💻

Aaron Li

Hours

15

Expertise

security, smart contract, wallet

Mentor
Ganesha Upadhyaya
Day ONE
May 1, 2021
End Date
May 31, 2022
Presence
Active
Telegram


Bio

Aaron built Qokka (crypto sentiment and analytics startup), 1wallet (a keyless smart wallet based on OTP), and is the technical mind behind multiple ambitious crypto projects where he oversees technical development and solves "impossible" problems. Previously, Aaron worked as a research engineer at Google AI and Scaled Inference, and is a recipient of Best Paper Award from ACM SIGKDD 2014 for his research in AI. Aaron has a research MSc in Language Technologies at Carnegie Mellon University, and a BSc with first class honors at Australian National University with quadruple majors in Computer Science, Computer Science, Mathematics, and Statistics. Aaron lived and studied in Beijing (China), New Zealand, Australia, Pittsburgh (USA), before moving to San Francisco Bay Area in California. He was attracted by the genius of Bitcoin in its early days, built several GPU mining clusters and intermittently dabbled in crypto since then. In his free time, he enjoys exploring innovations across law, AI, and crypto.

Links

👛Aaron Li: 1Wallet with Smart One-Time-Password Authentication

🍠Aaron Li: 1Wallet & Social NFT

Timesheet

Timesheet & Peer Bonus (with giv.one)

Date | Hours | Tags | Feedback
1

Review strategies, polls, comments, do research and make votes

0.5

Sync on recovery address and guardian matters with Timeless

2.5

More granular stats histogram; Repeated runs for stats retrieval and verifications; Fix a bug with blank staking page caused by scientific representation of javascript numbers; Save output for stats histogram; Review suggested fix on tracked tokens (#314)

0.5

Include staked balance for stats histogram; Update key stats numbers

2

Backup APIs and verifyByEmail for users

3

Initial review and request for information on Horizon Bridge launch; Research on backup approaches and GCS implementations; Review on Timeless source code pull request related to loading EOTP in memory; Review Timeless proposed security diagram; Provide feedback and guidance on deficiencies and potential areas of improvements

1

(Continued) and research on best GCS approaches for backup services 

3

Review of Harmony offsite initiatives; Research, summary, and written plan for Security, Monitoring, Alert initiative

0.5

(Continued)

2

Debugging stats generator; Fix stats issues related to factory deployed address; Identify root cause of zero-balance issues; Address deduplication

4.5

(Continued) and deploy stats in production relayer; add api for stats in relayer; update client side stats retrieval and caching; More address and balance deduplication

1

Stats histogram script and improvements; Granular stats counter including overall counter and balance and those related to Timeless

1

(Continued)

2

(Continued)

2

Fix stats bugs with balance update and address caching; add scripts to refresh all balance

2

Resolve merge conflict; Debugging with zero balance issues; Sync with John; Factory deployed transaction extraction and address computation

1

Review v2 routes and components (#310)

1

Review stats generator first draft (#312); Revise and debugging stats generator, simplify implementation, and significantly optimize the performance; Research on fast statistics retrieval and computation methods

1

(Continued)

2

(Continued)

3.5

(Continued) and updating testing README; review dynamic custom theming (#301); Review recovery issue (#309)

1.5

Fix recovery issues (#309); v2ui review (#304)

1

Review and revise v2 routes and components (#310)

0.5

Response team briefing

1

Sync with John on testing, statistics generator, and web3 integration

4

Debug and fix set-recovery-address and general operation issue; Fix major cause of failures in relayer (upgrading from old versions); Sync with Brayden Ooi (prospective frontend development)

2

Review, debugging and fixing of various issues with innerCore testing and adjustment of time in testing (#298)

5.5

(Continued) and various implementations for minimizing of user frictions

4

(Continued) and extending signup to components where new verification code is set up; 

5

Experiment with OS-managed verification code; Backend for user signup; Data validation; Autofill OTP in all pages wherever applicable

2

Security AMA (Twitter Space)

1

Security Reddit AMA and Medium blog review 

2

Research and experiments with OS-managed verification code

5

(Continued) and fix buggy implementation of BATCH operation in contract; Feature request for staked-transfer; RPC Log review for theft investigation

1

Debugging and sync on InnerCore related tests

1

Security AMA written responses

4

v16 release notes and detailed updates and notes on several issues pertaining to v16; Require recovery address before upgrading; Integration with Transak USD gateway and Apple Pay; Security AMA preparation; USDC theft investigation

0.5

Sync with John

2

Fingerprint IP tracing manual review for theft investigation; Fix v2ui wallet header; Review new UI theming #299;

1.5

(Continued) Fix and simplify tests pertaining to upgrade, innerCore, security, and spending limit; Simplify test utilities

2.5

(Continued)

0.5

Review Timeless Proposal

0.5

Response team briefing

5

Review, debug, and fix Create component refactoring (#292)

10

Relayer analytics ElasticSearch setup, schema, persistence implementation, data capturing, fingerprint (user agent and IP) capturing, request parsing, debugging and testing; Fix Relayer early abort errors; Sync with John

3

(Continued) ElasticSearch setup and persistence; Add more QR code supported formats (#233)

2

Prompt warning about sending funds to exchanges; README update

0.5

Review Timeless NFT avatar proposals and provide feedback

3.5

Debugging panic issue of private RPC node; Experiment and tests with private RPC nodes in production and confirmation of working node

5

Relayer analytics API and private RPC health check API

1.5

(Continued)

1

(Continued)

2

(Continued) and experiments with GCP network SSD, local NVME SSD and mergefs

3

(Continued) conclusion of the experiments and confirmed final, stable RPC node / validator setup

4

Debug and fix an ambiguous method call in relayer that is present for older versions; Review and fix a bug with invoking contract call in web client (causing multisig authorization issue #291)

4

(Continued) Compile script bug fixes, debugging cross-compile and dependency issues, and others; Setup validator

2

Debugging and profiling RPC and validator node data sync issues

1.5

(Continued)

3.5

Harmony core / RPC node I/O issue debugging and experiments; Sync with John on testing

3

(Continued)

0.5

Response team briefing

0.5

Sync with John

1.5

Assist Timeless in meeting regarding NFT and its external partner; Sync with Timeless

4

(Continued) RPC node and validator setup and debugging; Produce more messages in relayer

0.5

Sync with John

1

Relayer stability improvement

4

RPC node custom compiling, setup, data sync, and debugging

1

Debugging relayer issues; Manual restart and inspections; Sync with Timeless on RPC issue

1.5

Sync with Timeless

0.5

Response and investigation into Timeless inquiries related to RPC issues

0.5

Response team briefing

0.5

Upgrade failure issue debugging

0.5

Letter of Acknowledgement review and suggestions

0.5

Response to Timeless inquiries related to domain registration and pricing mechanisms

1

Continued Token Testing review (#274)

1

Continued Token Testing review (#274)

1

Recent major theft incident tracing, analysis, and TODO suggestions

0.5

Sync with John

2

Review of LittleSnitch safety and feasibility of using VPN to restrict network connections for major asset transactions

1

Response to Timeless inquiry of issues related to an NFT contract and review the contract

1

Token Testing review (#274)

0.5

Further review and response to Timeless NFT contract

1

Continued Token Testing review (#274)

3

(Continued) Final review and testing of v16. Release v16; Release testing and documentation of issues (#287)

1

Provide opinion and analysis to FBI follow-up questions

0.5

Response team briefing

0.5

Response and investigation to Timeless inquiry regarding wallet creation slowness on Android

0.5

Sync with Timeless on RPC issues and solutions

4

Simplify tests, fix issues and implementation errors; Validate all tests

2

Review of Ogre theft incident report; Dispatch report to FBI and provide comments

4

Further bug fixes and simplification of tests; Fix testing framework README and documentations (#273, #274, #282, #283, #279)

3

(Continued)

3

(Continued) and fixing red packet, upgrade core library for intelligently flow with commands, fix issues with core flow

5.5

(Continued) and debug, testing, live testing in production of key features related to command; Validate security patch and implications

1

Merge conflict resolution with testing branch; Validate and review tests and test framework

7

Ogre theft incident investigative report (report #4)

1

Use command library wherever applicable; Unify commit-reveal

2.5

(Continued) Implement command library in core flow

4.5

Security issue (#276); Event parsing library issue (#277); Command library issue (#278); Verifying Reliable Relayer (#259); Security Vulnerability (#253); Testing (#279); Test Framework (#282); Test Coverage (#283) Self-hosted RPC nodes (#281); Deliverable documentation and organization

1

Response team briefing

6

Command library design, implementation, debugging

1

Manual querying and analysis of all possible DFK contract addresses for theft investigation

2

Sync with John on testing; Fix two security issues (#275)

5

Continued research and design on proxy mechanisms and same-address upgrade (#189)

1.5

Debug and fix issues with command; Add command tests; Finalize security patch #275

2

Relayer overall error handling improvements; Better handling of cases when a contract is already deployed 

5

Continued research and design on proxy mechanisms and same-address upgrade (#189)

2

Ogre theft incident investigation (establishing theft amounts and events)

1

Local testing and debugging, and documenting solution to Safari HTTPS issue

1

Sync with Tao on various PRs (WalletConnect, TransactionViewer, hotfixes) and frontend development issues

0.5

Response team briefing

2.5

Research and design on proxy mechanisms and same-address upgrade (#189)

2.5

(Continued)

3

(Continued) review and next steps for (#251)

2

Review and detailed feedback on Testing (#263)

1

Sync with John and resolve key testing development issues

1

Ogre theft incident investigation

2

(Continued)

4

More powerful and consistent log parser; Add message template and amount formatting capability in event library; Transaction viewer rendering fixes and use event library; Fix issues with parsing external payments; Update TODO; 

2

(Continued)

4

Review staking (#268) and detailed feedback on testing (#263)

1

Review of theft incidents related to Ogre and others

1

Transaction viewer: review, feedback, and planning (#251); Merge conflict resolution; new APIs for RPC methods 

4

Transaction viewer fixes, transaction log parser fixes, support multiple events per transaction, fix staking events; Show commit transactions; Fix display pagination errors; Zero-day vulnerability research and its relation to theft incidents

1

MetaMask Security Protocol Review

0.5

Response team briefing

1

Sync with John

0.5

Sync with Timeless regarding NFT and MADNFT

1

Review and debug testing issues (John)

2.5

Review of Timeless response to security issues; Review Timeless Merkle Tree creation implementation; Experimenting and debugging with different collect reward reveal implementations

0.5

Condensed Q1 assessment

1

Sync with Tao and discuss next steps of developments

0.5

Sync with cylim on next frontend developments

2.5

Transaction viewer (#251) review and cleanup

4

(Continued) Unstake functionalities, debugging, testing

1

Collect reward page for staking; Common components; Fix bugs related to collect reward; Simplify utility functions; Compute funds available for redelegation

5

(Continued)

1

(Continued)

1.5

2022 Q1 Summary and Assessment

0.5

Response team briefing

4

Simplify reveal calls; Remove dependency to Harmony JS SDK and providers; Fix provider setup for resolver contracts; Fix bugs related to operation code; Fix Enums.OperationType.UNTRACK executor logic; Event hash script update and new events related to staking; Working version of Staking from UI; Use websocket for truffle executions

3

Staking api and its own rpc base; Improved staking UI, Stake table and reward display; Integration into main UI; Review Timeless custom implementation of Red Packet

0.5

Theft investigation suspect finding review

0.5

Follow-up meeting from Protego (Project X)

1

Sync with Timeless regarding upgrade and tokens

4

Staking client-side implementations, contract improvement, and debugging

4

Relayer, deployment, scripts updates related to Staking; Sync with John; Sync with Timeless

1

Theft Incident Analysis, Continued

1

Relayer debugging, and retry and gas fees patch for more robustness 

1

Theft Incident Analysis, Continued

1

Sync with John

1

Staking functionalities in contract

0.5

(Continued)

2.5

Theft Incident Analysis

2

Chrome Extension Build and Review; Follow-up from Erfan (Project X, NFT anti-scam project)

0.5

Response team briefing

4.5

Theft Incident Analysis, Continued; Sync with John (5pm)

5.5

(Continued)

3

Probabilistic self-recovering multi-account relayer implementation, experimentation, deployments

4

(Continued) and review, merge #265

2

Timeless initial source code review and initial security issue analysis

0.5

Meeting with code4rena (crowdsourced audit)

3

Testing PR review and feedback (#263); Chrome Extension hash review and debugging

1.5

Debugging, testing, and confirming Chrome Extension Build 1.2.7; Theft amount review

1

Relayer debugging; Manual resets and devops scripts; Experimenting with local setups and various RPCs

4

Theft incident cause analysis; Contract staking implementation review; Adding staking contract; Remove cached Truffle artifacts; Relayer issue analysis and feedback

1

Recent theft incidents review and follow-up

2.5

Experimentation with Ganache CLI setup and migration from UI version; README for env setup

4

(Continued) and produce findings and next steps; Remove Harmony provider and use of JS SDK

1

Chrome Extension building, review, and debugging

1.5

Further experimentation and deployment of using websocket providers; Review and merge #261

0.5

Chrome Extension further testing and debugging

1

Relayer and RPC debugging and experimenting

4

Relayer use managed nonce and overall improvements

3

Analysis of relayer logs and interactions between relayer and Harmony transaction pool

1

Chrome Extension building, build error fixes, and hash difference investigation; Celo incident research

0.5

Sync with John

1

Next generation UI review and planning (#260)

1

Relayer error analysis and debugging

2.5

Analysis and feedback on Shashank's Security Review Analysis

1

Sync with Shashank; Review of minor implementation flaw identified

1.5

Debug and fix constant variable references; Response team briefing; 

1

Sync with SilentAuth

5

Chrome Extension review, building and end-to-end testing; Relayer monitoring; Review and feedback on transaction viewer (#251) and truffle-removal changes (#240) and fix errors; Domain update functionalities Q&A

1

RPC reliability investigation and analysis; Sync with Timeless

0.5

Response team briefing

1

Briefing with John

2

Code review and testing of extension wallet patch #124

1.5

1wallet core / web edition planning and work organization for March

1

Response team briefing and discussion on next steps

1.5

(Continued)

0.5

Evaluation of Numisme (Project X) and discussions

1

Joint evaluation on Project X prospect "FDIC for Wallet"

0.5

Theft amount verification and correction

1

Response team briefing; Review of Quoc's extension wallet final report

0.5

Sync with Timeless: roadmap, planning, NFT, campaigns, adoption strategies, technology discussions

0.5

Initial engagement with mycryptomine on 1wallet integration and feasibility evaluation

1

Joint evaluation on Project X prospect Panther Protocol

1

Preliminary evaluation on POQ (Project X) and its legal materials (SEC letter, conclusion and patent)

0.5

Term finalization meeting with C14; Scheduling with remaining Project X prospects; Term finalization with Protego

1.5

Preparation and joint evaluation of Project X prospect Cedar

0.5

Project X decision meeting and sync up

3.5

Research and analysis on Panther Protocol (for Project X)

2

(Continued)

1

Silent Auth detailed proposal additional feedback and questions

1

Diligence meeting with Deepwaters

0.5

Statement of Work clarification meeting with Coalfire 

1.5

Preparation and semi-joint evaluation of Project X prospect Shift

2.5

Diligence meeting with Project X investee C14; Research and diligence on C14 thesis

1

Research and technical diligence on Project X investee Deepwaters

1.5

Joint evaluation of Project X prospect HOPR

2

Research and independent evaluation on MetaLoop; Sourcing Project X leads; Analysis on Webacy

1.5

Joint evaluation of HexaTorch

1

Research and offline evaluation on Project X prospect Cytus

1.5

Preparation and joint evaluation of Project X prospect Protego

1.5

Joint evaluation of Project X prospect Deepwaters

1.5

Project X deal sourcing (Xoogler meetup #2)

0.5

Evaluation of Project X leads

1.5

Joint evaluation of Project X prospect Gryphon; 1wallet design sync with Darren

1

Joint evaluation of Project X prospect C14

1

Sync with FBI (with Merkle Science)

1

Project X deal sourcing (Xoogler meetup)

1

Evaluation of Project X prospect DSCAPE, meeting, and internal discussion

1

Sync with Merkle Science on Tornado Cash findings

0.5

Response team briefing

1

Evaluation of Project X leads (Xoogler Demo Day projects)

0.5

Evaluation of Project X leads

0.5

Sync with private investigator regarding suspect

0.5

Response team briefing

1.5

Sync with Timeless; Adjustment of 1wallet v14 RPC endpoint; Performance tests and analysis

0.5

Revisiting zero-day and UAE vulnerability; Internal discussions; Victim password strength review and analysis

0.5

Response team briefing

1.5

Response team briefing; Investigation on new victim (GU); Emergency response

1

Malware analysis and risk review

1

Silent Auth proposal evaluation and feedback

1

Onboarding Michael M and discussions

1

Anchain finding presentation and discussions

0.5

Malware investigation

1

Theft case investigation (lead from Binance related activities)

0.5

Response team briefing

1.5

Finalization of "Use Ethereum NFT on Harmony as Avatar"

1

Sync with Coalfire

1.5

(Continued)

1.5

Review and experimentation of Matthew's vulnerability report #1

0.5

Revision on "Use Ethereum NFT on Harmony as Avatar"

1

Receiving updates from AnChain and discussions of issues and next steps

2.5

1wallet, project document: Use Ethereum NFT on Harmony as Avatar

0.5

Response team briefing

0.5

3

New victim browser history analysis (BL, DD) and manual inspection of all common sites

1.5

Investigation and analysis of reported suspicious Ethereum transaction and contract address that invokes Harmony bridge

0.5

Initial engagement with Merkle Science

0.5

Research and feasibility study on amount-matching based Tornado Cash tracing techniques and past success stories

1.5

Extension production deployment and hash-verification step-by-step guide; Quick analysis of new victim / incident

1

New hackathon victim interview, analysis, and recommendation; 1wallet - engagement with Meson team (cross-chain stablecoin bridge integration)

0.5

Victim interview and Q&A call (DD)

0.5

Response team briefing

1

Sync with Silent Auth

0.5

Response team briefing

0.5

Coalfire initial engagement and scope discussion

0.5

Onboarding Matthew for extension wallet vulnerability investigation

1

Reproduction and verification of Quoc's extension build; Review of private investigator preliminary report

0.5

Victim interview and Q&A call (BL)

0.5

Response team briefing

0.5

Response team briefing

0.5

Discussion Matthew for extension wallet code analysis

0.5

Experimentation with XSS vulnerabilities in Vue; NDA with SecureLayer7 / Cure53

0.5

Analysis of new victim profiles and priorities (unassigned code names)

0.5

VueJS injection vulnerability experimentation

0.5

Private investigator initial briefing and preliminary assignment of work

0.5

Response team briefing

3

Report #3 on theft incidents (New Victims, Perpetrator Tracing, Previous Victims, Suspect, Backend Server Log, Frontend Fingerprints, Total Economical Damage); Analysis of linkage between attacks on multiple victims 

1

Response team briefing

0.5

Sync with Sukanta and internal discussions

0.25

Secureworks second and final engagement (not to proceed)

1.5

Engagement with red teams and security firms; Review of all victim and perpetrator addresses, blacklisting states, and movements of funds

0.25

Secureworks initial engagement

0.5

Response team briefing

1

MyContainer incident review, analysis, and discussion

1.5

Engagement with private investigators and preliminary exchange of information

1

Chrome extension wallet PR 117 review and testing; Sync with Quoc

1

Sync with Anchain; Response team briefing

1

Response team internal discussions and planning

3

(Continued) Merged and launched v15; fix 6x6 restore failure after a wallet is upgraded and renewed from v14; Full release notes;

2

Deploying v14 and v15 relayers, setting endpoints and system services; Monitor network stability and debug related issues

4

Response team briefing; Victim counselling procedure consultation (MN); Further investigation into fingerprints and transaction patterns, based on new data collected from new victims;

0.5

SecureLayer7 / Cure53 engagement and initial briefing; Internal discussions; 

6

(Continued) check whether wallet hasSuperOTP; Fix issues with upgrade to v15 wallet; clear otp input only when it is nonempty; Restrict non-v15 wallets from adjusting limits; Blacklist some recovery addresses and make 1wallet DAO their recovery address during upgrade; keep react component loaded during restore to ensure wallet parameters are properly passed; Ensure worker parameter has seed; move debug message to debug mode only; Add innerRoots check on localExport; Add fallback params in Upgrade; Use api.harmony.one RPC by default; improve messages related to emitted events; fix metamask tool; remove Chrome extension wallet from readme; Improve renewal messaging; Fix an issue which may cause multiple workers to be created; 

1

Chrome extension wallet incident response: new victim profile (MN), investigation, internal discussions; Emergency responses; Tornado Cash tracing and matching patterns against known hackers and victims

9

(Continued); 1wallet: Fix some issues which may cause renewal to malfunction or incorrectly make wallet "expired". Fix worker spamming logs; More granular messages and instructions when user accesses functionalities that require renewed / upgraded wallets; Make upgrade box promptable; Fix a bug in renewal which causes the process to stall; Fix a bug on renewal in which old core parameters are used, in lieu of new ones; Implement early termination to enable much more efficient calls to deriveSuperOTP; Fix zero-valued effectiveTime in renewal

4

abortion mechanism in event message; Core lib: EOTPDerivation; core util: genOTPStr (for efficient debugging when multiple OTPs are required); Add more verbose logging to relayer; use EOTPDerivation in relevant functions; Revamp spending limit prompts and checking mechanisms; fix bug in remaining limit display in balance page; Fix renew-now link

1

better organized renew page

6

fix truffle distinction between dev and ganache; core lib: add sanity check of parameters to makeCore; CoreDisplaced and CoreDisplacementFailed error handling; use oldInfo's (i.e. previous security parameters / OTP roots on contract) effectiveTime on deriveSuperEOTP; More structured frontend infrastructure utils (useSuperOps, useOpsBase); Fully functional renewal for v15

2.5

AnChain sync; Response team briefing; Sync with Quoc; Analysis of possible scammer/imposter and linkage of hacks

6

1wallet: core flow util: deriveSuperOTP; use deriveSuperOTP in RestoreByCodes; fully functional spend limit adjustment component; 

1

Response team briefing; New victim analysis and next step recommendations (MC); Formulation of special process for large accounts at risk; Internal discussions

0.5

(Continued) Interview with owners of large accounts at risk

3.5

Review and debug 1wallet #228 (bundle size reduction), #241 (hotfix of missing styles); Fix bug in core processing util (missing array initialization); Increase timeout in response to RPC instability; Utilities for intelligently producing wallet name hints and make use in every place where names are referred; Create wallet component shared functions regarding before/after commit and preparing proofs; Rearrange balance and spend limit components; Spend limit adjustment components; 

6.5

(Continued)

0.5

Response team briefing

Cultural Self Assessment

Cultural Values
Self Assessment + Personal Story
Empathy
Communicative
conversation turn taking
Rate 1 - 10 with 10 being the best
disconfirm own beliefs
self-aware & articulate
Personal
share a drink
spend 10 hours daily together
nurture & mentor
Collaborative
make everyone shine
people over process
dare to disagree
Passion
Devoted
long-time craftsmanship
obsess over details
hungry & foolish
Aligned
share the mission
optimistic about flying off a cliff
your 50-year dream
Authentic
consistent with own actions
make tough decisions
admit mistakes
Excellence
Technical
top 1% superstar
effective tooling
relevant to our needs
Potential
10x growth
voracious learner
contrarian thinker
Impact
accomplish important work
activity < productivity
thrive in chaos

July: NFT Wallet

April 2022

1wallet core and web edition (and completion status):

2022 Q1 self-assessment

  • 💻 With the team, completed theft investigation of Chrome Extension Wallet, prevented 8M loss (in ONE), 50M potential loss, patched >5 security bugs, improved processes, and stopped further incidents. Gathered team of experts and provided ongoing forensic evidence for FBI
  • 💻 Made 1wallet core and web edition production-ready with:
    • the release of v15: adjustable spend limit, 4 new ways of recovery, predictable address and verifiable code.
    • horizontally scalable relayer that eliminated >99% errors, comfortably supporting offline events and high concurrent use, made future-proof for arbitrarily large user base
    • New improvements in v16 (underway): staking, multi-device sync, Apple’s built-in authenticators (auto-fill with FaceID / fingerprint), security patch for multisig use cases, and developer guides
  • 💻 Through Project X, made 4 investments (with Jack) based on proven track record that will provide infrastructure and cross-chain services on Harmony and other blockchains (in DeFi, fiat-payment, data transport privacy, and NFT risk assessment)

March 2022

1wallet core and web edition (and completion status):