Time: 26th April 2022, 11AM UTC
AMA Group: https://t.me/BNBchaincommunity
Host: Martian, BNB Chain Community Manager
Guest: Eskil, Go+ Co-Founder
Introduction of Go+ and the Guest
Guest: Hello everyone. I am Eskil. I am the Co-founder of Go+ Security. I am a serial entrepreneur and have been in the crypto industry for 3 years.
Go+ is working as the “security data layer” for web3, striving to build “everyone’s security tool” by providing open, permissionless, user-driven security services. The Go+ security engine covers multiple chains with multidimensional risk detection for both crypto projects and ordinary users, making for a safer chain ecosystem.
Currently, Go+ has developed a complete, dynamic, and automated security detection platform, including token detection, a blacklist address library, NFT detection, dApp contract security detection, real-time risk warning, and interaction security detection, with more under planning and development.
We would love to offer free security data integration to protect both projects and users in the crypto world. We are also seeking similar-minded partners and influencers for cooperation. Please feel free to contact us if you are interested in accessing Go+ API or any other cooperation possibilities.
Question 1 Why is security so important for general users? What kinds of security issues do you observe most frequently, and how can Go+ benefit the BNB Chain ecosystem?
A: We have heard a lot about hacks recently, causing huge losses. As web3 is totally anonymous and permissionless, it is easy for hackers to steal your wealth without getting any penalty. Web3 security is fragile; according to Decrypt, 10.5B in assets were recorded as lost to theft/fraud in web3 during 2021, which is about 4–5% of DeFi’s total TVL. Those are only the amounts that were recorded. There are more kinds of scams targeting ordinary users for which there are no statistics, and ordinary users do not have any effective solution to prevent those losses now. This might cause long-term injury to the whole ecosystem.
Those might be a little bit abstract, but I believe some of you in this channel have experienced some sort of scam. You might buy a token that cannot be sold. Or once you sell or transfer the token, some amount of the token goes to another unknown address. Those are the kinds of risks that ordinary users face more often, and according to our security API, we detect hundreds of such tokens every day. According to our observation, those scams/thefts include:
- Proxy contract
- Mint function
- Blacklist/whitelist function
- High buy/sell slippage
- Take back ownership function
- Airdrop scam
Those kinds of scams will be discussed later.
Also, BNB Chain has excellent features of low transaction fees and huge TVL, but those also attract scammers to BNB Chain and cause losses for users. Our API receives data on BNB Chain with dozens of scam tokens every day, reported by users. Using Go+ Security API, users can effectively protect their assets from scams and fraud.
Question 2 What security aspects do users often overlook when trading crypto?
A: There are various kinds of risks in crypto: token contract/smart contract risks, transaction risks, and interaction risks. And since general users often cannot read code, or simply do not have enough time to check it, they are easily exposed to the risks below:
Risks on contract level: Token & dApp contract security
Token security is highly related to the token’s smart contract. Users could encounter risks like fake tokens, tokens with unlimited mint possibility, black and white lists, suspended trading, modifiable tax, etc. Take probably the most well-known scam, the honeypot (which means you could buy a token, but you couldn’t sell it), for example. We’ve identified more than 100 ways to do a honeypot scam, and often those are mixed with other tricks too. And sometimes, even if the token is not honeypot-style, the tax under the token contract could be modified, which means it could also be switched into a honeypot anytime the contract owner wants.
Risks on transaction level: Owner Change, Price Slippage
Those are risks that are related to transactions. For example, the contract can change the token’s ownership to another address and users will lose the token.
Risks on interaction level: Phishing Sites, Black Addresses, NFT Authenticity (Real/Fake)
Like the OpenSea case in early 2022, some NFT players clicked a scam email that pretended to be from an OpenSea official. That email led them to a phishing site and caused millions in losses. Once you link your wallet to those phishing sites, you might lose your assets.
Question 3 What kind of security monitoring and alerting can Go+ Security do for token security?
A: Here I made a list of the functions that Go+ can provide for ordinary users.
1. Token Contract Security
(1) Whether the contract is open source
(2) Whether there is a proxy contract: detect the existence of a proxy contract that can modify the logic or parameters of the token
(3) Whether the contract has a mint function: if there is a mint function behind the contract, the token creator can mint and issue more tokens (and dump the tokens for profit)
(4) Contract real owner address: some projects will construct a fake owner address to deceive users, by which they actually still retain ownership of the token contract and can modify it
(5) Whether there is a take-back ownership function: whether the project party still has the opportunity to get back ownership after giving up ownership of the contract, and modify it to gain profit
2. Transaction security:
(1) Token with buy/sell slippage: when trading those tokens, users have to spend extra fees
(2) Whether the token is a honeypot token: detect whether the token can only be bought but cannot be sold
(3) Transaction tax can be changed: the owner of the project can modify the transaction tax of the token; if the transaction tax is too high, it may cause the token to become a honeypot token
(4) Token with black/white list: trading restrictions are set so that only some addresses can trade, or some addresses cannot trade
(5) Token with transaction suspend function: when triggered, the owner can directly suspend trading; no one can buy or sell after that
(6) Listed DEXes and liquidity: our detection results will also include the liquidity of that token and its listed DEXes.
3. Information Security
(1) Holder information: the Go+ API will detect information about the token holders, including the current number of holders, token supply, addresses of the top 10 holders, whether the address is locked, whether the holder is a smart contract, and a series of other information
(2) LP holder information: the Go+ API will find information about the token’s LP holders, including the current number of LP holders, LP token quantity, addresses of the top 10 LP holders, whether the address is locked, whether it is a contract, and a series of other information
(3) Whether the token is genuine or not: manual judgment to detect whether the token is a fake token pretending to be a well-known token
(4) Whether the team information is verifiable: manual judgment to verify whether the project team information is true or verifiable
(5) Whether it is airdrop fraud: manual detection to find out whether the airdrop token is real or a scam. Many fraudulent token projects will attract users to their website through an airdrop, and then cheat users to get private keys or wallet authorization.
Question 4 As you mentioned in the title: “everyone’s security tool.” So how to use that? What kind of security service does Go+ provide?
A: Go+ Security is an open, permissionless, user-driven security service platform for all types of blockchain users. It allows everyone to submit potential risks for detection and provides detection results dynamically, covering multiple security dimensions, and most importantly, it is easy to use.
Users only need to find the contract address of the token they want to check, go to the gopluslabs.io website, paste the address, and the website will give a result like the figure below. You can find out whether there is some kind of fraud in the token contract or not.
Also, Go+ will integrate its API with trading tools, DEXes, and explorers, so once users search for info about a token, the front end will warn of the token’s risks. The figures below are some screenshots from Li.Finance, CoinBrain & AveDex, which integrate the Go+ Security API. There are red signs behind risky tokens to warn users about the risks. But since different portals maintain their own way of final evaluation in the user interface, they could look different in the UI and in the way of assessment.
Those are three of our partners that integrate our API. Users can also reach our service via other partners, including Arbiproject, MSGSender, Gopocket, Mask, etc. They have integrated our security API to protect their users from scams. We would also like to talk with more partners who need security tools, to build a safer web3 environment together. If your products need security detection, we are happy to help.
In the near future we will launch functions including:
- Black address library: like traditional AML, we will partner with other security partners to provide the most comprehensive and up-to-date black address library and warn users to prevent them from interacting with those addresses.
- NFT detection: as NFTs are also a huge part of assets, we will provide NFT detection like token contract detection, to warn users about potential losses.
- dApp smart contract detection
Question 5 Why Go+, and not other security tools or security companies?
A: There are a lot of security companies out there providing security products and services, but Go+ is different in the respects below:
- Our product design is driven by real users’ needs
Again, as today’s main theme mentioned, Go+’s aim is to build everyone’s security tool.
Unlike audit firms and security tools, Go+ Security starts from the actual security scenarios of crypto investors, based on their needs.
It provides fast, accurate, low-cost, and optional security services for ordinary users. This kind of service is not available from existing security service providers in the crypto industry. Thus the market is an opportunity for us.
For now, Go+ provides a token detection service to users for free. The standardized data processing through our automated detection platform has nearly reached 1M API data calls per day from more than 200K independent IP addresses since February this year.
- Go+ Security is providing an open & permissionless security service platform, with the purpose of building web3 security infrastructure
Go+ Security is an innovative business for web3, and we really don’t see a lot of competition right now. Theoretically, security companies, whether auditing companies, Bug Bounty platforms, or security tool developers, could be competitors to Go+ Security. But in reality, they will find that Go+ is more likely to be their data and service platform. Based on Go+, these security companies can quickly improve their functionality and gain users and revenue.
They can get the most comprehensive risk database from Go+ Security (many security services lack data because they do not get a large enough sample size; detection results for many risks are very different under different data sample sizes), and they can get revenue from Go+ Security, where white hats can offer their services to users in exchange for payment without relying on any company, and auditing companies can get orders from the Go+ Security platform. Go+ Security is more like web3 infrastructure, helping security practitioners to have better security service capabilities.
- To become the “Everyone’s security tool” in web3
Go+ Security’s core strength comes from a focus on users, not on gaining revenue in the short term. Our team’s main focus is thinking about how to provide better security services to the general user, to fill the gap that exists in web3 today.
This determined from the beginning that Go+ Security’s technical path is different from others. Go+ Security will repeatedly think about all kinds of accidents that automated deployments may encounter, in order to allow users to submit with a single click, and will also try various solutions to decompose the EVM, in order to make risk identification more accurate.
Question 6 As I heard, Go+ is going to build a security service platform. What’s your plan for the future ecosystem?
A: We have observed a trend that more and more developers are integrating the API, and many of them have had the brilliant idea of utilizing our Security API data to solve long-tail security problems on top of it, while some of them also contribute more data in different dimensions, helping Go+ build a better, more efficient and more accurate security database. Go+ will insist on the principle of an open, permissionless & user-driven way, to reach more security service resources from white hats and developers for cooperation. Of course, onboarding developers and security practitioners is our first priority, as well as reaching cooperation with other wallets, DEXes, explorers, and trading tools. In the spirit of open source, we will make our risk data library public and provide other automated detection tools to further enhance security processing capabilities.
We are also thinking about launching DAO governance by the end of this year, to build a decentralized web3 security infrastructure for everyone, to make the security service more efficient, and to serve more users while keeping it open and permissionless in the long run.
Question 7 What’s your next step? Tell us more about your roadmap
A: Here’s our roadmap, and we will have a white paper soon to explain those in further detail.
- Black Address
- NFT Detection
- On-chain data monitoring
- dApp smart contract detection (now in beta testing, official version coming soon)
- Risk detection during users’ interaction process (e.g. phishing website/app)
- Support for Rust
- More customized security services
- Security DAO (beta version)
- Security DAO (official version)
- Privacy Model
- A more decentralized infrastructure upgrade
In Q2, we have exciting upcoming features such as smart contract and NFT detection. This will increase the overall security of users. Currently, it is easy to scam people using smart contracts, since 99% of users can’t read or check the code of smart contracts. Also, we will add Rust programming language support so that you will be able to detect risks in tokens or smart contracts on Solana and Near. Auditing code written in Rust is usually harder and takes more time, so this update will fill the gap.
Furthermore, we will add a real-time risk warning which will notify users when there is a security breach. For example, it will give you an alert when something unexpected happens on-chain, such as exploits in bridges, smart contracts, or flash loans. Then you can quickly react to save your funds or avoid using those applications. Sometimes even the developers of the projects notice it too late and don’t have enough time to react.
For Q3 & Q4, we would like to provide customized security detection, build a security DAO and privacy model, etc. Keep your eyes on us for more updates.
1. I have tried to search the name Go+ Security in Google but it doesn’t give any website link. Could you please share the website and social media links?
A: gopluslabs.io, and you can also find us on Twitter.
We will update our website and launch a new tech blog to introduce what we are doing, particularly to developers.
Please bookmark our website and the partner websites which have already integrated our Security API, like Li.FI, Avedex.cc, and Coinbrain.com as we mentioned. We welcome more developers & projects to take up our API, since it is open for everyone! “Open & permissionless.”
2. What was your motive behind making the Go+ Security project?
A: One point is, as we mentioned previously, there is a great need to protect ordinary users in the web3 world by detecting all kinds of risky prospects. Instead of only having a small group of people providing limited services to another small group of people, most ordinary users’ needs are totally ignored.
Many of our team members have long experience in web2 security, and we have seen big security companies turn from an early innovative stage into censorship, since most of their mechanisms are behind a black box. We think web3 could be a better environment, with a better possibility of forming a more open and transparent way to protect users.
3. Is Go+’s automated detecting tools open source? How does Go+ make a profit?
A: We are not open source yet. After all, a large number of our security policies depend on machine learning, semantic recognition, and sandboxing systems, which are our core competency, and in the short term this is not a system suitable to open up.
Of course, as our technology matures, we are now preparing to open up our strategy library to allow any developer to contribute their own algorithms. Our system will become more and more open source.
We are not worried about profitability; we have already provided some advanced long-tail services based on our security algorithms. Super real-time services and personalized services are accessed by some of our partners, and these services will bring us a lucrative share of profits.
4. What aspects of security does Go+ Security provide for smart contracts? Is it strong enough to give protection from hackers? How does Go+ Security work to secure smart contracts?
A: This is a good question, and we are indeed preparing to release our automated contract security detection tool for developers. Unlike traditional audit services, which are highly dependent on human resources, with high fees and a long lead time, the automated contract security inspection tool inherits our long experience in web 3.0 security and combines the mainstream security evaluation standards in the market to automatically flag potential static and dynamic risks in contracts.
It enables developers to avoid security risks at an early stage and at a very low cost. According to our experience, in the field of web 3.0, security vulnerabilities and attack methods are in fact highly similar, and we can help developers avoid most security risks in advance through technologies such as machine learning and semantic recognition.
We are equipped with a very rich library of vulnerability samples and an attack strategy library, which, combined with our sandbox system, can automatically identify currently common reentrancy, replay, DoS, and other potential vulnerabilities.
We also analyze and model abstractions of actual security events that occur on-chain, allowing us to evolve our strategy in real time.
5. I think the most important point for every blockchain audit protocol is TRUST from people. How confident are you that Go+ Security can earn people’s trust despite many competitors such as Certik, Solidity, and others having already captured people’s attention?
A: I totally agree with what you said. As I mentioned previously, we build a product for everyone, including all kinds of ordinary users, instead of only serving a small group of people.
Since most people, even many project teams, cannot access auditing services, or most of them need to wait in a long queue to get the service, there is great space to provide security services in web3.
Secondly, unlike a “one-time” audit, Go+ provides a dynamic risk detection service, since our service is open to everyone. Once a user runs a detection, we will refresh the detection result and make sure that risks raised by code updates are also covered on time.
The Go+ security service is also open to all developers and white hats, by providing our security API for free. We also welcome third parties to contribute more security data and long-tail customized security services to enlarge the risk scenarios we can protect against.
Thank you all for the AMA.