
DeFi Security Summit

November 7-9 2024 @Devcon

Queen Sirikit National Convention Center | Bangkok, Thailand

DeFi Security Summit (DSS) is a unique, marketing-free annual event for education and technical advances in securing decentralized applications on top of blockchain technology. The forum brings together hackers, protocol builders, and tool providers who are interested in technologies and disciplines to make blockchain applications safer, across both off-chain and on-chain components. The summit is inspired by security meetings like CCC and Defcon, which focus on security researchers, bringing together security providers and consumers. DSS 2024 is our third annual conference following two successful events in 2022 and 2023.

Speakers

Emilio Frangella, VP of Engineering, Aave Labs

Sara Reynolds, Smart Contract Engineer, Uniswap

Peter Kacherginsky, Unit 0x team manager, Coinbase

Wolfgang Grieskamp, Head of Move language and tools, Aptos Labs

Michael Lewellen, Head of Solutions Architecture, OpenZeppelin

Hudson Jameson, VP Governance and Community, Polygon Labs

Ernesto Boado, Co-founder, BGD Labs (Aave)

Erik Arfvidson, Head Of Cyber Security, Euler

samczsun, Research Paradigm, Founder SEAL_Org

0xRajeev, Founder, Secureum

Mehdi Zerouali, Founder & Director, Sigma Prime

Tarun Chitra, Founder & CEO, Gauntlet

Igor Konnov, Independent security researcher

José Montero, Blockchain Security Researcher, OpenZeppelin

Anto, Principal Security Engineer, EigenLayer

0xmonsoon, DeFi Security Researcher, OpenZeppelin

Garand Tyson, Senior core engineer, Stellar

Raoul Schaffranek, Formal Verification Engineer, Runtime Verification

Pablo Sabbatella, OpSec & Blockchain Security researcher, SEAL

Pamina Georgiou, Formal Verification Engineer, Certora

Nenad Vitorović, Developer Relations, Tenderly

David Grantham, Community architect and Founder of Paper Aviation

Desmond Ho, Independent Security Researcher

Joran Honig, Security Researcher, Consensys

Nat Chin, Independent Security Researcher

Matta, Security Nomad, The Red Guild

Valerian Callens, Blockchain Security Auditor, Quantstamp

Jakob von Raumer, Security researcher, lindy_labs

Jota Carpanelli, Head of Security Research, OpenZeppelin

Juan Conejero, Auditor & verification engineer, Runtime Verification

Kelsie Nabben

Jonatas Martines, ASR at Spearbit

Josselin Feist, Engineering director, Trail of Bits

Arbaz Hussain, Web & Smart contract Bug Triager, Immunefi

Qi Su, Software Engineer, FuzzLand

Isaac Patka, Founder, Shield3, Wargames SEAL

Jack Sanford, Co-Founder, Sherlock

Lucas Manuel, Senior SC Engineer, Phoenix Labs

Viktor Yurov, Senior smart contract auditor, MixBytes

Kirk Baird, Security Assessments Manager, Sigma Prime

Luis Quispe Gonzales, Senior security Architect, Halborn

Dacian, Security researcher, Cyfrin Audits

Assaf Eli, Co-founder & CTO, Ironblocks

Markella Gioka, Software Engineer

Thibault de Lacheze-Murel, Head of Security, Dfns

Andrew MacPherson, Principal Security Engineer, Privy.io

Shahar Madar, VP, Security & Trust

Dmitry Zakharov, CTO, MixBytes

Jonas Surmann, COO & Co-Founder, TrustBytes

John Toman, Chief Scientist, Certora

Victor Petrenko, Senior Software Engineer, Lido

Eugene Kolpakov, Software Engineer

Schedule

Nov 7. DeFi 101

📍 Main Stage

09:00 - 10:00 - Teaching Smart Contract Security Through Damn Vulnerable DeFi v4 | Tincho (The Red Guild)

Speaker:

Tincho

Abstract:

This workshop uses the latest Damn Vulnerable DeFi v4 challenges to teach smart contract security. Attendees will work through new scenarios to uncover vulnerabilities and explore step-by-step solutions. Each exercise offers insights into identifying and addressing security flaws in DeFi protocols, making this a practical session for anyone looking to strengthen their skills in smart contract security.

10:00-10:10 – Break

10:10 - 12:10 - Finding Bugs: 42 Tips from 4 Security Researchers | Desmond, Joran, Nat, 0xRajeev

Speakers:

Desmond, Joran, Nat, 0xRajeev

Abstract:
Billions of dollars are at risk, and protocols spend millions on security through audits and bug bounties. Have you ever wondered how you can become a top security researcher securing these billions? In this workshop, 4 recognized security researchers share their experiences on smart contract security with practical tools & techniques to find & report vulnerabilities. Security researchers, even aspirational ones, can take away some key advice to improve their smart contract security skills.


12:10-13:10 – Lunch

13:10 - 14:10 - Kontrol Unlocked: Foundry-based Formal Verification for 10x Devs and Auditors | Juan Conejero (Runtime Verification)

Speakers:

Juan Conejero

Abstract:
Join us to formally verify real-world code in our Kontrol-by-example workshop! We share insights and techniques used by Runtime Verification to achieve top-notch smart contract security. Learn to write symbolic Foundry tests with Kontrol, all within Solidity. This hands-on session covers tips and tricks for using Kontrol on large-scale projects, math functions, and common smart contract code. Attendees will get actionable knowledge of using formal verification for the best security guarantees.


14:10 - 15:10 - Workshop on secure development of smart contract systems | Elliot Friedman (Solidity Labs)

Speaker:

Elliot Friedman

Abstract:

In this workshop, participants will explore secure development practices for building robust smart contract systems. We’ll start with a high-level overview of the security stack and move into hands-on coding by building an example application. This process begins with intentionally buggy code containing subtle vulnerabilities, giving attendees the chance to identify and resolve issues step-by-step.

The workshop will cover a range of security tools, starting with unit and integration testing for easily detectable bugs, and progressing to advanced techniques like fuzzing, symbolic execution, and formal verification for harder-to-find vulnerabilities.


15:10-15:20 – Break

15:20 - 16:20 - Leveraging knowledge to transition between blockchain stacks | Jonatas Martines (Spearbit)

Speakers:

Jonatas Martines

Abstract:

As blockchain ecosystems diversify, developers are often faced with the challenge of learning new stacks to stay adaptable. This talk will explore how a Solidity and Ethereum background can be leveraged to quickly master a new blockchain stack, specifically Rust and Solana, while laying a framework that can apply to other chains as well. Attendees will gain a foundational understanding of Rust and Solana’s principles, illustrated through direct connections to Solidity and Ethereum. By focusing on core concepts that translate across chains, this session offers a practical roadmap for developers looking to expand their skills beyond Ethereum.


16:20 - 17:20 - Intro to the Lean Theorem Prover | Jakob von Raumer (Lindy Labs)

Speaker:

Jakob von Raumer

Abstract:

We’ll walk through examples that showcase Lean’s potential, especially in formal verification.


17:20 - 17:40 - Capture the Spec (Competition) | Tomer Ganor (Certora)

Speaker:

Tomer Ganor

Details:

Are you ready to showcase your skills in writing secure, correct Solidity smart contracts and get rewarded for it?

Join our three-day competition, starting November 7, to deepen your expertise in Solidity and formal verification, either in person or remotely.

In this challenge, you’ll receive a smart contract interface, a multi-sig wallet, and a formal specification in the Certora Verification Language (CVL), containing rules and invariants that define the contract’s behavior. Your task is to reverse-engineer a Solidity contract that efficiently satisfies the specification. Run the Certora Prover to ensure all rules and invariants are verified in your implementation.

This competition is an opportunity to sharpen your skills and dive deeper into formal methods for Solidity.

Start Date: Nov 7

End Date: Nov 9

Rewards:

  • The first 3 submissions that verify all rules and invariants will be rewarded $1000.
  • If no person or team manages to verify all rules, the person or team satisfying the highest number of rules and invariants will be rewarded $1000.
  • If multiple people solve the highest number of rules using different original solutions, they will all be rewarded.

GitHub Repo: https://github.com/Certora/CaptureTheSpec/tree/main


Nov 8. DSS Day 1

🎟️ 7:30-08:00 – Registration

📍 Main Stage

Session 1
8:00 – 08:45
Moderated by Rajeev – Secureum

08:00-08:15 - Why DeFi Security Matters | Mooly Sagiv (Certora)

Speaker:

Mooly Sagiv

Abstract:

DeFi Security Summit was born from a need to address critical security gaps in decentralized finance. This talk explores the origins of DSS, the challenges we set out to tackle, and how the summit has evolved to foster collaboration and innovation in DeFi security.

Join us to learn the story of DSS and its mission to build a safer, more resilient DeFi ecosystem.


08:15-08:25 - Enhancing L2 Security with Sequencer-Level Protection: Insights from the Zircuit Network | Phillip Kemper (Zircuit)

Speaker:

Phillip Kemper

Abstract:

“Sequencer-Level Security” is a concept that can prevent hacks on L2s. A sequencer enabled with this architecture analyzes transactions before their inclusion in blocks, and actively blocks those that are malicious. In this talk, we share learnings and experiences with building and operating such a sequencer from the Zircuit network. We will discuss challenges, design choices, successes, as well as failures, and focus on the practical impact on the L2 equipped with such a sequencer.


08:25-08:35 - Hooks: Security considerations when building Hooks in Uniswap V4 | Jota Carpanelli (OpenZeppelin)

Speaker:

Jota Carpanelli

Abstract:

In this session, we’ll dive into Uniswap v4 hooks, focusing on the key security considerations developers need to keep in mind. We’ll discuss common mistakes, explore potential attack vectors, and share tips on how to avoid scams and vulnerabilities. Whether you’re building or auditing, this talk will give developers practical knowledge to enhance the security of their projects that integrate with Uniswap v4.

08:35-08:45 - The Bug Hunter’s Guide to High-Quality Reporting | Arbaz Hussain (Immunefi)
Speaker:

Arbaz Hussain

Abstract:

The agenda of the talk is to guide whitehats in submitting better bug reports by enhancing the quality and impact of bug submissions in bug bounty programs. We’ll draw on real-life examples from our Immunefi platform to learn how to create detailed reports that facilitate faster triage and higher rewards.

08:45-09:00 - Break

Session 2
9:00 – 11:00
Moderated by Jota Carpanelli (OpenZeppelin)

09:00-09:15 - Introduction to SEAL | samczsun
09:15-09:40 - Story time! A Year of SEAL War Games | Kelsie Nabben & Isaac Patka
Speaker:

Kelsie Nabben & Isaac Patka

Abstract:

Hear from SEAL’s Wargame team with a year’s worth of hands-on experience and ethnographic observation wargaming cyber attacks on cryptocurrency and blockchain projects. Our incident response experts will share critical insights into the vulnerabilities and defensive strategies that have emerged through rigorous simulated attacks. We’ll combine a technical perspective with a unique lens on the human and organizational dynamics observed during these exercises, highlighting the interplay between technology and culture in crypto. You’ll get a comprehensive analysis of the lessons learned and actionable recommendations to enhance resilience for crypto and blockchain security.

09:40-10:20 - PANEL | What your auditor REALLY thinks but is afraid to tell you... | Yannis, Josselin & Mehdi Zerouali. Moderator: Michael Lewellen.

Speakers:

 Yannis, Josselin & Mehdi Zerouali.

Moderator:

Michael Lewellen.

Abstract:

This panel brings together seasoned smart contract auditors for an unvarnished look at the realities of blockchain security reviews. Moving beyond polite audit reports, our speakers will address persistent issues they encounter: from developers pushing unrealistic timelines that compromise security, to projects treating audits as marketing checkboxes rather than crucial security processes. The discussion will explore how incomplete specifications and documentation create hidden vulnerabilities, why some common architectural patterns are fundamentally risky despite their popularity, and what actually keeps auditors up at night about the projects they review. Through specific examples, panelists will illustrate how communication gaps and misaligned incentives contribute to security failures, and propose practical ways to improve the audit process. Join us for an honest (and maybe spicy!) conversation about strengthening the relationship between development teams and their auditors.

10:20-11:00 - PANEL | The White Hat Safe Harbor: A deep dive in protecting white hat rescue ops. | Taylor Monahan, Robert, Alice Charm. Moderator: Hudson Jameson.
Speakers:

Taylor Monahan, Robert, Alice Charm.

Moderator:

Hudson Jameson

Abstract:

Among the many initiatives spearheaded by the cross-ecosystem Security Alliance (SEAL), one of the most ambitious has been the White Hat Safe Harbor. SEAL worked for over 24 months with dozens of lawyers and security experts from across the ecosystem to create a legal document that aims to protect white hat hackers from legal repercussions from white hat rescues and allows for projects to quickly and verifiably recover rescued funds. This panel consists of those who were deeply involved in the legal, technical, and implementation work of the White Hat Safe Harbor.

 

Session 3
11:00 – 12:10
Moderated by Ernesto Boado – BGD Labs

11:00-11:20 - Enhancing Test Coverage: A Framework for Effective Protocol Security | Dmitry Zakharov (MixBytes)
11:20-11:45 - Security Considerations when using Pull Oracles | 0xmonsoon (OpenZeppelin)

Speaker:

0xmonsoon

Abstract:

DeFi has slowly been moving towards pull oracles like Pyth, RedStone and more innovative solutions like Oval. These oracles provide more recent prices for a whole lot more pairs. But is it all roses and butterflies? What additional risks do these oracles bring for the integrating protocols, from integration errors, price manipulation or bad data altogether? This talk will dive deep into it. And can push oracles be simply replaced by pull oracles in old protocols like Compound without code change?


11:45-12:10 - Enhancing Protocol Security With ZK-Oracles | Victor Petrenko (Lido)

Speaker:

Victor Petrenko, Eugene Kolpakov

 

Abstract:

Off-chain oracles pose risks due to permissions, trust and security. ZK-based oracles provide a solution, but they are complex and costly.

Solving this problem required efforts from Lido contributors, ZK Oracle providers and independent developers. Finally, the mainnet launch of the first ZK Oracle for the Lido protocol is scheduled for November 2024.

This talk explores the potential of ZK Oracles to be trustless, permissionless, robust, and cost-effective — the hiking challenges in the search for improving protocol security and the road ahead (using Lido’s oracle as an example).


12:10 - 13:10 - Lunch

Session 4
13:10 – 14:55
Moderated by Jack Sanford – Sherlock

13:10-13:35 - The State of DeFi Security - 2024 | Peter Kacherginsky (Coinbase)
Speaker:

Peter Kacherginsky

Abstract:

Despite the wider adoption of code audits, 2024 saw a staggering increase in security breaches, with four times as many compromises and twice as many losses compared to the previous year. To address this alarming trend, we will explore how the DeFi threat landscape evolved in 2024, focusing on the most dangerous threat actors and their successful exploitation techniques. Next, we will adopt an intelligence-driven approach to build a resilient DeFi security program that extends beyond traditional code security measures. DeFi developers and security practitioners will gain not only practical advice they can implement immediately but also insights into the future of DeFi security over the next 5-10 years.

13:35-14:00 - Professionals hack people, not systems | Pablo Sabbatella (Opsek)

Speaker:

Pablo Sabbatella

Abstract:

80% of the funds lost during the last twelve months was not due to hacking smart contracts. It was about hacking people. A wave of web2 criminals are coming to Web3 and we are not prepared to deal with it. I will show how Web3 projects are being hacked using web2 hacking techniques and how these attacks can be avoided. I will talk about attack surface, social engineering, 0-day exploits, DNS hijacking, SIM swaps, malware, private key leakage and much more. I will show real cases and stats.


14:00-14:40 - PANEL | The challenges of building, scaling and securing DeFi protocols | Sara Reynolds, Ernesto Boado, Erik Arfvidson, Merlin Egalite. Moderator: Hari Mulackal.
Speakers:

Sara Reynolds, Ernesto Boado, Erik Arfvidson, Merlin Egalite

Moderator:

Hari Mulackal

Abstract:

Building and maintaining a successful DeFi protocol is incredibly challenging. Billions of dollars are on the line with absolutely zero tolerance for mistakes. The panel will bring 4 security-minded engineers from top DeFi protocols to share their thoughts on building and securing a successful crypto protocol. They’ll be asked to share practical tips and challenges they faced.

14:40-15:05 - The Current State of Audit Contests | Jack Sanford (Sherlock)
Speaker:

Jack Sanford

Abstract:

The audit contest space looks very different than it did one year ago. Conditional pots are the norm instead of the exception. Many different approaches to judging are taking place. And two distinct types of contests have emerged.

Session 5
15:10 – 16:30
Moderated by Emilio Frangella – Aave

15:10-15:40 - PANEL | Battle of the Languages
15:40-16:05 - A cat-and-mouse game: how to frontrun a transaction in the future | Qi Su (FuzzLand)

Speaker:

Qi Su

Abstract:

This talk will describe the attack-defense game in the MEV world. First it will briefly discuss MEV transactions and how they can protect projects from hackers. Then it will delve into attack-defense games between MEV bots. Finally it will discuss our latest observations and direction in this cat-and-mouse game.


16:05-16:30 - 500 days of Security Summer | Sara Reynolds (Uniswap)
Panel with:

Sara Reynolds

Abstract:

Well not really 500 days… As we end 6 months of intense security work on Uniswap v4, we plan to do an overview of the security processes we used to secure Uniswap v4 (we hope), and the bugs that we uncovered at each stage.

Including: community contributions, fuzzing, ffi testing, SEAL wargames, formal verification, 8 audits, a competition, and a bug bounty.

16:30 - 16:40 - Break

Session 6
16:40 – 17:30
Moderated by Yannis (Dedaub)

16:40-16:50 - Security Lifecycle for DAO Proposals | Michael Lewellen (OpenZeppelin)

Panel with:

Michael Lewellen

Abstract:

In this talk, I’ll speak about the security processes being utilized in securely passing proposals on multiple DAOs including Compound and Arbitrum. We’ll cover the types of proposals that require security review, how each type of proposal should be reviewed and the different strategies employed to enforce a QA process while maintaining decentralization throughout the lifecycle of a proposal.

This is a follow-up to a prior talk from DSS 2022 that covered DAO security. This talk will cover more recent updates and dive deeper into the technical processes that are utilized and can be used by others: https://www.youtube.com/watch?v=RGhedegBejE&t=23s


16:50-17:00 - A deep dive into DeFi liquidations | Viktor Yurov (MixBytes)
Speaker:

Viktor Yurov

Abstract:

In this presentation, I will discuss the complex mechanisms of liquidations in various decentralized finance (DeFi) protocols. Liquidations play a crucial role in maintaining the stability and solvency of DeFi platforms. I will address challenges such as market liquidity constraints, cascading liquidations, and high market volatility. Additionally, the focus will be on cross-chain swaps, different oracle architectures (Chainlink, PYTH network), transaction execution delays during network congestion, and the handling of bad debt.

Using well-established protocols like AAVE, Compound, and Gearbox as examples, I will first examine typical liquidation module architectures, before moving on to modern innovative approaches. I will start by discussing the partial liquidation mechanism of Curve’s crvUSD and then delve into the architecture of Fluid Vault, which implements position grouping into ticks and bad debt absorption.

In the final part of the presentation, participants will be introduced to some of the most interesting vulnerabilities identified in real-world audits.

This session will be valuable for auditors, developers, and DeFi enthusiasts.


17:00-17:10 - Risk isolation - Building Single Purpose Protocols | Merlin Egalite (Morpho Labs)
Speaker:

Merlin Egalite

Abstract:

This talk will explore strategies for isolating risk in decentralized finance, focusing on both architectural and code-level approaches to managing smart contract and economic risks.

In the first part, we’ll delve into protocol architecture: simplifying design, separating components, and externalizing risk management to improve resilience. We’ll analyze examples from protocols like Symbiotic and Morpho, highlighting their approaches to mitigating risk.

The second part will cover secure coding practices, such as scoping variables, managing external interactions, applying timelocks, and structuring roles to limit edge cases. Using examples from Morpho vaults, we’ll discuss practical ways to reduce vulnerabilities at the code level.

17:10-17:20 - Money Ain't a Thang (When It's Gone): How to Find Attackers and Improve Your Security Posture | Heidi Wilder (Coinbase)
Speaker:

Heidi Wilder

Abstract:

Join us for a practical session on using blockchain analysis to:

  • Detect and investigate exploits
  • Strengthen preventative measures
  • Improve incident response
  • Protect your users and your project
  • Safeguard your own security
17:20-17:30 - Common Vulnerabilities in Bridges | Kirk Baird (Sigma Prime)
Speaker:

Kirk Baird

Abstract:

The talk aims to explore commonly found bugs in bridges. This would include bridge implementations themselves as well as protocols which utilise bridges. The focus of the talk would be on the Solidity/smart contracts side of the bridge but may be expanded to include offchain code if there is sufficient time. The talk would iterate through bugs in a sufficient level of detail for listeners to fully understand and hopefully identify in the wild. Therefore, the target audience would be proficient in programming with a preference for Solidity. Some examples of vulnerability classes are:

  • message replay attacks
  • message validation
  • signature issues
  • access controls
  • external function calls
  • token manipulation
  • DoS vectors

📍 Workshop Stage

09:00 - 10:00 - Building Custom Protocols with js-libp2p | David Grantham
10:00 - 10:10 - Break
10:10 - 11:10 – Using inductive reasoning to secure smart contracts | Pamina Georgiou (Certora)
Speaker:

Pamina Georgiou

Abstract:

Join us for an engaging workshop on the Certora Prover, a cutting-edge formal verification tool designed to uncover bugs in DeFi smart contracts. We will begin with a brief lecture introducing the fundamentals of formal verification, its underlying principles, and its unique advantages. The primary focus of the workshop will be a hands-on exercise, where participants will learn to write specifications in CVL, the Certora Verification Language. The participants will test smart contract code against their specification using the Certora Prover. This session is ideal for those looking to deepen their understanding of formal verification and smart contract security.

11:10 - 12:10 - Streamlining CI and staging in dapp development | Nenad Vitorović (Tenderly)
Speaker:

Nenad Vitorović

Abstract:

In the fast-evolving world of DeFi, security and reliability are essential. This is a hands-on workshop where participants will get a chance to learn how Tenderly’s cutting-edge Virtual TestNets are revolutionizing dapp development by providing a secure and efficient testing environment tailored to any existing workflow. As a dapp-first development infrastructure, Virtual TestNets make dapp staging possible in Web3. Synced with the latest mainnet state, Virtual TestNets allow building and testing dapps on top of real-time data, opening new testing capabilities for Web3 teams.

12:10 - 13:10 - Lunch
13:10 – 14:10 – Hardening dev environments against backdoor attacks | Tincho & Matta (The Red Guild)
Speakers:

Tincho & Matta (The Red Guild)

Abstract:

In this workshop, we share techniques to protect against weaponized dev tools commonly used to deceive, phish and attack web3 devs and code reviewers with poisoned repositories. Through practical exercises & real-world examples, attendees will learn to avoid getting rekt while building and/or code-reviewing a web3 system. Some of the topics we can cover: git features and bad practices (hooks, signing, impersonation, code execution), IDE misconfigurations and weaponized extensions, backdoored repositories with Foundry, malicious dependencies (npm squatting), obfuscated code, secret leaks, evil GitHub Actions, weaponized Docker containers, and more. After sharing real and practical examples of these attacks, we teach attendees best practices to harden their development environments that should help detect and protect against these threats.

14:10 – 15:10 – Solidity under the hood | Raoul Schaffranek (Runtime Verification)

Speaker:

Raoul Schaffranek

Abstract:

Join us for an in-depth exploration of Solidity, delving into its inner workings. We’ll examine compiled smart contracts and dissect the generated code, focusing on ABI encoding, jump tables, and variable allocation strategies. Our session will cover essential EVM data structures, including storage, memory, and the stack. We’ll also analyze calldata, returndata, invalid opcodes, and overflow checks, providing a comprehensive understanding of Solidity’s mechanics. This workshop is ideal for developers eager to deepen their knowledge of Ethereum’s underlying architecture.


15:10-15:20 - Break
15:20 – 16:20 – Find Highs Before External Auditors Using Invariant Fuzz Testing | Dacian (Cyfrin Audits)

Speaker:

Dacian

Abstract:

Many critical bugs found in security audits could have been identified earlier by developers with targeted fuzz testing. This workshop highlights the importance of bringing security closer to the development process, raising the standard across the space. Through simplified examples from real audits, participants will see how developers—or auditors—can create effective fuzz tests that reveal these vulnerabilities. By showcasing real-world vulnerabilities and the fuzzing approaches that catch them, this session provides a hands-on learning experience for developers aiming to strengthen their code. The workshop will utilize the Chimera framework, enabling attendees to write fuzzing tests compatible with various fuzzers, offering a robust and versatile approach to fuzz testing.


16:20 - 17:20 - Decompiling EVM bytecode (Certora)
Speaker:

John Toman

Nov 9. DSS Day 2

🎟️ 8:00-08:30 – Registration

📍 Main Stage

Session 1
8:30 – 10:15
Moderated by Peter Kacherginsky – Coinbase

08:30-08:40 - Solving State Bloat with State Archival: Risks and Mitigations | Garand Tyson (Stellar)

Speaker:

Garand Tyson

Abstract:

State Bloat, the uncontrollable growth of on-chain data, is one of the major hurdles for long term sustainability of blockchains. State Archival is the solution to this issue, where arbitrary ledger state is automatically deleted from validators. Many major networks are already either planning to or have made steps towards the implementation of State Archival, such as Solana, Ethereum, and Stellar. In this talk Garand, a senior protocol engineer at the Stellar Development Foundation, will present the State Bloat problem, the novel attack surface introduced by State Archival, and the solutions being implemented on Stellar. The risks discussed will include double create, double restore and malicious non-restore of deleted state.


08:40-08:50 - Hacking on Solana | Robert Reith
Speaker:

Robert Reith


08:50-09:00 - Balancing usability and security: the challenges of non-custodial embedded wallets | Thibault de Lacheze-Murel (Dfns)

Speaker:

Thibault de Lacheze-Murel

Abstract:

As web3 adoption grows, integrating embedded wallets into dApps streamlines user onboarding. These wallets offer web2-like ease of use with one-click account creation and recovery options while upholding web3 principles of ownership, trust minimization and decentralization. However, designing such wallets introduces novel security challenges and attack vectors.

This talk explores these challenges and mitigation strategies for wallet providers and dApps to safeguard against key security risks.


09:00-09:25 - AI-Driven Detection and Prevention of Malicious Blockchain Transactions | Carlos Salort Sanchez (Forta)
Speaker:

Carlos Salort Sanchez

Abstract:

To stop exploits from happening, we need to detect automatically when a transaction is malicious. We will present a couple of AI approaches to tackle this problem: Using deep learning to analyze the traces of a transaction, and using unsupervised learning to identify anomalous transactions within a protocol. These methods, when paired with a transaction delaying mechanism, are fast enough not to disrupt the normal operational flow of the blockchain, and can stop protocol exploits.

09:25-09:50 - Dynamic Restaking Security | Tarun Chitra (Gauntlet)
Speaker:

Tarun Chitra

Abstract:

As restaking networks grow and generate fees, a natural question is how their dynamics evolve. Recent research from Durvasula and Roughgarden, as well as from Chitra and Pai, demonstrates that there is a natural graph structure between restaking services (such as EigenLayer AVSs or Symbiotic Networks) that controls the security of the network. This talk will demonstrate an empirical analysis of the true amount of security held within live restaking networks and compare live network security parameters to theoretical bounds. Our work will demonstrate how active rebalancing from node operators is crucial to practical restaking security.

09:50-10:15 - The 2016 Shanghai Attacks: History and Technical Deep Dive | Hudson Jameson (Polygon Labs)
Speaker:

Hudson Jameson

Abstract:

The Shanghai Attacks were a series of attacks against the Ethereum network during Devcon2 in Shanghai. I will retell a first hand account of those harrowing nights where the power of client diversity saved the Ethereum network from halting. I will go over a timeline of the attacks and explain the technical details of the exploits and the 2 network upgrades that had to be executed to remedy the damage.

Note: I was coordinating the response to these attacks in-person and co-running Devcon2 in China during the attacks so I have special insights and resources I can offer to provide a very entertaining and informative talk on this subject 🙂

10:15 -10:30 - Break

Session 2
10:30 – 12:10
Moderated by Tomer Weller – Stellar 

10:30-10:55 – Aave: evolving slow systems in the age of speed | Ernesto Boado (BGD Labs)
Speaker:

Ernesto Boado

Abstract:

DeFi systems are ever-changing, including the infrastructure they live in (L1s, rollups). However, the size of financial software living in them, like Aave, seems to require a slower pace of progress.

In this talk, from our perspective as core maintainers of the Aave protocol, we will present practical examples of how decision-making is done on a daily basis, touching aspects like:

  • When/how new features are added into a multi-billion production system? Practical examples.
  • Balance security considerations (and development) with time-to-market.
  • Redirect innovation to “boring” parts of the tech, with underlying quality as an important target.
  • Defense-in-depth on the application layer, with Aave virtual accounting as an example
10:55-11:20 – Approaching security with Aave V4 | Emilio Frangella (Aave Labs)
Speaker:

Emilio Frangella

Abstract:

The talk will highlight security practices adopted with the development of Aave V4 and provide a comprehensive development update on the new protocol iteration.

11:20-11:45 – Specification and Model-checking of the ZKsync Governance Protocol | Igor Konnov

Speaker:

Igor Konnov

Abstract:

This talk presents a joint effort by Matter Labs and Igor Konnov to formally verify the ZKsync Governance Protocol, which is central to the decentralized management of ZKsync. Alongside traditional security audits, we developed a formal specification using the Quint language to model key governance elements, ensuring protocol security through methodical threat modeling and compliance with governance procedures.

We’ll discuss our approach to validating critical mechanisms like multi-sig operations and cryptographic signatures with model checking and SMT solvers. Real-world examples will illustrate how governance rules, from emergency upgrades to protocol freezes, were captured in formal invariants to detect and resolve vulnerabilities.

View presentation

11:45-12:10 – Web3 Security is Embarrassing: Why We Can and Must Do Better | Andrew MacPherson (Privy)

Speaker:

Andrew MacPherson

Abstract:

The explosive growth of Web3 has brought about innovation, decentralization, and financial opportunity. But let’s be honest—Web3 security is a disaster.

From drainer attacks to wallets that force users to bear the burden of near-impossible security practices, we are failing the very users we aim to protect. And worse, the barrier to exploitation is so low that attackers are beating us with the dumbest attacks!

In this talk, I will look at some of the most embarrassing aspects of Web3 security today, from how wallets should protect users to the infrastructure that enables attacks. I’ll walk through real-world examples of the flaws in the system—like the widespread use of seed phrases, the dangers of lookalike addresses, and the gaps in social media and domain takedowns. But I won’t just point fingers. I’ll offer actionable solutions for developers, security engineers, and the broader crypto community.

From WebAuthn/Passkeys to eliminate phishing attacks, holding wallets accountable and ways to strengthen dApp validation with modern security practices.

If we are serious about bringing the next billion users into the decentralized world, we need to create safer systems that are intuitive and defend against low-effort but high-impact attacks. This talk will challenge Web3 builders to stop accepting the status quo and embrace the tools we already have to make a real difference in user security.

View presentation

12:10 -13:20 - Lunch

Session 3
13:20 – 14:55
Moderated by Anton Permenev – Chainsecurity 

13:20 - 13:30 – Paradigm Shift: Building Invariant-focused codebases | Nat Chin
Speaker:

Nat Chin

Abstract:

Instead of debating between formal verification or fuzzing, this talk introduces a paradigm shift: building invariant-focused codebases to streamline the integration of both methods. While each approach has strengths—formal verification for rigor and fuzzing for speed—the real goal is maximizing bug discovery, minimizing attack surface, and reducing vulnerability to exploits.

I’ll share insights from building robust invariant-driven testing suites, such as a 216-invariant fuzzing suite for Curvance and a 50+ suite for Primitive Finance, drawn from over four years of experience. This talk covers practical guidelines for embedding invariants from the beginning of the software lifecycle, ensuring a smooth transition to comprehensive testing that combines the best of both worlds. Together, we’ll explore how the industry can reduce friction around testing tool debates and instead make testing a seamless and powerful part of code design.

13:30-14:05 - PANEL | Web3 Security: Revolution or Evolution of Web2 Security Principles?
Speakers:

Mehdi Zerouali, Pablo Sabbatella, Peter Kacherginsky, Anto, Andrew MacPherson

Moderator: 

0xRajeev

Abstract:

Web3 security is typically associated with smart contract security. The biggest Web3 hacks have however involved traditional Web2 vulnerabilities and attack vectors. So is Web3 security really a revolution or repackaging of Web2 security principles? This panel proposes to debate on the similarities and differences between Web3 vs Web2 security with some leaders in this space towards the goal of highlighting the current status, historical lessons from Web2 security and future challenges for a safer Ethereum ecosystem.

14:05-14:30 – Rust in Peace: Breaking Rust-based blockchains | Luis Quispe Gonzales (Halborn)
Speaker:

Luis Quispe Gonzales

Abstract:

In this talk, we’ll explore how hackers approach Rust-based blockchains, the common vulnerabilities they target, and the surprising ways things can go wrong.

If you’ve ever wondered how even the most robust code can be broken, this session will shed light on that… and what can be done to stop it. It’s a journey into the hacker mindset, packed with real-world insights and stories!

14:30-14:55 – Formal Verification of the INTMAX2 Protocol | Denisa Diaconescu (Nethermind)
Speaker:

Denisa Diaconescu

Abstract:

INTMAX2 is a blockchain scaling solution for payments that uses a fixed 4-6 bytes of data on-chain, giving an upper limit of 7500 transaction batches per second on Ethereum, where each transaction batch can transfer an unlimited number of tokens to an unlimited number of recipients. INTMAX2 enables stateless and permissionless block production, and provides privacy properties using zk-proofs. The censorship problem is solved intrinsically by INTMAX2 as any user can be an aggregator. In this talk we discuss how we formalised the INTMAX2 protocol in the Lean proof assistant and mechanically proved the security theorem that guarantees the key economic safety property of the protocol.

14:55 -15:10 - Break

Session 4
15:10 – 16:25
Moderated by Nat Chin 

15:10-15:35 – Securing Crypto-Economic Systems - Anto (EigenLayer)
Speaker:

Anto

Abstract:

AVSs, or Actively Validated Services, use crypto-economic networks like EigenLayer to establish credible commitments. In this talk, we will explore the following topics that will help you build a Secure AVS:

1. What are credible commitments, and how do they work?
2. The roles of stakers, operators, and AVSs in credible commitments.
3. What is slashing, how does it work, and how to secure your slashing logic.
4. Crypto-economic attacks against AVSs
5. Essential Web2 security for your AVSs.

15:35-16:00 – Firewalling Decentralized Protocols | Assaf Eli (Ironblocks)
Speaker:

Assaf Eli

Abstract:

We will present findings from a study that examined how execution layer protection can prevent financial losses in decentralized systems. The study analyzed 60 incidents from the Ethereum mainnet, reflecting diverse financial impacts and project types. Each attack was simulated to replicate blockchain states at the time of exploitation, assessing the system’s capacity to block malicious transactions without interfering with normal operations. The experiments, repeated under varying conditions, offer insights into how combining off-chain detection with on-chain intervention enhances security by addressing vulnerabilities in real-time without disrupting system

16:00-16:25 – Smart Contracts to Embeddings: Using off-the-shelf LLMs for Fun and Profit | Markella Gioka (Dedaub)
Speaker:

Markella Gioka

Abstract:

We discuss how we use off-the-shelf large language models for various smart contract analysis and automated comprehension tasks. An important element concerns the level of abstraction of the LLM input. We have found that excellent results can be achieved (for tasks such as public function similarity) by normalizing the input through decompilation up to an almost-Solidity-like level, together with simple tree-shaking algorithms. The resulting normalized code can be used both as training input and as input for computing embeddings.

16:25 -16:40 - Break

Session 5
16:40 – 17:30
Moderated by Joran Honig – Consensys

16:40-16:50 – Deobfuscating Angel Drainer JS Kit | Shahar Madar (Fireblocks)
Speaker:

Shahar Madar

Abstract:

Angel Drainer, a notorious Drainer-as-a-Service kit, has stolen millions of dollars through its highly effective obfuscation techniques, making reverse engineering and detection challenging for researchers and security tools. In response, we developed automated deobfuscation and detection toolkits by analyzing common patterns and identifying known obfuscation methods. These toolkits allow for a deeper understanding and improved mitigation of Angel Drainer’s techniques. This presentation will explore our research process, the obstacles faced, and the key takeaways from tackling this evolving threat.

16:50-17:00 – Not a Walk on the Block: A CISO’s Journey from Web2 to Web3 | Haim Krasniker
Speaker:

Haim Krasniker

Abstract:

Drawing upon two decades as a cybersecurity leader—including many years in Web2 Security and the past two years navigating the “crypto-sphere”—I share personal insights into the challenges that make securing organizations in the decentralized era anything but a “block party.” This presentation explores the strategic and tactical tasks essential for a CISO in the blockchain-powered world of Web3.

17:00-17:10 – Bug bounty horror stories | Joran Honig (Consensys)
Speaker:

Joran Honig

Abstract:

You’ve probably read about bounty hunters becoming millionaires on Immunefi, the billions of dollars secured. The millions of $$$ whitehat rescued. This is just half of the story!

In this talk we’ll avoid those successes and look at what can and will go wrong in crowdsourced security. After this talk you’ll walk away with some of the hard lessons learned by both security researchers and product teams.

17:10 – 17:20 – Transient storage, a transient trend? | Valerian Callens (Quantstamp)
Speaker:

Valerian Callens

Abstract:

EIP-1153 introduced a new form of storage to the EVM: transient storage. Any update to this storage persists until the end of the current transaction. Also, using it costs less gas than the standard storage. It has been live since the Dencun Upgrade. We present use cases, adoption metrics, and security considerations, especially with the current rise of Account Abstraction. We will also suggest security design patterns leveraging transient storage.

📍 Workshop Stage

09:00 - 10:00 - EigenLayer protocol deep dive | Anto, EigenLabs
Speaker:

Anto

Abstract:

Attend an immersive, hands-on workshop that delves into the fundamental EigenLayer protocol. The workshop will guide participants through deploying a rudimentary “Hello World” Actively Validated Service (AVS) on a local development network.

The session will commence with an introduction to the EigenLayer protocol, followed by a practical session where participants will deploy and validate their own AVS. Throughout the workshop, essential security best practices will be covered, including the integration of off-chain and smart contract code, secure key management, and AVS upgrades. This workshop is tailored for developers and security researchers.

10:00 -10:10 - Break
10:10 - 11:10 - Mapping the Unseen: New Visual Techniques for Smart Contract Vulnerability Analysis | Jonas Surmann (TrustBytes)
Speaker:

Jonas Surmann 

Abstract:

Each security review starts with a deep dive into the project and its smart contracts. While the documentation often is not sufficient, this is the first opportunity where SRs can benefit from visual mental models and diagrams to fully grasp the reviewed project.
Depending on the size/LoCs of the reviewed project, today SRs often need days to get a full understanding and many draw manual maps or create a mental model of the contracts and their interdependencies. This practical workshop is aimed at learning new mapping techniques as we navigate different projects and contracts and map them visually to pinpoint and identify security issues effectively in a matter of minutes.
We will delve into advanced visualization techniques in an interactive LIVE analysis while we conclude with a challenge, which will include spotting vulnerabilities by means of mental models/diagrams.
Please don’t hesitate to reach out with any questions.

11:10 - 12:10 - Mastering Smart Contract Audits: A Comprehensive Walkthrough | José Montero & Jota Carpanelli (OpenZeppelin)
Speaker:

José Montero & Jota Carpanelli

Abstract:

In this talk, I’ll walk you through how I audit smart contracts, using real examples from my work at OpenZeppelin. I’ll pick a set of contracts with known bugs and show you how to review code, spot potential attacks, follow common patterns, and test for vulnerabilities. This session is about practical tips and techniques for efficient smart contract auditing, helping you improve security in the DeFi space.

12:10 -13:20 - Lunch
13:20 – 14:20 – Checking Protocol Invariants in Go | John Toman (Certora)
Speakers:

John Toman

Abstract:

Even with best practices, pre-deployment security checks remain imperfect. Thus, projects are complementing these audits with post-deployment monitoring. We describe intrinsic monitoring; i.e., monitoring directly within the EVM. We show how complex invariants of protocols can be encoded into fast, efficient checks that execute on every state transition. We discuss optimization opportunities enabled by integrating directly with the EVM, and tradeoffs/benefits vs traditional monitoring.

14:20 – 15:20 – Move Security Workshop | Wolfgang Grieskamp & David Wolinsky (Aptos)

Speakers:

Wolfgang Grieskamp & David Wolinsky (Aptos)

Abstract:

Join us for a walkthrough of the security aspects of Move on Aptos. We plan to cover Move’s type ability system, bytecode representation and runtime verification approach, formal verification with the Move prover, asset based programming model and frameworks, and new features in Move 2 like permissioned signers and resource access control. No particular knowledge of Move is expected, but familiarity with general concepts of smart programming will be helpful.

View presentation

15:20-15:30 - Break
15:30 – 16:30 – How to block malicious txs using Forta Firewall | Andy Beal & Carlos Salort (Forta)
Speaker:

Andy Beal & Carlos Salort

Abstract:

Forta Firewall is a new threat detection and prevention network that screens and blocks exploit transactions before execution. This workshop will provide an overview of Forta Firewall, and discuss how to integrate Firewall into rollups and DeFi protocols.

16:30 – 17:30 – Firewall implementation | Assaf Eli - Co-Creator Venn
Speaker:

Assaf Eli – Co-Creator Venn

Abstract:

This workshop will guide participants through the fundamentals of firewall technology and its role in network security.

Core Review Committee

Fraser Brown, CMU and Cubist

Curtis Spencer, Electric Capital

Nat Chin, Independent Security Researcher

Ernesto Boado, Aave BGD

Samczsun, Paradigm

Rajeev, Secureum

Mudit Gupta, Polygon

Harikrishnan Mulackal, Spearbit 

Chandra Nandi, Certora and Univ. of Washington

Yoav Weiss, Ethereum Foundation

Mehdi Zerouali, Sigma Prime

Anton Permenev, Chainsecurity

Yannis Smaragdakis, Dedaub and Univ. of Athens

Uri Kirstein, Certora

Byron Gibson, Stanford University

Gerard Persoon, Spearbit

Sock, Code4rena

Mooly Sagiv, Tel Aviv University and Certora

Yura Sherman, Certora

Dima Kogan, Fordefi

Jota Carpanelli, OpenZeppelin

Matthias Egli, Chainsecurity


Joran Honig, Consensys

DSS 2024 Tickets

Round 3 is now LIVE: Full-price and student tickets available

 

Follow us on Twitter to get notified on ticket releases.

 DSS 2024 Sponsors

Diamond

Gold

Aave
Aptos

Silver

Fuzzland
starkware
ironblocks

Bronze

trailofbits
rareskills