Exploring The Web3 Security Landscape in 2024

web3 security

Exploring The Web3 Security Landscape in 2024

Decentralized finance (DeFi) applications, such as protocols, run on public blockchains and use open-source codebases that malicious actors can inspect and exploit in a pseudonymous manner. Over the last few years, DeFi users and investors has suffered more than $12 billion in losses due to theft and fraud. This provokes the question: Are DeFi systems fundamentally insecure, and will this stunt their adoption?

Web3 security is not intractable but immature.

Unnamed security expert

This article will discuss the various sub-categories of web3 security that have emerged, for better equipping the decision making of end-users, investors, web3-developers, C-level executives, and any participants who may choose to get involved with Web3.

Defining the Web3 Security Verticals

  • Smart contract audit services
  • Formal verification
  • Crowdsourced security
  • Threat monitoring and incident response
  • Blockchain forensics (KYC + AML)
  • Protocol risk management
  • User security

Smart contract audit services

An audit is a process that evaluates the smart contract code of a system to expose vulnerabilities and propose ways in which its security can be improved. Cutting-edge smart contract firms, like ConsenSys, combine manual code reviews and automated vulnerability scanning to scrutinize contract code for potential vulnerabilities. Despite the value of manual code inspection by experienced auditors, complex systems are difficult to scrutinize, resulting in deployment delays. That is why, an increasing number of audit companies are applying their expertise towards the design of proprietary and open-source software that can automatically detect known vulnerabilities. This enables manual inspectors to focus on discovering new or insiduous errors. Notable examples include ConsenSys Diligence's suite of automated testing tools like Mythril, Surya, and Diligence Fuzzing, as well as offerings from Trail of Bits such as Echidna, Slither, and Manticore. Additionally, initiatives like Pwned No More are pioneering AI-driven automated fuzzing engines to optimize code analysis within the web3 security auditing domain.

Formal verification

Audits can discover errors in the code of a smart contract that may cause it to behave incorrectly at runtime. However, they can't guarantee that it will always behave correctly. This is where formal verification comes in. It proves that a smart contract tightly adheres to certain specifications, providing stronger assurances that it will work reliably and securely. Formal verification involves translating the code of a smart contract into an abstract mathematical representation called a formal model. Enginners can verify that the smart contract matches its specifiction by applying techniques like automated theorem proving and model checking.

Crowdsourced security

Crowdsourced security in Web3, typically takes the form of bug bounty programs and audit contests. Bug bounties provide, often generous, financial incentives for finding bugs in smart contracts. Rewards can range from a hundred dollars, to several million, in proportion to the severity of the discovered vulnerability. Immunefi stands out as a major player in the field, recently securing funding to broaden its range of services beyond the typical bug bounty hosting and consultation offerings. Other bug bounty platforms such as Hackenproof, HackerOne, and Bugcrowd also engage whitehat hackers to uncover vulnerabilities and prevent potential exploits for project teams. Code4rena and Secure3 present an unconventional approach to traditional audits through audit contests, which, despite their experimental nature, offer advantages like reduced wait times and access to a diverse pool of security experts. Additionally, platforms like Sherlock are innovating by integrating decentralized auditing with insurance coverage, enhancing the value proposition for clients.

Threat monitoring and incident response

Public blockchains, being censorship-resistant and decentralized, render traditional methods of attack detection and prevention ineffective for Web3 applications. Developers lack the ability to restrict interactions, reverse operations, or take servers offline, necessitating investment in preemptive solutions to gather information and promptly respond to potential threats. While comprehensive discussion of proactive threat prevention merits separate consideration, it's evident that threat detection and emergency response services are essential for security-conscious developers. Forta incentivizes bot operators to monitor on-chain activities for high-risk transactions, while Tenderly Alerts provides similar services for identifying suspicious operations involving specific smart contracts and wallet addresses. OpenZeppelin Defender suite equips web3 project teams with incident response tools, integrating multisig wallet infrastructure and a private relayer service to expedite emergency actions such as protocol pausing. Notably, some companies like Forta, Cyvers, and Hypernative are integrating artificial intelligence and machine learning (AI/ML) for advanced smart contract monitoring. Trained AI models analyze data from various sources to detect anomalies in real-time and assist teams in preemptively addressing attacks and thwarting exploits.

Blockchain forensics (KYC + AML)

Blockchain forensics firms offer tools for analyzing blockchain data to uncover financial crimes involving cryptocurrencies. Common use cases include tracing funds after crypto hacks, or de-anonymizing criminal actors by linking addresses to real-world identities. Elliptic, Chainalysis, and CipherTrace (a subsidiary of MasterCard) are prominent examples in this field, alongside emerging players like Merkle Science and TRM Labs. Their services also benefit traditional finance institutions entering DeFi, addressing compliance concerns by providing insights into cryptocurrency transactions and user profiles. This enables businesses to monitor and restrict activities that contravene anti-money laundering (AML) regulations. Notable examples include "Know Your Token" (KYT) services like Solidus Labs' recent acquisition, TokenSniffer, which helps detect scam contracts and blacklist tokens on centralized exchanges and TradFi institutions. Similarly, "Know Your Wallet" (KYW) offerings from firms such as Coinfirm, TRM Labs, and AnChain enable inspection and blocking of transactions from addresses associated with illicit activity, leveraging AI for predictive analysis.

Protocol risk management

The standard use of audits and bug bounties in web3 have reduced the number of vulnerabilities in code, yet attackers are now resorting to hacks that exploit economic mechanisms to compromise systems, as seen in incidents like the Mango Finance exploit and Euler Finance hack. Consequently, there's a growing need for solutions that enhance cryptoeconomic security for users, often categorized as protocol risk management tools. These solutions empower protocol developers to optimize efficiency and incentives while mitigating attacks arising from volatile market conditions. Leading players that drive the adoption of risk management, are entities like Gauntlet Networks and Chaos Labs, which have serviced Aave, Maker, and Compound. Additionally, platforms like Apostro offer risk management solutions that aid DeFi protocols in monitoring market conditions, identifying price oracle anomalies, and implementing stringent liquidity requirements.

User security

As scammers refine old tactics and evolve new ones, even advanced crypto users find OpSec (operational security) difficult. This is why consumer security solutions that help users, investors, and institutions safeguard digital assets have a compelling value proposition. Fraud prevention, transaction safety, and private key management are viewed as the most dominant verticals in this category.

Transaction safety: These are tools that provide real-time risk assessment of transactions and flag or block risky operations that could result in loss of funds.

Fraud prevention: This includes applications designed to detect malicious contracts and tokens, social media scams, phishing websites, social engineering schemes, and more.

Secure key management: Multisignature wallet technology and multiparty-computation (MPC) reduce the safety risk that is inherent with centralized storage of private keys and seed phrases.

Final Words:

Web3 security is evolving, with projects prioritizing pre-launch audits but lagging in adopting DevSecOps practices. However, as web3 product teams shift towards a security-first approach, the utilization of discussed tooling is expected to rise. Currently underutilized layers of the web3 security stack are likely to see increased attention as the industry matures, especially in DeFi where security activities may expand to include proactive threat monitoring, automated risk management, and not just vulnerability assessments. Anticipate audit companies to develop products facilitating automated and scalable security testing, exemplified by ConsenSys Diligence's Diligence Fuzzing tool for detecting smart contract vulnerabilities. Moreover, as web3 adoption grows, ensuring on-chain user security will become paramount, offering opportunities for services to scale and establish sustainable economic models.