
Riyaz Faizullabhoy
@riyazdf
Followers: 4K | Following: 1K | Media: 16 | Statuses: 389
vp security @NexusLabs // prev co-founder @bastionplatform, cto @a16z crypto, sec infra @novi, founding engineer @anchorage, & sec @docker // work hard, be kind
Joined December 2012
In web3: security is not only of utmost importance, but also cannot be over-simplified to a checkbox for audit. To help, @ajbeal, @nassyweazy, @cseifert, and I put together the following guide for thinking about smart contract security at every step 🧵.
I could not be more excited to announce that I'm joining @a16z Crypto as CTO along with my close colleague and friend @nassyweazy (CISO)! Can't wait to get started with this amazing team.
As web3 expands, even the most crypto-native projects will have a hard time keeping up with the latest security best practices. We’ll help with that. I’m thrilled to announce @riyazdf and @nassyweazy have joined @a16z Crypto as our new CTO and CISO!
when thinking about security threats, it’s important to identify classes of attacks to address and defend against them in a systematic way. @mg_486662 and I survey web3 attack types here:
Today, we welcome @BastionPlatform to the world. We believe companies building in web3 need more than just a wallet to deliver the best products for their users. So @nassyweazy and I have been hard at work with the Bastion team to build that holistic platform. 🧵 (1/7).
docker trust released with 17.10 edge today! Give it a spin:
@riyazdf @_ashfall_ 'docker trust view' allows you to see what teams, engineers, or systems signed the image
I echo what Nass says here. Thank you again to our friends and colleagues for your support yesterday - it means the world to us. I am so proud to say that we are finally live! We can't wait to show you what @BastionPlatform can do 💪.
We are blown away by yesterday's response to our announcement. Thank you again for all of your support and warm reception of @BastionPlatform. For a recap of all yesterday's announcement and our $25M fundraise👇.
a reminder that security threats in web3 systems can span widely across infra, opsec, etc — strong security in web3 requires comprehensive threat modeling, defense mechanisms, and incident response beyond solely securing smart contracts.
1/ Update: Initially we thought the issue may have been with AWS, however after further diagnosis, we have identified that the hacker has managed to exploit Godaddy, essentially they have hijacked our domain and copied our codebase and in the process changed the swap parameters.
We’re laser focused at @BastionPlatform to enable the next generation of web3 interactions for businesses, that feel like web2. If you’re excited by our mission and ready to build secure and robust infrastructure, we are hiring
Former a16z execs launch Bastion by @christinemhall.
Excited to have @CFriedman00 take on the COO role at @BastionPlatform! Her leadership has been instrumental to our success so far and I'm confident she will continue to excel in her expanded role as we empower more businesses to unlock web3 use cases.
Secure your updates! Lily Guo and I are going to prove you need TUF security! Come to our talk at #LinuxCon and #ContainerCon!
Non-custodial != full control of keys. @nassyweazy and I break down the not so obvious trust assumptions, tradeoffs, and best practices for wallet security:
so excited to continue collaborating with @moshaikhs, @AveryChing, and the many familiar faces at @aptoslabs! 🔥.
if you’re using EdDSA in prod please take a look! Incredibly impactful work from @kostascrypto et al 👇.
Preliminary juicy impact report for the recent EdDSA Double PubKey Sign Oracle misuse exploit. community owes thanks to the following crypto experts: @FBaldimtsi @lera_banda @hdevalence @bascule @riyazdf for their recommendations and co-brainstorming.
New content 🚨: In this talk, @nassyweazy and I outline a (non-exhaustive) framework for thinking about security in web3 more holistically — rooted in real world examples. Check it out! And thank you @a16zcrypto for hosting us 🫡
@NoahCitron @nassyweazy @riyazdf @PrimordialAA @dwr @alive_eth How to not get hacked and other security lessons learned w/ @nassyweazy & @riyazdf.
World, meet @Anchorage! It's been a privilege building our team and product from the ground up, and I'm incredibly proud of what our team has achieved. Stay tuned!
Today we are excited to introduce Anchorage, the most advanced digital asset custodian for institutional investors. Read more here:
Thanks for having us @LoganJastremski! Definitely a fun conversation digging into the pragmatism web3 needs.
It's my distinct pleasure to be releasing a podcast with the Former A16z CTO & CISO on their New Startup @BastionPlatform. The Founders @Riyazdf & @Nassyweazy share their experience building companies at scale and the ruthless pragmatism required. We speak to: - Off-Chain
amazing progress by @EvanWeb3 @b1ackd0g @EmanAbio @GDanezis @kostascrypto and the @Mysten_Labs team! 🚀.
Today, we announce Sui to the world -- the 1st permissionless Layer 1 blockchain designed to enable creators & devs to build experiences that cater to the next billion users in web3! Read about it here:
listen in on an introspection on the series of security events last week with @mg_486662 @nassyweazy — so many lessons learned for web3 security!
an excellent deep dive on the sorcery @mg_486662 and @NoahCitron pulled off on the IAmOptimizor Challenge.
Last week @NoahCitron and @mg_486662 submitted a winning smart contract in the gas-golfing IAmOptimizor Challenge. Here's how they did it (including some unconventional optimizations, and learnings from other wildly efficient contracts). 🔗:
come to "Secure Substrate" this afternoon to learn more about linuxkit and security with @diogomonica and me #DockerCon.
it's time for experiences in web3 to feel like web2, without compromising on security. thank you @bchaininsider, @0xmauricio, and @catgu_ for hosting me & @maikaisogawa!
What is wrong with UX in crypto? And what can be done to fix it? 🤔 This week's pod is out now! Hosts @0xmauricio and @catgu_ are joined by: 🎙️ @maikaisogawa // @mywebacy 🎙️ @riyazdf // @BastionPlatform 🎧 Full episode:
big step forward for financial inclusion and exposing the masses to a new asset class. Congratulations to the @novi team!
Remittances are a critical way to achieve financial inclusion. Today, we’re rolling out a small pilot of the @Novi digital wallet app in two countries — the US and Guatemala. People can send and receive money instantly, securely, and with no fees. 1/8.
crypto’s come a long way, and there’s still more to come. It’s a great time to build!
This morning @a16z crypto published our first annual State of Crypto report. 📊 It shows how far crypto has come — and how early we still are — in building the next generation of the internet. Here's a 🧵 of some highlights.
That said, web3 presents unique security challenges that must be addressed accordingly. One important example is monitoring on-chain data, where @FortaNetwork can enable customizable alerting and action on suspicious activity.
.@cyli and @Endophage securing your software supply chain and showing off impressive security by default #DockerCon
timely to revisit this piece today, a reminder that custody is much more nuanced than “custodial” vs “non-custodial”.
"Not your keys, not your crypto" doesn't really reflect the reality. Wallet security is a multi-dimensional spectrum that is far more complex than the custodial vs non-custodial dichotomy so @riyazdf and I wrote a guide to web3 key management.
We’re incredibly thankful to be backed by the best for our seed round, led by @a16zcrypto along with participation from other amazing firms and angels. We’re also grateful to be advised by @davidmarcus and @danboneh. (5/7).
great work and excited for the write-up 💪 @mg_486662.
I’d also like to thank @nassyweazy and mattgleason.eth from @a16z for finding an even more critical issue in the push2ens contract than Samczsun found. I rewarded them with a bounty and they agreed to take a look at the final project before the next deployment.
Secure your spot at @DockerCon, and come learn about #Docker security!
We're excited to announce #DockerCon 2017 speakers and sessions:
a great event, really excited to present this time with Tycho on #linuxkit security happenings and goals
The 2017 #linuxsecuritysummit schedule is now published!
like with most crypto(graphy) – it's probably not a good idea to roll your own unless you deeply understand what you're getting yourself into!
Many companies mention "MPC" when building a wallet without realizing that there are over twenty capabilities that may or may not be available to their specific implementation and will directly define their product's UX and infra (shard refresh, pre-computation, trust bootstrap).
1/ Recent events had @nassyweazy and I revisit the security of crypto deposits 💸. The topic usually takes a backseat to the security of key storage and access, though it can be just as complex and issues can quickly cascade when combined with blockchain’s irreversibility 👇.
@diogomonica was so much fun devising the theme with you! In particular, making that last slide was 💯.
the more accessible web3 becomes, the more we’ll see the influx of talent like this👇.
One real issue for FAANG style companies with web3 is retaining talent. Very simply: the smartest engineers/designers are working on crypto definitely on the side and are interested in moving fulltime. Has come up with multiple exec conversations.
welcome aboard, Michele! 🚀.
After 27 years in government and law enforcement, most recently as the Chief Digital Currency Advisor at FinCEN, I’m joining @a16z crypto as Head of Regulatory.
@milesjennings @joandthezhus @nonfungibletara @ChrisLyons @janehk @eddylazzarin @meigga @lordvolth @0xMasonH @MelissaKaspers @Mclader nonsense, and of course @nassyweazy is here too 🥸
I just made contribution #82 (9h 34m 23s) to @AleoHQ's setup ceremony to power private applications. My address: aleo1k3a954e9wqp2clura5edt93u6lkx0z5n2ykdjpw8utpkt465q5xsxzfxn2. #AleoSetup.
congrats to @ralucaadapopa @podcastinator @tobiasboelter on pulling this all together, really cool paper!
Excited about Arx, the new CryptDB successor, using only strong encryption schemes! Feedback appreciated! #cryptdb.
@nassyweazy @AriannaSimpson @BastionPlatform @a16zcrypto ditto — we’re thrilled to be supported by you and the incredible @a16zcrypto team 🙂.
@diogomonica definitely can't take nearly half of the credit - @diogomonica is a slidedeck and language perfectionist.
#LinuxCon folks: come to Frontenac this afternoon for a fun discussion on software update security!
#DockerSecurity eng @riyazdf speaks at 4:35pm on "When the going gets tough, the TUF get going" @docker #LinuxCon.
love seeing more and more security-minded tools like this in the web3 ecosystem👇 great work @blauyourmind 💪.
great deep dive of the details and rigor of the CVE process with @crosbymichael, featuring the @tonistiigi factor #DockerCon
@nassyweazy @Adina_S_Fischer @BastionPlatform ditto! Thankful to still be in the a16z family with you and team 🙂.
My co-founder @nassyweazy and I were excited to talk about it with Brave New Coin and we are excited to talk about it with you. Our DMs are open.
#Docker is secure by default - @diogomonica reflects on the past year in #dockersecurity via @docker.