Yo Sub Kwon, CEO of Hosho: Crypto Newcomers Should Look for Audited Smart Contracts
Smart contract security is still a young sector, and Hosho is one of the companies dedicated to finding faults in smart contracts.
Yo Sub Kwon is the Co-Founder and CEO of Hosho, the leading blockchain security company that conducts smart contract audits and penetration testing of exchanges and blockchain protocols. Yo is also currently the Managing Partner of Pink Sky Capital, an investment fund focused on blockchain technology. As an early contributor to the blockchain and cryptocurrency space, Yo Sub Kwon was the co-founder of Coinsetter, one of the first US-based exchanges, which was acquired by Kraken in 2016.
He went on to be the architect and co-founder of LaunchKey, a cybersecurity company focused on a multi-factor authentication platform, which was Pantera Capital's first non-blockchain investment and was acquired in 2016 by Iovation. In 2013, Yo was named in Inc. Magazine’s prestigious “30 Under 30” entrepreneur list. Cryptovest contacted him for a special Q&A session related to a recent discovery of a faulty ERC-20 contract with a backdoor to control the token.
How is a newcomer to the world of crypto coins and tokens able to see warning signs?
It's difficult for a newcomer to discern warning signs among the vast amount of projects and information available. How transparent a team is on their practices and security is a really good indicator to the legitimacy of a project. A company that actually intends on being around for the long term is going to value their security and want to protect the assets of their investors and users.
What are the red flags for a flawed project, a dishonest or faulty smart contract?
The largest red flag that a project may be dishonest about their smart contracts is that they haven't had them audited by a reputable firm, or that some parts were specifically excluded from an audit. An audit report should lay out security issues discovered and any disparity between the whitepaper or technical specification and the smart contracts.
Can you give, in simpler terms, examples on how smart contracts could divert funds?
A smart contract is just programming code and can be written to do whatever the writer specifies. There are smart contracts in high-profile projects that already exist with absolute control including the ability to move money from any wallet, delete tokens, or create any quantity of new tokens. These would be great concerns for investors and exchanges if they were made fully aware of the implications.
In a rough estimate, what size is the market for smart contract security and audits? Projects are coming in all the time, and the landscape changes, but still, who will need those services in the future?
It's difficult to calculate the size of the smart contract security market because it grows so quickly. Right now it's heavily skewed towards new projects that plan on doing a token sale, but an increasing amount of the work is on established companies releasing applications that heavily make use of smart contracts. My prediction would be that large enterprise companies that build widely-used smart contracts will require smart contract services the most.
Do you think investors may lose trust in tokens as a whole? What to do to prevent this?
The entire blockchain industry has an inherent bias towards trustless systems and that can actually be one of the appealing aspects of smart contracts. We have definitely seen a shift over the past year towards investors and exchanges demanding a much higher level of transparency and security requirements before getting involved. These requirements will continue to increase as the industry becomes more educated and naturally adjusts.
In the end, does anyone benefit from stealing tokens, only to see them lose all credibility?
Hosho strives towards educating the industry and increasing the general security of the space as it really serves to damage the reputation of the space as a whole when hacks happen so frequently. A hacker may be able to liquidate some of the tokens they steal or sit on them hoping the project survives and they can sell them later.
What is the most serious threat in smart contract security?
There are so many different kinds of critical level vulnerabilities that we've seen, that it's difficult to really declare a particular threat as the most serious. Being able to take ownership of an ERC-20 contract to steal all the Ethereum and tokens is one of the worst though.
How can a regular investor find protection? What research is needed?
This is still a highly risky space. Everything from protecting cryptocurrency in wallets, price fluctuations, and the security of the projects being invested in from all aspects. I would recommend that investors leverage the skillsets of those they trust for a more comprehensive understanding of a project before investing. At the end of the day though, there is always risk and it's important to be aware that even the best vetted projects can still have unexpected events occur that drastically affect the investment.
How does Hosho spread the knowledge about quality smart contracts that can be trusted?
As the premier auditor in the space, Hosho realizes that our audits signify to investors and exchanges that the smart contracts audited have been written securely. We allow our clients to use our logo to indicate they've been audited and encourage them to release the audit report with our GPG signature to be transparent and prove that the audit did in fact come from us.
Hosho is the global leader in blockchain security, specializing in enterprise-grade security services for Fortune 500 and early-stage companies alike. Entirely focused on the blockchain industry, Hosho is setting the standard for blockchain security, providing state-of-the-art smart contract auditing and penetration testing services.
With blockchain, the repercussions of a security hack are much greater than in traditional technology, making cybersecurity-related services of the utmost importance. Hosho plays an important role in the nascent blockchain industry by resolving issues that often lead to funds being lost or stolen.