You can't have a one-time audit to ensure you are secure enough – LetsExchange & HackenProof AMA recap
Are LetsExchange and its services, including crypto swaps and the bridge mode, really secure? What is better: a one-time security audit or a bug bounty program?
Alex J., CPO at LetsExchange, and Sashko, CTO at HackenProof, discussed these and other cybersecurity questions, such as the most frequent hack types, how to become a blue team hacker, and more, in a recent AMA session hosted by LetsExchange on X spaces.
Below are the key takeaways from the AMA session.
LetsExchange (moderator): How do you feel about 2024? What are the lessons we should take from that year?
Sashko, HackenProof CTO: The security paradigm has shifted significantly during the last three years. If we look at the stats, we will see that many more individual hacks occurred in 2022 due to smart contract or platform vulnerabilities. In 2024, over half of attacks were phishing, social engineering, or similar attacks.
The ecosystem's main issues right now are end-user security, the security of team members, and the security of the people we work with. Malicious actors find it much easier to compromise one person than to look for vulnerabilities in your codebase. The code has become much more secure over the last few years.
LetsExchange (moderator): So, in your opinion, as CTO, what is the most important thing for a crypto project to boost security? Is it a one-time audit, or is it a long-term bounty program?
Sashko, HackenProof CTO: Security is a continuous process. You can't have a one-time measure to ensure you are secure enough as you have a development pipeline and consistently implement new features and hire new team members.
You always need to consider your organization's security. A one-time audit is definitely not enough. At least, you should conduct external audits every year because your product will undergo many measured upgrades and updates during that time.
That's why the bug bounty is a good initiative for companies. It is a continuous process that allows submissions to be made throughout the year. You don't need to worry about every update for external audits.
And, of course, teach team members because people are the weakest point of any security system.
Odin (community): When hunting for bug bounties, users with coding knowledge seem to have the upper hand. So, for novice users without experience and expertise in that field, do you plan to introduce some educational content or guidance to help them?
Sashko, HackenProof CTO: We have a YouTube channel where we share educational insights about bug bounties and security research. We also have a blog where we share educational content. The platform has a disclosed reports area where you can learn from previously reported vulnerabilities that were paid for. The platform itself has valuable content.
You don't need coding or cybersecurity experience to start in bug bounties. Many submissions have a business logic root cause, and you just need to understand how the application should work to break it. Any security engineer's main job is to fully understand the main task that the app should solve and what may go wrong.
Dan Farmak (community): Can you elaborate on the recently launched DualDefense Flash Pools? What advantages do they offer to clients and security measures?
Sashko, HackenProof CTO: The DualDefense Pool is quite an innovative solution on the market right now because we see the huge problem of all the security consulting services: no auditor can guarantee the quality of their jobs. For example, we can track whether a project was hacked or not after a specific company performed an audit. But this is not enough in terms of service provider guarantees. If I request an audit, the reputation is not enough. I want to be sure that I will never be hacked because just one hack will be the end game for my organization.
So, DualDefense Pools are the guarantee that HackenProof gives. First, HackenProof performs an audit. Then, a community audit follows. It is provided by the HackenProof community. We have more than 30K bug bounty hackers who will look into the code base and your application and try to find critical issues. And Hacken, as the company that did the audit, will cover all critical vulnerabilities discovered by the community.
LetsExchange (moderator): Alex, has LetsExchange encountered hacker attacks, or maybe you've heard of someone who got hacked weirdly?
Alex, LetsExchange CEO: I don't remember any story about myself, and as of today, LetsExchange has successfully mitigated external threats and has not experienced any security breaches due to hacker attacks. While no platform is entirely immune to cybersecurity threats, LetsExchange maintains robust defenses to minimize risks, and I can name several of them:
- Proactive testing: We routinely perform penetration testing, including simulations by red team hackers, to identify and address potential vulnerabilities in our system.
- Continuous improvement: To strengthen our platform further, we incorporate lessons from red team exercises and security assessments into our protocols.
- Collaboration with HackenProof: We continue to work with white hat hackers who help us systematically identify potential security threats. And we eliminate the threats we find.
Alex (moderator): Sashko, do you have anything else you'd like us to ask or anything else to add?
Sashko, HackenProof CTO: I want to point out that over the last year and a half, while we have been working together with LetsExchange, LetsExchange has never received critical submissions, maybe just lows or mediums. It's an outstanding result because, according to our experience, the first critical issues arise after the first three months following the launch. So, those are excellent results. This is why we can proudly say that LetsExchange is a secure and safe platform so far.
These are just the main highlights of the AMA session. For more insights on crypto security, how HackenProof works, and our collaboration with it, listen to the full AMA.