Web3 Needs More and Better Pliers and Hammers in Its Cybersecurity Toolbox

Published March 25, 2024 1:08 PM
By Guest Writer
Verified by Ana Alexandre
Key Takeaways
  • Existing security tools have shown limited ability to protect Web3 projects and users from losing millions in digital assets.
  • Sacrificing security for quick cash is a formula for disaster for projects in the Web3 space.
  • Integrating battle-proven Web1 and Web2 security tools and mechanisms into Web3 will require a concerted effort.

Decentralized technologies are slowly but surely seeping into the mainstream, with many governments and central banks increasingly adopting and regulating digital currencies.

Businesses, too, are keeping pace in search of the diamond in the rough—the unique way to leverage the latest technologies to onboard billions of users and drive profits. A rethinking of the way people and businesses transact is underway.

This gradual supplanting of the financial systems of old in favor of decentralization has brought about a surge in automated Web3 security tools designed to lend support to manual security reviews.

However, those available in the market show limited ability to protect Web3 projects and users from losing millions in digital assets. Last year alone, Web3 hackers and fraudsters took home $1.8 billion in stolen funds.

News of such hacks in a space where protocols are deeply intertwined and even a minor security threat can have far-reaching consequences for millions has sometimes caused irreparable reputational damage to the cause.

No wonder security is still the main impediment to the mass adoption of Web3. As a security expert leading a pioneering global cybersecurity company, I do want to talk about security. Let me show you why this goes beyond personal interests.

Move fast (but don’t) break things

As an early disciple of all things Web3, I’m excited to see decentralized technologies mushroom in every way, including novel cryptography, zero-knowledge proof, liquid staking, restaking, and more.

But all too often, the driver of such rapid growth is either money, a desire to be the first to bring a product to market, or both. And who can blame them? Operating in a nascent industry, where competition is tough and pressure from investors to produce results fast is ever-present, is a challenging feat.

The problem with this approach is that the security infrastructure meant to keep projects and the assets they hold safe is typically the first to take a hit. In addition, not enough projects put in the work to select trusted and reputable partners for a proper security check. Thus, it becomes evident why security is the most significant obstacle to Web3 adoption at scale.

The night is dark and full of terrors

Distributed ledger technologies (DLTs) like blockchain and smart contracts that power them are inherently endowed with a degree of security. This is thanks to the cryptographic techniques at the core of DLTs and the immutability of smart contract code.

Yet neither is without its Achilles' heel. Unlike Web2, where draining a protocol of its assets is an extremely rare occurrence, Web3 exposes users, builders, projects, investors, and everyone in between to a single point of failure: one line of code containing a single inconsistency that can (and probably will) spell financial disaster.

Stories of single-point-of-failure exploits abound. The most recent and disastrous example is the $81 million exploit of the cross-chain bridging platform Orbit Chain.

Ironically, even immutability—a cornerstone of Web3—comes with a catch. What do you do when a bug is accidentally baked into the code of a smart contract and there is no due recourse?

The recent Slerf incident, where $10 million worth of a Solana meme coin was irrevocably burnt, offers the ideal cautionary tale.

This tells all those who dare venture into Web3 that it’s still a very dangerous place to be without proper protection.

Spend some to get some

Yet, in the time I’ve been in Web3, one of the biggest challenges has been getting companies in the space to appreciate the importance of thoroughly reviewing their tech at regular intervals.

Don’t get me wrong. I know an expensive security review can be painful when funds are low and the need to go to the market is pressing. But with millions, if not billions, at risk, the stakes are just too high.

Existing Web3 security tools have experienced a leap forward and are getting markedly better over time. There’s even one now that lets you run queries and uncover vulnerabilities in the millions of smart contracts deployed across every integrated EVM blockchain. It does this in a matter of seconds, safeguarding billions in digital assets.

However, keep in mind that cyber threat actors are constantly evolving their techniques and looking for new ways to exploit code.

Previous iterations of the web have long since addressed these with a whole range of web app security solutions and initiatives like the Open Worldwide Application Security Project (OWASP). Meanwhile, similar enterprises in Web3 are still in their embryonic phase.

The number of Web3 fintech projects is steadily rising and approaching a state of stability. A concerted effort to transplant battle-proven web infosec mechanisms and processes into the security fabric of the new digital landscape is required to attain equilibrium.

This must happen on par with the continued development of new and better tools to address the security challenges unique to Web3.

About the author: Sipan Vardanyan is a co-founder and CEO at Hexens, a cybersecurity solutions firm pioneering a safer Web3 ecosystem. The proud recipient of several hacker awards in pentesting and OSINT, Sipan boasts the title of the youngest Chief Information Security Officer of an Armenian bank at age 22 and was the OWASP Armenia Chapter Lead. Sipan is also a co-founder of ARMSec, Armenia’s premier security conference, and is an advisor to multiple global tech startups, offering expert guidance and insights to help them grow and thrive in their respective fields.

Disclaimer: The views, thoughts, and opinions expressed in the article belong solely to the author, and not necessarily to CCN, its management, employees, or affiliates. This content is for informational purposes only and should not be considered professional advice.
