The move towards decentralization and web3 has, unbeknown to many, necessitated a paradigm shift in security. Projects and protocols can be custodying millions of dollars in digital assets, all accessible from the internet.
The same assumptions that underpinned the cybersecurity industry in web2 simply no longer apply.
Brian Pak, CEO of web3 security firm ChainLight, told CCN that, thanks to the sector’s relative youth, “web3 clients navigate a dynamic and less predictable environment.”
Pak notes that while traditional tech “emphasizes perimeter security, data encryption, and centralized trust,” web3 operates in a “dynamic and less predictable environment.” New attack vectors like smart contract hacks demand “innovative approaches to safeguard decentralized assets and systems.”
Key concerns about smart contracts include reentrancy attacks, where an external call re-enters a function before it has finished executing; gas limiting, a technique that causes transactions to fail; and timestamp dependencies, which can lead to manipulation risks. All of these exploit methods would have been unknown to your typical cybersecurity expert only a few years ago. Most outside of crypto still won’t have much of an idea about them.
While smart contracts enable trustless exchange by executing automatically based on predefined conditions, Pak believes “trustlessness has an inversely proportional relationship with cost from an end-user’s perspective.” To balance things, projects should look at whether making systems fully trustless starts hurting how easy they are for people to actually use.
To top things off, vulnerabilities in web3 can be more easily spotted by those with the requisite skills. The web3 ecosystem “tends to be open-source and thus open to scrutiny or attack from anyone,” explains Pak.
In a trend familiar to anyone who has closely followed the crypto world, individuals and institutions aren’t directly succumbing to hacking attempts, explains Pak. Instead, they’re incurring losses through their investments in protocols like the HECO bridge, Wormhole and Ronin.
Cross-chain bridges in crypto connect different networks, enabling asset transfers and interoperability across blockchains. But the fact they’re a recipient of so many funds makes them a prime target for hackers.
Furthermore, major exchanges like Curve, KyberSwap, and CoinEx have suffered substantial financial hits in the past year. Curve faced a $62 million loss, KyberSwap $48 million, and CoinEx $70 million. Pak said: “Vulnerabilities tend to be exploited in areas of the ecosystem where most of the volume tends to reside.”
Does Pak have any advice for the legions of web3 projects, many of them holding millions of dollars in digital assets? He said: “Build in a way that ensures security by design.
“In doing so, projects can help ensure they aren’t stagnating but also aren’t cutting corners in the name of progress.
“By designing each and every product with security in mind, developers can achieve the best equilibrium of a secure system right from the start.”
But things are improving, says the ChainLight CEO. Many users are taking the time to scrutinize projects’ security bona fides, even checking who conducted the project’s security audit. This is a positive development, says Pak.
Thankfully for users, protocols are investing more into “post-audit” monitoring for ongoing resilience. Two examples are investing in on-chain monitoring and performing battle-tests — a simulated exercise that replicates a real-world attack. This “can help teams prepare for worst-case scenarios.”