ZK infrastructure carries more bugs than the smart contract layer — and the only thing preventing large-scale exploits is that the number of people capable of executing them is countable on two hands. Mudit Gupta, CTO of Polygon Labs, makes the case for why that gap is the most underestimated risk in Web3 right now. He also breaks down the two-team security structure most protocols are missing, what a near 10x spike in bug bounty submissions since August reveals about how AI audits code differently than humans, and why his team had to build a counter-AI triaging agent just to keep up with the volume.

CHAPTERS
00:00 Intro – Web3 Security & Sherlock
01:18 Mudit’s Background in Crypto
03:52 Discovering Smart Contract Security
06:40 Early Days of Sherlock
09:15 Why Traditional Audits Fall Short
12:08 Competitive Auditing Model Explained
15:22 Incentives & Security in Web3
18:37 Common Smart Contract Vulnerabilities
21:54 Lessons from Major Exploits
24:30 Scaling a Security Marketplace
27:45 Building Trust in Decentralized Systems
30:12 The Future of Web3 Security
32:40 Final Advice for Builders
34:05 Closing

ABOUT THE GUEST
Mudit Gupta is the CTO of Polygon Labs, where he leads engineering across one of the world's largest blockchains — 6.4 billion transactions and $2 trillion in on-chain transfers. He has been building in the blockchain space since 2013, starting with Monero core and the CryptoNote protocol, before moving to Bitcoin, Ethereum, and smart contract development. He led blockchain development at Polymath and protocol development at Sushiswap before joining Polygon Labs. He is one of the most widely cited voices on Solidity security and smart contract vulnerability analysis.

CONNECT WITH MUDIT
LinkedIn: ae.linkedin.com/in/mudit4

ABOUT THIS PODCAST
The Web3 Security Podcast explores the discipline of Web3 security through conversations with those leading security at the world's most important crypto and blockchain companies. New episodes cover security philosophies, vendor evaluation, team structure, and lessons learned — without exposing sensitive implementation details.