Welcome back, everybody. Hope you had a good break. I got to talk to a lot more people here and got to learn about who's here exploring with you. We are here for the last segment of Pragma New Delhi: three more talks to go, and then we're going to launch into our happy hour. So without further ado, let's get started. Our next speaker is Preetam, and he's going to tell you all about making adversarial AI to make crypto contracts safe. So please give Preetam from QuillAudits a big round of applause.
Hi, hello everyone. We started our journey back in 2017-18 as blockchain developers, and then we moved into blockchain security, so we have been in security for the last seven or eight years. About me: we work with around 1,500-plus protocols. 1,500-plus protocols is a big, big number, but out of those 1,500-plus protocols, if I look at the last seven or eight years, you can say 90% have already died. Someone was just there to make money, or someone was maybe just there to raise money, so that they can go to their investors, do marketing and everything. But there is one thing that is always, always constant. Out of those 1,500-plus projects we audited, and there are so many other protocols in the space too, the one thing that is always constant, every week, is the number of hacks and scams going on in the industry, because the space is so new and there is very good money to be made.

As a founder, or as a Web3 security founder, when we work with a project we have seen so many times that maybe the project is doing well and running the protocol for one or two years, and then in that one or two years they do a rug pull or just exit the project. In the security space, or you can say in the Web3 space, trust is so minimal. I can't trust my developer, I can't trust the development company I'm working with, I can't trust my founder either. We've seen so many cases where your founder is doing the hack, your developer is doing the hack, or your third-party companies are doing the hack. We have seen that $150 billion is currently the TVL, but only this year around $3 billion has already gone into hacks and scams.

Nowadays the attack vector is not just the token contract. Back in the day, when I started my journey in Web3 in 2017, the scope was just a token contract: let's get it audited and let's make money, or maybe let's do the ICO or the token launch. Nowadays the space, or you can say the attack vectors, are completely different. We have cross-chain stuff, we have so much modular stuff, so the attack surface is so much bigger and there are so many cross-chain vulnerabilities. There is not a single ERC20 token anymore; we have lending, AMMs, flash loans, there are so many things going on.

There was one talk, I think one or two hours back, about how we can bring AI into the security space, and that is good: as a developer I can use any AI tool for pre-scanning smart contracts so that I can find some initial vulnerabilities. But I still feel the tools are very minimal. If you see static analyzers, they can find some predefined vulnerabilities like re-entrancy or anything like that. If we see symbolic analyzers, they can go down any path and find some vulnerabilities, but they can't go down every path of the smart contract; path means the state of the smart contract. And then we have fuzzing. Nowadays everyone is talking about how we can use fuzzing to find the vulnerabilities in smart contracts, but fuzzing has its own issues. Fuzzing is like you are just throwing a dart to find out if that dart can hit the goal or anything. It's kind of noisy; it's not 100% foolproof. You can't use fuzzing to find 100% of vulnerabilities.

So how we can do it is the main thing, and now the space is more interesting: agents are everywhere. What I feel as a Web3 guy... I was just listening to a podcast with one of the good founders of a Web3, sorry, Web2 security company, Palo Alto Networks, about how a hacker, or even a normal user, can use any LLM to say, "Hey, go to this website, find the vulnerabilities, how can I hack this website?" So now ChatGPT is kind of a dangerous weapon for you guys to find any vulnerabilities. Or you can use these AI tools; there are some AI audit tools out there. As a hacker you can use an AI tool; who's stopping you, really, from using this AI tool to find the vulnerabilities in smart contracts to make money? You just log in and make the payment, and if you're able to find any vulnerability in a contract that just got deployed, you can really make money. So I feel this is something very new, and it's going to be more and more dangerous.

Now, if we see the case of AI agents: I'm only going to talk about AI agents now. In the case of AI agents we have multiple frameworks like Virtuals, Eliza, and there are more frameworks around Web3 as well. In the case of these frameworks, we have seen some cases where the hacker was able to manipulate the agent. He can just give a prompt: "Hey, forget everything about my last transactions, or whatever is in your memory." In any agent the main thing is the memory, what the agent currently has in its context. You can give a prompt, "Hey, forget everything and do this stuff," and the hacker was able to manipulate that agent in, I think, 40-plus attempts. 40-plus attempts, not a single attempt. And in the 40-plus attempts the agent was like, "Okay, I will do the transfer from my wallet that is in my custody," and that agent was able to transfer. So now these LLM-powered agents are kind of nondeterministic. Smart contracts are deterministic; deterministic means you know the state of the smart contract, you know the state of every smart contract and what the end result can be. But in the LLM you don't know the state of any AI agent; the input can be the same and the outcome can be always different. So in these nondeterministic cases, the hacks, or you can say how we can build guardrails around AI agents, is more difficult compared to smart contracts. And nowadays everyone is building AI agents, maybe on Base, let's get on chain, or on any chain; every chain is focusing on how we can build AI agents. And if everyone is building AI agents, the traffic is going to... traffic means you are creating smart contracts and anything using AI agents; it means there are more vulnerabilities in your smart contracts.

We have seen one case with Eliza, as I mentioned, where the hacker was able to manipulate Eliza via a bad prompt and was able to hack around, I think, $100k. So now the case is here. As a security person, having been in security and worked with so many protocols, we have one AI audit agent as well, and I feel that agent is okay. Okay, right? I have tested all the AI audit agents and I feel they're good, they're okay. They are finding the vulnerabilities they were trained on. They're finding the vulnerabilities that are already in your database, or that your agent is already trained on. And we have seen cases of even monitoring companies saying, "Hey, we could have stopped this $40 million hack if these guys had used us." But maybe the company is not using them, or maybe the company is just tweeting for their marketing. In the last two years there has been a very, very rare case where any AI audit agent or monitoring company said, "We stopped this $100 million hack." There is not a single company, but there are so many tweets saying, "If you guys had used us, we could have stopped this $50 million hack or scam." Because your tool is maybe algorithm-based, or your AI agent is just trained on past vulnerabilities. But how you can find the new zero-day vulnerabilities is the game, and that's going to be more interesting. So how can we do it?

In the AI thing there are three things. One is how you train your model: it can be via supervised learning, it can be reinforcement learning with human feedback, and the third is self-learning. Self-learning is the most important; that is going to play the role. It can be for smart contracts or it can be for AI agent security. Self-learning means your agent works like an attacker, learns by itself, can find new vulnerabilities and can report to you before a real attacker does it. So that's how you can build an adversary, and this agent can report to you before any hack is going to happen. So I'm going to show how we can do it.

As I mentioned, in smart contracts there are three ways: one is static analyzers, one is symbolic, and one is fuzzing. As I already mentioned, they're good. If you are a developer writing smart contracts, use them, find good vulnerabilities, maybe 70-80% of vulnerabilities, and go to a manual audit company; there are so many good auditing companies as well, and as QuillAudits we also do audits. But now the main thing is how we use adversarial AI agents. An adversarial AI agent is more like offensive security: you are building your own attacker against your own smart contracts or your own system. That's the main thing. These RL-based adversaries can figure out different states of the smart contract or different states of the AI agent, can figure out how to build the attack vectors, and can self-learn. That's the main important thing: how these AI agents can self-learn. As we saw in the case of, I forgot the name of this LLM company from China, DeepSeek: they were able to win the game for some time over ChatGPT because they used RL for learning, or self-learning.

So how can we build a self-learning framework, maybe for a smart contract or maybe for an AI agent? There is a framework we call MDP, and there are three different important things. One is states, the second is actions, and the third is rewards. State is the state of your smart contract. It can be the price of a token, it can be an oracle price, it can be any AI agent's memory, it can be an AI agent prompt. The second is what kind of actions you're looking at; actions can be: do these two or three transactions, transfer an amount to this address and this address, try to do this re-entrancy attack or something. And the last thing is the rewards. If you are able to do it, you are going to get a plus-one reward. If you're not able to do it, you will get a minus-one reward. So using this framework, we can use it for smart contracts and for any AI agents as well.

As I mentioned, there is one important thing: the invariant. In this framework we use the invariant. The invariant you can say is kind of the win: if you are able to break this invariant you are going to win the game. So you can define an invariant: hey, if you are able to play with the price of any oracle and then inflate the price of any LP pool, that can be one invariant. And if your agent, agent here means the adversarial AI agent, is able to do it, it means it wins the game and gets the reward for it, and if it's not getting it, again it is going to self-learn. That's the main important thing here.

So as a Web3 security company, what we did is we built a red-team copilot to test this framework: can we really figure out and build a framework to test this on smart contracts? So we built one adversary here, and as I mentioned you have three different things: one is state, reward and transaction. If you guys were there in the previous talk by Sasank from CredShields, he gave one example of one hack where the attacker was able to do some transactions, and one transaction was around access control. So that transaction can be an access-control transaction, and if you are able to get to that stage, the stage can be that you are able to make yourself owner of the smart contract, then you are going to get the reward. So this is a kind of red-team copilot we built, and we were able to find... so we trained that RL agent on the re-entrancy vulnerability, and then it was able to self-learn and find a new vulnerability, the timestamp vulnerability, automatically. We had not given any training or memory or any context, but it was able to self-learn and find a new vulnerability. So that was the main outcome we were looking for: how we can use this RL-based adversary on a smart contract. And we tested it on AI agents as well, so we built a new product, QuillGuard, for how we can use this guardrail on AI agents as well.

That's all from my side. Again, this thing that we're building is at a very, very initial stage, but there is a very good research paper we published, so I would suggest you guys scan it and go through the research paper to see how we are doing it. There is some interesting math in the paper, but again I'm saying it's at a very initial stage. This space is going to be very interesting: how your agent can self-learn to do anything. It can be applied in healthcare, it can be applied to smart contracts, it can be applied to agents. So how you can build adversaries, adversaries meaning an attacker, to do any bad things so that the real attacker doesn't. That's our goal here, and we were able to build it. Thank you. Thanks.
Preetam Rao (QuillAudits co-founder) explores how adversarial AI agents and reinforcement learning can harden Web3 systems. After noting today's sprawling attack surface (cross-chain bridges, modular stacks) and the limits of static/symbolic analysis and fuzzing, he argues that LLM-powered agents introduce non-determinism and new prompt-hacking risks (memory erasure, fund transfers). He proposes self-learning, RL-based "red-team" agents that model attacker behavior, search contract/agent state spaces, and optimize against invariants (win conditions). Using an RL framework (states → actions → rewards), his team's "Red-Team Copilot" learned re-entrancy, then discovered a new timestamp bug without being explicitly trained. He closes by positioning adversarial agents as a continuous, proactive layer alongside audits, applied both to smart contracts and LLM agents (via their "QuillGuard" guardrails).

00:02 Opening & background (QuillAudits, 1,500+ protocol engagements)
01:37 Constant in Web3: weekly hacks/scams despite growth
02:13 Trust deficits: founders/devs/third parties; broader attack surface (bridges, AMMs, lending)
03:15 Why current tooling falls short: static, symbolic, fuzzing limits
05:20 LLM agents are attackable: prompt injection, memory wipe, nondeterminism
06:54 Real incident: agent manipulated to transfer funds (~$100k)
08:04 Monitoring/AI "auditors" trained on past bugs struggle with zero-days
09:41 Enter adversarial RL: self-learning attacker agents
10:42 MDP framing: state, action, reward; define invariants as win conditions
11:48 Applying to contracts & agents; reward signals and learning loops
13:05 Red-Team Copilot demo concept: access-control & multi-tx paths
14:14 Result: RL trained on re-entrancy later found a timestamp vulnerability unprompted
14:52 Extending to AI agents: QuillGuard for guardrails
15:25 Call to action & research paper; future of self-learning adversaries

🇮🇳 Pragma New Delhi

Pragma New Delhi 2025 was held on September 25th at the JW Marriott Hotel in Aerocity, New Delhi, and was an in-person summit for builders and leaders in the web3 ecosystem. Watch the full Pragma New Delhi YouTube Playlist here:

ETHGlobal's Pragma series takes place in cities around the world, and is designed to be a different kind of event. Pragma is a one-stage conference with founders-only on stage, bringing together a small group of curated attendees and speakers to discuss the future of web3 and reflect on the past.

✅ Follow Preetam Rao
X: https://x.com/raopreetam_

✅ Follow QuillAudits
X: https://x.com/QuillAudits_AI

✅ Follow ETHGlobal
X: https://x.com/ETHGlobal
Warpcast: https://warpcast.com/ethglobal
Website: https://ethglobal.com
YouTube: https://www.youtube.com/@UCfF9ZO8Ug4xk_AJd4aeT5HA

Are you interested in Ethereum development and entrepreneurship?
👉 Sign up for the next ETHGlobal event: https://ethglobal.com/events
🎁 Get exclusive access and perks with ETHGlobal Plus! https://ethglobal.com/plus
📣 Want us to throw an event in your city? Tell us where! https://ethglobal.com/city
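The MDP framing from the talk (a state the adversary observes, transactions as actions, +1 for breaking an invariant and -1 otherwise, with the invariant as the win condition) in runnable form, as an added example that is not part of the talk, the video description, QuillAudits' Red-Team Copilot or its research paper. The `ToyVault` state machine, its four actions, the planted missing re-initialization check, and the two invariants (`solvency`, `no_profit`) are all constructed for this example; the learner is plain tabular Q-learning. Run against the vulnerable vault it learns the two-transaction path that makes the caller owner and drains the vault, which is the kind of access-control, multi-transaction path the talk describes; run against the hardened vault (`guarded=True`) no invariant is reachable and the harness reports no violations, so the same loop doubles as a regression check on the fix.

```python
import random
from collections import defaultdict

# Constructed example: an RL "red team" agent that learns to break an invariant
# of a simulated contract, following the talk's MDP framing (state, action,
# reward) with invariants as the win condition. ToyVault is a hand-written
# Python state machine, not real Solidity and not QuillAudits' code.

ATTACKER_START_FUNDS = 30
DEPLOYER_CLAIM = 100          # deployer's recorded deposit, backing vault_eth


class ToyVault:
    """Simulated vault. guarded=False plants a missing re-initialization
    check (anyone can call initialize() again and become owner)."""

    ACTIONS = ("initialize", "deposit", "withdraw", "sweep")

    def __init__(self, guarded):
        self.guarded = guarded
        self.initialized = True
        self.owner_is_attacker = False
        self.attacker_claim = 0          # attacker's ledger balance in the vault
        self.attacker_wallet = ATTACKER_START_FUNDS
        self.vault_eth = DEPLOYER_CLAIM  # ETH actually held by the vault

    def state(self):
        """Discrete observation for the tabular agent."""
        return (self.owner_is_attacker, self.attacker_claim,
                self.attacker_wallet, self.vault_eth)

    def step(self, action):
        """Attacker-submitted transaction; a no-op models a reverted call."""
        if action == "initialize":
            if self.guarded and self.initialized:
                return                       # hardened: require(!initialized)
            self.initialized = True
            self.owner_is_attacker = True    # defect: any caller becomes owner
        elif action == "deposit" and self.attacker_wallet >= 10:
            self.attacker_wallet -= 10
            self.attacker_claim += 10
            self.vault_eth += 10
        elif action == "withdraw" and self.attacker_claim >= 10:
            self.attacker_claim -= 10
            self.attacker_wallet += 10
            self.vault_eth -= 10
        elif action == "sweep" and self.owner_is_attacker:
            self.attacker_wallet += self.vault_eth   # owner-only emergency drain
            self.vault_eth = 0

    def broken_invariants(self):
        """Invariants are the win conditions: any failure ends the episode."""
        broken = []
        if self.vault_eth < DEPLOYER_CLAIM + self.attacker_claim:
            broken.append("solvency")        # vault must back every ledger claim
        if self.attacker_wallet + self.attacker_claim > ATTACKER_START_FUNDS:
            broken.append("no_profit")       # attacker can never gain value
        return broken


def train(guarded, episodes=3000, max_steps=4, alpha=0.5, gamma=0.9,
          epsilon=0.2, seed=0):
    """Tabular Q-learning: +1 reward for breaking an invariant, -1 otherwise."""
    rng = random.Random(seed)
    q = defaultdict(float)
    acts = ToyVault.ACTIONS
    for _ in range(episodes):
        env = ToyVault(guarded)
        s = env.state()
        for _ in range(max_steps):
            if rng.random() < epsilon:
                a = rng.choice(acts)                       # explore
            else:
                a = max(acts, key=lambda x: q[(s, x)])     # exploit
            env.step(a)
            s2 = env.state()
            done = bool(env.broken_invariants())
            reward = 1.0 if done else -1.0
            target = reward if done else reward + gamma * max(q[(s2, x)] for x in acts)
            q[(s, a)] += alpha * (target - q[(s, a)])
            s = s2
            if done:
                break
    return q


def greedy_rollout(q, guarded, max_steps=4):
    """Replay the learned policy; returns the transaction path and the
    invariants it breaks (an empty list means no break was found)."""
    env = ToyVault(guarded)
    trajectory = []
    for _ in range(max_steps):
        s = env.state()
        a = max(ToyVault.ACTIONS, key=lambda x: q[(s, x)])
        env.step(a)
        trajectory.append(a)
        if env.broken_invariants():
            return trajectory, env.broken_invariants()
    return trajectory, []


def find_invariant_break(guarded, seed=0):
    q = train(guarded, seed=seed)
    trajectory, broken = greedy_rollout(q, guarded)
    return {"trajectory": trajectory, "violations": broken}


if __name__ == "__main__":
    print("vulnerable:", find_invariant_break(guarded=False))
    print("hardened:  ", find_invariant_break(guarded=True))
```

The per-step -1 reward is what makes the agent prefer the shortest breaking path rather than any breaking path, and the returned trajectory is the artifact a developer actually needs: the ordered transactions that violate a named invariant, reproducible against the same simulated state.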