By David L. Schwed, Chief Operating Officer at Halborn
Web3 is here to stay. It provides the tools necessary for a more user-centric world, disrupting identity, data and asset management. This introduces unprecedented business models, revenue streams and creator economies. Web3 thus empowers everyone from business owners to end-users, resolving many pain points of Web2.
But Web3’s journey has only just begun. The road ahead is long, and innovators must overcome various challenges before unleashing the domain’s full potential. Cybersecurity concerns rank highly among these challenges, especially as Web3 increasingly captures mainstream imaginations.
Web3 solutions must achieve top-notch robustness, reliability and security. Coupled with rich and practical utility, these features will ensure the industry’s long-term success. There’ll also be a steady capital influx, particularly from institutional investors.
The question, however, is this: Can Web3 triumph over current security challenges and emerge stronger on the other side? It’s easier said than done, but not impossible. And for that, one must begin with a clear understanding of the risks involved.
Web3 retains some of Web2’s problems, making them worse at times
Everything new retains something of the old, for better or worse. Web3, for instance, inherits some of Web2’s processes, frameworks and functionalities. This is a necessary evil that brings along prevalent attack vectors to Web3.
Web2 users often receive shady texts and emails luring them to divulge sensitive information like passwords or financial details. Compromised or stolen credentials thus comprised 19% of security breaches in 2022—$4.5 million—according to IBM’s ‘Cost of a data breach’ report. Users also lost $4.91 million to phishing attacks which accounted for 16% of all breaches this year.
Likewise, Web3 protocols and their users have been susceptible to traditional and novel forms of phishing attacks. This is evident from recent phishing campaigns involving prominent platforms like OpenSea and BadgerDAO. The situation is, in fact, more glaring in Web3 vis-à-vis Web2 since attackers gain direct access to financially valuable assets.
Attackers even game Web3’s community orientation, impersonating prominent personalities or getting them to abet phishing campaigns, albeit successfully. Furthermore, besides social engineering attacks like phishing, malicious actors also exploit vulnerable DNS Infrastructure and APIs.
Web3 API queries often aren’t cryptographically encrypted or signed; they are thus prone to on-path and data interception attacks. The distributed nature of blockchain-powered Web3 networks escalates the threat by providing attackers with a greater number of breachable pathways.
Overall, Web3 currently has a broader attack surface but weaker security systems compared to Web2. And that brings forth the core of Web3’s security pain points, i.e. vulnerable smart contracts.
Smart contracts — the Achilles Heel of Web3 security
Smart contracts are among Web3’s most groundbreaking innovations, given the wide range of functionalities they enable. They make ‘trustless’ systems possible, for example, besides automated legal contracts, decentralized financial protocols, supply chain management solutions, etc. But while being foundational to Web3, smart contracts are also currently its weakest point.
There’s no such thing as 100% hack-proof code. This also applies to smart contracts since that’s what they essentially are—code blocks or programs running on blockchains. They may, for instance, contain bugs or loopholes. A multi-author report from 2019 highlighted the extent of this issue, flagging over 34,000 poorly coded, Ethereum-based smart contracts that put over $4 million at risk.
Although Web3 has evolved significantly since 2019, the issue with flawed smart contracts remains. In December 2021, MonoX users lost over $31 million due to bugs in the DeFi protocol’s smart contract. Similarly, in 2022, Nomad users lost about $200 million, while NFT creator Micah Johnson lost $34 million due to smart contract bugs and errors.
Having said that, one must identify the main factors causing vulnerabilities around smart contracts. Smart contract development has a considerably steep learning curve, often with a lack of precedence. This leads to ecosystems with buggy and half-baked smart contracts reaching end-users, especially during hype cycles and bull runs. Moreover, Web3’s transparency and preference for open-source code mean attackers can easily recognize and target such flaws.
The second major and multi-faceted issue with smart contracts is inefficient key management. Since private keys are significant for on-chain transactions like deploying and modifying smart contracts, storing them safely is necessary for security. However, while most online solutions used for storing private keys are similarly risk-prone as the smart contracts themselves, the ‘bridges’ or ramps to off-chain wallets are breachable via on-path or other similar attacks. It’s a worrying dilemma, indeed.
Third, besides off-ramps, smart contracts also may rely upon oracles to interact across chains or with real-world systems. These oracles are corruptible and prone to manipulation, expanding the attack surface for hackers. In October 2021, for instance, hackers drained about $130 million from the Ethereum-based C.R.E.A.M. lending market by manipulating its oracles.
Invest, Involve, Improve — The mantra for Web3 security
So much for the current, rather concerning state of cybersecurity in Web3. But it isn’t all gloom and doom. The prolonged bearish sentiments have weeded out the bulk of opportunists and short-term profit seekers in 2022. Web3 has thus moved on from a mania phase to a build phase, where innovations for robust security are steadily underway.
Investing adequate amounts of time, effort and money to bolster security at every level is the foremost requirement in this phase. Web3 solutions must be secure from the ground up and get-go, engaging professional cybersecurity and security audit service providers like Halborn.
Involving Web2’s security leaders to help build resilient frameworks is necessary for Web3. Learning is always the key to success and Web3, for one, is all about cooperation and collaboration. Being true to the principle of inclusiveness, Web3 innovators must adopt and implement Web2’s time-tested security measures minus their limitations.
Improving steadily and continuously is the ultimate requirement for bolstering security in Web3. Besides regular audits, this implies adopting best practices and establishing checks and balances with top-notch security solutions. Moreover, end-users must also do their due diligence before onboarding and using Web3 offerings.
Following the ‘Invest, Involve and Improve’ mantra, Web3 can evolve as a whole. Security is indeed a make-or-break factor for blockchain technology, cryptoassets, and overall, Web3. It’s now or never, so every stakeholder must do their part to foster a more robust, reliable and secure Web3.
About the author:
David L. Schwed is Chief Operating Officer at Halborn, an award-winning blockchain cybersecurity firm that uses ethical hackers to provide end-to-end cybersecurity advisory services and products to Web2 companies and over 250 Web3 organizations, including Coinbase, Avalanche, and more. Previously, he served as the Global Head of Digital Assets Technology for BNY Mellon, as well as various roles in the financial services sector at a senior level for Merrill Lynch, Salomon Smith Barney, Citigroup, and Galaxy Digital.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.