
Why we’re building Cubist

January 10, 2023
written by
Riad Wahby
Co-Founder & CEO
Ann Stefan
Co-Founder & COO
Fraser Brown
Co-Founder & CTO
Deian Stefan
Co-Founder & Chief Scientist
The future of Web3 is applications, not speculation. That's why we're building Cubist: to let developers create the future of Web3 safely and productively---without repeatedly reinventing the wheel.

This post will outline some of the problems with today's Web3 dev status quo---from broken security to lock-in---and how Cubist addresses those problems with tools built on better abstractions.

# The problem

Today, building Web3 applications is difficult and dangerous. Developers need tons of esoteric knowledge spanning the entire Web3 tech stack, and critical errors are expensive, easy to make, and hard to fix. The situation is so dire because there are no unifying abstractions. Instead, Web3 developers must cobble together incompatible point solutions, especially if they're building multi-chain dapps or sharing access to credentials with other engineers.

Right now, most teams resort to creating custom, per-app tooling and infrastructure; developers spend time worrying about the low-level details of where and how their dapp operates, as opposed to spending that time on their application. Beyond the fact that this is a **massive, industry-wide drag on developer productivity**, the current state of Web3 tooling and infrastructure has other devastating effects:

- **It torpedoes security.** Repeatedly building the same tools from scratch means repeatedly making the same security mistakes; haphazardly gluing together off-the-shelf tools invites even more mistakes. Any single bug is harder to find, any single fix protects fewer people, and each project contains more---and more verbose---code. In the news, we've seen hard-to-test interfaces frequently exploited by attackers, and audits continue to be slow and expensive (if you make it off the waiting list).

- **It encourages "worst practices."** Building secure foundations is a long-term investment at odds with shipping fast. In practice, the Web3 tooling landscape forces developers to take the kind of shortcuts they wouldn't in Web2. It's common for applications to carry enormous balances in hot wallets, for contract deployments and upgrades to be tied to individual developers' laptops, and for projects to go live without software engineering best practices like Continuous Integration and Continuous Delivery (CI/CD).

- **It builds a high barrier to entry.** Developers get excited about Web3. Then they dive in, and they face a jumble of incomprehensible buzzwords, snake-oil promises, and disjointed documentation---all while trying to develop the broad expertise required to make any headway. Even seasoned developers end up discouraged, which is a real risk to the available talent pool and the overall quality of the Web3 ecosystem.

- **It drives lock-in.** Today, most tooling is built for specific blockchain ecosystems. As a result, developers choose protocols and providers at the start of a project, and then invest months building their app (and often, their custom infrastructure). By the time the app is ready to deploy, the fast-changing Web3 landscape has shifted---say, because of skyrocketing gas costs or changes in blockchain popularity---but it's too late to react. This lock-in status quo increases the technical risk for every project, incentivizes conservative decision making, and stifles innovation.

# Introducing Cubist

Cubist's founding team includes a former fintech COO, a repeat founder, and computer science professors from Carnegie Mellon and UC San Diego who have collectively published over 80 research papers on computer systems, compilers, programming languages, verification, security, and cryptography. We've deployed production tools that retrofit security for messy, real-world systems like Web browsers and runtimes---and now we're excited to turn our focus to the blockchain.

Our journey started the way many projects do, with a kitchen table conversation and a "Hey, we could really build this!" moment. After a few weeks hacking on a prototype and a few months of conversations with Web3 thought leaders, we were convinced that Web3 tooling could be amazing---and that **good tools have the power to make Web3 development faster and safer.**

We set out to create _nothing short of the best dev tools around_. Here's what that means to us:

- **First-class security that makes developers more productive.** Cubist's tooling proactively limits the damage from key compromise and protects against insider threats. It rules out easy-to-make, hard-to-find mistakes by automatically generating cross-chain ABIs and other tricky (and risky) parts of your codebase. And it gives you peace of mind knowing that security-critical portions of Cubist's infrastructure will be thoroughly audited and/or formally verified.

- **Best practices by default.** Cubist's credential management lets you instantly grant and revoke developer and CI permissions, monitor your applications for abnormal behavior, and define flexible policies about who can do what when. Cubist's testing tools make it painless to test locally, or to incorporate public or private testnets into your test suite. You can put your application through its paces by simulating a bad day on mainnet or running thousands of trials under randomized conditions, then automatically deploy or upgrade using Cubist's cross-chain--native CI/CD tooling.

- **A development environment that lowers the barrier to entry and frees developers from lock-in.** Cubist provides a single, modular development environment---even for applications that span multiple chains or programming languages. Cubist's SDK takes care of the low-level bits and bytes, letting you focus on building Web3's Next Big Thing. And because you write your application using cross-chain--native abstractions, you won't be locked into a fixed set of L1s, bridges, and other providers. (You won't be locked into Cubist, either; almost all of its features are standalone and composable with other tools.)

Web3 will not become mainstream until it's possible for developers to build and deploy dapps safely and at scale. We're committed to making the mainstream dream a reality---by creating secure-by-design tools that unlock the full potential of Web3.

If you share our vision for Web3 development, [give our cross-chain SDK a spin!][sdkgithub]

[sdkgithub]:
