I’m concerned that the need for security and correctness in smart contract engineering is being outweighed by the pressure to deliver highly complex systems to anxious ICO investors.
Following conversations at EdCon in Toronto, there’s a clear need for a gathering specifically focused on smart contract security. Here is my best attempt at outlining what I think this event would look like, as well as my open questions.
Goals
To share knowledge to prevent and mitigate security risks facing smart contract systems. I’m particularly interested in anything that improves the working relationship between auditors and developers, and the outcomes of working with a security audit firm.
Topics
For best results, the scope should be well defined, and strictly enforced.
In scope
- Secure development lifecycle
  - especially how auditors can work with developers earlier (not doing security at the end)
- Auditing standards, techniques and best practices
- Security analysis tools
- Formal verification in practice
- Risk mitigation
- Upgradeability
- Running a good bug bounty
Out of scope
- Protocol governance
- Security of protocol client software
- Crypto-economics and game theory
- Product/service sales pitches which are not educational, or fre
Event details
Timing/Location: August or September, at a time coinciding with another major event which would attract the right audience. ETHBerlin is a good candidate. It should be before or after the primary event, not concurrent with it or run as a sub-conference.
Attendance: Attendance should be skewed towards the security community, with healthy representation from high quality developer teams. I think this should be small-ish, in the range of 40 to 100 attendees.
Format: I really don’t know. An unconference format might work, but I’m least opinionated about this, and think it will figure itself out during the organization process.
Open Questions
- What’s the right format?
- When/where should this happen?
- Can the goal and scope be refined?
- Who can help make this happen?
  - I can help by reaching out to the security and dev community, providing input on curation, facilitation, topics of discussion, etc.
  - I do not have bandwidth to organize logistics, or the kinds of activities that require a lot of quick email response.