devcon 6 / usable security in web3
- YouTube
- IPFS
- Details
Usable Security in Web3
Duration: 00:24:04
Speaker: Antonela
Type: Talk
Expertise: Intermediate
Event: Devcon
Date: Oct 2022
Self-custodial wallets are the most powerful expression of autonomy we can aspire to in web3, but can people actually keep their EOA accounts safe? Balancing security and usability is critical for onboarding the next billion to web3. During this talk, we will explore how both can converge to give users a usable, secure experience.
- Related
Devcon
Talk
21:22
Protecting The Baselayer - from Shanghai to Osaka
Most people know that Ethereum runs smart contracts and move ether around. However, "Ethereum Security" involves a lot more than only smart contracts, mining difficulty and managing private keys. This is a talk about the base layer security. There is a peer-to-peer stack, with it's own separate discovery protocol and p2p protocol, which can be used for eclipse-, DoS- and amplification attacks. There's a consensus engine which encompasses a lot more than only the EVM. In this talk, Martin Holst Swende will talk about vulnerabilities, attacks and hotpatching the mainnet -- lesser known incidents, hiccups and close-calls that have occurred on the road from Shanghai (Devcon2) to Osaka (Devcon5).
Devcon
Talk
24:07
Securing Cross-chain Communication
The last year witnessed several cross-chain bridges being hacked and millions of dollars stolen by hackers. Despite the bridges having gone through several audits, we still see them getting exploited because hackers were able to get access to authorized private keys, signature replay attacks, etc. Let us see what a secure cross-chain bridge architecture should look like and what are the possible attack vectors and mitigation techniques.
Devcon
Talk
17:48
Ethereum Security
Martin Swende gives their talk on Ethereum Security.
Devcon
Talk
19:41
Evolution of Smart Contract Security in the Ethereum Ecosystem
A lot has changed in the smart contract development ecosystem in the year since DEVCON2. Our perspective as leaders of the smart contract security community OpenZeppelin shows us that the industry is maturing. We give a brief overview of how security patterns and practices have evolved in the past months, dive into some details of recent developments, and talk about promising projects and their plans for the future.
Devcon
Talk
21:00
The Melon security approach
Melonport is striving to build a vibrant and successful developer ecosystem of Melon module builders. An important part of that ecosystem is the security and behaviour of smart contracts that make up Melon modules as well as how they interact with the Melon core and each other. In this presentation, we’ll demonstrate our ongoing technical efforts to assist Melon module developers in creating safe, secure smart contracts and touch on the importance of getting the auditing process right and how others can learn from our experience.
Devcon
Breakout
24:32
Vulnerability Coordination and Incident Response in a Decentralized World
There’s one question that every team of core blockchain developers has discussed at least once: what are we going to do when a critical vulnerability in our software is surfaced? By definition, everything we create is likely to include a vulnerability or code flaw and the difficult legal, ethical, and business issues arise when bugs show up in code. While decentralization does not require us to reinvent the first principles security, it does force us to challenge ourselves to manage significant complexity to reduce harm to those who depend on our code. This talk will discuss the CosmosCERT as a model for how teams can successfully coordinate vulnerabilities and respond to incidents in decentralized environments using on-chain governance mechanisms in a way that ensures stakeholders have a dedicated emergency response capabilities ready to go when the worst happens.
Devcon
Talk
20:44
Designing Smart Contracts With Free Will
A range of bribery attacks, collusion possibilities, and other economic vulnerabilities plague our smart contract design. Unlike with simple anti-patterns like recursion, these security vulnerabilities have no obvious fix. Join us for a deep dive into the state of the art bribery attacks that are technically feasible on cryptocurrency today, and their countermeasures. We will introduce and explain new signature schemes that resist the ability for users to be bribed on Ethereum-based smart contracts. We will teach developers of smart contracts how to build contracts that are maximally resistant to bribery, and provide practical tips for the protection of your users.Lastly, we will show and launch a toolkit that provides signatures with protection from an advanced form of bribery known as the Dark DAO, in which users are bribed undetectably. Our toolkit provides a simple API for any Ethereum contract to ensure the free will of their users through an easy to use library.Building bribery resistant smart contracts is of critical importance for voting schemes, oracles, prediction markets, proof of stake and other consensus protocols, randomness generation, and more. Join us in ensuring the protection
Devcon
Breakout
23:05
Batched Bonding Curves: Grieving DEX Frontrunners
It's been widely publicized that front-running is rampant across decentralized exchanges. Billy Rennekamp describes the technique developed to stop the parasitic behavior by using batched orders in tandem with bonding curves and how it's being used in a new fundraising app by Aragon Black.
Devcon
Breakout
27:10
(Defense Against) The Dark Arts - Contract Runtime Mutability
Smart contracts are no longer guaranteed to have immutable runtime code, and can be redeployed with new code using a variety of methods involving the CREATE2 and SELFDESTRUCT opcodes. In this presentation, we will investigate how this is done and how to protect against malicious mutable contracts. We will also explore ways these new techniques can be applied in order to enable new use-cases and to improve the user experience.
Devcon
Breakout
18:25
Fuzzing the Solidity Compiler
Since the Solidity programming language does not have a formal specification, testing the compiler implementation is an important way to obtain assurance about the correctness of code generated by the compiler. Fuzz testing is well-suited for this setting. However, applying fuzzing in the traditional manner (random input generation that is coverage-guided) is inefficient for testing compilers because a significant fraction of randomly generated code is syntactically invalid. If the fuzzer does not generate syntactically correct Solidity programs, the compiler will simply reject it. As a consequence, code optimization and generation subsystems of the compiler will not be tested. The approach adopted by us is to define a grammar for the Solidity programming language and automatically generate inputs based on this grammar. Grammar based fuzzing ensures that generated programs are successfully parsed by the front-end parser. We make use of libProtobuf and libProtobufMutator for defining the grammar and performing grammar-based mutations, and libFuzzer as the underlying fuzzing engine.