As Nolan’s “Batman Begins” ignited the masterpiece trilogy back in 2005, this will be the subtle shift where the abstract became concrete, became real, when we eventually look back at Firewall’s creation of safe blockspace. So, what the f*** is “proof of tech”?
The classic "testnet" experience makes little sense to us. We’re doing it differently. Here are the goals of this phase:
In other words, provide a reason for you to care, and prove we are as radically different [and better] as we claim to be. This will give you, potential future users, supporters, owners, a deep-dive into our technology innovation, deep understanding of our capabilities, and how we see the future.
My role here is to act as Van Gogh, painting out how we see the future, something that seems undeniable to us but not fully understood from the outside looking in [yet]. You can decide if my write-ups offer insights or just the ravings of a madman ;).
I called out the fundamental shift in our approach, which stems from the implicit design of every smart contract network today to accept smart contract exploits and other forms of onchain theft. Doing so by ending the concept of chain security at “this cryptography is valid”.
The starting point for this journey into safe blockspace begins with the Safe Sequencer. Recall this description:
We embedded our A.I. model and other pattern recognition into the EVM and blockchain execution client to filter out malicious transactions at run-time. It adds this line item to the standard checklist: (3) transaction does not steal user assets
I won’t bother to explain the attack in detail, there’s already countless deep-dives into the structure of it. Instead let me focus on the relevance. I chose to start our product and technology demonstration with the infamous Kyber exploit for a few reasons:
It occurred on a blue-chip DeFi application that many considered “safe”
It stole considerable sums of assets
It was an advanced attack, with high-levels of complexity. There’s some exploits that developers, teams, and users scoff at: “Oh, I would never make that mistake”. Nobody scoffed at this!
What I’m demonstrating today is centered on our recreation of the Kyber exploit, using the same set of smart contracts, and replicated state of the application with different accounts acting as traders doing swaps, liquidity providers managing AMM positions, and finally the attacker with our version of the attack contract to perform the same vulnerability exploit.
The true Kyber attack drained across many chains and pools, but for simplicity and purposes of our demo we only replicated a single Kyber pool — the USDC/USDT pair.
The message we aim to communicate — smart contract networks today, rollups, alt-L1’s, altVMs, …, yes even the chain your money is currently sitting on RIGHT NOW, leaves you fully exposed to the wild west. This is simply the default, completely normal [pre-arrival of Firewall].
For our proof, we need a guinea pig. Who better than the most popular rollup with $5 billion in assets today, Base?
Two high-level steps: (1) replicate the attack on Base’s testnet, (2) replicate the attack on Firewall’s testnet.
It’s simple really. The attack succeeds and drains the Kyber AMM once again on our guinea pig, Base. In this case for ~$21,000,000.
The attack fails on Firewall’s chain, currently built on our fork of the OP-Stack, because it’s running our Safe Sequencer.
Understand this. The Safe Sequencer let every normal user transaction through for swaps, deposits and removals of liquidity, flash loans, and so on. However when it analyzes the intent of the attacker’s transaction, turning all the state properties, historical context, and more into a calculation or inference, it classified it as malicious.
As a result our sequencer does not include the transaction into the chain, instead it blocks it. That inference and calculation literally takes place in our blockchain execution client, that houses our implementation of the EVM and our A.I. model.
Every DeFi user providing liquidity to the Kyber AMM on Firewall has been protected without lifting a finger. Without doing anything besides putting their assets on safe blockspace.
In stark contrast, every DeFi user doing the same on Base (in this case) has had all their money stolen.
Users swaps are performed on the Kyber Router. The Kyber USDT/USDC Pool holds user assets. LP Positions handled through the Kyber AntiSnipAttackPositionManager.
The Attacker’s smart contract lives at 0x7Ad358403b22Af978987FF7928d62f37144cCC53 .
For those who want to dive-deep, you can easily trace the entire sequence of the hundreds upon hundreds of normal user transactions, the hundreds of LP’s transacting in the Kyber pool supplying ~$22M in assets, and the eventual brutal theft by the Attacker’s transaction at 0x36c62e8b727f98f441152a9db3a8bcda5492e623e60ccbe417902b70e5bf2e40
Confirmed by Base's sequencer, whoops there goes $20,000,000 in user funds
Note, the token balances visible in the Attacker’s contract, ~$10.9M USDT and ~$9.5M USDC. This is the liquidity stolen from the depositors of the Kyber AMM.
All addresses for smart contracts, tokens, users, and the attacker, etc. remain the same across Base and Firewall’s testnet for your ease. There’s miscellaneous participating contracts I have not listed below, but there easy enough to find via the explorer and all verified.
Kyber Core Contracts
Core Token Contracts
Attacker
The Kyber Vulnerability Checker contract can be used to verify the existence of the same vulnerable state on the Base instance, historically pre-exploit, to what existed and continues to exist on Firewall’s testnet present day (as the attack attempts are filtered out).
Note, there’s still about $1.6M available to be stolen on the Base deployment for any takers.
Since the attack transaction wasn’t included into our testnet chain by the sequencer, you won’t see it in the same form as Base. There’s a couple ways to currently view its data make-up and status through our explorer.
The one time seeing this screen for a transaction is in fact the correct result.
The Kyber Vulnerability Checker on our chain. Same address as on Base as well.
Kyber Core Contracts
Core Token Contracts
Attacker
*importantly, the contract code is verified and bytecode is available on both testnets for easy comparison to prove everything is the same on both testnets, and the same as the initial Kyber event.
I’ll be pushing out some changes to also display verified source code on our explorer shortly to make the comparison even easier. In the next weeks simpler deep-dives, etc. will be made to walkthrough this all for non-technical folk
This goes to show this can and will quite literally happen today, two years later. It is not theoretical, attacks and smart contract exploits occur on Base specifically, and every other chain, all the time. They will continue to happen without safe blockspace.
Nothing changes without somebody driving it forward. We are that somebody who will fervently compel that change through pure sheer force of will [and great technology].
The question is do you want to be an unwilling participant in the next major attack, or a safe spectator from safe blockspace?
You’re probably wondering what the algorithms listed via the explorer on different contracts are, e.g. ReentrancyGuard or Charmander.
The main topic I’m fielding in terms of intelligent questions the past few weeks summed up is “this sounds insanely awesome, but how does it work?”.
How is our A.I model shoved into our sequencer and part of the EVM? How is our EVM instrumented with pattern recognition? How do these enhancements take generic data and turn it into mathematical classification of malicious behavior? Equally important to us, what are the downsides, what about user rights to censorship-resistance?
I planned to dive into the details of the how today in this write-up, but honestly it’d make this too long. I’ll keep this scoped to the introduction of “Proof of Tech” and starting as soon as this Monday, be releasing frequent content to dive into the plethora of technical innovation and magic that goes on under the hood of Firewall.
I will also be fully explaining the downsides, or shortcomings of the Safe Sequencer specifically too. One fact I know, it’s superior to what exists today, as we’ll continue to demonstrate.
Stay on the edge of your seats just a bit longer. For now, feel free to reach out to me for questions, and please dive into and understand the Kyber demonstration above.
**I’ll be upgrading the Firewall explorer, particularly through the next week to be more “user-friendly” now that we have external eyeballs on it trying to understand what’s going on. Currently it’s a ton of hex and encoded data…Thanks for reading!
- Devan
Right now it’s standard for a crypto project, particularly infrastructure, to launch a testnet. Testnet is a large hype moment. Users rush to do actions, “test” the chain or application, and activities kick off for a period of months to years. This makes little sense to us, for both you and us.
As we journey through “proof of tech” and the availability of our first stage of testnet, there’s user and technical feedback that is valuable, particularly as we dive into trade-offs and our design choices.
What is not valuable and something we have little interest in, as an example:
Yes we’re aware of some bugs in the explorer. Yes we’ve set testnet block times slower (it does cost money to run a testnet). These are not pressing concerns for us. Instead I encourage you to focus on what matters. Focus on the net-innovation on display.
That is not to discourage people from using our testnet in a purpose to verify or understand our technology or product though! I’ll be helping walkthrough over the next month how to do that effectively, balancing both your time and our time and resources.
My point is, use or dive-into this testnet, our product demo’s, and my write-ups for the sole purpose of seeking alpha (whether that’s as a future user, supporter, or hopeful participant) and understanding. There’s no purpose to spend your time on random activities I have not specified in the hopes of farming this deployment.
As previously mentioned, I will make it abundantly clear when user activation is expected, and what we will find valuable from participants. “Proof of Tech” is a preparation step for what comes next.
An aside
When thinking about the status quo of “launch testnet, time to farm”, I think it was normalized because for the longest time new chains or similar had one aspect to show off; how much faster or “cheaper” their transactions were for people using their product.
The only way to demonstrate that product to people was having them send meaningless transactions. At some point, years ago, this became mostly pointless. Rollups introduced an architecture which commoditized these aspects.
Then the farming game was spun out of that from necessity, to pretend there was something interesting being offered or put on display, to extract as much leverage as possible from future token, and general intellectual dishonesty. Eclipse as project overall and “Turbo Tap” are a peak example.
In contrast, our innovation introduces a net-new dimension to the game, safe blockspace, which needs a novel and honest approach to demonstrate its capabilities in an easy-consumable manner that we’ll be playing out over the next months.
Combine this with our goal to focus on value, utility, and users and you’ll understand our approach to these next months.
.webp)
