Devcon Archive logo
Devcon Forum Blog
  • Watch
  • Event
    Event: background logo
    • Devcon 7
    • Devcon 6
    • Devcon 5
    • Devcon 4
    • Devcon 3
    • Devcon 2
    • Devcon 1
    • Devcon 0
  • Categories
    Categories: background logo
    • Cryptoeconomics
    • Devcon
    • Developer Experience
    • Coordination
    • Core Protocol
    • Layer 2s
    • Real World Ethereum
    • Cypherpunk & Privacy
    • Security
    • Applied Cryptography
    • Usability
  • Playlists

Suggested

Loading results..

View all

About Devcon —

Devcon is the Ethereum conference for developers, researchers, thinkers, and makers.

An intensive introduction for new Ethereum explorers, a global family reunion for those already a part of our ecosystem, and a source of energy and creativity for all.

  • Watch
  • Devcon
  • Forum
  • Blog

Get in touch

devcon@ethereum.org

Subscribe to our newsletter

Crafted with passion ❤️ at the Ethereum Foundation

© 2025 — Ethereum Foundation. All Rights Reserved.

devcon 7 / merkle proofs when leaves leave you vulnerable

  • YouTube
  • Details

Merkle Proofs: When Leaves Leave You Vulnerable

Duration: 00:05:34

Speaker: Shufan Wang

Type: Lightning Talk

Expertise: Intermediate

Event: Devcon

Date: Nov 2024

A Merkle proof is a cryptographically authenticated data structure widely used to minimize on-chain data storage. The Merkle algorithm is neat yet non-trivial to implement correctly and securely; its leaves may leave you vulnerable if not handled properly.

Categories

AuditingBugmerkleAuditingBug
  • Related
How to steal $1.1M from lending market in 15 minutes preview
Devcon
Lightning Talk
09:27

How to steal $1.1M from lending market in 15 minutes

In may 2024 I found multiple bugs in lending market which allowed to steal $1.1 mln. The exploit itself was very complicated and required multiple steps, including exploitation of liquidation process of unhealthy loan which worked very similar to flash loan. I'll tell the story of how I decided to check this project source code to finding an issue, contacting with owners of platform and fixing it. I'll also share the best tips how to avoid and prevent such issues in other projects.

What don't we know? Understanding Security Vulnerabilities in SNARKs preview
Devcon
Talk
25:40

What don't we know? Understanding Security Vulnerabilities in SNARKs

Zero-knowledge proofs (ZKPs) have evolved from being a theoretical concept providing privacy and verifiability to having practical, real-world implementations, with SNARKs (Succinct Non-Interactive Argument of Knowledge) emerging as one of the most significant innovations. Prior work has mainly focused on designing more efficient SNARK systems and providing security proofs for them. Many think of SNARKs as "just math," implying that what is proven to be correct and secure is correct in practice.

Double entry point issues - From breaking Compound to Uniswap v4 preview
Devcon
Lightning Talk
09:09

Double entry point issues - From breaking Compound to Uniswap v4

A short explanation of a critical-severity vulnerability we found in the Uniswap V4 core contracts that would have caused a ~$15M loss in Uniswap's pools. The goal is to explain the risks of double entry points, from the $30M+ TUSD issue in Compound to the Uniswap V4-specific case where protocols use native tokens and operate on chains where the native token has a corresponding ERC-20 token, and how to prevent them.

Can we formally verify implementations of cryptographic libraries like the c-kzg library? preview
Devcon
Lightning Talk

Can we formally verify implementations of cryptographic libraries like the c-kzg library?

In this talk, we present our work on formally verifying the implementation of a cryptographic library key to the security of the Ethereum Data Availability layer: the c-kzg library. We will explore what we have been able to prove so far and what is ahead of us.

hevm or: How I Learned to Stop Worrying and Love the Symbolic Execution preview
Devcon
Talk
26:28

hevm or: How I Learned to Stop Worrying and Love the Symbolic Execution

hevm is a symbolic execution engine for the EVM that can prove safety properties for EVM bytecode or verify semantic equivalence between two bytecode objects. It exposes a user-friendly API in Solidity that allows you to define symbolic tests using almost exactly the same syntax as usual unit tests. In this talk, we'll present hevm, what it's useful for, and when and how to use it to help secure your digital contracts.

Transaction simulation, the good, the bad & the ugly preview
Devcon
Lightning Talk
07:38

Transaction simulation, the good, the bad & the ugly

Transaction simulation allows users to preview the outcomes of signing a transaction, enabling them to make informed decisions rather than fully trusting the dApp. However, several caveats and risks are associated with relying on simulated transaction outcomes. State changes, differing contract behavior between simulation and on-chain execution, and randomness can all affect the outcome. In this talk, I'll share my experiences and learnings from simulating user transactions over the past 2 years

Web3 Security is Embarrasing preview
Devcon
Talk

Web3 Security is Embarrasing

The explosive growth of Web3 has brought about innovation, decentralization, and financial opportunity. But let’s be honest—Web3 security is a disaster. In this talk, we’ll confront embarrassing truths: drainer attacks, weak wallet protections, and overlooked vulnerabilities. But we won’t stop there; I’ll share practical fixes to protect users and show how Web3 developers can raise the bar. If we want Web3 to thrive, we have to stop attackers beating us with low-effort attacks. We can do better!

How to Audit Smart Contract Languages: Brief Intro preview
Devcon
Lightning Talk
08:33

How to Audit Smart Contract Languages: Brief Intro

In this talk, we’ll dive into the unique challenges and considerations when auditing a smart contract language, as opposed to auditing individual smart contracts. We’ll cover: - Things to Look For: Key aspects of a smart contract language that need review. - Mindset Difference: Shifting from a contract-centric to a language-centric perspective, focusing on broader systemic issues rather than isolated contract logic.

Lazarus! How to stay safe from the biggest threat actor in crypto preview
Devcon
Talk

Lazarus! How to stay safe from the biggest threat actor in crypto

Lazarus has stolen by far the most funds in the blockchain space. They use the same or very similar attack vectors every time yet we see the biggest crypto companies falling victim to them one after another. In this talk, i'll go over some of the attack vectors used by Lazarus and how people can keep themselves safe from Lazarus.

The 10 Most Common Vulnerabilities Found in Audit Contests preview
Devcon
Lightning Talk
09:55

The 10 Most Common Vulnerabilities Found in Audit Contests

This lightning talk offers a quick survival guide for DApp developers and security experts, highlighting the most common vulnerabilities found in audit contests. As these contests are often the final step before mainnet, the identified vulnerabilities have typically been overlooked by multiple developers and auditors. The session includes a link to a guide on fixing each vulnerability and a 2-minute Q&A to explore any of the 10 vulnerabilities in more detail and discuss why they are often missed