
The Web3 Security Podcast

Podcast by TheWeb3SecurityPodcast

English

Technology & science


About The Web3 Security Podcast

The Web3 Security Podcast explores the discipline of Web3 security through conversations with leaders at prominent crypto and Web3 companies. Each episode delivers practical insights into security philosophies, strategic approaches, and vendor evaluation processes. Our guests share hard-earned lessons from the field, without revealing sensitive implementation details or vulnerabilities. We dive deep into the thinking behind security decisions, the challenges of protecting decentralized systems, and the strategies that actually work. Whether you're a CTO, security leader, or technical decision-maker, you'll walk away with concrete insights to strengthen your security posture.

All episodes

14 episodes


Polygon Labs' two-team security structure: where most Web3 breaches actually start | Mudit Gupta

Most Web3 security conversations focus on smart contracts. Mudit Gupta, CTO of Polygon Labs, thinks that's the wrong place to be worried. In this episode, he makes the case that ZK infrastructure carries significantly more bugs than the smart contract layer — the reason large-scale exploits haven't happened yet isn't that the bugs don't exist, it's that the expertise required to exploit them is vanishingly rare. That window won't stay open forever. Beyond the ZK risk, Mudit breaks down the structural and operational decisions Polygon has made as AI shifts both sides of the security equation. Since August, their bug bounty program has seen a surge in reports on years-old code in geth and P2P libraries — the kind of retroactive review humans don't do — forcing them to build a counter-AI triaging system just to manage volume. He also details the two-team security structure most Web3 companies still don't run, and why the team most protocols skip is where the majority of Web3 incidents actually originate.

Topics discussed:

  • ZK infrastructure as the highest-vulnerability, lowest-exploitation surface in Web3 — more bugs than the smart contract layer, but the pool of people who can exploit them is small enough to count on two hands. Mudit's view: that expertise gap is the only thing standing between current ZK deployments and large-scale attacks
  • What a near 10x spike in bug bounty submissions since August reveals about how AI reviews code differently than humans — specifically its tendency to audit legacy code that human researchers have long stopped reviewing
  • Building a counter-AI triaging agent to handle report volume, including the case where it incorrectly closed a valid submission and how researcher pushback caught it
  • Why Polygon runs a dedicated security operations team alongside AppSec — and why the absence of a SecOps function is where most Web3 incidents actually begin
  • Embedding AppSec at the architecture stage rather than post-build, and how that shifts accountability from audit-and-flag to full product ownership of security outcomes
  • Sending an AI-generated deepfake video of Polygon's CEO to all employees as a phishing simulation — and why video-format tests caught people that standard phishing emails don't
  • Wednesday as the target release day: how the Monday-Tuesday verification window protects against deployment failures when external dependencies and client teams won't have weekend coverage
  • Security knowledge as a speed multiplier: how understanding your risk surface lets you move faster on acceptable risks — and how Mudit structures risk tracking and CEO-level reporting so leadership can hold context without blocking decisions

4 Mar 2026 - 1 h 3 min

Sky's zero-finding audit framework: Six-month onboarding and process investigation | Deniz Yilmaz

When Sky's audits return serious issues, they don't just fix bugs and ship—they pull the brake and investigate what failed in their internal review process. Deniz Yilmaz, CTO of Sky Frontier Foundation, walks through the defensive layers behind USDS (third-largest stablecoin globally): six-month engineer onboarding requirements, spellcrafting governance with mandatory execution delays, and a protocol security team dedicated to codifying the implicit knowledge that keeps audit reports clean.

Topics discussed:

  • Treating audit findings as internal process failures requiring investigation, not just bug fixes
  • Six-month mandatory onboarding periods before engineers can modify spellcrafting code
  • Pre-audit internal review standards achieving consistent zero-finding results across multiple audit firms
  • Spellcrafting governance requiring bi-weekly token holder votes and execution delays for all protocol changes
  • LLM auditing integration delivering PR-level feedback before code reaches internal review
  • Mandatory OPSEC certification with domain hash verification testing for multisig signers
  • Protocol security workstreams codifying senior engineer practices into transferable frameworks
  • Auditor selection prioritizing codebase-specific experience over firm reputation
  • SubDAO security enforcement maintaining core standards across autonomous entities with independent economics
  • Game theory-based development considering internal actor exploitation during code design

4 Feb 2026 - 1 h 5 min

Web3 Security Podcast: DC Builder, Research Engineer at World Foundation

World Foundation's proof of personhood system defended against an iris spoofing attack where users verified multiple times by pairing their left eye with someone else's right eye—exploiting uniqueness checks that operated on eye pairs rather than individuals. DC Builder, Research Engineer at World Foundation, explains the multimodal defense they deployed: continuous 3D heat mapping, time-of-flight sensors, anomaly detection models trained on contact lens datasets across manufacturers, and checks for glasses that alter iris patterns. This represents one attack surface in a system protecting 38 million verified humans. World became Nvidia's largest security partner for Jetson NX embedded chips, filing more CVSS reports than any other customer after discovering edge cases from production deployment that Nvidia's internal teams hadn't encountered. DC's current focus: building Proofkit, a Noir backend optimized for client-side ZK proving on constrained mobile devices, because the 99th percentile of World's users operate phones with minimal memory and CPU headroom. The technical architecture spans layers most Web3 teams never touch. Trusted execution environments and secure enclaves depend on vendor supply chains. Private keys etched into Orbs during manufacturing get destroyed after provisioning. Groth16 proofs require trusted setups from both PSE and World's own ceremony. Multiparty computation encrypts iris codes, but compromise would expose biometric-derived data. Open-source firmware on ejectable SD cards enables independent verification against GitHub repos—an auditability model DC walks through in detail.

Topics discussed:

  • Iris spoofing via eye permutation attacks: left-eye/right-eye combinations bypassing uniqueness checks
  • Multimodal biometric defense: 3D heat mapping, time-of-flight sensors, contact lens detection across manufacturers
  • Filing the majority of Nvidia Jetson NX CVSS reports through production edge cases undiscovered internally
  • Building Proofkit: Noir backend optimized for ZK proving on memory-constrained Android devices at the 99th percentile
  • Formal verification pipeline: automatic gnark-to-Lean circuit extraction developed with Reilabs
  • Groth16 trusted setup dependencies: PSE ceremony plus World's own setup and associated compromise risks
  • MPC protocol security: encrypted iris codes and what exposure means for biometric-derived sensitive data
  • Hardware auditability: ejectable SD cards enabling firmware verification against open-source repositories
  • Supply chain trust model: secure enclave vendors, TEE implementations, manufacturing key provisioning
  • Attack surface inventory: hardware TEEs, Linux-based custom OS, biometric ML pipelines, MPC protocols, ZK circuits

27 Jan 2026 - 1 h 9 min

How Solana achieved 2 years uptime after launching with $3M | Matt Sorg (Solana Foundation)

When Solana [https://solana.org/] dropped to $8 during FTX, Matt Sorg [https://www.linkedin.com/in/matt-sorg/] watched Twitter erupt while his validator network stayed focused on the technical roadmap. The VP of Technology at Solana Foundation had built something that would prove more valuable than hype: a technically aligned community shipping performance improvements on a quarterly cadence. Matt explains why Solana's early instability wasn't architectural; it was a financial constraint forcing impossible tradeoffs. Spring 2018's dead ICO market meant launching with roughly $2-3 million versus the hundreds of millions typical L1s raise today. The choice: ship with tech debt or die waiting for perfect code. They shipped, survived the resulting instability crisis, and spent the next several years systematically eliminating every bottleneck through what Matt calls "mindful engineering." The maturity shows in the security infrastructure. Four independent audit firms review every Anza code release. Continuous fuzzing catches performance regressions. Firedancer's launch as a second client enables differential testing that's becoming the de facto Solana specification. The result: approaching two years of continuous uptime with upgrades shipping every three months. But the real technical leap is what's coming: Alpenglow consensus enabling 40% validator failure tolerance, multiple concurrent leaders eliminating MEV by removing block building monopolies, and local inclusion certificates delivering Web2-speed feedback before global consensus.

Topics discussed:

  • Launching mainnet in spring 2018 with $2-3M in a dead ICO market versus modern $100M+ L1 funding
  • Systematic tech debt elimination through bottleneck analysis, achieving nearly two years of uptime
  • Four independent audit firms plus continuous fuzzing reviewing every Anza release
  • Firedancer as a second client enabling differential testing that is becoming the canonical Solana specification
  • Alpenglow consensus mechanism allowing 40% validator failure versus the standard 33% Byzantine tolerance
  • Multiple concurrent leaders requiring only one honest leader among eight for inclusion guarantees
  • Local inclusion certificates providing Web2-speed feedback before global consensus finalization
  • 800+ profitable validators independently reviewing GitHub releases on bare metal versus cloud VMs
  • Savvy validator recruitment through a performance-focused mission attracting talent that only operates on Solana
  • AI-powered social engineering replacing technical exploits as the dominant app-layer attack vector
  • Applications over-engineering financial components before product-market fit validation
  • Non-financial primitives like points enabling faster iteration without security overhead

14 Jan 2026 - 1 h 7 min

Coinbase's auditing standards with Shashank Agrawal

Coinbase's security process protecting over $7 billion in TVL rejects the single-audit model common in DeFi. Shashank Agrawal, Senior Engineering Manager, Protocol Security at Coinbase, explains their multi-round validation approach: internal security teams (separated from product engineering) audit first, then external firms audit, and rounds continue until external auditors surface only lows and informationals—never highs or criticals. This stopping rule creates a quality bar where internal audits must catch everything significant before external validation. For the Base bridge specifically, this meant independent OP Stack security validation despite Optimism's existing audit work, driven by the "absolutely zero room for error" standard when contracts hold substantial user funds. Their approach treats external auditors as verification layers rather than primary discovery mechanisms.

Topics discussed:

  • Multi-round audit methodology continuing until external firms find zero high-severity or critical issues
  • Internal security team structure operating independently from product engineering before external validation
  • Base bridge security requiring custom OP Stack validation independent of Optimism's audit coverage
  • In-house MPC library development using professor-reviewed specs bridging research papers to production implementation
  • Tabletop war gaming exercises simulating worst-case chain scenarios with security, engineering, legal, and compliance teams
  • Free Hexagate monitoring partnership providing base-layer protocol coverage for Base ecosystem builders
  • Security hiring process using live code audits at different complexity levels for senior (level 5) versus staff (level 6) positions
  • Off-chain infrastructure security: key management and transaction signing treated as equal priority to smart contract auditing
  • AI smart contract auditing tools showing current production limitations in determinism and false positive rates
  • Incident response planning where monitoring systems and alert workflows prioritize minute-by-minute decision speed

18 Nov 2025 - 1 h 4 min
