Back to Blog ![EthCC[9] security guide for EVM and Solana devs](/_next/image?url=%2Fpost%2Fethcc-security-guide%2Fcover.png&w=3840&q=95&dpl=dpl_9BxXwqK39KDZnERWmg1c5Vjt4Zd6)
Your protocol is going to EthCC. Is your security thinking ready for it?
There's a version of EthCC where you come back with a tan, a tote bag, and a vague sense that something important happened in a room you weren't in. There's another version where you leave Cannes with three architecture decisions validated, two assumptions shattered, and one conversation that rewires how you think about your attack surface for the next twelve months.
The difference is rarely talent. It's almost always preparation — knowing which rooms to be in before the schedule drops, understanding which tracks are technically dense versus networking theatre, and showing up to the right side events before the RSVP slots close.
EthCC[9] runs March 30 – April 2, 2026 at the Palais des Festivals et des Congrès in Cannes. 15 tracks. Five stages. A full surrounding week of side events. Four days that can be genuinely useful — if you approach them like a developer, not a tourist.
This post breaks down what's actually happening and how to prioritize it, particularly if your work intersects with the problem that every protocol shipping on EVM or Solana eventually has to reckon with: keeping your contracts from being the next exploit in someone's post-mortem.
The layout: what you're actually walking into
The Palais des Festivals is set on the Croisette — Cannes' waterfront boulevard. Inside, the conference spreads across color-coded floors and five stages:
- Chaplin Stage — main stage, highest-capacity talks
- Hepburn Stage — mid-size, where a lot of the focused technical sessions land
- Taylor Stage — breakouts and panels
- Burton Stage — workshops and interactive sessions
- Riviera Lounge — networking-oriented, more conversational format
Beyond the stages: a coworking space (actually usable, not just symbolic), a food court, a coffee corner, and — if EthCC has ever broken your brain before — a nap room.
The Agora runs separately on March 31 at the JW Marriott Cannes. Organized by Kaiko, it's a curated institutional forum for executives and protocol leadership. If you're at the stage where compliance, RWA integration, or institutional custody is on your roadmap, it requires its own ticket (bundled into the €1,300 Full Pass + Agora) but it's the right room for those conversations.
15 tracks: a security-first reading
EthCC runs 15 official tracks. Here's how to read them if security is a first-class concern on your team — which, after the last two years of protocol exploits, it should be.
The tracks you cannot skip
Security — "Don't get rekt"
This one is obvious, but don't just attend the talks. The Rekt Anonymous breakout session on March 30 is a moderated roundtable on security failures — run by the community, not sanitized for PR. Protocols discuss what actually went wrong. The signal-to-noise ratio is unusually high because the format forces specificity. You'll recognize attack patterns seen in your own codebase if you're paying attention.
If your team hasn't done a divide-and-conquer audit methodology review recently, this session will tell you exactly why you should.
Zero knowledge and TEE
ZK is no longer just a theoretical track at EthCC. The provers are shipping. The circuits are going into production. The security implications of ZK systems — underconstrained circuits, unsound proof systems, trusted setup assumptions — are not widely understood by the developer community yet, and that gap is where exploits will come from in the next wave.
If your protocol is integrating a ZK rollup component, or if you're auditing contracts that do, this track is essential calibration.
Cypherpunk and privacy
Privacy has moved from ideological to architectural. On-chain analytics tools, MEV searchers, and regulatory pressure have converged into a moment where privacy is a protocol design requirement, not an optional layer. The session by Andrii Bondar on March 31 at the Hepburn Stage (10:00–10:20 AM) is explicitly in the Cypherpunk & Privacy track and a useful anchor for how practitioners are thinking about this right now.
Applied cryptography
For developers whose work touches signature schemes, commitment protocols, threshold systems, or anything cryptographic below the contract layer: this track runs denser than most. Expect discussions of primitives that haven't made it into audit checklists yet because they're too new. This is where your mental model of the cryptographic attack surface gets updated.
Tracks worth your time even if they feel adjacent
Core protocol
Ethereum's roadmap decisions — account abstraction maturation, state tree changes, validator set dynamics — affect the security assumptions your contracts make. The Core Protocol track is where you find out which assumptions are safe to keep making and which ones the protocol is invalidating in the next two years.
L2s
Cross-chain is the current frontier of exploit surface. Bridge contracts, sequencer centralization, shared sequencer trust models, and rollup proof systems all introduce risk vectors that standard EVM audit methodology doesn't fully cover. If your team is building cross-chain, our bridge security checklist is worth reviewing before the L2 track sessions.
DeFi
If you're auditing or building DeFi protocols — AMMs, lending markets, liquidity vaults, perps — this track is where you'll encounter the freshest thinking on mechanism security. Economic attacks, oracle manipulation, and governance exploits don't show up in static analysis tools. They show up in this kind of technical conversation.
Understanding the security engine behind DeFi gives you a framework for evaluating these discussions with depth.
Built on Ethereum — live product demos
Underrated. Live demos are where you see real codebases under real conditions. Watch what breaks, what gets hand-waved, what the presenter clearly doesn't want to talk about. As a security-focused developer, this track is a practical exercise in reading live contracts for surface area.
EthCC week: the side events that actually matter
The conference week — roughly March 27 through April 3 — includes community-organized events running in parallel and around the main schedule. No conference ticket required for most of them. Several of the most technically focused sessions happen in these smaller formats precisely because they're not filtered through a conference committee.
Before the main conference opens
- BEAST MODE — zkEVM / Ethproofs Day (March 28, invitation): Ultra-focused, invitation-only ZK workshop. If you're in the ZK proving space or auditing ZK circuits, this is worth pursuing an invite.
- FORT MODE (March 29, invitation): Post-quantum consensus workshop, 80 people. Small enough that you'll actually have a conversation with the people presenting.
- Stable Summit IV (March 27–28, JW Marriott): Full paid conference dedicated to the stablecoin and payments ecosystem. Payment protocol developers will find the density worth the ticket.
During conference days
- Legal & Compliance Breakout (March 30, Palais): DeFi meets TradFi. For developers whose contracts operate in any regulated context — payments, RWA, institutional custody — this session is where the compliance conversation gets technical rather than vague. If you're operating in the EU, our MiCA compliance roadmap covers what this means for your protocol.
- Physical & Operational Security 101 Breakout (March 30, Palais, 3:30–5 PM): Consistently underattended relative to its value. Opsec for protocol teams and developers handling sensitive keys is not glamorous, but it's where human-layer exploits originate. This is the weakest link in DeFi that most teams ignore.
- Proof of Liquidity (March 30, invitation): Capital formation summit for protocols with liquidity bootstrapping challenges. Relevant if you're at the stage where tokenomics and liquidity security intersect.
Browse and RSVP at ethcc.io/week/events — many events only reveal their exact address after you register, and slots close fast.
The conversation that doesn't happen in the session room
The most useful technical conversations at EthCC don't happen on stage. They happen in the fifteen minutes before a talk when you're standing next to someone who just deployed on the same protocol you're building on. They happen at Builder Nights Cannes (March 30, evening, MetaMask/Linea-organized) when the day's talks have been digested enough to argue with. They happen at the coworking space on day two when someone pulls up a contract and asks you what you see.
That's the actual product of EthCC — the density of technically competent people who are all working on hard, overlapping problems at the same moment in the same building.
Whether you're thinking about Solana security in 2026 or refining your Solidity audit process with AI tooling, the person sitting next to you at the Hepburn Stage has probably already hit the same wall you're about to.
Find the Zealynx team at EthCC
We're a boutique smart contract security firm — 35+ protocols audited across EVM and Solana, direct access to senior auditors, no ticket queues. We've reviewed contracts across DeFi, GameFi, liquid staking, AMMs, account abstraction, oracles, and cross-chain bridges.
Our clients include BadgerDAO, Aurora, Glif, Matchain, Monadex, and Paragon, among others.
We'll be at EthCC[9] — at the main conference, at the Security and ZK tracks, at side events during the week. We're particularly interested in talking to developers and protocol teams who are:
- Preparing for a first audit and unsure how to scope it, what to prioritize, or which methodology fits your codebase — start with our pre-audit checklist
- Post-exploit, post-audit, or mid-development and questioning whether your current security posture is actually holding up — our defense-in-depth workflow is how we think about this
- Building cross-chain, ZK-integrated, or Solana contracts where standard audit methodology has real gaps — if you're migrating from EVM to SVM, our EVM to SVM guide covers the security differences
- Running a bug bounty or internal review and hitting the limits of what automated tooling can find — read about how fuzzing strengthens smart contract security
If any of that is your situation, the conversation is worth having before you hit production. Not in a sales call format — over coffee at the conference, at a side event, or during the coworking hours at the Palais.
Get the DeFi Protocol Security Checklist
15 vulnerabilities every DeFi team should check before mainnet. Used by 35+ protocols.
No spam. Unsubscribe anytime.
Practical reference
Tickets
All prices include VAT. All tickets are nominal/personal.
| Ticket | Price | Status |
|---|---|---|
| EthCC Full Pass — 4 days + catering + after party | €500 | Available |
| Full Pass + Agora | €1,300 | Available |
| Single Day | €125 | Available |
| Student (full access, 400 slots) | Free | Sold out |
| Volunteer (17hr commitment, full access) | Free | Sold out |
Getting there
- Nice Airport (NCE) → Cannes: bus, train, or taxi — 30–45 min
- TGV from Paris, Lyon, or Milan
- Walkable from most central Cannes hotels to the Palais
Key dates
| EthCC Week begins | ~March 27 |
| Main conference opens | March 30 |
| The Agora (JW Marriott) | March 31, 8 AM – 6 PM |
| Main conference closes | April 2 |
Where to stay
- Cannes itself is ideal — walking distance to the Palais
- Mandelieu-la-Napoule (~8km) and Antibes (~11km) are solid alternatives
- Book now — conference week fills fast
Get in touch
Whether you want to schedule a conversation at EthCC or you need a security review before the conference, we're available.
- Website: zealynx.io
- X/Twitter: @ZealynxSecurity
- Request a quote: zealynx.io/quote
- Read about our process: How to efficiently prepare for a productive smart contract audit
- Understand audit costs: Smart contract audit pricing in 2026
- See our ROI framework: How smart contract audits boost gas savings and market cap
FAQ: EthCC[9] and smart contract security
1. What is EthCC and why does it matter for smart contract developers?
EthCC (Ethereum Community Conference) is the largest annual Ethereum event in Europe. EthCC[9] runs March 30 – April 2, 2026, in Cannes, France, with 15 technical tracks and five stages. For smart contract developers, it's one of the few conferences where security, ZK systems, L2 architecture, and DeFi mechanism design are discussed at implementation depth — not marketing depth. The hallway conversations and side events often yield more actionable security insights than formal talks.
2. Which EthCC tracks are most relevant for protocol security teams?
Four tracks are essential: the Security track ("Don't get rekt") covers audit failures and attack pattern analysis. The Zero Knowledge & TEE track addresses ZK circuit security and trusted execution environments. Applied Cryptography covers signature schemes and cryptographic primitives below the contract layer. The L2s track covers cross-chain bridge security, sequencer trust models, and rollup proof systems — all expanding attack surfaces that standard EVM audits don't fully address.
3. What is the difference between EthCC main conference and EthCC week side events?
The main conference (March 30 – April 2) requires a ticket and runs inside the Palais des Festivals with structured talks and panels. EthCC week (March 27 – April 3) includes community-organized side events — workshops, roundtables, hackathons, and networking events — that run in parallel venues across Cannes. Many side events are free but require separate RSVPs. Some of the most technically focused sessions, like BEAST MODE (zkEVM workshop) and FORT MODE (post-quantum consensus), happen exclusively as side events.
4. What is a ZK circuit and why are underconstrained circuits a security risk?
A ZK (zero-knowledge) circuit is a mathematical program that proves a computation was performed correctly without revealing the underlying data. An underconstrained circuit lacks sufficient mathematical constraints to fully validate the computation, meaning a prover could generate a valid-looking proof for an incorrect or malicious computation. This is analogous to a smart contract missing a require statement — the logic executes but doesn't enforce the rules it should. As ZK systems move into production, underconstrained circuits represent one of the most dangerous and least understood attack vectors.
5. How should a protocol team prepare their security posture before attending EthCC?
Before the conference: (1) Run your codebase through a pre-audit checklist to identify known gaps. (2) Document your architecture's trust assumptions, especially around cross-chain interactions and oracle dependencies. (3) Review recent exploit post-mortems from 2025 to understand current attack patterns. (4) Prepare specific technical questions about your most complex contract interactions. (5) Identify which EthCC tracks and side events align with your risk areas. Arriving with concrete questions turns hallway conversations from small talk into architecture reviews.
6. What does MEV have to do with protocol security at a conference like EthCC?
MEV (Maximal Extractable Value) is profit extracted by reordering, including, or excluding transactions within a block. It's a security concern because MEV searchers can front-run your users, sandwich their trades, or exploit ordering dependencies in your contract logic. At EthCC, the Privacy and DeFi tracks both address MEV mitigation strategies — from private mempools to protocol-level ordering mechanisms. Understanding MEV is essential because it represents an attack vector that static analysis tools cannot detect; it requires architectural awareness of how your contracts interact with the broader transaction supply chain.
Glossary
| Term | Definition |
|---|---|
| Attack surface | The total set of entry points and vectors through which a system can be exploited. |
| Cross-chain | Technology enabling interoperability and asset transfers between different blockchain networks. |
| MEV (Maximal Extractable Value) | Profit extracted by reordering, including, or excluding transactions within a block. |
| Oracle | External data feed providing off-chain information to smart contracts on-chain. |
| ZK rollup | Layer-2 scaling solution using zero-knowledge proofs to batch transactions off-chain. |
Information sourced from ethcc.io as of March 2026. Speaker schedules and side event details are updated live — check the official site for the latest.
Get the DeFi Protocol Security Checklist
15 vulnerabilities every DeFi team should check before mainnet. Used by 35+ protocols.
No spam. Unsubscribe anytime.
