Please ensure Javascript is enabled for purposes of website accessibility
Home TRANSCRIPTS Mitchell Amador Podcast Transcript

Mitchell Amador Podcast Transcript

Headshot of Mitchell Amador

Mitchell Amador Podcast Transcript

Mitchell Amador joins host Brian Thomas on The Digital Executive Podcast.

Brian Thomas: Welcome to The Digital Executive. Today’s guest is Mitchell Amador. Mitchell Amador is the founder and CEO of Immunefi, the leading bug bounty and security devices platform of the on-chain economy. Working at the front lines of Web3 security, he has directly helped prevent over 38.5 billion in hacks and thefts across the ecosystem. 

Through Immunefi’s growth, he has helped protect many of the ecosystem’s most critical protocols, including MakerDAO, Optimism, Filecoin, LayerZero, Chainlink, Arbitrum, Lido, and Polygon. Mitchell has led and participated in dozens of live on-chain incident response war rooms, stopping exploits in real time, and negotiating the return of millions in stolen funds from international black cat actors. 

Well, good afternoon, Mitchell. Welcome to the show.  

Mitchell Amador: Thank you. It’s great to be here.  

Brian Thomas: Absolutely, my friend. I appreciate you doing this. You’re in Portugal, I’m in Kansas City, the United States and several time zones and calendars to get here, and I just immensely appreciate you for making the time. 

And Mitchell, if you don’t mind, I’m gonna jump right into your first question here. You founded Immunefi in December of 2020 and helped scale bug bounties from an experimental practice into a core security standard for all Web3, building what’s now the largest blockchain security community with over 45,000 researchers and more than 25 billion in user funds protected. 

What did you see early on that convinced you incentive-aligned crowdsourced security could work where traditional cybersecurity models had failed?  

Mitchell Amador: Sure. Well, I, I think it was being native to the industry and understanding how rapidly things spread in crypto was key to that insight, and specifically I came to two conclusions. 

Number one, the proliferation of the success of DeFi, which happened very quickly all of a sudden as things do in crypto, meant that we had sudden gaping security holes that scammers and attackers and a whole host of negative actors would coalesce around very, very rapidly. A key and essential quality of crypto is how quickly things diffuse, how quickly information travels throughout the whole network in this process of viral diffusion. 

This applies to good things like realizing all of a sudden that things like DeFi and on-chain finance are really, really useful and have unique value propositions you just can’t find anywhere else, but it also applies negatively in the sense that when people realize that there is an opportunity to steal money, it quickly diffuses through the criminal side of that same network, and that’s what we saw. 

And so in seeing that, knowing that, having, having had a front row seat to the consequences of that in twenty seventeen during that initial market run that really led to some great things, but also to a lot of damage to a lot of people, I realized that the only way we could possibly keep up to that was if we corralled the global security community in the same way, knowing that the security community will outnumber the criminals and the attackers many times to one. 

So it was less of a, a total certainty that this would work. It was more of a absolute conviction that this is the only thing that can work right now. We simply do not have time before the realization that, hackers and thieves can earn life-changing money here by attacking these systems. 

Before that diffuses through the on-chain society, we need to bring the security community to bear and protect as much as we can. It was this necessity that drove these insights  

Brian Thomas: That’s awesome. And absolutely you saw, first off, you had experience in the DeFi space here, but that security gap was definitely a necessity, and we saw that I’ve been in this space as well for quite a number of years. 

Love this place, this, this space here, blockchain Web3. And crypto did scale quickly. We saw a lot of things come and go, and, and part of it was, with this scaling of, of these different platforms and currencies, we saw a lot of fraud that went on, and security’s obviously paramount now, and I appreciate what you’re doing to secure this market. 

Mitchell, you’ve argued that security has to move from static to continuous, real-time threat monitoring and tooling that keeps pace with evolving risk, and that the industry needs to treat security as infrastructure, not insurance. What’s the practical difference between those two mindsets, and what changes inside an organization when it makes that shift? 

Mitchell Amador: Sure. Okay, there’s a few things here. Number one, we’ve gotten to the point where these systems have so much money and are so mature, there are many, multi-billion dollar protocols effectively at this point, that you need to understand there are attackers who are perusing your infrastructure twenty-four seven trying to find ways to rob you. 

Now, the North Koreans with Lazarus Group are, of course, the most famous of these attackers, but there’s a great many others. Criminality is an inclusive and open society, so there’s lots of people who are snooping out your stuff at this stage. Now, to deal with that, the only way you can, you can do that is you need to shift from a, “Oh, hey, we have a, a, a anti-crime problem, an anti-petty theft problem,” to, “Hold on, we’re in a never-ending war against some of the most well-funded hacker groups in the history of the world,” typically backed by nation-states. 

And the consequence of that, the essential consequence is you need to be thinking on the frontier, on the frontier of competitive advantage and protection all the time if you want to stay safe in that environment. Okay? You are now either so many– like so many other countries in the world that need to be investing in R&D and staying on the cutting edge of whatever you can do to stay safe. 

Now, given that, that’s where real-time protection comes in. And it’s less of a, “Hey, let’s go and use these products. Let’s go and use these tools.” It’s more of a mindset, how do we constantly stay on the edge of security given that we’re in the most adversarial and hostile and dangerous environment in the entire internet? 

Okay? And out of that comes, “Hey, maybe we should be investing in real time truly. Hey, maybe we should be investing more in bug bounties and similar types of crowdsourced tools, which are the most effective way to access the latest and the greatest in security knowledge and know-how. Hey, maybe we should be trying out new technologies and new techniques like firewalling otherwise.” 

Like, it doesn’t really matter what the specific tool is. What matters is, are you on the frontier? Because your attackers, they certainly are. And if they get, the equivalent of a, of a nuclear cybersecurity weapon before you do, you’re done. Okay? So this is the first part of that question. Now the, the second part of that was on the, the distinction between, is security infrastructure or is security insurance? 

And the reality is these, these two things are gonna converge in crypto over time. But that convergence is gonna take at least another five to ten years. And the reason is because insurance, provides a, a financial backstop for protecting in, against risk in the most general possible way by saying, “Hey, we can just afford to bear the cost,” or whatever this is. 

But it can only do that when it has effectively priced risk. And that means knowing really, really well the nature of the type of risk you face and the kind of damages that could be inflicted. And we are not there. We are not there for your crypto. We are a long way from it. We’ve been tracking every kind of hack and every kind of critical disclosure event that happens in the industry. 

Over ninety-three percent of all critical disclosures in crypto in the last six years or so have gone through Immunefi for context. So we have a really comprehensive data set on all this. And while we can tell you what the average hack is likely to be and what the median hack is likely to be and, and, and h- what’s the probability, a project will get hacked in any given year, there is a huge variance. 

There’s a, a really long tail and that creates a power law effect in terms of impact that makes the risk quite difficult to price at this stage. Okay? And in consequence, we cannot think of security as insurance. It cannot be so predictive, and it cannot be so, wide-ranging in coverage. What we can do is think of it a security as infrastructure. 

We can think of it as the walls, right, around your town. We can think of it as the moat around your castle that while not foolproof, right, while, while possible to defeat and you know that perfectly well, provides an extremely advantageous form of protection that will cover the vast majority of threats that you could possibly face. 

And can be done at relatively low cost as well. All things considered the cost of these security measures is almost nothing compared to the amount of damage that they prevent. And so this is the attitude that we need to be taking. Number one, we need to have this attitude of like, “Hey, it’s cyber defense, not cyber security.” 

We’re at war. We’re, we’re, we’re fighting against nation-state actors, not petty criminals for the most part. And number two we need to be thinking of this as a constant piece of infrastructure that our societies and our, our economies require to sustain themselves. It’s not gonna be foolproof. It can’t cover all the risks. 

It can’t cover all the costs. But it is impossible to live without it. And the moment we do that, we become a defenseless nation in a, in a very, very hostile forest  

Brian Thomas: Thank you. Really appreciate that. And there’s so much to protect here. You talked about this being a multi-billion dollar industry, of course, but there’s a never-ending war engaging with these professional hacker groups, state-sponsored hackers. 

But we have to shift to a mindset to an ever-vigilant continuous monitoring security. And you did kinda talk about the infrastructure versus insurance, what is that really? And we know those will converge in the future, but, but right now, again there’s a whole lot of things that need to fall into place before we can move in that direction, so I appreciate the insights. 

Mitchell, you’ve warned that generative AI, including the latest frontier models, has become the main driver behind the increased frequency and sophistication of DeFi exploits, with hackers using AI to rapidly scan code bases and craft exploit payloads. You’ve called the next three to four years a critical test, with the asymmetry favoring attackers until defenders deploy the same AI for defense. 

How is Immunefi arming defenders for that fight, and who’s winning right now?  

Mitchell Amador: Sure. Well, right now, I would say that the attackers are winning. Okay? And you can see that in the increase in the frequency of hacks that happen in crypto. You can also see that in the mass proliferation of new vulnerabilities and hacking and, and cyber attacks that are happening in the broader economy. 

So that’s the reality. Attackers are moving fast. They’re leveraging this latest and greatest tooling from the frontier, and they’re using them to great effect. Now, we recognize that it is extremely difficult for defenders to keep up with attackers in this way. The reason being, every change to their security posture and their tooling requires a complicated and risk-sensitive decision-making process and governance process, for lack of a better term. 

All these tools cost money. All these changes require people. All these things change your internal corporate or governmental policies. There’s no easy way to do these things, right? They need to be done step by step with proper security controls so that you don’t make a misconfiguration or you don’t step over your own foot in such a way that makes the attempt to implement the cure to this problem even worse than the disease by introducing new vulnerabilities. 

And because of that, the attackers always have the edge. They’re always moving faster. But there is a, a flip side that we can take to this whole situation. We can flip the coin and say, “Hey, well, why don’t we just leverage these same fundamental advantages that attackers have for defenders instead?” 

And we have the perfect tool to do this in the form of the bug bounty program. And so what we’re doing at Immunefi, we already have thousands and thousands of security researchers around the world. Almost all of these guys are running their own AI stacks. They’re effectively their own independent red teams now. 

We can no longer get just like, hey, a hundred eyes on code. It’s like we can get a thousand eyes on every piece of newly deployed code that comes through Immunefi. More defense in depth than we’ve ever seen before. And what we’re doing is making it as effortless as we can possibly do to give them the latest and greatest in frontier models and in vulnerability finding technology. 

Because this way, we’re gonna turn our army of white hat hackers, who have been defending society for years, into a force that can move even faster and leverage the existing security tooling that most major companies and protocols have to keep them safe even better. And moreover, we accelerate that because we’re getting them access. 

We’re getting our white hats access to customer code faster and earlier than attackers get it, so that every single co– piece of code that hits the internet in crypto has had- effectively the review of a thousand different eyeballs from a hundred different AI systems, from hundreds of security researchers around the world before an attacker even has the opportunity to see it. 

And we believe if we can do that, and if we can do that well, then we could prevent something in the realm of ninety-five, nine… I would say yeah, probably ninety-five percent of all of these attacks that are presently plaguing the internet as a whole  

Brian Thomas: Thank you. Appreciate that. As you mentioned currently, the attackers are winning in these attacks and exploits and especially if they’re using AI, just again makes that whole entry point for the bad guys to enter with AI, of course, we talk about that here a lot. 

Defending is constant proactive work. It can be daunting, as you talked about. But your premise is to provide safety and security, and security in a fast and simpler way. Your goal is to find vulnerabilities before the hackers do, and I, I just like that mindset that you have, is to make people feel safe knowing that they’ve got a good partner like you and Immunefi to help them thwart these attacks. 

So I appreciate that And Mitchell, the last question of the day I have for you, you’ve cautioned that the next systematic failures will come from a shared assumptions failing everywhere at once. Shared code, shared signers, shared infrastructure, shared ops oracles, the invisible dependencies that break next. 

As crypto scales into mainstream finance, what does on-chain security need to look like five years from now to be genuinely fit as critical market infrastructure? And what has to happen for the industry to get there before those shared dependencies fail?  

Mitchell Amador: Sure. Okay, this is a multifaceted question. Number one, these shared dependencies that are such a risk. 

The reality is crypto and the internet as a whole has tons of shared dependencies, and for a lot of cases, nobody’s particularly responsible for these shared dependencies. There’s no grand organization with infinite budget and a big security team that is maintaining a lot of these open source repositories or tools. 

It’s just something that everybody uses. And that creates problems because you can have players who have multiple– basically, this dependency lives in their security perimeter, but they feel like, “Hey, well, it’s not mine. Do I really need to be the one to maintain this?” And when everybody thinks that way, those systems get compromised. 

So there are a number of cases, for example, compromising wallets where they would depend on an open source cryptography library. And an attacker, being clever, would not go after the wallet itself, but would instead go after the cryptography library, compromise that because it was being maintained by some unloved volunteer, take it over, and then introduce very subtle vulnerabilities that they could compromise downstream in order to affect the wallets as upstream or downstream users, rather. 

So there are lots of cases like that that have happened. Bridge hacks are a great example of this, and there have been some cases recently, such as the Kelp DAO hack, that suggest that even further. And we need to solve this as a whole. We’ve figured out so many of the problems in on-chain security, but what we need is to now solve the last set of ecosystem-wide problems, the same problems that countries and international unions have solved for safeguarding their local economies by creating the conditions, right? 

And maintaining the conditions, the public goods, so to speak, that all commerce and all economic growth depend on. And we need to do the same thing with crypto. That means taking care of these dependencies, among many other things. So that’s number one, I would say, on the list. And what was the second part of that question? 

Just refresh me, Brian.  

Brian Thomas: Yeah. What has to happen for the industry to get there before these shared dependencies fail? 

Mitchell Amador: Great question. Two things. Number one, we as ecosystem managers, we need to have this attitude of stewards, and we need to do this either at the level of layer one blockchains, either at the level of bridges and cross-chain communities and products, or we need to do this at the level of financial players and the states that govern. 

And you see various forms of that going on today. You have players like Ethereum who try to manage the, their own ecosystem, their own kind of thriving and open garden. You have financial players like USCC and Coinbase that are pushing their point of view. And then you finally have national players like the United States government, which is trying to put its point of view in the form of US stable coins around the world, or Europe with its MiCA propositions. 

So you have various attempts to, to safeguard that situation like so. Now, all of this has to happen before, I would say two things. Before we have many, many more trillions of dollars, and I think we should be going expecting a world where we’re gonna have ten or twenty trillion dollars on chain over the next four or five years. 

We need to solve these kind of ecosystem-wide coordination problems by then. And then now we have another threat that’s kind of gone in parallel, which is the rise of frontier models and their application to cybersecurity and specifically finding vulnerabilities. And we need to build defensive tooling in conjunction with this kind of social technology, so to speak. 

We need defensive tooling that is advanced enough and well-distributed enough across the ecosystem such that even if frontier models continue to advance at the crazy pace they are, we believe we can create ultra-secure code, which eventually becomes truly an objectively secure code with no effective vulnerability. 

That’s the second factor. Both of these things are not done today. There are many different players who are making both of these moves today. I believe, with, with conviction, that we will solve both of these problems within two to three years, quite frankly. But it is unclear which design philosophy, which kind of opinionated worldview for each of these categories is going to be the one to do it. 

But if any of them succeed anywhere, then it’s game over, and now crypto is clear to scale to countless tens of trillions in wealth on chain for society to manage  

Brian Thomas: Thank you. Appreciate that. Obviously, in this crypto DeFi space, there’s a lot of shared dependencies you talked about which most folks that are in this space they think it’s not their responsibility. 

And you talked about an example bridge hacks. We need to change that mindset, as you mentioned, creating conditions for prosperity and security like we do in the TradFi space in, in local economies. We all need to have that attitude of being good financial stewards, no matter if you’re, running a layer one blockchain or a bridge, et cetera. 

I really do appreciate that. At the end of the day, mindset has to be community-wide and, and you’re leading the charge there. So, I appreciate that. Mitchell, it was such a pleasure having you on today, and I look forward to speaking with you real soon. 

Mitchell Amador: Awesome. Thank you very much, Brian. It was a pleasure to be here. 

Brian Thomas: Bye for now.

Mitchell Amador Podcast Transcript. Listen to the audio on the guest’s Podcast Page.

Subscribe

* indicates required