2025

CAKE and MARTSIA: Fine-Grained Data Sharing in Blockchain Applications and Business Processes

Video Slides

Abstract

Blockchain technology provides support for the automation of multi-party business processes, even in conditions of partial trust among the participants. Although this enhances traceability, integrity, and persistence, it hinders the adoption of public blockchains for process automation since it conflicts with typical confidentiality requirements in enterprise settings. The CAKE and MARTSIA approaches address this limitation by enabling fine-grained, read-access control over shared data at the level of individual message components. In these systems, encrypted data are stored in a distributed environment and linked to the blockchain that governs process execution. Data owners define access policies to regulate which users are authorized to access specific portions of the information. To ensure the desired confidentiality and integrity properties, these solutions leverage Attribute-Based Encryption (and its extensions) for secure data storage. They employ smart contracts to enforce access control, verify data integrity, and maintain linkage with process-level data.

Short Bio

Edoardo Marangone is a research assistant and PhD student at Sapienza University of Rome (Italy). His research focuses on the development of solutions aimed at introducing data confidentiality in public blockchains and enabling secure, confidential decision support. Edoardo holds both a Bachelor’s and a Master’s degree in Computer Science from the University of Udine (Italy).

Research at the Intersection of Blockchain and Business Processes: The Case of Decentralised Business Processes

Video

Abstract

At the core of any organisation lie its processes.

The field of Business Process Management (BPM) integrates concepts from business administration and computer science to analyse and implement processes via information systems. Currently, such processes are often centrally organised. The rise of platform economies has highlighted the risks of such centralisation, including market monopolisation and user dependency on proprietary systems. In this talk, I will outline my current research at the intersection of BPM and Blockchain, where we strive to explore decentralised systems that give rise to decentralised processes. On the way to autonomous, transparent, and trustworthy process execution, many organisational and technical challenges still need to be addressed.

Short Bio

Fabian Stiehle is a research associate and doctoral student at the Technical University of Munich. His research aims at the intersection of distributed information systems and their application in process automation. Specifically, regarding the architecture, development, and integration of such systems. Fabian holds a Master of Computer Science from Technical University of Berlin and a Bachelor of Applied Sciences from Konstanz University of Applied Sciences.

CRSet: Private Non-Interactive Verifiable Credential Revocation

Video

Abstract

Like any digital certificate, Verifiable Credentials (VCs) require a way to revoke them in case of an error or key compromise. Existing solutions for VC revocation, most prominently Bitstring Status List, are not viable for some use cases because they may leak the issuer’s activity, which in turn leaks internal business metrics. For instance, staff fluctuation through the revocation of employee IDs. We introduce CRSet, a non-interactive mechanism that trades some space efficiency to reach stronger privacy characteristics. It is built upon Bloom filters and uses Ethereum blob-carrying transactions.

Short Bio

Felix Hoops is a research associate at the chair of Software Engineering for Business Information Systems at TU Munich since June 2021. He researches Self-Sovereign Identity with a focus on simplifying industry adoption, improving technical elements of it, and the interplay of distributed ledger technology and SSI.

A Conceptual Model for Point-of-Sale Payment with Retail CBDC

Video

Abstract

The European Central Bank, like many other central banks, is pushing forward with the introduction of a Central Bank Digital Currency (CBDC). The Digital Euro is designed for retail use cases, which includes peer-to-peer and merchant payments. Many different form factors are supported, with a focus on offline capabilities. While the picture is clear about how users can access and obtain CBDC, the acceptance side is not fully understood yet. At points of sale, CBDC will become one of already many different payment options. This paper analyzes the technical background of CBDC wallets and proposes a conceptual model of how to introduce CBDC payment to consumers.

Short Bio

Software engineer Lars Hupel has a passion: modern payment services. Happily, as Chief Evangelist at G+D, it is their job to share this passion with others. In public lectures and workshops with banks and central banks, Lars spreads the word on Central Bank Digital Currency (CBDC) to a broad audience.

The EU Digital Identity Wallet: A Pragmatic Analysis of Ambition vs. Security Realities

Abstract

A decade since the EU’s eIDAS regulation aimed to unify digital identification, Europe is implementing a major restructuring of this framework, signaling a significant paradigm shift in the approach to digital identities. This talk assesses these pivotal changes. We’ll cover the original eIDAS network—its intended goals, actual outcomes, and particularly its shortcomings. Subsequently, we will scrutinize the forthcoming EU Digital Identity Wallet. We will explore its recognized potential for significant change but also critically examine the governance, privacy, and security challenges that must be addressed before its successful rollout. This session offers a pragmatic analysis of Europe’s evolving digital identity strategy and its concrete implications for cybersecurity.

Short Bio

Stefan Genchev is a Research Associate at the TUM Chair of Network Architectures and Services. With a longstanding enthusiasm for digital identities, his work focuses inter alia on the German eID scheme, where he has authored extensive test and research infrastructure. Prior to joining TUM, he spent several years in the industry, tackling digital identity projects across the globe. Today, he’s actively driving digitization efforts at TUM by introducing robust trust services. His research delves into applied cryptography and protocol design, with a keen eye on eIDAS, and his core mission is to build resilient and privacy-preserving trust services that empower the digital society and defend civil liberties in the digital realm.

Pod: An Optimal-Latency, Censorship-Free, and Accountable Generalized Consensus Layer

Video Slides

Abstract

In this talk, I will present pod, a new layer-1 aiming at achieving optimal latency matching the physical network conditions (one roundtrip). Pod can replace traditional blockchains for some (but not all) applications, including payments, auctions, and bulletin boards. It achieves optimal latency by relaxing the notion of total order provided by traditional blockchains, and instead provides only a partial order, where transactions have a bounded “wiggle room” to move around. We take inspiration from web2 systems such as databases, replication, and scalability techniques from the classical web, but also achieve byzantine and omission resilience by utilizing techniques and data structures from web3-era techniques such as Merkle Mountain Ranges.

Short Bio

Dionysis is a co-founder and researcher at Common Prefix focusing on consensus, light clients, bridges, interoperability, and fast bootstrapping. He did his post-doc at Stanford University, advised by David Tse. He holds a PhD from the University of Athens, advised by Aggelos Kiayias, and an Electrical and Computer Engineering degree from the National Technical University of Athens. Among other venues, he has published in IEEE S&P (Oakland), ACM CCS, ESORICS, and Financial Crypto, and presented at Black Hat Europe and Asia. Highlights of his research include the papers Non-Interactive Proofs of Proof-of-Work, Proof-of-Stake Sidechains, and Proof-of-Work Sidechains.

Fairness in Token Allocation: Mitigating Voting Power Concentration in Decentralized Autonomous Organizations

Video Slides

Abstract

As decentralized finance (DeFi) ecosystems mature, achieving fairness in token allocation is essential to maintaining fair governance. This talk explores two key studies—“Airdrops: Giving Money Away Is Harder Than It Seems” and “Understanding Blockchain Governance: Analyzing Decentralized Voting to Amend DeFi Smart Contracts”—to explore the unintended consequences of token distribution mechanisms like airdrops. Drawing on empirical data from leading DeFi projects, we reveal how these mechanisms can lead to token concentration and unfair voting power, which undermine the democratic ideals of decentralized autonomous organizations (DAOs).

Through case studies of prominent protocols such as Arbitrum, Uniswap, and Compound, we analyze how flaws in token distribution design contribute to the centralization of power. This concentration of tokens accelerates wealth accumulation and consolidates control over governance decisions, reducing diversity and participation in DAOs.

We conclude by offering strategies to improve token distribution models and governance structures, aiming to promote fairness and reduce centralization in these ecosystems.

Short Bio

Dr. Johnnatan Messias is a Research Scientist at the Max Planck Institute for Software Systems (MPI-SWS) with a Ph.D. in Computer Science from MPI-SWS, completed in collaboration with Saarland University in 2024. His research focuses on blockchain technologies, decentralized finance (DeFi), mechanism design for decentralized applications, and decentralized autonomous organizations (DAOs). Dr. Messias has made significant contributions to advancing fairness and innovation in blockchain protocols, covering topics such as transaction prioritization, liquid staking tokens (LSTs), and decentralized governance. His work has been published in top-tier venues, including FC, IMC, WWW, and CSCW, and he received the Best Paper Award at MARBLE 2024 for his research on automated market makers. Dr. Messias has also gained industry experience through a 6-month research internship at Chainlink Labs, focusing on improving decentralized price feeds, and his role as a Research Scientist at Matter Labs, where he led projects on Sybil resistance, airdrop design, and blockchain data research. Additionally, he has contributed to impactful machine learning projects in risk prediction and health insurance forecasting, including one recognized as Brazil’s most innovative health software in 2019 by IT Forum 365. As an active member of the academic community, Dr. Messias has served on program committees and frequently reviews for leading conferences in blockchain research such as AFT, WWW, FC, and CAAW. He has also presented his work at prominent events such as the Ethereum Community Conference (EthCC), SBC DAO, and Ethereum Zürich, where he discussed the pitfalls of airdrops, current fairness issues on DAOs, and the boom of inscriptions.

Programmable Privacy: Are we Stuck?

Video Slides

Abstract

Programmable privacy is complex to reason about and build applications with. Private payments have been around for a while, yet a proper zero-knowledge, fully programmable chain (think EVM-equivalent) is a myth. The so-called “zkRollups” today are only verifiable, not private. The fundamental impossibility of a “private” programmable chain is that web3 apps rely on a shared state, which must be public to provide any practical value.

In this talk, I will discuss approaches to programmable privacy with a few example applications.

Short Bio

Marti is the founder of NP Labs. He is a core contributor to the cryptographic library arkworks, and previously worked on the Polkadot blockchain. He was selected for the a16z CSX cohort in London’24.

CAKE and MARTSIA: Fine-Grained Data Sharing in Blockchain Applications and Business Processes

Video Slides

Abstract

Blockchain technology provides support for the automation of multi-party business processes, even in conditions of partial trust among the participants. Although this enhances traceability, integrity, and persistence, it hinders the adoption of public blockchains for process automation since it conflicts with typical confidentiality requirements in enterprise settings. The CAKE and MARTSIA approaches address this limitation by enabling fine-grained, read-access control over shared data at the level of individual message components. In these systems, encrypted data are stored in a distributed environment and linked to the blockchain that governs process execution. Data owners define access policies to regulate which users are authorized to access specific portions of the information. To ensure the desired confidentiality and integrity properties, these solutions leverage Attribute-Based Encryption (and its extensions) for secure data storage. They employ smart contracts to enforce access control, verify data integrity, and maintain linkage with process-level data.

Short Bio

Prof. Dr. Ingo Weber is Full Professor in the Computer Science Department, TUM School of Computation, Information and Technology, at Technical University of Munich, Germany. Ingo Weber is also Director of Digital Transformation and ICT Infrastructure at the Fraunhofer-Gesellschaft. Before moving to Munich, he was Full Professor of Software and Business Engineering at Technische Universität Berlin from 2019 to 2022. Before that, he spent ten years in Sydney, Australia, where he worked for the research institutions CSIRO, NICTA and UNSW. In 2009, he received his PhD from the University of Karlsruhe (TH), now KIT, and worked in parallel for SAP Research. In his research, Ingo Weber focuses on various subfields of computer science, in particular business process management and process mining, software architecture and engineering, DevOps, blockchain, and applied artificial intelligence (AI). He is author of numerous publications and co-author of the textbooks “DevOps: A Software Architect’s Perspective” (2015) and “Architecture for Blockchain Applications” (2019).

Mangrove: Fast and Parallelizable State Replication for Blockchains

Video Slides

Abstract

Mangrove is a novel scaling approach to building blockchains with parallel smart contract support. Unlike in monolithic blockchains, where a single consensus mechanism determines a strict total order over all transactions, Mangrove uses separate consensus instances per smart contract, without a global order.

To allow multiple instances to run in parallel while ensuring that no conflicting transactions are committed, we propose a mechanism called Parallel Optimistic Agreement. Additionally, we leverage a lightweight Byzantine Reliable Broadcast primitive to reduce latency.

Mangrove is optimized for performance under optimistic conditions, where there is no misbehavior and the network is synchronous. Under these conditions, our protocol can achieve the latency of 2 communication steps between creating and executing a transaction.

Short Bio

Ph.D. student at ETH Zurich

Deanonymizing Ethereum Validators: The P2P Network Has a Privacy Issue

Video Slides

Abstract

Many blockchain networks aim to preserve the anonymity of validators in the peer-to-peer (P2P) network, ensuring that no adversary can link a validator’s identifier to the IP address it is running from, due to associated privacy and security concerns. This talk presents work that demonstrates that the Ethereum P2P network does not offer this anonymity. I will present our methodology that enables any node in the network to identify validators hosted on connected peers and empirically verify the feasibility of the proposed method. Using data collected from four nodes over three days, we locate more than 15% of Ethereum validators in the P2P network. The insights gained from our deanonymization technique provide valuable information on the distribution of validators across peers, their geographic locations, and hosting organizations. The work presented in this talk has been awarded a bug bounty by the Ethereum Foundation.

Short Bio

Lucianna Kiffer is a Research Assistant Professor at IMDEA Networks, heading the newly formed Distributed Systems and Networks (DistSys) group. Her research focuses on the foundations of peer-to-peer networks and blockchain systems, including measurement studies, analytical evaluations, and building new protocols. Prior to joining IMDEA Networks, she spent two years as a postdoctoral researcher at ETH Zürich as a distinguished posdoctoral fellow at the Cyber Defense Center of Switzerland. She received her PhD and Masters from Northeastern University in Computer Science and her B.S. in Mathematics and Computer Science from Tulane University.

The Modular Thesis of Movement

Video Slides

Abstract

Blockchain scalability and security benefit from a modular approach, which separates sequencing, data availability, execution, and settlement, allowing networks to integrate new technologies as they emerge. This talk aims to highlight some of the opportunities that arise when taking a strongly modular - non monolithic approach to chain design.

Movement Network in particular applies this through the Move Stack, enabling configurable Move-based chains. A BlockSTM-based high-throughput execution layer ensures efficient processing, while a dedicated settlement mechanism provides fast confirmation using economic security from a validator network. The latter confirmation layer also underpins interoperability as it enables seamless synchronous cross-chain interactions within a chain-cluster without single points of failure.

Short Bio

Andreas is a research engineer specializing in distributed systems. He obtained his PhD on the topic of analytical modeling at Sheffield, UK. He contributed to the core systems of Iota and worked on rollup solutions at Mantle. At Movement Labs, his focus is on consensus, settlement, and interoperability within modular blockchain architectures. His research explores decentralized coordination, fast confirmations, and intra-cluster interoperability, aligning with cutting-edge trends in blockchain scalability and security

Sloth: Key Stretching and Deniable Encryption using Secure Elements on Smartphones

Video

Abstract

Privacy enhancing technologies must not only protect sensitive data in-transit, but also locally at-rest. For many secure communication protocols, we want deniable encryption based on passwords. However, traditional password-based encryption requires users to memorize long passphrases. The Sloth design leverages the Secure Element on both Android and iOS smartphones to enforce strict rate-limits and thus allow to generate shorter passphrases.

Working around the limitations of the user-level APIs which do not expose rate-limiting capability led to the development of new password-hashing schemes that provide strong wall-time guarantees and are available on the majority of smartphones today without any modifications. We presented the Sloth Paper at PETS ‘24 and it is available as an open-source project.

Short Bio

Daniel Hugenroth is a security researcher and software engineer living in Cambridge, UK. His research focuses on cryptographic protocols, confidential computing, secure AI, and mobile devices and he likes to work on projects where math meets metal. For more navigate to his website.

TEE-enforced Data Clean Rooms

Video Slides

Abstract

Ethereum block builders aim to maximize arbitrage opportunities across thousands of decentralized exchanges (DEXs) and limit order books, yet they often lack the specialized expertise and resources to identify these opportunities efficiently. We present Bob, a low-latency Trusted Execution Environment (TEE)-enforced data room designed to address this challenge by enabling secure collaboration between block builders and high-frequency trading (HFT) firms. Named after bottom-of-block arbitrage, Bob allows builders to leverage HFT expertise to enhance arbitrage capture while ensuring robust protection for both parties’ sensitive information.

Bob employs Intel’s Trusted Domain Extensions (TDX) to create a confidential and verifiable VM environment. Within this TDX VM, a rootless Podman container hosts a sandboxed proprietary process from the HFT firm, granting it controlled access to a stream of sensitive data from co-located block builders. This setup delivers near-native performance and requires no code modifications, offering HFT firms a seamless development experience.

A defining feature of Bob is its implementation of mutual privacy:

1. HFT proprietary code privacy: Access to the container is restricted to the HFT firm’s SSH public key, safeguarding their trading algorithms.
2. Builder data privacy: Many restrictions are enforced as root—including namespaced sandboxing, firewall rules, and delayed logging—to prevent the unknown HFT process from accessing or leaking sensitive builder data in undesirable ways. Bob democratizes access to block building on Ethereum, empowering small HFT teams to compete more effectively in arbitrage markets, which ultimately drives better user outcomes.

Beyond blockchains, this TEE-enforced data clean room primitive is versatile, performant, and user-friendly, with potential applications in domains like artificial intelligence and secure multi-party computation that require mutual privacy.

Short Bio

Moe Mahhouk is a senior software engineer at Flashbots, where he specializes in trusted execution environment product development and serves as a key interface between research and production. Prior to his industry career, Moe conducted research on TEEs, WebAssembly and cloud security during his PhD studies.

The Forking Way: When TEEs Meet Consensus

Video Slides

Abstract

An increasing number of distributed platforms combine Trusted Execution Environments (TEEs) with blockchains. This combination is often described as a promising “marriage”: TEEs enable confidential computing on the blockchain, while the consensus mechanism could help defend TEEs against forking attacks.

In this talk, we present a systemization of 29 blockchain solutions that integrate TEEs, ranging from academic proposals to production-ready platforms. We uncover a lack of consensus within the community on how TEEs and blockchains should be combined. Specifically, we identify four broad approaches to interconnect TEEs with consensus, analyze their limitations, and discuss potential remedies. Our analysis also reveals previously undocumented forking attacks on three production-ready TEE-based blockchains: Ten, Phala, and the Secret Network. We demonstrate how our findings enable effective countermeasures, showcasing a concrete fix for one of the affected systems.

Short Bio

Annika Wilde is a PhD candidate at the Faculty of Computer Science at Ruhr University Bochum, Germany. Her research focuses on the security of Trusted Execution Environments (TEEs) and the intersection of TEE security with blockchains. She is currently affiliated with the Chair for Information Security.

Tuning Block Size for Workload Optimization in Consortium Blockchain Networks

Video

Abstract

Determining the optimal block size is crucial for achieving high throughput in blockchain systems. Many studies have focused on tuning various components, such as databases, network bandwidth, and consensus mechanisms. However, the impact of block size on system performance remains a topic of debate, often resulting in divergent views and even leading to new forks in blockchain networks. This research proposes a mathematical model to maximize performance by determining the ideal block size for Hyperledger Fabric, a prominent consortium blockchain. By leveraging machine learning and solving the model with a genetic algorithm, the proposed approach assesses how factors such as block size, transaction size, and network capacity influence the block processing time. The integration of an optimization solver enables precise adjustments to block size configuration before deployment, ensuring improved performance from the outset. This systematic approach aims to balance block processing efficiency, network latency, and system throughput, offering a robust solution to improve blockchain performance across diverse business contexts.

Short Bio

Narges Dadkhah is currently a doctoral candidate at the Freie Universität Berlin. She has a Bachelor degree in Software Engineering and she got her Master in management of Information Technology from Nottingham University. At the moment, she is working as a team member of the Cybersecurity and AI group at Freie University Berlin lead by Prof. Dr-ing habil. Gerhard Wunder. Her research interests include Information Privacy , Security and Blockchain technology.

ZK Rollups supporting EIP-7702

Abstract

EIP-7702 enables a new transaction type for Ethereum transactions. This new set-code transaction delegates smart contract calls to EOAs, which essentially allows smart contract executions at EOAs (storage context of the EOA). EIP-7702 enables new interesting applications such as transaction batching, payment sponsorships, or privilege de-escalation (sign sub-keys with permissions). This talk explains interesting facets of EIP-7702 and how zk-rollups can support it.

Short Bio

Jan Lauinger is a researcher and PhD candidate at the Technical University of Munich with a research focus on TLS-oracles, decentralized identity, decentralized access control and decentralized policy compliant computation. During the last years, Jan Lauinger contributed to the an EU security project as a developer and project lead and has conducted teaching activities in the domain of IoT security.

Adding AIs to Sequencers

Video

Abstract

Rollups scale Ethereum by relying on sequencers, components which order and include transactions, to build blocks off-chain. This talk explores the transformative potential of integrating artificial intelligence (AI) into blockchain rollup sequencers. We’ll explore the idea of utilizing AI for transaction ordering, increase user security, enhance scalability, and more. Some of these ideas are in use right now, while others are worth exploring.

Short Bio

Jan is a co-founder of Zircuit. He is an experienced researcher in algorithm design and formal methods and is interested in all things rollups, plasma, and beyond. At Zircuit, Jan’s research is focused on sequencer-level security, minimizing proof generation time, and developing novel methods to check the correctness of zero-knowledge circuits. He received his Ph.D. in Computer Science from the University of Waterloo in 2022.

coSNARKs - Marrying MPC and ZK

Video Slides

Abstract

This talk will give an introduction to the topic of coSNARKs - executing zero-knowledge proof systems using multiparty computation protocols. We will go through the basic ideas, performance, existing tooling and current bottlenecks and also take a look at exising and new use-cases that can benefit from coSNARKs.

Short Bio

Daniel is a co-founder and technical lead at TACEO, building tooling and infrastructure for collaborative SNARKs. Before that, he completed his PhD at TU Graz on the topic of Post-Quantum Signatures built using MPC-in-the-Head ZK protocols.

Inside the Offchain Reporting Protocol

Abstract

Chainlink’s Offchain Reporting (OCR) protocol is the backbone of Chainlink products, including Data Feeds, Data Streams, CCIP, and more. This talk will explore the core design principles behind OCR and how it enables secure and efficient distributed applications. We’ll dive into the Reporting Plugin API, a powerful abstraction layer that allows developers to build a wide range of use cases on top of one battle-tested consensus protocol.

Short Bio

Chrysa Stathakopoulou is a distributed systems researcher, passionate about decentralizing computation and trust with highly performant systems. Prior to joining Chainlink Labs, she worked at the blockchain group in IBM research focusing on consensus protocols. She holds a PhD from ETH Zurich.

Pandora’s Box: Cross-Chain Arbitrages in the Realm of Blockchain Interoperability

Video

Abstract

Over recent years, the blockchain ecosystem has grown significantly with the emergence of new Layer-1 (L1) and Layer-2 (L2) networks. These blockchains typically host Decentralized Exchanges (DEXes) for trading assets such as native currencies and stablecoins. While this diversity enriches the ecosystem, it also fragments liquidity, posing challenges for DEXes offering the same assets across multiple blockchains. This fragmentation leads to price discrepancies, creating opportunities like arbitrages for profit-seeking traders, which fall under the broader category of exploitative economic practices known as Maximal Extractable Value (MEV). Although MEV extraction has been extensively studied within single domains (i.e., individual blockchains), cross-chain arbitrages, a form of cross-domain MEV, have received little attention due to their non-atomic nature, complicating both execution and detection.

In this paper, we shed light on opaque cross-chain MEV activities by presenting the first systematic study of two non-atomic cross-chain arbitrage strategies: Sequence-Independent Arbitrage (SIA) and Sequence-Dependent Arbitrage (SDA). The former involves independent, opposite-direction trades across chains, while the latter relies on asset bridges. We analyze the effectiveness of these strategies across nine blockchains over a one-year period from September 2023 to August 2024, identifying 260,808 cross-chain arbitrages, 32.37% of which involve bridging solutions. These arbitrages generated a lower-bound profit of 9,496,115.28 USD from a total traded volume of 465,797,487.98 USD. Additionally, we examine the security implications of cross-chain arbitrages, uncovering centralization among arbitrageurs, network congestion caused by failed transactions, and growing private mempool adoption. Finally, we discuss sequencer incentives and propose a risk-optimized arbitrage strategy.

Short Bio

Ph.D. at Technical University of Munich and Researcher at Flashbots

Venture Capital investing in the Blockchain Space

Video Slides

Abstract

This talk examines the critical success factors for blockchain startups from Maven 11’s unique vantage point. We’ll explore the evolving frameworks for evaluating product viability in decentralized ecosystems, how product thinking shapes investment theses, and where we see the most promising opportunities for builders in the current market.

Short Bio

Bram leads Product at Maven 11 Capital, where he drives portfolio company success and spearheads the firm’s Residency program—connecting exceptional founders with the resources to transform ideas into market-ready blockchain solutions. With deep operational experience as a former builder in the space, Bram specializes in identifying and nurturing applications that push the boundaries of what’s possible in decentralized technologies.

Do You Trust Your Wallet? An Analysis on the Privacy Aspects of Web3 Wallets

Abstract

Web3 promises decentralization and improved privacy. However, many decentralized applications and wallets rely on traditional web technologies that lack strong privacy protections. In this talk, we present a study on the privacy risks associated with Web3. We introduce a framework to assess wallet data exposure and find that over 1,300 websites check for installed wallets, potentially tracking users. Additionally, traffic analysis of 616 dApps and 100 wallets reveals over 2,000 instances of wallet address leaks. Our findings highlight the urgent need for privacy-centric Web3 design.

Short Bio

Christof Ferreira Torres is currently an Assistant Professor at the Department of Computer Science and Engineering (DEI) at Instituto Superior Técnico (IST), University of Lisbon and a researcher at INESC-ID, where he is a member of the Distributed, Parallel and Secure Systems (DPSS) group. His research lies at the intersection of program analysis and software security, with a focus on improving the privacy and security aspects of blockchain systems. Before joining IST, he has been a postdoctoral fellow at ETH Zurich, where he was part of the Secure & Trustworthy Systems (SECTRS) group. He received his Ph.D. in Computer Science in 2022 from the University of Luxembourg and the Technical University of Munich. His Ph.D. thesis focuses on the Automated Security Assessment and Improvement of Smart Contracts. Prior to that, he has been working as a security researcher at the Fraunhofer Institute for Applied and Integrated Security (AISEC) near Munich, Germany.

A Scalable Byzantine-Tolerant Distributed Membership Data Structure for Decentralized Networks

Abstract

Peer-discovery or membership protocols play a crucial role in any distributed system; they allow network participants to find other nodes and form the foundation for blockchains, file sharing, or decentralized storage networks. However, protocols deployed in practice mainly rely on heuristics to prevent Byzantine nodes from mounting eclipse attacks on honest nodes, biasing peer sampling for upstream applications towards malicious nodes, or taking over subspaces of the logical identity space. This issue becomes even more pressing when more complex overlay networks, such as the currently developed data availability sampling protocol for Ethereum, are built on top of the peer discovery protocol. To this end, we introduce a distributed membership data structure that guarantees uniform identity assignment, prevents network partitions and eclipse attacks, automatically scales up to very large network sizes, and exposes a lookup-based peer sampling functionality with quantifiable adversarial bias. The latter can be used by applications to build randomized structured overlay networks that inherit security guarantees from the membership protocol.

Short Bio

Kilian Glas is a PhD student at the chair of network services and architectures at TUM. He is interested in decentralized distributed systems, applied cryptography and computer security.

Data Center Execution Assurance - Closing the Gap in TEE Deployment Strategies

Video

Abstract

Confidential Virtual Machines (CVMs) provide isolation guarantees for data in use, but their threat model does not include physical level protection and side-channel attacks. Therefore, current deployments rely on trusted cloud providers to host the CVMs’ underlying infrastructure. However, the TEE attestation does not provide information about the operator hosting a CVM. Without knowing whether a Trusted Execution Environment (TEE) runs within a provider’s infrastructure, a user cannot accurately assess the risks of physical attacks. We observe a misalignment in the threat model, where the workloads are protected against other tenants but do not offer end-to-end security assurances to external users without reliance on cloud providers. The attestation should be extended to bind CVM with the provider. A possible solution can rely on the Protected Platform Identifier (PPID), a unique CPU identifier. However, the implementation details of various TEE manufacturers, attestation flows, and providers vary. This makes verification of attestations, migration easiness, and building applications without relying on a trusted party challenging, highlighting a key limitation that must be addressed for the adoption of CVMs. We discuss two points focusing on hardening and extensions of TEEs’ attestation.

Short Bio

Filip Rezabek received the Master of Science degree in communications engineering from the Technical University of Munich, in 2020. He is currently pursuing the Ph.D. degree with the Chair of Network Architectures and Services. His research interests include network security, applied and threshold cryptography, and distributed systems resilience and robustness. Besides, he is active in the area of TSN with focus on intra-vehicular networks and smart manufacturing. For both areas are important aspects of reproducible experiments.