devcon 7 / from web2 security with love
- YouTube
- Details
From Web2 Security With Love
Duration: 00:00:00
Speaker: Joe Dobson
Type: Talk
Expertise: Beginner
Event: Devcon
Date: Nov 2024
Web3 organizations often rely on Web2 for infrastructure, communications, and development, yet their Web2 security posture is often neglected. This leaves them vulnerable to a wide range of adversaries, from well-funded sophisticated attackers to opportunistic script kiddies. In this talk,Joe Dobson will share hard-earned lessons from the Web2 trenches that can help secure Web3.Don’t make it easy for the adversary. Learn from the past: strengthen your Web2 security to safeguard your Web3 future.
Categories
- Related
Devcon
Talk
30:18
CBC Casper Design Philosophy
Consensus protocols are used by nodes to make consistent decisions in a distributed network. However, consensus protocols for public blockchains should satisfy other requirements, by virtue of the protocol being open. For example, they need to be incentivized, in that people will be incentivized to run consensus forming nodes in the first place, and in that following the protocol should be an equilibrium for consensus forming nodes.The CBC Casper family of consensus protocols has been designed to fit design criteria necessary for secure public blockchains. In this talk, we will explore the design goals and methodology used in CBC Casper research: economically motivated properties of the consensus protocol, the correct-by-construction approach to protocol specification, and the resulting rapid iteration.
Devcon
Talk
14:39
Scaling Ethereum with security and usability in mind
In this talk, I will go through scaling mechanisms and their disadvantages at a user and developer perspective. With our approach at Matic https://matic.network, plasma-fied sidechain, I will explain how we are tackling security using plasma, predicates, and normal state computation on the sidechain. Having specialized DApp specific fraud-proof using predicates, partial confirmations, different fee models allow us better usability for end users. Then will talk about how we are addressing the issue for users when they interact with multiple chains - Ethereum and Plasma sidechain using walletconnect protocol. Overall, it explains how connecting some important dots on Ethereum landscape can help us achieve scalability and usability, and clears our path to mass adoption which we all are aiming for.
Devcon
Breakout
07:40
Store your keys safely offline - never get online to sign transactions
The best way to keep your private key safe, is to keep it disconnected from the internet. This is usually done in hardware wallet, however most of those wallets are directly connected to a computer, either via usb or bluetooth. What if the wallet was never online and never ever connected to an online device. This is achievable using QR code. We did it with Parity Signer. I will present why we built it, how, do a short live demo, and what we will do in the future.
Devcon
Talk
05:40
The Gas Siphon Attack: The Technical and Economic Realities Behind Hacking Exchanges
The Gas Siphon Attack allows anyone to siphon value from many exchanges in the form of gas refunds, a mechanism built directly into the Ethereum protocol. Users can write a simple script that continuously drains unprotected exchange hot wallets of all of their ETH. Until this was responsibly disclosed, many exchanges were affected with varying degrees of severity. How it happened, who was affected, and the technical details behind the attack are discussed during the presentation. The talk dives into the details of the refund mechanism built into the Ethereum network, and how it can be maliciously abused. The presentation explains who is vulnerable and what they can do about it. A number of these types of technical exploits exist on both centralized and decentralized exchanges, and one may find that responsibly disclosing these attacks are harder than the actual exploit itself. Getting in touch with exchanges, continuous communication with services, and helping fix different systems may be a month-long journey that yields very little in return. Hacks, front-running, misaligned miner incentives, and economic disparities are all issues for exchanges and services that are discussed in this presentation. Finally, the talk covers different ways to protect yourself and your dapp from both known and unknown exploits. Preventative measures are presented that will allow for protection from these types of attacks.
Devcon
Lightning Talk
A Playbook of Secure Smart Contract Development
One-off audits can provide a good security baseline but fall short in continuous security assurance, especially for upgradeable and actively developed protocols. We'll cover how to set up the smart contract development processes to ensure the top level of security guarantees, including design review and property specification stages, as well as the integration of security tooling, including testing, fuzzing, and formal verification, into the CI pipeline and development lifecycle of a protocol.
Devcon
Talk
Lazarus! How to stay safe from the biggest threat actor in crypto
Lazarus has stolen by far the most funds in the blockchain space. They use the same or very similar attack vectors every time yet we see the biggest crypto companies falling victim to them one after another. In this talk, i'll go over some of the attack vectors used by Lazarus and how people can keep themselves safe from Lazarus.
Devcon
Talk
Security Frameworks by SEAL
Comprised of dedicated security specialists, SEAL aims to spread awareness and educate the community about Web3 security best practices and pitfalls. We address various challenges, compile accessible resources, and create new content. Open to all backgrounds, our guidelines provide comprehensive security frameworks for Web3 projects, offering best practices and practical solutions throughout their lifecycle. We aim to make Web3 a safer space for developers and users alike.
Devcon
Talk
The Long Con: Pig Butchering, Drainers, and Job Scams
I'll discuss the different types of malicious actors from low-skilled script kiddies to government-sanctioned advanced persistent threats. This presentation will include an overview on drainer groups and how sophisticated scammers string along their victims, fattening them up before extracting as much value as they can, as well as the nefarious practices these operations employ. Finally, I'll focus on the recent rise of job scams that have been targeting builders and employers alike.
Devcon
Breakout
04:54
The magic of ethereum addresses
More often than not, people get messed up when writing or copying ethereum addresses. The ENS is supposed to solve that but is not adopted by everyone yet. These errors can have spectacular consequences. Some end up with a happy end.- https://medium.com/bitclave/how-we-sent-eth-to-the-wrong-address-and-successfully-recovered-them-2fc18e09d8f6- https://twitter.com/drew___stone/status/1135703041997516801With the adoption of wallet smart contracts, this issue is only going to grow. This talk will describe where ethereum address comes from, how you could exploit knowledge of these mechanisms, and how you could protect yourself and your users using create2 based factory like the one deployed at 0xfac100450af66d838250ea25a389d8cd09062629.
Devcon
Talk
25:40
What don't we know? Understanding Security Vulnerabilities in SNARKs
Zero-knowledge proofs (ZKPs) have evolved from being a theoretical concept providing privacy and verifiability to having practical, real-world implementations, with SNARKs (Succinct Non-Interactive Argument of Knowledge) emerging as one of the most significant innovations. Prior work has mainly focused on designing more efficient SNARK systems and providing security proofs for them. Many think of SNARKs as "just math," implying that what is proven to be correct and secure is correct in practice.