Calling the Zaif Exchange Hack and a Look at the Interplanetary File System (IPFS)

On this episode, Faizaan and I do a victory lap for calling out the Zaif exchange hack over two months ago. We will also do a deep dive into IPFS, what it is, what problem it solves, how it works, and how Cloudflare is getting involved in this space.

Here’s a transcript of QuantLayer Crypto Podcast #16.


The episode in its entirety can be listened to here:

QuantLayer is a software consultancy based in Brooklyn, New York. All opinions expressed by podcast guests are solely their own opinions and do not reflect the opinions of QuantLayer. The information presented should not be construed as investment advice. Guests may maintain positions and assets mentioned in the podcast.

Vikram: Hey everyone. You got QuantLayer here, Vikram speaking and joined by Faizaan, also known as the wizard. Hey, Faizaan!

Faizaan: Hey, how is it going?

Vikram: Good. I think we got to do a victory lap for something we called out about two months ago on our podcast. I think it was episode five actually. The podcast title was Crypto Teams Need To Communicate Better and what we did was we went through a bunch of the data issues that we see across crypto exchanges. One of these data issues was with Zaif which is one of these crypto exchanges based in Japan. They just announced that they got hacked and lost about 6,000 bitcoin as a result. A little bit of bitcoin cash and MonaCoin which is this kind of funny, weird, Japanese-focused cryptocurrency. They lost them because of the hack. The issue that we had been seeing with them was they kept adding fake data to their production API. So that’s just really bad data hygiene. Imagine logging into your Ameritrade account and seeing the ability to buy tickers of non-existing companies so you can buy non-existing stock. It’s just really bad. That is something that you don’t want to be doing in a staging environment. You don’t want to put test data in production. That’s just ridiculous. We’ll link to the podcast transcript for that episode in the show notes. But, what we basically thought was if they’re doing this with production data, there are probably other fundamental tech issues at Zaif, right?

Faizaan: Right.

Vikram: So, this is basically what happened. This is from a coindesk article which I will read here. “The licensed exchange, called Zaif, is operated by the Tech Bureau. It said on Thursday that the exchange first noticed an unusual outflow of funds on the platform around 17:00 Japan time on September 14, after which the company suspended asset deposit and withdrawal services.

Tech Bureau explained that after further investigation, it discovered that hackers with unauthorized access to the exchange’s hot wallets had stolen roughly $60 million in bitcoin, bitcoin cash, and MonaCoin. That being said, the exact amount of bitcoin cash stolen remains unknown.”

The last bit is kind of funny too. They actually don’t know how much they lost. So that’s basically what happened. They lost bitcoin, bitcoin cash, and MonaCoin as a result of the hack and then if you go into Zaif’s actual press release and it’s in Japanese. I don’t know Japanese. I’m just trusting Google translate here. But, there are some tech-focused issues that they detailed and those are pretty interesting.

The first one, since September 14th, some services such as deposit and withdrawal of virtual currency are not in operation at our service. We’re causing serious inconvenience to our customers. As a result of our survey, it turned out that some of the deposits and withdrawal of Hot Wallets were hacked by unauthorized access from the outside and part of the virtual currency managed by us was illegally discharged to the outside. So, I think that’s an interesting fact here that the funds were in a Hot Wallet, not Cold Storage.

Faizaan: Yeah. That’s one of those things where incomplete isolation doesn’t necessarily give anything away. It’s obviously way better that they had a Hot Wallet hack than funds stolen out of Cold Storage. But, given that there were indications that they are pretty careless with some of their technological management, it’s definitely something to be wary of.

Vikram: Yeah. It’s interesting to like consider what could have happened. I mean, we don’t know, right? It was a Hot Wallet. That means that it can be accessed likely from a web address, right? So, they could have had like administration details in Notepad or like an Evernote. I mean, who knows. Basically, like someone had access to the login that shouldn’t have, or someone had access that should have and just ran away with the money. It’s a pretty big problem.

The second thing that comes up in the press release, the reason for not being able to determine the damage quantity at the moment is that the server is not restarted until secure confirmation of safety is ensured in order to prevent secondary damage. As soon as the quantity of the virtual currency is determined, we will report it promptly. I mean, what do you think about this?

Faizaan: This one is much more alarming. The first item, okay, you had a Hot Wallet hacked as you mentioned. Potentially some procedural issues to your security in how you are managing your keys or passwords or some sort of information management issue. The second one is more alarming because it sounds to me that they cannot see what’s going on while their system is down like by auditing their logs, history of transactions, anything like that. They’re scared that if they restart it that basically the hack will continue, so they don’t have a way of like restarting it into a safe environment. This is alarming because it just means that they’re like pushing to production without any foresight from like DevOps perspective on like what happens if we have a disaster. You don’t want Hot Wallet to get hacked but it does happen, so you should have a better plan in place.

Vikram: Right. I think we’ll come down to that point about disaster recovery in a bit but I imagine that this should be top of mind for crypto exchanges especially on the hacking side.

The third part that’s mentioned. Okay. Currently, we are checking and strengthening security, rebuilding the server, etc. I like the et cetera. …in order to restart the system of depositing/withdrawing virtual currency, we are committed to restoration as soon as possible so please wait for a while.

Faizaan: That’s just a funny certain phrase.

Vikram: Yeah.

Faizaan: The same thing as I mentioned before, this I think reaffirms my initial suspicion that the way that they set things up, they can’t safely restart the system without the hack continuing. With the system down, they’re not able to see what happened. Again, we don’t know what happened for sure, but this is almost always the case of having like bad logs and just not being able to audit past transactions or history of how your system is being used. It’s important in production in general and like really important when you’re dealing with financial transactions. The fact that you need to somehow have the system running to go back and build a history of transactions is alarming because you should have all the logs for all of that anyway. This is not something that’s crypto specific. You see it all the time where the way things are built and deployed locally or in test environments are how they get deployed to production, but the reality is there’s a lot of things you can do in terms of deleting data, receiving data, manipulating data, that you can’t do in production and so it’s very easy to paint yourself into a corner. This sounds like what they’ve done here.

Vikram: Yeah. We have seen, as you said, we’ve seen this stuff, right? Like you’re working on an older application maybe, data has not been configured as it should have. You want to add a new feature that requires like some major change on the data side.

Faizaan: Yeah. I mean the most straightforward example that often comes up is you have an old system, you’re building a new system, you need to bring all of the old users into the new one. Let’s say 100,000 users and you built the whole thing without a plan for how you’re going to do that. You see sometimes situations where you have to basically communicate to all of your users the steps of going to the new system and get there correctly which is not a great flow. That’s not the exact same thing as this, but this is a scenario of like painting yourself into a corner, where with the correct plan you can make these transitions much more seamless or also a lot safer in terms of like if you do lose data or your system goes down, like you don’t lose all of your users or they don’t end up having to like reset all of their passwords or something like that.

Vikram: Yep. I guess one thing worth talking about is I think a lot of people listening are probably interested in this stuff, just broadly. If we’re just talking about production applications overall, of course this is going to vary from application to application like some requirements will be a lot lower, some will be a lot higher, but I imagine the bar should be a lot higher when it involves people’s money. For something like a production application at a crypto exchange, the bar for that production application should be a lot higher than say like a to-do app or something like that.

Off the top of my head, there are probably a handful of things that are super important. Faizaan, let me know what you think about this. I am sure you have a few other thoughts as to what else should be important. But five things came to mind: One, a staging environment where new features and updates are tested before release. Two, logging.

Faizaan: I would add to logging, like not just logging stuff, but making sure that you can actually ask questions of your logs that are going to be important to you. So, it’s not helpful to just log stuff and then your question is, what transactions happened in these last seven days. You can actually get the information.

Vikram: Right, that is a great point. I also wonder on the logging side. What are they doing for logging for like unauthorized access if someone is trying to access the Hot Wallet or they track IPs and things like that. Logging can mean a lot of things.

Faizaan: Yes. Exactly. Especially if you’re dealing with people’s money or your own employees that have access to your Hot Wallet. You essentially want to audit usage so any actions taken within the app by an admin that has access to anything sensitive should probably just be auditable.

Vikram: And then, as far as logging. I know we’ve used papertrail, right?

Faizaan: Yeah, that’s one service where we can just send all of our logs to.

Vikram: That’s one service for server logs. I’m not sure if they do other type of logging, but as far as server logs go, they have been a very useful one.

Faizaan: You can send anything over there. It just depends on what you want to do.

Vikram: Yep. Then, bug tracking / notification. So, when your production application hits a bug, you want to know when that happens. On a prior podcast, we talked about Bugsnag for a bit so you can listen to that in terms of what they offer but that’s a great tool for being able to capture when a bug hits your platform. You can give a x10 for it. If you have logging setup, you can use the timestamp to go look at the logs and it just helps make this flow a bit better.

Then security, of course. This is broad and I know that, but in terms of did Zaif have any kind of security audit happen beforehand. You know, having funds transferred out of a Hot Wallet sounds like some pretty sloppy admin credentials being shared or some kind of inside job. I would split security into two categories where you know, you have the technical portion of it which is like making sure you’re doing everything correctly from a technical perspective.

The second is the processes and then what they call IAM which is like identity and access management where you should know who has the authorization to do what and it should be impossible to revoke it. Too often you see you know like the whole Dev Team have the access to do whatever in whatever environment. You don’t know if the dev is careless with that information, they’re using a personal computer, then they leave to go to a different job, so you should have everything in place where you can track who has access to what and be able to revoke it.

Faizaan: Right.

Vikram: Again like to the point about the person, an employee leaving, again a lot of the stuff might not be malicious. It might just be an absence of consideration, so having some kind of system in place for that is super important. Of course, disaster recovery: like your database goes down and gets corrupted, like what happens?

Faizaan: Yeah, you don’t want to suffer data loss but in the event that you do, you should be able to restore it to some reasonable state and in the event that for some reason you can’t, that’s where then you can rely on the logging and auditing. In their scenario, it’s pretty alarming because it looks like they can’t get their transactions out from anywhere without actually essentially re-running the app and doing their debugging on a live app.

Vikram: Right. That just sounds scary as a crypto exchange.

Faizaan: That’s bad.

Vikram: I don’t mean this to say, oh we’re so great or anything like that, but you know, we do regular backups for alerts because we have 2,000 alerts coming in every day; over the course of a month, we have 50,000, 60,000 alerts coming in. If our database went down like for a day, we need to have regular backups of that data. We don’t want our users to not have access to alerts for like a 24-hour period even if the application’s running.

Faizaan: Right.

Vikram: So, a lot of basic stuff.

Faizaan: I would say, going back to your original point, we discuss a lot of these things, it’s not possible to know from the outside whether or not like Zaif was following a lot of best practices, but seeing things like test data in production, it’s sort of the canary in the coal mine, if that’s the right analogy, but it sort of gives us an inkling that maybe things are not alright with their process.

Vikram: Yeah. It’s a red flag. I think I tweeted this out earlier, but I was like, look, if you put test data in your production API, I’m just not going to use your exchange. I think it’s just bad data.

Faizaan: Sloppy. It’s just sloppy.

Vikram: Sloppy. Yeah. There’s this other thing that we wanted to talk about a little bit. So, Cloudflare. It’s a CDN. They just announced that they are supporting IPFS through a web gateway. I thought this would be interesting to talk about, Faizaan.

Faizaan: Yeah. So there’s a number of topics here to break down. The first piece, I’ll just give a very basic summary of IPFS. Obviously there’s some really good videos and articles that we can add to the show notes for you guys to dive in more deeply. But IPFS stands for Interplanetary File System which is a very grandiose name. We’ll break down what that means.

The idea with IPFS is that rather than asking for give me all of the data at this location, you actually request content by its hash. So let’s say I have an article. I can hash that article and with that hash, I could say, give me the article that corresponds to this hash.

Vikram: So, quick question to step back for a second. Why would you want to do it this way?

Faizaan: There’s a number of reasons. So the idea here is that, rather than having a centralized server-client model where you ask the server for the data, and essentially they can give you back whatever because you don’t know what you’re asking for. You’re actually just saying, give me what’s at this location. So, you are trusting the server. You’re also relying on that the server is going to be there. It hasn’t gone down. You’re trusting that what they are giving you has not been tampered with. Essentially, IPFS solves a couple of problems. It’s a distributed system so it gives you the redundancy and resilience of that. Because you’re requesting content by hash, it’s inherently tamper proof because you’re saying give me the content that hashes to this. Someone can’t give you something tampered because the hash is not going to match.

Just to give you an example of why would I use IPFS over just serving something over a server. Let’s say you have a distributed app like Crypto Kitties. You have the data for the kitties on the ethereum blockchain but obviously, storing things directly on chain is very expensive and you would want somewhere to be able to put the artwork and the assets of the site and things like that, like the site itself, the Crypto Kitties and so on. You could essentially put those on IPFS and now your app is fully distributed. You’re not relying on a central server, but rather on a series of nodes that are serving your content.

Vikram: So, just to understand this better, the hash, does the file correspond with the hash one to one or is it broken up across hashes?

Faizaan: The hash is not a file. It’s a block of data. A file could be multiple blocks of data. The way an arbitrarily large like let’s say file or application or repository would be stored is by this data structure. It’s basically a Merkle directed acyclic graph. So there’s two parts to that. One is the Merkle piece and the other is directed acyclic graph.

The idea is, let’s say that I have a file that has four blocks of data, right? I don’t know that I need to request those four blocks and then that they turn into this file.

Vikram: Okay.

Faizaan: So, I can request the file and then the system will basically like, then I can get back the blocks and the way it works with this Merkle is that I can easily verify that these four blocks are what make up that file because the file has a hash, but each of those blocks has a hash. Let’s say I have four blocks. The first block would have a hash, second block would have a hash, and so on and so forth. Think of those as leaves of a tree. The first two blocks, their hashes have another hash and similarly for the third and fourth block. Those hashes ultimately are the root hash so you can sort of see how it forms a tree.

Vikram: Yep.

Faizaan: This gives you two things actually. This gives you integrity, so you know that I can’t swap out one of the blocks on you either. Like, I know that the hash of a block, like the content of the block has to hash down to the hash they request, but here, for requesting something that’s composed of multiple blocks, it also provides security. A side effect is also that it essentially gives you a version control system, this Merkle is the same data structure that Git uses, like that’s how Git actually manages your different versions. It’s immutable. It uses these hash-based references. Basically you’re just putting it into like this global system that multiple nodes are running for serving up files.

Vikram: Got you. You’re breaking up the file, I assume, because of size like you’re limited to the size of each unit.

Faizaan: Yeah. I will post some stuff about the specific implementation details but the idea is that, it’s just an arbitrary chunk of data that can compose into larger chunks of data as opposed to the files or videos or images or what have you.

Vikram: That sounds pretty badass.

Faizaan: Yeah. Just to give you a real world example of something that’s out there that’s similar in terms of the problem it solves. Like Netflix uses something like 30% of the bandwidth in the United States I believe. It’s in that order of magnitude.

Vikram: Yep.

Faizaan: Obviously when we’re all streaming Netflix, it’s not all coming from one server somewhere, like you find in India, in New Mexico, like that would be very impractical. So what Netflix actually does is they cache their most popular content directly at the physical location where the ISPs are all over the world. When you request certain things like in my region, I’m maybe more likely to watch something to do with cars, I’ll fetch that show from potentially my closest node. This basically gives us the idea of like a distributed system that’s more resilient and also more performant. Individual nodes can go down. In fact, parts of the internet can go down and you might still be able to stream your Netflix.

Another example just to lay some groundwork is I think we talked about the way traditional internet would work. So, if I type in, we get taken to our landing page. What’s happening there? The first thing is, there’s something called DNS. Basically what that does is it maps like to the location of our server. Again, this is a semi-centralized process. There’s multiple servers but they are all run by central organizations; Cloudflare provides it, Google provides it. There’s a number but it is a somewhat centralized system. So, I use DNS. I find out where I want to get the information and then our server just gives me back whatever they want. We can change our site every day and you can go to QuantLayer and you’ll see something different.

That can be a good thing or a bad thing. It’s a bad thing if that’s happening because someone is like tampering with it or someone has somehow intercepted our traffic and is sending you a fake site. It’s a good thing because by having that address, I know this is where is. I’m not saying, give me some specific image on this website. How would I know how to get that? So that brings us to one problem with IPFS which is, like let’s say a very simple website, just HTML, CSS, a couple of images. How do I know where to go and get them? This brings us to IPNS. What IPNS is, it’s a hash that’s an immutable reference to another hash. So, what I can do is I can take my domain, point the DNS settings to the URL for this hash. I can basically constantly update what actual content that hash points to. If we deploy a new QuantLayer site, it’s going to have a different hash, then if we deploy another one, it’s going to have a different hash. Rather than constantly changing our DNS settings which is not practical, we can just swap out our IPNS. This essentially solves that issue of IPFS hashes being immutable, but you’re still wanting some sort of an immutable reference that you can connect to your DNS.

I sort of went off on a tangent with how you fetch data and use DNS, but just to jump back a step, where is this data stored? Like we just talked about, there’s no servers anywhere, or there’s no central server. There’s different nodes, so how are you getting this data from these nodes? Basically what happens is these nodes have these distributed hash tables. That was some of the stuff that we talked about earlier. Basically what will happen is when I ask for a specific piece of content by hash, it gets looked up on this distributed hash table. Now, in the distributed hash table, the key is the content that I requested and the value is one of two things. It’s going to be either the content itself if it’s very small and it actually makes sense to put it on the hash table itself, or it’s going to be a list of the nodes that I can actually get the data from. Basically, if I say I want this content that has this hash, I go look it up on a distributed hash table and then I know which nodes I can fetch the data from.

Vikram: Yep.

Faizaan: A version of this was BitTorrent where you were connected to all of your peers and you would fetch data by blocks and then you would compose all those blocks up at the end. That’s an example of a similar system. People always say like, wow, why interplanetary. If you think about it, if you have a server-based system and you’re on Mars, if you’re trying to access, there’s unfortunately going to be a lot of latency. You’re going to get alerts. I haven’t checked the speed of light, how long it takes to get to Mars. You’re going to be a little bit behind on getting alerts.

Vikram: Yes. Your trading is going to suffer.

Faizaan: Yeah. You know, if you’re on Mars and you’re trading on an Earth-based product, you’re at a disadvantage. The nice thing about IPFS is if we talk about that Netflix example of where I was able to stream my car show from my local server in India, it’s that same idea where if we’re publishing some of the stuff into IPFS, a lot of this content could get cached on Mars so you don’t have to go to our server directly. A couple of things to add in terms of like why would you use IPFS? Okay we talked about it’s distributed and redundant, but you could argue so is a CDN. You can just go use a proprietary CDN and then you get some benefits. One big item that people really like about IPFS is the idea of censorship resistance. Because it’s not controlled by any central authority and you have all these distributed nodes. In fact, it doesn’t actually matter how the nodes communicate so even if the internet goes down, as long as you have some sort of other overlay network, you can still bypass various censorship and serve content, so that’s a pretty big deal.

Vikram: Yep.

Faizaan: Coming back to Cloudflare.

Vikram: One question before Cloudflare.

Faizaan: Sure.

Vikram: Certainly, certain types of data are probably better suited for this than others. Like I imagine like video on this would just be a non-starter, right?

Faizaan: I don’t know off the top of my head how much… If you remember back in the day when you would torrent legal things like Ubuntu, the more people that were like seeding the content, essentially the more nodes there were, the faster things would download. So it’s a similar idea. It’s not necessarily that a video won’t work. It really depends on the strength of the network. If you push something up and it does not get distributed widely, it may be slower initially, but if it becomes something that’s heavily used and distributed by a lot of nodes, then it can be relatively performant as well.

Vikram: Okay. Just understanding the distribution part a little better, just trying to visualize it, so when you say upload, I’m just uploading a file to IPFS and I want to share that file with you, do I just give you a hash of its contents?

Faizaan: You could.

Vikram: Okay.

Faizaan: If you know the hash of the content then that’s how you would do it. If you look at something like how a torrent file would work, it basically knows all of the blocks of data that it needs and then it goes and finds them, and then it composes it back into like the Ubuntu distribution at the end.

Vikram: Because I’m just picturing, like we’re talking about censorship resistance. There’s this whole story from a few months ago where someone in China was writing about how terrible their work conditions were and they encoded it into the ethereum blockchain. You just needed access to the public, basically the transaction hash of the ethereum blockchain for that, and then to just read that note. I’m just wondering like, if people wanted to use this for something like that to write public letters, open letters, and then have that shared with people.

Faizaan: It’s fundamentally the same thing because you have this hash-based structure that’s distributed, that you’re writing data on in an immutable fashion. Fundamentally, you’re solving the same problem but IPFS is just much more economical because it’s expensive to write contracts on to ethereum so if you’re using it as a data storage, it’s not the best way.

Vikram: Right.

Faizaan: You may use it to store a reference. That’s coming back to that distributed hash table we talked about. We don’t store all of the content on the DHT. If the content is very small, we’d put it there but if it’s large, we store references to all of the places where the content is, so we can go get it and hopefully that’s multiple sources so it’s censorship resistant and whatnot.

Vikram: Got it. So what is Cloudflare up to here?

Faizaan: Okay, so Cloudflare. They do a lot of stuff so I’m not going to cover all of their stuff. Three things that they’re known for is that they have a CDN service, that’s a content delivery network which I related to earlier. They provide DDoS which is distributed denial-of-service protection so basically, let’s say we have our single QuantLayer server and some botnet decides it’s going to send like a million requests or let’s say a billion requests because I think we could handle a million, so let’s say that it wants to send a billion requests to try and take us down, Cloudflare would essentially intercept and redirect that traffic so that our site doesn’t go down. So, it basically blocks the malicious traffic and lets the good guys through. They also are DNS providers so they will run name servers that do that name resolution. Basically, if you need security or some sort of performant manner of serving content over the web, they have some sort of product to help. The CDN being the performance side of things, DDoS protection being the security side of things, so they just have a suite of products in that general domain.

In theory, you don’t need Cloudflare, you can interact with IPFS directly, but what Cloudflare does from just a developer and DevOps perspective is, if you don’t want to run your own nodes but you still want to be able to fetch files from IPFS, they give you this gateway which is effectively an API that lets you fetch data by hash. I don’t remember the exact URL but let’s say we have a gateway. It would be QuantLayer/IPFS/hash and if you went there, you’d get back the file. So, Cloudflare essentially lets you just make an HTTP request to get back data that’s on IPFS.

Vikram: Yup.

Faizaan: This is a big deal obviously like having more nodes in the system is good, but also making it very easy to fetch IPFS data is an important step in increasing adoption because you’re just making it easy from a development and DevOps perspective. What also makes it nice is because it’s an HTTP gateway, you can point your regular DNS directly to the content as well. If we put an image on IPFS and we have our normal website, we can just reference that IPFS URL in one of our image tags, so that’s pretty slick.

Vikram: Yeah.

Faizaan: That’s sort of all I had on that topic. We will post some links. It’s definitely an interesting technical space.

Vikram: One thing, we’ll post a link to their press release because it’s pretty good, right? It walks through IPFS, how it’s used. I think their list is like there’s billions and billions of files… there’s 5 billion files that have already been uploaded to IPFS. I know what’s going to be on the mind of regulators when they hear about this technology. There’s a section called like dealing with abuse. It’s basically they’re saying like IPFS is a peer-to-peer network, so there’s the possibility of users sharing abusive content. This is not something we support or condone. Then they say if there’s any abusive content that’s found, you can report it here. I don’t know how this will be handled but it is certainly an important concern.

Faizaan: Yeah. Another thing to keep in mind is also with EU privacy laws, the right to be forgotten or whatever. The stuff you put into IPFS is immutable. You can’t go back and delete stuff. It’s just something to keep in mind.

Vikram: Yeah. It will be an interesting future ahead. We also wanted to go over some interesting alerts that came through the dashboard this past week.

Faizaan: Yeah. One that we had pointed out earlier, I just thought I’d re-mention it. There’s this company called Livepeer and they have this library called Merkle-mine. We’re seeing some contracts again that are using over 20% of the ethereum network. Now, the library is open source so maybe it’s Livepeer. There’s some video streaming service, maybe it’s them using it or someone else. But, over 20% of the usage by a single contract is pretty severe.

Vikram: Yeah, and if that happens over a couple of contracts like right now, I’m just looking at our dashboard, so there’s an address using 5% and another address using 6%, and an address using 21%. So, over 30% of the network is being used right now.

Faizaan: Yeah. I mean if they’re using it to stream video, maybe they should think about putting some of that on IPFS.

Vikram: Yeah.

Faizaan: Another one that came through, and this one caught my attention because of the title. Scam alert: Betvibe makes false claims about core team members. That’s what was just in the feed, and then I clicked and I got the summary. The summary was pretty good as well. Basically, this company, Betvibe, is just saying stuff that is not true about their core team, which is pretty alarming. They have people on their site that don’t have any references to Betvibe on their LinkedIn profile or anything like that. Just seeing something like Scam Alert and being notified to be aware of this coin is useful. I followed up on who actually put this out there. There’s this team working on something called MetaCert so I’ll just read what they say they do. “MetaCert protocol is decentralizing cybersecurity for the internet by defining ownership and URL classification information about domain names, applications, bots, crypto wallet address, social media accounts, and APIs. The protocol’s registry can be used by ISPs, routers, wifi hotspots, crypto wallets, and exchanges, mobile devices, browsers and apps to help address cyber threats such as phishing, malware, brand protection, child safety, and news credibility. Think of MetaCert protocol as the modern version of the outdated browser padlock and whois database combined.” So that’s pretty neat. Basically, they just scan all of this stuff and they’re generating a whitelist of stuff to block that’s scammy or shady.

Vikram: Yeah, that’s really cool. I’m just looking at the team page. They just pick random people and put them as team members.

Faizaan: I don’t know if that’s what they did, but that brings us to our next alert which came through, which again had scam in the title, and whenever I see that, I get excited. So, basically this Tkeycoin just had a fake team on their page, or just a bunch of stock photos.

Vikram: I’m just looking at it right now. It’s just a bunch of stock photos.

Faizaan: Imagine there’s the fakest thing that you could come up with. Like, why is this guy in an apron holding a bunch of muffins?

Vikram: Maybe this is a joke.

Faizaan: This guy has like a colorful bowtie. Imagine just picking a random selection of stock photos and throwing them on a crypto page.

Vikram: There’s a guy holding a rose.

Faizaan: Yeah. It’s not one of those goofy text sites where people have their hobbies in the photos. It’s really just a bunch of random stock images. I thought that was pretty funny. It’s nice to see like scams getting caught and being pushed through and just like showing up with that right in the title. You see it real quick.

Vikram: Yeah.

Faizaan: I love looking through the GitHub stuff as well. There’s something called the AElfProject. The PR was called, transaction lost bug fixed. I didn’t do a super deep dive into it, but basically they pushed up some code that was fixing timeouts that were happening and also transactions getting lost. Again, if that’s a coin you’ve invested in or are interested in, that’s something you’d want to follow up on, like, hey! Are these lost transactions on something that’s not live or is live, and why is it happening, and what is this fix? Those are some questions that would come to mind.

Vikram: The GitHub alerts are really interesting because you just search for some common keywords like bug fix, bug, or fix, or transaction even, and there’s a lot of stuff that comes up. Again, we mentioned it before. You don’t have to actually be a developer to get some value out of the GitHub commits. Some of the alerts that we end up surfacing have titles like the one that Faizaan was just talking about, transaction lost bug fixed. You don’t need to be a developer to know, like, oh, there’s something wrong with transactions.

Faizaan: It raises some important questions that you need to have answered at the very least.

Vikram: So there’s a ton of cool alerts that come through, and I think the GitHub ones and the Telegram chat ones are probably my favorite in terms of interesting information that comes out of them.

Faizaan: Yeah, because it just raises so many questions about that specific project. Another one that came through. This one just got me because it’s a big number, “Bitcoin Hedge Fund records 10,000% returns.”

Vikram: Okay.

Faizaan: This is interesting because 10,000% returns. Oh, wow. But, you know, we’ve seen early buyers of bitcoin with those kinds of returns and much greater, so that’s not anything surprising. We’ve also seen a lot of hedge funds pop up like last year when the price rallied, but what’s interesting about these guys is they’ve been in operation since 2013. I think they spun up when bitcoin was around $125. That basically explains a lot of their returns. But they have not just HODLed bitcoin. They’ve actually traded into a number of vaults as well.

Vikram: Right. This is Pantera Capital.

Faizaan: Pantera Capital. That’s right.

Vikram: Yeah. 2013 seems like it’s ages ago in this space.

Faizaan: Yeah. I mean I remember 2013 because late 2013 and early 2014, there were some spikes. I just remember a few people that I knew that held bitcoin were like constantly checking it.

Vikram: Yeah. 2013 to 2014, I think it went from like 100 to 300, to 1,000 in a very short period.

Faizaan: Yeah. It like touched 1200 and then went back to below 1,000 and didn’t come back for a long time.

Vikram: For like years, for like 2 years almost.

Faizaan: Yeah.

Vikram: It went from 1,000 to around 200, or maybe a little below that before it started picking up again over the last year or so, or more than last year.

Faizaan: Going into the next alert. I always like looking…

Vikram: Before we go into that, it does bring up an interesting topic around this concept of when people want to call a bottom. Why do you think people do that? Why do you think people feel the need to say, okay, bitcoin has hit its bottom?

Faizaan: I think there’s some subset of people that have to have definitive answers to something, and they would rather come up with a strategy for getting them an answer that they are like happy with than just not having it. Like honestly, I think that’s what drives a lot of technical traders. People need to have some range or number that they can get to based on something. I think that’s all it is.

Vikram: Historically, I have never met anyone who has been able to successfully call a bottom on a regular basis. Calling a bottom is saying, something goes from like 100 to 5, and you’re saying, oh five is the bottom, and then it never ever goes below 5 again. For someone to be able to do that on a regular basis, that’s like clairvoyance. You just can’t do it. In crypto you see it so often.

Faizaan: There’s a steady stream of, in my mind, garbage articles that all they do is say someone predicted a thing. Back in 2014, they predicted a thing and they are right; or back in 2014, they predicted a thing that was wrong. It’s just a steady stream of articles from the CNBC and the like.

Vikram: Investing in something or trading on something just because somebody was right one time like three years ago is not a good strategy. I’ve heard this before, like, oh, John Paulson, he called the housing crisis and he made a billion dollars or something like that. Then he lost a bunch of money like two years later. Again, all this stuff is, the best traders and the best portfolio managers are not necessarily right even 50% of the time. They can be right like 20% of the time, and this is just math. Like, if you’re right 20% of the time but your payoff is 100x and you’re wrong the rest of the time when you lose all your capital. I’m just giving an explanation from the options side. You still have made a ton of profit. So if you ever hear a portfolio manager, we’ve talked about this before on a few other podcasts, but like a portfolio manager comes on and says, oh yeah, this is the bottom. They’re doing that not because it’s the bottom necessarily but in the chance that they’re right, in two years, they’re going to have a ton of money come their way that wants to invest with them. I think media just likes it too because it drives a lot of traffic, like, oh, you know, Paulson said this and now he’s saying this. People are going to read it. I know I will read it too.

Faizaan: John McAfee?

Vikram: Right. Yeah.

Faizaan: We’ve talked a lot about the financial stuff, but I’m always interested in the nonfinancial uses of blockchains. We’ve talked about identity before, fraud protection, anti-corruption. A big problem is counterfeit drugs. I think one report I read said 700,000 people had diarrhea from counterfeit drugs. When I say drugs I mean like pharmaceuticals. I think 20% of that is in India, so counterfeit drugs are a five billion dollar market in India. That’s huge. We saw it come through that basically India is going to put drugs in their supply chain on the blockchain so in real time, you can validate whether something you have is counterfeit or not, which is pretty sweet. It’s one thing to put a serial number on something, but someone could replicate that serial number, and how would you know whether it’s been produced yet or sold or consumed? By putting that on the blockchain as it passes through the different steps, you could very quickly look up, like, hey, this serial number has already been sold, so what I have must be fake. That’s a pretty cool real-world use.

Vikram: So the Indian government has already hired Oracle in order to create a pilot project involving blockchain technology. I imagine Oracle is probably selling this kind of product pretty heavily for this kind of stuff.

Faizaan: I assume all the big enterprise services companies… I see those ads for IBM blockchain where they’re like tracking coffee.

One other item, I know we talked about Elon Musk and Tesla. I have some non-Tesla related Elon news, so anyone that follows him on Twitter, you see he had these crazy amounts of ethereum crypto scam bot activity where there’s like these ethereum giveaways. He just tweeted at the founder of Dogecoin, like, hey, can you help me with this? I guess that guy wrote a script to help clean it up and it’s helped with filtering out some of these scam bots.

Vikram: Nice.

Faizaan: It’ll be good to see some of that stuff get mainstream and back in so that maybe Twitter can take some action against that sort of thing.

Show Notes:


  • A victory lap for calling the Zaif exchange hack over 2 months ago
  • Cloudflare IPFS
  • The purpose of IPFS and how it works
  • What IPFS is
  • Where data is stored
  • Why interplanetary
  • What Cloudflare does



Hey everyone, this is Vikram again. Thanks for listening to us. If you’re an exchange, a trader or working on a crypto project, get in touch with us. You can reach us on twitter at or email us