Layla Zulfa
During Devconnect Buenos Aires, a pivotal gathering of Ethereum security practitioners converged for Trillion Dollar Security Day, a landmark event co-hosted by the Ethereum Foundation and Secureum TrustX. This focused summit explored the intricate pathways and robust frameworks required to securely underpin a burgeoning trillion-dollar Ethereum economy, underscoring a proactive stance towards safeguarding the decentralized future.
The event, which brought together approximately eighty leading experts from across the vast Ethereum Security Ecosystem, served as a critical forum for a comprehensive assessment of the current security landscape. Participants, representing diverse segments including Infrastructure, Interoperability, Layer 1 & 2, Onchain, Offchain, Privacy, and Wallets, collectively surfaced shared challenges and meticulously identified concrete, actionable next steps across the entire technological stack. The insights gleaned and outputs generated from this intensive day directly feed into the Ethereum Foundation’s overarching One Trillion Dollar Security (1TS) initiative, a long-term strategic endeavor aimed at fortifying Ethereum’s resilience against evolving threats as its economic significance continues to soar.
The Imperative: Why a Trillion Dollar Security Day Now?
The decision to dedicate a full day to "Trillion Dollar Security" reflects the profound growth and increasing complexity of the Ethereum ecosystem. With Ethereum’s market capitalization frequently oscillating in the hundreds of billions and the total value locked (TVL) in its decentralized finance (DeFi) protocols reaching tens of billions of dollars, the network has transitioned from a nascent technology to a global financial and computational backbone. This exponential growth, while validating its potential, simultaneously amplifies the stakes associated with security breaches. As the digital economy built on Ethereum inches closer to the trillion-dollar valuation mark, the potential financial and reputational fallout from security vulnerabilities becomes astronomical. According to various blockchain security reports, such as those from Chainalysis or Immunefi, billions of dollars have been lost to hacks and exploits across the broader crypto landscape in recent years. This stark reality underscores the urgency of collaborative, proactive security measures.
Trillion Dollar Security Day was meticulously designed to foster intensive, in-person discussions within specific layers of the Ethereum stack. By gathering practitioners who specialize in similar areas, the event aimed to facilitate a candid assessment of existing security postures, enable the sharing of operational realities, and pinpoint the most urgent near-term priorities. The outcomes of these granular sessions were then synthesized, revealing crucial patterns, interdependencies, and systemic vulnerabilities that span the broader ecosystem. The overarching goal was to move beyond isolated problem-solving towards a unified, holistic security strategy capable of protecting a network of unprecedented scale and value.
Cross-Layer Consensus: Overarching Themes Emerge
Despite the diverse specializations of the participants, several recurring themes and challenges resonated across all seven layers of the Ethereum security landscape. These shared observations painted a clear picture of the collective hurdles and priorities facing the ecosystem:
- Coordination Gaps: A persistent challenge across multiple layers was the lack of seamless coordination among different teams, projects, and stakeholders. This included communication breakdowns between Layer 1 and Layer 2 developers, limited collaboration among wallet providers, and fragmented efforts in incident response.
- User Experience vs. Security Trade-offs: There was a strong consensus that user experience (UX) often inadvertently compromises security. The drive for speed, convenience, and low costs in areas like interoperability or privacy solutions can lead users to overlook critical security implications or rely on unsafe defaults.
- Underinvestment in Public Goods and Tooling: Participants highlighted a systemic underfunding of open-source security tooling, research, and infrastructure that benefit the entire ecosystem. This includes fuzzers, static analyzers, and invariant monitoring tools, which are essential but often lack sustainable economic models.
- Opacity and Misleading Trust Assumptions: Many protocols and services, particularly in the interoperability and onchain sectors, suffer from poorly communicated or implicitly assumed trust models. Users are often left unaware of the underlying risks, mistaking "audited" for "secure" or "fast and cheap" for "safe."
- Invisible Attack Surfaces: The discussions brought to light the often-underappreciated risks associated with off-chain components, traditional web infrastructure (Web2), and supply chain vulnerabilities. Frontend hacks, DNS compromises, and RPC centralization were cited as significant, yet frequently overlooked, attack vectors.
- Scalability Challenges in Security: As Ethereum scales with Layer 2 solutions and more complex DeFi protocols, the demands on security auditing, testing, and incident response are rapidly outstripping current capabilities and resources. Compressed testing timelines and increasing protocol complexity contribute to this challenge.
- Economic Misalignment: The competitive nature of various sectors, such as wallets, can act as a barrier to shared security initiatives. Additionally, non-profits providing critical security public goods often struggle with sustainable funding models, creating a misalignment between the value provided and the resources allocated.
These cross-layer observations underscore that Ethereum’s security challenges are not confined to isolated technical vulnerabilities but are deeply intertwined with human coordination, economic incentives, user behavior, and the broader architectural evolution of the network.
Deep Dive by Layer: Key Issues and Immediate Pathways
The event saw participants split into specialized breakout sessions, allowing for granular discussions on what is currently functioning well, what is failing, and where concerted effort is most urgently required. The following provides a detailed overview of the key themes and proposed actions for each critical layer:
Layer 1 & 2: Bridging Coordination Gaps for Foundational Security
Ethereum’s core architecture, characterized by its multiclient design, specification-driven development, and a conservative Layer 1 change process, remains a bedrock of security. However, participants voiced concerns regarding nascent but significant long-term threats like quantum risk, which theoretically poses a threat to current cryptographic primitives in a post-quantum computing era. More immediate challenges included weak L1/L2 coordination, leading to potential vulnerabilities at the interface between the core chain and its scaling solutions, and an over-reliance on cloud infrastructure, which introduces centralization risks. Compressed testing timelines for new features and upgrades were also highlighted as a growing concern, increasing the potential for undiscovered bugs.
Key challenges further elaborated included limited community and Layer 2 participation in critical All Core Devs calls, hindering early feedback on evolving Ethereum Improvement Proposals (EIPs), and persistent concerns around L1-L2 bridging and RPC resilience.
To address these, immediate next steps include expanding the Ethereum Protocol Fellowship (EPF) to onboard more security researchers and developers, thereby increasing client team capacity. The creation of clearer L2 liaison roles was proposed to improve communication channels, alongside better EIP versioning and ownership expectations to streamline the review process. Strengthening moderation and accessibility in coordination forums was also emphasized to ensure broader engagement.
Wallets: Enhancing User Security and Transparency
Significant progress has been made in wallet security with the development of signing standards like EIP-7730, aimed at improving transaction clarity, and advancements in wallet discoverability. Yet, a critical vulnerability remains: blind signing, where users approve transactions without fully understanding their implications, especially prevalent in many hardware wallets. Participants also noted paywalled security, where advanced security features are often locked behind premium services, and low coordination among wallet providers, hindering the development of universal security best practices.
The highly competitive wallet landscape was identified as a structural barrier to collaboration, with an over-reliance on the Ethereum Foundation to drive ecosystem-wide security initiatives.
A groundbreaking proposal was the establishment of an Open Signing Alliance, founded on Ethereum’s core values of openness, neutrality, and the "walkaway test" (the ability for users to switch providers without significant friction). Other priorities included hosting the EIP-7730 registry in a neutral or on-chain context to ensure its integrity and accessibility, and funding the development of wallet-focused security dashboards to improve transparency and legitimate security insights for users.
Onchain Security: Bridging the Gap Between Audits and Real-World Resilience
The onchain security landscape benefits from a burgeoning community of experienced security researchers, sophisticated tooling (e.g., Foundry), and enhanced incident response mechanisms like SEAL911. However, a dangerous perception persists: security is often treated as a mere checkbox, leading to the misleading conflation of "audited" with "secure." Participants emphasized that the majority of recent financial losses stem from operational security (OpSec) failures, rather than novel smart-contract exploits, highlighting a gap between code-level security and deployment/management practices.
Other challenges include the ever-increasing protocol complexity, making comprehensive audits more difficult; limited invariant monitoring in live protocols; and a critical lack of economic audits, which assess the financial incentives and potential attack vectors within a protocol’s design.
Immediate next steps focus on sustained funding for open-source security tooling, including fuzzers and static/dynamic analyzers, to empower developers. Improved visibility into DeFi security posture (a "L2BEAT-like" approach) was proposed to offer transparent risk assessments, alongside broader promotion and adoption of SEAL frameworks and checklists tailored for different contract classes.
Interoperability: Demystifying Trust Assumptions in a Multi-Chain World
Ethereum users benefit from an expanding array of interoperability solutions, offering increasingly fast and low-cost user experiences. However, a significant risk highlighted was that many interop protocols rely on poorly communicated trust assumptions, leading users to erroneously equate "fast and cheap" with "safe." This often results in a scenario where many non-canonical bridges fail the "walkaway test," meaning users are locked into specific systems without viable exit strategies. Furthermore, risk often persists after bridging due to wrapped assets and complex downstream dependencies, creating a chain of interconnected vulnerabilities.
Proposed actions include developing interop trust ratings that explicitly detail trust assumptions and verification models, setting strong expectations for clearer trust disclosures by cross-chain aggregators, and improving the speed and cost efficiency of canonical bridges to reduce reliance on potentially unsafe alternatives. A dedicated follow-up interoperability workshop was also suggested to continue these critical discussions.
Privacy: Overcoming UX and Infrastructure Hurdles
There was unanimous agreement that privacy is not just a desirable feature but an increasingly necessary component of Ethereum’s future, with encouraging progress in zero-knowledge research and growing institutional interest. Nevertheless, user experience, cost, and infrastructure limitations remain significant roadblocks to widespread adoption.
Key challenges include RPC-based tracking, which compromises user privacy even when using private transactions; difficulties surrounding private data storage and recovery; a notable lack of builders focused on intuitive private wallet UX; and the absence of hardware support for privacy-preserving keys, which could significantly enhance user security.
Suggested next steps involve greater utilization of light-client data over P2P RPC to reduce reliance on centralized data providers, targeted investment in private wallet UX research and development, deeper research into ZK-capable hardware signers, and proactive engagement with regulators to seek clearer guidance for permissionless privacy technologies.
Infrastructure & Offchain Security: Addressing the Invisible Attack Surface
The often-overlooked realm of infrastructure and off-chain security was a major point of discussion. Participants repeatedly cited frontend compromises, DNS hijacks, RPC centralization, and software supply-chain attacks as underappreciated yet high-impact risks. The discussions also shed light on the lack of sustainable economic alignment for non-profits providing critical security public goods in this space.
Key challenges included a "false separation" between "Web2" and "Web3" security, where traditional web vulnerabilities are often ignored in the blockchain context; limited accountability for off-chain failures; and a pervasive tendency to trade security for speed or convenience. The inability to easily run nodes over Tor for enhanced privacy and censorship resistance was also highlighted.
Proposed immediate next steps include building verifiable frontend prototypes to mitigate client-side attacks, increasing transparency around RPC and infrastructure health through public dashboards, advancing security frameworks and certifications for off-chain components, and creating structured collaboration models where private companies contribute dedicated time and resources to security public goods.
Event Reflections and Future Trajectories
Feedback from participants overwhelmingly rated the quality of discussion and the relevance of topics as excellent, underscoring the immense value of in-person, cross-layer exchange. The collaborative environment fostered a sense of shared purpose and accelerated alignment on complex issues. While the content and interactions were highly praised, the primary areas identified for improvement were logistical, such as optimizing group sizes for breakout sessions and providing more structured networking opportunities to maximize interaction among the diverse group of experts.
Crucially, there was a strong, collective demand for future work that focuses on applied security standards, shared tooling, and practical "how-to" guidance for implementation. This indicates a desire to translate theoretical discussions into tangible, executable strategies that can be adopted across the ecosystem. The practitioners emphasized the need for clear, actionable roadmaps to operationalize the identified solutions.
What Comes Next: Sustaining the Momentum Towards a Secure Trillion-Dollar Ethereum
The Trillion Dollar Security gathering in Buenos Aires unequivocally highlighted the irreplaceable value of bringing security practitioners together in person. Such focused, face-to-face discussions proved instrumental in building shared understanding, fostering trust, and generating momentum for solutions in ways that are inherently difficult to achieve through asynchronous coordination alone. This human element is critical for tackling the multifaceted and evolving challenges of securing a decentralized network.
The discussions also served as a powerful reminder of the imperative to maintain a continuously updated, shared view of Ethereum’s security posture. As the ecosystem continues its rapid evolution, with new protocols, scaling solutions, and user behaviors emerging, staying ahead of potential risks necessitates a constant reassessment of what security measures are effective, where underlying assumptions may no longer hold true, and which areas demand renewed attention to robustly support a trillion-dollar economy.
The profound insights and actionable strategies formulated in Buenos Aires will continue to directly inform the Ethereum Foundation’s ambitious One Trillion Dollar Security (1TS) efforts. This initiative is not a static blueprint but a dynamic framework designed to adapt to the network’s growth and new threat vectors. Near-term focus for the Foundation and the broader community remains steadfastly on supporting the execution of these proposed solutions, enabling the widespread adoption of open and neutral security standards, and continuously strengthening the foundational layers necessary to keep Ethereum secure, resilient, and dependable at an unprecedented scale. The journey towards a truly trillion-dollar secure Ethereum is ongoing, demanding perpetual vigilance, collaboration, and innovation from its dedicated global community.
With sincere thanks to the security layer champions @vdWijden, @barnabas, @zachobront, @ethzed, @mattaereal, @ncsgy, and @ThewizardofPOS for their invaluable contributions. And to @0xRajeev and @fredrik0x for expertly hosting this critical summit.
