“I was interested in
He was right about there being a lot of things to do. As ICONLOOP’s CTO, Ryu leads and coordinates a very busy development team hard at work growing and strengthening the musculature powering the ICON network. He also plays a public role in explaining and promoting blockchain to potential clients.
He’s a problem solver at heart, though.
“Personally, I like the process of fixing problems when they occur.”
A bigger gap
The veteran developer helms ICONLOOP’s technical operations as blockchain begins to emerge from its infancy. Because the technology is so new, Ryu sees a chasm between the platform and its users. “The technology is in its base stage,” he says. “There aren’t yet many services that customers can use. I think this is why blockchain isn’t that widespread yet.”
This contrasts with his previous experience working with other platforms. “Compared to other platforms I built on such as Android or Java, the gap between the platform and user is much larger in
As the ICON Foundation’s main technology partner, responsible for building the blockchain engine that powers
Drawing a roadmap is no easy task, especially for a project with a lot of moving parts. Conditions change on a daily basis. This is why many blockchain projects – ICON included – don’t even bother making their detailed-but-very-much-subject-to-change internal timetables public. “We only post a timetable for important milestones,” says Ryu. “For the details, we have an internal timetable, but we don’t make it public.”
Ryu’s ministerial portfolio, so to speak, includes making sure the internal machinery of ICON operates smoothly. This means finding vulnerabilities before bad actors find them for you.
Fortunately, Ryu and his team don’t have to do this alone. “Everything is open source,” he says. “It’s an invitation for anyone to see the code and help us if there seems to be a problem so we can fix it.”
To wit, the ICON Foundation announced last year a bug bounty program with HackerOne, a global cybersecurity network of more than 100,000 registered hackers and a list of clients that includes the Pentagon, Google, Microsoft, Facebook, Starbucks
“They find the weaknesses that we hadn’t thought of,” says Ryu. “We’ve been working with HackerOne for about three months, and they’ve reported about 14 vulnerabilities.”
He explains that though most of those 14 were nothing, three were significant enough to earn bounties. One involved the Pickle third-party library – but more on that a bit later. Another involved personal data such as private keys sometimes being hardcoded into the source code. The third concerned a vulnerability that could have led to denial-of-service attacks.
ICON has gotten some unsolicited help from outside HackerOne, too. Conducting its own survey of local blockchain projects, the Korean R&D group Adevt released the results of its analysis of ICON in January.
It announced it had found a vulnerability in the use of Pickle, a third-party library used to send and receive data.
ICON responded at the time that it already knew about the vulnerability, discovered through the HackerOne bounty program in December. It also said the problem module wasn’t actually in use, and that the Pickle library would be removed before the election of the P-Reps.
“The Pickle library is used in several of Loopchain’s modules. So what ADEVT found may be different from what HackerOne found,” responds Ryu. “The important thing is that Pickle may be a problem only if Loopchain receives pickled data from untrusted external parties, but this never happens in the
As for the sandboxing, well, that’s another issue, Ryu explains. “We’re currently doing audits so that bad contracts don’t enter the network,” he says. “So it doesn’t look like there will be a problem.”
Nonetheless, ICON is considering erecting a sandbox, he says, should the growth of the network make its system of audits prohibitively expensive.
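To illustrate the Pickle point above, here is an added example that comes neither from the interview nor from Loopchain's code. It shows a receiver that refuses any pickled message referencing a global, next to a JSON loader that carries data only. The message contents and function names are assumptions made for illustration.

```python
import collections
import io
import json
import pickle


class DataOnlyUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup, so only builtin
    containers and scalars (dict, list, str, int, bytes, ...) can load."""

    def find_class(self, module, name):
        # Every class or function named in the stream is resolved here.
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def loads_untrusted(blob: bytes):
    """Deserialize peer-supplied bytes without resolving any globals."""
    return DataOnlyUnpickler(io.BytesIO(blob)).load()


def loads_json(blob: bytes):
    """Alternative wire format for untrusted peers: JSON carries data only."""
    return json.loads(blob.decode("utf-8"))


def check(blob: bytes):
    """Return ("accepted", value) or ("rejected", reason) for one message."""
    try:
        return ("accepted", loads_untrusted(blob))
    except (pickle.UnpicklingError, EOFError) as exc:
        return ("rejected", str(exc))


# Constructed sample messages (hypothetical, not Loopchain's real format).
PLAIN_MSG = pickle.dumps({"height": 12, "tx_hashes": ["aa", "bb"]})
# A pickle that names a global. It is harmless, but it goes through the same
# lookup that a stream from an untrusted party could point at any callable.
GLOBAL_MSG = pickle.dumps(collections.OrderedDict(height=12))
JSON_MSG = json.dumps({"height": 12, "tx_hashes": ["aa", "bb"]}).encode()

if __name__ == "__main__":
    for label, blob in (("plain", PLAIN_MSG), ("global", GLOBAL_MSG)):
        print(label, check(blob))
    print("json", loads_json(JSON_MSG))
```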
What about the DEX? And what’s this DID thing?
Ryu spoke at the Korea Blockchain Game Show in January, introducing
The DEX requires no introduction. “It’s under development,” he says, explaining that they’ve crafted the contract that would allow them to exchange ICX or IRC2 tokens in accordance with the Bancor Protocol.
The DID, meanwhile, provides users with some data sovereignty by breaking with centralized identification systems prone to abuse and security violations. The idea predates blockchain, says Ryu, but blockchain has helped bring it closer to reality. “The reason,” he says, “is that you need to be able to confirm that a DID hasn’t been forged or changed after it has been issued.” ICON’s DID will be based on CHAIN ID, which the network released last year as the world’s first blockchain joint authentication service.