Richard Ma, CEO of Quantstamp, on Blockchain Security, Web3 Audits, and Smart Contracts | Ep. 260

In an exclusive interview with cryptonews.com, Richard Ma, Co-Founder and CEO of Quantstamp, talks about ​​smart contract audits, the most common types of Web3 hacks, and the role security plays in helping Web3 achieve mainstream adoption. 

About Richard Ma

Richard Ma is the Co-Founder and CEO of Quantstamp, a global leader in blockchain security. Quantstamp has performed more than 500 audits and secured over $200 billion in digital asset risk from hackers. Prior to starting Quantstamp, Richard was involved in algorithmic and high-frequency trading as a trading fund manager and senior quantitative strategist, most recently with Tower Research Capital. He founded Quantstamp to improve security auditing after investing in the DAO and experiencing the aftermath of the hack firsthand. Richard graduated with a degree in electrical computer engineering from Cornell University.

Richard Ma gave a wide-ranging exclusive interview, which you can see below, and we are happy for you to use it for publication, provided there is a credit to www.cryptonews.com.

Highlights Of The Interview

• ​​Smart contract audits
• How web3 security has improved over time and the challenges that it still faces to this day
• The role security plays in helping Web3 achieve mainstream adoption
• Chainproof, the world’s first regulated smart contract insurer
• Security as it relates to different types of projects across web3 (Blockchains (L1s and L2s), bridges, wallets, DeFi, NFTs, AI)

Full Transcript Of The Interview

Matt Zahab 
Ladies and gentlemen, welcome back to the Cryptonews Podcast were buzzin as always, I'm super pumped to have a fellow Torontonian on the show today. The one and only Richard Ma, Co-Founder and CEO of Quantstamp, a global leader in blockchain security. Quantstamp has performed more than 500 audits and secured over 200 billion, yes, 200 big billions in digital asset risk from hackers. Prior to starting Quantstamp, Richard was involved in algorithmic and high frequency trading is a trading fund manager and senior Quantstamp, most recently with Tower Research Capital. He founded Quantstamp to improve security auditing after investigating in the DAO and experiencing the aftermath of the hack first hand. Richard graduated with a degree in electrical computer engineering from the one and only Cornell University, Richard, pumped to have you on my friend. How are you? 

Richard Ma 
Yeah, good. I really appreciate you coming on the show, Matt. And yeah, you know, happy to chat. 

Matt Zahab 
Pumped to have you on man. We were talking a little bit before, I was asking you, I'm like, you know, you went to Cornell, not a lot of people from Toronto go to Cornell. You know, we do have some pretty good universities around us. We have the UFTs, the Queens, the Westerns, the McGills, right? The UBCs, and a bunch of all the other ones, of course too. But I was asking you, why you live in Toronto right now of all places? 

Richard Ma 
Yeah, so a lot of our team is actually Canadian. So when I started the company, I started it in San Francisco and in Waterloo, Canada. And so a lot of our team, they went to Waterloo. And, you know, a lot of folks from Waterloo, they tend to drift to Toronto. And so about three years ago, I decided to like, you know, move to Toronto and sort of be with the team here. So, yeah, and it's been great. 

Matt Zahab 
So let's give us the whole background here. Obviously, you are CEO of Quantstamp right now, you guys are doing a heck of a lot, which we will get into, but give us your childhood all the way up to choosing to order Cornell, to discovering blockchain, being a Quant, being an HFT trader. Give me the whole nine yards. 

Richard Ma 
Yeah. So sort of like my own background is that I used to be a high-firmacy trader. I was basically building software, a lot of it was in C++ and it was, you know, handling hundreds of millions of dollars of trades a day. And when I was doing that, if it came like pretty clear that a lot of the financial system, it's kind of like very inaccessible, both in terms of just like the knowledge of how it works and also just like access. And so when I found Ethereum, I was really interested because like you could build something on Ethereum and it could just be available for anyone in the world to use. Like if you build an exchange, for example, if you build like Uniswap, anyone in the world can use that. And that was like very different from my experience on Wall Street where like you had to buy like special servers to put in the data center that talks to the other servers of the exchange. And there was this whole game of basically like, how do you communicate in the most efficient manner with the exchanges to do your trades the fastest? And so basically like when Ethereum came out, I bought some Ether pretty early and in 2016, I put money into the DAO. And it was like the first big project, you know, that a lot of the people in the community supported and about three weeks into that, it was hacked and you know, more than $50 million was hacked. And after the DAO incident, I decided that there definitely needs to be security companies in the space because people are going to be starting new projects and they're not going to know how to like protect these projects because the surface area is so much bigger because everyone in the world can access them. That was the reason I started Quantstamp is basically to help to like protect these new projects. And when we started, we were really fortunate in that there were really no projects when we started. So, you know, now audits are really complicated. You know, there's bridges, there's, you know, L2s, there's lots of different ecosystems like Solana and like Sui. You know, there's lots of different types of DeFi projects. It is really hard for someone to learn about the audit right now. But when we started, you know, people were just launching a few tokens here and there. And so we were able to basically work with sort of the early founders in the space, you know, learn what they were doing. And as people develop new things, we'd like learn how it works. And so over time, that's sort of how Quantstamp grew. It's like, as people built interesting projects, we would find out about them early. We would try to like help them out with like design and security. And eventually a lot of these companies became like billion dollar companies that had a lot of assets. And then, you know, then we sort of became bigger to help with that. 

Matt Zahab 
I love that. It's always nice to see when you are creating a product/service for a solution to a problem, even more so when you experience that problem firsthand. So we love to see that. Before we get into more Quantstamp stuff, I'd love to have you go over a high-level overview of audits and crypto as general. Just like you touched on, there are dozens of different types of audits. What are some of the most common? What are some of the most underrated? What are the most important? What are the biggest pain in the asses on your end of the side? What is the biggest pain in the ass on rather the end clients side of things? Give us the whole TLDR on Web3 audits. 

Richard Ma 
Yeah, the summary of audits is that whenever people make new code, so all these Web3 projects, they have lots of developers, and whenever they make new code, usually for every 100 lines of code, there's some sort of bug. Every time a project wants to launch something new, they usually get an audit. So that's basically what we help with. The most dangerous type of project today is probably around bridges, because bridges are where you take assets from one blockchain and you move it to another one. And a lot, you know, more than 60% of all the value that's been lost in the last couple of years has been from bridges. And so, you know, we've sort of become the experts in that area. But I guess to take a step back, usually when we do an audit, the customer, they are almost done and about to launch some feature or some project. They basically send us all their source code. We have a lot of software in-house that looks for different types of potential vulnerabilities. And then we have a team of PhDs that go through and tries to find adaptive vectors for the project. And so really common adaptive vectors is like, we find some way to basically get around the system and expose the user's funds so that anyone can just take out the funds from the project. Another really common attack vector is that for a lot of projects, there is a financial element to them where you can trade or borrow or lend. And it's possible on the blockchain to borrow $100 million for 12 seconds and then return it. And so a lot of the hackers, what they do is they use this concept of a flash loan, which is that you basically borrow a ton of money for a very short amount of time, like one block, and then return it and do a bunch of stuff in that one block. And that's sort of a really common way that a lot of these projects act, which is that they build some DeFi projects. And their DeFi project, it's built on top of, for example, Curve Finance. So they have some mechanisms and they leverage a liquidity pool from Curve. And so it's possible to basically manipulate prices. And in this very short amount of time, basically take out a bunch of money. And then once the money is taken out and the price is reset, all of a sudden the users are just short a lot of money. And so these are sort of the things we help to catch and basically every week for the last six years, we've been finding lots of bugs like this. And almost every week we have lots of calls with different teams to explain how to fix them. Like sometimes we have to explain how the bug works. And then we help them to explain, hey, like here's how you would fix that and like help change the design. And so that's really like security audits in a nutshell. From doing so many audits, we've gotten a lot of experience in like what types of attacks are possible and like how to fix them. And then mostly behind the scenes, we have calls with the teams that are, that have projects that are managing tens or hundreds of millions of dollars and use our funds. And we basically do these calls to explain like, okay, like this is really serious. You definitely don't like that, you should fix that. Or like a lot of times during holidays, people really like to launch projects right before holidays because these project teams, they have like a deadline, right? So before like Easter or Thanksgiving or the Christmas holidays, they really like to launch projects right before. And so we have a lot of calls with them. They like, hey, don't launch your really important feature between Christmas and New Year's. Like that's gonna, if something goes wrong, like it's gonna be really hard to fix it. And so that's sort of what we do like behind the scenes. 

Matt Zahab 
It's so interesting and on the actual audit side of itself, the process is manual if I did my research correct. Obviously, you guys have done it so many times that you've automated various parts of the analysis and various parts of the workflow and process. But I guess it's really just like anything else in life. You guys just keep showing up, keep getting at bats and keep getting better and better. And you are just more cognizant of what things to look for and the rest sort of takes care of itself.  

Richard Ma 
Yeah, I think that's pretty correct. A lot of times it's because we're like a repeat player. Like, so let's say like, it's the first time you played chess. And the first time you played chess, you have to figure out, okay, like, what the heck do all these pieces do? Like, how do you like try to like win the game? But if he plays chess a lot. You kind of just know, okay, like, well, here's sort of the situation where you're sort of what I'm supposed to do. You don't really like analyze it at the same level anymore. And the fact is that most projects are built by first time founders. And often they might have some engineers that have experienced, but often it's still the first time that team is releasing something that's going to have handle like tens or hundreds of millions of dollars. And so by virtue of just being a repeat player and seeing like whatever well else is doing and the mistakes that they're making, we try to like give good advice to the team so that they don't write the same things. And so often we'll have some intuition. Like often what will happen is that we'll look at the code base for a couple of days and we'll already have a really good idea of like how risky it is. And so we try to tell the teams like based on pattern matching, this is how risky we feel it is. And often, you know, we'll find like a bunch of bugs and say like here are the bugs we already found. And based on that, you should, you know, change your development a little bit so that you're like covering this stuff. That's really the most common thing. The thing that like the public sees is that they see the final audit report. Right. And so in the final audit report, there's issues, you know, often a lot of the issues have been fixed by the team. And so people are sort of reassured by the final audit report. But the thing that they don't see is like the process of getting there. So that's, yeah, that's sort of like, I would say the, how manual it is, is that like at the end of the day, these teams are run by people and they have deadlines, they want to like, you know, be successful in their projects. And that's really the fundamental driver because if they're, you know, if they have a really hard deadline, they're like, okay, like we want to push this out and like get 50 million of TVL before Thanksgiving.  

Matt Zahab 
Puts your guard Down. Yeah, you act abruptly and not analytically. In regards to the the mal actors, the bad actors, the hackers that are taking advantage of the protocols and pools so on and so forth, is it usually a singular gentleman or woman for that matter either or? But like is it one singular person or is it usually a group of bad actors coming together and trying to screw someone? 

Richard Ma 
Yeah, that's a really good question, actually. It's evolved a lot over the years. You know, like early on, it was usually one person. Yeah. And so actually, the identity of the DAO Hacker, that hacked the DAO in 2016, has more or less been revealed. It's most likely actually the founder of a project called TenX. And so it's a singular person that was actually really active in the Slack channel of the DAO. And was asking questions about this issue, and he wasn't really getting good answers, and sort of like, I think took matters into his own hands. You know, that's sort of where it started, where I think it was like, people were getting curious about different exploits. And they were sort of trying to like discuss with others. And often, I think in the beginning, there was really no way to get paid a bounty for having to find it. Because it's really hard to negotiate a buck bounty with a project, even when there's a bunch of money at risk. You know, there's the case with the DAO, and also early on, there was a case with a parody wallet, where actually a developer found a bug, and he didn't really know, so he just tested it, and he like broke the wallet, and basically $300 million was like, stuck forever. And still it's stuck there. And now it's worth more. Now it's like, it's still there. Now, I think now it's worth more than a billion dollars. It's just been stuck there because of this self-destruct function in the parody wallet. So that's really like where it started. Over time, you know, there's been a lot of hackers that have been trapped Down. And a trend is that they've become teams. So there's like, in the most recent hack that happened last month with Curve, a bunch of the people, they were still solo hackers, but there was two new groups of people. One of them were actually people that were running Mathbots, which are like, they're doing sort of like, hypo-miscellaneous training on the blockchain, and they're basically searching for profitable opportunities and front running the actual hackers. And this happened in the Curve case, where like an actual hacker figured out the exploit, and then they sent it to the blockchain. And this front runner, which is like, they actually don't really know what the heck the exploit is. They just like copied the transaction and basically performed the hack instead of the actual hacker. And so the actual hacker didn't really get any money from that. And this robots got the money. And so this is like a new group of people that's like, not really a team. Like they're kind of like, normally they're doing arbitrage, but they can detect these things. And then the other group that's really immersed over the last couple of years is Lazarus Group, which is the hacking arm of North Korea. And now like, you know, a lot of the major hacks in DeFi and in Bridges, they've all been tracked back to the Lazarus Group. And so that's like a really organized, extremely sophisticated group. 

Matt Zahab 
You said North Korea. 

Richard Ma 
Yeah, so it's been verified to be North Korea. The thing that made it really easy to verify was that the way after they steal the money, they actually, they just combined the wallets. They don't really care about covering their tracks in terms of people finding out that it's Lazarus Group. So they'll like combine funds from multiple hacks together. And then they'll just try to like do it really quick and launder as quickly as possible, sort of like this like kind of run tactic. That's really the most sophisticated like after that we've seen now, which is like, you know, we have, you know, a nation state with like probably a pretty huge team that acts not only smart contracts, they also, you know, they'll like have websites. They'll do like social engineering. So they'll like pretend to be someone on the team. They also, there's been attempts where they actually interview and become a developer on the DeFi team and then get insider information from passing the interview. Because in Web3, it's people are like really used to working remotely. And so there's been cases where these hackers, they've like passed the job interview because you know, a lot of times if the person can do the job and they can do it really good, then Web3 company is hard work. 

Matt Zahab 
You don't need to see the face. You don't need to get on the phone call. It's like, do they ship good code? Do they do it quickly? Are they a decent person online? Yes. Yeah, it's a darn good point. That's pretty. 

Richard Ma 
If they do a good job, they do it quickly. They could be interviewing one person, but maybe they actually have a couple guys doing the work. And so that's sort of like this arms race that has happened over time. Like when we started the company, it was kind of really easy. And I didn't feel like the difficulty level has been going up every single year because of this. But luckily, now like Quantstamp is a billion dollar company. We have been building lots of internal resources to handle all these things, like helping exchanges with their operational security, like tracking hacks live to make sure we can save some funds. But yeah, the landscape has really broadened in terms of the types of hackers that are out there. 

Matt Zahab 
Yeah, that's absolutely crazy. Richard, we got to take a quick second and give a huge shout out to our sponsor of the show that is PrimeXBT. When we get back, we're going to keep doing our deep dive into audits and talk about some of the work that Richard and his team have done with Ethereum, Arb, and many more. Until then, huge shout out to PrimeXBT, long time sponsors and friends of the cryptonews.com podcast. PrimeXBT offers a robust trading system for both beginners and professional traders. It doesn't matter if you're a rookie or a vet, you can easily design and customize your layouts and widgets to best fit your trading style. PrimeXBT is also running an exclusive promotion for listeners of the Cryptonews Podcast. After making your first deposit, 50% of that first deposit will be credited to your account. Again, the promo code is CRYPTONEWS50. That's CRYPTONEWS50. All in words, to receive 50% of your deposit credited to your trading account. CRYPTONEWS50, all in word, CRYPTONEWS50 now back to the show with Richard. Richard, you got to give me some actual, I mean, I don't know how much you can tell me. I'm sure you're probably, you know, NDA'd up at the yin-yang. But what kind of work have you guys done for ETH 2.0, MakerDAO, Compound, Lito, Polygon, Arb, Sandbox? You've worked with almost everyone. Do you have any crazy stories about finding a huge bug or finding a black hole, finding anything negative where you absolutely save their asses? What do you got for us? 

Richard Ma 
Yeah, so we actually helped to audit ETH 2.0. So we audited two of the major clients for ETH 2.0, which was like Prismatic and Teachoo. And that's all like sort of public. And so for those, we found, I think for Teachoo, we found maybe like 40 bucks for Prismatic. I think we found more than 50. The major learnings we had from that was that like it is really hard to develop a good client. And you know, props to like the team that made ETH 2.0 happen. Because I think for those teams, it felt like it was almost like their life's work to do that. Like they were really passionate about it. There's so many different ways to attack these clients. Like one of my like learnings that I keep having is that I think like on Twitter or like in the news, it's actually like fairly easy to have a good reputation. Like people start to trust this company pretty easily, actually. And often what we see is that there's a big discrepancy between like how much social capital the company has on Twitter and or in the news and the actual quality of their engineering and like how risky it is. And the thing I found is that I often like in like working in web3 security to being like inside of the sausage factory where the sausage is made. Like if you like see how the sausage is made, it makes it so hard to eat the sausage. Yeah, and so I've been living inside of the Sausage Factory for more than six years. And I've sort of gotten used to the Sausage Factory and the fact that it is just a fact that most projects are a lot more risky than they seem if you only look at the marketing or the influencers talking about them. And there's often a lot of inner rifts with them. And when we point out the inner rifts, the good teams, they tend to discuss with us how to fix these things. And often the teams that end up having issues, they don't really want to acknowledge all these inner rifts. You know, we're like, well, one really common risk is that one single person or two or three people have access to basically all of the funds. And there's a case I can talk about because it like recently happened. And it's like totally public, which is for multi-chain, which is this bridge that has been around for like three years now. It used to be called Anyswap and then they rebranded it to multi-chain. And recently it became clear that like a single person on their team who was the CEO had the only copy of the keys to the bridge and also to all their production environment. And it became clear because the person lived in Trida and they were arrested by the police. And so after they were arrested by the police, all of a sudden like the bridge stopped working and people were like really confused because it's supposed to be a decentralized bridge. And then as there was like more news that came out about the arrest, the remaining multi-chain team, they were basically figuring out what to do. And so they went to the founders like how's to try to see if they can get the keys. They couldn't log in. And then eventually what happened was that they had to shut the project down. And this was announced, I think like three weeks ago where they just publicly said on Twitter, like literally they couldn't access any keys for the bridge. They didn't have control of the assets. They actually didn't even have control of their website, like the domain for the website. So they could, so they like somehow their website got hacked and they couldn't get control of that. And so that's something that we bring up like all the time because when project launched, they say that they're decentralized and then when we look at it, it's really not like if the one guy and you know just like get hit by a bus, a lot of issue happens. I think just like as human beings, we always think like, okay, like we're gonna live forever. And he's like, we're gonna live for another for a long time, like another 50 years. And so especially like when these projects launch, they have so much external pressures, right? Like they don't really want to tell everyone how risky it is. You know, no one's incentivized to say how risky it is. And so I think like that's something to keep in mind for the listeners. It's like when you use a project, like look for some of the yellow flags where like I often see this where people at the Discord, they're like talking about how centralized something is and then Discord at home was sort of like threatened to use the bear hammer happens pretty often. Or it's like the token holders of the project, they're not really incentivized to have fun. And so when someone brings up like the legitimate issue, it sometimes can get conflated with other people that are actually causing, you know, fud for the project. So yeah, that's sort of what I see like from, you know, my seat inside the Sausage Factory where there are a lot of good teams that are like really idealistic, that are trying to build something good. And there's also teams that are like under a lot of pressure to release something, especially in the bear market. And so, you know, I think for users, always like be careful, like more projects that have been around for longer or way safer, because they've had the test of time. For new projects, you know, don't put all your money in. That's like, I just basically never do that anymore. Like, because from seeing so many of these cases happen. Hope that helps. 

Matt Zahab 
No, well said. That was huge. Richard, another thing I'd love to jump into is you guys working with Web2 companies, right? You have worked with Visa, Toyota, Siemens. What exactly did you do with those guys? 

Richard Ma 
Yeah, you know, for a lot of these like Web2 companies, they have teams inside that have been building in blockchain for like more than three years. And so for the big, like for the big companies, they have these teams that are like building a prototype. For example, for Toyota, they were trying to look at how they can do some of their parts tracking with blockchain. You know, like when you have a Toyota car, often people will buy like sort of a non official Toyota parts to put in the car. And so they wanted a way to like basically track the official parts, it's pretty cool. They incentivized people to use the official Toyota dealership. Cause if you use the official Toyota dealership, then the car companies make a lot of money from the aftermarket servicing of the cars. In fact, they don't really make much money selling the cars. A lot of it is more from the servicing. And so that's like something, you know, they were really interested in. For Siemens, the project never fully released. So I can't really talk about that one. For Visa, there's a lot that's been used recently for Visa because now they've gone pretty public with it. And so they, you know, they have a really active blockchain team. You know, they have like really good engineers. And so when we worked on those projects, it's always a lot easier actually, because there's, you know, there's existing security teams like at Visa or like at PayPal, they're like a lot slower in terms of how they're launching it. So there's, you know, time for like a lot of review and back to the board. For PayPal also recently, they launched a stable coin project called PIUSD, which is I think built on top of Paxos, like the financial infrastructure of Paxos. And so we, you know, we did the audit for PayPal for the predecessors of that stable coin project that they launched now. I think it could eventually be a significant competitor to USDC. I think USDT is kind of in a different category of being like a really OG project that a lot of people trust and like. But I think USDC and PayPal, they sort of operate with a similar model where it could be like a significant competitor. For Closetam, most of our customers are Web3 customers, but we also, you know, we do like really big offense for cryptocurrency exchangers when they have some important event coming up. And then there's always these like Web2 companies that are trying to like build something and get it to have traction. And so it's actually really easy to apply the knowledge to that because the Web2 companies are generally building things that are easier, like less complicated than the DeFi community. And so it's, yeah. 

Matt Zahab 
Very well said there. Richard, we are getting a little tight for time here, my friend, a couple more things, and then we'll wrap up. The last thing that I would absolutely love to discuss, before we get into some hot takes and some fun stuff, is Chainproof, the world's first regulated smart contract insurer. And it is reinsured by Munich RE, aka the world's largest re-insurer, and Chainproof offers both smart contract insurance and slashing insurance. So start off, tell us exactly what Chainproof is, and segue into that what exactly is slashing insurance as well. 

Richard Ma 
Yeah, so Chainproof is basically one of the world's first companies that offer insurance for Web3. The really common thing that we've seen from our customers over the last three years is that when they log to projects and they want to get more institutional money, they can't because the larger institutional money wants some more guarantees that if the project gets hacked, there's some recourse. They can get refunds. In the normal financial system, if you put money into, I don't know, like a credit card company, it's very rare that you can lose your money. And in Web3, it's pretty common from hacks. So basically, we decided to start this company because the existing insurance companies, they didn't really want to touch Web3. So at first, when our customers asked for recommendations for insurance companies, we tried to go around to all the existing insurance companies and none of them really wanted to provide insurance for these like new DeFi projects or bridges. So then we said, okay, like why don't we just start our own? And so we basically fundraised for it. We managed to get reinsurance, which is extremely difficult hurdle, which is that once we write the insurance, like there's a much larger entity that can basically take some of the risk. And so that's Chainproof in a nutshell. We've been providing insurance for like DeFi projects like Compound and Aave. And once Ethereum 2.0 came out, then there was a lot of money in stake Ether, like billions and billions of dollars in stake Ether. And so the providers of these services for stake Ether, they have risks like slashing and also just taps. And so we started to provide those types of insurance. Slashing is basically where when they're running the validator, they do something wrong or like their server goes offline. And so they can lose money from that. Obviously, like the institutional investors that are putting money to stake Ether, they don't want to like randomly lose money if a server went down. And so the insurance covers that. 

Matt Zahab 
Totally makes sense. Richard, what a treat. Really appreciate you coming on, man. Learned an absolute ton and definitely have some homework to do. Good God. Before you go, can you please let our listeners know where they can find you and Quantstamp online and on socials? 

Richard Ma 
Yeah, so you can find me, you know, I'm just basically using the Quantstamp Twitter, so it's at quantstamp.com @Quantstamp on Twitter. Every month we release a monthly hacks roundup where we go, you know, we have a really nice engineer that explains how all the hacks happen. We kind of try to do it for people that don't know a lot about security. They can also follow us. And yeah, really appreciate coming to the show Matt. 

Matt Zahab 
Thank you. Last thing we didn't discuss, blockchain futurist. You and I were just there. How was it? How did you, what did you think of the conference? I loved it. I thought it was lovely. You guys had a booth. You guys presented. What did you think? 

Richard Ma 
Yeah, I loved it. Like it's clear that we're in the early bull market. That's sort of the pattern matching I have. I think it was really high signal or a lot of good folks there. The thing I liked the most was the poker game. There was like a side poker game that happened at futurists and really good crowd for that. 

Matt Zahab 
Did you go? How'd you do? 

Richard Ma 
Yeah, it did pretty good. We also, like, one of our customers Parallel, which is an NFT game, they had a big launch there. So they had, you know, their first LAN party and it was like, amazing. So yeah, it was pretty cool to see, like, sort of the Toronto Canadian blockchain scene, you know, being reactive. 

Matt Zahab 
Yeah, I agree. Richard, what a treat, man. Appreciate your time. This was a blast. Excited to catch up in person and very excited for round two. Thanks for coming on. 

Richard Ma 
Awesome. Thanks, Matt. 

Matt Zahab 
Folks, what an episode with Richard Ma, Co-Founder and CEO of Quantstamp, the global leader in blockchain security. If you guys enjoyed this one and I hope you did, please do subscribe. That would mean the world to my team and I, speaking with the team. Love you guys so much. Thank you for everything. You guys are the GOATs. Justas, my amazing sound editor. Appreciate you as always, my man. And back to the listeners. Love you guys. Keep on growing those bags and keep on staying healthy, wealthy and happy. Bye for now. And we'll talk soon. Ciao.