
The Web3 Security Podcast

Latest episode

14 episodes

  • The Web3 Security Podcast

    Sky's zero-finding audit framework: Six-month onboarding and process investigation | Deniz Yilmaz

    04/2/2026 | 1 h 5 min
    When Sky's audits return serious issues, they don't just fix bugs and ship—they pull the brake and investigate what failed in their internal review process. Deniz Yilmaz, CTO of Sky Frontier Foundation, walks through the defensive layers behind USDS (third-largest stablecoin globally): six-month engineer onboarding requirements, spellcrafting governance with mandatory execution delays, and a protocol security team dedicated to codifying the implicit knowledge that keeps audit reports clean.

    Topics discussed:
    Treating audit findings as internal process failures requiring investigation, not just bug fixes

    Six-month mandatory onboarding periods before engineers can modify spellcrafting code

    Pre-audit internal review standards achieving consistent zero-finding results across multiple audit firms

    Spellcrafting governance requiring bi-weekly token holder votes and execution delays for all protocol changes

    LLM auditing integration delivering PR-level feedback before code reaches internal review

    Mandatory OPSEC certification with domain hash verification testing for multisig signers

    Protocol security workstreams codifying senior engineer practices into transferable frameworks

    Auditor selection prioritizing codebase-specific experience over firm reputation

    Subdao security enforcement maintaining core standards across autonomous entities with independent economics

    Game theory-based development considering internal actor exploitation during code design

  • The Web3 Security Podcast

    Web3 Security Podcast: DC Builder, Research Engineer at World Foundation

    27/1/2026 | 1 h 9 min
    World Foundation's proof of personhood system defended against an iris spoofing attack where users verified multiple times by pairing their left eye with someone else's right eye—exploiting uniqueness checks that operated on eye pairs rather than individuals. DC Builder, Research Engineer at World Foundation, explains the multimodal defense they deployed: continuous 3D heat mapping, time-of-flight sensors, anomaly detection models trained on contact lens datasets across manufacturers, and checks for glasses that alter iris patterns.
    This represents one attack surface in a system protecting 38 million verified humans. World became Nvidia's largest security partner for Jetson NX embedded chips, filing more CVSS reports than any other customer after discovering edge cases from production deployment that Nvidia's internal teams hadn't encountered. DC's current focus: building Proofkit, a Noir backend optimized for client-side ZK proving on constrained mobile devices, because the 99th percentile of World's users operate phones with minimal memory and CPU headroom.
    The technical architecture spans layers most Web3 teams never touch. Trusted execution environments and secure enclaves depend on vendor supply chains. Private keys etched into Orbs during manufacturing get destroyed after provisioning. Groth16 proofs require trusted setups from both PSE and World's own ceremony. Multiparty computation encrypts iris codes, but compromise would expose biometric-derived data. Open-source firmware on ejectable SD cards enables independent verification against GitHub repos—an auditability model DC walks through in detail.
    Topics discussed:
    Iris spoofing via eye permutation attacks: left-eye/right-eye combinations bypassing uniqueness checks

    Multimodal biometric defense: 3D heat mapping, time-of-flight sensors, contact lens detection across manufacturers

    Filing majority of Nvidia Jetson NX CVSS reports through production edge cases undiscovered internally

    Building Proofkit: Noir backend optimized for ZK proving on memory-constrained Android devices at 99th percentile

    Formal verification pipeline: automatic GNARC-to-Lean circuit extraction developed with RayLabs

    Groth16 trusted setup dependencies: PSE ceremony plus World's own setup and associated compromise risks

    MPC protocol security: encrypted iris codes and what exposure means for biometric-derived sensitive data

    Hardware auditability: ejectable SD cards enabling firmware verification against open-source repositories

    Supply chain trust model: secure enclave vendors, TEE implementations, manufacturing key provisioning

    Attack surface inventory: hardware TEEs, Linux-based custom OS, biometric ML pipelines, MPC protocols, ZK circuits
  • The Web3 Security Podcast

    How Solana achieved 2 years uptime after launching with $3M | Matt Sorg (Solana Foundation)

    14/1/2026 | 1 h 7 min
    When Solana dropped to $8 during FTX, Matt Sorg watched Twitter erupt while his validator network stayed focused on the technical roadmap. The VP of Technology at Solana Foundation had built something that would prove more valuable than hype: a technically aligned community shipping performance improvements on a quarterly cadence.

    Matt explains why Solana's early instability wasn't architectural; it was a financial constraint forcing impossible tradeoffs. Spring 2018's dead ICO market meant launching with roughly $2-3 million versus the hundreds of millions typical L1s raise today. The choice: ship with tech debt or die waiting for perfect code. They shipped, survived the resulting instability crisis, and spent the next several years systematically eliminating every bottleneck through what Matt calls "mindful engineering."

    The maturity shows in the security infrastructure. Four independent audit firms review every Anza code release. Continuous fuzzing catches performance regressions. Firedancer's launch as a second client enables differential testing that's becoming the de facto Solana specification. The result: approaching two years of continuous uptime with upgrades shipping every three months. But the real technical leap is what's coming: Alpenglow consensus enabling 40% validator failure tolerance, multiple concurrent leaders eliminating MEV by removing block building monopolies, and local inclusion certificates delivering Web2 speed feedback before global consensus.

    Topics discussed:

    Launching mainnet spring 2018 with $2-3M in dead ICO market versus modern $100M+ L1 funding

    Systematic tech debt elimination through bottleneck analysis achieving nearly two years uptime

    Four independent audit firms plus continuous fuzzing reviewing every Anza release

    Firedancer second client enabling differential testing becoming canonical Solana specification

    Alpenglow consensus mechanism allowing 40% validator failure versus standard 33% Byzantine tolerance

    Multiple concurrent leaders requiring only one honest leader among eight for inclusion guarantees

    Local inclusion certificates providing Web2 speed feedback before global consensus finalization

    800+ profitable validators independently reviewing GitHub releases on bare metal versus cloud VMs

    Savvy validator recruitment through a performance-focused mission attracting talent that only operates on Solana

    AI-powered social engineering replacing technical exploits as the dominant app-layer attack vector

    Applications over-engineering financial components before product-market fit validation

    Non-financial primitives like points enabling faster iteration without security overhead
  • The Web3 Security Podcast

    Six months before touching production: How Sky enforces context-building that delivers zero-finding audits | Deniz Yilmaz

    06/1/2026 | 1 h 5 min
    When Sky's audits return serious issues, they don't just fix bugs and ship—they pull the brake and investigate what failed in their internal review process. Deniz Yilmaz, CTO of Sky Frontier Foundation, walks through the defensive layers behind USDS (third-largest stablecoin globally): six-month engineer onboarding requirements, spellcrafting governance with mandatory execution delays, and a protocol security team dedicated to codifying the implicit knowledge that keeps audit reports clean.

    Topics discussed:

    Treating audit findings as internal process failures requiring investigation, not just bug fixes

    Six-month mandatory onboarding periods before engineers can modify spellcrafting code

    Pre-audit internal review standards achieving consistent zero-finding results across multiple audit firms

    Spellcrafting governance requiring bi-weekly token holder votes and execution delays for all protocol changes

    LLM auditing integration delivering PR-level feedback before code reaches internal review

    Mandatory OPSEC certification with domain hash verification testing for multisig signers

    Protocol security workstreams codifying senior engineer practices into transferable frameworks

    Auditor selection prioritizing codebase-specific experience over firm reputation

    Subdao security enforcement maintaining core standards across autonomous entities with independent economics

    Game theory-based development considering internal actor exploitation during code design
  • The Web3 Security Podcast

    Coinbase's auditing standards with Shashank Agrawal

    18/11/2025 | 1 h 4 min
    Coinbase's security process protecting over $7 billion in TVL rejects the single-audit model common in DeFi. Shashank Agrawal, Senior Engineering Manager, Protocol Security at Coinbase, explains their multi-round validation approach: internal security teams (separated from product engineering) audit first, then external firms audit, and rounds continue until external auditors surface only lows and informationals—never highs or criticals.

    This stopping rule creates a quality bar where internal audits must catch everything significant before external validation. For the Base bridge specifically, this meant independent OP Stack security validation despite Optimism's existing audit work, driven by the "absolutely zero room for error" standard when contracts hold substantial user funds. Their approach treats external auditors as verification layers rather than primary discovery mechanisms.

    Topics discussed:

    Multi-round audit methodology continuing until external firms find zero high-severity or critical issues

    Internal security team structure operating independently from product engineering before external validation

    Base bridge security requiring custom OP Stack validation independent of Optimism's audit coverage

    In-house MPC library development using professor-reviewed specs bridging research papers to production implementation

    Tabletop war gaming exercises simulating worst-case chain scenarios with security, engineering, legal, and compliance teams

    Free Hexagate monitoring partnership providing base-layer protocol coverage for Base ecosystem builders

    Security hiring process using live code audits at different complexity levels for senior (level 5) versus staff (level 6) positions

    Off-chain infrastructure security: key management and transaction signing treated as equal priority to smart contract auditing

    AI smart contract auditing tools showing current production limitations in determinism and false positive rates

    Incident response planning where monitoring systems and alert workflows prioritize minute-by-minute decision speed

About The Web3 Security Podcast

The Web3 Security Podcast explores the discipline of Web3 security through conversations with leaders at prominent crypto and Web3 companies. Each episode delivers practical insights into security philosophies, strategic approaches, and vendor evaluation processes. Our guests share hard-earned lessons from the field, without revealing sensitive implementation details or vulnerabilities. We dive deep into the thinking behind security decisions, the challenges of protecting decentralized systems, and the strategies that actually work. Whether you're a CTO, security leader, or technical decision-maker, you'll walk away with concrete insights to strengthen your security posture.