Recently, we had a chance to sit down with Jason Dominique, the CEO of Embr and Web3 innovation leader, to talk about his thoughts on the crypto industry, cybersecurity in web3, and why so many projects fail or fall victim to hacks.
Hacken Representative Taras: Jason, could you please tell a few words about yourself? How did you start in Web3.0?
Jason: I’ve been an entrepreneur for the last 20 years. My first introduction to the blockchain was in 2015-2016 when I worked on a project which involved making micro-transactions between parties. At that time, there wasn’t any traditional payment processor that would do it in a cost-efficient way. We had to find something that would make moving money around easier and entered into a partnership with the Stellar Development Foundation. As one of their first partners, we started using their ledger. So that was the first time I interacted with the blockchain, but I didn’t even truly realize what it was. I thought it was an enabling thing as it worked for me in my use case.
In retrospect, we weren’t ready to do what we wanted to do, and neither was the Stellar blockchain. That project never realized itself. I didn’t stay in the loop regarding blockchain until last year when I really started getting more into decentralized finance (DeFi).
I’m the kind of person that goes into the rabbit hole quite fast. Going from a very web2-ingrained mindset and business personality, these experiences that I had in Web3, tokens, IDOs, DeFi, and anything that had to do with projects launching made me realize that the opportunity was massive, but the blockers were unparalleled. Since I’m the type of person that really loves challenges and seeks disruption, I took on the beautiful endeavor of fixing some of those problems. My journey started in November of 2021, and here we are today.
Taras: It’s great that you’re drawing parallels with going down a rabbit hole. I see web3 the same way. I’m always asking myself, what is this about? What will it be at the end of the day?
Jason: Yeah, there are a lot of things. If you think about entrepreneurship as a whole, there is always a moment where you go from ideation to launch, and then you operate for years and years. But there’s this specific moment where you’re in a process of ideation, market validation, and early adoption. If everything goes right, you have a great opportunity and you raise capital.
I’ve always been extremely passionate about this specific moment where as an entrepreneur, you identify an inefficiency, a blocker, a problem, a pain. If you’re on the right path, you’re not the only one who is experiencing this problem, and you want to fix it.
I absolutely love fixing things and making things better. So I’ve been very much involved in that aspect of the startup space for the last five or six years.
The opportunity, or at least what Web3 can resolve in that space, is in the timing. I’ve always been a big proponent of timing everything. When you launch a new business, time is your worst enemy. It takes time to connect with people, develop your first proof-of-concept or MVP, and raise the capital needed to develop something. You need such a perfect sequence of elements to be able to pass this initial stage. In Web2, this is where the graveyard is the biggest, this is where most people will fail because of a lack of knowledge, lack of support, or lack of everything.
Taras: Resources and resources. Yeah. Is it the main reason why so many projects fail?
Jason: Exactly. If you want to foster innovation and create more opportunity, this is where the biggest gain can be made. Let’s say you have a business and you want to increase your revenue. The classic option is to get more clients, right? You want increased revenue by getting more clients. Well, the thing that most people don’t consider is that you can generate more revenue from current customers. They’re already on board. They believe in your product. Either they’re not using your product at its full extent, or maybe you can improve the current offering with something new. And that’s easy money.
When I think of innovation, I think there’re already millions of people that are trying to create something, but they’re just not able to. So many projects fail, and not necessarily because they’re not good. It’s just that there are so many things in the way. My focus is, how can we increase conversion in that area? How can we increase the number of projects that are successful rather than letting them die in these first few months? And I think that web3 gives us the needed speed. Speed to market and speed to capital. This is where we try to focus. The true power of IDO is that you can take an idea and get it capitalized in such a short period of time. It’s because the technology is all decentralized and it’s trustless. There’s no red tape, the contracts are all immutable there. And it’s this environment where you can do things properly, you lay down the groundwork, create the best practices, and mold the journey in such a way that it’s well sequenced. So once all of that is done and you’re an entrepreneur who wants to create and have this clear path between ideation and launch, you can significantly reduce, not only the conversion time but the rate of failure as well. I think that web3.0 is very much about increasing efficiency. We’re removing so many of those extraneous steps by having the blockchain, the smart contracts, and this proximity between the project leaders, the community, and the potential investors.
Taras: Yeah, but aren’t volatility and risks the price we pay for this speed and efficiency?
Jason: Yeah. But there’re a lot of ways that you can mitigate them. I mean, the first wave wasn’t well organized. It was very chaotic. It was the Wild West. But I think that right now, we have identified negative elements and things that we should focus on. To make it better, we need to develop a mechanism for filtering out the bad actors and create an environment where you can blindly put your trust in it. And that comes from processes, verification, and lots of things that we want to do with you guys over at Hacken. But back in the day, when you started witnessing these payment gateways, you were like, wow, this is great, but how can I trust that? I barely started knowing what the Internet is, and now you want me to put my credit card details on this? So how do you cipher the difference between a place where you can blindly put your credit card details in a place where you’re going to get scammed?
That threshold was achieved with trust yields and other things that people can now rely on. But before this technology became established, brands had to get third-party validation. That’s when you saw the rise of Norton, Trustee verified, etc. Nobody talks about these things anymore now because it’s a status quo. If you enter a flow that you recognize like the Stripe flow, you don’t need those seals anymore.
Taras: But what about web3, isn’t it different in this respect?
Jason: Yeah, in Web3, we have to do it all over again. This trust needs to be earned. It needs to be shared. This is where we find the biggest problem but also the biggest opportunity. There are millions of people that want to get in, but it doesn’t feel like web2. The flow is different. There are these warning signs everywhere. We want web3.0 to feel like web2, it’s as simple as that.
Taras: What do you think about crypto winter, any predictions?
Jason: I think crypto winter is relevant to investors, but not to entrepreneurs. You can have a business model that relies exclusively on market behavior, but that is just suicide. It won’t work. This is why we have a token that behaves with the market and there’s nothing we can do about it. But, we’re a real business with a diversified revenue model. We have different ways of sustaining our business no matter what happens. So I don’t really care about crypto winter, crypto summer, crypto heat wave… I just need to make sure that my business is viable. And the way you do it is by not pumping your token and then withdrawing money and selling your token. The token is great. With it, we can create beautiful value. We can create great synergies between the technology, the experience, and the utility of the token. However, our business doesn’t run on the token. If yours does, then it’s very risky unless you have very good ways of moving your extremely volatile asset at the right moment. But even this is too dangerous. That’s my thought, at least in most of the business stages right now because they’re all in the launch mode and they’re all very early in their lifespan. This is another reason that most of them will not make it through winter. It’s not because they don’t have a great idea. It’s just that it’s so dangerous. When I went into it, I said, hell, no, I’m going to have a token, but I’m going to focus on revenue because this is what I can control.
Taras: How does the value of cybersecurity differ in web3?
Jason: When you look at Web2, cybersecurity is all about personal data. By contrast, in Web3 personal data is not an issue. It may happen when you have proper KYC on a chain and things like that, and maybe there will be ways to grab tons of data from these securitized companies that do on-chain KYC as a third-party provider. But right now, it’s really about money. If you’re ill-intended and you have no morals, the blockchain is really exciting for you. It’s a big money pit and you just go in there and take the money. It’s there. We only hear about the big scores, but I’m sure that there are millions of small scores. These guys are making way more money than those big hacks. I mean, big hacks are like a guy trying to steal the Mona Lisa. Of course, people are going to notice such an idiot.
Taras: Decided to be a hero.
Jason: Yes, like this. But this is so dumb. If you want to be smart, do one of those sandwich-like things. They siphon money out in between transactions and do it millions of times with automation, put it on autopilot, and get the fuck out, taking money here and there. Cybersecurity is a massive thing. I mean, your business opportunity is massive. You’ll have work cut out for the next 200 years or so.
Taras: How did you set the security processes in your company, how do they work?
Jason: Nothing is done in-house. Eventually, I would assume that it would make sense depending on the size and how much it started costing us. For us right now it’s pretty low hanging. We write our own smart contracts and we just want to make sure that people trust our processes. We want to create the equivalent of the web2 type of trust seal in the checkout process with Hacken and have Hacken be this trust seal. Our checkout process and our technology are a bit like Stripe. You’re starting to see it on a lot of projects’ websites and they’ll interact with it and they don’t know who we are. The project itself is pretty new. After a year or two, we may have the notoriety of Stripe and say, if I’m buying a token and I’m seeing this gateway and I’m like, well, that’s pretty good, it survived a few crypto winters, so it’s a pretty legitimate project. But until then, how can we mitigate this trust issue with the third party in this process? I think that will be the core of our business.
There’s also a great deal that we can create in doing something like a trust score. When we’re onboarding a project and letting them use our technology, we will have something that we qualify as a process called Embr Verified. This Embr Verified is a bit like PayPal verified. It’s like you can be normal, but you can also be Embr verified, which means that you pass KYC, and that you have audits on your smart contract. It means that if you have a token, you have sufficient liquidity, that you have more than a one-star audit, a really good audit.
It’s yet to be designed, but I feel that this type of trust seal with multiple stars on it that go beyond the contract itself and that creates trust in your project is the next step. Yes, audits are not a front-facing thing, but when are you thinking about looking at a cyber security audit report from this company in Web2? Nobody does that. It’s like an ISO909008. I think that now the audit needs to be a part of something bigger because there are other moving parts, and we want to create something bigger.
Taras: Good idea. I’ve heard about it because some projects have anonymous teams. But are people willing to give money to guys who don’t want to reveal their names?
Jason: If you want to use our tools, you’ll have to KYC with someone, not even us. I mean, as a third party, we don’t even know who you are. That’s not the point. The point is that, according to the worst-case scenario, if you’re not willing to back your project with your identity, then it’s not trustworthy. That’s my first opinion. And if you want to be like Wild West, be my guest, but that’s not going to work. That’s just not sustainable. When you think about mass adoption, you might get some level of attention and success, but you will always be limited by the style that you give to your business. It’s never going to become something.
Taras: I see that KYC and public background checks are a growing trend in Web3 cyber-security.
Jason: Yeah. KYC audits, I’ve seen plenty start to do it.
Taras: Is there a problem with transparency regarding this KYC audit trend?
Jason: It’s part of a grocery list. It’s not like there are other things that are more important. I’ll give you a simple example. They start using our Embr checkout. When they go through the onboarding, we check multiple things, the KYC, etc., and then they put it on their website. That’s great. But six months down the track, that’s irrelevant today. Mainly the liquidity has unlocked now. Why? Because your average lot liquidity is six months, and you have a seal from six months ago. It’s irrelevant. So what you need is a constant live thing that works all the time, that checks the chain all the time. And this is why we have the Embr checkout. It’s not like a widget.
Taras: Do you mean that the market needs some continuous approach? Like a bug bounty or similar.
Jason: Yeah, because you can’t trust them. Like these contracts. There’re so many things that are ways around it, whether it’s logging, you just look at SafeMoon like it was a big red flag.
Taras: Who do you think would stop companies from making audits? What kind of companies need security audits?
Jason: Well, it depends on your segmentation. You have this 100% serviceable addressable market that includes the good and the bad actors. If you ask a segment of entrepreneurs, like me, why they don’t do an audit, you’ll get a very different response than that from the segment of ill-intended actors who want to rug people. Most bad actors will get a crappy audit. Essentially, what they want is to have this paper that people will be able to see.
I think it’s all about awareness and education. It’s just potentially money that shouldn’t be a concern at a certain stage. The audit is usually required at a moment when money is extremely tight. We spent a lot of money with you, even before being able to get any money from anyone. So if you look at us, we build pretty intricate stuff. We built a staking contract, a crowd sale contract, a token contract, and a vault contract. All of these contracts cost 30, 40, and $50,000 USD. And we’re not even talking about the tens of thousands of dollars that we have in different areas. So cybersecurity and audits become this thing where you fight internally and you’re like, can we afford a pre-raise like pre-IDO to spend this money? So now you have to build the case on your brand to say, what? Having this will enable you to raise more. But raising more still doesn’t mean that you will have the money.
Taras: What are the reasons for certain segments to do an audit?
Jason: That’s why we debated it internally. It’s like, what will be the opportunity gain? And what will be the opportunity cost by allocating so much money into this rather than somewhere else? For us, it made a lot of sense because these contracts ended up being the product that we’re repurposing as the core of our business because we’re going to help people launch their projects on the tools and contracts that enabled our launch. Now, obviously, it’s not necessarily that I’m not interested in getting an audit. Can I afford it? And what’s going to be the return on this? Is it a soft or hard return? Is the return just an increased trust which is not going to give us any more money? And also remember that many people entering Web3 aren’t smart business people. They’re like, fuck that, watch it, and I’ll make money. And I don’t need that audit.
Taras: What are the major pitfalls of cyber security in Web3?
Jason: I think it’s education. I think it’s not inexperienced entrepreneurs who don’t necessarily know the value of what this can bring. It’s all stocks, things that you can mitigate, but that won’t happen overnight. These are things that take years.
Taras: Imagine a newcomer who is not familiar with this sphere. He understands that he’s going to choose the cybersecurity partner based purely on trust. What would you advise him? How do you identify a real expert whose audit report and certification will be worth something? How can you tell which auditor is a good one and who is just a guy selling all these reports and certifications?
Jason: It’s a good question. I’ll give you an example. CertiK is meant to be a really great auditor. Unfortunately, right now, in my opinion, they’ve gone on a path of making money.
If you’re coming from the outside, if you’re not really experienced, then ultimately you’ll do a Google search and whatever comes out, will come out. If you don’t do much research and take the first one that’s there, the one that has the best SEO and that pays the highest price for the ad will come out first. There’s great content out there that says that these auditing companies are great, but you need to seek them. If you’re driven by price, you by default are going to fall for those ad campaigns that get an audit for cheap.
It’s hard to say because none of you guys have sufficient brand recognition. So let’s say you become part of something that is front-facing, like your brand is on our checkout, with our checkout on thousands of projects. Now you will have mass market brand recognition. But if you don’t have something like that, there’s no way of achieving sufficient brand recognition in a B2B context. The only way I would consider one auditing company as better than the other would be based on how many legitimate projects have your seal. Then I would go to those legitimate projects looking for your seal. But the projects don’t necessarily put your brand on their website. Then I would need to dig deeper. I would need to say, okay, so next, I’m going to try to find their audience, open the audit document and look at who did it. That’s a lot of work involved.
Taras: There is the issue of what to do with newcomers. How do we help them to define what’s real and what’s not?
Jason: There’s the same issue with projects themselves. What is legitimate? I think the whole space needs ways to define what “legitimacy” is. It’s a trust issue. We don’t necessarily talk. It’s the press in general, it never talks about the good shots, only about the bad shots. In web3 right now there’re a lot of good shots, but that’s not newsworthy. What’s newsworthy is the bad shots. Everything you hear about crypto is like fucking Luna disappeared. Holy shit, that was supposed to be stable. I thought crypto was risky, and it’s much riskier than I thought. It’s like, oh my God, this is something that will last for years. You can’t run away from this. It’s there. You have to either work around it or make it your ally. And that’s what we want to do. By setting the standard and saying that what we do is indirectly better than anything out there. So it’s up to you. But if we’d be you, we’d be using us.
Taras: What are your thoughts when you see some projects hacked?
Jason: Everybody’s learning, and nobody’s perfect. We don’t pretend to know everything. No one’s immune to making mistakes, and you’re not either. So, as I said before. The thing broke by itself, someone broke it, or you wanted to break it. You’re not protected against any of that, really.
Taras: I see that yeah. Thank you so much for your time Jason, really appreciate it. Very insightful.
Enter your email address to subscribe to Hacken Reseach and receive notifications of new posts by email.