Troy Le of Verichains On Rethinking Blockchain Security

Roberto Popolizio

Whatever you know about cybersecurity, cybercriminals probably know that too and are already finding new ways to breach your defenses and steal your sensitive data.

How can you always stay on top of the latest threats, vulnerabilities, and emerging trends to effectively protect yourself or your business as cyber threats grow in number and sophistication?

In this new interview series by Safety Detectives, I am talking to cybersecurity experts and business leaders who share untapped insights from their experience and expertise that will help you be more aware and effective in protecting your sensitive data.

My guest today is Troy Le, Head of Business at Verichains, an independent security firm researching new critical zero-day vulnerabilities in the blockchain industry. More than 200 clients trust Verichains with $50 billion in assets under protection, including firms like BNB Chain, Aptos, Bullish, Polygon, Wemix, Ronin Network, and Kyber Network.

Prior to Verichains, Troy co-founded Algorithmics Vietnam and Le & Co Estate Agents, held multiple roles at OYO and Keller Williams Vietnam, and was a real estate auctioneer in Australia. He has also been a keynote speaker on topics related to ransomware threats to the banking sector and blockchain security.

To start, can you share the story of what inspired you to pursue your professional path?

My background is in sales and management, and over the last couple of decades, it’s been hard to miss the fact that software has been transforming the world. This is evident in the sharp rise of consumer and enterprise SaaS.

I joined Verichains about 2 years ago, when it was acquired by VNG Corp, one of the largest tech companies in Vietnam. I was brought on as the first corporate headcount, tasked with transforming a previously unknown but highly technical research lab into a global cybersecurity brand.

At Verichains, we’re at the intersection of blockchain/Web3 and cybersecurity, which is a fascinating and dynamic space in tech. In Web3, the technology cycle moves fast, and novel solutions and implementations are always being introduced to the market. For example, in the last couple of years, we’ve seen the rise and widespread adoption of zero-knowledge proofs, a piece of privacy-enhancing technology now widely used in blockchain scaling solutions known as Layer 2 blockchains built on top of Ethereum.

However, with rapid advancements come new vulnerabilities. New technologies generally require time to mature and become safe and stable enough for widespread use. At Verichains, we focus on identifying and addressing these vulnerabilities to ensure the security and stability of these cutting-edge technologies.

Working in such a rapidly evolving field is both challenging and rewarding, as it keeps me engaged and constantly learning. The opportunity to help shape the future of cybersecurity in the Web3 space is what drives me every day.

📗 How zero-knowledge proofs work

Imagine you and your friend are looking for Wally in this image:

You know exactly where Wally is, but your friend doubts you. To prove you know Wally’s location without revealing it, you cover the entire page with a large piece of paper, leaving a small cutout that shows only Wally. Your friend can see Wally through the hole, so now he’s sure that you know where Wally is, but he still can’t determine his exact location in the picture.

You have proven that you know Wally’s location without giving away any specific detail. You’ve proven your knowledge without giving away the secret!
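The Wally analogy corresponds to an interactive proof of knowledge. The Python sketch below is an added example, not part of the interview and not Verichains' code: it runs the Schnorr identification protocol over a toy group, where the parameters `P`, `Q`, `G` and all function names are assumptions chosen for illustration.

```python
import secrets

# Toy parameters, constructed for illustration and far too small for real use:
# P = 2*Q + 1 with P and Q prime; G = 4 generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    """Prover's secret x (the 'location of Wally') and public value y = G^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def commit():
    """Prover picks a fresh one-time nonce k and sends t = G^k."""
    k = secrets.randbelow(Q)
    return k, pow(G, k, P)

def respond(x, k, c):
    """Prover answers the verifier's challenge c with s = k + c*x mod Q."""
    return (k + c * x) % Q

def verify(y, t, c, s):
    """Verifier accepts iff G^s == t * y^c (mod P); x itself is never sent."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P

def simulate(y):
    """Build an accepting transcript WITHOUT x by choosing c and s first.
    Honest-verifier transcripts have the same distribution, so they leak nothing."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(y, Q - c, P)) % P   # y^(Q-c) = y^(-c) in this subgroup
    return t, c, s

def extract(c1, s1, c2, s2):
    """Two answers to different challenges under the SAME nonce reveal x,
    which is why a nonce must never be reused (and why the proof is sound)."""
    return (s1 - s2) * pow((c1 - c2) % Q, Q - 2, Q) % Q

if __name__ == "__main__":
    x, y = keygen()
    k, t = commit()
    c = secrets.randbelow(Q)                    # verifier's random challenge
    print("honest prover accepted:", verify(y, t, c, respond(x, k, c)))
    print("simulated transcript accepted:", verify(y, *simulate(y)))
```

The cutout in the analogy plays the role of the transcript `(t, c, s)`: it convinces the verifier, yet `simulate` shows that an identical-looking transcript can be produced without the secret, so seeing one teaches nothing about `x`.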

What are all the pain points you solve and for whom? Explain it in simple terms.

At Verichains, we tackle a range of cybersecurity challenges for both traditional ‘web2’ businesses and blockchain-native ‘web3’ companies. Our clients turn to us because they need to manage their IT budgets efficiently while keeping their systems and software secure against ever-evolving threats.

For Web3 Companies 
Unlike traditional software that can be updated and patched regularly, smart contracts are immutable once deployed. This means any bugs or vulnerabilities in the code are permanent and fixing them can be incredibly costly, often requiring the deployment of new contracts and data migration.

To help with this, we offer thorough security assessments for Web3 projects. Our services include static and dynamic analysis, formal verification, and manual code reviews early in the development process. This allows us to identify and fix vulnerabilities before the smart contracts go live.

Essentially, we help Web3 developers and project owners ensure their smart contracts are secure and reliable right from the start, preventing costly mistakes and giving them peace of mind.

For Banks and Fintech
Banks and fintech companies face increasing threats of fraud, identity theft, and the compromise of sensitive customer data. Bad actors are now developing more sophisticated methods and increasingly targeting devices and users directly. To address these challenges, we offer BShield, our bank-grade application security solution.

BShield protects financial institutions from these sophisticated cyber threats with advanced protection measures like real-time threat detection, robust encryption, and secure authentication processes.

Our goal is to ensure the safety and reliability of digital assets and sensitive information, making the digital world a safer place for everyone.

What makes Verichains stand out in the blockchain security industry?

Our technical expertise comes from our active involvement in security research, consistently finding critical zero-day vulnerabilities that impact core blockchain technology.

A great example is TSSHOCK, a comprehensive security study of Multi-Party Computation (MPC). This research has helped MPC solution providers safeguard billions of dollars in digital assets, highlighting our commitment to advancing blockchain security through innovative research.

The three attacks uncovered in TSSHOCK enable a single malicious party to steal potentially millions or even billions worth of crypto assets in seconds without leaving a single trace.

We provide a broad range of security services and complete solutions, making it possible for organizations of all sizes and at different levels of technology maturity to benefit from our expertise. Our team of elite white-hat hackers and security researchers has successfully mitigated some of the biggest hacks in Web3 and worked with industry leaders like Binance, Ronin, Wemix, Aptos, Klaytn, Sui, and Polygon.

What really sets us apart is our cross-domain expertise in key areas of cybersecurity. We excel in cryptography, the core technology behind encryption, and reverse engineering (the skill of taking software apart to understand and secure it better).

For instance, we developed the Revela decompiler tool for the Aptos Foundation, a public blockchain project that evolved from Facebook’s Diem. This tool, the first of its kind for the Move programming language, allows anyone to decompile Aptos smart contracts and recover the underlying Move source code. This aligns with the open-source spirit of blockchain and Web3, where transparency helps improve security.

In short, Verichains offers a unique blend of:

  • Innovative research
  • Comprehensive security services
  • Cross-domain technical expertise

What are the most overlooked cybersecurity and online privacy threats that you see affecting end users? Why are these threats particularly concerning?

Balancing convenience with privacy is a significant challenge in online safety, but there are practical steps you can take to protect yourself.

1. Limit the amount of personal information you share online. Be selective about what you post on social media and other public platforms, and regularly review and adjust your privacy settings to control who can see your information. By understanding that oversharing makes you a more attractive target, you can minimize the value of your data to bad actors.

2. Always verify the legitimacy of a source before clicking on links or downloading attachments, and ensure the website is secure (look for HTTPS and a padlock symbol) before entering any personal information.

3. Regularly monitor your accounts. Frequently review bank and credit card statements for any unauthorized transactions and set up account alerts to notify you of suspicious activities.

Staying informed about the latest online scams and tactics used by cybercriminals is also essential, but there are so many educational resources available. It can feel overwhelming.

Start by understanding the risk and reward for criminals, and strive to be disciplined in limiting the sharing of personal information. By taking these steps, you can make yourself a less appealing target and reduce the risk of becoming a victim of online scams.

In your opinion, have tools and technologies improved enough to help end users secure their online privacy effectively? What improvements can be done in this area?

While we’ve made great strides in helping people secure their online privacy, with advancements in encryption, secure messaging apps, and privacy-focused browsers, challenges remain, particularly in balancing usability with security.

On the other hand, the explosion of smartphones and social media means that enormous amounts of our personal data are being collected every day, often without us fully realizing it. This includes not just what we say and do online but also information about where we are and who we interact with.

This kind of data, called metadata, can paint a very detailed picture of our habits and relationships even without access to the content of the communications. Protecting our privacy in this environment requires not just better technology but also stronger rules and privacy laws to protect end users and demand more transparency from companies that handle our data.

These two cases highlight the significant harm that can be caused by the illegal sale and use of metadata:

  • In 2014, Cambridge Analytica harvested the Facebook data of millions of users without their consent. This data, such as user profiles, likes, etc., was used to influence American voters’ behavior during the 2016 presidential election through advertising.
  • Meta has been fined 1.3 billion USD by the EU for the illegal transfer of users’ personal data from the EU to the US. This data can be used for targeted advertising and surveillance purposes.

A positive trend is the rise of services that help people find and remove their data from large data brokers who collect and sell it without permission. The data brokerage industry is vast and operates largely in the shadows, trading in vast amounts of personal information often without our knowledge. These services cannot completely eliminate new data collection, but they can still help individuals reclaim their privacy and reduce the risks of their data being misused.

The downside is that these services can sometimes be expensive, and the general public may not be aware of them at all. This further highlights my view that the battle for privacy will continue to intensify, and whether we like it or not, it will ultimately fall on each of us to better educate ourselves and limit our own exposure.

How can our readers follow your work?

Website: https://www.verichains.io/

LinkedIn: https://www.linkedin.com/company/verichains/

X: https://x.com/Verichains

About the Author

With over 13 years of experience in managing digital publications, Roberto has coordinated over 5000 interviews with the biggest names in cybersecurity, AI, cloud technology, and SaaS. Using his knack for communications and a growing network of cybersecurity leaders, he provides newbies and experts alike with beyond-the-fluff online privacy tips, and insider perspectives on the ever-evolving tech world.
