devcon 7 / ens war stories securing web3 from web2 based attacks
- YouTube
- Details
ENS War Stories: Securing Web3 from Web2-Based Attacks
Duration: 00:13:01
Speaker: Alexander Urbelis
Type: Lightning Talk
Expertise: Intermediate
Event: Devcon
Date: Nov 2024
Web3 is not an island. Every day, threat actors try to exploit web2 domains to target web3 entities. This talk recounts ENS' war stories / lessons of battling threats in the DNS, including:
- Detecting early-stage attacks on web3 entities in the DNS
- How we unraveled a campaign of over 2,500+ web2 domains targeting web3 and defi entities
- Legal and technical remedies to combat web2-based threats (and their limitations)
- Why the ecosystem must come together to share intel and resources
- Related
Devcon
Talk
25:41
Using Solidity's SMTChecker
Solidity's SMTChecker is a formal verification module that automatically tries to prove safety properties in Solidity smart contracts. These properties include checks for underflow, overflow, trivial conditions, unreachable code and user defined assertions. The checks are performed statically during compilation time, and the properties are either proved correct or a counterexample representing a bug is given to the user. Formal specifications for user defined properties are written using constructs already available in the language, therefore not requiring learning a new verification language/framework. If the formal specification is inaccurate or wrong, proofs are useless to the developer. Therefore, it is important to write specifications in a way that the target properties do represent the program logic. For the advanced user, some understanding about the SMTChecker may lead to specifications that also increase the module's efficiency and proving power. This talk gives an overview of the available features in Solidity's SMTChecker, and presents some insights on writing better formal specifications.
Devcon
Lightning Talk
07:38
Transaction simulation, the good, the bad & the ugly
Transaction simulation allows users to preview the outcomes of signing a transaction, enabling them to make informed decisions rather than fully trusting the dApp. However, several caveats and risks are associated with relying on simulated transaction outcomes. State changes, differing contract behavior between simulation and on-chain execution, and randomness can all affect the outcome. In this talk, I'll share my experiences and learnings from simulating user transactions over the past 2 years
Devcon
Talk
17:48
Ethereum Security
Martin Swende gives their talk on Ethereum Security.
Devcon
Talk
19:41
Evolution of Smart Contract Security in the Ethereum Ecosystem
A lot has changed in the smart contract development ecosystem in the year since DEVCON2. Our perspective as leaders of the smart contract security community OpenZeppelin shows us that the industry is maturing. We give a brief overview of how security patterns and practices have evolved in the past months, dive into some details of recent developments, and talk about promising projects and their plans for the future.
Devcon
Talk
21:00
The Melon security approach
Melonport is striving to build a vibrant and successful developer ecosystem of Melon module builders. An important part of that ecosystem is the security and behaviour of smart contracts that make up Melon modules as well as how they interact with the Melon core and each other. In this presentation, we’ll demonstrate our ongoing technical efforts to assist Melon module developers in creating safe, secure smart contracts and touch on the importance of getting the auditing process right and how others can learn from our experience.
Devcon
Breakout
24:32
Vulnerability Coordination and Incident Response in a Decentralized World
There’s one question that every team of core blockchain developers has discussed at least once: what are we going to do when a critical vulnerability in our software is surfaced? By definition, everything we create is likely to include a vulnerability or code flaw and the difficult legal, ethical, and business issues arise when bugs show up in code. While decentralization does not require us to reinvent the first principles security, it does force us to challenge ourselves to manage significant complexity to reduce harm to those who depend on our code. This talk will discuss the CosmosCERT as a model for how teams can successfully coordinate vulnerabilities and respond to incidents in decentralized environments using on-chain governance mechanisms in a way that ensures stakeholders have a dedicated emergency response capabilities ready to go when the worst happens.
Devcon
Lightning Talk
07:04
Debug First, or Regret Later: an Arsenal of Tools can Build Solid Ethereum Foundations
Building secure and reliable smart contracts requires a robust testing and debugging arsenal. This talk provides a comprehensive and up-to-date overview of essential tools in the Ethereum ecosystem. Learn how to effectively integrate these tools into your development workflow from the start. We'll explore popular options, their strengths, and how to combine them for maximum efficiency. Discover best practices for writing comprehensive tests, identifying and fixing bugs, and ensuring code quality
Devcon
Talk
Lazarus! How to stay safe from the biggest threat actor in crypto
Lazarus has stolen by far the most funds in the blockchain space. They use the same or very similar attack vectors every time yet we see the biggest crypto companies falling victim to them one after another. In this talk, i'll go over some of the attack vectors used by Lazarus and how people can keep themselves safe from Lazarus.
Devcon
Breakout
23:05
Batched Bonding Curves: Grieving DEX Frontrunners
It's been widely publicized that front-running is rampant across decentralized exchanges. Billy Rennekamp describes the technique developed to stop the parasitic behavior by using batched orders in tandem with bonding curves and how it's being used in a new fundraising app by Aragon Black.
Devcon
Breakout
27:10
(Defense Against) The Dark Arts - Contract Runtime Mutability
Smart contracts are no longer guaranteed to have immutable runtime code, and can be redeployed with new code using a variety of methods involving the CREATE2 and SELFDESTRUCT opcodes. In this presentation, we will investigate how this is done and how to protect against malicious mutable contracts. We will also explore ways these new techniques can be applied in order to enable new use-cases and to improve the user experience.