Shows
The Web3 Security PodcastWeb3 Security Podcast: DC Builder, Research Engineer at World FoundationWorld Foundation's proof of personhood system defended against an iris spoofing attack where users verified multiple times by pairing their left eye with someone else's right eye—exploiting uniqueness checks that operated on eye pairs rather than individuals. DC Builder, Research Engineer at World Foundation, explains the multimodal defense they deployed: continuous 3D heat mapping, time-of-flight sensors, anomaly detection models trained on contact lens datasets across manufacturers, and checks for glasses that alter iris patterns.This represents one attack surface in a system protecting 38 million verified humans. World became Nvidia's largest security partner for Jetson NX embedded ch...
2026-01-271h 09
The Web3 Security PodcastHow Solana achieved 2 years uptime after launching with $3M | Matt Sorg (Solana Foundation)When Solana dropped to $8 during FTX, Matt Sorg watched Twitter erupt while his validator network stayed focused on the technical roadmap. The VP of Technology at Solana Foundation had built something that would prove more valuable than hype: a technically aligned community shipping performance improvements on a quarterly cadence.
Matt explains why Solana's early instability wasn't architectural it was financial constraint forcing impossible tradeoffs. Spring 2018's dead ICO market meant launching with roughly $2-3 million versus the hundreds of millions typical L1s raise today. The choice: ship with tech debt or die waiting for perfect code...
2026-01-141h 07
The Web3 Security PodcastSix months before touching production: How Sky enforces context-building that delivers zero-finding audits | Deniz YilmazWhen Sky's audits return serious issues, they don't just fix bugs and ship—they pull the brake and investigate what failed in their internal review process. Deniz Yilmaz, CTO of Sky Frontier Foundation, walks through the defensive layers behind USDS (third-largest stablecoin globally): six-month engineer onboarding requirements, spellcrafting governance with mandatory execution delays, and a protocol security team dedicated to codifying the implicit knowledge that keeps audit reports clean.
Topics discussed:
Treating audit findings as internal process failures requiring investigation, not just bug fixes
Six-month mandatory onboarding periods before engineers can modify spellcrafting code
Pre-audit internal re...
2026-01-061h 05
The Web3 Security PodcastCoinbase's auditing standards with Shashank AgrawalCoinbase's security process protecting over $7 billion in TVL rejects the single-audit model common in DeFi. Shashank Agrawal, Senior Engineering Manager, Protocol Security at Coinbase, explains their multi-round validation approach: internal security teams (separated from product engineering) audit first, then external firms audit, and rounds continue until external auditors surface only lows and informationals—never highs or criticals.
This stopping rule creates a quality bar where internal audits must catch everything significant before external validation. For the Base bridge specifically, this meant independent OP Stack security validation despite Optimism's existing audit work, driven by the "absolutely zero room fo...
2025-11-181h 04
The Web3 Security PodcastEthereum Foundation's path to 10,000 TPS and Bitcoin's 51% attack risk | Justin DrakeJustin Drake reveals Ethereum's infrastructure path to 1 gigagas per second—equivalent to 10,000 TPS and 10x Solana's current user transaction throughput—while operating validators on consumer hardware. As researcher on Ethereum Foundation's protocol architecture team, he details how ZK-EVM proof systems will eliminate the validator bottleneck within six years, enabling state verification on Raspberry Pis while scaling capacity 500x through annual 3x gas limit increases.
The technical requirements are crystallizing rapidly. Real-time proving now achieves sub-12 second latencies (one Ethereum slot) with under 10kW power consumption—accessible in standard home electrical systems rather than data center infrastructure. Drake frames...
2025-11-051h 23
The Web3 Security PodcastCosmos Labs' 3 pivots in 6 months: Timeboxing experiments to find PMF | Barry PlunkettWhen the Interchain Foundation acquired Skip Protocol in 2024, Cosmos Labs inherited a 200-chain ecosystem with no commercial strategy and a massive security backlog. Barry Plunkett, co-CEO, explains how they systematically tested three strategic pivots in six months, killed two based on hard metrics, and found enterprise product-market fit by following "accidental traction" signals they'd initially ignored.
First pivot: ZK-based IBC bridging to Ethereum paired with Skip Go's interop API. They timeboxed three months to the Babylon Bitcoin LST launch as a forcing function. Volume data post-launch killed the thesis—existing bridges were "pretty good" and marginal improvements do...
2025-10-211h 14
The Web3 Security PodcastCentrifuge's serial audits: 6 security reviews that reshaped RWA architecture | Jeroen OfferijnsMaker's core accounting contract—the vat—has remained immutable for six years while processing tens of billions in TVL. Centrifuge is proving this isn't legacy thinking; it's the only approach that survives institutional custody requirements where protocol upgrades introduce unacceptable counterparty risk.
Jeroen Offerijns, CTO of Centrifuge, explains why their $750M TVL RWA protocol runs 6-7 serial audits rather than parallel reviews on a final commit hash. The goal isn't redundant coverage—it's forcing architectural iteration between audits. Low-severity findings don't get dismissed; they trigger contract redesigns before issues compound. This matters when tokenizing Apollo's private credit or S&P...
2025-10-141h 05
The Web3 Security PodcastSafe's $60B security stack: Formal verification, audits, and $1M bounties | Richard MeissnerSafe's smart account infrastructure secures $60B+ in TVL while handling over $1 trillion in cumulative transaction volume. Co-founder, Richard Meissner reveals how Safe is rebuilding its collaboration layer from scratch—replacing centralized transaction services with encrypted on-chain queues while preparing smart accounts for post-quantum cryptography through deterministic deployment standards.
Topics discussed:
Safe Harbor's permissionless transaction queue migrating from contract storage to event-based and blob storage to reduce costs while maintaining consensus-layer availability guarantees
Validator network architecture in frictionless queues performing spam protection and integrity checks on encrypted payloads before paymaster-sponsored on-chain submission
Asymmetric encryption implementation using shared ke...
2025-10-081h 10
The Web3 Security PodcastGnosis validator sniping attacks: How to harvest MEV through IP mapping | Sebastian BürgelSebastian Bürgel's modified Lighthouse client can map any Ethereum validator's public key to their IP address by collecting attestation signatures and tracking their network origin points. Once mapped, attackers can launch precisely-timed DDoS attacks during that validator's block production slot, forcing them offline and redirecting their MEV opportunities to the next validator in sequence.
This network-layer exploit operates entirely outside the smart contract security model that most teams focus on, yet threatens the economic assumptions underlying Ethereum's consensus mechanism. As VP of Technology at Gnosis and founder of HOPR's privacy infrastructure, Sebastian demonstrates how current validator s...
2025-09-241h 07
The Web3 Security PodcastEigen Labs' 3-person team securing $23B in crypto: Restaking security at scale | Anto JosephWhen you discover someone who found a way to decrypt every WhatsApp message through symmetric key reuse, then later designed Coinbase's ETH staking architecture that has never experienced a slashing event, you're looking at a rare breed of security engineer who bridges the exploit and defense mindsets perfectly.
Anto Joseph, Principal Security Engineer at Eigen Labs, walks through his unconventional path from exploiting Need for Speed CD keys in fourth grade to architecting some of crypto's most critical infrastructure. His work spans Intel's hardware security for retinal laser displays, Tinder's location privacy systems handling millions of users...
2025-09-101h 10
The Web3 Security PodcastHow to secure $70 billion in DeFi: Aave's approach to Web3 security at scale | Ernesto Boado (BGD Labs)What happens when you're responsible for $70 billion in user funds and every code change requires approval from hundreds of token holders? Ernesto Boado discovered that managing AAVE's security feels identical whether it's $10 million or $70 billion at stake—the key is abstract thinking that prevents paralysis while maintaining rigorous procedures.
As co-founder of BGD Labs and former CTO of Aave, Ernesto reveals how they've kept the world's largest DeFi protocol secure through systematic auditor evaluation, strategic upgrade decisions, and a hands-on approach to security research relationships. His contrarian take on bug bounties and practical insights into decentralized governance of...
2025-09-031h 18
The Web3 Security PodcastPolygon's 13-step multisig securing billions: Advanced governance security | Chris von HessertWhat happens when a veteran Web2 security executive turns multisig ceremony coordinator at Polygon? The result: a crash course in how Web3 security demands both old-school fundamentals and bleeding-edge vigilance in protecting billions of dollars locked on-chain.
Christopher von Hessert, VP of Security at Polygon, reveals how traditional security expertise from companies like IBM and ServiceNow translates into defending against everything from North Korean IT workers to AI-generated phishing campaigns. His journey from managing ServiceNow's global security team to orchestrating multisig upgrades from Amsterdam studios highlights the evolving demands of Web3 security leadership.
But von...
2025-08-261h 08
The Web3 Security PodcastEthereum Foundation's 10-year bug bounty program: Security lessons | Fredrik SvantesFredrik Svantes evolved from hunting World of Warcraft gold farmers to securing Ethereum's trillion-dollar ecosystem as the foundation's Security Research Lead. Running the world's oldest blockchain bug bounty program while spearheading initiatives to make Ethereum safe for both billion-user adoption and institutional trillion-dollar deployments, he offers rare insights into the security challenges of protecting critical infrastructure at unprecedented scale.
His contrarian stance on replacing reactive blacklists with protocol-level whitelists, combined with hard-won lessons from coordinating the merge and subsequent upgrades, reveals how Ethereum balances decentralization with protection. From managing AI spam in bug reports to designing crowdsourced...
2025-08-191h 02