GRTiQ Podcast: 179 Goncalo Sa

Today I am speaking with Goncalo Sa, Co-founder & Security Researcher of ConsenSys Diligence, a comprehensive smart contract audit service that helps everyone from startups to enterprises launch and maintain their Ethereum blockchain applications. Goncalo is also a Co-founder at Creed, a collective of security professionals that work together to improve the security of the web3 ecosystem, and Technical Partner at Ethereal Ventures, a team of global investors who invest in crypto platforms and protocols.

Goncalo was a lot of fun to interview. As you will hear, he’s got a lot of positive energy and that unmistakable entrepreneurial drive. During our conversation, he talks about his upbringing in Portugal and Lisbon’s emergence as a prominent web3 hub. We also talk about his entry into tech, the valuable lessons he’s learned over the years, the amazing backstory for how he got started with ConsenSys, his passion for music, and a lot more!

The GRTiQ Podcast owns the copyright in and to all content, including transcripts and images, of the GRTiQ Podcast, with all rights reserved, as well as our right of publicity. You are free to share and/or reference the information contained herein, including show transcripts (500-word maximum) in any media articles, personal websites, in other non-commercial articles or blog posts, or on a non-commercial personal social media account, so long as you include proper attribution (i.e., “The GRTiQ Podcast”) and link back to the appropriate URL (i.e., GRTiQ.com/podcast[episode]). We do not authorize anyone to copy any portion of the podcast content or to use the GRTiQ or GRTiQ Podcast name, image, or likeness, for any commercial purpose or use, including without limitation inclusion in any books, e-books or audiobooks, book summaries or synopses, or on any commercial websites or social media sites that either offer or promote your products or services, or anyone else’s products or services. The content of GRTiQ Podcasts is for informational purposes only and does not constitute tax, legal, or investment advice.

SHOW NOTES:

SHOW TRANSCRIPTS

We use software and some light editing to transcribe podcast episodes. Any errors, typos, or other mistakes in the show transcripts are the responsibility of GRTiQ Podcast and not our guest(s). We review and update show notes regularly, and we appreciate suggested edits – email: iQ at GRTiQ dot COM.

The following podcast is for informational purposes only. The contents of this podcast do not constitute tax, legal or investment advice. Take responsibility for your own decisions, consult with the proper professionals, and do your own research.

Goncalo Sa (00:14):

To be honest, I think The Graph’s pretty traversal. I think The Graph is important for all sides. I’m going to risk and say that 99 of the people that we worked with, that I’ve advised, that I’ve seen, projects that I’ve seen, 99% use subgraphs.

Nick (01:06):

Welcome to the GRTiQ Podcast. Today I’m speaking with Goncalo Sa, co-founder and security researcher at ConsenSys Diligence, a premier smart contract audit service that assists start-ups and enterprises in launching and maintaining their Ethereum blockchain applications. Goncalo is also a co-founder at Creed, a collective of security experts dedicated to enhancing web3 security and a technical partner at Ethereal Ventures, which invests in crypto platforms and protocols.

Goncalo was a lot of fun to interview, and as you’re about to hear, he’s got a lot of positive energy and that unmistakable entrepreneurial drive. During our conversation, he talks about his upbringing in Portugal and Lisbon’s emergence as a prominent web3 hub. We also talk about his entry into tech, the valuable lessons he’s learned over the years, the amazing backstory for how he got started with ConsenSys, his passion for music, and so much more. We began the conversation talking about Goncalo’s background.

Goncalo Sa (02:08):

Thank you, Nick. Great to be here. Thank you for the invitation. My background, I started off as an aerospace engineer or at least studying to be one, but I quickly found out that physics was not my thing and ended up dropping out of school. So I guess that is my background, but practically since I remember the first time I touched the computer, I’ve been completely fazed by how people would crack games to begin with. So back in, I don’t know, ’98, ’99 was my first contact with DRM protection cracks and stuff like that. And that has spiked an insane interest into being a digital burglar, if you will.

Nick (02:58):

It’s an amazing background. And you’ve shared before that your parents sort of helped shape or steer some of your early interest in technology. Is that right?

Goncalo Sa (03:06):

Yeah. Yes, somewhat. I was decently surrounded with the digital world since I was a kid. The first contact though was not a computer, to be fair. It was like a Casio calculator, one of those that you could program with BASIC. And from there on out, I just fell in love with everything that was hardware or software or anything.

(03:30):

From that point that I was just talking about earlier, from that point onwards, the first time that a friend gave me a CD with a cracked game, which I do remember was Robot Arena 2, I just started firing up the modem, still old noises, old dial-up noises, and just hanging out in a bunch of forums. The first of which or one of the first few contact with these hacking forums or CTF-like forums was Hack This Site and then from there on out, just a bunch of, diversified into a bunch of these.

Nick (04:05):

When you think back to being a young person who’s interested in tech and games and kind of like you said, cracking games and stuff, what drew you to that? I mean, if you had to kind of think back, because lots of young people are interested in a lot of different things, but for some reason tech and games sort of caught your attention. Have you ever thought about what it was about it that made you interested?

Goncalo Sa (04:27):

I have, but I think this was all due to what I now have been perceiving as like undiagnosed ADHD, because I think all of these things came from the need of the adrenaline rush, if this makes sense, right? Anything from picking locks to cracking games or making something malfunction in a way that I get rewarded, not financially, but rewarding, getting that adrenaline rush, I’d love it basically. So I think that is part of it. I think it’s brain morphology at play here.

Nick (05:07):

And for listeners that aren’t sure what you mean by cracking games, what does that concept mean or what do you mean when you say you would crack games?

Goncalo Sa (05:15):

Back then cracks would proliferate across the scene. The scene was just like this underground hacking, I don’t even know what to call it. It’s just like, it’s this scene, I guess it’s just a collection of forums where people would hang out. They would do all these gray hat-ish things, sometimes pure black hat. The distinction between those being that some people do good and some people do bad things, and cracks would proliferate.

(05:43):

Cracking a game back then basically meant that you would bypass the DRM protection because these things would be distributed on physical media and you’d buy a game in the store. For the younger listeners, I’m sure this sounds crazy, but you’d buy a game in a store, you’d get it in a physical medium. Typically back then it would be CDs, later on DVDs.

(06:05):

And the publishers had to make sure that you could not just take the content of that CD or DVD out, the bits from there, and just replay it elsewhere. And so that was DRM protections or digital rights media, something along those lines. I’m not entirely sure if I’m saying the acronym right. But cracking a game would mean stripping out that part of the bits and bytes and making it run regardless of you owning the physical thing.

Nick (06:39):

Got it. Where did you grow up? What part of the world were you growing up and living in as a young person?

Goncalo Sa (06:45):

Portugal, Portugal, north of Portugal, later on moved to Lisbon.

Nick (06:49):

And as somebody who’s from Portugal, how would you explain what seems to have happened over the last couple of years, which is Lisbon becoming a web3 hub? I mean, you grew up there. You’ve seen since being a young person, kind of the evolution of this thing. What’s going on there? How would you explain that?

Goncalo Sa (07:08):

I think Portugal is a beautiful country, and people finally found that out, being honest about it. I think it was the NHR status, so the Non-Habitual Resident status that actually put us on the map, which was a decent move from the government and also the Golden Visa. Since, I don’t know, maybe 2014 when Bitcoin started having way more liquidity than before, and then Ethereum came along and there was a lot of wealth creation, and there was a lot of people from all over the world that found immediate wealth that really wanted a Schengen Area passport, and Portugal provided that.

(07:46):

So that makes sense from an incentives perspective. But nowadays, I think that there is indeed, there wasn’t before, but with the flux of people that flocked to Lisbon, I think we now do have a burgeoning web3 ecosystem there. You can actually meet a lot of cool projects and cool people working in the space.

Nick (09:11):

So if you go back in time then and think about when you first became aware of blockchain and interested in this type of tech, what were you thinking at the time and when did you first encounter it?

Goncalo Sa (09:22):

So I did drop out of school. I was doing startups before during school, but afterwards I was doing this ad tech company called Clickly, terrible name, terrible SEO. But we did get a seed round and we were trying to build cool things. We built an ad service. I built a full on ad server from scratch in PHP, which was actually decently performant. We built all these things, but the industry was awful, awful experience all around. We’d visit Google headquarters and people were nice, but when you start talking about business and grabbing data from the data platforms, the data providers, the PSPs, things just went south ways. People are sharks, honestly.

(10:07):

Well, it tracks because it’s a super low margin business and they need volume. And so I feel that innovation in the ad tech space, and by ad I mean advertisement, innovation in the ad tech space I feel like is only performance based. And it was back then, and we were trying to do something different. So we were scraping websites, doing NLP on the websites and trying to place ads in the DOM, like on the HTML page, placing it right where things were being mentioned.

(10:39):

Now, this is not a good thing in advertisement because people just want volume. They don’t want to pay more for a specific ad because it’s really hard to measure or track how well these are doing.

(10:53):

While this was happening and me growing disillusioned with what we were doing, having learned about Ethereum while at Clickly, I thought that that could be our holy grail. So in my mind, I just thought there must be something that we can do in a permissionless manner, like some sort of escrow mechanism that we can think of that actually solves the problem with these very perverse incentives that our ad play in the advertisement industry.

(11:30):

Honestly, that’s how I started looking more into it. That was probably the reason. I already liked the premise of Bitcoin and cryptocurrencies, but I think that was the click moment for me about what we could do with Ethereum.

Nick (11:45):

So then did you actually end up using Ethereum? I mean, you said it might be the thing that sort of helps you address this problem. Did you lean into it and try it?

Goncalo Sa (11:56):

Yeah. So we started looking heavily into it as a way for us to do something about those incentives. Unfortunately, our seed investors were not the best people. I was part of the founding team. At that point we had more people, but basically I had some decision power. When I started pitching this to the team, it was met with light resistance, but when I started pitching this to the investors, that’s when I got a hard no. And so at that point, that was exactly when I quit Clickly and forfeited all my equity and leaned in fully into Ethereum and with some of my friends from school or friends that I had kept along the years, we started building just Ethereum mining rigs. That was it.

(12:52):

That was the gateway. Since I hadn’t crystallized any or formalized properly what I wanted to do with Ethereum, the gateway was just like, “Hey, we’re going to build hardware to mine and we’ll figure it out from here.”

Nick (13:05):

You’re not the first person I’ve had the opportunity to interview that did that, that got started doing some early mining. What was that experience like and what sort of memories or anecdotes do you remember from that time?

Goncalo Sa (13:16):

It was super fun. It was super, super fun. One of the fondest, probably also most painful memories was that we were so broke that we were selling hundreds of ETH every month to pay the bills, the electricity bills. So it was weird. It was weird times, but it was super fun. I had an insane amount of fun.

Nick (13:41):

So Goncalo, you’ve said in other interviews that you had an experience at a DAO hack in 2016 that really influenced the way you approached blockchain and your career in this space. Can you talk to us about that experience and what impact that had?

Goncalo Sa (13:58):

Yeah, absolutely. So we had been mining for a while. We’d built the mining rigs. It was super fun. But as I got into the Ethereum ecosystem more and more and I was always perusing the forums and anything that the EF or ConsenSys talked about or put out or all the projects that were incubating, I found out about the DAO. And at that point, I think it was the one out of the three friends that were mining that was most invested into the ecosystem. I genuinely cared. I was pretty sure that at some point in my life I was going to do something within that ecosystem.

(14:39):

And so when I found out about the DAO, I convinced both of them to put basically all the, that we had invested so far into the DAO, which as we know now was not such a great idea and well hindsight 20/20 I guess. But I did read the forum posts talking about the possibility of reentrancy attacks, and I still did nothing about it.

(15:06):

So at that point when the DAO hack started happening and I realized that I had cost not me but them, that was the harsh part, that I had cost them basically everything that we had saved so far, I got really mad at myself and I promised that I would never do anything like this again. And so having had some prior experience hacking and cracking and exploiting stuff, I promised myself that I would always take a look at the code that I was putting my money into.

Nick (15:37):

And so this sort of set you in the direction of smart contracts and auditing and would you say kind of white hat hacker approach to smart contract security? Is that correct?

Goncalo Sa (15:49):

Yeah, yeah, absolutely. That is actually the way I got into ConsenSys, which is a somewhat fun story. Back then, ConsenSys used to have this project called Variable, which was a stable coin. So at that point we’re full on three ICO craziness. This is late 2016 or second half of 2016. And people, everybody and their cousin was going to do an ICO. And so I was like, “Okay, I might as well start looking into these code bases earlier because they’re all going to launch practically at the same time. I’m not going to have time to review them all.” Just started reviewing them early on.

(16:33):

I got in touch with the Variable people because out of all the projects they were going to launch in 2017, they were the only ones that had a closed source code. And so I hopped into their Slack. There was an invitation link somewhere hidden in a forum somewhere. I hopped into their Slack and I immediately offered to help, “Hey guys, can I take a look at your code? I just want to do a security review on it, make sure there are no problems because I lost a bunch of money in the DAO.”

(17:02):

Now they immediately shut me off of Slack. They thought I was trying to hack them. They thought this was some social engineering type attack where I was trying to gather a lot of information from their team, but it wasn’t. I was honestly just trying to help. I immediately realized how it sounded. I actually messaged Joe Lubin about it saying, “Hey, I like everything that you guys are doing at ConsenSys. By the way, can you please tell the Variable team that I’m just trying to help?” And Joe said, “Why don’t you come do it at ConsenSys?” So that was the origin story of my path to ConsenSys Mesh.

Nick (17:42):

And that leads us to ConsenSys Diligence, which is one of the things that you’ve been working on in the space, and we’re going to talk a little bit more about that. But Goncalo, I’m sure I’m not the first person to connect the dots here of a young you who’s interested in cracking games and kind of exploring that growing up to become somebody that does somewhat white hat hacker and smart contract auditing. I mean, those dots connect. That’s pretty serendipitous, don’t you think?

Goncalo Sa (18:13):

Yeah, absolutely. Absolutely. The way my brain works is that I’m very anti-system and I do a lot of things for the adrenaline rush, which means that if I’m passionate, I’ll just dedicate an insane amount of time to it. So I think it was both serendipitous and unavoidable.

Nick (18:35):

How would you explain how important ethical hacking is to maybe the early days of the industry, but the role it’ll play in the growth of the industry? Do you ever think about that?

Goncalo Sa (18:49):

Yeah. Right now we’re definitely not at a young age anymore. We’re decades into this almost, but we’re definitely double digits. The structure there is around security for the entire, not only Ethereum, but for the entire web3 ecosystem, it’s completely different from what we had eight years ago when ConsenSys Diligence started or when we got together inside ConsenSys and very organically grew the team. Things look insanely different.

(19:25):

Right now we have a bunch of good people supporting bug bounty platforms. We have a bunch of insanely good talent just paying attention to everything web3 related, which back then was not the case at all, right? So we had to rely a lot more on the goodwill of certain actors. I’ll name two, which I know did an insane amount of work security-wise for Ethereum, which was Nick Johnson from ENS and Piper Merriam who was at ConsenSys, and then later on at the EF for the Python client work. But both these people, both of them did a lot of free, completely uninterested work for specific projects. So they would help specific projects with absolutely pro bono work just for the sake of the wellbeing of Ethereum, of Ethereum as a whole.

(20:32):

And so I think their ethical hacking, well, we can call it ethical hacking, that their work initially was insanely valuable and important. Probably nowadays we are so much more structured that we don’t need to rely on the goodwill of individuals and we can pay for that type of work basically.

Nick (20:53):

So Goncalo, you talked a little bit about the origins of ConsenSys Diligence and how you sort of volunteered to support and help and it grew into something much bigger. Let’s talk about what it’s become. What can you tell us about ConsenSys Diligence, the team and the types of things you’re working on presently?

Goncalo Sa (21:11):

Diligence has grown decently and our numbers have hovered around the 25 people mark over the years. I think that Diligence itself, we’ve always considered ourselves like a boutique firm of sorts. The idea was never, it’s not scalable what we do, or at least the way we do it is not scalable. So we would never become a CertiK or something. If the listener knows this name, you probably know that this is a huge firm, a huge security firm that just grew way too fast and is not known for the best security work all around. There has been some Twitter drama recently around some things that CertiK has done. So they are an example of a security firm, like a consulting business basically, that grew to that scale.

(22:05):

It was very apparent to us since the beginning that both the founders and the people that we were attracting culture-wise were not the Deloitte type people, not the big four type people. And so it was purposeful that we never grew too large. Even apart from getting talent back then being extremely difficult to do this job, it’s still being, right? I don’t think it’s gotten much better. It’s gotten a little bit better, but it hasn’t gotten marvelous. But we never grew purposefully.

(22:41):

But what we did was always having very present that hopefully one day we would be able to substitute ourselves for machines entirely. So this has always been the goal. And since early on, so we got Bernhard Mueller into the team who built Mythril, which was a symbolic execution engine. And so that was our first foray into building security tooling, right? First things that would help the manual work that we did, but hopefully and eventually actually replacing all of us.

(23:21):

That has never happened. I don’t think, it won’t happen anytime in the future, but we have built an array of cool tools. So Mythril being one of them, MythX, the SaaS version of that. We also have a fuzzer, which is a really well-built gray box fuzzer. For those of you listening that don’t know what a fuzzer is, a fuzzer is something that throws random inputs at a program and some of these treat the program as a black box and see if it fails at some point, if there’s a failure mode that is triggered. Ours is like gray box because it somewhat has knowledge about the code.

(23:55):

So we’ve built that fuzzer, which is one of the best around for EVM code. We’re now expanding, getting to ZK, the circuits, and it has caught a lot of cool stuff on Linea already, and a lot of VS Code extensions. I myself built some visualization tools for smart contracts. We’ve done a lot of things.

(24:15):

Most of our tools, practically all except the fuzzer are open source. So we’ve given all of these things away to the community. And again, I think that was our gift too. It was us trying to give back to Ethereum as well.

Nick (24:31):

And does AI play a role in tooling for these types of things into the future, and how’s the team thinking through that?

Goncalo Sa (24:38):

Yes. The answer there is yes. We have done extensive research on how we could integrate AI into our processes. I don’t think AI is going to replace us anytime soon. We’re not in a stage where AI can reason about novelty problems. So in that sense, bug hunting is more like art than some deterministic process. It’s not a checklist. That’s why we’ve tried to stay away from calling what we do audits, because audits are typically a checklist or counting items, and it’s something that is finite in time span.

(25:16):

I don’t think we’re going to get there anytime soon where AI is going to replace us, but we are building tools to help us reason about the code. So AI does have a place already. We have built some tools to aid us, and those are closed source because they’re trained on a bunch of our data, which we just don’t want to be public and sometimes cannot even make public. So we cannot really open source these tools, but we do use them to help us reason about code and help us find the same type of issues that we found before, if this makes sense.

Nick (25:51):

As I mentioned earlier, you’re working on other things in addition to the contributions at ConsenSys Diligence, and one of the things is Creed. What’s the backstory behind Creed and how would you describe how you got involved in that?

Goncalo Sa (26:05):

Yeah, I’m excited to talk about this because we have literally just kickstarted this adventure. So Creed has been an ideation phase for quite a while. So the idea I think is probably almost two years old. And it has come from the fact that Diligence as a team, I love those people. I think we’ve always had the most amazing culture. Some people have called us a dysfunctional family instead of a professional team. And I do think that it’s true in a way. But I truly do think that this might actually be the most thing about Diligence might be the culture if I’m being honest. Even though we’ve ever had an amazing culture and we all very much liked each other. Like the Dili Mafia has kept strong over the years, it really annoyed me that we had basically we had a leaky bucket of talent, I think for a myriad of reasons.

(27:05):

For one, the job is high risk reputationally and somewhat low reward for the risk you’re taking. It’s very stressful because of that, so you have to be really passionate about it. But when you are inserted in a bigger machine, so if you’re under a wider umbrella, which has happened to Diligence. So back then ConsenSys was an incubator. To give some context, back then ConsenSys was an incubator, but we spun into ConsenSys Software, what is now the main version of ConsenSys, and the incubator was renamed to Mesh. But we are part of a bigger company. So everything that we do goes up to the mothership and is then redistributed.

(27:54):

Basically what I’m trying to say is that we had as a security company, we had a little bit less autonomy. And that lack of autonomy sometimes leads to people wanting to work solo. When you think that what you’re worth does not match what you’re getting, your logical answer to that is to go work on your own.

(28:19):

This is especially true for consultancy businesses where you have people do deals alone or doing account management alone, which wasn’t happening at Diligence, but it made me sad that people felt the need to leave because of that. It hurt more even because we were that dysfunctional family, right? Because I think everybody wanted anyone else to be happy and to be able to call Dili their home for a longer period of time, but sometimes it’s just didn’t work that way.

(28:53):

And so Creed is exactly what I thought Spearbit was going to be. For example, again, this is another security company in this space that has created a marketplace for auditors. Not like Fiverr, but like a permissioned marketplace and a managed one, but that’s how kind of what it works. And I thought they were going more the Creed way. The Creed way is a midway through between just building your own team and being part of the Spearbit marketplace and being in a security firm where you have less autonomy.

(29:28):

So Creed is built, first we called it a DAO, but it really isn’t a DAO. It’s a cooperative. And cooperatives are built in a way. Basically the reason people do cooperatives, the best example that I give is one that is close to me or that was close when I was growing up, which is the winemakers in the Douro Valley in Portugal. So there is a cooperative of winemakers in the Douro Valley. Typically, they’re the small winemakers, not the big ones. We’re not talking about Sandeman or Graham’s where they have an insane amount of structure and money to do things by themselves. But the smaller ones, they don’t have a lot of money, they don’t have a lot of structure and they don’t have a lot of bargaining power.

(30:18):

And so they get together in a cooperative which has a shared treasury. They still operate their businesses individually, but they have a shared treasury above that is able to pay for centralized services. So this means anything from getting more bargaining power to weather insurance. If there’s 10 of these small businesses together getting insurance for all of them, they’re probably going to get a better deal than they would if they went to the insurance company alone.

(30:49):

They also pool up money in order to send all of their wines to wine contests around the country and around Europe. So instead of paying for a booth themselves and having to choose one event to go to, basically they now have the Douro Valley Cooperative yada, yada, yada booth where they all showcase their products.

(31:15):

So translating this to what I hope will be helpful to people that want to leave the security firms they’re on because they feel they’re worth more, but they don’t want to go through the trouble of just first working alone, which is really, really lonesome. And so I think it’s hard, but some people do better than others. So there’s that. There’s the part where they need to work on their personal branding. So the same thing as the booth, going to events alone versus going to events with a bunch of your friends. So they need to work on their personal branding. They need to have strong Twitter game. And some people do. Some people do really well here, but I bet you for every one that does, there’s nine that don’t do that well. We only see the ones that do well versus the ones that don’t. So they need to worry about branding, they need to worry about maintaining a portfolio of clients, so account management on all of that. And Creed does that for them basically.

(32:22):

So I think people have already got the picture. I’ll just do the final brushes on the painting, which is like Creed is meant to be that cooperative where there’s revenue share for people, but there are no employees. So you need to have your own business. You’re still the solo auditor that you wanted to be, but you basically are signing up to be part of a cooperative where you get revenue share and you leave some part of it in a treasury.

(32:50):

Something that we are doing that is not very easy to do in oral cooperatives, but it is easy to do in a medium where you can issue tokens programmatically, and hopefully this is a better version of a cooperative, which is also exciting to us, is that as you do work, you get revenue share and you don’t just pool up money in the treasury, so you’re giving some of it to the treasury, but we are now able to award you ownership in a streaming version of it.

(33:24):

So the ownership of the entire cooperative is diluted a certain amount per year, and every time you do work, you get part of it in just a pass through. The money, let’s say 60% goes to you directly, the other 40 stay in the treasury, but we will award you more ownership since you’re contributing to the treasury. So this is a little spin on normal cooperatives, but yeah, it’s a cooperative. So I think the more appropriate name to be for Creed would be Creed co-op rather than Creed stuff.

Nick (33:54):

Amazing. And so what can you tell us about membership in Creed and the response from the industry for a solution like this?

Goncalo Sa (34:02):

The way into Creed, so it works as a normal cooperative. Member inclusion and member exclusion are one person, one vote. In orgs like this, I think there’s high levels of trust required. A bad apple can really spoil the bunch here. So we still haven’t admitted anyone into the co-op that was an ex-Diligence. So so far the Creed team, as we’re spinning it up, the current team and the hunting team is all ex-Diligence people. We will need to open the floodgates and let people in, but it will be one person, one vote with whomever is inside at any point. We want to expand very carefully, so this will be a very permissioned thing, at least for the next three, four, five months. We want to open the gates, but we’ll be very careful about it.

(34:55):

As for the industry, I think people like it because also as part of this shift, we’re doing something for clients as well, which is something that I noticed that Diligence didn’t, and in later years, most of my work was business development of sorts, just talking to people, I guess, getting clients and just managing more than the ops side to be honest. And what I found out is that doing one-off type engagements is very wary operationally. There’s a lot of drag that happens if you are constantly getting in and out of engagement.

(35:39):

I wanted to change that and make things a little bit more automatable in a way, which meant … Well, I guess automatable is not the right word because CertiK, for example, everything is automated and they charge a little for their audits and they do a lot of them. But in very high touch type work, I think that doesn’t work as well.

(36:01):

And so what we’re trying to do with Creed is that we’re trying to … So there is a meme in security where you shift security left. So instead of going in at the end of the development lifecycle, you get in earlier and you try to help from the get-go so that the devs don’t get as mad at you when you ask them to change something or that if you say something is wrong, you haven’t wasted two weeks of engineering effort.

(36:30):

So shifting security left is a meme and we’re taking that very seriously at Creed. And so I think everybody’s very aligned in the type of work that we’re trying to get, and so we’re trying to align ourselves more with clients and basically getting into their cap tables or taking tokens, taking outsized token positions versus fiat payments and doing longer engagements.

(36:52):

So we want to get in as early as possible, even during the architecture phase. If they’re doing design whiteboarding exercises and stuff like that, we want to be there and we want to have a say. And honestly, I think that the clients have been responding really well to this. We love the Connex team. So we have been working with them for quite a while and now One Balance which is the new Stefan Project X Flashbot, and I think people have been loving it.

(37:20):

So far I think the model has proven itself, but we’ll see. It’s only been three months, so still early.

Nick (37:29):

And for any listeners who want to learn more and maybe engage the Creed community, what’s the best way to get started?

Goncalo Sa (37:35):

You should go to https://thecreed.xyz. You have all our links there. To be honest, the team is still very nimble, so we don’t have a lot of Twitter presence, but you can find us on Telegram as well. I think we have a link on our website. That is the most active of our channels, so that’s where we’re building community there. This might change in the coming months, but that’s where you’ll catch most of us.

Nick (38:04):

And I’ll put links in the show notes for anybody that’s interested in clicking in and learning more. So be sure to visit the show notes for more information.

(38:12):

The other venture you’re involved in, and I just wanted to get your thoughts on, something that you’re working on, Ethereal Ventures. Talk to us about where Ethereal Ventures came from and some of the work you’re doing there.

Goncalo Sa (38:23):

Yeah. So Ethereal Ventures is the team formed by ex-ConsenSys Ventures people, so Min Teo and Praneeth Srikanti. They were amazing at what they did for ConsenSys Mesh, which was the incubator side of ConsenSys, and they incubated amazing projects. They managed their assets really well and they’re overall just amazing people, which meant that at some point it just made sense for them to start their own fund and they brought along some of their friends and also cool people, which not being how I would like to include myself in, and they just brought along some of their friends to build this new fund called Ethereal Ventures, but everybody was old friends from ConsenSys.

(39:18):

Now the team has grown, obviously. It’s not just ex-ConsenSys people, but back then that was the vibe and it was insane amounts of fun as well. I still love it. I still love it to this day, but back then having the experience, so I had never worked in any VC setting at all. Even though I was already helping to do diligence at ConsenSys just out of spite, I just liked to be involved with these things, but I had never been in a proper VC setting and it was a lot, a lot of fun.

Nick (39:51):

If you put on your VC cap and kind of think about the market presently and the cycle that we’re either in or entering, what are some of the top level themes that you’re paying attention to? I mean, I’m hearing things like modularity, composability, AI. Are there any things that you or maybe the team at Ethereal Ventures are sort of paying attention to?

Goncalo Sa (40:12):

Yeah, there’s a lot. There was a resurgence of Bitcoin Layer 2s, which was fun because I have an Ethereum tattoo, so I could be perceived as an Ethereum maxi, which I mildly regret now because I feel like on comic scripts sometimes. It was surprising to me that Bitcoin had this comeback of Layer 2s because we had tried that before. Even though we’re calling them Layer 2s, they’re not really Layer 2s, they’re more like side chains, what we would call side chains, but it was fun to see that resurgence. So we’re taking a look into that.

(40:51):

ZK has this cycle, has been abundant all around. It’s not as novel anymore. So I think that it’s not this shiny new thing. We’re also paying close attention to anything privacy related, to anything that is hovering around the ZK space. I personally, even though we don’t do a lot of it within Ethereal, I always pay close attention to consumer apps because I think we need an insane amount more than what we have today. I think that we’re lacking a lot of consumer apps. And even though that’s not really Ethereum’s jam, I always try to push for more of these deals, but it’s been hard.

(41:40):

If the deal flow that goes through EV is representative of anything, I do not think that at the stage we’re in right now as Ethereum as a whole, that we are seeing nearly as many consumer apps as we should.

(41:58):

Besides that, we also take a look at other ecosystems. So Solana being the other ecosystem that we’re most active on deal-wise, and sometimes there are things that come through that make a lot of sense. And lately, anything that is related with the Eigen ecosystem, so restaking. So Ethereal led Eigen’s round, and so everything that stems from the Eigen ecosystem we’re very interested in taking a look at, so AVSs, any of those things.

Nick (42:27):

Goncalo, as you know, a lot of my listeners are enthusiastic about The Graph and more broadly about blockchain data and how this factors into the web3 story. I’d be curious to know, given all your experience and work in web3 and on blockchain tech smart contracts, have you come across The Graph and do you have sort of an opinion or a perspective on the problem it’s solving?

Goncalo Sa (42:51):

Absolutely. Yeah, I did. I did. So even though we as a security company, we don’t build products, we don’t really have a use for The Graph because again, we don’t even build products on chain. Our stuff is meant to work for the chain, for Ethereum, but it’s all tools that run on your machine. We don’t really need to decentralize them.

(43:16):

Even though we don’t need The Graph, what I was going to say is that back then when The Graph was just launching, we talked a bunch with Jannis, even the team, and we ended up doing audits for the team, and it was just really pleasant. I remember the last one of which was already a couple years probably into The Graph’s existence, and we worked a bunch with the Nitro team for state channels.

(43:42):

The Graph ended up not using them I believe, but we were all exploring the usage of state channels within The Graph’s system, and every, every touch point with The Graph team was extremely pleasant and I enjoyed the Nitro review specifically very much.

Nick (44:01):

Given your perspective of the industry, how important is a data indexing and querying layer like The Graph provides? I mean you’re talking about a gap in consumer apps. We need more of them. We’ve got plenty of infra. Does something like The Graph play a role in sort of driving more consumer apps, more access to blockchain data?

Goncalo Sa (44:26):

Probably. To be honest, I think The Graph is pretty transversal. I think The Graph is important for all sides. I’m going to risk and say that 99 of the people that we’ve worked with, that I’ve advised, that I’ve seen, projects that I’ve seen, 99% use subgraphs, right? So I think it’s pretty transversal. I think more consumer apps, it also makes sense, but most projects could make use of The Graph.

Nick (44:54):

And so I only have a couple more questions for you before I ask you the GRTiQ 10. These are 10 questions I ask every guest of the podcast every week. They’re a lot of fun. They give us the opportunity to get to know you a little bit better and to learn some new things.

(45:07):

But in addition to all the work you’re doing professionally and you’re doing a lot of stuff, you also have an interest in music and you have this alter ego where you do some cool music stuff. What can you tell us about that?

Goncalo Sa (45:20):

That is literally just a hobby. I am terrible at producing music, but I enjoy it so much, so it’s very therapeutic to me. I did play the flute when I was younger for eight years. I did nine years of music school, one for violin, eight for flute, and I wasn’t very good at it, to be honest. I made first chair in the orchestra because the other guy had to leave. It was not the easiest thing for me to go through those eight years, but I did enjoy music. I’ve always enjoyed music. I’ve always enjoyed listening to music.

(45:56):

And as of late, I think 2017, if I’m not mistaken, I was like, I feel like I’d enjoy making electronic music. I love techno and I’m definitely a raver. I enjoy going to techno raves. And I thought that I’d take a stab at making techno sounding music and I found it out to be super therapeutic. So sometimes if I’m super overwhelmed, I’ll just take one full day and just hack on Ableton for a while.

Nick (46:28):

Is it too naive to connect the dots that being in security and working on smart contracts and kind of getting to know the details and how things work within systems is a great bridge into creating and writing music?

Goncalo Sa (46:42):

Funny that you asked that. I do not know why, but I do think that hacker culture is somehow connected to raver culture. This is weird. I do not have a good explanation for this probably because early on, very cypherpunk movements, like the hacking movements were very tied to cypherpunk stuff, very anti-system. People would just go to abandoned warehouses and listen to hardstyle music and do drugs.

(47:17):

I don’t know, probably all of these things were connected at some point. They stem from the same anti-system culture that we saw early on after the ’70s and stuff like that. So they probably stem from the same place. And there are indeed a lot of hackers that do music and that enjoy techno music, so there’s something there for sure.

Nick (47:39):

Well, the last question I want to ask you before we do the GRTiQ 10 is this. You’ve seen a lot of things during your time entering into the industry, but a subtle clear thread in your story is that you’re an entrepreneur. You enjoy sort of that startup environment. You’ve launched companies. You’ve built them. You examine things like scale, market growth, all of these important things that you’ve been talking about. What’s your advice to any listener who wants to be an entrepreneur, wants to get started in web3, and has questions or reservations about what they should do first?

Goncalo Sa (48:12):

Not an easy question, but a piece of advice I think could be finding the problem first. This probably sounds dumb and I’m not sure it tracks, I’m not sure this translates well from what I have in my mind. I think that people sometimes just create a problem out of nowhere. Sometimes you need to find the problem. I think the biggest part of it is finding the problem.

(48:43):

So I did a bunch of startups before. I had this thing called Share, which was like a blood pressure estimator from an ECG sensor and an oxygen metering one, went nowhere for a myriad of reasons. Then I did a mobile app to find nightlife events, was also probably catering to people that did not care about that. You just go to the club or you just go to the bar, right?

(49:11):

Then the EdTech one, I found out that we were building something that the ESPs did not want. And with Diligence what happened was I was hacking away. There was a problem. There was not enough security work being done. I got into ConsenSys because I just wanted to help. And Diligence grew very organically from there. Three of us that liked security got together and we just started charging money because people wanted what we were selling. And that to me was a very aha moment. It was like an epiphany where I was like, okay, I was doing this wrong the entire time, the entire time.

Nick (49:54):

It’s an amazing insight. I appreciate you sharing that, and I think a lot of listeners will find that valuable. So now I’m going to ask you those GRTiQ 10 questions I ask each week. And as listeners know, I ask these questions. It gives us a chance to get to know you a little bit better. But also, I always hope listeners will learn something more, try something different or achieve more in their own life. So Goncalo, are you ready for the GRTiQ 10?

Goncalo Sa (50:19):

Yes. Let’s go.

Intro (50:21):

The GRTiQ 10.

(50:23):

This is the way.

(50:23):

10 questions for astronauts floating in space.

(50:30):

This is the way.

(50:30):

Roger that.

(50:30):

This is the way.

Nick (50:32):

What book or article has had the most impact on your life?

Goncalo Sa (50:39):

Probably Reversing Hacking, which was a very, very technical Windows DLL system libraries hacking book.

Nick (50:50):

And how about this, is there a movie or a TV show that you would recommend everybody should watch?

Goncalo Sa (50:56):

Kill Bill. I absolutely adore Kill Bill, not for any reason professionally related, but just it’s such an amazing movie.

Nick (51:09):

And I’m sure this will be a tough question for you, but if you could only listen to one music album for the rest of your life, which one are you going to choose?

Goncalo Sa (51:17):

Extremely tough question. Torn between two. So Stadium Arcadium was the first album I bought with my own money, so I listened to it like an insane amount of hours. But I’d probably have to go with Queen’s Greatest Hits because it’s like a lot of their work crammed into a single CD album so you can get more music. If that was the only one, I’d get more hours of music inside a CD case, that would probably be the one.

Nick (51:51):

And Goncalo, how about this one? What’s the best advice someone’s ever given to you?

Goncalo Sa (51:56):

When I decided to drop out of school, I know these are rapid fire, but I’ll give some context. When I decided to drop out of school, my parents weren’t very happy with me. They actually stopped talking to me for a while, or my mom did, because I get it, I get it. You have certain expectations. I’m an only child, so that was even worse. That made it even worse. I think hearing from them afterwards that it took a lot of courage to do that, it’s not proper advice because this is after the fact, but I think it validates a lot of my world views.

Nick (52:27):

Well, thank you for sharing that.

(52:27):

And the next question is, what’s one thing you’ve learned in your life that you don’t think most other people have learned or know quite yet?

Goncalo Sa (52:35):

Yeah, generally speaking, I think people are not, or if they are aware, they do not give this as much weight in their life as they should, which is the incentives that are around us. I think going into blockchain. So I read up a lot on game theory when I started learning about Bitcoin and Ethereum, why people did this and how is it centralized network maintainable. And I became more and more aware as I read about all of these, the classical games of game theory and how they can be applied in multiple situations around your own life. I became fully aware that people’s behavior is very predictable sometimes, and I don’t think people give this the importance they should in their own life.

Nick (53:24):

And now this is a fun question to ask somebody who’s a hacker, but what’s the best life hack you’ve discovered for yourself?

Goncalo Sa (53:31):

Oh, I probably have to say putting a wooden spoon on top of a pasta pot so that it doesn’t go over so that the foam just doesn’t fall off of the pot, which is pretty dope and it works. So that’s probably the best one.

Nick (53:56):

I didn’t know that, but that’s something I’m definitely going to try.

(53:59):

And then Goncalo, based on your own life experiences and observations, what’s the one habit or characteristic that you think best explains how people find success in life?

Goncalo Sa (54:12):

Kindness. I think kindness is the best long-term strategy. People also do well if they’re somewhat exploitative and if they chase short-term gains in favor of treating others well. But you need high levels of sociopathy to be able to operate in that manner your entire life.

(54:34):

I do think that for most people being kind is the best long-term strategy. And there’s a really cool video that I saw the other day also about game theory where one of the lead, I forget his name, one of the leading game theorists back then actually did a tournament on prisoners’ dilemma. And after two rounds of this tournament, they actually found out that the best strategy, probably one of the most simple ones, that always won both trials over any other was the tit-for-tat one.

(55:04):

And that strategy is, so you’re basically playing a prisoner’s dilemma game over and over again over a certain number of rounds. And the tit-for-tat strategy says that if someone does something wrong to you, you respond in the same way the next time around, but then you forget about it.

(55:21):

So you start off as doing good, good, good, good, good, choosing always to cooperate until someone doesn’t. And then you also don’t, but then you reset your knowledge of them and then you give them a second chance. It’s tit-for-tat basically. You always do what they have done previously or in the previous round, but you assume goodness. Kindness, but don’t be a pushover.

Nick (55:45):

And then the final three questions are complete the sentence type questions. The first one is, the thing that most excites me about the future of web3 is …

Goncalo Sa (55:54):

Privacy, for sure. I want coins that I can send to my friends in a private manner, but that are usable. I want light clients and I want them on my phone, and I want all of this to be usable and for things to be untraceable. I hope we get to a point where we can opt into governments and not be born into them.

Nick (56:16):

And how about this one? If you’re on X, formerly Twitter, I still call it Twitter, you should be following …

Goncalo Sa (56:22):

You should be following SEAL, which is something that samczsun has started recently. I’m part of SEAL. It’s SEAL as in S-E-A-L because it’s the acronym for Security Alliance, but it also has a cute seal as the avatar. And they’re doing an insanely, insanely good job at putting public goods out. Well, we’re doing, I guess. I’m part of some of the initiatives, the most important of which being SEAL 911. And if you don’t know what that is, you should check it out.

Nick (56:53):

And then the final question, Goncalo, I’m happiest when …

Goncalo Sa (56:58):

When I’m making music, I think actually, and when I’m hacking stuff.

Intro (57:04):

The GRTiQ 10.

(57:06):

And I show you how deep the rabbit hole goes.

(57:11):

[inaudible 00:57:12].

Nick (57:11):

Goncalo, thank you so much for joining the GRTiQ Podcast. It was a thrill to be able to meet you and talk to you about your career and some of the experiences you’ve had, and to learn about the things that you’re working on and the contributions you’re making in web3. If listeners want to stay up to date on you, follow the things that you’re working on, what’s the best way for them to stay in touch?

Goncalo Sa (57:32):

GNSPS on Twitter. Just find me there. That’s where I’m most active.

DISCLOSURE: GRTIQ is not affiliated, associated, authorized, endorsed by, or in any other way connected with The Graph, or any of its subsidiaries or affiliates.  This material has been prepared for information purposes only, and it is not intended to provide, and should not be relied upon for, tax, legal, financial, or investment advice. The content for this material is developed from sources believed to be providing accurate information. The Graph token holders should do their own research regarding individual Indexers and the risks, including objectives, charges, and expenses, associated with the purchase of GRT or the delegation of GRT.

©GRTIQ.com