The story starts in a country up north in Europe, Sweden, where a group of software researchers from the Royal Institute of Technology, KTH, gather to study the fascinating web3 world.
About the author:
Hej hej!
This is Sofia, I'm a first-year PhD student working on automated program repair for smart contracts. I had the wonderful opportunity to be part of the DevCon Scholar Program and this is my outcome of this experience, a learning artifact of my takeaways as a researcher attendee at DevCon 2024.
Enough about me, let me introduce you to who we are, because this post won't be only about my experience but also about the one gathered by my colleagues, all of them researchers from KTH, Sweden. Hope you enjoy it and ultimately learn something. :)
Our research group-- ASSERT
Starting from 2017, the lead professor of this group, Martin Monperrus, has investigated the blockchain from different perspectives. And 7 years later, in 2024, the group is going strong with 3 full-time PhD students, 2 engineers and 6 master students working on blockchain-related topics.
It is a well-known phenomenon that computer science research tends to be far from industry efforts, sometimes even completely disconnected, leading to research efforts being overlooked due to the lack of adoption or for not being grounded enough. Particularly at KTH and in our group, we aim to build knowledge on real problems, to present real and applicable solutions. The way to do this is by connecting with industry.
This mentality led our group to embark on the journey to DevCon 2024 in Thailand with a clear goal in mind:
- To understand the past, present, and future of the Ethereum Ecosystem.
- To get inspired by the cutting-edge research and incredible people we would meet at the event.
- To find companies interested in our research, and validate our ideas.
What happened at DevCon 2024?
While fighting our jet lag, the 5 attendees from our group engaged heavily with the community, spending the days listening to interesting talks and having stimulating conversations with the incredible DevCon attendees.
Unsurprisingly, we found other researchers from Japan, Canada, France and Singapore, and, just as unsurprisingly, they belong to the strongest groups in academia.
But now, let's go technical ;)
Smart Contract Development and Security
Disclaimer, this is my main focus, so be prepared.
One of the most interesting takeaways was seeing the difference in positions between auditors, developers, and security researchers.
Regarding the use of tools, opinions were quite divided. Auditors do not want to spend time using tools that won't really contribute (because detection is faulty) and would rather spend the extra time doing manual review. Developers and security researchers consider the process to be way too manual, and think that adding a tool that checks for these repetitive vulnerable patterns would be great.
For us, this was a clear indicator that:
- There is no reliable tool that the community is using. It will be hard to convince auditors to change their current process, as their abilities surpass the current options.
- We, security researchers, need to do better at understanding our target audience.
- Developers want to improve their CI/CD pipeline and SecOps; this was very well presented in Palina Tolmach's presentation (https://t.co/ozdCb5YqEk).
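To make the tooling debate concrete, here is a small pattern checker of the kind developers asked for, written as an added illustration for this post (it is not a tool from our group, nor one mentioned at DevCon). It scans Solidity source for two well-known repetitive pitfalls, tx.origin used for authentication and low-level calls whose return value is never checked, over a constructed sample contract. The line-by-line regex heuristics are deliberately simple, and that is the point: a check on the line after a call is invisible to it, so it produces exactly the kind of noise that makes auditors fall back to manual review.

```python
"""Minimal Solidity pattern checker (illustrative, not the ASSERT group's tooling)."""
import re

# Constructed sample contract: two functions with well-known risky patterns, one clean one.
SAMPLE = """
contract Vault {
    address owner;
    mapping(address => uint256) balances;

    function setOwner(address o) public {
        require(tx.origin == owner, "not owner");   // tx.origin used for authentication
        owner = o;
    }

    function withdraw() public {
        uint256 amt = balances[msg.sender];
        msg.sender.call{value: amt}("");            // return value never checked
        balances[msg.sender] = 0;
    }

    function safeWithdraw() public {
        uint256 amt = balances[msg.sender];
        balances[msg.sender] = 0;
        (bool ok, ) = msg.sender.call{value: amt}("");
        require(ok, "transfer failed");
    }
}
"""

# tx.origin inside a require/if condition: phishable authentication check.
TX_ORIGIN_AUTH = re.compile(r"\b(require|if)\s*\(.*\btx\.origin\b")
# Low-level call, optionally with {value: ...}/{gas: ...} options, e.g. `.call{value: x}(...)`.
LOW_LEVEL_CALL = re.compile(r"\.(call|delegatecall|staticcall)\s*(\{[^}]*\})?\s*\(")
# Line shapes that consume the call's result on the same line (tuple/bool assignment, require, if, return).
RESULT_CHECKED = re.compile(r"^\s*(\(\s*bool\b|bool\b|require\s*\(|if\s*\(|return\b|[A-Za-z_]\w*\s*=)")


def check_source(src):
    """Return a list of (line_number, finding_id) for the heuristics above.

    Heuristic limits (the source of auditor frustration with such tools):
    a return value checked on a *later* line is still reported as unchecked,
    and tx.origin used for logging rather than authentication is not distinguished.
    """
    findings = []
    for lineno, line in enumerate(src.splitlines(), start=1):
        code = line.split("//", 1)[0]  # ignore trailing line comments
        if TX_ORIGIN_AUTH.search(code):
            findings.append((lineno, "tx-origin-auth"))
        if LOW_LEVEL_CALL.search(code) and not RESULT_CHECKED.match(code):
            findings.append((lineno, "unchecked-low-level-call"))
    return findings


def summarize(src):
    """Count findings per id, the shape a CI step would gate on."""
    counts = {}
    for _, fid in check_source(src):
        counts[fid] = counts.get(fid, 0) + 1
    return counts


if __name__ == "__main__":
    for lineno, fid in check_source(SAMPLE):
        print(f"line {lineno}: {fid}")
    print(summarize(SAMPLE))
```

Running it on the sample reports line 7 (tx.origin authentication) and line 13 (unchecked call) and stays quiet on safeWithdraw, which checks the tuple result. Dropping a check onto the following line is enough to make the tool wrong in either direction, which is the precision problem auditors described.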
In other areas, the talks from the ChainSecurity team were very interesting and refreshing to listen to. I particularly remember Theresa Wakoning on "Things you didn't know about contract deployment" (https://app.devcon.org/speakers/3C9UGV). As written in the well-known paper SoK: DeFi Attacks (https://sok.defi.security/), most of the attacks follow unexpected patterns of usage; you have to know the code and its "magic" to protect yourself from exploits.
On the offensive learning:
Learning about the attacks that the community has faced these past 2 years was very insightful.
In particular, seeing how much Web2 attacks are used for Web3 attacks resonated with our strong background in the software supply chain. On the other side, it was shocking to learn that most of the losses in assets come from attacks that collect private keys!
Security for smart contracts is crucial, but are we overlooking the most direct method of attack? See our newest Master thesis topic in this matter: https://www.monperrus.net/martin/topics#uid80
For future conferences, the suggestion is to also attend the side event: DeFi Security Summit (https://cryptoevents.global/defi-security-summit-2024-devcon-7/), extremely beneficial for any folk interested in security.
The trending one: Zero Knowledge
I'm not going to b*s* you, I'm still not up to date with what they are, but do you know who is? My esteemed colleague Javier Ron, who heavily searched for talks and inspiration on the matter.
Indeed, they have recently submitted a white paper on Proving and Rewarding Client Diversity to Strengthen Resilience of Blockchain Networks (https://arxiv.org/pdf/2411.18401). This research is partially funded by the EF itself, check it out! :)
Some final words
We came back happy and inspired to our cold yet lovely place. Being a researcher did not stop us from enjoying DevCon, and it has definitely become a steering point in our careers.
We strongly recommend other academic researchers to take part in such events. From my perspective, the technical and community learning is invaluable.
Finally, this can be an excellent opportunity to find internships and possible collaborators from industry, or, as I told my new friend Matt, guinea pigs that will happily try our future tools xD.
Thank you for reading :)
Med vänliga hälsningar,
Sofia Bobadilla