3 October 2022

4 critical steps toward securing Web3

Ronghui Gu, CertiK

The data on hacks, scams and exploits is in, and 2022 is already the most expensive year for Web3 on record. Where 2021 saw losses of $1.3 billion, losses were already at $2 billion at the close of June 2022. Extrapolating from these numbers, 2022 is projected to see a 223% increase in the amount lost to hacks, scams and exploits when compared with 2021. Shocking figures, to say the least.

This will no doubt be disheartening for a Web3 community still struggling to find its feet in the context of a bear market. Moments like this require sober and level-headed analysis of how these losses occurred and what the next steps are for anyone working toward mass adoption.

The rise in losses is disheartening, but experience makes clear what needs to happen for Web3 to achieve mass adoption. To do so, it is vital that the community remain clear-eyed about the challenges and opportunities of where things stand right now — the vulnerabilities of the current ecosystem, what they mean for the current state of the community, and the steps that must be taken to reach a secure and stable Web3 future. Here are four of the most critical steps:

1. Understand Web2’s role in Web3 breaches

There has been a significant rise in the number of phishing attacks, with an increase of over 170% when compared with the previous quarter. This increase is frustrating for multiple reasons, not least because phishing attacks ought to be easily avoided, with even naive investors knowing that promises of too-good-to-be-true giveaways from random strangers are likely to be fraudulent.

MetaBeat 2022

MetaBeat will bring together thought leaders to give guidance on how metaverse technology will transform the way all industries communicate and do business on October 4 in San Francisco, CA.Register Here

However, as phishing attacks have become more sophisticated, even experienced investors have been falling prey to them, with the attackers increasingly operating under the guise of authenticity after they gain access to projects’ official social media accounts. This has led to phishing attacks that are both more lucrative and have a higher success rate, as otherwise savvy investors are duped into following seemingly authentic links.

One example of this is the Bored Ape Yacht Club (BAYC) hack which occurred in June after a hacker compromised the Discord account of the project’s community manager. With access to the BAYC Discord, the hacker posted a link to a duplicate of the BAYC site which lured users into connecting their wallets with the promise of free NFTs. In total, over 200 ETH worth of NFTs were lost in the attack.

The rise in these attacks shows one of the key sticking points for Web3 security: Web3 projects are becoming dependent on Web2 infrastructure to be successful. As a result, hackers are able to leverage the vulnerabilities of Web2 to compromise otherwise secure Web3 projects.

This is especially frustrating for those of us working to secure the Web3 ecosystem as, taken on its own, the principles of a decentralized architecture that uphold Web3 should render single-point-of-failure and centralization risks obsolete. Seeing hackers exploit these vulnerabilities as they occur in social media platforms to launch arguably the oldest trick in the book of internet attacks is like witnessing a bank being robbed because someone left the back door open.

So, what can the Web3 community do about it? First, any Web3 project that relies on Web2 infrastructures such as a website marketplace, or Discord and Telegram, needs to foster practices of decentralization around these points of centralization. In practice, this involves requiring multiple signatures each time an account with privileged controls is accessed and revoking that authorization after each use. In addition, traditional Web2 security best practices and solutions like anti-phishing security need to be implemented. This makes it far more difficult for a hacker to exercise a Web2 style attack, gain access and inflict damage.

At the other end is education. Users need to exercise utmost caution when engaging with any platform asking you to connect your wallet or offering giveaways. Even if it appears to come from a reliable source, you can never be too careful given this new breed of phishing attack. Always verify a link’s authenticity by comparing messages and websites to their official counterparts, and if in doubt, reach out to the project team via an official email. Good-faith projects will be as keen to avoid a potential scam as you are!

2. Learn from flashloan attacks

Alongside phishing attacks, Q2 2022 saw a continuation of the rise in what is proving to be one of the most devastating exploits in a hacker’s arsenal: the infamous flashloan attack.

After seeing more losses to flashloan attacks than any other quarter on record (a staggering 2,000% increase from last quarter), Q2 highlights the urgency for Web3 projects and security companies to address the vulnerabilities that make them possible.

Flashloan attacks rarely run along predictable or standardized patterns, and recent events are no exception. Rather, the data shows how hackers are continually finding new ways of leveraging flashloans to target some flaw in a project’s code or architecture. This means that flashloan attacks are often tailored to vulnerabilities specific to each project, and as a result, they are one of the most difficult-to-detect attack vectors.

Putting the urgency of this problem in perspective, 2022 is now forecast to see $656M in losses to flashloan attacks. That’s a 78% increase in loss over the previous year, a worrying figure in a category that targets some of the more innovative features of Web3. Changing this trajectory will rely on the collective effort of the entire Web3 community to double down on security best practices and for those practices themselves to advance beyond their current limitations.

This difficulty in addressing flashloan attacks, however, brings into focus a problem that faces the Web3 ecosystem as a whole: How can Web3 projects shift to a position of anticipating and preparing for new forms of attack rather than merely responding to them after the fact?
3. Implement end-to-end security for a secure Web3

Web3 projects must introduce end-to-end security as part of their security posture. This means having regular and thorough smart contract audits, as attacks often target new features that fall outside the scope of a project’s previous audit. Beyond this, blockchain analytics tools such as wallet and transaction tracking and on-chain analytics help Web3 projects stay on top of their on-chain activity. By providing liquidity monitoring and flashloan detection, these kinds of tools give the projects vital time to anticipate and respond to an attack.

While the tools already available are vital for maintaining a safe and secure Web3 ecosystem, there is a pressing need for both the variety and the performance of these tools to increase. Ultimately the methods of detecting vulnerabilities need to be far more acute and granular than those of the hackers, and the methods of imagining new and unseen attack vectors even more creative.

4. Identify room for improvement and innovate accordingly

As with any new technology and any innovation, particularly one that has grown at such a rapid pace, vulnerabilities in code are an inevitable part of Web3’s growth. Because of this, it is of vital importance that Web3 security grows and is implemented in lockstep with Web3 technology’s growth.

Part of this means developing new and better detection and prevention mechanisms. But it also involves fostering cultures of transparency around projects through more human-based tools such as KYC checks. Not only does this fight back against hacks and rug pulls by introducing ways to hold project teams accountable, it helps to drive investment by bolstering user confidence in projects.

Ultimately, we cannot know where the Web3 industry will be at the end of 2022, nor what condition it will be in. However, we can ensure that the state of our collective Web3 security improves by pushing for end-to-end security in Web3 projects.

This is largely down to Web3 projects adopting these approaches themselves and, of course, Web3 security providers continuing to develop and hone their methods. However, the wider Web3 community of investors and users can also aid this by becoming more security-aware and using this awareness to invest in projects that are doing the utmost to protect themselves and their user base. Such collective effort is key to pushing back against the mounting losses to hacks and securing a healthy Web3 ecosystem.

Ronghui Gu is CEO of CertiK

DataDecisionMakers

Welcome to the VentureBeat community!

DataDecisionMakers is where experts, including the technical people doing data work, can share data-related insights and innovation.

If you want to read about cutting-edge ideas and up-to-date information, best practices, and the future of data and data tech, join us at DataDecisionMakers.

You might even consider contributing an article of your own!

No comments: