ETHDenver | IOSG Old Friends Reunion MeetUp drew to a Successful Close!

Mar 24, 2023


🎉🎉 The IOSG Old Friends Reunion meetup was successfully held on March 1st during ETHDenver! The event, themed "STAY SAFU! Security Day", saw 100k+ reach and impressions, 1500+ registrants from Luma, and the engagement of 100+ top-tier industry experts across a one-day program of 2 panels and 9 talks, bringing the event to a perfect close!

Allow us to extend our sincere gratitude and appreciation to all of you!

The event photo collections are available on the Onsite Photo Drive. The full recording of the event and of each session will be uploaded to IOSG Ventures' official YouTube account soon!

The Highlight of Each Session 👀

🔥 Welcome speech

🎙️ Ray Xiao, Senior Director at IOSG Ventures

Ray presented IOSG’s investment thesis and portfolio coverage. IOSG Ventures is a first-check crypto fund investing in the future of Web3. Ray said: “We are a thesis-driven firm, helping founders build community-driven Protocols”. The market is currently in its second cycle, which runs from 2021 until now. He believes middleware will capture the most value of the network in Crypto 2.0. Security is the safeguard of the web3 ecosystem. The opportunities lie in formal verification techniques, on-chain monitoring, and auditing services. The demand for these services is expected to grow, driven by the increasing complexity of on-chain protocol designs and the booming on-chain assets.

🔥Panel — Security Principles and Approaches in ZK Protocol?

🎙️ Queenie Wu, Partner of @IOSGVC (MC); Alex Gluchowski, Co-founder, zkSync; Ye Zhang, Co-founder and Research lead, @Scroll_ZKP; Matt Finestone, COO, @Taiko; Mikhail Komarov, Founder, @nil_foundation; Brian R, Founder, Risc0

This panel shared brilliant insights into security practices and approaches in ZK protocols. It was hosted by Queenie Wu, partner of @IOSGVC.

Alex Gluchowski believes that only ZK and related technologies can scale to one billion users. He introduced the tradeoff they made by adding a security council, a separate multi-sig formed by prominent Ethereum community members, to accelerate the time lock of the upgrade. He emphasized that ultimately people need to rely on completely trustless mechanisms and take full advantage of zero-knowledge proofs, math, and open source, rather than any validators or trusted parties. He also emphasized the importance of building a trustless and robust system in the blockchain.

Ye Zhang introduced their plan to decentralize the prover market, which aims to avoid a single point of failure and move toward a fully decentralized ZK system. The team would not prioritize adding fancy features to the current EVM, but would stand by this standard and make things robust and performant. He aims to construct a no-trust and robust system that is compatible with EVM bytecode and also developer-friendly.

Matt Finestone suggested that there are many solutions for ZK Rollup and that upgradability is a trade-off between a trustless system and trusting a reputable developer to step in. He thought that being as Ethereum-equivalent as possible can help reuse components such as Optimism to enhance the whole system when a validity proof goes wrong.

Mikhail Komarov shared a different view on how to approach the problems of proof generation and sequencing: not from the top but from the bottom. They aim to provide a proof market that everyone can use, providing infrastructure for ZK projects.

Brian R shared the experience of building a general-purpose zero-knowledge VM that enables developers to write ZK applications using the generic Rust and C++ languages. The team agrees on the importance of building a trustless and robust system that is easy to use and developer-friendly. They focused on building cryptographic rights for a very simple system. For upgradability in ZK, he thought it’s good to not have the network deployed with a bunch of value behind it.

🔥Talk — Universal Truth Framework

🎙️ Grigore Rosu, President & CEO, @rv_inc

Grigore Rosu discussed the Universal Truth Framework, which is a security auditing approach that generates verifiably true claims for the user to trust. This is achieved by using a trusty blockchain to take the claim and generate mathematical proof that can be SNARK-ed to produce a compact proof checker. This approach can be applied to create a blockchain of truth that generates cryptographic proof on top of the mathematical proof, with the 240 LOC proof checker being the smallest ever.

🔥Talk — Taiko ZK-EVM: Inheriting Layer 1 Security

🎙️ Dave, Developer Experience Lead, Taiko

Dave talked about Taiko’s goal of inheriting Layer 1 security in their decentralized Ethereum-equivalent zk-rollup. He discussed the importance of defining security, and how users should be careful with placing trust, bridges, permission overrides/upgrades, and ensuring correctness in the system. Dave emphasized the need for user-centric security by building easy-to-use tools, providing education, avoiding centralized platforms, and fostering diversity and collaboration in implementation.

🔥Talk — Automated Detection of ZK Bugs

🎙️ Jon Stephens, CTO, @VeridiseInc

In a discussion on the automated detection of ZK bugs, Jon Stephens explained the components of a ZK circuit and then turned to equivalence. Equivalence violations come in two kinds: over-constrained bugs and under-constrained bugs. For over-constrained bugs, most ZK languages add field equations as assertions to circuits. With under-constrained bugs, verifiers can accept bad inputs/outputs. OrCa, Picus, and Vanguard can help developers avoid these bugs: Vanguard identifies potential bugs, OrCa gives concrete proof of the bug, and Picus proves fixes correct. Vanguard can detect unconstrained output, assignment misuse, type mismatch, unconstrained signal, unconstrained input, division by zero, nondeterministic dataflow, and bad dataflow-constraint. OrCa uses fuzzing to find concrete evidence that a circuit is under-constrained. Picus combines the strengths of static analysis and SMT.
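To make the two bug classes concrete, here is an added example (not from the talk and not Veridise's tooling) that checks toy "is zero" gadgets over the constructed field F_13 by exhaustive enumeration, which stands in for fuzzing or SMT at this size. It assumes "under-constrained" means one input is accepted with two different outputs and "over-constrained" means the correct output has no satisfying witness; all function names are hypothetical.

```python
# Added illustration: toy constraint systems over the field F_13 (constructed).
from itertools import product

P = 13  # tiny prime so every witness can be enumerated exhaustively

def spec_is_zero(x):
    """Intended function: 1 if x == 0, else 0."""
    return 1 if x % P == 0 else 0

def gadget_ok(x, inv, out):
    """Both constraints: out = 1 - x*inv  and  x*out = 0."""
    return (out - (1 - x * inv)) % P == 0 and (x * out) % P == 0

def gadget_under(x, inv, out):
    """Second constraint omitted: inv is a free witness, so out is too."""
    return (out - (1 - x * inv)) % P == 0

def gadget_over(x, inv, out):
    """Extra constraint inv*(inv-1) = 0 rejects every x whose inverse is not 0 or 1."""
    return gadget_ok(x, inv, out) and (inv * (inv - 1)) % P == 0

def accepted_outputs(constraints, x):
    """All outputs for which some witness value satisfies the constraints."""
    return sorted({out for inv, out in product(range(P), repeat=2)
                   if constraints(x, inv, out)})

def find_under_constrained(constraints):
    """Return (x, out_a, out_b): one input accepted with two different outputs."""
    for x in range(P):
        outs = accepted_outputs(constraints, x)
        if len(outs) > 1:
            return (x, outs[0], outs[1])
    return None

def find_over_constrained(constraints, spec):
    """Return inputs whose correct output has no satisfying witness."""
    return [x for x in range(P) if spec(x) not in accepted_outputs(constraints, x)]

if __name__ == "__main__":
    for name, c in [("ok", gadget_ok), ("under", gadget_under), ("over", gadget_over)]:
        print(name, find_under_constrained(c), find_over_constrained(c, spec_is_zero))
```

The counterexample for `gadget_under` is the kind of concrete evidence a developer needs before a fix: a nonzero input for which the constraints also accept the output "is zero".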

🔥Talk — Programmable zkOracle Network

🎙️ Shuyang, Head of Research, @HyperOracle

Shuyang discussed the topic of a Programmable zkOracle Network. He stated that a dApp is only as decentralized as its most centralized layer. To achieve decentralization, security, and trustlessness, the zkOracle network adopts ZKP. This enables real-time data access, trustless correctness, and customized processing. Shuyang then described the network of zkOracle, which includes zkGraph, a customized logic in an off-chain environment that guarantees the integrity of computation from any node and can verify the result locally.

🔥Talk — Lessons Learned from Block Building and the Future of MEV

🎙️ Matt Cutler, CEO & Co-Founder, @blocknative

Matt Cutler discussed the lessons learned from block building and the future of maximal extractable value (MEV). Blocks are the foundation of a blockchain, and mining pool operators build them under the proof-of-work (PoW) mode. Under proof-of-stake (PoS), validators outsource block construction to block builders via MEV-boost. MEV is the traditional way transactions are ordered in a block based on gas fees, and there are different types of ordering with different outcomes. MEV also exists in other contexts, such as search engines, concert ticketing, mooring in harbors, and equities trading. Today, more than 35% of all mainnet blocks are subsidized.

🔥Talk — Incentive Structures in Web3 Security

🎙️ Oliver Hörr, Founder, @HatsFinance

Oliver Hörr discussed the incentive structures in web3 security and how to fix the problem of auditing marketing. The fix he proposed is to stake part of the audit fee into a bug bounty for a certain period. He also talked about the audit challenges, such as an open invitation to audit, no upfront costs, and only paying for valid findings, which can attract more auditors, and good auditors can earn a lot while bad ones walk away empty-handed. He emphasized the importance of being ethical for a hacker and how bug bounties can be a great tool but are currently unattractive. The goal is to get more security out of bug bounties, attract more security researchers to hunt bugs and make disclosure more attractive compared to exploiting.

🔥Panel — Security Life Cycle

🎙️ Everett Hildenbrandt, CTO, @rv_inc (MC); Jon Stephens, CTO, @Veridise; Yi Sun, Founder, @axiom_xyz; Michael Lewellen, Head of Solutions Architecture, @OpenZeppelin; Vince Almeida, Director of Engineering, @blockswap_team

This panel was led by Everett Hildenbrandt. In this panel, speakers share their insights regarding how to involve security in the software development stage.

Jon Stephens emphasized the importance of considering security at the beginning of development and using auditing and testing to achieve robust security, since a lot of developers will continue to build on top of the protocol after the release. Developers need to make sure they follow proper security protocol the entire way through. He also suggested building fuzzing tools based on Truffle for protocols and working on a trustless setup that can be used in multiple protocols.

Yi Sun shared the principle they follow to keep the system safe, which is writing less code. This can mean either less functionality or code that is more expressive. He also shared insights on tooling for ZK, recommending writing less code to ensure security, checking all assumptions when using novel cryptography, and stressing testing through open-source development. For ZK, users need to trust the math behind the crypto, the proof system implemented in Rust, and the trusted setup.

Michael Lewellen stressed the importance of thinking about security early in the development process and putting everything into the MVP, getting help from auditors at the beginning. He shared that giving the entire community a strong awareness of security, such as access control on DAO multi-sig, can also help a lot. He thought that in the long term, the best way to protect against MEV is to always assume it happens on the protocol and design against it. He also highlighted that clients often have unrealistic expectations about audits, and testing should include monitoring beyond deployment and code.

Vince Almeida shared the practice of integrating formal approaches and formalizing protocol and smart contract-based mechanisms. He recommended a formal process of writing formal models at the beginning of development and caring about the black box, such as the Solidity compiler. He also recommended developers build a detailed and clear document when they release something new to the industry, which can help people reproduce and recalculate the whole thing. He emphasized that even after deployment, security is still necessary, and monitoring should occur at the execution and consensus layers to catch potential issues early.

🔥Talk — Open Source Solution for Cold Crypto Storage

🎙️ Alex Devyatkin, CEO & Founder, @hrdwlt @1inch

Alex Devyatkin presented an open-source solution for cold crypto storage, highlighting the need for hardware wallets as custodial wallets lose trust. He emphasized the importance of considering core performance and function, connection type, physical features, and security levels, including open source, authentication, and backups. Devyatkin also discussed the security gap of blind signing and the potential for compromised applications, noting that the device will inform the user directly. Additionally, he highlighted the benefits of multi-seed functionality, which allows users to create and control several sets of wallets with different seed phrases, all within one device using the hierarchical deterministic (HD) wallet algorithm in accordance with BIP44.

🔥Talk — The Next Chapter of Safe: Account Abstraction

🎙️ Lukas Schor, Co-founder, @safe

Lukas Schor discussed the next chapter of Safe, which involves account abstraction. This is considered the most secure way to own assets, and it is now available for L2 networks. Account abstraction can do more than just multi-sig; it can also handle spending policies and roles. Schor emphasized the importance of building a web2-user experience by allowing users to authenticate using social login and for applications to sponsor transactions for users, who can pay directly with a credit card.

🔥Talk — Why Education Alone Won’t Solve Security?

🎙️ Co-founders Ohm Shah & Martin Peko from @wallet_guard

Ohm Shah and Martin Peko discussed why education alone wouldn’t solve security issues. While it is important to educate users about how to identify phishing websites and understand transactions, mass adoption should not require intense onboarding. Instead, a simple interface, phishing detection and warning, and social engineering prevention should be implemented to improve security for users.

Final Thoughts 🤔🤔

Security of the assets requires a complete and systemic approach, starting from how developers design their mechanisms and write and deploy their code, through to how users store their seed phrases and interact with the blockchains through their wallets. A vulnerability in a single part of this stack can easily result in a loss of funds. Cryptocurrency wallets, as the first stop and only entry point for everyone to join the web3.0 world, will have a direct impact on when that day comes. We are acutely aware that security is the cornerstone of any wallet and will have a direct impact on the user experience in the Web 3.0 world. We envision a future where more people can participate in a decentralized economy without worrying about the vulnerabilities and complexities of using a cryptocurrency wallet. We are confident that this day is not too far away.

IOSG highly values the significance of security players to the whole crypto ecosystem. Although the direction is still at a relatively early stage compared with web2 security, we believe there are great opportunities in auditing, firewall, insurance, and every other sub-segment, and we are keen to help make the journey of each BUIDLer in web3 security much more pleasant.

About Co-hosts🔥🔥

⚡️ IOSG Ventures is a pioneering crypto fund that invests in the future of Web3. As a thesis-driven firm, we assist founders in developing community-driven protocols that are primed to transform the crypto landscape. Our portfolio comprises a wide range of innovative and high-potential investments, including L1/L2 (Polkadot, NEAR, Starkware, Arbitrum), Security Auditing (Runtime Verification, Hexens), DeFi/NFT-Fi (1inch, 0x, Metamask), GameFi (Bigtime, Illuvium), and SocialFi (Galaxy, Cyberconnect). Our team comprises experienced crypto-native BUIDLers and long-term HODLers, and we remain fully committed to supporting our early-stage developers and founders. Since our founding in 2017, we have invested in several industry leaders, including Arweave, Cosmos, Celestia, Eigenlayer, Scroll, zkSync, Nil Foundation, and Mina. Whether you’re building infra, middleware, Security, gaming, or social platforms, we are passionate about investing in crypto-native paradigms that have the potential to transform the future of the industry.

Follow us to stay tuned for our updates!

⚡️ Safe is the most trusted platform to manage digital assets and secures >$40 Billion in assets today. With its flagship web and mobile interfaces and expanding ecosystem, Safe is on a mission to unlock digital ownership for everyone in web3 including DAOs, enterprises, and retail or institutional users by establishing a universal standard for custody of digital assets, data, and identity with smart contract-based accounts.

⚡️ Runtime Verification Inc. is a startup company aimed at using runtime verification-based techniques to perform security audits on virtual machines and smart contracts on public blockchains. It is dedicated to using its dynamic software analysis approach to improve the safety, reliability, and correctness of software systems in the blockchain field.

For the time being, blockchain safety tests are mostly lightweight static analysis tests (testing only the internal logic of source code), while dynamic analysis tests (using the data generated as the code is compiled and executed) increase coverage to find bugs compared with static analysis tests. Runtime Verification is a global leader in formal verification and is capable of directly verifying compiled binary code. Compared to the formal verification of source code, this catches bugs that are otherwise missed due to miscompilation.

⚡️ zkSync is a trustless protocol for scalable low-cost payments on Ethereum, powered by zkRollup technology. It uses zero-knowledge proofs and on-chain data availability to keep users’ funds as safe as though they never left the mainnet. While security is our paramount priority, user and developer experience are central to zkSync design. We obsessively seek out improvements that eliminate friction and complexity to make zkSync the most enjoyable platform on Ethereum, for both end-users and builders.

⚡️ Taiko is a fully decentralized Ethereum-equivalent ZK-Rollup, also known as a Type-1 ZK-EVM. As a ZK-Rollup, it inherits the security guarantees of Ethereum while providing lower transaction fees. Taiko enables developers and users of dApps developed for Ethereum to use Taiko without needing to consider any changes. Additionally, Taiko enables a vibrant community of block proposers, provers, and node runners due to its decentralized design.

Originally published on March 24, 2023.