When ICONLOOP Chief Technology Officer Edward Ryu joined the ICON family four months ago, the network was looking to scale up and needed people to make it happen. Ryu thought it was a good opportunity, too.
“I was interested in blockchain, and I thought it would be a good opportunity,” he recalls. “I thought there would be a lot of things to do in blockchain, that it was a new technology, that it would be exciting.”
He was right about there being a lot of things to do. As ICONLOOP’s CTO, Ryu leads and coordinates a very busy development team hard at work growing and strengthening the musculature powering the ICON network. He also plays a public role in explaining and promoting blockchain to potential clients.
He’s a problem solver at heart, though.
“Personally, I like the process of fixing problems when they occur.”
A bigger gap
The veteran developer helms ICONLOOP’s technical operations as blockchain begins to emerge from its infancy. Because the technology is so new, Ryu sees a chasm between the platform and its users. “The technology is in its base stage,” he says. “There aren’t yet many services that customers can use. I think this is why blockchain isn’t that widespread yet.”
This contrasts with his previous experience working with other platforms. “Compared to other platforms I built on such as Android or Java, the gap between the platform and user is much larger in blockchain,” he says. “Because the platform just started.”
As the ICON Foundation’s main technology partner, responsible for building the blockchain engine that powers ICON’s public network, ICONLOOP is striving to bridge the gap by helping build out the platform. As part of this process, Ryu took part in drawing ICON’s most recent roadmap. “Everything is currently fixed around electing the P-Reps,” he explains, referring to the recently commenced campaign to select the main nodes that will run ICON’s decentralized network.
Drawing a roadmap is no easy task, especially for a project with a lot of moving parts. Conditions change on a daily basis. This is why many blockchain projects – ICON included – don’t even bother making their detailed-but-very-much-subject-to-change internal timetables public. “We only post a timetable for important milestones,” says Ryu. “For the details, we have an internal timetable, but we don’t make it public.”
White hats
Ryu’s ministerial portfolio, so to speak, includes making sure the internal machinery of ICON operates smoothly. This means finding vulnerabilities before bad actors find them for you.
Fortunately, Ryu and his team don’t have to do this alone. “Everything is open source,” he says. “It’s an invitation for anyone to see the code and help us if there seems to be a problem so we can fix it.”
To wit, the ICON Foundation announced last year a bug bounty program with HackerOne, a global cybersecurity network of more than 100,000 registered hackers and a list of clients that includes the Pentagon, Google, Microsoft, Facebook, Starbucks and GM. Under the program, external researchers – i.e., white hat hackers – can earn rewards for discovering vulnerabilities and reporting them to ICON.
“They find the weaknesses that we hadn’t thought of,” says Ryu. “We’ve been working with HackerOne for about three months, and they’ve reported about 14 vulnerabilities.”
He explains that though most of those 14 reports were not actionable, three were significant enough to earn bounties. One involved Pickle, Python’s built-in object-serialization module – but more on that a bit later. Another involved secrets such as private keys being hardcoded into the source code. The third fixed a vulnerability that could have led to denial-of-service attacks.
ICON has gotten some unsolicited help from outside HackerOne, too. Conducting its own survey of local blockchain projects, the Korean R&D group Adevt released the results of its analysis of ICON in January.
It announced it had found a vulnerability in Loopchain’s use of Pickle, the Python serialization module the code used to send and receive data. Because unpickling reconstructs arbitrary objects and can call functions while doing so, Adevt reported that a hacker could use this to infect the entire network with malicious code. It also took ICON to task for failing to properly sandbox its network.
ICON responded at the time that it already knew about the vulnerability, discovered through the HackerOne bounty program in December. It also said the problem module wasn’t actually in use, and that the Pickle library would be removed before the election of the P-Reps.
Adevt countered that, among other things, the vulnerability they found was in one of Loopchain’s functioning modules.
“The Pickle library is used in several of Loopchain’s modules. So what ADEVT found may be different from what HackerOne found,” responds Ryu. “The important thing is that Pickle may be a problem only if Loopchain receives pickled data from untrusted external parties, but this never happens in the current controlled environments. Adevt’s entire hacking demonstration is based on the assumption that one node is hacked.”
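The condition Ryu describes, Pickle being dangerous only when pickled bytes arrive from an untrusted party, is worth seeing concretely. The following is an added illustration written for this article, not Loopchain’s code or Adevt’s demonstration: the `Payload` class, the `side_effect` stand-in for attacker code and the sample message are all constructed for the example. It shows that `pickle.loads` runs a callable chosen by whoever produced the bytes, and one hardening pattern, an `Unpickler` whose `find_class` refuses every global reference so that plain data still loads but nothing can be called.

```python
import io
import pickle

# Record of "attacker" code that ran. Stands in for the real effect
# (os.system, file writes, a reverse shell) so the demo stays harmless.
EXECUTED = []


def side_effect(tag):
    """Hypothetical attacker-chosen callable (constructed for this example).
    A real payload would point at os.system or subprocess.Popen instead."""
    EXECUTED.append(tag)
    return tag


class Payload:
    """pickle serialises the return value of __reduce__ as the instruction
    'call side_effect("attacker-code-ran")', and pickle.loads performs that
    call while deserialising, before any application code sees the object."""

    def __reduce__(self):
        return (side_effect, ("attacker-code-ran",))


def build_malicious_pickle() -> bytes:
    return pickle.dumps(Payload())


def build_benign_pickle() -> bytes:
    # Constructed sample of the kind of message two nodes might exchange.
    return pickle.dumps({"height": 42, "tx_hashes": ["0xaa", "0xbb"]})


def unsafe_load(data: bytes):
    """The vulnerable pattern: unpickling bytes received from a peer."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuses every global reference. Scalars and containers (int, str,
    bytes, list, dict, ...) are encoded with dedicated opcodes and never go
    through find_class, so they still load; anything that names a function
    or class is rejected before it can be called."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_load(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def load_rejected(data: bytes) -> bool:
    """True if safe_load refuses the data without anything having executed."""
    before = len(EXECUTED)
    try:
        safe_load(data)
    except pickle.UnpicklingError:
        return len(EXECUTED) == before
    return False


if __name__ == "__main__":
    print(unsafe_load(build_malicious_pickle()), EXECUTED)  # attacker code ran
    print(safe_load(build_benign_pickle()))                  # benign data still loads
    print(load_rejected(build_malicious_pickle()))           # True
```

The restricted unpickler is the minimum fix when the wire format cannot change immediately; it closes the code-execution path but still lets a peer send arbitrarily nested data. Where the message format is fully under the project’s control, replacing Pickle with a schema-checked format such as JSON or Protocol Buffers, as ICON said it planned to do, removes the class of problem rather than fencing it.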
As for the sandboxing, well, that’s another issue, Ryu explains. “We’re currently doing audits so that bad contracts don’t enter the network,” he says. “So it doesn’t look like there will be a problem.”
Nonetheless, ICON is considering erecting a sandbox, he says, should the growth of the network make its system of audits prohibitively expensive.
What about the DEX? And what’s this DID thing?
Ryu spoke at the Korea Blockchain Game Show in January, introducing ICON’s reward system and fee structure for DApp developers. He also provided a teaser for two upcoming services, the decentralized exchange (DEX) and decentralized identification (DID).
The DEX requires no introduction. “It’s under development,” he says, explaining that they’ve crafted the contract that would allow them to exchange ICX or IRC2 tokens in accordance with the Bancor Protocol.
The DID, meanwhile, provides users with some data sovereignty by breaking with centralized identification systems prone to abuse and security violations. The idea predates blockchain, says Ryu, but blockchain has helped bring it closer to reality. “The reason,” he says, “is that you need to be able to confirm that a DID hasn’t been forged or changed after it has been issued.” ICON’s DID will be based on CHAIN ID, which the network released last year as the world’s first blockchain-based joint authentication service.