Jucoin Labs:
Followin' we are also very honored to invite the Lunaray team to join our event today. They are actually an innovative company dedicated to blockchain security. Their goal is to provide more comprehensive security solutions for the entire blockchain ecosystem. Their uniqueness lies in the launch of a full life-cycle Web3 security solution, which has led a wave of trends in the industry. We look forward to a deeper understanding of our project through this exchange, and now let's move on to the AMA topic.
First of all, we warmly welcome the speaker to our AMA today, and we look forward to your simple introduction of the project, as well as the core concept, including the background of the project's establishment, to give our audience a deeper understanding. Thank you.
Lunaray:
Ok. Hello everyone! We Lunaray are actually a company mainly focused on the Web3 security ecosystem, and as the host introduced, we are committed to ensuring the security of our Web3 ecosystem. Our base is in Singapore, because we have also been struggling in the traditional security industry for many years, and we have seen that many of our friends in the Web3 industry have lost millions or even tens of millions due to security issues, which is really heartbreaking, because they are our friends in the Web3 security field, right?
Lunaray:
They may be due to some personal security awareness issues, or because they don't understand the importance of security, which can lead to the theft of their entire or most of their assets by hackers, which I find very heartbreaking.
Therefore, we established Lunaray to ensure the security of the Web3 ecosystem. Our mission at Lunaray is to help industry friends as much as possible to avoid hacker attacks and ensure the security of their assets, right? To ensure that everyone as a Web3 player and Web3 user can truly operate with confidence in the Web3 field, this is our mission.
Lunaray:
Of course, we at Lunaray have been established for about 8 years, and we have accumulated a lot of experience in the service industry, and we have transformed the relevant experience into relevant security services to ensure the security of users in our industry. Because this is our mission, our goal is to make Web3 more secure, without worrying that one day you will open your wallet and find that all your assets have been stolen by hackers, right? We also provide industry-leading full-chain Web3 security solutions, and this is a simple introduction to our Lunaray team.
Jucoin Labs:
Okay, thank you very much. In fact, through the introduction just now, I think everyone is also very eager to learn more about how Lunaray specifically protects user security, and on the issue of user security, I believe every listener or friend is very concerned about the core issue.
In the field of blockchain security, technology is the core advantage, especially in terms of security, it needs to be fully guaranteed in technology. What unique highlights does Lunaray have in technology, and can you share with us your product system and the overall service system and process?
Lunaray:
Ok. I believe we are all as Web3 players, and for Web3 users, you may have heard a saying, which is that if you haven't been hacked by users in Web3, it's like we haven't entered the Web3 industry. Although this is a joking remark, it can also indirectly show that hackers or attackers are rampant in the Web3 field, because Web3 has a series of characteristics, such as anonymity, right? The feature of anonymity makes hackers not have to worry about their behavior being discovered by others, or can better hide their attack methods and steal funds, right? This is the current state of web3.0.
Lunaray:
As a security team, after in-depth research on these situations, we have summarized our own set of security solutions, and we provide full life-cycle solutions for Web3 projects.
Many people may say that we only need security solutions, what is a full life-cycle security solution? We integrate security into the entire life cycle of the Web3 project, because for a Web3 project, we know that it may have a project planning cycle, project development, project launch and operation, and finally project continuous iteration and update, right?
Lunaray:
So the first step in integrating security into the entire life cycle of the project is that in the project planning stage, we provide some security consulting and security training, because many of the project parties or project teams who do Web3 projects may not be security professionals, they may have a very good idea.
They just implement this idea, but they may lack some security concepts, they may design models, for example, a simple example, it may involve economic models, security vulnerabilities, right? If the ecological economic model has security vulnerabilities, it may hinder the early or mid-term development of the project, right?
Lunaray:
Being attacked by hackers can lead to the overall disruption of the project's operations, so we can provide some security consulting and security training services to the project parties in the project planning stage. We share the security issues we have summarized from our daily research process with the project parties, so that the project parties can design a robust and secure economic model or security architecture when designing the project, right?
When the project is in the development process, if the architecture is secure, then as long as we ensure the security of the development, we can ensure the overall security of the project.
Lunaray:
The first step is that we provide security consulting and security training at the project planning stage. The second step is when the project planning and design are completed, and in the secure development stage, right? The project may need to develop some things like smart contracts, or develop some products like wallets.
When the project is in development, we also get involved, we can provide security assessment for the project, code security assessment during development, and security audits after development, and a series of services.
As I mentioned earlier, because many project parties or developers actually don't have a very deep understanding of security, or have done a lot of in-depth research in the security field, the code they develop, including smart contract code, may have some security issues that can be attacked by hackers.
Lunaray:
We as Web3 players can all see that in the Web3 field, there are countless cases of smart contracts being attacked, and the loss is in the millions or tens of millions.
So during the project development, we can also provide some security assessment and security audit solutions for the entire project development code. Then in the subsequent project operation, we can also provide security monitoring, threat intelligence and simulated attack services for the project in operation.
Some people may wonder, our project has been developed and designed, why do we still need security when we deploy it to the chain or officially operate it?
Lunaray:
I can give you a case example, there was a very famous DeFi project before, and it was actually attacked on the chain once. After the attack, the attacker completely depleted all the funds in their lending pool, right?
In fact, when we analyzed the attack, we found that the hacker did not succeed in the first attack, because he lacked Gas Fee, which caused the attack to fail, but the transaction had already been published on the chain.
Followin' must be translated into 'Followin'. <助记词>seed phrase must be translated into 'seed phrase'. <貔貅盘>crypto honeypot must be translated into 'crypto honeypot'. DeFi must be translated into 'DeFi'. Gas must be translated into 'Gas'. Token must be translated into 'Token'. gas must be translated into 'gas'. USDT must be translated into 'USDT'. TRON must be translated into 'TRON'. ETH must be translated into 'ETH'. HT must be translated into 'HT'. AR must be translated into 'AR'. ONT must be translated into 'ONT'. RON must be translated into 'RON'. CHR must be translated into 'CHR'. OKX must be translated into 'OKX'.Followin': However, the cloud disk may have a weak password, and his account may be a weak account, right? It may be hacked, and after downloading the screenshots or related documents from his cloud disk, the attacker may have recovered the private key to complete the attack.
Right? Of course, there are also various other relatively niche attacks that I won't go into one by one, but the main purpose of these attacks is to steal the private key, which is the first major category.
The second major category is to deceive the transaction signature. Deceiving the transaction signature is actually a relatively common attack, right? It's a pure on-chain attack, or it may not be a pure on-chain attack, but it's all done through signatures, right?
It's that I trick you into signing a transaction signature, and once you sign the transaction signature, the hacker can take over your assets or steal your assets.
Followin':
There are several ways to deceive the transaction signature. The first is the deception of on-chain authorization, where the attacker's contract requires you to sign an authorization transaction, authorizing a certain amount of USDT to his address, and once you sign the transaction, the attacker can then transfer the money from your account.
The second is the deception of off-chain authorization, where the signed transaction needs to be sent to the blockchain. The off-chain generator, the hacker lets you sign a transaction, but this transaction does not need to be sent to the chain, you just need to send the signed result to the hacker, and then the hacker can use the chain to transfer your money.
Followin':
Next is the deception of multi-signature authorization, where through blockchains like TRON, there is a multi-signature function, right? The hacker lets you multi-sign a transaction to transfer your transfer and ownership to the hacker, and then the hacker will control your address.
The last one is the deception of fake transactions, where the hacker sends you a fake transaction, which looks fine to you, but once you sign it, it transfers the funds to the hacker. The third one is the similar address attack, which is actually quite common, and many people may have noticed it. Whenever you receive a payment, there will be a similar address sending you a Token, and the similar address is very similar at the beginning and end, so it's hard to tell the difference if you don't open it, right?
Followin':
But if you're not careful, when you copy the address, you copy the fake address, and you end up transferring the money to the hacker. Although it doesn't seem easy to be deceived, there are still many people who have been deceived by these attack methods and transferred their funds to an unrecognized address, right?
The fourth is the attack on the accounts of centralized exchanges, right? There are several ways to attack the accounts of centralized exchanges. The first is the simplest, which is to steal the account and password. I get an account and password, and through that I can control the exchange account to transfer money, but this stealing of account and password may be less and less common these days, because the major exchanges have probably done a good job on security measures, and just having the account and password is not enough to withdraw, you may need two-factor authentication, email verification code, and so on.
Followin':
Then there is the theft of cookies. Our cookies are actually a way for us to authenticate on the exchange. For example, when we operate the exchange, we log in through the browser, and then when we close the browser, the next time we open the browser, we are still logged in, and we didn't enter the password. This is because we have a Cookie, and the attacker can steal the cookie to operate our centralized exchange account and steal our assets, right? Next is the remote control of the computer to operate, directly installing a Trojan on our computer to directly operate the browser on our computer to complete the transfer of funds, these are the ways to attack the centralized exchange.
Followin':
The fifth way is that the wallets and other Web3 facilities used are attacked by supply chain attacks, for example, have you heard of the case where the Atomic Wallet was attacked? Many people used the Atomic Wallet, which is said to be a decentralized wallet, but after using the Atomic Wallet, they found that their private keys were not leaked, and the private keys were stored offline, but their money was still transferred away. At that time, the Atomic Wallet incident was quite big. According to our analysis, it should be that the Atomic Wallet suffered a supply chain attack, and the attacker planted malicious code in its code, so when you use the official Atomic Wallet, the code has already been implanted with malicious code, causing the information you generate to be obtained by the hacker, right?
Followin':
Of course, software wallets and hardware wallets may also be attacked by hackers. So when we choose hardware wallets and software wallets, we must choose large suppliers. Why do we need to choose large suppliers?
First, their security capabilities are strong, right? As a large supplier, they can invest a lot in security to ensure their security level, right?
Second, their compensation ability is strong, right? If we use a small exchange or a small wallet, if it is attacked, it may just run away, and we will lose without any compensation. Of course, if we use a large exchange or a large wallet, if there is a security incident in the exchange or wallet, they may compensate us to reduce our losses.
Followin':
The last one is the fake project, and we have seen a lot of fake projects, such as the crypto honeypot, for example, we may invest in some fake projects when investing, which may also lead to the loss of our assets. These six points summarize the common ways for users to lose their assets in the Web3 field, right?
Overall, it is mainly due to the lack of security awareness, right? Causing us to easily believe some attackers, easily believe some false things, resulting in the loss of our funds.
Jucoin Labs: Thank you very much, I actually learned a lot during the process of listening. I believe our audience friends will also pay more attention to security issues in the future, and try to avoid them as much as possible. In fact, what we just discussed was mainly about how security issues arise, including some common or easy-to-guide behaviors that lead to security vulnerabilities and result in fund losses. Users need to take some measures to prevent this. Especially for our individual users who are just entering the circle or not very familiar, how can they better avoid all these situations? Are there some simple ways to give our community users a brief introduction? Lunaray: No problem, and I just said that most of the attack incidents are actually caused by the lack of security awareness of users, right? So in order to prevent our assets from being stolen by hackers, the main thing is to improve our own security awareness. I have summarized a few points here, and these points are all very important. If we can do these, it may be 95% done, and the remaining 5% may be very difficult, but I think as long as we do well in these 95%, we can largely ensure our security. The first is that when we download software, download wallets or other plugins, the first point is that we need to compare the URL, to see if the download URL is the official URL, right? This is the first point. It's actually very simple. The second is that when we download plugins or use plugins, we must pay attention to whether the plugin we use is officially released, for example, when we download plugins in Chrome, there is also an issuer, we need to compare whether the issuer is the official issuer. Lunaray: The third is that when we download plugins or download wallets and other software, we must download them through official channels. Lunaray: The second is the problem when we sign on-chain transactions. The first point is that when we authorize, we must pay attention to the object of authorization and the amount of authorization. Lunaray: And one more point about the similar attack, how do we pay attention? When someone transfers to us, when we copy the address, we must not only compare the beginning and end, right?Here is the English translation of the text, with the specified terms preserved and not translated:Because constructing addresses with similar beginnings and endings is actually quite easy, a powerful computer can generate them in a very short time. We must be more careful and check all the digits of all the addresses, right? Then we can see and prevent the attacks.
Of course, there is another very important point - how to ensure the security of the accounts of our centralized exchanges, right? I have summarized a few points: first, the exchange account must be set up with two-factor authentication, which is a good way to protect the account.
Lunaray:
The second point is that we should try to keep our large fund accounts or wallets independent from the wallets we use daily. For example, I may have 100,000, but I usually only use 10,000 USDT for operations, leaving the remaining tens of thousands of USDT in an account or cold wallet that I don't use often. This can prevent us from suffering huge losses if we are attacked unintentionally or by hackers in our daily operations, right?
This can reduce the losses we suffer after an attack, because no one can guarantee that users will not be attacked 100%. We can only do risk control to greatly reduce user risk.
Lunaray:
The last point is that when using wallets, exchanges, or Web3 infrastructure, we must choose large-scale providers with strong security capabilities and compensation capabilities to provide us with better protection. Finally, when participating in projects, don't fall into the trap of and the like.
Jucoin Labs:
Okay, thank you very much. I think these suggestions are very meaningful and effective for all our audience friends today, and I really hope that each of our audience friends can keep these suggestions in mind and implement them in every action and detail of their on-chain operations to ensure their fund security.
This AMA event is actually a multi-community dissemination and participation, and it also supports everyone to better understand the issue of security. In order to better popularize security knowledge, I am also curious whether Lunaray has plans for more security education activities in the future, including how to make users better understand some basic knowledge, and whether the knowledge shared with our audience friends today will have more contact scenarios in the future to let other people know this information. Do you have such a plan?
Lunaray:
Okay, I think as our vision says, our vision is to make web3 more secure, so we also look forward to contributing our professional strength in the Web3 field to make the Web3 world more secure. So in the future, we will also invest more efforts in community activities. In fact, in community activities, for user training and explanation, we will talk about what is secure and what is insecure, which is simple education, right?
We will talk about how hackers attack and how we should defend against these attacks, which is our education.
The second aspect is the experience. This attack is not a real on-chain attack, but a simulated attack in a test environment. We have been doing this, right? We build experimental environments based on real attack methods, but all the backends are connected to test chains, so users won't suffer real losses. When users operate on the test chain, they can experience what consequences the attack will bring if their money is lost. I think this is our philosophy of "practicing is better than preaching a thousand times", and this is what we want to do in the future.
Lunaray:
Of course, as I just mentioned, we will also invest more efforts in the community to do this, to strive to make most of our users understand, experience, and be able to better protect their assets.
Jucoin Labs:
Okay, thank you very much. I just felt that letting users experience the test chain is very rare and can really make everyone recognize the deficiencies in their own operations. I believe that after today's audience friends understand this, if there is an opportunity in the future, they will also very much hope to participate in this experience and testing, including optimizing their own security awareness.
In terms of market positioning, what is the customer profile of Lunaray's main customers? I just heard that you also provide a lot of security-related services for project parties, and have some suggestions for individuals, including doing some security testing. How to meet the needs of different customers, and whether there is a more detailed plan, as well as the overall plan for the services provided to different customers.
Lunaray:
Okay, Lunaray's main customers actually have a few aspects. Of course, the needs of these customers are more or less the same, but the core point is actually very unified, which is to protect asset security. Their needs may be slightly different, right?
Because different types of customers have slightly different business forms, we have also proposed targeted solutions. For example, for centralized exchanges, their problem may be that their attack surface is very wide and their business logic is very complex. It may involve the security of employees, the security of the operating environment, the security of R&D, and the security of compliance and emergency response, right?
Lunaray:
So we provide a series of services for centralized exchanges, such as network security construction, how to ensure the security of the R&D environment, testing environment, and operating environment, as well as compliance, because as we all know, various countries are now putting forward compliance requirements, including Hong Kong, Singapore, and Malaysia. We have also conducted a series of studies to help them meet these compliance requirements.
Another point is emergency response, because exchanges are big targets, with large funds and assets, so hackers are also willing to invest more costs to attack them, right? So we also have some emergency response services. When an exchange is attacked and partially compromised, we can help the exchange analyze the reasons, and how to improve and enhance our overall security processes to raise the security level.
Lunaray:
Of course, we also provide security testing and security audit services, including security design, security testing for the exchange's code, website, and APP, as well as security audit services.
The second aspect is that we provide services for project parties, as I just mentioned, we provide a full life cycle service from project preparation, development, to operation, including security consulting, security auditing, and security monitoring services, right?
We provide comprehensive coverage of the entire Web3 project life cycle to minimize the security blind spots of Web3 and maximize the protection of customer security.
Followin', of course, the last one is aimed at ordinary users, we ordinary users, our security service for ordinary users is mainly about the service of recovering lost assets. Many customers may have some problems, such as their wallet has been staked or has some short positions, but if the wallet's private key is stolen by hackers before the staking or airdrop expires, right?
Lunaray:
So we want to get back the assets we have staked and the airdrop assets, but they haven't expired yet, but I'm afraid that after they expire, the assets will be directly taken away by the hackers, so we also help customers use our technical capabilities to recover the assets for the customers as soon as they expire, right?
Basically, these are the main services we provide for our customers.
Jucoin Labs:
Okay, thank you very much. So after understanding the general services, whether it's a project party or an individual, they actually have the opportunity to communicate with the Lunaray team. Whether it's through the Twitter account that the audience friends have noticed today, or actively interacting and leaving messages on the Twitter account, we are really looking forward to everyone raising their security awareness and protecting their own capital security, especially on-chain. In addition, in the Web3 field, security issues are a long-standing topic, so there will be many similar competitors or other companies providing corresponding services. Does Lunaray have any unique or differentiated advantages that can be shared with everyone?
Lunaray:
No problem, in the Web3 field, our observation of the industry is that the security services of many security companies in the Web3 field are quite homogeneous, such as providing contract code audits and deep testing, right?
They may be quite homogeneous, so I think the core advantages of Lunaray, or the points where we differ from these homogeneous services, are where, right?
I think our core advantages are in two points. The first point is that we have strong technical capabilities, right? We have a deep technical accumulation and rich industry experience. For example, we have a product called on-chain attack monitoring and interception, and we will conduct continuous monitoring on a Web3 project.
Lunaray:
When we detect a suspected attack, we can intercept this attack. I think there are not many security companies that can do this, right? Of course, this is based on our deep cultivation in the Web3 field, and we have invested a lot of resources in research, right?
The second point is that we can provide a full life cycle security service, right? As I just said, many Web3 security companies are currently only at the level of security audits, but security audits alone are not enough, because security is actually an industry that is very applicable to the barrel principle, that is, security is actually a barrel, and only when all points are done well can you raise your security level, but as long as you have one point that is not done well, your security level is determined by the lowest point, so we provide this kind of full-chain, full life cycle security service, right?
Lunaray: We participate in Web3 projects or provide services to customers in the form of security consultants, right?
Starting from the customer's program design, project design, or economic model design, we provide security training, user education, and security promotion, to code security audits and some modeling, and finally to the security of operations and deployment, including security monitoring, intelligence, and post-incident response, to integrate security throughout the entire chain and comprehensively enhance the security level of users or enterprises or projects, so as to make each board of the barrel longer and empower the security of the entire project to improve its resilience.
Jucoin Labs: Okay, that's great. I feel very excited after listening, that there is such a team truly making a great contribution to providing security services for Web3 projects or individuals.
Looking to the future, we can see that the Lunaray team has great advantages in both R&D capabilities and the technical team. In terms of community building, do you have any plans and goals to ignite more of our users or projects to participate and understand their security issues, while also supporting Lunaray to become a leading force in the Web3 security field?
Lunaray: Lunaray is still a technology-centric company, right? We will still focus our main efforts on the technical level, just like before. We will invest a lot of energy and resources in confronting the attackers, and of course we will also devote some energy to packaging our research results, right?
As we just mentioned, we will put a lot of energy into confronting the attackers, then we will analyze the latest attack methods on the attack and defense side, and then we will research how to defend against these attack methods, right? Research the engineering mitigation measures and form our security solutions, and output them to our customers or our projects or our individuals, right?
Lunaray: Secondly, we will also summarize the frequent security incidents in the Web3 field, analyze the main reasons and attack methods, and form educational materials, which we will input to the community, right?
On the one hand, we will package our research results into our R&D solutions and output them to projects, exchanges, enterprises, etc. We will also study the security defense methods for individuals, and input them to the community to help more Web3 users improve their security awareness, stay away from security attacks, and ultimately achieve our vision of making the Web3 world more secure.
Jucoin Labs: Okay, today we have all gained a lot of valuable experience and knowledge, especially in the field of asset security, which is the most important aspect. I believe our audience friends have also gained a deeper understanding of blockchain security knowledge and personal asset protection.
We also look forward to everyone being able to apply the knowledge learned today to practice. Finally, I would also like to remind everyone again to follow our and Lunaray's official accounts, and look forward to our future activities and plans. We'll see you next time, thank you all.
