[ Interview #1 ] The Path to Smart Contract Auditing: My Interview with DittoETH
Originally published at https://dittoeth.com/interviews/5_phuwanai.
Hey everyone, long time no see! 🙋♂️
In late November last year, I was interviewed by DittoETH, one of my auditing sponsors for the Code4rena public and invitational audit contests. 🙏
The interview covers my career journey as a smart contract auditor 🕵️♂️ and other ad-hoc topics. It was great, and I want to share it with you. If you are a smart contract auditor or want to become one, this interview might be worth reading.
The Interview
An introduction to me by DittoETH:
Our featured auditor this week is Phuwanai Thummavet, aka serial-coder, a leading smart contract auditor and security researcher with deep expertise in Ethereum and EVM chains. On Code4rena he is ranked #46 for 2024 and #173 all time. After transitioning from private blockchain work with Hyperledger Fabric, he’s become a key figure in Southeast Asia’s growing Web3 ecosystem. Today, we’ll explore his journey, the challenges of smart contract auditing, and his insights into the future of blockchain security.
1. To kick things off, would you mind introducing yourself and telling us about your path into the world of auditing within Web3 and Ethereum?
My name is Phuwanai Thummavet (aka serial-coder) from Thailand. I’ve been an independent security researcher for a year, focusing on EVM chains mainly. I was a lead smart contract auditor for 2 years at Valix Consulting, an audit firm localized in Bangkok. Before I entered the auditing journey, I was a private blockchain architect and developer working on Hyperledger Fabric for 3 years.
The turning point that changed me to the public blockchain domain (i.e., Ethereum) was that I saw a new challenging career opportunity to be a smart contract auditor, which has a higher upside in terms of income. And I began to think auditing could be my long-term prospect for work. By the way, IT security is also one domain of my interest.
2. I see you’re from Thailand. How has the reception of crypto been there? Has there been good adoption of crypto by the public? Do you see it becoming a significant and growing part of the economy?
Of course, we can say that Thailand is the biggest hub of the crypto industry in Southeast Asia. At the time of this interview, Thailand is holding Devcon, ETHGlobal, and many other side events. The reception of crypto in Thailand has been pretty good. We have many crypto communities in several cities from the north to the south, including Bangkok, Chiang Mai, Phuket, etc.
Thailand is one of the world’s strongest countries in terms of crypto adoption. There are many research groups and businesses. Regarding the regulation, we have one of the most advanced regulations in attempting to advocate related businesses and protect citizens. Even though some rules may impede the adoption, I think they can be improved as time passes. Hence, I still can see a lot of possible opportunities out there waiting for new inventors to discover.
3. What is the tech scene like in Thailand generally?
In the last bull-market wave, many companies kept an eye on DeFi and NFT products primarily. Nowadays, they are expanding their attention to broader domains, for instance, building public goods products, researching on-ramp and off-ramp solutions for better crypto adoptions, synthesizing real-world assets on-chain, creating crypto-arbitrage products, etc.
In other technology sectors in Thailand, I think healthcare is interesting. As you know, the world is facing an aging society. Thailand is a well-known country where foreigners come for therapy. We provide the world’s standard health services with competitive pricing.
4. What are you keeping an eye on these days in the crypto and other tech spaces?
I still keep my eye on crypto tech primarily. I’m interested in products or solutions for onboarding users to the crypto space, especially products applying Account Abstraction.
The emergence of Uniswap V4’s Hook feature is also intriguing to me. On the one hand, I can foresee the next evolution of DeFi derived from this feature. On the other hand, the Hook feature also brings challenging security concerns for developers as well as auditors.
Off-chain oracle technologies are also one of my interests. Many Chainlink competitors have emerged recently, such as Pyth and RedStone. They have a pull model as opposed to Chainlink’s push model. As an auditor, pull oracles come with many new challenging security concerns.
5. You mentioned account abstraction (AA). From your standpoint, what’s the latest on this? It seems like it should have taken off very quickly, but that doesn’t seem to be the case yet. Is there something I’m missing from a technical standpoint that still has a ways to go, or are most users of crypto just on desktops?
Well, I’m unsure what the actual holdup of AA is. It could be that it was introduced during a bear market and is waiting for the next bull market wave to shine, or it is still too complex and needs a more standardized version for broad adoption.
However, you can see some actual implementations. For instance, Safe provides the AA as a modular part of its wallet, and ZKsync also supports a native AA that gives better flexibility and user experience.
Furthermore, I also see the upcoming evolution of the AA in ERC-7579 aiming to minimize the AA complexity and standardize it for better interoperability and easier adoptions.
6. That’s very interesting. Could you name a few security concerns related to the pull model vs. Chainlink’s push model? What are the benefits of using the pull model?
Both models have limitations. The pull model was introduced for cost efficiency, lower latency, and more use case flexibility compared to the push oracles. In the push model, the oracle network (e.g., Chainlink) offers regularly scheduled updates to keep on-chain data up-to-date. This way requires much more expensive gas costs to support every asset on every existing chain.
Meanwhile, the pull model offers a more dynamic and flexible approach by delegating users as price update deliverers. Specifically, an update payload will be appended to the user transaction, which will be extracted and verified on-chain. After validation, the update payload will take immediate effect, and then a contract requesting the asset price can consume the updated price atomically in the same transaction.
On the one hand, the pull model can reduce costs and latency as the oracle network does not need to update on-chain assets' price data periodically. On the other hand, allowing users to deliver price updates may come with a larger attack surface than the push model.
Example security concerns:
- Can a user evade updating the price data?
- Can a user replay a spent update payload?
- Can front-running attacks with a newer update payload DoS other transactions with older update payloads?
- Multiple price updates in the same block (or transaction) can occur in the pull model. Can this lead to price manipulation?
- Etc.
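To make the concerns in that list concrete, here is a constructed pull-oracle consumer (an added example, not DittoETH, Pyth, RedStone or Chainlink code). It assumes a single oracle signing key (`oracleSigner`), a payload format of `abi.encode(price, publishTime)` and a raw 65-byte ECDSA signature over the payload hash; all three are assumptions for illustration.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

/// Constructed pull-oracle consumer. Price updates are signed off-chain by a
/// single oracle key (assumption) and delivered by users inside their own tx.
contract PullOracleConsumer {
    struct Price { int64 price; uint64 publishTime; }

    address public immutable oracleSigner;      // assumed oracle signing key
    uint64 public constant MAX_STALENESS = 60;  // seconds a stored price stays usable
    Price public latest;

    error BadSignature();
    error StalePrice(uint64 publishTime);

    constructor(address _oracleSigner) { oracleSigner = _oracleSigner; }

    /// Apply a user-delivered update. payload = abi.encode(price, publishTime),
    /// sig = 65-byte (r, s, v) ECDSA signature over keccak256(payload).
    /// A payload that is not newer than the stored one (a replay, or one that a
    /// front-running newer update already superseded) is a no-op rather than a
    /// revert, so a newer update landing first cannot DoS this transaction.
    function updatePrice(bytes calldata payload, bytes calldata sig) public returns (bool applied) {
        if (_recover(keccak256(payload), sig) != oracleSigner) revert BadSignature();
        (int64 price, uint64 publishTime) = abi.decode(payload, (int64, uint64));
        if (publishTime <= latest.publishTime) return false; // replayed or older than stored
        // Note: a strictly newer update is accepted even within the same block; guarding
        // against same-block manipulation is left to the consuming protocol's own checks.
        latest = Price(price, publishTime);
        return true;
    }

    /// Read through this, never `latest` directly: a caller who skips the update
    /// step cannot consume a price older than MAX_STALENESS.
    function getPrice() public view returns (int64) {
        if (latest.publishTime + MAX_STALENESS < block.timestamp) revert StalePrice(latest.publishTime);
        return latest.price;
    }

    /// Atomic path: deliver the update and consume the price in one call.
    function updateAndGetPrice(bytes calldata payload, bytes calldata sig) external returns (int64) {
        updatePrice(payload, sig);
        return getPrice();
    }

    function _recover(bytes32 digest, bytes calldata sig) internal pure returns (address) {
        if (sig.length != 65) return address(0);
        (bytes32 r, bytes32 s, uint8 v) = (bytes32(sig[0:32]), bytes32(sig[32:64]), uint8(sig[64]));
        return ecrecover(digest, v, r, s); // address(0) on failure, which never equals oracleSigner
    }
}
```

The no-op return in `updatePrice` is the trade-off the front-running question above points at: rejecting superseded payloads with a revert would let anyone holding a fresher signed payload block other users' transactions.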
7. Have you been in touch with the people you used to work with at Hyperledger? What’s been happening in that scene? How has their road to adoption been on the corporate side?
I sometimes give consultations regarding Hyperledger (Fabric) architecture to my clients. As you may know, Fabric is a private/enterprise blockchain framework. It is usually used privately by enterprises or corporates to solve some purposes, such as reducing trust between parties in the consortium, enhancing transparency and traceability of supply chains, etc. As it’s used locally, you may only see it a little.
There are a lot of private adoptions, especially in the supply chain domain. Some shipping companies use a private blockchain to track their shipments, collecting data from sensors attached to their containers, which can be tracked back later if issues occur, providing non-repudiation to all parties involved.
8. What’s been the most interesting project you’ve audited thus far, and what has been the most challenging?
I gained new knowledge from every project I participated in. For example, your project was my first time auditing an order book system implemented on-chain, which was eye-opening to me.
But, if I had to pick one, I would say Uniswap V2. It was the very first project I learned about auditing. Uniswap V2 has a simple but powerful codebase. I learned the power of the atomic transaction and the immutable concept from it, which turned me into the auditing journey.
9. If you could go back and give your younger self one piece of career advice, what would it be?
For sure, I should have sold my house and bought Bitcoin. lol
Another one may be that I should have entered the audit career earlier.
10. Outside of your professional work, what hobbies or interests do you have that help you unwind or inspire creativity?
My hobby is watching movies and concerts. I watch a variety of movies. But I prefer sci-fi movies (e.g., Interstellar and Inception) and adventure movies (e.g., Indiana Jones and National Treasure). I’m also fascinated by conspiracy-fiction movies (like Angels & Demons and The Da Vinci Code).
Another is watching all kinds of motorsports at tracks. I used to ride motorbikes, but it’s not for now.
11. Looking ahead, what personal goals do you have for your career in the next few years?
I still believe that auditing could be my long-term career. I might sometimes wind down from audit contests and change my focus on bug bounty hunting more. Or, I may change my focus to another specific domain, such as the ZK field.
About DittoETH
DittoETH is a decentralized pegged asset issuance protocol built on Ethereum. The protocol is built with the original principles of cryptocurrencies, offering censorship resistance, neutrality, custody-less and permissionless trades, and collateral management. Pegged assets or DittoAssets are collateralized by ETH via liquid staking tokens (LST) of ETH, as opposed to endogenous collateral.
DittoETH can support pegged assets for fiat currencies, cryptocurrencies (long and short), and commodities. In order for users to issue pegged assets, high collateralization of staked ETH must be locked in the contract to maintain protocol solvency and price stability. Additionally, the neutrality of DittoETH ensures open and full-access trading for any user.
Follow DittoETH on:
- @dittoproj on X
That’s the end of this post. I hope you enjoy the interview and find something interesting. And that’s for today. Bye!! 🖖