Security in Web3: Building a Secure Ecosystem.

Flux Official
5 min read | Aug 26, 2022


Web3 is a conceptual evolution of the internet that lets users take ownership of their data instead of leaving it under Big Tech's control. Although web3 addresses some of the data-ownership and privacy concerns of the web2 internet, it also introduces a new set of challenges. With large sums of value controlled by open-source code, and attacks growing in number and size, a different approach to security in web3 is urgently needed.

In just the first half of 2022, over $2 billion was lost in the web3 space to security incidents of every kind, from flash loan attacks and contract exploits to socially engineered phishing attacks.

Sadly, there is likely more to come.

CertiK, a blockchain security firm, estimates that financial losses in the web3 space will be up to 214% higher by the end of the year than they were in 2021, driven by the rapidly increasing number of attacks on web3 projects and applications. To build a safe and thriving web3 ecosystem, more attention has to be paid to protecting the protocols, applications, and infrastructure that make up web3 from malicious actors.

Let's look at some of the security issues that continue to plague web3.

Web3 Security Challenges:

Unauthorized access to sensitive information:

To create a personalized, semantic web in which information retrieval is tailored to each user's needs, data including personal information and browsing history has to be harvested and processed automatically, often by AI. Every such data store is a new target, and a new class of threat is unlocked.

Authorization vulnerabilities, parameter manipulation, and message replay attacks are only some of the issues that arise from a weak security blueprint. Any of them can result in data manipulation or theft when encryption or authentication is done poorly.

In web2, companies monetized user data as aggressively as they could, which also gave them a strong incentive to invest in anti-spam and anti-abuse controls and, with them, in robust user authentication. Because privacy and pseudonymity are core ideals of web3, many developers settle for weak authentication checks, which unfortunately makes intrusions and account takeovers easier for attackers.

Flash Loan Attacks:

Decentralized finance is an essential component of web3, a welcome alternative to the complicated route of traditional finance. But as with every money spinner, DeFi platforms have become a hotbed for attacks. The attacker's favourite tool?

Flash loans.

A flash loan is an uncollateralized loan that is borrowed and repaid within a single transaction. The borrower takes the loan, uses it in that same transaction, and returns the principal plus a fee while keeping any profit. The lending contract enforces this atomically: if the principal and fee are not back in the pool by the end of the transaction, the whole transaction reverts as if it had never happened. Unfortunately, attackers routinely use these loans as a free source of capital.

The attacker borrows a very large sum, uses it within the same transaction to manipulate something the target protocol trusts (a price oracle, a collateral valuation, or a governance vote), extracts value from the target, and then repays the loan. The loan itself is repaid in full; the loss falls on the protocol whose logic was manipulated while the attacker briefly held the borrowed funds.

In 2022, over $308 million has already been lost to flash loan attacks, including roughly $182 million taken from Beanstalk Farms in a single attack, where flash-loaned tokens gave the attacker enough voting power to pass a malicious governance proposal.
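The mechanism above, as an added example (not Flux's code and not Beanstalk's contracts): a toy model with plain-integer balances in which a flash loan is only valid if repaid before the transaction ends, and a governance contract that either counts a voter's current balance (vulnerable) or the balance snapshotted when the proposal was created (fixed). All names (Chain, Governance, "lender", "treasury", "attacker") and all amounts are constructed for illustration.

```python
"""Toy model of a flash-loan governance attack and its snapshot-voting fix.

Added example, not Flux's code and not Beanstalk's contracts. Names and
numbers are constructed; balances are plain integers instead of ERC-20 calls.
"""
from copy import deepcopy


class Revert(Exception):
    """Mimics an EVM revert: the whole transaction is rolled back."""


class Chain:
    """All token balances live here so a failed transaction can be undone."""

    def __init__(self, lender_liquidity, treasury, attacker_balance):
        self.balances = {"lender": lender_liquidity,
                         "treasury": treasury,
                         "attacker": attacker_balance}
        self.total_supply = sum(self.balances.values())

    def run_tx(self, fn):
        """Run fn atomically: on Revert, restore the pre-transaction balances."""
        saved = deepcopy(self.balances)
        try:
            return fn()
        except Revert:
            self.balances = saved
            return None

    def flash_loan(self, borrower, amount, fee, callback):
        """Lend `amount` for the duration of callback(); revert unless the
        principal plus fee is back in the pool when callback() returns."""
        if amount > self.balances["lender"]:
            raise Revert("insufficient liquidity")
        self.balances["lender"] -= amount
        self.balances[borrower] += amount
        callback()
        owed = amount + fee
        if self.balances[borrower] < owed:
            raise Revert("flash loan not repaid")
        self.balances[borrower] -= owed
        self.balances["lender"] += owed


class Governance:
    """A proposal executes once its votes reach two thirds of total supply.

    snapshot_voting=False weighs a vote by the voter's *current* balance, so
    tokens held for a single transaction still count. snapshot_voting=True
    weighs it by the balance recorded when the proposal was created, which a
    later flash loan cannot change.
    """

    def __init__(self, chain, snapshot_voting):
        self.chain = chain
        self.snapshot_voting = snapshot_voting
        self.quorum = chain.total_supply * 2 // 3
        self.proposals = {}

    def propose(self, pid, payload):
        self.proposals[pid] = {"payload": payload, "votes": 0, "voted": set(),
                               "snapshot": dict(self.chain.balances)}

    def vote(self, pid, voter):
        p = self.proposals[pid]
        if voter in p["voted"]:
            raise Revert("already voted")
        weight = (p["snapshot"][voter] if self.snapshot_voting
                  else self.chain.balances[voter])
        p["votes"] += weight
        p["voted"].add(voter)

    def execute(self, pid):
        p = self.proposals[pid]
        if p["votes"] < self.quorum:
            raise Revert("quorum not reached")
        p["payload"]()


def run_attack(snapshot_voting):
    """Return (attacker balance, treasury balance) after the attack transaction."""
    chain = Chain(lender_liquidity=700_000, treasury=200_000, attacker_balance=1_000)
    gov = Governance(chain, snapshot_voting)

    def drain_treasury():  # the malicious proposal's payload
        chain.balances["attacker"] += chain.balances["treasury"]
        chain.balances["treasury"] = 0

    # The proposal is created in an earlier block, while the attacker holds little.
    gov.propose("drain", drain_treasury)

    def during_loan():  # runs while the attacker holds the borrowed 700,000
        gov.vote("drain", "attacker")
        gov.execute("drain")

    chain.run_tx(lambda: chain.flash_loan("attacker", 700_000, 700, during_loan))
    return chain.balances["attacker"], chain.balances["treasury"]


def unrepaid_loan_is_rolled_back():
    """Simply keeping the borrowed funds is impossible: the lender's check reverts."""
    chain = Chain(lender_liquidity=700_000, treasury=0, attacker_balance=1_000)

    def keep_the_money():
        chain.balances["attacker"] -= 400_000  # "spend" part of it elsewhere

    chain.run_tx(lambda: chain.flash_loan("attacker", 700_000, 700, keep_the_money))
    return chain.balances["lender"], chain.balances["attacker"]


if __name__ == "__main__":
    print("current-balance voting:", run_attack(snapshot_voting=False))  # (200300, 0)
    print("snapshot voting:", run_attack(snapshot_voting=True))          # (1000, 200000)
    print("unrepaid loan:", unrepaid_loan_is_rolled_back())              # (700000, 1000)
```

With current-balance voting the attacker walks away with the treasury minus the 700-token fee, and the lender is made whole, exactly as the text describes. With snapshot voting the vote carries the attacker's pre-loan weight of 1,000, the execution reverts, and the revert unwinds the loan as well. Real protocols add a timelock between a proposal passing and executing for the same reason: it forces the voting power to be real across blocks, not borrowed for one.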

Social phishing:

Phishing existed well before web3 and remains a very real threat to projects, applications, and individuals in the web3 ecosystem. In April 2022, the official Instagram account of the Bored Ape Yacht Club was taken over by attackers, who posted a phishing link; NFTs worth an estimated $3 million were stolen from users who connected their wallets to it.

Many phishing attacks also happen on social media, especially on chat platforms such as Discord and Telegram, with the attacker posing as a legitimate team member or baiting members with supposed giveaways or rewards. There have also been phishing attempts through Twitter, although the impact there has been milder, partly because of Twitter's account verification.

In addition, because web3 software is open source, attackers can read the anti-spam and anti-phishing logic directly and craft messages that evade it. Personalization of web content will also make it harder to tell legitimate conversations from spam, since an attacker holding accurate personal information can pass as genuine. Social engineering is also used as the entry point for much larger attacks: the Ronin bridge hack began with attackers compromising validator keys, which gave them control of five of the nine validators and let them sign fraudulent withdrawals.

Code vulnerabilities:

The open-source approach has contributed significantly to innovation in the web3 space. Still, it also means anybody can read the source code of a project and exploit any vulnerability they find. For example, in February 2022, attackers exploited a signature-verification bypass in the Wormhole bridge and minted about 120,000 wrapped ether that was never backed by real deposits. Nomad bridge, another cross-chain service, lost around $190 million in August 2022 when attackers took advantage of an initialization mistake made by a developer: the contract was deployed with an unset (zero) value marked as a trusted root, so unproven messages passed the root check. Code vulnerabilities are among the most dangerous threats to the web3 ecosystem.
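The initialization-mistake class of bug, as an added example (not Flux's code and not Nomad's contracts): a deliberately simplified receiving-side bridge. Per message hash it stores the Merkle root the message was proven under; a message that was never proven has no entry, and in a Solidity mapping an absent entry reads as zero. If deployment also marks the all-zero root as trusted, every unproven message passes the root check. The "Merkle root" here is just a hash over sorted leaf hashes (a constructed stand-in for a real tree), and the class, messages, and amounts are invented.

```python
"""Toy model of the bridge 'initialization mistake' class of bug and its fix.

Added example, not Flux's code and not Nomad's contracts. batch_root() is a
constructed stand-in for a Merkle root; messages and names are invented.
"""
import hashlib

ZERO_ROOT = b"\x00" * 32


def h(data):
    return hashlib.sha256(data).digest()


def batch_root(leaves):
    """Stand-in for a Merkle root: hash of the sorted leaf hashes."""
    return h(b"".join(sorted(h(m) for m in leaves)))


class Replica:
    def __init__(self, committed_root, reject_zero_root):
        # Deployment-time initialization: the committed root is trusted from block 1.
        self.confirm_at = {committed_root: 1}
        self.messages = {}           # message hash -> root it was proven under
        self.processed = set()
        self.reject_zero_root = reject_zero_root
        self.released = []           # side effect of a processed message

    def acceptable_root(self, root, now=100):
        if self.reject_zero_root and root == ZERO_ROOT:
            return False             # fix: the unset/default value is never a root
        t = self.confirm_at.get(root, 0)
        return t != 0 and now >= t

    def prove(self, message, leaves):
        """Relayer shows `message` belongs to a batch whose root is confirmed."""
        root = batch_root(leaves)
        if message not in leaves or not self.acceptable_root(root):
            return False
        self.messages[h(message)] = root
        return True

    def process(self, message):
        """Deliver the message if the root it was proven under is acceptable."""
        mh = h(message)
        if mh in self.processed:
            return False
        # Solidity semantics: a missing mapping entry reads as zero.
        root = self.messages.get(mh, ZERO_ROOT)
        if not self.acceptable_root(root):
            return False
        self.processed.add(mh)
        self.released.append(message)
        return True


LEGIT = [b"release 10 WETH to alice", b"release 5 WETH to bob"]   # constructed
FORGED = b"release 120000 WETH to attacker"                         # never proven


def vulnerable_bridge():
    """Committed root initialized to 0x00, zero not rejected: the forged message goes through."""
    r = Replica(committed_root=ZERO_ROOT, reject_zero_root=False)
    return r.process(FORGED)


def root_only_fix():
    """Deploying with a real root is enough to stop this forgery..."""
    r = Replica(committed_root=batch_root(LEGIT), reject_zero_root=False)
    return r.process(FORGED)


def fixed_bridge():
    """...but also rejecting the zero sentinel makes the check safe regardless of
    how the contract is initialized; proven messages still pass."""
    r = Replica(committed_root=batch_root(LEGIT), reject_zero_root=True)
    forged_ok = r.process(FORGED)
    proven = r.prove(LEGIT[0], LEGIT)
    legit_ok = r.process(LEGIT[0])
    return forged_ok, proven, legit_ok


if __name__ == "__main__":
    print("vulnerable:", vulnerable_bridge())   # True  (attacker's message delivered)
    print("root-only fix:", root_only_fix())    # False
    print("fixed:", fixed_bridge())             # (False, True, True)
```

The general lesson is broader than bridges: wherever a mapping's default value can also be a legitimate state, the code must distinguish "never set" from "set to zero" explicitly, and deployment scripts must be reviewed with the same care as the contract logic, since the vulnerable and fixed contracts above differ only in a constructor argument.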

The way out?

To raise security levels across the web3 ecosystem, developers and other players must pay attention to implementing, among other measures:

Security by design architecture:

Incorporating security as a founding principle in the architectural design of systems on web3 ensures potential security risks are identified and addressed before attackers can find loopholes. Web3's approach to security must be proactive rather than reactive.

Security Audits

A security audit identifies security risks in a system, application, or network. Independent audits by external firms can surface risks, patterns, and flaws that in-house testers have missed or overlooked. Routine audits are also necessary to track the security health of web3 products and infrastructure over time.

Web3 Security Education:

Perhaps one of the best ways to combat social engineering attacks such as phishing is to educate more users on how to keep their credentials and private keys away from attackers. This is not limited to users: developers at web3 companies are frequently the target of phishing attacks, so they must be up to speed on measures that prevent their devices, accounts, and infrastructure from being hijacked.

All players in the web3 ecosystem must be adequately educated on how to keep their information and funds safe. From enabling two-factor authentication to installing security updates and understanding the difference between custodial services and self-custody, all hands must be on deck to ensure web3 is safe.

Flux is committed to building a secure web3 ecosystem where the data and integrity of decentralized applications are guaranteed.

Join us: www.runonflux.io
