E13 - NiftyApes Open Source Audit w/Kevin Seagraves & Zach Herring - 9/1/2022
On this episode of I, Degen, we chat with Kevin Seagraves and Zach Herring from NiftyApes. They recently came out of stealth mode to launch their NFT lending platform and bravely agreed to an open-source audio audit with us. Join us to learn from an OG Ethereum security researcher on how he approaches securing a feature-rich DeFi application in a sea of ruthless blackhats.
I, Degen - Episode 13 - Open Source Audio Audit with Kevin Seagraves & Zach Herring from Niftyapes.money
If you have a moment, please check out the episode 13 I, Degen sequence on Zeevo. Give your feedback on the show, and we'll mint you a custom token of appreciation 🙏
Listen at: idegen.fm
Contact us: @idegenfm
Intro
On this episode of I, Degen we chat with Kevin Seagraves and Zach Herring from Niftyapes. They recently came out of stealth mode to launch their NFT lending platform and bravely agreed to an open-source audio audit with us.
Welcome to I, Degen gentleman, and thanks for taking the time to chat with us. Before we jump into the audit, can you tell us a bit about yourselves and what NiftyApes is?
Intros Kevin Seagraves & Zach Herring:
Who are we talking to?
Tell us about your background and how you built an NFT lending platform.
For KS: Can you tell us more about your work with ETHSecurity?
Hunt questions:
Intro NiftyApes:
- What is NiftyApes?
- How does it work?
- Why did you build it?
- Who’s gonna use it?
- What is a Harberger auction?
- When is the release?
- Let's talk about the “regen” side of Nifty Apes and the 1%? that goes to public goods. Why was it essential for you to do this?
Open Source Audit:
Security audits are expensive and rarely a priority for founders. This is especially dangerous when it comes to DeFi apps and protocols, given the natural ability of an attacker to take something of value.
The idea for our Open Source Audit is to help others learn about securing a crypto project by asking some questions about how you’ve approached the security of NiftyApes.
- Can you give us a high overview of the tech stack? How does NiftyApes look from a zoomed-out view? What web2 components are at play, and what web3?
- Can you talk a little bit about your overall approach to securing niftyapes?
- How have you approached the security in your web2 interface?
KS: we only store tx receipts in DB after a tx has taken place and been confirmed, so the attack surface for us on Web2 is low.
- Have you taken steps to ensure your DNS records are secure?
- Contract audits - Can you give us an overview of your process with the contract audits?
- How did you find your auditors?
- What was the process like?
- What did they find?
- You guys have gone out of your way to make security a priority for NiftyApes (from the front page):
- Does NiftyApes have a bug bounty program? If so, how does it work?
- Nocoiners and others have been all over a brewing problem at NFT lending platform, BendDAO. Specifically,
“The NFT lending platform BendDAO has collateralized almost 3% of the entire Bored Ape collection, and many NFTs have recently entered the “danger zone” of liquidation.”
ZW: Would this kind of thing be a potential problem on Niftyapes too?
- Game-theoretic bugs are a new and emerging class of attacks in DeFi that don’t necessarily exploit bugs in code but instead bugs in the relationship between the values of pools, balances, and the connected systems.
- In the coming years, we will likely look back at this as the golden age of on-chain hacks, where trivial bugs lead to massive payouts for blackhats.
ZW: Are you tracking any risks related to game-theoretic bugs? For example, flash loan attacks?
- The unprecedented sanctioning of the Tornado Cash contract addresses by US Treasury in early August has added a new complexity for DeFi developers. What is your take on the sanctions at NiftyApes?
- Any advice for crypto founders on developing and deploying more secure projects?
Outro Questions:
- Top musical artist you’re listening to right now?
- Tech gadget you can’t live without?
- Best book you’ve read recently? Or a book that has a notable impact on you?
- Your preferred place for crypto news?
Contact Info for NiftyApes
You can find more info about NiftyApes on their website niftyapes.money or their Twitter @niftyapes.
You can find Kevin Seagraves on Twitter [@captnseagraves](https://twitter.com/captnseagraves) and Zach Herring @zherring.
Full show notes on hackmd can be found here.