Listen at: idegen.fm
Contact us: @idegenfm
If you have a moment, please check out episode 13 I, Degen sequence on Zeevo. Give your feedback on the show, and we'll mint you a custom token of appreciation.
On this special episode of I, Degen we chat with Kevin Seagraves and Zach Herring from Niftyapes. They recently came out of stealth mode to launch their NFT lending platform and bravely agreed to an open-source audio audit with us.
Welcome to I, Degen, gentlemen, and thanks for taking the time to chat with us. Before we jump into the audit, can you tell us a bit about yourselves and what NiftyApes is?
Who are we talking to? Tell us about your background and how you built an NFT lending platform.
For KS: Can you tell us more about your work with ETHSecurity?
Hunt questions:
What is NiftyApes?
Let's talk about the "regen" side of NiftyApes and the 1%? that goes to public goods. Why was it essential for you to do this?
Security audits are expensive and rarely a priority for founders. This is especially dangerous when it comes to DeFi apps and protocols, given the natural ability of an attacker to take something of value.
The idea for our Open Source Audit is to help others learn about securing a crypto project by asking some questions about how you've approached the security of NiftyApes.
Can you give us a high-level overview of the tech stack? How does NiftyApes look from a zoomed-out view? Which components are web2, and which are web3?
Can you talk briefly about your overall approach to securing NiftyApes?
How have you approached the security of your web2 interface?
KS: We only store tx receipts in the DB after a tx has taken place and been confirmed, so the attack surface for us on web2 is low.
Have you taken steps to ensure your DNS records are secure?
Contract audits - Can you give us an overview of your process with the contract audits?
You guys have gone out of your way to prioritize security for NiftyApes (from the front page):
Nocoiners and others have been all over a brewing problem at the NFT lending platform BendDAO. Specifically:
"The NFT lending platform BendDAO has collateralized almost 3% of the entire Bored Ape collection, and many NFTs have recently entered the "danger zone" of liquidation."
ZW: Would this kind of thing be a potential problem on NiftyApes too?
Game-theoretic bugs are a new and emerging class of attacks in DeFi that don't necessarily exploit bugs in code, but rather bugs in the relationships between the values of pools, balances, and the connected systems.
In the coming years, we will likely look back at this as the golden age of on-chain hacks, where trivial bugs lead to massive payouts for blackhats.
ZW: Are you tracking any risks related to game-theoretic bugs, for example flash loan attacks?
The unprecedented sanctioning of the Tornado Cash contract addresses by the US Treasury in early August has added a new complexity for DeFi developers. What is your take on the sanctions at NiftyApes?
Any advice for crypto founders on how to develop and deploy more secure projects?
You can find more info about NiftyApes on their website niftyapes.money or their Twitter @niftyapes.
You can find Kevin Seagraves on Twitter [@captnseagraves](https://twitter.com/captnseagraves) and Zach Herring at @zherring.