Web3 Security Forum examines security risks and defense strategies in Web3, covering application vulnerabilities, transaction security, and technical challenges to ensure a safer digital environment.
This session surveys the attack surfaces of Web3 layer by layer, from the consensus layer to the execution layer (VM), then to the application layer (smart contracts) and the toolchain (compilers), combined with real-world cases we have discovered.
First, we start with the consensus layer, introducing the core protocols of blockchains, such as Proof-of-Work and Proof-of-Stake, and discussing vulnerabilities in consensus mechanisms and the attacks they enable. Next, we analyze the execution layer, focusing on the virtual machine. Using Solana's SVM as the example, we explore potential attack methods, such as race conditions caused by parallel execution, backward-compatibility issues when the execution layer is upgraded that can lead to denial of service (DoS), and the more severe case of remote code execution (RCE). At the application layer, we focus on the security of smart contracts and how to defend against common attacks. Finally, we examine the often-overlooked security of the toolchain, particularly compiler vulnerabilities, and how mistakes made when these tools translate high-level code into executable code can become a vector for exploiting smart contracts.
This session introduces several common vulnerabilities that static analysis tools cannot detect, which are classified as medium to high risk and can cause financial loss. These include slippage losses and other vulnerability types that only manifest under specific conditions and scenarios. We cover how to detect the potential impact of these vulnerabilities and share our approach to building tools and designing identification processes. We also discuss how to optimize security lifecycle management from the development stage through to audit.
Reentrancy Trap: Debunking the Myth of Smart Contract Immutability
Smart contracts, a highly anticipated blockchain technology, face a critical challenge: reentrancy attacks.
These attacks operate like invisible assassins, waiting for the perfect opportunity to strike. Once successful, they can lead to asset loss and even the collapse of an entire system.
Traditional defense mechanisms often address only the symptoms rather than the root cause, making them insufficient in truly mitigating the risk.
In this talk, we will delve into the origins of reentrancy attacks and uncover a crucial truth:
"The essence of a reentrancy attack lies in the inconsistency of smart contract states."
Our discussion will focus on how to approach smart contract design and architecture to ensure state consistency, effectively preventing reentrancy attacks at their core. You will learn:
Why are reentrancy attacks so dangerous?
What is their underlying mechanism, and how do they impact the smart contract ecosystem?
Why is maintaining immutability key?
How does state consistency ensure the security of transactions?
How can an immutable smart contract be built?
This talk will introduce various practical design patterns and best practices to strengthen contract security.
By attending this session, you will gain not only an understanding of reentrancy attack defense strategies but also a deeper insight into smart contract security design principles, contributing to a safer and more reliable blockchain ecosystem.
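The state-inconsistency view of reentrancy described above, as an added example that is not part of the talk and not Solidity: a simplified Python model of a vault whose withdraw() transfers funds before updating its ledger, beside a version that follows the checks-effects-interactions pattern. The vault, account and scenario amounts are all constructed for illustration; ledger_consistent() is the invariant that the talk's "state consistency" argument is about.

```python
"""Simplified model of a reentrancy attack and its mitigation (constructed
example, not Solidity and not the speaker's material).  A vault holds funds
for depositors.  withdraw() must read the caller's balance, send the funds
(which hands control to the caller) and zero the balance.  Sending before
zeroing leaves the ledger inconsistent for as long as the caller's code runs."""


class Reverted(Exception):
    """Stands in for an EVM revert."""


class Account:
    """Externally owned account: receiving funds runs no code."""

    def __init__(self, name, funds=0):
        self.name = name
        self.funds = funds

    def receive(self, vault, amount):
        self.funds += amount


class VulnerableVault:
    """Interaction (the transfer) happens BEFORE the effect (ledger update)."""

    def __init__(self):
        self.balances = {}
        self.funds = 0

    def deposit(self, account, amount):
        account.funds -= amount
        self.funds += amount
        self.balances[account] = self.balances.get(account, 0) + amount

    def withdraw(self, caller):
        amount = self.balances.get(caller, 0)
        if amount == 0:
            raise Reverted("nothing to withdraw")
        if self.funds < amount:
            raise Reverted("insufficient vault funds")
        # Interaction first: control passes to the caller while its balance
        # is still recorded as `amount`, so the ledger is inconsistent here.
        self.funds -= amount
        caller.receive(self, amount)
        # Effect last: too late if the caller re-entered above.
        self.balances[caller] = 0


class SafeVault(VulnerableVault):
    """Checks-effects-interactions: the ledger is consistent before any call."""

    def withdraw(self, caller):
        amount = self.balances.get(caller, 0)
        if amount == 0:
            raise Reverted("nothing to withdraw")
        if self.funds < amount:
            raise Reverted("insufficient vault funds")
        # Effects first: zero the balance and move the funds ...
        self.balances[caller] = 0
        self.funds -= amount
        # ... and only then hand control to the caller.
        caller.receive(self, amount)


class ReentrantCaller(Account):
    """Contract whose receive hook calls withdraw() again while the outer
    withdraw() is still running.  Swallows reverts, like a try/catch."""

    def receive(self, vault, amount):
        self.funds += amount
        try:
            vault.withdraw(self)
        except Reverted:
            pass


def ledger_consistent(vault):
    """The invariant a reentrancy attack breaks: recorded balances add up
    to the funds the vault actually holds."""
    return sum(vault.balances.values()) == vault.funds


def run_scenario(vault_cls):
    """Constructed scenario: an honest depositor puts in 90, the re-entrant
    caller puts in 10 and withdraws.  Returns (vault funds, caller funds,
    ledger consistent?) after the single withdraw() call."""
    vault = vault_cls()
    honest = Account("honest", funds=90)
    caller = ReentrantCaller("reentrant", funds=10)
    vault.deposit(honest, 90)
    vault.deposit(caller, 10)
    vault.withdraw(caller)
    return vault.funds, caller.funds, ledger_consistent(vault)


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableVault))  # (0, 100, False)
    print("safe:      ", run_scenario(SafeVault))        # (90, 10, True)
```

With the vulnerable vault the caller's recorded balance stays at 10 through every nested call, so each re-entry passes the check and the vault is drained; the ledger ends up claiming 90 for the honest depositor while holding nothing. With the ordering fixed, the nested call sees a zero balance and reverts, and the invariant holds. A reentrancy guard (a lock flag set for the duration of withdraw) stops the nested call outright, but as the talk argues, it is the state ordering that makes the contract correct rather than merely guarded.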
Key Takeaways:
A deep understanding of the nature of reentrancy attacks
Mastering essential principles for secure smart contract development
Enhanced awareness of smart contract security design
Practical defense strategies for developers
Ethereum mainnet suffers from low transaction processing speed and high gas fees. To address these challenges, Layer 2 scaling solutions have been developed. Among these, rollups play a critical role in enhancing scalability. There are two main types of rollups: ZK Rollups and Optimistic Rollups. ZK Rollups utilize zero-knowledge proofs to validate transactions, offering faster finality and enhanced security. Optimistic Rollups, on the other hand, assume transactions are valid and leverage fraud proofs to ensure correctness, providing higher throughput.
While rollups effectively scale Ethereum, they operate as separate ecosystems, making interoperability crucial. To enable seamless token and asset transfers across different rollups or Layer 2 solutions, users rely on cross-chain bridges. These bridges facilitate asset movement between Layer 2 and the Ethereum mainnet or across different Layer 2 solutions, ensuring a more connected and efficient blockchain ecosystem.
This session will focus on the critical security aspects of Layer 2 solutions and cross-chain bridges, exploring potential vulnerabilities and strategies to enhance the safety of Ethereum's expanding ecosystem.