Trillion Dollar Security Day at Devconnect | Ethereum Foundation Blog

During Devconnect Buenos Aires, a pivotal gathering of Ethereum’s foremost security practitioners convened for Trillion Dollar Security Day, a collaborative initiative spearheaded by the Ethereum Foundation and Secureum TrustX. This focused event delved into the multifaceted challenges and strategic imperatives required to establish and maintain a robust security framework capable of underpinning a future trillion-dollar Ethereum economy. The discussions and resulting outputs directly contribute to the Ethereum Foundation’s ongoing One Trillion Dollar Security (1TS) initiative, underscoring a proactive commitment to safeguarding the network as it scales to unprecedented valuations and user adoption.

Background: Securing Ethereum’s Ascent to a Trillion-Dollar Economy

The Ethereum ecosystem has experienced explosive growth since its inception, evolving from a nascent blockchain platform into a global decentralized computing network with a market capitalization that has, at times, exceeded half a trillion dollars. With billions of dollars in Total Value Locked (TVL) across decentralized finance (DeFi), non-fungible tokens (NFTs), and various decentralized applications (dApps), the stakes for security have never been higher. The vision of a "trillion-dollar Ethereum economy" is not merely aspirational but reflective of the network’s potential to become a foundational layer for global commerce and digital interaction. However, this immense value proposition also presents an increasingly attractive target for sophisticated attackers, necessitating a continuous and collaborative effort to identify, mitigate, and preempt security vulnerabilities across every layer of the stack.

Devconnect, held in Buenos Aires from September 8-15, 2023, served as the ideal backdrop for this critical dialogue. Unlike larger, more sprawling conferences, Devconnect is designed to foster intimate, focused gatherings for deep technical discussions and collaborative problem-solving. This environment allowed for concentrated attention on the complex, interconnected security challenges facing Ethereum. Secureum TrustX, known for its expertise in blockchain security and auditing, partnered with the Ethereum Foundation to co-host the event, bringing a wealth of practical experience and a community of dedicated security researchers and developers. The 1TS initiative itself represents a strategic long-term commitment by the Ethereum Foundation to invest in security research, tooling, and coordination mechanisms necessary for the network’s sustained health and resilience.

Event Structure and Goals: A Layered Approach to Security Assessment

The Trillion Dollar Security Day brought together approximately eighty distinguished participants, representing a broad spectrum of the Ethereum security ecosystem. This diverse group spanned expertise in Infrastructure, Interoperability, Layer 1 & 2 protocols, Onchain smart contracts, Offchain components, Privacy solutions, and Wallets. The event’s design facilitated intensive, in-person discussions within these specialized layers, enabling practitioners to share their unique operational realities, assess the current security posture of their respective domains, and collectively identify immediate, actionable priorities.

Participants were divided into breakout sessions corresponding to these seven distinct layers. Each group was tasked with a detailed analysis of "what is working today," "what is not working," and "where effort is most urgently needed." This structured approach allowed for a granular examination of specific vulnerabilities and strengths, fostering a shared understanding of the intricate dependencies that exist across the entire Ethereum stack. The outcomes of these individual layer-focused sessions were then synthesized, revealing overarching patterns, systemic risks, and cross-layer dependencies that require coordinated solutions. The primary goals of this gathering were to:

• Assess Current Security Posture: Gain a comprehensive understanding of the existing security landscape across all critical layers.
• Surface Shared Challenges: Identify common pain points, systemic risks, and recurring vulnerabilities that affect multiple components of the ecosystem.
• Identify Concrete Next Steps: Develop actionable recommendations and priorities for improving security in the near and long term.
• Foster Collaboration: Strengthen ties and facilitate information exchange among security practitioners from diverse backgrounds.

Cross-Layer Observations: Unveiling Systemic Vulnerabilities and Collaborative Pathways

Across the intensive breakout sessions, several recurring themes emerged, highlighting both the inherent strengths of Ethereum’s security model and areas requiring urgent attention. A key observation was the persistent challenge of coordination, whether between Layer 1 and Layer 2 teams, or among competing wallet providers. The reliance on centralized infrastructure components, the evolving threat landscape (including quantum computing concerns), and the human element of operational security failures were also prominent.

The following table summarizes key issues identified and immediate next steps proposed during the sessions, providing a condensed snapshot of the collective intelligence gathered:

Layer	Key Issues	Identified Immediate Next Steps
Layer 1 & 2	Quantum risk, weak L1/L2 coordination, cloud dependence, compressed testing	Expand EPF onboarding, create L2 liaisons, improve EIP versioning & ownership
Wallets	Blind signing, paywalled security, low coordination	Form an Open Signing Alliance, neutral/on-chain EIP-7730 registry, wallet dashboards
Onchain	"Audited ≠ secure", weak IR, OpSec failures	Fund OSS security tooling, create DeFi security visibility, promote SEAL
Interoperability	Unsafe trust assumptions, UX favors speed over safety	Interop trust ratings, clearer disclosures, improve canonical bridge UX
Infrastructure	Frontend hacks, RPC centralization, DNS SPOFs	Verifiable frontends, infra transparency dashboards, light-client wallets
Offchain	Misaligned incentives, Web2 attack-surface blind spots	Security frameworks, certifications, public-goods staffing models
Privacy	UX and infrastructure are primary constraints	Light-client data over P2P RPC, private wallet UX, ZK hardware signers, regulatory engagement

Deep Dive into Key Themes by Layer

The comprehensive discussions within each layer yielded detailed insights and specific action plans, highlighting the nuanced challenges and innovative solutions being pursued by the Ethereum security community.

Layer 1 & 2: Bridging the Coordination Gap
Ethereum’s core architecture, characterized by its multi-client implementation, specification-driven development, and a deliberately conservative Layer 1 change process, continues to provide a robust security foundation. However, participants voiced concerns regarding potential future risks such as quantum computing’s long-term cryptographic implications, suboptimal coordination between Layer 1 and Layer 2 development teams, significant reliance on cloud infrastructure providers (e.g., AWS, Google Cloud, Azure) which could represent single points of failure, and increasingly compressed testing timelines for critical protocol upgrades. The limited participation of Layer 2 teams and the broader community in crucial "All Core Devs" calls, coupled with client teams’ strained capacity to review evolving Ethereum Improvement Proposals (EIPs) early in their lifecycle, were identified as critical bottlenecks. Furthermore, ongoing concerns about Layer 1-Layer 2 bridging mechanisms and RPC (Remote Procedure Call) resilience underscored the need for enhanced robustness. Proposed solutions include expanding the Ethereum Protocol Fellowship (EPF) to nurture new talent, establishing clearer L2 liaison roles to improve communication channels, refining EIP versioning and ownership expectations, and actively strengthening moderation and accessibility within coordination forums to ensure broader engagement.

Wallets: Demystifying User Security
Significant progress has been made in wallet security, particularly with advancements in signing standards like EIP-7730 (which aims to improve the clarity and context of transaction signing) and enhanced wallet discoverability. Nevertheless, the prevailing reliance on "blind signing" in many hardware wallets—where users approve transactions without a human-readable interpretation of the underlying data—remains a substantial risk. The competitive nature of the wallet landscape often impedes collaborative security discussions, with many providers hesitant to share insights or pool resources. Participants also noted an over-reliance on the Ethereum Foundation to drive coordination in this fragmented sector. A pivotal proposal was the formation of an "Open Signing Alliance," envisioned as a collaborative body anchored in Ethereum’s core values of openness, neutrality, and the "walkaway test" (the ability for users to easily switch providers without vendor lock-in). Additional priorities include hosting the EIP-7730 registry in a neutral, or even on-chain, context to enhance transparency and immutability, and funding wallet-focused security dashboards to provide users with clearer, more legitimate information about their security posture.

Onchain Security: Beyond the Audit Checklist
The onchain security landscape benefits from a growing cadre of experienced security researchers, the proliferation of advanced tooling like Foundry (a fast, comprehensive testing framework), and increased awareness around incident response, exemplified by initiatives like SEAL911. Yet, security is frequently relegated to a mere checklist item, with "audited" often mistakenly conflated with "secure." Participants emphasized that the majority of recent financial losses in DeFi have stemmed not from novel smart contract exploits, but from fundamental operational security (OpSec) failures, such as insecure private key management or social engineering attacks. Other challenges include the ever-increasing complexity of protocols, insufficient invariant monitoring (mechanisms to ensure that certain properties of a system always hold true), and a notable scarcity of "economic audits" that assess financial risks beyond code vulnerabilities. Immediate next steps include sustained funding for crucial open-source security tooling (e.g., fuzzers, static analyzers, dynamic analyzers), developing a "L2BEAT-like" dashboard for comprehensive DeFi security visibility, and promoting the broader adoption of SEAL frameworks and checklists tailored for different classes of smart contracts.

Interoperability: Explicit Trust, Enhanced Safety
Ethereum users currently enjoy a rich array of interoperability options, facilitating faster and more cost-effective user experiences across various networks. However, this convenience often comes at the cost of clarity regarding underlying trust assumptions. Many interoperability protocols rely on poorly communicated or implicit trust models, leading users to equate "fast and cheap" with inherent safety. A significant concern is that numerous non-canonical bridges fail the "walkaway test," meaning users might become locked into a specific bridge or face undue risks if that bridge fails. Furthermore, risk frequently persists post-bridging due to the nature of wrapped assets and their downstream dependencies. Proposed actions include developing standardized interoperability trust ratings that explicitly detail trust assumptions and verification models, enforcing stronger expectations for explicit trust disclosures by cross-chain aggregators, and enhancing the speed and affordability of canonical bridges to reduce reliance on potentially unsafe alternatives. A follow-up workshop specifically dedicated to interoperability challenges was also proposed, underscoring the complexity and criticality of this area.

Privacy: Addressing UX and Infrastructure Barriers
There was broad consensus that privacy is evolving into a fundamental and necessary component of Ethereum’s future, marked by encouraging progress in zero-knowledge (ZK) research and increasing institutional interest. However, significant hurdles remain, primarily centered around user experience (UX), prohibitive costs, and infrastructure limitations. Key challenges include the pervasive nature of RPC-based tracking (where nodes can observe user transaction patterns), difficulties associated with private data storage and recovery, a noticeable dearth of builders focused on intuitive private wallet UX, and the absence of robust hardware support for privacy-preserving cryptographic keys. Suggested next steps involve advocating for greater use of light-client data over P2P RPC to reduce surveillance, investing heavily in private wallet UX research and development, exploring research into ZK-capable hardware signers, and actively engaging with regulators to seek clearer guidance and frameworks for permissionless privacy technologies.

Infrastructure & Offchain Security: The Unseen Attack Surface
The discussions illuminated often-underappreciated risks stemming from frontend compromises (e.g., malicious websites mimicking legitimate dApps), DNS hijacks, the centralization of RPC providers, and vulnerabilities within the software supply chain. Participants also highlighted the critical issue of misaligned economic incentives, particularly for non-profit organizations that provide essential security public goods without sustainable funding models. Key challenges include a false dichotomy between "Web2" and "Web3" security, leading to blind spots regarding traditional web attack vectors. There is also limited accountability for off-chain failures, and a pervasive tendency to prioritize convenience and speed over robust security. The difficulty of running Ethereum nodes easily over privacy-enhancing networks like Tor was also noted as a significant concern. Proposed next steps include the development of verifiable frontend prototypes to combat phishing, increasing transparency around RPC and infrastructure health, advancing standardized security frameworks and certifications, and establishing structured collaboration models where private companies dedicate resources and expertise to support security public goods.

Event Reflections and Future Trajectory

The Trillion Dollar Security Day was overwhelmingly lauded by participants for the quality of discussions and the acute relevance of the topics addressed. The in-person, cross-layer exchange was highlighted as exceptionally valuable, fostering a depth of understanding and collaboration that is difficult to replicate through remote or asynchronous communication. Feedback for improvement primarily focused on logistical aspects, such as optimizing group sizes and providing more structured networking opportunities. There was a strong, palpable demand for future work concentrated on applied security standards, the development and adoption of shared tooling, and practical "how-to" guidance for implementation across the ecosystem.

The gathering underscored the profound value of bringing security practitioners together physically to cultivate shared understanding and momentum. These focused, face-to-face discussions proved instrumental in accelerating alignment on critical security standards, tooling, and practical solutions – an outcome challenging to achieve through distributed coordination alone. Moreover, the event reinforced the necessity of continuously maintaining an updated, shared perspective on Ethereum’s evolving security posture. As the ecosystem expands and innovates at a rapid pace, staying ahead of emerging risks demands regular reassessment of existing assumptions, identification of areas where current security models may no longer suffice, and renewed attention to critical domains to ensure Ethereum remains secure and resilient at scale.

The insights gleaned from Trillion Dollar Security Day in Buenos Aires will serve as a foundational input for the Ethereum Foundation’s ongoing One Trillion Dollar Security efforts, complementing existing initiatives across the vibrant Ethereum ecosystem. The immediate future will see a concerted focus on supporting the execution of identified next steps, promoting the widespread adoption of open and neutral security standards, and strengthening the foundational elements indispensable for keeping Ethereum secure as it progresses towards its trillion-dollar destiny. The dedicated efforts of the security layer champions – @vdWijden, @barnabas, @zachobront, @ethzed, @mattaereal, @ncsgy, and @ThewizardofPOS – along with the hosting leadership of @0xRajeev and @fredrik0x, were instrumental in the success of this vital event and will continue to guide the path forward.