By Christian Seifert, Security Researcher in the Forta community
As the global technology landscape has continued to evolve over the past decade, one concept that has piqued the interest of many people is that of ‘Web3.’ In its most basic sense, Web3 can be viewed as an iteration of the internet that is decentralized and grants users the ability to interact with one another in a secure, peer-to-peer fashion (i.e. without the need for any centralized intermediaries).
For perspective, conservative research studies estimate that the size of the Web3 market will grow from its 2021 levels of $3.2 billion to a staggering $81.5B by 2030, exhibiting a compound annual growth rate (CAGR) of 43.7%.
On a technical front, it should be noted that the Web3 ecosystem relies heavily on blockchain technology: a distributed ledger maintained by many independent node operators. Because every confirmed transaction is replicated across those nodes and cryptographically chained to the ones before it, the data is tamper-evident, and no single third-party service provider (such as a government, financial intermediary, central governing agency, etc.) has to be trusted to keep it.
However, despite the underlying cryptographic guarantees underpinning blockchains, there are still many avenues that bad actors and hackers have discovered to infiltrate such systems. In this article, we will examine some of these loopholes and highlight potential resolutions.
The World of Web3 Threats
The Web3 market has enormously impacted the cybersecurity industry over the last half-decade. The data recorded on most blockchains is largely resilient to tampering and third-party infiltration compared to traditional web apps, but decentralized applications (dApps) are built on smart contracts, and those contracts are where the risk moves: if they are poorly coded or contain particular vulnerabilities, miscreants can exploit them directly. Furthermore, due to the pseudonymity of many Web3 platforms, it can be challenging to track down or identify hackers and bad actors. For smart contracts, code is not only law, but capital.
In fact, despite the many security-centric promises offered by Web3-enabled tech, cybercriminal activity has been on the rise within this space. Chainalysis’ Crypto Crime Report notes that $2B was lost to protocol attacks in 2021, and despite the bear market, losses from hacks this year had already exceeded that number as of September 2022.
And while many would like to believe cryptocurrency blockchains’ defenses are unbreakable, many attack vectors are prominent on-chain, from economic attacks to smart contract exploits. Further, social engineering attacks such as phishing and ice phishing, scams, and rug pulls have caused significant damage to end users.
Notably, phishing threats have reared their ugly heads in the world of Web3. Late last year, hackers used scam emails to rob roughly 6,000 customers of the cryptocurrency exchange Coinbase, exploiting a flaw in the company’s SMS-based two-factor authentication (2FA) flow. Similarly, this year, $1.7 million worth of non-fungible tokens (NFTs) were stolen in an elaborate phishing attack on the popular NFT marketplace OpenSea, with the hackers exploiting a quirk of the Wyvern Protocol, the open-source exchange protocol underlying OpenSea’s marketplace at the time: victims signed partial orders that the attackers later completed. Ice phishing is a variation of traditional phishing in which users are tricked into signing a transaction (typically a token approval) that gives the attacker control over the users’ digital assets; the BadgerDAO and Celer attacks are examples.
Many are hailing Web3’s growth as the ‘next big revolution’ in digital tech, since it stands to make life easier for the unbanked and everyone else involved. However, there is still much room for improvement in addressing the risks associated with loopholes and vulnerabilities that could potentially cause massive compromises in the future.
Combatting Web3 Security Challenges
When dealing with Web3 platforms, a comprehensive security strategy must be in place before a potential issue arises, because a transaction on a decentralized ledger cannot be reversed once it is confirmed. In this regard, protocols need to think about security comprehensively from pre-deployment to post-deployment: smart contract audits, monitoring and response, bug bounties, and cyber insurance. On the end-user side, education is an important component, but users also need to be supported in making secure decisions. This could be accomplished by making transactions more understandable (showing what a signature actually grants) and by building negative/positive reputation systems that warn users before they sign a transaction that would result in an undesirable outcome.
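As an added illustration of the reputation-based warning described above and of the ice-phishing approvals mentioned earlier (this is example code written for this page, not Forta’s own bot or the author’s code), the following detector decodes the two calls an ice-phishing page typically tricks a victim into signing, ERC-20 `approve(address,uint256)` and ERC-721/1155 `setApprovalForAll(address,bool)`, and rates each approval against a positive-reputation list of known spenders and a negative-reputation list of known drainers. The two 4-byte selectors are the real identifiers of those functions; every address and transaction in the block is constructed for the example, and the list contents are hypothetical.

```python
"""Toy ice-phishing detector for token approval transactions.

Added example for this page, not Forta's code. All addresses, reputation
entries and transactions below are constructed for illustration.
"""
from dataclasses import dataclass

# 4-byte function selectors: the first four bytes of keccak256(signature).
APPROVE_SELECTOR = "095ea7b3"               # approve(address,uint256)
SET_APPROVAL_FOR_ALL_SELECTOR = "a22cb465"  # setApprovalForAll(address,bool)
UNLIMITED = 2**256 - 1                      # "infinite" ERC-20 allowance

# Hypothetical reputation lists (constructed addresses, lowercase).
ROUTER = "0x1111111111111111111111111111111111111111"
DRAINER = "0xdeaddeaddeaddeaddeaddeaddeaddeaddeaddead"
UNKNOWN = "0xabcdabcdabcdabcdabcdabcdabcdabcdabcdabcd"
POSITIVE_REPUTATION = {ROUTER: "ExampleSwap router (hypothetical)"}
NEGATIVE_REPUTATION = {DRAINER: "known drainer (hypothetical)"}


@dataclass
class Finding:
    tx_hash: str
    severity: str
    description: str


def encode_calldata(selector: str, address: str, value: int) -> str:
    """ABI-encode (address, uint256|bool) calldata. Used only to build sample input."""
    addr_word = address.lower().removeprefix("0x").rjust(64, "0")
    return "0x" + selector + addr_word + format(value, "064x")


def _word(data: str, index: int) -> str:
    """Return the index-th 32-byte ABI word (as hex) after the 4-byte selector."""
    start = 8 + index * 64
    return data[start:start + 64]


def decode_approval(calldata: str):
    """Decode approve()/setApprovalForAll() calldata into (kind, target, value), else None."""
    data = calldata.lower().removeprefix("0x")
    if len(data) < 8 + 2 * 64:
        return None
    selector = data[:8]
    target = "0x" + _word(data, 0)[24:]        # address is the low 20 bytes of the word
    if selector == APPROVE_SELECTOR:
        return ("approve", target, int(_word(data, 1), 16))
    if selector == SET_APPROVAL_FOR_ALL_SELECTOR:
        return ("setApprovalForAll", target, int(_word(data, 1), 16) != 0)
    return None


def analyze_transaction(tx: dict) -> list:
    """Rate one transaction. Revocations and approvals to reputable spenders are silent."""
    decoded = decode_approval(tx["input"])
    if decoded is None:
        return []
    kind, target, value = decoded
    # A revocation (allowance 0 / operator False) is the desired outcome, not a threat.
    if (kind == "approve" and value == 0) or (kind == "setApprovalForAll" and not value):
        return []
    if target in NEGATIVE_REPUTATION:
        return [Finding(tx["hash"], "critical",
                        f"{kind} granted to {target}: {NEGATIVE_REPUTATION[target]}")]
    if target in POSITIVE_REPUTATION:
        return []
    if kind == "approve" and value == UNLIMITED:
        return [Finding(tx["hash"], "high",
                        f"unlimited ERC-20 allowance granted to unknown spender {target}")]
    if kind == "setApprovalForAll":
        return [Finding(tx["hash"], "high",
                        f"operator approval over an entire collection granted to unknown {target}")]
    return [Finding(tx["hash"], "medium",
                    f"limited allowance of {value} granted to unknown spender {target}")]


def run_detector(transactions: list) -> list:
    """Run the detector over a batch of transactions and collect all findings."""
    findings = []
    for tx in transactions:
        findings.extend(analyze_transaction(tx))
    return findings


# Constructed sample transactions (token contract address omitted; only calldata matters here).
SAMPLE_TRANSACTIONS = [
    {"hash": "0x01", "input": encode_calldata(APPROVE_SELECTOR, ROUTER, UNLIMITED)},      # reputable
    {"hash": "0x02", "input": encode_calldata(APPROVE_SELECTOR, UNKNOWN, UNLIMITED)},     # high
    {"hash": "0x03", "input": encode_calldata(SET_APPROVAL_FOR_ALL_SELECTOR, DRAINER, 1)},  # critical
    {"hash": "0x04", "input": encode_calldata(APPROVE_SELECTOR, UNKNOWN, 0)},             # revocation
    {"hash": "0x05", "input": "0x"},                                                      # plain transfer
    {"hash": "0x06", "input": encode_calldata(APPROVE_SELECTOR, UNKNOWN, 1000)},          # medium
]

if __name__ == "__main__":
    for finding in run_detector(SAMPLE_TRANSACTIONS):
        print(f"[{finding.severity}] tx {finding.tx_hash}: {finding.description}")
```

In a real deployment the reputation lists would be fed by the monitoring pipeline rather than hardcoded, and the wallet or dApp front end would surface the finding to the user before the transaction is signed, since after confirmation there is nothing left to warn about.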
These solutions need to be adaptable to evolve with the changing threat landscape. Security platforms that combine sound engineering with artificial intelligence (AI) and machine learning (ML) are needed to detect and flush out security threats in real time.
AI and ML, in particular, can improve the efficiency and decision-making of security platforms: models trained on on-chain data from the Web3 ecosystem can turn raw transactions into digestible signals that protect users from various threats in an automated fashion.
Last, but not least, it is worth mentioning that since cybercriminals, too, enjoy a wide array of freedoms and end-user ownership benefits offered by Web3 — making them more dangerous than ever before — security firms must develop holistic solutions that consider the highly autonomous nature of Web3. In doing so, they can empower users to harness this technological paradigm’s vast potential to their advantage.
As the world transitions towards a digital age helmed by Web3-enabled technologies, the industry needs to support end users and protocols in adopting a comprehensive security strategy. Hackers are continuously developing new schemes, and the Web3 ecosystem needs to roll up its sleeves and remain ready.
About the author:

Christian Seifert is a Security Researcher in the Forta community who previously spent 14 years working on web security at Microsoft.
The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.