
AWS Web3 Developer Camp 2023 Highlights Recap
TechFlow Selected TechFlow Selected

AWS Web3 Developer Camp 2023 Highlights Recap
Experts and guests participating in this security-themed seminar come from several leading industry institutions, including Beosin, Conflux, Hashkey Exchange, OKX Wallet, Polkadot, Scroll, SlowMist, SNZ Capital, and Taiko.
Compiled by: CrossSpace
On December 7, the Web3 Developer Camp, led by Amazon Web Services (AWS) and exclusively supported by the CrossSpace community, was successfully held at AWS’s Causeway Bay event venue. As the offline session of the "Web3 Security" series workshops, this event brought together experts and executives from leading organizations in Web3 security, wallets, Layer 1/Layer 2 blockchains, cloud services, exchanges, and investment firms, delivering a highly engaging and knowledge-rich Web3 security conference.
As a global leader in cloud computing, AWS has been actively exploring and supporting secure practices in the Web3 industry. By spearheading this series of security events, AWS aims to enhance industry-wide awareness of security, foster a sustainable Web3 ecosystem, and lay a solid foundation for healthy growth across sectors in 2024. Experts and guests participating in this workshop came from top-tier organizations including (in no particular order): Beosin, Conflux, Hashkey Exchange, OKX Wallet, Polkadot, Scroll, SlowMist, SNZ Capital, and Taiko.
Let’s begin with a recap of the event’s panel discussion — a highlight that featured senior executives and experts from leading Web3 projects such as Taiko, Hashkey Exchange, Beosin, and SNZ Capital, sharing insights on how their teams implement Web3 security. We were also privileged to hear in-person, first-time public updates from Conflux and Scroll — two trending Layer 1 and Layer 2 blockchains — on their 2024 technical roadmaps and ecosystem development plans.

Left to right: Leon (CrossSpace Co-founder & CEO, moderator), Michael (Investment Manager, SNZ Capital), Terence (Co-founder & Chief Strategy Officer, Taiko), Ming Wu (CTO, Conflux), Marcus Liu (Head of APAC Growth, Scroll), Vincent Wong (Product Director, Hashkey Exchange), Eaton (Security Researcher, Beosin).
Hot Topic Panel: What Security Considerations Should Web3 Projects Keep in Mind?
In their pursuit of market expansion, Web3 projects often overlook foundational security — a blind spot highlighted by several high-profile fund thefts in 2023. Eaton, a security researcher at Beosin — a firm deeply rooted in the security space — offered practical advice: “During early operations, project teams should leverage AI and auditing tools to accelerate contract reviews and detect vulnerabilities, saving time and addressing complex business logic. During development, ensure accuracy in business logic, emphasize testing, and adopt test-driven development. Exercise caution when integrating third-party applications to avoid introducing unknown security flaws. After development, it is strongly recommended to engage professional audit teams to identify and fix potential vulnerabilities, ensuring overall project security.”
SNZ Capital, with extensive experience investing in Web3 infrastructure and application-layer projects, emphasized its focus on portfolio company security. Investment manager Michael stated: “Security is critical for SNZ and a key factor in our investment strategy. We partner with security firms to provide comprehensive security services to our portfolio teams. Beyond securing infrastructure and middleware, we offer post-investment management support, connecting them with trusted security vendors. We require our portfolio companies to prioritize security in their business strategies, understand the importance of security audits, and implement real-time fraud detection, vulnerability monitoring, and compatibility assessments to ensure robust security design.”
Hot Topic Panel: How Do Mature Web3 Projects Practice Security?
Taiko, a rapidly growing open-source ZK-rollup in the Ethereum ecosystem, ensures security through a fully decentralized architecture and multi-validator consensus. Terence, Taiko’s Co-founder and Chief Strategy Officer, explained during the panel: “Taiko is an Ethereum-equivalent Rollup L2 with full decentralization. Our strengths lie in open-source development, community involvement, and security — all driven by global contributors to ensure code quality and integrity. Currently on testnet, Taiko hosts over 10,000 proposer and validator nodes, a number expected to grow. This means users don’t need to trust Taiko — we have no centralized sequencer, a key differentiator from other L2 solutions.”
Hashkey Exchange, a Hong Kong-licensed virtual asset exchange directly serving retail investors, has recently expanded its product offerings. Ensuring user trust remains paramount. Vincent Wong, Product Director at Hashkey Exchange, shared: “We strictly adhere to SFC custody regulations. 98% of assets are stored in cold wallets, with only 2% in hot wallets, maximizing asset security. To further protect investors, we’ve partnered with insurers like AON and OneDegree to provide additional insurance coverage.” He added: “Our KYC verification ensures all customers are legitimate. We offer password reminders, enforce regular password changes, and provide educational materials to help users understand blockchain fundamentals. These efforts aim to build long-term trust and ensure users feel safe and protected while trading on our platform.”
Hot Topic Panel: Technical Roadmaps and Ecosystem Support from Leading Layer 1/2 Blockchains
Conflux, a leading Layer 1 blockchain, recently unveiled its 2024 developer roadmap. CTO Ming Wu shared several focus areas aimed at improving developer experience: actively pursuing programmable data availability (DA) solutions to enable smart contracts to interact with independent DA layers for efficient large-scale state storage and retrieval; integrating AI platforms into Conflux as an incentive layer; exploring heterogeneous virtual machine architectures to boost scalability and expand the ecosystem; and researching multi-party computation (MPC) integration to enhance privacy and resistance against MEV. Ming Wu stated: “We aim to adapt our system performance to more use cases in the coming years, making our technology more mature and practical.”
Scroll, a recently launched Layer 2 blockchain, also shared its latest ecosystem security practices. Marcus Liu, Head of APAC Growth at Scroll, said: “Our primary security comes from ZKPs — leveraging the mathematical guarantees of zero-knowledge proofs to ensure secure and trustworthy execution of ZK-EVM, with proofs submitted to Ethereum for on-chain validation. In addition to rigorous audits of all contracts and circuits, we’ve launched a bug bounty program, inviting the community to strengthen security through open collaboration. Future roadmap items — including decentralized provers and decentralized sequencers — will further enhance Scroll’s decentralization and security.”
Beyond the panel, the event featured AWS’s hands-on training session on “Web3 Ethical Hacking and Best Security Practices,” along with insightful talks from security firm SlowMist, next-gen blockchain Polkadot, and Web3 application OKX Wallet. Let’s now dive into frontline security knowledge, covering risk categories, practical strategies, application-level security, and ecosystem development safety.
Smart Contract Vulnerabilities Remain Top 3 Attack Vector in 2023
Smart contract vulnerabilities continued to rank among the most common attack types in 2023. According to Beosin’s Q3 2023 security report, contract exploits ranked third in attack frequency, behind private key leaks and database breaches. “22 contract exploits resulted in approximately $93.27 million in losses. Among subcategories, reentrancy attacks caused the most damage — accounting for about 82.8% of total losses from contract vulnerabilities.”
AWS Web3 Solutions Architects David Sung and Gong Tao highlighted three common smart contract attack types, starting with reentrancy. In such attacks, hackers exploit flaws in contract logic to repeatedly call a function before the initial transaction completes, draining funds. These flaws often stem from poor design or inadequate defensive measures. Given the serious threat reentrancy poses to contract stability, defending against it must be a priority in smart contract development.
Two other prevalent attack vectors include delegatecall exploits and integer overflow/underflow. The EVM provides the DELEGATECALL opcode to promote code reuse by inserting the called contract’s bytecode into the caller’s context — but malicious contracts can thereby manipulate the caller’s state variables. Integer overflow/underflow occurs when arithmetic operations exceed Solidity data type limits, enabling unauthorized modifications to state variables.
For guidance on mitigating these threats, refer to AWS’s hands-on course “Web3 Ethical Hacking and Best Security Practices” on the dedicated page.
Security Strategies Before, During, and After Web3 Project Launch
Web3 projects must address potential security risks from day one, as incidents commonly occur in smart contracts, wallets, and exchanges. Tony, Hong Kong Community Lead at SlowMist, shared: “SlowMist addresses security incidents in three phases: pre-event, during-event, and post-event.” Project teams can assess their risk exposure based on development stage.
Before an incident, comprehensive testing helps uncover vulnerabilities. SlowMist’s red teaming service simulates real-world attacks across personnel, business systems, supply chains, office infrastructure, and physical security, offering customized defense strategies to protect high-risk nodes and increase attacker costs.
During an active incident, real-time on-chain and off-chain monitoring is crucial. Partnering with security firms enables prompt detection and response. After an incident, immediate defensive actions — such as leveraging SlowMist’s emergency response and forensic investigation services — help mitigate damage and identify root causes.
Recognizing that many Web3 teams must bake security into code design rather than rely solely on external audits, SlowMist has open-sourced its Web3 Project Security Practice Requirements on GitHub. This detailed guide outlines security pitfalls to avoid during development, empowering teams to build robust internal security systems and maintain capabilities beyond audit cycles.

SlowMist calls on projects to全面提升 security capabilities
Embracing Cutting-Edge Tech to Build Secure Web3 Applications
As blockchain infrastructure matures, more Web3 front-end applications are emerging. OKX Wallet stands out for its exceptional user experience. As a consumer-facing app, how does it balance usability with security? Darrel Wang, Product Manager at OKX Wallet, shared their approach: system-level hardening, full-stack security, and proactive adoption of advanced security technologies.
First, OKX Wallet implements system-level enhancements, ensuring asset-related features meet financial-grade security standards. By strengthening app security, they reduce the risk of hacking and provide users with a secure trading environment.
Second, OKX Wallet emphasizes full-stack security — from node services and block explorers to end-user clients — ensuring compliance and strong protection throughout the entire service chain. For example, proactive risk alerts help prevent phishing attacks, further safeguarding user assets.
Third, OKX Wallet embraces innovation and frontier technologies. Their implementation of account abstraction (EIP-4337) introduces smart contract accounts with recovery features, significantly enhancing wallet security. Their MPC keyless wallet uses multi-party computation to eliminate single-point failures from private key storage, eliminating fears of key loss.
OKX Wallet sees itself as a tech company, not a financial institution. Their mission is to solve problems from core product principles and technical perspectives, delivering secure and seamless digital transaction experiences.

OKX Wallet launched its MPC keyless wallet in April 2023
Substrate Framework Empowers Developers to Build More Secure Blockchains
Many developers are familiar with Substrate — an open-source, modular, and extensible framework for building blockchains. The Polkadot relay chain itself is built using Substrate. How does it enhance security for developers in the ecosystem? Jimmy, a core Polkadot developer, explained that Substrate allows developers to use pre-built components (pallets) developed by Parity engineers. These support runtime upgrades without forks, offer multiple consensus mechanisms, and enable cross-chain interoperability and enhanced security.
Jimmy added that Polkadot’s core goal is cross-chain interoperability and scalability. It connects disparate blockchains, enabling communication and coordination. This architecture supports data and value transfer between chains, boosting network efficiency and scalability. Its design includes a relay chain (responsible for security and validation) and parachains (offering specialized functionality). Polkadot carefully balances scalability, security, and decentralization through unique architectural choices and bridging technologies to enable secure, efficient asset transfers.

Polkadot’s core components — the relay chain provides security
Web3 Projects Should Leverage Cloud Infrastructure with Attention to Service Range, Security, and Flexibility
Cloud services are a critical foundation for Web3 — essential for exchanges, blockchains, and front-end apps alike. For Web3 projects, the scope, security, and flexibility of cloud platforms are vital. AWS, a household name in Web3 cloud services, addressed these aspects through David, an AWS Solutions Architect.
In terms of service range, AWS is the world’s most widely adopted cloud platform, offering over 200 feature-rich services and a global network of data centers to meet diverse infrastructure needs. Seven of the most widely used AWS services among Web3 projects include: EC2 (Nitro Enclaves), KMS/CloudHSM, API Gateway, S3, Elastic Block Store, Shield Advanced, and WAF.
On security, AWS provides comprehensive services in compliance, governance, and protection. The AWS Nitro System embeds security at the chip level, continuously monitoring and validating instance hardware to minimize attack surfaces. AWS supports more security standards and certifications than any other cloud provider. The combination of Nitro Enclaves and KMS/CloudHSM offers Web3 BUIDLers the best-in-class solution for cloud-based private key management — widely adopted across the industry. Shield Advanced and WAF provide robust protection for dApps, nodes, and other Web3 infrastructure layers.
Regarding flexibility, AWS offers various pricing models alongside its broad service catalog to help optimize costs. David added: “We provide extensive analytics and machine learning services — covering data movement, storage, big data analytics, log analysis, stream processing, business intelligence, and ML — giving teams the flexibility to choose cost-effective options.”
AWS offers a wide range of services tailored for Web3 projects
For more information on building secure cloud applications on AWS and AWS’s Web3 ecosystem support, visit the official page.
These highlights capture the essence of the event — valuable insights for Web3 BUIDLers and developers. We sincerely hope that, with growing consensus on security across the industry, the Web3 ecosystem will enter a new phase of rapid growth. CrossSpace will continue partnering with AWS, leading security firms, and Web3 ecosystem players to bring you more knowledge-sharing events.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News














