During Devconnect Buenos Aires, the Ethereum Foundation, together with Secureum TrustX, hosted Trillion Dollar Security Day, a working session for Ethereum security practitioners. Its purpose was to examine the challenges of securing an economy expected to reach trillions of dollars in value and to propose concrete responses. Roughly eighty stakeholders from across the Ethereum security ecosystem, covering Infrastructure, Interoperability, Layer 1 & 2, Onchain, Offchain, Privacy, and Wallets, met to assess the current security landscape, identify shared pain points, and agree on actionable next steps. The findings and proposals from the event will feed directly into the Ethereum Foundation’s One Trillion Dollar Security (1TS) initiative, which is dedicated to the secure growth of the Ethereum network.
Trillion Dollar Security Day was prompted by a simple observation: as Ethereum’s economic footprint grows, so do the complexity and scale of its security requirements. The event was built around focused, in-person discussions within specific layers of the Ethereum stack. Bringing together practitioners who know one segment of the ecosystem intimately allowed for candid assessment of current security postures, exchange of real-world operational problems, and joint prioritization of near-term improvements. The outputs of these layer-specific sessions were then combined to surface patterns, dependencies, and possible synergies across the broader Ethereum security domain.
The goals of the gathering were: to evaluate the present security landscape across every layer of the Ethereum stack; to surface the common challenges practitioners face within each security domain; to agree on actionable, near-term priorities for strengthening Ethereum’s security; and to set out a roadmap for continued collaboration and development within the Ethereum security community. Participants worked in breakout sessions for their respective layers, discussing what currently works, where the gaps and weaknesses are, and where immediate and sustained effort is most needed.
A snapshot of the discussions shows several themes that recurred across the layers of the Ethereum ecosystem, underscoring how interdependent security is in a complex decentralized network.
The following table offers a condensed overview of the key issues identified and the immediate next steps proposed during the Trillion Dollar Security Day sessions:
| Layer | Key Issues | Identified Immediate Next Steps |
|---|---|---|
| Layer 1 & 2 | Quantum risk, weak L1/L2 coordination, cloud dependence, compressed testing | Expand EPF onboarding, create L2 liaisons, improve EIP versioning & ownership |
| Wallets | Blind signing, paywalled security, low coordination | Form an Open Signing Alliance, neutral/on-chain EIP-7730 registry, wallet dashboards |
| Onchain | "Audited" not "secure", weak IR, OpSec failures | Fund OSS security tooling, create DeFi security visibility, promote SEAL |
| Interop | Unsafe trust assumptions, UX favors speed over safety | Interop trust ratings, clearer disclosures, improve canonical bridge UX |
| Infrastructure | Frontend hacks, RPC centralization, DNS SPOFs | Verifiable frontends, infra transparency dashboards, light-client wallets |
| Offchain | Misaligned incentives, Web2 attack-surface blind spots | Security frameworks, certifications, public-goods staffing models |
| Privacy | UX and infrastructure constraints | Light-client data over P2P, investment in private wallet UX, ZK-capable hardware signer research |
Layer 1 & 2: Coordination Remains a Bottleneck
The fundamental security architecture of Ethereum, characterized by its multi-client design, rigorous specification-driven development, and a deliberately conservative approach to Layer 1 changes, continues to provide a robust foundation. However, participants at Trillion Dollar Security Day identified significant risks stemming from a perceived lack of cohesive coordination between Layer 1 and Layer 2 solutions. Furthermore, compressed testing timelines, an over-reliance on centralized cloud infrastructure, and persistent concerns surrounding the security of the software supply chain were highlighted as areas demanding immediate attention.
Specific challenges raised in the sessions included limited community and Layer 2 participation in All Core Devs calls, limited capacity within client teams to review Ethereum Improvement Proposals (EIPs) while they are still taking shape, and open questions about the security of Layer 1 to Layer 2 bridging and the resilience of Remote Procedure Call (RPC) services.
To address these critical issues, proposed next steps focus on tangible actions such as expanding the reach and impact of the Ethereum Protocol Fellowship (EPF) program, establishing clearer roles and responsibilities for Layer 2 liaisons, enhancing the clarity and ownership associated with EIP versioning, and bolstering moderation and accessibility within existing coordination forums to encourage broader participation.
Wallets: User Security Remains Too Opaque
Progress has been made on signing standards such as EIP-7730 and on wallet discoverability, but serious concerns about user security remain. The foremost is that most hardware wallets still rely on "blind signing": the device displays only a hash or the raw calldata rather than the decoded intent of the transaction, so the user cannot tell a benign transfer from a malicious approval and has to trust whatever the connected host software claims the payload does. Wallet participation in collaborative security discussions also remains limited, aggravated by a perceived "paywalled" approach to security information and weak coordination across the diverse wallet ecosystem.
The competitive wallet market was cited as a structural obstacle to open collaboration, with too much reliance on the Ethereum Foundation to drive coordination. The central proposal in response is an Open Signing Alliance, anchored in Ethereum’s values of openness and neutrality and in the "walkaway test": users must remain able to access and move their assets even if the vendor behind a product disappears. Further priorities include hosting the EIP-7730 registry in a neutral, ideally on-chain, location so that it stays accessible and tamper-resistant, and building wallet-focused security dashboards that make each wallet’s security posture transparent and verifiable, so that user trust rests on evidence rather than reputation.
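The difference between blind and clear signing is easiest to see on a concrete payload. The following is an added example, not code from the post or from any wallet vendor: it ABI-encodes two constructed ERC-20 calls, shows the only thing a blind-signing device can present (a truncated raw payload or a hash), and then decodes the same bytes into the intent a clear-signing device can display. The selectors 0xa9059cbb (transfer) and 0x095ea7b3 (approve) are the standard ERC-20 values; the addresses and amounts are made up for illustration.

```python
"""Added example (not from the post): what a blind-signing device lets the
user verify versus what decoding the calldata reveals.

The ERC-20 selectors 0xa9059cbb (transfer(address,uint256)) and 0x095ea7b3
(approve(address,uint256)) are the standard values; the addresses and the
transactions below are constructed for illustration only."""

# selector (hex, no 0x) -> (function name, static argument types)
KNOWN_SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
}
UINT256_MAX = (1 << 256) - 1


def encode_erc20_call(selector: str, address: str, amount: int) -> str:
    """ABI-encode a two-argument (address, uint256) call: the 4-byte selector
    followed by each argument left-padded to a 32-byte word."""
    addr_word = address.removeprefix("0x").lower().rjust(64, "0")
    amount_word = amount.to_bytes(32, "big").hex()
    return "0x" + selector + addr_word + amount_word


def blind_view(calldata: str) -> str:
    """All a blind-signing device can show: a truncated raw payload (some
    devices show a hash instead). Nothing here tells the user what the call does."""
    raw = calldata.removeprefix("0x")
    return f"Sign raw data 0x{raw[:8]}...{raw[-8:]} ({len(raw) // 2} bytes)?"


def decode_call(calldata: str) -> dict:
    """Decode a static-argument ABI call against KNOWN_SELECTORS."""
    data = bytes.fromhex(calldata.removeprefix("0x"))
    if len(data) < 4:
        raise ValueError("calldata shorter than a 4-byte selector")
    selector = data[:4].hex()
    entry = KNOWN_SELECTORS.get(selector)
    if entry is None:
        return {"function": "unknown", "selector": "0x" + selector, "args": []}
    name, types = entry
    body = data[4:]
    if len(body) != 32 * len(types):
        raise ValueError(f"{name}: expected {32 * len(types)} argument bytes, got {len(body)}")
    args = []
    for i, typ in enumerate(types):
        word = body[32 * i : 32 * (i + 1)]
        if typ == "address":
            # Addresses are right-aligned; the 12 high bytes must be zero,
            # otherwise the payload is malformed and must not be signed.
            if any(word[:12]):
                raise ValueError("non-zero padding in address word")
            args.append("0x" + word[12:].hex())
        else:  # uint256
            args.append(int.from_bytes(word, "big"))
    return {"function": name, "selector": "0x" + selector, "args": args}


def clear_view(calldata: str) -> str:
    """The human-readable intent a clear-signing device can display."""
    call = decode_call(calldata)
    if call["function"] == "approve":
        spender, amount = call["args"]
        shown = "UNLIMITED (2**256-1)" if amount == UINT256_MAX else str(amount)
        return f"approve: let {spender} spend {shown} of your tokens"
    if call["function"] == "transfer":
        to, amount = call["args"]
        return f"transfer: send {amount} tokens to {to}"
    return f"unknown function {call['selector']}: intent cannot be verified"


# Constructed samples: a benign transfer, and an unlimited approval to an
# arbitrary (hypothetical) spender, the typical payload of a token drainer.
FRIEND = "0x2222222222222222222222222222222222222222"
SPENDER = "0x1111111111111111111111111111111111111111"
BENIGN_TRANSFER = encode_erc20_call("a9059cbb", FRIEND, 5 * 10**18)
UNLIMITED_APPROVE = encode_erc20_call("095ea7b3", SPENDER, UINT256_MAX)

if __name__ == "__main__":
    for calldata in (BENIGN_TRANSFER, UNLIMITED_APPROVE):
        print("blind :", blind_view(calldata))
        print("clear :", clear_view(calldata))
```

Both payloads look alike under `blind_view`; only `clear_view` exposes that the second one hands a spender unlimited allowance. A real clear-signing descriptor (the role EIP-7730 metadata plays) also has to be trusted, which is why the post's point about hosting the registry somewhere neutral and tamper-resistant matters: a decoder fed a malicious descriptor is no better than blind signing.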
Onchain Security: Tooling and Visibility Lag Behind Risk
The onchain security landscape continues to benefit from a growing pool of highly skilled security researchers, enhanced tooling such as the Foundry framework, and increased awareness surrounding incident response, exemplified by initiatives like SEAL911. However, a persistent issue is the tendency for security to be treated as a mere compliance checkbox, with the term "audited" often being conflated with the more robust assurance of "secure."
Participants emphasized that a significant majority of recent financial losses within the ecosystem stem from operational security (OpSec) failures rather than novel smart-contract exploits. Other critical challenges include the increasing complexity of onchain protocols, insufficient invariant monitoring, and a widespread lack of comprehensive economic audits.
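Invariant monitoring, named above as an area that is under-invested, is concrete enough to show in code. The following is an added example, not tooling from the post or from any project it mentions: an offchain monitor that replays a token contract's Transfer events into a shadow ledger and, after every block, reconciles the ledger against the totalSupply() value the contract reports. The event stream, holder labels and reported supply figures are constructed; the convention that mints and burns are Transfer events from and to the zero address is the standard ERC-20 one.

```python
"""Added example (not from the post): an offchain invariant monitor that
reconciles what a token contract's events imply with what the contract
reports. The event stream and the reported supply figures below are
constructed; the ERC-20 convention that mints and burns are Transfer events
from and to the zero address is standard."""
from dataclasses import dataclass

ZERO = "0x0000000000000000000000000000000000000000"


@dataclass(frozen=True)
class BlockObservation:
    block: int
    transfers: tuple            # (from, to, value) Transfer events in this block
    reported_total_supply: int  # totalSupply() as read from the contract after the block


def check_invariants(observations):
    """Replay Transfer events into a shadow ledger and, after every block, check:
    1. no holder's shadow balance is negative (a transfer exceeded its source
       balance, or events were missed), and
    2. sum(shadow balances) == the totalSupply() the contract reports (otherwise
       supply changed without a matching event: a hidden mint, burn, or rebase bug).
    Returns a list of (block, message) alerts in detection order."""
    balances = {}
    alerts = []
    for obs in sorted(observations, key=lambda o: o.block):
        touched = set()
        for frm, to, value in obs.transfers:
            if value < 0:
                raise ValueError("Transfer value cannot be negative")
            if frm != ZERO:
                balances[frm] = balances.get(frm, 0) - value
                touched.add(frm)
            if to != ZERO:
                balances[to] = balances.get(to, 0) + value
                touched.add(to)
        for holder in sorted(touched):
            if balances[holder] < 0:
                alerts.append((obs.block, f"negative balance for {holder}: {balances[holder]}"))
        shadow_supply = sum(balances.values())
        if shadow_supply != obs.reported_total_supply:
            alerts.append((obs.block, f"supply drift: events imply {shadow_supply}, "
                                      f"contract reports {obs.reported_total_supply}"))
    return alerts


# Constructed stream with placeholder holder labels (not real addresses): a
# mint, a normal transfer, a block where the contract's reported supply grows
# without any event, and a transfer that overdraws bob.
ALICE, BOB, CAROL = "alice", "bob", "carol"
SAMPLE = [
    BlockObservation(100, ((ZERO, ALICE, 1000),), 1000),
    BlockObservation(101, ((ALICE, BOB, 400),), 1000),
    BlockObservation(102, (), 1500),
    BlockObservation(103, ((BOB, CAROL, 500),), 1500),
]

if __name__ == "__main__":
    for block, msg in check_invariants(SAMPLE):
        print(f"block {block}: {msg}")
```

Run against the sample, the monitor stays quiet through block 101, raises a supply-drift alert at block 102, and at block 103 flags both the overdrawn holder and the still-unexplained supply. In production the observations would come from event logs plus an `eth_call` per block, and the alert would page an incident channel; the reconciliation logic is the same.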
Immediate next steps focus on sustained funding for open-source security tooling, including fuzzers and static and dynamic analyzers. There is also a strong call for better visibility into the security posture of Decentralized Finance (DeFi) protocols, drawing on L2BEAT as a model for DeFi security metrics. Broader adoption of SEAL frameworks and of standardized checklists for different classes of smart contracts was also seen as essential to raising onchain security practice.
Interoperability: Trust Assumptions Must Be Explicit
Ethereum users today benefit from a vast array of interoperability solutions, offering increasingly fast and cost-effective user experiences. However, a critical concern raised by participants is that many interoperability protocols rely on poorly communicated or implicit trust assumptions. This often leads users to incorrectly equate "fast and cheap" cross-chain transactions with inherent safety and security.
Many non-canonical bridges were found to fail the "walkaway test": if the bridge operator disappears, users have no guaranteed way to recover or move their assets. Residual risk also persists after bridging, because wrapped assets remain backed by the bridge and the cascading dependencies of the broader DeFi ecosystem carry its trust assumptions forward.
To mitigate these risks, proposed actions include the development of standardized interoperability trust ratings. These ratings would explicitly detail the underlying assumptions and verification models employed by different cross-chain solutions. There is also a strong emphasis on setting clear expectations for explicit trust disclosures by cross-chain aggregators. Furthermore, efforts to improve the speed and cost-effectiveness of canonical bridges are crucial to reduce the incentive for users to opt for less secure alternatives. A dedicated follow-up workshop focused specifically on interoperability security was also proposed to further delve into these complex issues.
Privacy: UX and Infrastructure Are the Primary Constraints
A broad consensus emerged at Trillion Dollar Security Day that privacy is increasingly viewed not as an edge case, but as a normal and necessary component of Ethereum’s future. Encouraging progress in zero-knowledge (ZK) research and growing institutional interest in privacy-preserving solutions were noted. However, significant barriers remain, primarily revolving around user experience (UX), cost, and fundamental infrastructure limitations.
Key challenges identified include the pervasive issue of RPC-based tracking, which compromises user privacy, and difficulties associated with secure private data storage and recovery mechanisms. A notable gap exists in the number of builders actively focused on developing user-friendly private wallet experiences, and there is a conspicuous absence of hardware support for privacy-enhancing cryptographic operations.
Suggested next steps include promoting the greater use of light-client data transmitted over peer-to-peer (P2P) networks to reduce reliance on centralized RPCs. Significant investment in private wallet UX is crucial to drive adoption. Research into ZK-capable hardware signers is also a priority. Furthermore, proactive engagement with regulators is deemed necessary to seek clearer guidance and a more favorable environment for permissionless privacy technologies.
Infrastructure & Offchain Security: The Invisible Attack Surface
The event highlighted a critical underestimation of risks associated with frontend compromises, DNS hijacks, RPC centralization, and software supply-chain attacks, which were repeatedly cited as significant vulnerabilities. Participants also observed a lack of sustainable economic alignment for non-profit organizations that provide essential security public goods, leading to potential underfunding and resource constraints.
A key point of discussion was the artificial separation often made between "Web2" and "Web3" security practices, failing to recognize the interconnectedness of these domains. There is also a noted lack of accountability for off-chain failures, and a prevalent tendency to prioritize speed or convenience over robust security measures. The inability for users to easily run nodes over Tor, a privacy-focused network, was also identified as a notable limitation.
Proposed next steps in this domain include the development of verifiable frontend prototypes to enhance trust and transparency. Increased transparency regarding the health and performance of RPC and other critical infrastructure is also a priority. Advancing the development of comprehensive security frameworks and certifications for off-chain services is essential. Finally, creating structured collaboration models where private companies can dedicate resources and expertise to security public goods was strongly advocated for, fostering a more shared responsibility for ecosystem security.
Event Reflections and Future Outlook
Participants overwhelmingly lauded the quality of discussions and the relevance of the topics addressed during Trillion Dollar Security Day, underscoring the immense value of in-person, cross-layer exchanges in building shared understanding and momentum within the Ethereum security community. The primary areas identified for logistical improvement included optimizing group sizes for more focused dialogue and increasing opportunities for structured networking among attendees.
A significant demand was expressed for future initiatives focused on developing applied security standards, fostering the creation and adoption of shared tooling, and providing practical, actionable "how-to" guidance for security implementation across the ecosystem.
The gathering showed the value of bringing security practitioners together in person. Face-to-face discussion accelerated alignment on standards, tooling, and practical solutions in a way that asynchronous coordination rarely achieves. It also reinforced the need for a continuously updated, shared picture of Ethereum’s security posture: as the ecosystem evolves, identifying and mitigating emerging risks requires regularly reassessing what works, which assumptions no longer hold, and which areas need renewed attention if a multi-trillion dollar economy is to scale securely.
The insights from Buenos Aires will continue to shape the Ethereum Foundation’s One Trillion Dollar Security efforts alongside ongoing work across the broader ecosystem. The immediate focus is on supporting the execution of the proposed initiatives, promoting the adoption of open and neutral security standards, and reinforcing the foundations needed to keep Ethereum secure as it scales.
The success of this event owes much to the dedicated security layer champions, including @vdWijden, @barnabas, @zachobront, @ethzed, @mattaereal, @ncsgy, and @ThewizardofPOS, whose expertise and contributions were instrumental. Special thanks are also extended to @0xRajeev and @fredrik0x for their invaluable hosting and facilitation of this critical gathering.