The Web3 Security Podcast

Most Web3 security conversations focus on smart contracts. Mudit Gupta, CTO of Polygon Labs, thinks that's the wrong place to be worried. In this episode, he makes the case that ZK infrastructure carries significantly more bugs than the smart contract layer — the reason large-scale exploits haven't happened yet isn't that the bugs don't exist, it's that the expertise required to exploit them is vanishingly rare. That window won't stay open forever.Beyond the ZK risk, Mudit breaks down the structural and operational decisions Polygon has made as AI shifts both sides of the security equation. Since August, their bug bounty program has seen a surge in reports on years-old code in geth and P2P libraries — the kind of retroactive review humans don't do — forcing them to build a counter-AI triaging system just to manage volume. He also details the two-team security structure most Web3 companies still don't run, and why the team most protocols skip is where the majority of Web3 incidents actually originate.Topics Discussed:ZK infrastructure as the highest-vulnerability, lowest-exploitation surface in Web3 — more bugs than the smart contract layer, but the pool of people who can exploit them is small enough to count on two hands. Mudit's view: that expertise gap is the only thing standing between current ZK deployments and large-scale attacksWhat a near 10x spike in bug bounty submissions since August reveals about how AI reviews code differently than humans — specifically its tendency to audit legacy code that human researchers have long stopped reviewingBuilding a counter-AI triaging agent to handle report volume, including the case where it incorrectly closed a valid submission and how researcher pushback caught itWhy Polygon runs a dedicated security operations team alongside AppSec — and why the absence of a SecOps function is where most Web3 incidents actually beginEmbedding AppSec at the architecture stage rather than post-build, and how that shifts accountability from audit-and-flag to full product ownership of security outcomesSending an AI-generated deepfake video of Polygon's CEO to all employees as a phishing simulation — and why video-format tests caught people that standard phishing emails don'tWednesday as the target release day: how the Monday-Tuesday verification window protects against deployment failures when external dependencies and client teams won't have weekend coverageSecurity knowledge as a speed multiplier: how understanding your risk surface lets you move faster on acceptable risks — and how Mudit structures risk tracking and CEO-level reporting so leadership can hold context without blocking decisions

World Foundation's proof of personhood system defended against an iris spoofing attack where users verified multiple times by pairing their left eye with someone else's right eye—exploiting uniqueness checks that operated on eye pairs rather than individuals. DC Builder, Research Engineer at World Foundation, explains the multimodal defense they deployed: continuous 3D heat mapping, time-of-flight sensors, anomaly detection models trained on contact lens datasets across manufacturers, and checks for glasses that alter iris patterns.This represents one attack surface in a system protecting 38 million verified humans. World became Nvidia's largest security partner for Jetson NX embedded chips, filing more CVSS reports than any other customer after discovering edge cases from production deployment that Nvidia's internal teams hadn't encountered. DC's current focus: building Proofkit, a Noir backend optimized for client-side ZK proving on constrained mobile devices, because the 99th percentile of World's users operate phones with minimal memory and CPU headroom.The technical architecture spans layers most Web3 teams never touch. Trusted execution environments and secure enclaves depend on vendor supply chains. Private keys etched into Orbs during manufacturing get destroyed after provisioning. Groth16 proofs require trusted setups from both PSE and World's own ceremony. Multiparty computation encrypts iris codes, but compromise would expose biometric-derived data. Open-source firmware on ejectable SD cards enables independent verification against GitHub repos—an auditability model DC walks through in detail.Topics discussed:Iris spoofing via eye permutation attacks: left-eye/right-eye combinations bypassing uniqueness checksMultimodal biometric defense: 3D heat mapping, time-of-flight sensors, contact lens detection across manufacturersFiling majority of Nvidia Jetson NX CVSS reports through production edge cases undiscovered internallyBuilding Proofkit: Noir backend optimized for ZK proving on memory-constrained Android devices at 99th percentileFormal verification pipeline: automatic GNARC-to-Lean circuit extraction developed with RayLabsGroth16 trusted setup dependencies: PSE ceremony plus World's own setup and associated compromise risksMPC protocol security: encrypted iris codes and what exposure means for biometric-derived sensitive dataHardware auditability: ejectable SD cards enabling firmware verification against open-source repositoriesSupply chain trust model: secure enclave vendors, TEE implementations, manufacturing key provisioningAttack surface inventory: hardware TEEs, Linux-based custom OS, biometric ML pipelines, MPC protocols, ZK circuits

Coinbase's security process protecting over $7 billion in TVL rejects the single-audit model common in DeFi. Shashank Agrawal, Senior Engineering Manager, Protocol Security at Coinbase, explains their multi-round validation approach: internal security teams (separated from product engineering) audit first, then external firms audit, and rounds continue until external auditors surface only lows and informationals—never highs or criticals. This stopping rule creates a quality bar where internal audits must catch everything significant before external validation. For the Base bridge specifically, this meant independent OP Stack security validation despite Optimism's existing audit work, driven by the "absolutely zero room for error" standard when contracts hold substantial user funds. Their approach treats external auditors as verification layers rather than primary discovery mechanisms. Topics discussed: Multi-round audit methodology continuing until external firms find zero high-severity or critical issues Internal security team structure operating independently from product engineering before external validation Base bridge security requiring custom OP Stack validation independent of Optimism's audit coverage In-house MPC library development using professor-reviewed specs bridging research papers to production implementation Tabletop war gaming exercises simulating worst-case chain scenarios with security, engineering, legal, and compliance teams Free Hexagate monitoring partnership providing base-layer protocol coverage for Base ecosystem builders Security hiring process using live code audits at different complexity levels for senior (level 5) versus staff (level 6) positions Off-chain infrastructure security: key management and transaction signing treated as equal priority to smart contract auditing AI smart contract auditing tools showing current production limitations in determinism and false positive rates Incident response planning where monitoring systems and alert workflows prioritize minute-by-minute decision speed

When the Interchain Foundation acquired Skip Protocol in 2024, Cosmos Labs inherited a 200-chain ecosystem with no commercial strategy and a massive security backlog. Barry Plunkett, co-CEO, explains how they systematically tested three strategic pivots in six months, killed two based on hard metrics, and found enterprise product-market fit by following "accidental traction" signals they'd initially ignored. First pivot: ZK-based IBC bridging to Ethereum paired with Skip Go's interop API. They timeboxed three months to the Babylon Bitcoin LST launch as a forcing function. Volume data post-launch killed the thesis—existing bridges were "pretty good" and marginal improvements don't create ecosystem momentum. Second pivot: position Cosmos Hub as a unified deployment platform for seamless multi-chain experiences. Direct enterprise outreach revealed Base and Solana's network effects created insurmountable BD cost disadvantages for a smaller ecosystem. The breakthrough: Fortune 500 companies and governments kept reaching out for help with Cosmos infrastructure pilots they'd started internally. That inbound signal became the strategy. The security approach reflects the same first-principles methodology. Kevin, former head of security at Optimism who led Bedrock releases, implemented a policy: engineering managers receive HackerOne reports directly with no security intermediary layer. If you wrote the code and the bug was missed, you own the fix immediately—no backlog accumulation. For protocol-level changes, the team mandates line-by-line PR review sessions where code authors walk the full engineering team through every change. This catches critical vulnerabilities before external audits and prevents tribal knowledge from siloing. They coordinate patches monthly on the second Tuesday (Microsoft's schedule) after learning ad-hoc "patch when found" approaches burned out validator operators managing infrastructure across dozens of chains. Topics discussed: Timeboxing strategic experiments to three months with quantitative kill criteria before resource commitment Following inbound enterprise signals over predetermined theses when accidental traction contradicts core assumptions Mandatory line-by-line PR walkthrough sessions with full engineering teams before protocol-level releases Monthly coordinated patch schedule (second Tuesday) preventing validator operator fatigue across multi-chain infrastructure Direct bug bounty report routing to code authors eliminating security intermediary layers and backlog accumulation Engineering manager accountability for immediate fix implementation rather than sprint planning security debt Graduating experimental modules through staged test environment deployments before long-term support commitment Analyzing why standalone IBC interoperability and Hub-native deployment strategies failed against established L1 network effects Standardized component interfaces (ABCI between Comet/SDK, IBC cross-chain) enabling parallel experimentation across 200-chain ecosystem Tokenization thesis: bringing cost of holding and moving money to zero creates financial services "Internet moment"

Safe's smart account infrastructure secures $60B+ in TVL while handling over $1 trillion in cumulative transaction volume. Co-founder, Richard Meissner reveals how Safe is rebuilding its collaboration layer from scratch—replacing centralized transaction services with encrypted on-chain queues while preparing smart accounts for post-quantum cryptography through deterministic deployment standards. Topics discussed: Safe Harbor's permissionless transaction queue migrating from contract storage to event-based and blob storage to reduce costs while maintaining consensus-layer availability guarantees Validator network architecture in frictionless queues performing spam protection and integrity checks on encrypted payloads before paymaster-sponsored on-chain submission Asymmetric encryption implementation using shared keys among Safe signers to hide transaction intent, with blob storage providing shorter data availability windows than permanent contract storage ERC-7955's elimination of nonce-dependent deployment attacks by publicly exposing factory private keys through EIP-7702, preventing address spoofing exploits that caused historical fund losses Four-layer security methodology: audits during development, dual auditors from different firms at release, formal verification with Runtime Verification and Certora, and $1M+ bug bounties during phased rollouts Phased production deployment strategy starting with foundation Safes as front runners for months before prompting user upgrades to new contract versions Smart account migration pathways for post-quantum algorithms using passkey implementations (non-native curve support) as proof-of-concept for lattice-based signature schemes Organizational structure separating Safe Labs' enterprise custody focus from Research team's permissionless protocol development to balance adoption velocity with decentralization roadmap

When you discover someone who found a way to decrypt every WhatsApp message through symmetric key reuse, then later designed Coinbase's ETH staking architecture that has never experienced a slashing event, you're looking at a rare breed of security engineer who bridges the exploit and defense mindsets perfectly. Anto Joseph, Principal Security Engineer at Eigen Labs, walks through his unconventional path from exploiting Need for Speed CD keys in fourth grade to architecting some of crypto's most critical infrastructure. His work spans Intel's hardware security for retinal laser displays, Tinder's location privacy systems handling millions of users, and the 14-page security design document he authored for Coinbase's ETH staking as his first crypto project. Now at Eigen Layer, Anto's three-person security team protects $23 billion in assets while pioneering cryptographic verification systems that could fundamentally change how bug bounties work. His approach to using AI agents for security research, including getting Devin to solve real exploit scenarios in 8 hours, offers a glimpse into how automated security testing will evolve in Web3. Topics discussed: WhatsApp vulnerability: symmetric key reuse across all installations Tinder's 1-mile grid snapping preventing triangulation attacks Coinbase ETH staking architecture achieving zero slashing events Month-long fuzzing campaign on AWS for Base launch Economic security through programmable slashing and redistribution logic zKTLS proofs eliminating human verification in bug bounties Risk Zero proof system for atomic testnet-to-mainnet bounty claims Reinforcement learning approaches for Web3 vulnerability discovery

What happens when a veteran Web2 security executive turns multisig ceremony coordinator at Polygon? The result: a crash course in how Web3 security demands both old-school fundamentals and bleeding-edge vigilance in protecting billions of dollars locked on-chain. Christopher von Hessert, VP of Security at Polygon, reveals how traditional security expertise from companies like IBM and ServiceNow translates into defending against everything from North Korean IT workers to AI-generated phishing campaigns. His journey from managing ServiceNow's global security team to orchestrating multisig upgrades from Amsterdam studios highlights the evolving demands of Web3 security leadership. But von Hessert doesn't just protect protocols—he challenges the ethics driving the security research community. His perspective on white hat incentives, the ransomware-like behavior of some "ethical" hackers, and why the industry needs more than smart contract expertise creates a provocative framework for understanding Web3 security culture. Topics discussed: Building Web3 security careers through Web2 fundamentals like red teaming, threat modeling, and offensive security rather than just smart contract auditing. Implementing 13-step multisig verification processes at Polygon to prevent payload manipulation and ensure transaction integrity across upgrade ceremonies. Identifying North Korean IT workers through interview patterns and behavioral analysis while balancing ethical concerns about legitimate remote workers. Challenging the "hack first, negotiate later" mentality in white hat security research as essentially ransomware behavior disguised as ethical hacking. Managing security priorities across Polygon's POS bridge containing billions in user funds versus newer Ag Layer interoperability protocols. Defending against AI-powered attack vectors including automated phishing campaigns and deepfake video calls targeting multisig signers. Scaling security expertise beyond smart contracts to cover consensus algorithms, client software, and core blockchain infrastructure vulnerabilities. Establishing threat modeling frameworks that assume employee compromise and build defense-in-depth strategies for multisig operations. Balancing traditional Web2 security concerns like endpoint protection and phishing training with Web3-specific risks like private key management. Predicting the evolution of Web3 security toward secure-by-default tooling similar to how cloud platforms eliminated common Web2 vulnerabilities.