Over the last few months my PhD student Weihong Wang and me have been studying issues with Web3’s “serving layer” – the infrastructure that makes data stored on a blockchain accessible to the application layer (aka decentralized apps or “dapps”). One of our key findings is that access to major “permissionless” blockchain networks today is, counter-intuitively, quite “permissioned”: because of both technical and economical factors, access is mediated by centralized gatekeepers. In response, we have designed a new RPC (Remote Procedure Call) protocol to interact with permissionless blockchains that attempts to keep the access “depermissioned”, yet without compromising on data integrity or accountability issues that plague the naive use of anonymous public RPC endpoints.

Our paper on this new RPC protocol recently got accepted at the IEEE International Conference on Distributed Computing Systems (ICDCS 2025). Weihong will present the work in Glasgow next week. Here’s a link to the preprint copy of the paper. Read on below for a high-level introduction to the work.

Read more

It is no secret that participating as a validator node (aka “full node”) in the Ethereum blockchain requires non-trivial hardware and storage resources. The hardware requirements to run a Geth full node (one of the more popular Ethereum full node implementations) state that the recommended minimum storage is a 2TB SSD drive - and with a default cache size, operators should expect storage to grow at a rate of about 14GB/week.

These storage requirements apply to anyone who wants to help validate transactions on the mainnet, not just to “staking” validators who want to earn Proof-of-stake rewards for validating transactions (who have additional requirements, such as ensuring high node uptime).

The more costly the hardware requirements, the fewer the number of parties capable of running a full node. Less full nodes leads to increased load on fewer servers, or to more parties relying on intermediaries (such as “node providers”) to operate the hardware for them.

This got us thinking: can we modify the block validation protocol used in networks like Ethereum so that storing the full blockchain state is no longer a prerequisite for participating as a block validator? In other words, can we let a node with “small” storage capacity (say, 5-10GB) meaningfully contribute to transaction validation without requiring it to store a full copy of the chain, and without compromising blockchain data integrity?

Today at the BRAINS 2024 conference in Berlin my PhD student Weihong Wang presented our work on “A Scalable State Sharing Protocol for Low-Resource Validator Nodes in Blockchain Networks” which addresses this question.

Read more

If you have ever looked at how Ethereum smart contracts are developed in the Solidity programming language, you will know that one of the most critical aspects of the code are the so-called “access control checks”: short conditional tests that check whether the call to the contract is “legit”: was it made by a party with sufficient rights? (e.g. the owner or creator of the contract) Is the contract in the right state to handle the request? Were all the necessary actions executed earlier? And so on. Forgetting such a check usually leads to security vulnerabilities with disastrous consequences.

In our recent paper “Safe design and evolution of smart contracts using dynamic condition response graphs to model generic role-based behaviors” (which got published last week in the Journal of “Software: Evolution and Process”), we develop a method to express such access control logic not as conditional tests scattered throughout the contract code, but rather as a separately specified set of constraints.

Read more

How effective are Static Application Security Testing (SAST) tools at finding bugs in consensus-critical code in application-specific blockchains? That’s the question we addressed in our new paper “Static Application Security Testing of Consensus-Critical Code in the Cosmos Network” that recently got accepted at the 5th Conference on Blockchain Research & Applications for Innovative Networks and Services (BRAINS 2023).

Read more

This past semester I had the pleasure of running a seminar course in KU Leuven’s brand new Advanced Master of Cybersecurity. The course is called “Security & Privacy of Contemporary Distributed Software Systems”. That’s a mouthful, but at least it’s quite descriptive.

For this inaugural year I decided to focus the course on security & privacy aspects of blockchain and distributed ledger technology. As far as “contemporary distributed systems” go, it’s hard to miss the rapid expansion of this class of systems - the core technology underpinning “Web3”.

Read more