Last month was a flurry of activity for the Arbitrary Execution team. Two thirds of our team descended upon Denver, Colorado for the annual ETHDenver convention. We were excitedly anticipating the event and the myriad conversations that would occur during it, and ETHDenver did not let us down! We must’ve talked with hundreds of people, from BUIDLers to VCs to project devs to curious passersby, all carrying an enthusiasm that kept us on our feet for long hours, leading to much welcome time off our feet in the evenings for dinners and yes, sleep (somewhere in there!). Here’s a quick recap of all the activities we participated in, with a little detail sprinkled throughout.
Arbitrary Execution Sponsors ETHDenver 2023
If you haven’t heard about ETHDenver yet, you’ve been missing out. The convention draws tens of thousands from all over the world for BUIDLweek, the BUIDLathon (think: hackathon), the Innovation Festival that includes panels, talks, and company booths, and plenty of side events, dinners, happy hours, and everything else you can imagine. Oh, and swag, tons of sweet swag (we think we would’ve won “best in show” for swag, had that been a thing). There is creativity in the air, with attendees sharing their latest innovations, brainstorms, and products covering the categories of infrastructure, community, DeFi, public goods, NFTs, and the metaverse. Protocol teams, individual developers, big players in the space, investors, job seekers, and security companies were milling about, just trying to take in a fraction of what was available.
This year we sponsored ETHDenver, hoping to get the word out about the security services we offer and present a new approach to Web3 security that we’ve been working on for months…but more on that later. The conference gave us an opportunity to have conversations with current and prospective customers, gaining a more complete understanding of what matters to them when it comes to security and helping them understand ways that we can help bolster their current security posture. We also spoke with members of other security teams, briefly commiserating over the very real need for security in the Web3 space and exchanging contact information to keep communication lines open.
What really struck us about the event was both the breadth of knowledge across all attendees and the depth of knowledge that each individual attendee possessed. We could be having a conversation about physical NFTs one moment, only to dive seconds later into a conversation about AI digital assistants that can consolidate “corporate knowledge” from multiple data sources.
Perhaps unintentionally, what we learned most from our booth at ETHDenver was that swag starts conversations, but super sweet swag tractor beams people in from other booths. Our Arbitrary Execution artwork on stickers and t-shirts had people dropping by not to find out who we were and what we did, but to answer the question of HOW DO I GET THAT SHIRT? We may have even won over the hearts and minds of some attendees along the way.
Although that’s a tough act to follow, we will make the unqualified claim that we had the best beanies in the complex, with super-cozy polar fleece lining to combat the chilly Denver night air. We also had an array of comfortable t-shirts, stylish stickers, tote bags, and maybe, briefly, some water bottles (shhhh, don’t spread that around). So whether you got your hands on the popular swag or had to settle for the merely amazing swag, we had you covered. And if you missed out, hit us up; we’re thinking of doing some limited editions to keep up with the clamoring we heard. But don’t forget, we also do Web3 security!
Another feature at our booth was a QR code that you could scan to enter our Trezor T giveaway. If you’re not familiar with it, the Trezor T is a cryptocurrency hardware wallet with a slick touchscreen and great accompanying software for managing your digital assets. Yes, we made it a requirement that everyone fill out a survey to enter the giveaway, but that was a small price to pay for the opportunity to secure your crypto. We are excited to announce that Alex Linder is the winner of our Trezor giveaway!
ETHDenver Talk: Announcing the Web3 SDLC
After months of research, we made a major announcement at ETHDenver about the launch of the Web3 Secure Development Life Cycle (SDLC). This comprehensive security framework is designed to help Web3 protocols integrate security throughout all the phases of their projects' life cycles.
We were fortunate to have a speaking opportunity on the DevTopia Infrastructure + Scalability stage on the second day of the Festival, where we laid out the need for security during all stages of a project, not just during a code audit (for the record, you still need an audit!). We walked through the way that most Web3 projects seem to approach security, touching on the high cost incurred by treating security like it’s just a momentary concern that can be compartmentalized into a single code audit. Then we showed how dealing with security concerns later in a project’s development incurs an exponentially increasing cost, compared to dealing with issues as soon as they arise. We had more than a few examples of Web3 protocols that had security issues that should have been identified and addressed early in the process, but by dealing with them in production they lost millions, in some cases hundreds of millions of dollars in value. Those examples were the motivational springboard we needed to introduce the Web3 SDLC, providing a high-level summary of how to approach security in the Design, Develop, Deploy, and Defend phases of a project. There was so much more to cover than 20 minutes would allow, but for that we provided a lot of supplemental QR codes to direct the interested members of the audience.
If you want to watch the presentation that we gave at ETHDenver, you can find that recording here. If you’re okay listening to a version of the talk without the hubbub of the convention, you can find a webinar version here. And for all the available content that the presentation was based on, check out the Web3 SDLC section of our website here.
Web3 Security Trends and Themes
We had a lot of conversations over the course of the convention. A LOT of conversations. We noticed a number of themes emerging in those conversations, generally correlated with the type of people we spoke with. One thing that was common across the board: everyone was in agreement that the security posture of Web3 needs improvement, and the Web3 SDLC is a great direction to move in.
Job seekers wanted to know what it looked like to become an auditor, specifically with respect to training resources, reference material, and our overall process for going from developer to shadow auditor to junior auditor to senior auditor.
Protocol developers typically wanted to know what our audit scheduling, pricing, and process were like. More than a few mentioned experiences with other audit firms that they were less than satisfied with. In one case, a developer referenced an audit with another firm, sharing that he was unhappy with the results because he himself found a critical bug in the code AFTER the audit was completed. We won’t throw shade in any direction, but some names came up several times from different developer teams.
Representatives from infrastructure or analysis tool teams wanted to make connections with potential power users (read: experienced developers and auditors) to help test their products and guide their future development. We’ve found that this space is full of creative, motivated individuals, and they’re all seeking valuable feedback from knowledgeable individuals. There may have also been an individual promoting a tool that could do the work of an audit in a very short period of time, but we will wait for him to bring receipts before we make a judgment.
One last insight we gained from our conversations was that there is a LOT of excitement and activity around zero-knowledge, or ZK, solutions, and that more than a few developers are building their solutions on new GPT-based tools.
zkSync Developer Day
Some of our engineers stopped by zkSync’s Era Developer Day to learn more about the ecosystem and meet teams building on the L2. The event included workshops, panels, and presentations that highlighted exciting developments on Era. Here are some of our favorite talks:
WTF is Account Abstraction
Julien Niset from Argent walked through the basics of EIP-4337 and the possibilities with account abstraction (AA). Using AA to enable fraud monitoring and account recovery has us excited. It was especially cool to hear ideas from someone who has been working on smart contract wallets well before the 4337 standard was introduced.
zkSync Panel with Alex Gluchowski
This panel included folks from Matter Labs, OpenZeppelin, and Argent. Panelists discussed the future of AA and whether or not EIP-4337 is the end-all-be-all standard (spoiler: the panel was split). They also discussed the importance of building projects securely and integrating security into the development process. Many of these discussion points lined up quite nicely with our Web3 SDLC.
Mentoring at #BUIDLWeek
In addition to the main conference, AE had a presence during #BUIDLWeek, the hackathon that precedes the main festival. Jeremy, one of our security researchers, served as a mentor during the hackathon. Mentors helped hackathon participants in all sorts of ways, ranging from design help to debugging nasty errors. There were different categories of expertise mentors could sign up for, and Jeremy signed up for AE’s specialties: Solidity and security. Through our audits and other work, we’ve developed deep knowledge here, and mentoring was a great opportunity to share what we’ve learned.
Some of our favorite projects at the hackathon devised novel applications using zero-knowledge proofs. With recent innovations in efficient proofs, ZK proofs can be generated in a matter of minutes on a phone, which opens new possibilities for applications. One of our favorite projects was zkPoEX (zero-knowledge Proof of EXploit), which gives researchers and bug bounty hunters a way to disclose the existence and impact of an exploit without revealing the specifics of the exploit.
We had a blast meeting such a diverse group of people, all working together to make Web3 a better place. AE will be making some more appearances on the conference circuit this year, and our next stop is Consensus in Austin. We’ll have a booth there as well, so make sure to stop by to chat (and pick up some swag). Keep an eye on our socials for stops beyond Texas!