestly what they did for the Telos EVM was very helpful, but what they have done for Ethereum is legendary; this find may have literally stopped the next 100 plus million dollar crypto heist.
In light of the recent attacks within the space, what issues come to light that need to be addressed immediately?
Nothing is bullet proof, but platforms definitely need to run vigorous audits on their code.
Believe it or not there are platforms out there who have either never been audited or their platforms were just not audited thoroughly.
Someone should audit the auditors.
As for Dapps, especially defi dapps, they should quickly migrate to where audits have been properly performed. With all the hacks, due diligence is definitely warranted.
Please, can you explain to us what the fuzz testing method is and what the benefits are to security testing in cryptography?
The way it was explained to me by the auditor, Guido Vranken, is that he drops through every line of code side by side and compares results between two platforms.
In this case he was comparing the Telos EVM with the Ethereum EVM. Telos is the first EVM that is not a fork of Ethereum.
The Telos EVM is mechanically an EVM 2.0 plus.
It is a completely different EVM and far more robust than anything else out there.
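A differential fuzzing harness of the kind described in the answer above, added here as an illustration (it is not the auditor's tooling or Telos code): it feeds identical operands to two constructed implementations of the EVM SDIV opcode and reports the first input on which they disagree. Both implementations, the operand generator and the fuzz loop are assumptions made for this example.

```python
import random

# EVM words are unsigned 256-bit integers; SDIV reads them as two's complement.
WORD_BITS = 256
MASK = (1 << WORD_BITS) - 1
SIGN_BIT = 1 << (WORD_BITS - 1)

def to_signed(x):
    return x - (1 << WORD_BITS) if x & SIGN_BIT else x

def to_unsigned(x):
    return x & MASK

def sdiv_reference(a, b):
    """SDIV as the Yellow Paper specifies it: x / 0 = 0, and the signed
    quotient truncates toward zero (so -7 / 2 = -3, not -4)."""
    sa, sb = to_signed(a), to_signed(b)
    if sb == 0:
        return 0
    q = abs(sa) // abs(sb)
    if (sa < 0) != (sb < 0):
        q = -q
    return to_unsigned(q)

def sdiv_naive(a, b):
    """Constructed second implementation that uses Python's floor division
    directly. It agrees with the reference on most inputs but rounds
    negative quotients toward minus infinity, which a line-by-line review
    can easily miss and a differential fuzzer surfaces quickly."""
    sa, sb = to_signed(a), to_signed(b)
    if sb == 0:
        return 0
    return to_unsigned(sa // sb)

def random_word(rng):
    # Mix small values, sign-boundary values and uniform words so the fuzzer
    # reaches edge cases instead of only huge magnitudes.
    roll = rng.random()
    if roll < 0.3:
        return rng.randrange(0, 16)
    if roll < 0.6:
        return to_unsigned(-rng.randrange(0, 16))
    if roll < 0.7:
        return rng.choice([0, 1, MASK, SIGN_BIT, SIGN_BIT - 1])
    return rng.getrandbits(WORD_BITS)

def differential_fuzz(impl_a, impl_b, iterations=2000, seed=1):
    """Run both implementations on the same operands; return the first
    (a, b, result_a, result_b) that disagrees, or None if all agreed."""
    rng = random.Random(seed)
    for _ in range(iterations):
        a, b = random_word(rng), random_word(rng)
        ra, rb = impl_a(a, b), impl_b(a, b)
        if ra != rb:
            return (a, b, ra, rb)
    return None
```

Comparing an implementation against itself returns None, which is the sanity check to run before trusting a mismatch found between two real EVMs.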
What are the best methods for determining vulnerabilities in blockchains and distributed ledgers?
The only correct answer to this is to do everything possible to make sure that it is as secure as possible.
This will require many test scripts and countless hours of code analysis.
The most important variable is to build a team of seasoned and talented people who really care and love to take ownership.
This includes vetting the auditors.
As we enter a phase where cryptocurrencies and their underlying technologies gain mass traction and attention in popular culture, what best practices can you recommend as regards ledger security?
Backup, backup, backup and backup again. Can’t lose those keys so keep them somewhere safe and secure.
That being said, Telos adds features to make management more human-friendly; our simple 12-letter account names and secure web wallet make this even easier for people moving forward.
What other programs are you currently running to ensure the stability and security of the Telos blockchain?
Apologies for the boring answer on this, but quite simply we are fanatics about the security of our network.
We are all hands on deck at all times and follow rigid protocols. Maybe better not to fully detail ;).
Are there any plans in place to create automated security audits which unlock tokens for those who discover them? How practical is such a scenario in today’s distributed ledger community? What are your thoughts on such mechanisms?
Personally I love the idea of rewarding someone for the discovery of a security flaw.
Although it is not formalized, the Telos community would definitely show lots of love to anyone who found a security flaw.
What roles do you think insurance will play in the fallout of security issues as blockchains and distributed ledgers mature?
This will be interesting to watch unfold, but insurance companies are masters of the invisible exit door.
I can envision the agreement docs being 100 plus pages.
Yeah, maybe if the premium was super high you’d get something, but I personally wouldn’t depend on insurance companies insulating me under these circumstances.
Can artificial intelligence in the future determine such vulnerabilities or is that wishful thinking? Please, can you tell us the reasons for your answer?
AI could always run a series of known test scripts and seek out known vulnerabilities, but it can’t step into the realm of innovation.
It can’t think for itself and play hacker.
It can only do what it is programmed to do. I think anything more than this is generations away.
As world governments and state actors continue to look into proper regulations for cryptocurrencies and their allied technologies, what do you think will come next for the cryptospace and distributed ledger space?
Governments are going to do exactly what governments do.
They will try to get a piece of the action.
They will do so via taxation, penalties and violations.
They will create rules to track trades so that they can tax gains, but I believe anything above that would be counterproductive for them.
They know crypto is here to stay.
They just want their cut.
As a next-generation ledger, what are we to expect within the next decade from Telos?
A truly utopian network with true decentralization and true utility.
Sincerely, dapps that use Telos absolutely love it.
It is very sticky!
I really mean it in a literal way when I label the network as “truly utopian”.
Tell me what’s wrong with blockchain and Telos has a remedy.
From speed and fees to ESG and decentralization it’s all in the formula.
What’s the importance of outside auditors when it comes to blockchain/ledger security?
Aside from it being a third party stamp of approval, it’s a fresh set of eyes.
Again this depends on the level of talent and skill of the auditor.
Just because they claim to be an auditor does not mean they are beneficial to the security of the chain.
How determined are bad actors against ledgers and blockchains? What do you think can be done to have more “white hatters” within the space?
There is a trillion dollars in defi right now.
I guess that can be pretty motivating for people who see the holes.
To combat this temptation, white hat hackers can enjoy rewards, recognition and a lifetime of new customers.
No doubt about it, Sentnl will probably get lots of new business because of this Go-Ethereum bug they found.
I’d much rather be them vs someone on the run.
As more smart contracts become complex, what steps are you taking to ensure that bugs and loopholes are found before they go live?
This will happen sequentially along with our growth.
We will just continue to be thorough, but for the most part it shouldn’t make too much of a difference.
How do you aim to eliminate the “human factor” in security flaws within the Telos blockchain system?
Telos blockchain is built to run code and generate blocks securely.
Periodic code updates are run on testnet up until they get the green light.
Aside from that, human intervention is limited regarding the code.
Our good name is beyond important to us.
How can the wider cryptocurrency community aim for higher security standards?
They just have to push for it and I think that most chains do have this goal.
The real challenge ultimately goes back to finding talent.
Almost anyone can run a series of standard tests but it takes a really smart, super skilled, outside of the box thinker to find new vulnerabilities.
Note that running existing tests is just in regards to EVM.
A new platform will require line by line auditing and countless custom script tests.
Where do you see the decentralized finance (DeFi) space in the next decade?
Running on the Telos platform.
I know this reads funny or maybe even arrogant but I’m being serious.
I say this because on Telos there is no front running.
If defi is truly concerned about theft of value, front running theft is literally racing into the billions.
The Telos EVM is the only EVM that prevents front running.
Institutions would be foolish not to use Telos and traders would be novice.
It’s really a far bigger problem than people understand.
All AMMs running on Ethereum or Ethereum-forked EVMs are plagued by front running.
Only on Telos can you NOT rearrange the order pool.
It is strictly first in first out protocol.
No one can see your trade coming and then jump in front of you just to middleman you for a significant ADDITIONAL expense (as they can on other networks).
It is just not right, and it’s more money stolen than in any bank robbery in the western world.
The system is being completely gamed on the Ethereum network (this includes Polygon, BSC, and just about any other EVM).
Do you have any secrets to tell us? Care to spill the beans?
We are the Ferrari of the smart contract space!
10,000 TPS pre-sharding, half-second block times, near fee-less transactions, 0.000002 kWh per transaction (the greenest), the most advanced governance (the only platform to share its governance with its ecosystem), truly decentralized (no ICO), exclusively no front running, staking at 14% APY, the only platform capable of generating blocks for EOSIO C++, Solidity and Vyper (that’s 95+ percent of existing dapps), the ESG blockchain…
We are very focused on seeing the following find its balance: market cap vs. utility. We encourage any interested party to compare us to any chain out there. Sincerely.
If you had three wishes and a Genie that could make them come true, what would they be for Telos?
For the chain to be validated for all it has practiced in private.
To be directly compared to Cardano, Ethereum, Polkadot, BSC and any other Layer 1 that wants to bring their platform to the race track for a benchmark challenge.
For all crypto investors to understand that their AMM trades are safest on Telos via exclusive no front running. This includes institutions.