Tl;dr: Yes, we know it sounds absurd. After all, Web3 security is currently one of the most ridiculed topics in the tech landscape. This claim is largely supported by the fact that Web3 lost more than $10 billions USD last year due to security incidents. However, we believe the current state of affairs should be considered more “growing pains” than steady state. In fact, once Web3 matures, its apps will surpass the security assurances of “Web2 apps”.
Before we start discussing Web3 security, we need to first define what Web3 is.
For now, let’s define Web3 as apps that rely on “Smart Contracts” with their business logic and storage implemented on the blockchain. Therefore, Web3 mainly consists of Decentralized Finance (DeFi) apps and NFTs, but can expand to more fields in the future.
Now that we have defined Web3, we can discuss its security, which mainly consists of smart contract security. For brevity, we will only address Ethereum’s smart contracts, but we believe the arguments are general enough and hold true for similar systems and blockchains.
Close your eyes and imagine a software environment without malware, Denial of Service (DoS) and other popular attack methods. That would be an exciting upgrade, right? Now, open your eyes and look at Web3. This is how we achieve this security utopia:
If this trust is compromised by malware or a hardware supply chain attack, attackers can gain control. Web3 solves that fundamental security issue with decentralization of execution. All of the blockchain nodes are executing the web3 code in parallel and must agree on the result of the execution.
Unless there is some systematic risk in the execution engine itself (e.g. a vulnerability in Ethereum’s EVM itself), attackers would have to launch a “51% attack” to infect the majority of the blockchain node with malware in order to subvert its execution.
Such as SQL injection and command injection, which allow attackers to smuggle their unintended input to the unprepared web app.
In contrast, Web3 is strongly typed and such unintended inputs (e.g. a string when a number is expected) would fail immediately without any special preparation on the Web3 app side.
In contrast, Web3 apps are unaffected by DOS attacks. Blockchains protect themselves against excessive use by utilizing transaction fees that increase with demand, thus making DoS attacks prohibitively expensive.
There are other important security elements in which Web3 provides better security (e.g. software supply chain attacks). Even just including the short list above, a software environment without malware, DoS, and injection attacks would be a utopia!
Besides the aforementioned technical advantages, Web3 also carries some important philosophical security advantages. Web3 has total openness and permissionless transparency.
The open security philosophy had many advocates in the security community long before the emergence of Web3. Many asserted it would yield better security than “security through obscurity”.
Web3 takes open security concepts to the extreme. In Web3 not only the code is open sourced as a social convention but also the binaries are publicly available on the blockchain by definition and can be verified to be the outcome of the published source code. Furthermore, all code executions (transactions) are public by definition and can be verified and scrutinized by anyone.
So, if Web3 security is so much superior to Web2 in theory, why is DeFi suffering from these large hacks, while the traditional banking apps are not?
We think the reason is not because of Web3 security per se, but because the environment allows attackers to monetize their hack far easier.
Web3 apps are always on 24/7/365, and are dealing with “cash money” as transfers over the blockchain are almost immediate and immutable. Conversely, hacks in the classic banking systems allow the malicious transactions to be reverted until the attackers cash in.
To illustrate, let’s look at the one of the largest reported banking hacks: the 2016 Bangladesh bank digital heist.
The attackers used a malware based campaign to infiltrate the bank, and send fraudulent SWIFT wires to try and hack $1B. To monetize, the attackers needed to aim for a specific bank holiday to allow enough time to cash out. They also needed advanced preparation in a Philippines bank where many of the wires were being sent. Eventually, the attackers were able to gain only $60M out of the potential $1B. This was not because of the banks’ superior software security, but due to the more lenient environment that gave enough time to defenders to revert.
From this example and others, we can conclude that in order to improve security we need to buy more time for defenders to defeat attackers. To do so, we need to either 1) reduce the amount of time it takes to detect an attack, 2) increase the amount of time it takes to finalize a transaction, or both.
We are very optimistic about our ability as a community to improve attacks’ detection time. There are already some security firms (e.g. peckshield) providing alerts on hacks based on publicly available data. Also leveraging the aforementioned blockchain transparency and “open security” state of mind.
Looking into recent hacks and their post-mortems, nothing prevents the analysis from being executed in real time as the transactions are executed (potentially before, when the transactions are “proposed” in the node’s mempool). Such an advanced warning system may be enough to greatly reduce attack detection time, if and when it is integrated into contracts. This was suggested by recently emerging projects such as Forta.network and others.
Additionally, cashing out is not as easy as it seems. Some crypto tokens already apply a blacklist capable of freezing assets. Furthermore, to cash out into fiat, attackers typically need to go through centralized exchanges that are regulated and apply KYC (Know Your Customer). As a result, even today some attackers prefer to return most of the hacked funds and settle for a smaller portion, often played down as a “bug bounty” awarded by the victim app.
As we have seen with the recently seized Bitfinex hackers’ funds, it’s actually very difficult to cash out large sums of crypto. It is safe to assume it’s only going to get harder.
Web3 security is not currently in the most ideal state, but it has the potential to seriously improve the security of our digital activities. As with most revolutionary technologies, functionality was the primary aim of Web3 and security came only once it had gained enough traction. There continues to be a flow of security talent along with backing from VCs and successful Web3 projects, which makes us very confident Web3 security will live up to its full potential!
Or in Web3 jargon, WAGMI.
WE’RE ALL GONNA MAKE IT! 😀