Blockchain
February 22, 2023

Is Web3 Secure? Everything You Need to Know about Security in Web3

Thanks to decentralization and blockchain technology, Web3 is expected to be the next fundamental step in the development of the Internet. But adopting these technologies also brings new risks and new types of cyber attack. Cybercriminals looking to capitalize on these developments are finding new ways to compromise the products and services used in the Web3 space, such as smart contracts, cryptocurrencies, and non-fungible tokens (NFTs). In 2022 alone, hackers stole $2 billion worth of crypto.

What exactly is security in Web3? What are the most serious risks and challenges in this area? Keep reading to find out.

What is Web3 security?

In moving beyond Web2, Web3 removes some of the weaknesses inherent to Web2 technology, above all the dependence on a single central provider that can be breached, censored, or taken offline. However, the transition is not painless: Web3 brings its own set of vulnerabilities and, because its frontends and tooling are still built on Web2 technology, inherits many Web2 problems as well.

Web3 security refers to the many attack vectors that both projects and users face, and to the various means by which they can defend themselves. It is also about the shared goals of the Web3 ecosystem, whose projects depend on each other's success and security.

Web3 relies on decentralized storage of data, using cryptography to ensure that data cannot be altered or removed without the agreement of the supporting network. For example, it is difficult and expensive to change a given block in a blockchain. Each block stores the hash of the block before it, so changing the contents of a block changes that block's hash; the next block's stored previous-hash no longer matches, that block's own hash changes once it is re-linked, and so on to the end of the chain. In other words, any change requires rewriting every subsequent block, redoing the proof of work (or re-collecting the validator signatures) for each one, and then getting the rest of the network to accept the rewritten history. It is not impossible, but it demands broad consensus from the supporting network and is highly resource-intensive. Clients participating in Web3 therefore do not have to trust a centralized provider: they trust the protocol and the network's consensus instead.
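The chaining described above, as an added example that is not part of the original article: a minimal Python hash chain with a toy proof-of-work target. It shows that a quiet edit to an old block is detected by any node validating the chain, and that hiding the edit means re-mining that block and every block after it. The block layout, the difficulty, and the transaction strings are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional

# Toy proof-of-work target: the block hash must start with this many zero hex digits.
# Real chains use a far higher difficulty; this keeps the example fast.
DIFFICULTY = 2


@dataclass
class Block:
    index: int
    prev_hash: str  # hash of the previous block; this is what chains the blocks together
    data: str
    nonce: int = 0

    def hash(self) -> str:
        # The hash covers every field, so any edit to the block changes it.
        payload = json.dumps([self.index, self.prev_hash, self.data, self.nonce])
        return hashlib.sha256(payload.encode()).hexdigest()

    def meets_target(self) -> bool:
        return self.hash().startswith("0" * DIFFICULTY)


def mine(block: Block) -> Block:
    """Search for a nonce that makes the block hash meet the target (the 'work')."""
    block.nonce = 0
    while not block.meets_target():
        block.nonce += 1
    return block


def build_chain(records: List[str]) -> List[Block]:
    chain = [mine(Block(0, "0" * 64, "genesis"))]
    for i, data in enumerate(records, start=1):
        chain.append(mine(Block(i, chain[-1].hash(), data)))
    return chain


def first_invalid_block(chain: List[Block]) -> Optional[int]:
    """Validate a chain the way a receiving node would; return the first bad index, or None."""
    for i, block in enumerate(chain):
        if not block.meets_target():
            return i  # hash no longer matches the work that was done for this block
        if i > 0 and block.prev_hash != chain[i - 1].hash():
            return i  # link to the previous block is broken
    return None


def rewrite_history(chain: List[Block], index: int, new_data: str) -> int:
    """What an attacker must do to alter block `index`: re-mine it and every later block.
    Returns how many blocks had to be re-mined (the cost of the rewrite)."""
    chain[index].data = new_data
    mine(chain[index])
    for i in range(index + 1, len(chain)):
        chain[i].prev_hash = chain[i - 1].hash()
        mine(chain[i])
    return len(chain) - index


if __name__ == "__main__":
    chain = build_chain(["alice->bob 5", "bob->carol 2", "carol->dave 1"])
    print("valid chain, first bad block:", first_invalid_block(chain))
    chain[1].data = "alice->bob 500"  # quiet edit of an old block
    print("after tampering, first bad block:", first_invalid_block(chain))
    print("blocks re-mined to hide it:", rewrite_history(chain, 1, "alice->bob 500"))
    print("rewritten chain validates locally:", first_invalid_block(chain) is None)
```

Even after the attacker re-mines the tail of the chain, the rewritten copy only validates locally; the honest network still holds the longer or heavier original, which is the consensus step the code cannot simulate.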

Security challenges in Web3

Anonymity

Web3 proponents present anonymity, or more precisely pseudonymity, as one of its key features. In cryptocurrencies, for example, user wallets and transactions are visible on the blockchain but are not tied to their owner's identity. This gives users some privacy, but it also poses challenges to security: KYC/AML checks are often absent, and linking activity to a person may depend on incidental data such as the IP address from which a node saw a transaction broadcast. If a hacker steals funds from a cryptocurrency wallet, it is difficult to track down the person responsible, and that difficulty of connecting a wallet to an identity is what lets attackers get away with stolen funds.

Recovering stolen funds therefore requires a complicated process of tracing the money flow from wallet to wallet until it reaches a point where an identity is known, typically a deposit at a centralized exchange. Privacy tools such as mixers make transactions harder to follow, but blockchain analytics tools can anticipate, track, and visualize attacks on the blockchain. That is why such tools are becoming a vital part of any project's security defenses: they address the pain points caused by anonymity.
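The tracing step described above, as an added example that is not part of the original article: a breadth-first walk over outgoing transfers from a thief's address, stopping wherever a trail reaches a known exchange deposit address (where the exchange's KYC records can attach an identity) or a mixer (where on-chain linkage breaks). The transfers, the placeholder addresses, and the attribution tables for exchanges and mixers are all constructed for the example; a real analytics provider maintains such tables from its own labelling.

```python
from collections import defaultdict, deque
from typing import Dict, List, Set, Tuple

Transfer = Tuple[str, str, float]  # (sender, recipient, amount)

# Constructed sample transfers; the addresses are placeholders, not real ones.
TRANSFERS: List[Transfer] = [
    ("0xVICTIM", "0xTHIEF", 100.0),             # the theft itself
    ("0xTHIEF", "0xHOP_A", 60.0),               # loot split across two paths
    ("0xTHIEF", "0xHOP_B", 40.0),
    ("0xHOP_A", "0xHOP_C", 60.0),
    ("0xHOP_C", "0xEXCHANGE_DEPOSIT_7", 59.5),  # cashed out via a centralized exchange
    ("0xHOP_B", "0xMIXER", 40.0),               # trail goes cold at a mixer
    ("0xUNRELATED", "0xHOP_C", 5.0),            # noise: unrelated inbound transfer
]

# Attribution data (assumed for the example) that an analytics provider would maintain.
EXCHANGE_DEPOSITS: Dict[str, str] = {"0xEXCHANGE_DEPOSIT_7": "ExampleExchange"}
MIXERS: Set[str] = {"0xMIXER"}


def build_graph(transfers: List[Transfer]) -> Dict[str, List[Tuple[str, float]]]:
    """Outgoing-edge adjacency list: sender -> [(recipient, amount), ...]."""
    graph: Dict[str, List[Tuple[str, float]]] = defaultdict(list)
    for sender, recipient, amount in transfers:
        graph[sender].append((recipient, amount))
    return graph


def trace_funds(start: str, transfers: List[Transfer], max_hops: int = 8) -> List[Dict[str, object]]:
    """Follow outgoing transfers from `start` breadth-first and report where each trail ends.

    A trail ends at a known exchange deposit address, at a mixer, at an address that has
    not moved the funds on (dormant), or when max_hops is exhausted.
    """
    graph = build_graph(transfers)
    results: List[Dict[str, object]] = []
    visited: Set[str] = {start}  # guards against cycles such as A -> B -> A
    queue = deque([(start, [start])])
    while queue:
        addr, path = queue.popleft()
        if addr in EXCHANGE_DEPOSITS:
            results.append({"path": path, "end": "exchange", "label": EXCHANGE_DEPOSITS[addr]})
            continue
        if addr in MIXERS:
            results.append({"path": path, "end": "mixer", "label": None})
            continue
        if len(path) - 1 >= max_hops:
            results.append({"path": path, "end": "hop_limit", "label": None})
            continue
        outgoing = graph.get(addr, [])
        if not outgoing:
            results.append({"path": path, "end": "dormant", "label": None})
            continue
        for recipient, _amount in outgoing:
            if recipient not in visited:
                visited.add(recipient)
                queue.append((recipient, path + [recipient]))
    return results


if __name__ == "__main__":
    for trail in trace_funds("0xTHIEF", TRANSFERS):
        print(" -> ".join(trail["path"]), "|", trail["end"], trail["label"] or "")
```

Only outgoing edges are followed, so the unrelated inbound transfer into 0xHOP_C does not pollute the trail. Real analytics tooling adds amount and timing heuristics to decide which outputs carry the stolen funds; the mixer result is exactly the point at which such per-transaction linkage stops working.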

In the future, regulatory frameworks will likely include Know Your Customer (KYC) and Anti-Money Laundering (AML) checks for Web3 users. One clear benefit for Web3 security is that this would combat widespread rug pull scams. Exit scams are the most common attack vector in Web3, so increasing transparency about project teams and their accountability is a significant advantage. The tension between the benefits and risks of internet anonymity has yet to be resolved, but new technologies such as decentralized identity may help address some of the concerns.

Transparency

Web3 projects typically foster transparency through public ledgers and open-source practices. Transparency creates a healthier environment for Web3 security, making it harder for projects and institutions to conduct irresponsible activity out of sight. Because the underlying code and its ledger activity are available for anyone to inspect, a project can be checked for issues, vulnerabilities, or malicious code at any time.

Still, this leaves projects open to new types of attack. Most people lack the time, expertise, or motivation to comb through a project's code looking for vulnerabilities and flaws, and those who do may be looking to exploit them for their own gain: an attacker can read a deployed contract just as easily as an auditor can. This problem becomes even more relevant given the speed at which the Web3 ecosystem is growing, with new technologies such as bridges, flash loans, and decentralized exchanges all being launched with potential vulnerabilities.

Centralization

While Web3 brings many benefits, it also presents risks, and one of them is centralization. Centralization risk is one of the most common attack vectors. Although decentralization is foundational to the Web3 ecosystem, both as technology and as an overarching principle, many projects still retain some centralized components. This happens for various reasons, from organizational goals and technological limitations to the simple convenience of running a project that way. But note that, in doing so, they provide a clear route of attack for hackers to exploit.

A good example of centralization risk is privileged access management. Attackers target project team members who hold privileged access to a network, with the goal of exploiting points of centralization in a project's structure and technology to make away with high-value assets. A good example of this is the Ronin Network hack of March 2022, in which an attacker used an advanced spear phishing attack to obtain enough of the network's validator private keys to drain the bridge of roughly $625 million.

Increasing decentralization is the answer to this challenge. This might entail distributing control of privileged keys over a larger number of independent parties, for example by requiring a threshold of signers rather than a single key, or moving control of a project's network away from its team to its community. Smart contract audits help prevent centralization risk by seeking out single points of failure and proposing solutions. Similarly, blockchain analytics tools provide project teams with on-chain insights into their smart contracts.

Key security risks of Web3

Although Web3 is more secure than Web 2.0 in some respects, like any technology, it introduces its share of security risks. Some of these vulnerabilities come from the way Web3 and Web 2.0 architectures work together; others are inherent to how protocols like blockchain and IPFS function. And Web3’s reliance on network consensus can make patching these and other flaws a slow process.

No encryption and verification for API queries

Web3 applications often rely on unauthenticated API calls, which introduces security vulnerabilities. In theory, Web3 is completely decentralized, and any connected node on the network can interface directly with stored data. In practice, however, most Web3 application frontends still rely on Web 2.0 technologies that users can interact with easily: a browser-based dApp typically reads chain state through an HTTP JSON-RPC endpoint run by the project or by a hosted provider.

Currently, such Web3 API queries are not cryptographically signed; only the transactions a user submits carry a signature. Unless the connection is protected by TLS, queries are exposed to on-path attacks, data interception, and other attacks, and even over TLS the client has no way to verify that the state it is shown (balances, prices, contract data) is what the chain actually holds, so a compromised or malicious endpoint can feed the frontend false data. Conventional web apps that talk plain HTTP have the same weaknesses: they are vulnerable to data leakage and on-path attacks unless the transport is encrypted and the requests themselves are authenticated with a cryptographic signature.
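What signing an API query looks like in practice, as an added example that is not part of the original article: each request carries an HMAC over its method, path, body hash, timestamp, and a random nonce, and the server rejects anything tampered, forged, stale, or replayed. This mirrors the key/secret scheme many exchange APIs use rather than a wallet signature; the header names, the key id, the shared secret, and the JSON-RPC body are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional, Set

# Assumed credentials issued by the API provider to this client (constructed for the example).
API_KEY = "demo-key-id"
API_SECRET = b"constructed-shared-secret-not-for-real-use"
MAX_SKEW_SECONDS = 30  # how far a request's timestamp may drift from server time


def canonical_string(method: str, path: str, body: bytes, timestamp: int, nonce: str) -> bytes:
    """Fixed field order joined by newlines, so the signature covers the whole request."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, body_hash, str(timestamp), nonce]).encode()


def sign_request(method: str, path: str, body: bytes, secret: bytes = API_SECRET,
                 now: Optional[float] = None) -> Dict[str, str]:
    """Client side: produce the headers that authenticate one request."""
    timestamp = int(now if now is not None else time.time())
    nonce = secrets.token_hex(16)  # unique per request; lets the server detect replays
    mac = hmac.new(secret, canonical_string(method, path, body, timestamp, nonce), hashlib.sha256)
    return {"X-Api-Key": API_KEY, "X-Timestamp": str(timestamp),
            "X-Nonce": nonce, "X-Signature": mac.hexdigest()}


class Verifier:
    """Server side: checks freshness, uniqueness, and the MAC before serving a query."""

    def __init__(self, secrets_by_key: Dict[str, bytes], max_skew: int = MAX_SKEW_SECONDS):
        self._secrets = secrets_by_key
        self._seen_nonces: Set[str] = set()  # in production, prune entries older than max_skew
        self.max_skew = max_skew

    def verify(self, method: str, path: str, body: bytes, headers: Dict[str, str],
               now: Optional[float] = None) -> bool:
        secret = self._secrets.get(headers.get("X-Api-Key", ""))
        if secret is None:
            return False  # unknown key id
        try:
            ts = int(headers["X-Timestamp"])
            nonce, sig = headers["X-Nonce"], headers["X-Signature"]
        except (KeyError, ValueError):
            return False  # missing or malformed headers
        current = now if now is not None else time.time()
        if abs(current - ts) > self.max_skew:
            return False  # stale or future-dated: bounds how long a captured request is useful
        if nonce in self._seen_nonces:
            return False  # replay of a request we already served
        expected = hmac.new(secret, canonical_string(method, path, body, ts, nonce), hashlib.sha256)
        if not hmac.compare_digest(expected.hexdigest(), sig):
            return False  # tampered fields or wrong secret
        self._seen_nonces.add(nonce)  # record only after success so failed attempts cannot burn nonces
        return True


if __name__ == "__main__":
    body = json.dumps({"jsonrpc": "2.0", "method": "eth_getBalance",
                       "params": ["0xabc", "latest"], "id": 1}).encode()
    headers = sign_request("POST", "/rpc", body)
    server = Verifier({API_KEY: API_SECRET})
    print("fresh request accepted:", server.verify("POST", "/rpc", body, headers))
    print("same request replayed:", server.verify("POST", "/rpc", body, headers))
    print("body altered on path:", server.verify("POST", "/rpc", b'{"id":2}', sign_request("POST", "/rpc", body)))
```

Hashing the body into the canonical string (rather than signing it directly) keeps the signed string small and makes large payloads cheap to verify. The signature authenticates the request, not the response; a client that wants assurance about the state a node returns needs the node's answer to be verifiable as well, for example by checking it against block headers or a second provider.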

Smart contracts are hackable

Like any code, smart contracts can contain major security flaws that put user funds and data at risk. Researchers have identified poorly coded Ethereum smart contracts that put around $4 million in Ether at risk, and the problem has not improved with time. In 2021, a hacker stole approximately $31 million in digital currency from MonoX Finance by exploiting a flaw in one of its smart contracts. And in 2022, the failure of TerraUSD's algorithmic peg mechanism wiped out about $50 billion in value.

Companies can reduce this risk by having their contracts audited before deployment by a specialized and trusted security firm, keeping in mind that an audit lowers the risk but does not eliminate it.

Account or wallet theft

Attacks on cryptocurrency and non-fungible token (NFT) wallets are common. Most often, attackers obtain users' private keys, either by compromising the device or by tricking users into handing over their keys or seed phrases through phishing schemes. Private keys stored locally on a user's device are also vulnerable to physical theft of the device and to malware running on it.

So far, with cryptocurrency being the main use of decentralized applications (dApps) and Web3 technology in general, most attacks have targeted digital currency. But the implications for other applications of Web3 technology could be equally significant.

Privacy issues for decentralized storage

In contrast to the Web 2.0 model, where access to databases is tightly restricted, data on a blockchain is replicated to, and readable by, every connected node, and it cannot be deleted afterwards. This introduces multiple security and privacy concerns depending on what data is stored: even if it is pseudonymized at rest, no data is truly anonymous, and anything written to a public chain must be assumed to be readable by everyone, permanently.

Bridge and protocol attacks

Just as the Internet has several layers, so does blockchain, and protocols built on top of a chain add their own attack surface. One example is the widespread reliance on “bridges”, which enable transfers of assets from one blockchain to another and must therefore hold or control large amounts of value. This can be a point of vulnerability, as in February 2022 when thieves exploited the Wormhole bridge to steal $320 million in cryptocurrency. Another example is Binance, which halted the BNB Smart Chain (formerly Binance Smart Chain, BSC) in October 2022 after its cross-chain bridge was exploited.

The future of Web3 security

As businesses explore the blockchain space, they must ensure that security remains a top concern. Security holes can cripple a business or damage its reputation. And because blockchain applications rely on traditional Web 2.0 applications for frontends, businesses will need to simultaneously address both traditional and blockchain security risks.

Web3 security and the Web3 ecosystem are inextricably linked, and the Web3 ecosystem cannot grow without specific measures to protect it. To that end, specialized security solutions play a vital role in fostering Web3 security across the leading projects that seek to make their security a priority.

If you found this article interesting and would like to deepen your knowledge about Web3, read our article What is Web3 and how does it work?.
