How Spherex is Tackling Smart Contract Vulnerabilities

16 May 2024

Join us as we sit down with Eyal Meron for our "Innovators in Web3" series, where Eyal shares his journey from a seasoned cybersecurity expert in the Israeli cyber community and former CISO of Bank Leumi to leading strategic visions at spherex.

Ishan Pandey: Hi Eyal, it's great to have you here for our "Innovators in Web3" series. Can you share how your experience as someone who spent many years in key roles in the Israeli cyber community and as CISO of Bank Leumi shaped your journey and strategic vision at spherex?

Eyal Meron: Hi Ishan, happy to be here. My vision for spherex stems from many years of tackling cyber security challenges, together with maintaining a level of protection required in the financial sector.

Web3 is still a relatively new digital space, which has the potential to disrupt the way the global economy works. It is actually a fundamental element in the digital transformation of humanity, but its cyber component must be solved in order to enable the realization of its potential.

When we look at the cyber situation within Web3, it’s clear that the infrastructure layer is well-protected thanks to the principles of decentralization and cryptography. The users, on the wallet side, receive quality treatment both in maintaining the private key and in verifying that its use corresponds to the owner's intention.

The application layer, by contrast, meaning the smart contracts and the interactions that take place within them, is a weak link that is a source of various types of hacks and compliance gaps, in a way that must be upgraded. The current ratio between the scope of activity and the scope of hacks does not allow for a stable financial ecosystem.

Attacking contracts is where the ROI for the attackers is the highest and it is not for nothing that they are attracted to the space. The monetization is fast (they are "one step from the money"), the code is exposed to them, which makes it easy to find vulnerabilities, and finalized transactions are immutable so that after a quick attack the advantage is completely on the side of the attacker. Therefore, the security standard must be upgraded in order for the space of Web3 to realize its potential, and we at spherex made this “upgrade” the core of our mission, as well as our challenge.

Ishan Pandey: spherex's mission is to address major security vulnerabilities in smart contracts. How do you translate this mission into a viable business model that also promotes widespread adoption of your services?

Eyal Meron: First, it is important for me to emphasize that the underlying concept of spherex is not to allocate more resources to security, but rather to allocate them correctly.

The principle of an audit, for example, is important. Code should be tested to minimize the chance that it has bugs before it is deployed in production, but is budgeting two or three audits the best way to allocate said resources? Is it worth paying for a threat detection service when a professional hacker can easily bypass it? And even when there is an alert, at best the contract will be paused.

We at spherex have developed a proactive security solution, which is embedded within the Web3 project and gives it a security and compliance envelope as part of the ongoing operations of the project. Damage is avoided to begin with, and the business continuity of the project is guaranteed. And all this happens 24/7 without a man in the loop.

Also, the spherex security layer is completely modular, and the security envelope of a project can be adapted to its current needs in its life cycle, so that the security evolves and adapts itself to its needs (and budget), and does not freeze while on the other side there are hackers who invest enormous resources in order to win the learning competition.

Ishan Pandey: With the rapid evolution of digital assets and blockchain technology, how does spherex stay ahead in identifying and countering new types of cyber threats?

Eyal Meron: A big advantage for security solution providers in the blockchain ecosystem is the fact that the data is public, including all past attacks. Any capability that we develop is back-tested against all the infamous hacks and also re-tested and improved against any new hack that could prospectively occur. This information is how we verify the strength of security coverage, and how we maintain the upper hand against hackers.

Furthermore, our team includes forum members of senior security researchers who volunteer to analyze attacks while assisting those who were attacked to mitigate the damage.

Ishan Pandey: spherex has introduced 'asymmetric countermeasures' to combat smart contract vulnerabilities. Could you explain the implementation process and how these countermeasures integrate with existing blockchain protocols?

Eyal Meron: In a nutshell, we offer our own smart contract that serves as the security engine for functional smart contracts. When a project is built, and uses smart contracts to implement its business logic, it can integrate the protection contract that we developed, and get a set of capabilities that allow verification during the execution process of each transaction that it does not cause damage or behave in a way that deviates from what has been tested and approved.

The most advanced capability we have developed, or our "flagship" product, is the Exploit Prevention. This ability prevents edge cases and ensures that whoever found a vulnerability, that is, a malicious way to use the code of the contract, will not be able to do so without first sending the attack for approval. And so the power actually returns to the owners and legitimate users of the project. They are protected because the definition of what is allowed and what is really required to be allowed relies on what they see fit to do in the protocol in order to realize its true purpose.

Ishan Pandey: How does spherex balance the need for robust security measures with the imperative of maintaining high performance and low overhead in blockchain transactions?

Eyal Meron: On a practical level, the capabilities we have developed rely on a lot of research aimed at making sure that the logic implemented on-chain is low in computational resources and adds minimal overheads, while being independent and not requiring closing the loop with analytics tools that run off-chain. The on-chain capability is backed by off-chain support and analysis tools but they are not part of the process of ongoing on-chain security. This is how we reached a situation where the increase in gas consumption is very low.

But the more important thing in my eyes is, as you said, the right balance. And a correct balance, when it comes to the security and stability needs of financial services, is one that does not try to lower gas consumption at the cost of compromising security. A correct balance is one that prioritizes security and stability first, and then deals with reducing resource consumption.

Ishan Pandey: You’ve mentioned that human error is a significant factor in smart contract vulnerabilities. What are some key strategies or practices that spherex promotes to mitigate such risks?

Eyal Meron: Our solution’s strength, in essence, is that it does not require human analysis and/or project logic. And what makes it both scalable and immune to human error is the in-depth understanding of how a protocol is supposed to work - i.e. spherex as a solution self-learns from the protocol’s data automatically. In this way, it basically neutralizes the dependence on the human factor, a dependence that leads to both malfunctions and expensive and long processes.

Ishan Pandey: Looking forward, how do you perceive the future of cybersecurity in decentralized environments? What are the biggest challenges and opportunities you foresee?

Eyal Meron: It is important to reiterate that Web3 is still an emerging and ever-evolving ecosystem. And therefore the ongoing battle, or the learning competition between the defenders and the attackers, is far from being decided or understood. I estimate that the adoption of technologies, like ours, is inevitable and will allow a fundamental change to the equation.

Multi-layered protection, with an emphasis on a proactive layer that makes use of the unique characteristics of the space for the benefit of the defender and not against him, is not just nice to have but an imperative addition that will open up a new space for moonshot ideas and opportunities for the community.


Vested Interest Disclosure: This author is an independent contributor publishing via our business blogging program. HackerNoon has reviewed the report for quality, but the claims herein belong to the author. #DYOR.