What is Web3 Security?
Web3 is a term given to a broad range of technological advances that together mark a major evolution in the nature of the internet and our online lives. There are multiple lenses through which we can view web3. One is as a collection of growing sectors built on blockchain technology, including the Internet of Things, the Metaverse, cryptocurrencies, NFTs, and Game-Fi.
Another is a conceptual shift in the way that the internet is organized, with companies and projects moving away from centralization to more decentralized structures.
We can also understand web3 through the impact it has on user experience, as it allows individual users more control over their personal data and assets, and enriches the ways they can interact and share value online.
Lastly, and perhaps most importantly, we can understand web3 through the lens of web3 security. In moving beyond web2, web3 removes some of the structural weaknesses of web2, such as reliance on a single operator to hold user data and assets. The process is not painless, however: web3 introduces its own set of vulnerabilities, and inherits many of web2's problems as well.
Web3 security refers to the many attack vectors that web3 projects and users face, and the means by which they can defend against them. It is also a pivotal goal for web3 more broadly, since the success of every web3 project depends on the security of the ecosystem as a whole.
Identity and Anonymity: The Double-Edged Sword
For many, one of the pillars of web3 is the anonymity it affords its users. With the titans of web2 routinely making headlines for abusing user data, one of the promises of web3 is to protect identity and data rights by letting users act without disclosing who they are. This is most pronounced in cryptocurrencies, where wallets and transactions are fully visible on the blockchain but are not inherently tied to their owner's real-world identity. Strictly speaking this is pseudonymity rather than anonymity: every action by a wallet is public and permanently linked to that wallet, even if the wallet is not linked to a person.
Because of this, anonymity and privacy are fundamental to web3 security. However, the same pseudonymity creates a critical problem: attackers can act knowing that it is extremely difficult to connect their real identity to the attacking wallet.
This difficulty is what lets hackers get away with stolen funds. Recovering them requires tracing the flow of money from wallet to wallet in the hope of identifying the attacker at a crypto-to-fiat off-ramp, typically a centralized exchange, where a deposit address can be tied to a KYC'd account. Mixers such as Tornado Cash, which pool deposits so that a withdrawal cannot be linked on-chain to the deposit that funded it, make this considerably harder.
In fighting this, blockchain analytics tools such as CertiK's Skynet and SkyTrace apply state-of-the-art techniques to anticipate, track and visualize stolen funds as they move across the blockchain. Because of this, blockchain analytics tools have become a vital arm of any project's web3 security defenses, and a necessary tool in pushing back against the pain points of anonymity.
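To make the tracing process described above concrete, here is an added example (not code from the original article or from any CertiK product) that follows funds forward from an attacking wallet over a constructed set of transfers. The addresses, transaction hashes and the `LABELS` map of known exchange and mixer addresses are all assumptions invented for the example; a real investigation would pull transfers from a node or indexer and labels from an analytics provider. The search stops at an exchange deposit address, where the project can ask the exchange to identify the account, and at a mixer, where the on-chain link is severed.

```python
from collections import defaultdict, deque

# Constructed sample transfers (not real on-chain data).
# Each entry: (sender, recipient, amount, tx_hash). Addresses are placeholders.
TRANSFERS = [
    ("0xAttacker", "0xHop1", 900.0, "tx1"),
    ("0xAttacker", "0xHop2", 100.0, "tx2"),
    ("0xHop1", "0xHop3", 500.0, "tx3"),
    ("0xHop1", "0xMixer", 400.0, "tx4"),
    ("0xHop3", "0xExchangeDeposit", 500.0, "tx5"),
    ("0xMixer", "0xFresh", 400.0, "tx6"),    # mixer withdrawal: not linkable to tx4 on-chain
    ("0xHop2", "0xExchangeDeposit", 100.0, "tx7"),
    ("0xUnrelated", "0xHop3", 50.0, "tx8"),  # unrelated inflow into a hop address
]

# Hypothetical address labels, of the kind an analytics provider maintains.
LABELS = {
    "0xExchangeDeposit": "exchange",  # centralized exchange deposit address (KYC'd account)
    "0xMixer": "mixer",               # privacy pool: the trail goes cold here
}


def build_graph(transfers):
    """Adjacency list keyed by sender: sender -> [(recipient, amount, tx_hash), ...]."""
    graph = defaultdict(list)
    for sender, recipient, amount, tx_hash in transfers:
        graph[sender].append((recipient, amount, tx_hash))
    return graph


def trace(transfers, labels, start, max_hops=8):
    """Follow funds forward from `start` with a breadth-first search.

    Returns one record per path that ends at a labelled address. Paths stop at
    exchanges (the off-ramp where identity can be requested) and at mixers
    (where on-chain linkage is broken). Each intermediate wallet is expanded
    once, so every returned path is the shortest one to that wallet.
    """
    graph = build_graph(transfers)
    results = []
    seen = {start}
    queue = deque([(start, [start], [])])
    while queue:
        addr, path, txs = queue.popleft()
        if len(txs) >= max_hops:
            continue
        for recipient, amount, tx_hash in graph.get(addr, []):
            new_path, new_txs = path + [recipient], txs + [tx_hash]
            label = labels.get(recipient)
            if label in ("exchange", "mixer"):
                results.append({"endpoint": label, "address": recipient,
                                "path": new_path, "txs": new_txs, "amount": amount})
            elif recipient not in seen:
                seen.add(recipient)
                queue.append((recipient, new_path, new_txs))
    return results


def off_ramp_report(results):
    """Group exchange-bound paths by deposit address: the tx hashes a project
    would cite when asking the exchange to freeze or identify the account."""
    report = defaultdict(list)
    for r in results:
        if r["endpoint"] == "exchange":
            report[r["address"]].append(r["txs"][-1])
    return dict(report)


if __name__ == "__main__":
    found = trace(TRANSFERS, LABELS, "0xAttacker")
    for r in found:
        print(r["endpoint"], " -> ".join(r["path"]), r["txs"])
    print("off-ramps:", off_ramp_report(found))
```

On the constructed data the search reaches the exchange deposit address by two routes and stops once at the mixer; the wallet that later withdraws from the mixer (`0xFresh`) is never reached, which is exactly the gap a mixer is designed to create. Note that the search also does not distinguish the attacker's funds from the unrelated inflow into `0xHop3`; real tracing tools apply taint or proportional attribution rules on top of this kind of graph walk.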
User anonymity is a key topic in the conversation around future regulation of the web3 ecosystem, with any regulatory framework likely to include basic KYC and AML checks for web3 users. Whatever your view of governmental regulation, one clear benefit for web3 security is that it would combat the widespread rug pulls and exit scams perpetrated by the founders of fake projects. Indeed, with exit scams being by far the most common attack vector in web3, it is not hard to see the advantages of requiring transparency around project teams and the accountability it brings.
The tension between the benefits and the risks involved with user anonymity has yet to be resolved, yet there may well be a way for the web3 ecosystem to have its cake and eat it. New technologies such as decentralized identity provide some user accountability whilst still allowing users to be in control of their privacy. Furthermore, tools that anticipate governmental regulation such as CertiK’s KYC verification for project teams help foster trust between investors and project teams whilst also working to improve web3 security without the need for governmental intervention.
Transparency: Open Code, Open Ledgers
Like anonymity, transparency is also a pillar of web3 security. Web3 projects typically foster it through the public ledgers discussed above and through open-source code.
In principle, this transparency provides a healthy environment for web3 security, as it makes it harder for projects and institutions to conduct irresponsible or underhanded activity out of sight. Furthermore, with a project’s underlying code and its ledger activity available for anyone to access, a project can be checked for flaws, vulnerabilities, and malicious code at any time, from anywhere.
However, again, this improvement to web3 security also brings new attack vectors. Most people do not have the time, expertise, or incentive to comb through a project's code looking for flaws, and those who do are often looking to exploit them for their own gain; open code lowers the attacker's cost as much as the defender's. This is exacerbated by the speed at which the ecosystem is growing, with new technologies such as bridges, flash loans, and decentralized exchanges being launched before their failure modes are well understood.
Whilst white hats have been known to assist projects by ethically probing a project's defenses, relying on them to do so is risky. This is why web3 security is inconceivable without smart contract audits. CertiK's smart contract security audit uses the cutting edge of AI technology combined with the leading minds in computer science to meticulously analyze a project's code. By spotting flaws and advising steps to remedy them, CertiK's smart contract audits help ensure that transparency is a positive rather than a negative force in web3 security.
Centralization: An Inherited Risk
Although web3 brings some new attack vectors, many of the issues web3 security is concerned with are inherited from practices associated with web2. Chief among these is centralization. CertiK's State of DeFi report identified centralization risk as the most common attack vector in 2021, responsible for an eye-watering $1.3 Billion in losses.
Whilst decentralization is foundational to the web3 ecosystem both at the level of technology and as an overarching principle, many projects still retain some features of centralization. This may be for organizational purposes, technological limitations, or even simple convenience. However, in doing so they provide a clear route of attack for hackers to exploit.
Perhaps the clearest example of centralization risk is privileged access: a small number of team members hold keys or credentials that grant elevated control over a network or contract, so hackers target those individuals in order to exploit that point of centralization and make away with high-value assets. The recent Ronin Network hack is a clear example. A spear phishing attack gave the attacker control of enough of the bridge's validator private keys to authorize withdrawals, draining the protocol of over $620 Million.
In many ways, centralization risk can be considered a growing pain of the web3 ecosystem. As more and more projects make the shift to decentralized practices, those that defer fixing such vulnerabilities are targeted by hackers. In such cases, the answer to centralization risk is increased decentralization. This might mean distributing control of privileged keys over a greater number of nodes or transitioning control of a project’s network away from its team to its community.
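The remedy above, distributing privileged keys over more parties, only works if the parties are genuinely independent. The following added example (not code from the original article or from any project it mentions) checks a multisig configuration for that property: it counts how many keys each organisation can actually sign with, including keys delegated to it, and computes the minimum number of independent parties an attacker would need to compromise to reach the signing threshold. The 5-of-9 configuration, the organisation names and the delegation are all constructed for the example and are not a reconstruction of any real validator set.

```python
from collections import defaultdict

# Constructed scenario (not a reconstruction of any real validator set):
# a 5-of-9 multisig whose keys are operated by six organisations, with one
# organisation having delegated its signing rights to another.
THRESHOLD = 5
KEY_OPERATORS = {
    "key1": "OrgA", "key2": "OrgA", "key3": "OrgA", "key4": "OrgA",
    "key5": "OrgB",
    "key6": "OrgC", "key7": "OrgD", "key8": "OrgE", "key9": "OrgF",
}
# Signing delegations (hypothetical): OrgB's key can in practice be used by OrgA.
DELEGATIONS = {"OrgB": "OrgA"}


def effective_controller(org, delegations):
    """Follow delegation chains to the party that can actually produce a signature."""
    visited = set()
    while org in delegations and org not in visited:
        visited.add(org)
        org = delegations[org]
    return org


def keys_per_controller(key_operators, delegations):
    """Number of keys each party can sign with once delegations are resolved."""
    counts = defaultdict(int)
    for org in key_operators.values():
        counts[effective_controller(org, delegations)] += 1
    return dict(counts)


def min_parties_to_sign(counts, threshold):
    """Smallest number of independent parties whose keys together meet the threshold.

    Taking the largest holders first is optimal, so a greedy pass suffices.
    Returns None if the threshold cannot be met at all.
    """
    total = 0
    for n, size in enumerate(sorted(counts.values(), reverse=True), start=1):
        total += size
        if total >= threshold:
            return n
    return None


def centralization_report(key_operators, delegations, threshold):
    counts = keys_per_controller(key_operators, delegations)
    parties = min_parties_to_sign(counts, threshold)
    return {
        "keys_per_controller": counts,
        "min_parties_to_sign": parties,
        # A threshold one party can meet alone is a single point of failure:
        # phishing that party is enough, however many keys nominally exist.
        "single_party_control": parties == 1,
    }


if __name__ == "__main__":
    print("with delegation:   ", centralization_report(KEY_OPERATORS, DELEGATIONS, THRESHOLD))
    print("without delegation:", centralization_report(KEY_OPERATORS, {}, THRESHOLD))
```

The point of the check is that nine keys and a 5-of-9 threshold look decentralized on paper, yet with four keys under one operator and a fifth delegated to it, one organisation meets the threshold alone. Removing the delegation still leaves the threshold reachable by compromising just two parties. Only spreading the keys across more independent operators, or raising the threshold relative to the largest holder, makes the multisig resistant to a single spear phishing campaign.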
Web3 security tools such as smart contract audits and blockchain analytics are essential here. Smart contract audits help prevent centralization risk by identifying single points of failure, such as an owner key that can upgrade or pause a contract or withdraw its funds, and recommending fixes. Similarly, blockchain analytics tools give project teams on-chain visibility into how their contracts and privileged accounts are actually being used.
Web3 Security: The Road Ahead
The goals of a thriving web3 ecosystem and web3 security are inextricably linked. We can't imagine a positive web3 ecosystem without measures to protect it, and we can't imagine web3 security without a dynamic and growing range of projects to protect. In this sense, web3 security is not only a precondition for the web3 ecosystem but also an ongoing concern: something that needs to be maintained over time, rather than checked once and forgotten about. To that end, CertiK plays a vital role in fostering web3 security in partnership with the leading projects that seek to make their security a priority. Check out our Web3 Security Leaderboard to see which projects are taking the most proactive approach to their security, and to see first-hand how CertiK is working to secure the web3 world.