Web3 security opportunities and the lessons we must learn from Web2
Even though much of the initial hype around the crypto economy hinged on its use of blockchain technology, more and more people in the last couple of years (especially following the decentralized finance boom of 2020) have begun to realize that the ongoing Web3 revolution is much broader than its underlying technology.
To put it another way, Web3 represents an entirely new paradigm for the world wide web (Web2) — one that is rooted not only in the ethos of decentralization and shared ownership of data, but also in transparency.
However, like any other technology, Web3 also has its share of problems. As this sector has grown over the last few years, so has the entry of bad actors and hackers. Since these individuals are financially incentivized to carry out their nefarious schemes, it is possible for them to illegally acquire millions of dollars via a single exploit, which is entirely unheard of in the world of traditional Web2 systems.
To elaborate, even though there are several well-established security/privacy systems in the Web3 market today (such as OpenZeppelin’s secure contract library, Immunefi’s bug bounty, and Peckshield’s scam token and phishing site protection), it continues to face a growing number of hacks, seemingly every month. For example, earlier in October, Binance’s BSC Token Hub bridge was drained of more than $500 million after hackers were able to forge artificial withdrawal proofs. Similarly, Axie Infinity’s Ronin bridge was hacked earlier this year for $650M.
How can Web3 become more secure?
Straight off the bat, it is worth mentioning that no single magic solution can make Web2 and Web3 systems completely airtight. However, we can employ a layered, comprehensive security approach to minimize risk, including monitoring and incident response.
In this regard, decentralized, real-time threat detection networks capable of bolstering the security of Web3 platforms — while at the same time providing blockchain activity monitoring — can be of much use. Moreover, it can be helpful to incorporate features such as community incentivization because they allow participants of these platforms to shape the future of the network and own the value they generate.
That said, analyzing the similarities and differences between Web2 and Web3 can unearth great opportunities for strengthening and innovating in Web3 security. So, without any further ado, let’s jump straight to the heart of the matter.
A look at the similarities between Web3 and Web2
Many have argued that blockchain transactions feature a high degree of atomicity; however, when it comes to Web2 systems, hackers must go through a whole host of complicated steps to facilitate their illegal actions. In essence, atomicity refers to the idea that a single transaction contains many different actions, all of which must be correct to be accepted. In other words, if any individual part of the transaction is incorrect or conflicting, the entire transaction will fail.
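The all-or-nothing behaviour described above, as an added example that is not part of the original article: a toy in-memory ledger in which a guard check placed as the last action reverts every earlier action when it fails. The ledger, account names and the helpers transfer, require_balance_at_least and execute_atomically are hypothetical and do not model any real chain or contract.

```python
from copy import deepcopy


class ActionFailed(Exception):
    """Raised by an action that cannot be applied to the current state."""


def transfer(sender, recipient, amount):
    """Build an action that moves `amount` from sender to recipient."""
    def action(balances):
        if amount <= 0:
            raise ActionFailed("amount must be positive")
        if balances.get(sender, 0) < amount:
            raise ActionFailed(f"{sender} has insufficient balance")
        balances[sender] -= amount
        balances[recipient] = balances.get(recipient, 0) + amount
    return action


def require_balance_at_least(account, minimum):
    """Build a guard action (hypothetical defender-side check)."""
    def action(balances):
        if balances.get(account, 0) < minimum:
            raise ActionFailed(f"{account} would fall below {minimum}")
    return action


def execute_atomically(balances, actions):
    """Apply every action or none. Returns (state, error_or_None)."""
    working = deepcopy(balances)  # actions only ever touch a scratch copy
    for index, action in enumerate(actions):
        try:
            action(working)
        except ActionFailed as exc:
            # One failing action rejects the whole transaction: the
            # caller gets the original state back, untouched.
            return balances, f"action {index} failed: {exc}"
    return working, None


# Constructed sample state, for illustration only.
LEDGER = {"alice": 100, "bob": 20, "pool": 500}

if __name__ == "__main__":
    accepted = [transfer("alice", "pool", 50), transfer("pool", "bob", 30)]
    rejected = [transfer("pool", "bob", 450),
                require_balance_at_least("pool", 100)]
    print(execute_atomically(LEDGER, accepted))
    print(execute_atomically(LEDGER, rejected))
```

In the rejected case the first transfer is valid on its own, but the guard that follows it fails, so neither action takes effect.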
That said, when it comes to Web3 platforms, attackers must still undertake multiple action stages — including funding, preparation, exploitation, and finally, laundering the illicitly-acquired funds. But each one of these steps allows security providers to monitor, prevent and mitigate potential attacks.
Another key similarity between Web2 and Web3 is the element of socially engineered attacks. Since the digital infrastructure underlying Web3 still lags behind its centralized counterpart, better solutions are required to make social engineering attacks more difficult within Web3.
When discussing Web2 technologies, the issue of ‘attacker/defender imbalance’ is always significant since an attacker only needs to be right once, while security defenders need to be correct all the time. However, with the distributed setup of Web3 systems, the tables are turned: while an attacker only needs to be right once, only one of the many thousands of defenders has to be correct at least once.
Additionally, data contained in blockchains are available to all network participants — contrary to how Web2 systems work since only selected pieces of information are made public, especially from a security standpoint. Thanks to the distributed nature of Web3, the potential to foster innovation by the broader security research community (via the utilization of diverse approaches) is much greater.
Another clear difference is that when it comes to Web3, it is easier to assess losses because all of an attacker’s transactions are available on a public ledger. As a result, it is possible to devise superior risk quantification models capable of providing robust cyber insurance and protocol risk mitigation strategies.
Lastly, attacks in the Web3 realm have some sort of finality to them, thanks to the immutable nature of the blockchain. However, when it comes to Web2, things are much grayer since stolen details (such as personal credentials) can result in continued unchecked losses. Thus, in Web3, this will likely lead to new mitigation strategies and give rise to cyber insurance adoption in the near- to mid-term.
What lies ahead for the Web3 ecosystem?
As is probably evident by now, the Web3 technological paradigm stands to completely revolutionize how people worldwide operate on a day-to-day basis; however, at the same time, it also faces several challenges. That being said, in recent years, a growing number of skilled developers have entered this rapidly-evolving niche, helping to innovate and solve many of the pressing security challenges facing Web3 users today.
Christian Seifert is a security researcher in the Force community who previously spent 14 years working in web security at Microsoft.