
The Web3 Security Podcast

Latest episode

15 episodes

  • The Web3 Security Podcast

    Polygon Labs' two-team security structure: where most Web3 breaches actually start | Mudit Gupta

    04/03/2026 | 1 h 3 min
    Most Web3 security conversations focus on smart contracts. Mudit Gupta, CTO of Polygon Labs, thinks that's the wrong place to be worried. In this episode, he makes the case that ZK infrastructure carries significantly more bugs than the smart contract layer — the reason large-scale exploits haven't happened yet isn't that the bugs don't exist, it's that the expertise required to exploit them is vanishingly rare. That window won't stay open forever.
    Beyond the ZK risk, Mudit breaks down the structural and operational decisions Polygon has made as AI shifts both sides of the security equation. Since August, their bug bounty program has seen a surge in reports on years-old code in geth and P2P libraries — the kind of retroactive review humans don't do — forcing them to build a counter-AI triaging system just to manage volume. He also details the two-team security structure most Web3 companies still don't run, and why the team most protocols skip is where the majority of Web3 incidents actually originate.
    Topics Discussed:
    ZK infrastructure as the highest-vulnerability, lowest-exploitation surface in Web3 — more bugs than the smart contract layer, but the pool of people who can exploit them is small enough to count on two hands. Mudit's view: that expertise gap is the only thing standing between current ZK deployments and large-scale attacks

    What a near 10x spike in bug bounty submissions since August reveals about how AI reviews code differently than humans — specifically its tendency to audit legacy code that human researchers have long stopped reviewing

    Building a counter-AI triaging agent to handle report volume, including the case where it incorrectly closed a valid submission and how researcher pushback caught it

    Why Polygon runs a dedicated security operations team alongside AppSec — and why the absence of a SecOps function is where most Web3 incidents actually begin

    Embedding AppSec at the architecture stage rather than post-build, and how that shifts accountability from audit-and-flag to full product ownership of security outcomes

    Sending an AI-generated deepfake video of Polygon's CEO to all employees as a phishing simulation — and why video-format tests caught people that standard phishing emails don't

    Wednesday as the target release day: how the Monday-Tuesday verification window protects against deployment failures when external dependencies and client teams won't have weekend coverage

    Security knowledge as a speed multiplier: how understanding your risk surface lets you move faster on acceptable risks — and how Mudit structures risk tracking and CEO-level reporting so leadership can hold context without blocking decisions
  • The Web3 Security Podcast

    Sky's zero-finding audit framework: Six-month onboarding and process investigation | Deniz Yilmaz

    04/02/2026 | 1 h 5 min
    When Sky's audits return serious issues, they don't just fix bugs and ship—they pull the brake and investigate what failed in their internal review process. Deniz Yilmaz, CTO of Sky Frontier Foundation, walks through the defensive layers behind USDS (third-largest stablecoin globally): six-month engineer onboarding requirements, spellcrafting governance with mandatory execution delays, and a protocol security team dedicated to codifying the implicit knowledge that keeps audit reports clean.
    Topics discussed:
    Treating audit findings as internal process failures requiring investigation, not just bug fixes

    Six-month mandatory onboarding periods before engineers can modify spellcrafting code

    Pre-audit internal review standards achieving consistent zero-finding results across multiple audit firms

    Spellcrafting governance requiring bi-weekly token holder votes and execution delays for all protocol changes

    LLM auditing integration delivering PR-level feedback before code reaches internal review

    Mandatory OPSEC certification with domain hash verification testing for multisig signers

    Protocol security workstreams codifying senior engineer practices into transferable frameworks

    Auditor selection prioritizing codebase-specific experience over firm reputation

    Subdao security enforcement maintaining core standards across autonomous entities with independent economics

    Game theory-based development considering internal actor exploitation during code design
  • The Web3 Security Podcast

    Web3 Security Podcast: DC Builder, Research Engineer at World Foundation

    27/01/2026 | 1 h 9 min
    World Foundation's proof-of-personhood system was defended against an iris-spoofing attack in which users verified multiple times by pairing their left eye with someone else's right eye, exploiting uniqueness checks that operated on eye pairs rather than on individual eyes. DC Builder, Research Engineer at World Foundation, explains the multimodal defense they deployed: continuous 3D heat mapping, time-of-flight sensors, anomaly-detection models trained on contact-lens datasets across manufacturers, and checks for glasses that alter iris patterns.
    This is one attack surface in a system protecting 38 million verified humans. World became Nvidia's largest security partner for Jetson NX embedded chips, filing more vulnerability reports than any other customer after discovering edge cases in production deployment that Nvidia's internal teams had not encountered. DC's current focus is Proofkit, a Noir backend optimized for client-side ZK proving on constrained mobile devices, because the 99th percentile of World's users run phones with minimal memory and CPU headroom.
    The technical architecture spans layers most Web3 teams never touch. Trusted execution environments and secure enclaves depend on vendor supply chains. Private keys etched into Orbs during manufacturing are destroyed after provisioning. Groth16 proofs require trusted setups, from both the PSE ceremony and World's own. Iris codes are protected by a multiparty computation scheme, but compromise of the MPC parties would expose biometric-derived data. Open-source firmware on ejectable SD cards enables independent verification against the GitHub repos, an auditability model DC walks through in detail.
    Topics discussed:
    Iris spoofing via eye permutation attacks: left-eye/right-eye combinations bypassing uniqueness checks

    Multimodal biometric defense: 3D heat mapping, time-of-flight sensors, contact lens detection across manufacturers

    Filing the majority of Nvidia Jetson NX vulnerability reports from production edge cases that were undiscovered internally

    Building Proofkit: Noir backend optimized for ZK proving on memory-constrained Android devices at 99th percentile

    Formal verification pipeline: automatic gnark-to-Lean circuit extraction developed with Reilabs

    Groth16 trusted setup dependencies: PSE ceremony plus World's own setup and associated compromise risks

    MPC protocol security: encrypted iris codes and what exposure means for biometric-derived sensitive data

    Hardware auditability: ejectable SD cards enabling firmware verification against open-source repositories

    Supply chain trust model: secure enclave vendors, TEE implementations, manufacturing key provisioning

    Attack surface inventory: hardware TEEs, Linux-based custom OS, biometric ML pipelines, MPC protocols, ZK circuits
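The eye-permutation bypass described in this episode comes down to what the uniqueness check is keyed on. The following is an added example, not World Foundation's code: a toy model in which iris codes are fixed-length bit strings compared by normalised Hamming distance (Daugman-style matching), with a pair-keyed registry beside a per-eye one. The codes, the match threshold, the recapture noise and the two identities are all constructed for illustration and are not real biometric data.

```python
"""Added example, not World Foundation's code: a toy model of the eye-pair
uniqueness bug. Iris codes are 64-bit strings compared by normalised Hamming
distance; every constant below is constructed for illustration."""
from dataclasses import dataclass, field

CODE_BITS = 64
MATCH_THRESHOLD = 0.30   # assumed: a distance below this means "same eye"
MASK = (1 << CODE_BITS) - 1


def hamming_fraction(a: int, b: int) -> float:
    """Normalised Hamming distance between two iris codes (0.0 identical, ~0.5 unrelated)."""
    return bin((a ^ b) & MASK).count("1") / CODE_BITS


def same_eye(a: int, b: int) -> bool:
    return hamming_fraction(a, b) < MATCH_THRESHOLD


@dataclass
class PairKeyedRegistry:
    """Vulnerable design: uniqueness is decided on the (left, right) pair as a unit,
    so a pair nobody has presented before is accepted even if one eye is already enrolled."""
    pairs: list = field(default_factory=list)

    def enroll(self, left: int, right: int) -> bool:
        for seen_left, seen_right in self.pairs:
            if same_eye(seen_left, left) and same_eye(seen_right, right):
                return False      # exact pair replay is caught ...
        self.pairs.append((left, right))
        return True               # ... but a new combination of old eyes is not


@dataclass
class PerEyeRegistry:
    """Hardened design: each submitted eye is matched on its own against every enrolled
    eye code on either side, so reusing any single eye in any position is rejected."""
    eyes: list = field(default_factory=list)

    def enroll(self, left: int, right: int) -> bool:
        if any(same_eye(seen, left) or same_eye(seen, right) for seen in self.eyes):
            return False
        self.eyes.extend((left, right))
        return True


# Constructed iris codes: every cross-person distance is 0.5 or 1.0, far above the threshold.
ALICE_L, ALICE_R = 0xFFFFFFFF00000000, 0x00000000FFFFFFFF
BOB_L,   BOB_R   = 0xF0F0F0F0F0F0F0F0, 0x0F0F0F0F0F0F0F0F
RECAPTURE_NOISE = 0b111   # a fresh scan differs from enrolment by 3 bits (3/64 = 0.047)


def recapture(code: int) -> int:
    """Simulates a fresh scan of an already-enrolled eye."""
    return code ^ RECAPTURE_NOISE


def run_scenario(registry) -> dict:
    """Replays the enrolment sequence from the episode against one registry design."""
    return {
        "alice_enrolls": registry.enroll(ALICE_L, ALICE_R),
        "bob_enrolls": registry.enroll(BOB_L, BOB_R),
        # Plain replay: Alice rescans both of her own eyes.
        "alice_replays_own_pair": registry.enroll(recapture(ALICE_L), recapture(ALICE_R)),
        # The permutation attack: Alice's left eye paired with Bob's right eye.
        "alice_left_with_bob_right": registry.enroll(recapture(ALICE_L), recapture(BOB_R)),
    }


if __name__ == "__main__":
    for cls in (PairKeyedRegistry, PerEyeRegistry):
        print(cls.__name__, run_scenario(cls()))
```

The pair-keyed registry rejects the straightforward replay, which is why the bug survives casual testing, yet accepts the left/right permutation because that exact pair has never been seen. The per-eye registry matches each eye against every enrolled code regardless of side, so a deliberate side swap is caught as well; a production system would additionally have to pick the threshold from its own false-match statistics rather than the constant assumed here.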
  • The Web3 Security Podcast

    How Solana achieved 2 years uptime after launching with $3M | Matt Sorg (Solana Foundation)

    14/01/2026 | 1 h 7 min
    When Solana dropped to $8 during the FTX collapse, Matt Sorg watched Twitter erupt while his validator network stayed focused on the technical roadmap. The VP of Technology at Solana Foundation had built something that would prove more valuable than hype: a technically aligned community shipping performance improvements on a quarterly cadence.

    Matt explains why Solana's early instability wasn't architectural: it was financial constraint forcing impossible tradeoffs. Spring 2018's dead ICO market meant raising roughly $2-3 million versus the hundreds of millions typical L1s raise today. The choice: ship with tech debt or die waiting for perfect code. They shipped, survived the resulting instability crisis, and spent the next several years systematically eliminating every bottleneck through what Matt calls "mindful engineering."

    The maturity shows in the security infrastructure. Four independent audit firms review every Anza code release. Continuous fuzzing catches regressions before they ship. Firedancer's launch as a second client enables differential testing, which is becoming the de facto Solana specification. The result: approaching two years of continuous uptime with upgrades shipping every three months. The bigger technical leap is still ahead: Alpenglow consensus tolerating up to 40% of validators failing, multiple concurrent leaders undercutting MEV by removing the block-building monopoly, and local inclusion certificates delivering Web2-speed feedback before global consensus.

    Topics discussed:

    Funding the project in spring 2018 with $2-3M in a dead ICO market versus modern $100M+ L1 raises

    Systematic tech debt elimination through bottleneck analysis achieving nearly two years uptime

    Four independent audit firms plus continuous fuzzing reviewing every Anza release

    Firedancer second client enabling differential testing becoming canonical Solana specification

    Alpenglow consensus tolerating up to 40% validator failure (20% Byzantine plus a further 20% offline) versus the standard 33% Byzantine tolerance

    Multiple concurrent leaders requiring only one honest leader among eight for inclusion guarantees

    Local inclusion certificates providing Web2 speed feedback before global consensus finalization

    800+ profitable validators independently reviewing GitHub releases on bare metal versus cloud VMs

    Savvy validator recruitment through performance focused mission attracting talent that only operates on Solana

    AI-powered social engineering replacing technical exploits as the dominant app-layer attack vector

    Applications over-engineering financial components before product-market-fit validation

    Non-financial primitives like points enabling faster iteration without security overhead
  • The Web3 Security Podcast

    Six months before touching production: How Sky enforces context-building that delivers zero-finding audits | Deniz Yilmaz

    06/01/2026 | 1 h 5 min
    When Sky's audits return serious issues, they don't just fix bugs and ship—they pull the brake and investigate what failed in their internal review process. Deniz Yilmaz, CTO of Sky Frontier Foundation, walks through the defensive layers behind USDS (third-largest stablecoin globally): six-month engineer onboarding requirements, spellcrafting governance with mandatory execution delays, and a protocol security team dedicated to codifying the implicit knowledge that keeps audit reports clean.

    Topics discussed:

    Treating audit findings as internal process failures requiring investigation, not just bug fixes

    Six-month mandatory onboarding periods before engineers can modify spellcrafting code

    Pre-audit internal review standards achieving consistent zero-finding results across multiple audit firms

    Spellcrafting governance requiring bi-weekly token holder votes and execution delays for all protocol changes

    LLM auditing integration delivering PR-level feedback before code reaches internal review

    Mandatory OPSEC certification with domain hash verification testing for multisig signers

    Protocol security workstreams codifying senior engineer practices into transferable frameworks

    Auditor selection prioritizing codebase-specific experience over firm reputation

    Subdao security enforcement maintaining core standards across autonomous entities with independent economics

    Game theory-based development considering internal actor exploitation during code design

    Listen to more episodes: Apple, Spotify, YouTube, Website


About The Web3 Security Podcast

The Web3 Security Podcast explores the discipline of Web3 security through conversations with leaders at prominent crypto and Web3 companies. Each episode delivers practical insights into security philosophies, strategic approaches, and vendor evaluation processes. Our guests share hard-earned lessons from the field, without revealing sensitive implementation details or vulnerabilities. We dive deep into the thinking behind security decisions, the challenges of protecting decentralized systems, and the strategies that actually work. Whether you're a CTO, security leader, or technical decision-maker, you'll walk away with concrete insights to strengthen your security posture.
Podcast website

v8.7.2 | © 2007-2026 radio.de GmbH
Generated: 3/6/2026 - 11:54:00 PM