Smart contracts are the backbone of Web3, but let’s be real, they’re not as “smart” or as “secure” as we’d like them to be. With billions of dollars locked into decentralized applications, even the smallest vulnerability can lead to massive losses.
Also, as blockchain adoption grows, bad actors are getting more sophisticated, launching attacks that slip under the radar. So, how do we tackle this growing problem?
We caught up with Anoop, Co-Founder and CEO of Trugard, to break it all down. Anoop has spent years working on real-time distributed systems and security infrastructure, from his early days at Cisco and AWS to now leading Trugard’s charge in smart contract risk intelligence. His company is building cutting-edge solutions to detect threats faster, reduce risk for users, and make Web3 a safer place.
In our conversation, we dive into how secure smart contracts really are, why audits alone aren’t enough, and what new threats are emerging in the space.
Anoop also shares insights on AI-driven security, the future of “self-healing” smart contracts, and whether we’ll ever reach a point where blockchain security is truly ironclad. So, let’s get into it.
Tell us a bit about yourself and how you got into Web3?
I’m a hands-on practitioner with a background in real-time distributed systems engineering, where I’ve been fortunate to be involved in many great projects and a number of world-first initiatives. I’ve worked in photonics, switching and routing design, been a chip designer, a video infrastructure architect, a security engineer, and then switched over to become an operator managing and leading teams from 10-400 people.
My first exposure to blockchain, before it was rebranded as web3, was in early 2009, when a then colleague told me about this thing called bitcoin, and how he just mined it. Of course, I told him that was nice, and then went about my day as we were in the midst of doing a major upgrade to customers’ video infrastructure.
I was then re-acquainted with bitcoin, and then later blockchain, in 2014 when at Cisco I asked the simple question of, “If Cisco powers 68% of the world’s internet today, and therefore by definition, every bitcoin transaction is seen by Cisco equipment before the counterparties, then is there a massive opportunity that Cisco can take advantage of in what could potentially be the most radical transformation of the internet itself?”
We posed this to Cisco’s board, and with unanimous consent, we started the blockchain work at Cisco. On that journey, we created the world’s first blockchain and IoT industry group, helped start the enterprise ethereum alliance as well as the Hyperledger project, and built our own L1 chain. After Cisco, I joined AWS, to run one of their blockchain businesses, and then later went on to launch Trugard.
How secure are smart contracts today? What are the biggest problems in the space?
In short, smart contracts are not secure. That said, neither are they smart or a “contract”. Smart contracts are simply codified business logic that operates on decentralized infrastructure. As with any codified business logic, the implementation is what determines safety and security, and as we all learned from the DAO attack, a tight understanding and enforcement of rules by the execution engine are the other side of the security equation.
The real question is, can smart contracts be written so that they are secure? The answer to that question is obviously yes, but we need to take a deeper look into exactly what security means in this context, and consider all the touch points that a contract has while being utilized across a network. One of the biggest challenges we have today in web3 when it comes to smart contract safety, is the delay from when a contract is deployed to when potential risk insights are made available to users.
At Trugard, we have strived to reduce this delay down to about 5 seconds from the time we observe the creation of a new block, to when we have risk insights made available to our users. After an initial automated inspection, we routinely refresh our insights based on enhancements we may make to our detection suite, and have started pulling in partner data to further enrich our insights.
While this is pretty quick, we also believe we can do better, and have been exploring the notion of decentralizing our software stack to become co-resident with blockchain nodes, allowing for contracts to be tagged appropriately prior to the contract being formally committed to a block. We have validated this model somewhat and are exploring this more formally. However, we are also keenly aware of the perception of “surveillance” that an approach like this might offer, but I believe that for blockchain technology to be truly adopted at scale, we’ll need capabilities like this. What’s driving us to consider approaches like this, is the fact that less than 99.2% of all smart contracts deployed offer absolutely zero transparency.
Another way to put this: less than 0.8% of smart contracts deployed today have source code available to review, or an audit report that is publicly available. This does not bode well for broader adoption of blockchain technology, or digital assets.
How would you define “risk intelligence” for smart contracts? Is it just security or more than that?
Risk intelligence is far more than just security. While a specific smart contract of interest might actually be ok, there may be an extended risk that many users might not immediately be aware of, or even know to ask about.
We’ve seen coordinated efforts by some bad actors spanning multiple networks deploying a combination of good and bad contracts. A user may come across a “good” contract and may have a false sense of security for a time for that contract and/or project. However, the contract or project may be one of only a small handful of “good” assets that a developer may have deployed out of potentially dozens for malicious projects that are set alongside.
Then of course, there are deployment metrics that can be leveraged to further provide intelligence signals on the efficacy of a smart contract and/or project. Metrics like deployment frequency, whether or not contracts are deployed in clusters, timelines of cross-chain deployments, etc. Simply knowing whether a contract is written properly is not enough when trying to identify bad actors in our space.
What new security threats do you think will be a big deal in the next year or two?
We are definitely seeing an evolution of advanced persistent threats that now leverage web3 technologies. While many in our space are focused on identifying and defending against hacks that may result in 7, 8, or 9 digit losses, and rightly they should, we are seeing a sharp rise in what we call “death by a thousand cuts” campaigns.
These are characterized by campaigns of smart contract deployments that have been involved in sub-$10K thefts, destruction of value, or the redirection of assets. These are generally unreported losses, or losses too small to pay the sometimes exorbitant recovery fees.
Over the course of 6, 12, or 18 months, these campaigns can result in massive losses. At Trugard, and along with one of our partners, we’ve uncovered one such campaign that has been active for almost 2 years, and affected more than $500M in value.
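The deployer-level signals described in the risk intelligence answer above (deployment frequency, clustering, cross-chain timelines, the mix of “good” and “bad” contracts from one deployer) and the aggregation of sub-$10K incidents into long-running campaigns can both be computed from the same deployment records. The following is an added example, not Trugard’s code or data: the addresses, the “good”/“bad” labels (assumed to come from an upstream detection suite), the loss figures and the thresholds are all constructed assumptions chosen only to illustrate the logic.

```python
"""Deployer-level risk signals over constructed smart-contract deployment records.

Added example (not Trugard's code): computes the deployment metrics and the
"death by a thousand cuts" aggregation described in the interview over a small
constructed data set. Addresses, labels and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

DAY = 86_400
CLUSTER_WINDOW = 3_600          # assumption: deployments within 1h form a cluster
SMALL_LOSS_USD = 10_000.0       # "sub-$10K" incidents, as in the interview
SUSPECT_BAD_RATIO = 0.5         # assumption: share of bad contracts that taints a deployer
T0 = 1_700_000_000              # constructed epoch base for the sample timestamps


@dataclass(frozen=True)
class Deployment:
    deployer: str    # account that created the contract
    contract: str    # contract address
    chain: str       # network name
    ts: int          # block timestamp (unix seconds)
    label: str       # "good" / "bad": assumed output of an upstream detection suite
    loss_usd: float  # value lost that was attributed to this contract (constructed)


# Constructed sample: deployer A mixes one clean contract with a long series of
# small-loss malicious ones across three chains; deployer B is clean throughout.
SAMPLE = [
    Deployment("0xdeployerA", "0xgoodA1", "ethereum", T0,             "good", 0.0),
    Deployment("0xdeployerA", "0xbadA1",  "ethereum", T0 + 600,       "bad",  4_000.0),
    Deployment("0xdeployerA", "0xbadA2",  "bsc",      T0 + 1_200,     "bad",  6_000.0),
    Deployment("0xdeployerA", "0xbadA3",  "polygon",  T0 + 30 * DAY,  "bad",  9_500.0),
    Deployment("0xdeployerA", "0xbadA4",  "ethereum", T0 + 200 * DAY, "bad",  3_000.0),
    Deployment("0xdeployerA", "0xbadA5",  "bsc",      T0 + 400 * DAY, "bad",  8_000.0),
    Deployment("0xdeployerA", "0xbadA6",  "polygon",  T0 + 410 * DAY, "bad",  12_000.0),
    Deployment("0xdeployerB", "0xgoodB1", "ethereum", T0 + 10 * DAY,  "good", 0.0),
    Deployment("0xdeployerB", "0xgoodB2", "ethereum", T0 + 100 * DAY, "good", 0.0),
]


def by_deployer(deployments):
    """Group records by the deploying account."""
    groups = defaultdict(list)
    for d in deployments:
        groups[d.deployer].append(d)
    return groups


def deployer_profile(deployments, deployer):
    """Deployment metrics for one deployer: frequency, clustering, chain spread, labels."""
    mine = sorted((d for d in deployments if d.deployer == deployer), key=lambda d: d.ts)
    if not mine:
        return None
    ts = [d.ts for d in mine]
    # largest number of deployments that fall inside one CLUSTER_WINDOW
    max_cluster = max(sum(1 for t in ts if 0 <= t - start <= CLUSTER_WINDOW) for start in ts)
    bad = sum(1 for d in mine if d.label == "bad")
    return {
        "deployments": len(mine),
        "bad": bad,
        "good": sum(1 for d in mine if d.label == "good"),
        "bad_ratio": bad / len(mine),
        "chains": sorted({d.chain for d in mine}),   # cross-chain footprint
        "max_cluster": max_cluster,
        "span_days": (ts[-1] - ts[0]) // DAY,         # how long the deployer has been active
    }


def contextual_risk(deployments, contract):
    """Risk of a contract in the context of its deployer's history, not just its own code."""
    target = next(d for d in deployments if d.contract == contract)
    profile = deployer_profile(deployments, target.deployer)
    # a "good" contract from a deployer with a mostly-bad track record is still a warning sign
    suspect = (target.label == "good"
               and profile["deployments"] >= 3
               and profile["bad_ratio"] >= SUSPECT_BAD_RATIO)
    return {"contract": contract, "own_label": target.label,
            "deployer_bad_ratio": round(profile["bad_ratio"], 3),
            "good_but_suspect_deployer": suspect}


def campaign_losses(deployments, min_span_days=180, min_incidents=3):
    """Aggregate sub-$10K incidents per deployer and surface long-running campaigns."""
    campaigns = {}
    for deployer, mine in by_deployer(deployments).items():
        small = sorted((d for d in mine if 0 < d.loss_usd < SMALL_LOSS_USD), key=lambda d: d.ts)
        if len(small) < min_incidents:
            continue
        span = (small[-1].ts - small[0].ts) // DAY
        if span >= min_span_days:
            campaigns[deployer] = {"incidents": len(small),
                                   "small_loss_total": sum(d.loss_usd for d in small),
                                   "span_days": span}
    return campaigns


if __name__ == "__main__":
    print(deployer_profile(SAMPLE, "0xdeployerA"))
    print(contextual_risk(SAMPLE, "0xgoodA1"))
    print(campaign_losses(SAMPLE))
```

On the constructed data, `0xgoodA1` is labelled clean on its own, but `contextual_risk` flags it because six of its deployer’s seven contracts are bad, three were deployed within an hour and the activity spans three chains; `campaign_losses` rolls the five sub-$10K incidents from the same deployer into one campaign worth $30,500 over roughly 400 days, while the single $12K incident is left to the large-loss tooling. In practice the labels would come from a detection pipeline and the thresholds would be tuned against real deployment data.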
Many crypto projects rely on audits to find security issues. Are audits enough or do we need something better?
We’ve seen over the last few years that not all audit firms are created equal. This has resulted in many projects acquiring multiple audits, but sadly still no guarantees that an exploit or hack will not happen.
Audits serve as a good point of reference but are obsolete as soon as the contract is deployed. Of course there is also the risk that despite an audit, the final implementation might not fully consider all the recommendations that an auditor might suggest.
In a way, while an audit might serve as a guidepost, it will always be the developer’s responsibility to implement a contract to the best of their ability. While there are many great developer tools that can help good developers write safe and potentially risk-free contracts, we have to keep in mind that bad actors NEVER submit their contracts for audit, nor do they make their code available for public review.
This brings me back to my point earlier on providing an edge “sensor” that can tag a contract for risk prior to insertion into a block.
Hackers are getting smarter, and AI is making cyber attacks more dangerous. How is Trugard staying ahead of the game?
Whether it’s web3 or web2, there is still an open debate on whether AI can be used to combat AI. Instead of jumping on the LLM, Agentic, or other AI narratives, we instead chose to focus on understanding what the size, scope, and virality of the problem statement is. I would comfortably state that our platform contains the largest collection of labelled contracts in the industry.
Upon discovery of a new smart contract deployment, we immediately pass it through a detection suite containing over 5000 risk parameters. Naturally, we use a combination of machine learning and AI techniques to identify risk, but it is our vast data set to develop and discover new classifications of risk that sets us apart for the long term.
Will we ever have “self-healing” smart contracts that can fix security issues on their own?
I think this is where we will end up. The application of AI to continually fuzz agents for behavior and feature engineering will be important to help clean up contracts written by good actors. It’s great that we already have one of the key enablers in place to allow this, Metamorphic smart contracts, and using this class of smart contract construct, I can definitely see a time in the very near future where agents can be used to upgrade and “heal” contracts.
However, we still have a challenge on the efficacy of AI in general. Why should anyone trust what an AI agent is doing? Provenance of the efficacy of training data is still problematic, and LLM jacking is prevalent across many sectors. In short, I would say that AI poses more near-term risk to web3 than just about anything else.
In the long term, however, we will see a new class of holistic security practices, techniques, and procedures that take into account the prevalence of AI in the digital asset world. If we as an industry are genuinely serious about solving these problems, we need to treat web3 as next-generation critical infrastructure, and as such put in place all the checks and balances, observability, and metrics that users deserve so that we can help them stay safe using this technology.
What can we learn from recent high profile hacks?
It’s apparent to me that the one thing we continue to forget in this space is that web2 is web3’s Achilles’ heel. From 2015 to about 2020, we saw smart contract exploits, virtual machine exploits, hacks of chains themselves, but in the last 5 years, we continue to see a breakdown of proper cybersecurity hygiene, governance, and controls. Needless to say, this has nothing to do with the technology itself, but rather bad actors leveraging classical web2 approaches to steal or destroy value.
If you could change one thing about how the crypto industry handles security, what would it be?
Crypto is on a journey just like any other industry. We are launching ships while we are still building them; this is the very definition of innovation. Crypto will go through all the same growing pains as any other technical revolution that has ever been worth pursuing. What’s different between web3 and web2 digital assets is the velocity at which the assets can move. Technically, web2 can deliver similar performance to web3, but what sets the segments apart is market structure.
Web2 market structure has enough legacy procedural and operational baggage that it keeps it from delivering on any of the promises of web3. I would like to see crypto evolve to where we are not waiting for regulators to define the path forward; I would rather we lead with our own best practices, hold ourselves accountable to the innovation and the potential we will unlock, and truly drive a positive impact to the human condition.
Where do you see smart contract security in 5 years? Will we ever be 100% secure?
Security is a constant cat and mouse game. We’ll never be fully 100% secure, but we can make it challenging for bad actors to commit fraud, theft, destruction of value, and socially engineer any of the above. Web3 is not unique here.
As a small segment of the internet industry, we have to keep in mind that where there is value, there will be someone there to steal, destroy, or manipulate that value. Again, this is not unique to web3, but this is where I believe the opportunity is, not just for Trugard, but for the segment as a whole.
Copyright 2025 The CEOWORLD magazine. All rights reserved. This material (and any extract from it) must not be copied, redistributed or placed on any website, without CEOWORLD magazine’ prior written consent. For media queries, please contact: info@ceoworld.biz