Nikita Belenkov

Nikita is a security engineer at Anza, a Solana-focused research and development firm behind the Agave validator client and core developer tooling, where he works on security across development, upgrades, and releases.

Before Anza, Nikita was a Senior Security Engineer at Quantstamp, where he contributed to and led protocol and infrastructure security reviews for major blockchain projects securing over $10B in assets, including TON, Alchemy, and Trust Wallet. He is a co-author of the ERC-6900 modular smart contract account standard and has published research on cross-chain bridge security. Nikita holds an MEng from Imperial College London and co-founded the Imperial Blockchain Group.

Session

02-17, 14:15, 20 min
When the Supply Chain Isn’t Chaining: Stop Reinventing the Wheel
Nikita Belenkov

We keep seeing the same supply chain failures in crypto: compromised dependencies, leaked or abused publishing keys, and malicious or compromised contributors. These incidents are often framed as uniquely web3, leading teams to design bespoke trust models rather than adopt proven, well-understood security practices.

From an attacker’s perspective, none of this is new.

Open-source communities have spent years responding to these exact classes of supply chain attacks, resulting in concrete standards such as SLSA and ecosystem-level guidance and tooling from the OpenSSF. These approaches map directly to crypto development workflows, yet remain underutilized in practice. Instead, we repeatedly invent new frameworks, often increasing complexity without reducing risk.

In this talk, I’ll walk through how we approach release system design at Anza, looking at the full development lifecycle through an adversarial lens. We’ll identify where things commonly go wrong, how existing tools and frameworks already address these failure modes, and why reinventing the wheel in supply chain security frequently makes systems less secure, not more. I’ll also cover emerging tooling like gittuf, which takes a fundamentally different approach to Git security and policy enforcement.

Lessons Learned
Auditorium