
What I Didn’t Get to Say at EthDenver
At this year’s EthDenver, I had the privilege of presenting a session titled “Audited. Formally Verified. Totally Compromised.” — and if you were there, you know time ran out before I could cover everything I wanted.
This post is the section that didn’t make the cut.
Before diving in, a quick note on context. The full talk covered four foundational ideas that feed directly into what follows:
- The Bybit Hack Anatomy — a breakdown of how the attack unfolded
- The “bridge” between Web2 and Web3 components
- The Semantic Gap: how data is presented to and interpreted by end users vs. how that same data is represented at the byte level in the transaction they actually sign
- Protections at Scale in different domains: Protocol, Supply Chain, Phishing and Teams
If you’re not familiar with these, I’d strongly recommend watching the full session first (link here) before continuing.
Protection at Scale — Teams Domain
A few months ago, I came across a concept that offers a useful framework for how the way a product is built shapes the resilience of its individual components.
It’s called Conway’s Law, formulated by Melvin Conway back in 1967:
“Any organization that designs a system will produce a design whose structure mirrors the organization’s communication structure.”
Its corollary is equally important:
“If you want a particular system architecture, you must design your team’s organization to match it.”
Applying Conway’s Law to the Bybit Attack
In that scenario, you have two distinct scopes operating in parallel:
- Web2 Scope — the Safe Wallet UI, running in a traditional web environment
- Web3 Scope — the MultiSig Smart Contract, running on-chain

Each scope has its own dedicated team, its own engineering concerns, and its own definition of “secure.” And in isolation, both can be — and often are — well-audited and formally verified.
But here’s the question: Who owns the bridge between them?
That bridge, the layer where Web2 interfaces translate human intent into the calldata that is signed and then executed on-chain, is precisely where the Semantic Gap lives. It’s the same gap attackers have been quietly monetizing for years, to the tune of hundreds of millions of dollars.
When no team explicitly owns that boundary, it becomes a blind spot. Not out of negligence, but out of structure.
The Missing Team
If Conway’s Law tells us that system architecture reflects team structure, then the inverse gives us a roadmap: if you want resilience at the bridge, build a team whose entire purpose is that bridge.

A dedicated team focused on the Web2/Web3 bridge would:
- Actively map and shrink the Semantic Gap
- Stress-test how transaction data is rendered vs. how it’s actually encoded
- Build tooling that makes it harder for users — and signers — to be deceived by what they see on screen
- Create shared accountability between the Web2 and Web3 teams rather than leaving the boundary to chance
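To make the "rendered vs. encoded" stress test from the list above concrete, here is an added example of the kind of check such a bridge team would own. It is not code from the talk, from Safe{Wallet}, or from the Bybit analysis: the three-field payload (to, value, operation) is a deliberately simplified stand-in for a real multisig transaction ABI, the operation enum (0 = Call, 1 = DelegateCall, the convention Safe-style contracts use) is assumed, and every address is constructed. The checker decodes the bytes a signer is actually asked to approve and diffs them against what the UI rendered, treating a field the UI never showed as a gap in its own right.

```python
# Added example: a minimal "semantic gap" checker for a signing flow.
# Not the talk's or any wallet's real code. The payload layout below is a
# simplified stand-in (three ABI-style static words), and the addresses are
# constructed sample data.

WORD = 32  # ABI static types are encoded as 32-byte big-endian words
OPERATION_NAMES = {0: "Call", 1: "DelegateCall"}  # assumed Safe-style enum


def _word(n: int) -> bytes:
    if not 0 <= n < 2**256:
        raise ValueError("value does not fit in a 256-bit word")
    return n.to_bytes(WORD, "big")


def encode_payload(to: str, value: int, operation: int) -> bytes:
    """Encode (address, uint256, uint8) as three ABI-style words (assumed layout)."""
    to_int = int(to, 16)
    if to_int >= 2**160:
        raise ValueError("address must be 20 bytes")
    if operation not in OPERATION_NAMES:
        raise ValueError(f"unknown operation {operation}")
    return _word(to_int) + _word(value) + _word(operation)


def decode_payload(raw: bytes) -> dict:
    """Decode the bytes a signer is actually asked to approve."""
    if len(raw) != 3 * WORD:
        raise ValueError(f"expected {3 * WORD} bytes, got {len(raw)}")
    words = [int.from_bytes(raw[i:i + WORD], "big") for i in range(0, len(raw), WORD)]
    # Bytes above the declared width must be zero padding; anything else
    # means the payload is not what its type claims to be.
    if words[0] >= 2**160 or words[2] >= 2**8:
        raise ValueError("padding bytes are not zero")
    return {
        "to": "0x" + words[0].to_bytes(20, "big").hex(),
        "value": words[1],
        "operation": words[2],
    }


def semantic_gap(rendered: dict, raw: bytes) -> list[str]:
    """Return every way the rendered summary disagrees with the encoded payload.

    `rendered` is what the UI showed the signer, e.g.
    {"to": "0x...", "value": 10**18, "operation": "Call"}.
    A field the UI never rendered is reported too: a signer cannot refuse
    what they were never shown.
    """
    actual = decode_payload(raw)
    findings = []
    for field, encoded in actual.items():
        if field not in rendered:
            findings.append(f"{field}: not rendered, but encoded as {encoded!r}")
            continue
        shown = rendered[field]
        if field == "operation":
            encoded = OPERATION_NAMES.get(encoded, f"unknown({encoded})")
        elif field == "to":
            shown = shown.lower()
        if shown != encoded:
            findings.append(f"{field}: rendered {shown!r}, encoded {encoded!r}")
    return findings


# Constructed sample: the UI renders an ordinary 1 ETH transfer to A1...
RENDERED = {
    "to": "0x" + "00" * 19 + "a1",
    "value": 10**18,
    "operation": "Call",
}
# ...while the bytes handed to the signer target a different contract with
# operation 1 (DelegateCall), which runs that contract's code in the
# wallet's own storage context.
SIGNED_BYTES = encode_payload("0x" + "00" * 19 + "b2", 10**18, 1)


if __name__ == "__main__":
    for line in semantic_gap(RENDERED, SIGNED_BYTES) or ["no gap"]:
        print(line)
```

The useful property is that the check works from the signed bytes backwards, not from the UI forwards: whatever the front end shows, the decoder only sees what the contract will see, so a tampered field or a hidden field surfaces as a finding before a signature is produced.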
Why This Matters Beyond Bybit
The Bybit hack wasn’t a one-off. The vector it exploited — manipulating what signers see versus what they sign — has been used before and will be used again.
The uncomfortable truth is that audits and formal verification, as rigorous as they are, operate within scope. They verify what they’re pointed at. If the threat lives between the scopes, it can walk right past both undetected.
Team structure is also a security decision. How you organize people determines what gets built, what gets monitored, and critically, what gets forgotten.
Teams don’t just shape products — they shape the attack surface of those products.
This post is part of a broader talk delivered at EthDenver 2026. Watch the full session here for the complete context.