EthCC 2026 Recap: Cannes & the State of Web3 Security
Conversations on digital asset security, AI, and what institutional adoption demands from Web3.
--
After ETHDenver, the French Riviera.
From March 29 to April 2, the Consensys Diligence team gathered in Cannes (Palais des Festivals) for EthCC[9], the annual Ethereum Community Conference. Each edition offers a snapshot of where Ethereum is heading. It’s a reminder that the strongest ideas come from people sitting together. This recap is built from those encounters.
The conference days opened with our soirée event, where we had the pleasure of bringing together auditors, researchers, and friends from across the security community. Some we’ve known for years, some we just met. It was a night of good conversations around the direction of security, where artificial intelligence and automation will play a key role and create new threat models.
As the week unfolded, we hosted what we value the most: a private dinner in a smaller setting. Good food, long conversations, and meaningful exchanges. Around the table with us were builders from the Ethereum Foundation’s dAI team, Puffer.fi, Human Tech, MetaMask, and others. We’re deeply grateful to the teams who joined us. To every one of you: thank you.
From there, the week continued with DeFi and security-focused events, including the Rekt Security Summit, the EthCC main event, and the W3ST seminar. These reflected a growing shift toward AI-augmented security and new ways to reason about systemic DeFi risk.
Overall, the conference moved from informal exchanges to technical discussions. What follows captures the key takeaways that emerged along the way.
What the benchmarks revealed
The insights from this section are the result of conversations with auditors, technical panels, and side events. Moving between different rooms and teams, informal exchanges clarify what formal presentations only partially capture.
Similar to what we observed in our in-house testing, presenters at the Rekt Security Summit benchmarked AI tooling against live audit engagements and reported autonomous detection of roughly 30% of vulnerabilities. That figure is a moving target and shifted noticeably over the course of months.
A consistent takeaway from our dinner and soirée: AI is used to cover the mechanical layer, meaning reentrancy, gas optimizations, storage collisions, topology discovery, pre-audit cleanup, and real-time scanning. This frees auditors to focus on deep logic, novel exploits, and final sign-off.
What we noticed was how universal the experimentation phase feels. Teams are testing AI in their workflows. Most sit somewhere between using AI to speed up existing tasks and actively redesigning how they work around it. A few firms are testing solutions and building their entire operations around AI, though no one has claimed to have arrived.
Where firms sit on the adoption spectrum
Companies are shifting towards an “AI-augmented” phase. In this new phase, speed is not what sets it apart. The process itself has shifted. They’re redesigning proprietary workflows to integrate AI agents for first-pass code review. Auditors are the initiators and the final validators — signing off on the output to ensure alignment with both spec and intent.
Teams are independently developing proprietary approaches. AI is advancing fast. That speed makes outcomes hard to predict. Audits are described as broader in coverage, yet offensive capabilities accelerate at the same rate.
Clear consensus: agents are a force multiplier, not a replacement. Every expert-designed workflow makes the agent more effective.
Beyond AI: what else caught our attention
- Drift Protocol exploit: On April 1st, the conference’s attention received an entropy injection with the Drift Protocol hack. Solana’s largest decentralized perpetual futures (perps) exchange was drained for $285 million. The weak point was not a standard smart contract bug, but a human-and-process failure: social engineering and admin key compromise, reportedly initiated face-to-face at another crypto conference. (Security does not stop at code review.)
- Unaudited dependency risk: On a similar note, a keynote at Rekt Summit raised a related, overlooked issue: the dependency of decentralized applications on centralized, unaudited libraries.
- Composable defense infrastructure: At W3ST, presenters covered merging state-of-the-art tools into unified toolchains, state coverage with invariants, and graph-based approaches to DeFi systemic risk. A move toward composability and interoperability.
- Ethereum as a crypto moat for the AI verification bottleneck: Builders also discussed an emerging hypothesis around verification. Following Vitalik’s CROPS AI principles, introduced in March 2026, Ethereum-native primitives - formal verification, ZKML, on-chain inference - were raised as a possible direction for making AI execution verifiable and trustless.
Security architecture shifts toward continuous defense
Different conference, similar observations. As already highlighted in the ETHDenver recap, AI threat models are becoming even more complex. The era of the static audit report as a definitive seal is fading. In its place, teams described continuous, multi-layered defense systems where auditors, researchers, and bounty hunters operate as ongoing protection layers.
The relationship between audit firms and the protocols they serve is evolving from a single engagement with a deliverable to a sustained partnership. Shared threat modeling. Ongoing advisory and cooperation.
We’ve long advocated for shifting security left - integrating it earlier in the development cycle. AI is now reducing the cost: auditing early and often is no longer prohibitively expensive.
Speed is the defining variable
The Web3 security community is in transition. The overall posture we observed is “cautious pragmatism and optimism grounded in momentum”. Teams are building, testing and iterating. Benchmarks and best practices became outdated almost as fast as they got established.
A recurring pattern in technology shifts: machines absorbing the heavy lifting, freeing up human thinking. AI is increasingly seen as a way to reduce mechanical work.
Beneath all the change, the direction of the field is being shaped by people, human coordination, dinners that turn into debates, pressure testing ideas and alignment around stronger ways to build security practices. The real infrastructure is the community.
We’ll see you at the next one.
Consensys Diligence has been auditing Ethereum smart contracts since 2017. For more on our security research and tooling, visit consensys.io/diligence.