ETH Berlin Unconference Lightning Talks


#1

If you’d like to speak at ETHBerlin Security Unconference – please include your topic in the comments. We will use this discourse thread and comments to organize the agenda. Please propose your topic, length of time and any associated materials below:


#2

Also, if you have suggestions for different types of things we should do, things like brainstorming sessions (like #EIP0) etc., please make suggestions here.

I think a lot of us will have similar things to say, and I think the best talks will be ones where a large problem is described (that is so far unsolved) or unique solutions were found (that will be broadly useful if adopted).

Assume an audience of your peers. What do you wish they knew? What do we need to collaborate on? What do we disagree about?


#3

What’s the attitude towards presenting on any of the following Diligence projects?

  1. Our tools: (i.e. Mythril/Surya)
  2. https://www.panvala.com/ (secure contract TCR)
  3. Our audit process

We’re sensitive to the need to educate, not sell.


#4

Tools might be interesting, to get to know what’s out there. The contract TCR is a pretty interesting concept, would also be neat to explore that.

I think we might try to have a workshop comparing and contrasting audit processes since most people in the room either have one or have gone through one. A presentation about it might get a little repetitive if everyone did one lol.


#5

I definitely think a deep dive on Mythril/Surya would be valuable. I think everyone at some level in the ETH community has vaguely heard of Mythril and Oyente at this point, and presenting some of the more interesting facets would be of value for a lot of people.


#6

Agree about redundancy, and I also favor more interactive/collaborative content vs. a lot of one to many talks.


#7

Maybe another interactive talk about figuring out all the tools and what they each do? Also, perhaps what tools are needed?


#8

I’d like to talk about the newest Mythril developments & explain how to use our public API, which will most likely be released by then. We have some really cool things in the pipeline. Maybe 30-40 mins.


#9

I wonder if a more interactive workshop on tools might be fun. E.g. setting them up, running against a benchmark, getting a feel for how they work.

Might spark creativity of what is missing in the dev toolbox.


#10

I’d like to give a talk about Automated Protocols for Smart Contract Security, such as the one built by Quantstamp. The talk would present the network architecture, some challenging problems, and current developments.


#11

Can you explain more fully? I.e. products that continuously watch deployed code for new vulnerabilities as they become available?


#12

It’s more of a decentralized network for performing security audits before the code gets deployed. Think of it as Mythril, Oyente, and other tools that run on multiple nodes and produce an audit report.

Monitoring services for deployed code could be something to brainstorm about, e.g., what would be useful properties to monitor for.


#13

I think a pretty well agreed upon metric would be analysis for the fabled “list of all Ethereum bugs” we need to create (and curate). A set of tools that checks 100% coverage against this list (through standard and custom analysis) can be monitored over time (rerun for every new bug), and the relevant developer alerted when a new bug breaks the on-chain deployed code.

This might look similar in practice to Etherscan’s “this contract may suffer from…” information they provide.


#14

Also, why wouldn’t I just run these tools myself? Does the network provide analysis of the results to determine false positives?


#15

I’d like to present how you can use insurance as a final safety-net should something slip through all the security checks. Including how all the security tools (now and in the future) can impact the cost of cover.

While this is my project (Nexus Mutual) I hope it will add something to the conversation, as an additional piece of the security puzzle, the intention is not to sell.

In terms of format, I prefer a more interactive format, something like a 15min presentation followed by 15min Q&A, but happy to go with whatever suits.


#16

@drgoldberg and us have done some brainstorming & we came up with the idea to do a joint smart contract auditing workshop (Bloctrax / ConsenSys Diligence / Mythril team). This way we can leverage the workshop materials they already have including practical exercises. I could also do a briefing on new & upcoming Mythril features. Maybe 1/2 day length. What do you think?


#17

By this do you mean laying out an audit process? I think this may have utility, but the point is not to say what an audit looks like, as there are different layers of need and different capabilities each firm brings to the table.

A presentation on Mythril and its capabilities would be good I think.


#18

Yesssss, and maybe we can have a discussion on how you evaluate risk of smart contract systems, so that you can pay appropriate premiums relative to the market. I think this can be a major part of ensuring adoption of a quality process, one that doesn’t require it to be in place, but eventually ensures it because who wants to pay 30% a month in premiums?


#19

Well, maybe. Whereas a “list of all Ethereum bugs” may be a good place to start, certainly not all Ethereum bugs apply to all the contracts. For example, increased token supply may be a bug in one project, but not in another (here the property to check is whether the supply is constant, or varies by no more than a certain amount over a given period of time).


#20

  1. If a developer is capable of setting up the tools, running analyses, and understanding the results, they may as well do it, provided that they have access to the tools, enough time, and the resources (e.g., computing power) to run the tools.
  2. Currently we are focused on building the network itself. Tool improvements are future work. The improvements (e.g., filtering of false positives) will provide added value over the vanilla tools.