The decentralization of the internet as we know it today. is a rapidly expanding tech movement. Early adopters, founders, evangelists. and advocates for web3 are united around the idea of decentralization and greater control for end-users over the internet. They also reject the centralized control of big tech. However, for web3 platforms to achieve mainstream and sustainable adoption, it is essential to incorporate a proactive approach to blockchain security.
In the recent past, owing largely to the sudden disclosure of fantastically proportioned security violations and newsworthy crypto-wallet hacks, there have been growing concerns about the security of cryptocurrencies and all blockchain-based applications in general. This is especially true for the DeFi space. Many recent attacks in the web3 ecosystem have proven to be far more damaging than that incurred by traditional (web2-based) consumer applications. These events are usually irreversible, and the damage from them may cascade across the network due to smart contract exploits.
According to the blockchain analysis firm ChainAnalysis, 2022 was the biggest year of crypto attacks, in terms of both frequency and magnitude. They said Oct ‘22 was the “Biggest month ever”.
The hacks mentioned in their publicly available data feeds add up to an outrageous $2.07 Billion, and yet, these represent only a mere fraction of the total crypto attacks witnessed in 2023.
From artificial withdrawal proofs, to hacked private keys and exploitation of security bugs during infrastructure upgrades, the blockchain industry has been subjected to almost every perceivable form of cyber distress.
Needless to say - if you're an early-stage web3 founder today, following the following seven tenets of impenetrable web3 security will not only help you stay (a) solvent and (b) ahead of the curve in terms of secure technical infrastructure; You will also be able to (c) build a reliable and trustworthy brand around your decentralized product or service. In the long run, this will help you gain the confidence of every wave of users that you add, as your community grows larger at scale.
Security-by-design principles should be incorporated into your Web3 system's designs, products, and infrastructure. These principles are as essential for web3 systems as for any other system.
Minimizing attack surface areas, zero-trust frameworks, and secure defaults should be the primary concerns for developers. Design principles should inform technology choices - more so when launching an innovative solution.
A recent cross-chain crypto bridge attack on Wormhole (with wETH tokens worth $326Mn minted by the hackers) was facilitated almost entirely due to oversight on the potential vulnerabilities of the experimental infrastructure that goes into bridging. In fact, Chainalysis has reported that 69% of all stolen crypto funds in 2022 came from hacking protocols that bridge different blockchains together.
When choosing the primary blockchain infrastructure to use for your web3 system, you must give serious thought to the type of layer-1 network you’re signing up for. There are two types of blockchain networks - public and private. Public blockchain networks, such as Ethereum, Polygon, or Solana, are open to anyone. Users can enjoy different degrees of anonymity depending on the application. Private, or permissioned, blockchain networks, require users to confirm not just their identity, but also membership and access privileges.
Private, or Public? Open, or Encrypted? Choose your pill wisely before you swallow it whole.
Figure out if your product needs a specialized, private infrastructure to support its security needs.
If you’re not convinced, check out what OpenZeppelin had to say about the discovery of a potential $350Mn risk in Avalanche, via a clever exploit of seemingly “innocent” behavior during the precompile period, allowing native assets to be transferred, alongside an optional call to the receiver.
Keep in mind that different blockchains have varying degrees of complexity. It is therefore essential to understand them in-depth before making a choice. It is also essential to understand hybrid infrastructures such as sidechains, multi-chains, cross-chains, federations, oracles, and other distributed ledger components. These components affect speed, efficiency, and resilience, in addition to your primary security concerns.
A web3 product of scale is almost always impacted by legal, cultural, and economic dynamics that product designers must consider.
For instance: When it comes to identity, certain configurations or integrations are likely to conflict with existing compliance regimes such as locally applicable Know Your Customer (KYC) or GDPR policies. Different jurisdictions have varying regulations on crypto technologies.The progressive outflow of regulatory information across various legal territories, is contributing to a very diverse playbook for web3 founders today. No two countries have the exact same policies on crypto. Additionally, social engineering can certainly pose a security risk.
Twitter feeds, Telegram channels, and Discord communities can easily be manipulated to misconstrue or overhype the benefits of digital assets, which will eventually get you into murky waters with the federal reserve, the SEC, or worse - your own local government. Bad actors may also be incentivized by the encoded financialization of crypto platforms.
The mystery attacks on FTX immediately after they filed for bankruptcy on November 12 last year,, allegedly wiped out a further $446 Million in tokens amidst all the fear and loathing. Due to the availability of fast laundering tactics, most of this money was never traced or recovered, and contributed to the compounded effect on market sentiments.
If you’re building an exchange today, think about the data (that even though you’re not storing, is still being provided by your users). Think about the impact this has on the dynamics that govern your platform and your token. Apply appropriate safeguards in place to ensure that your exposure to such socially engineered risk is minimized.
Collaboration with industry peers can increase your understanding of security vulnerabilities and mitigate emerging threats. Besides, when you pool your resources with peers, you’re much more likely to beat the odds stacked against your “category”, together.
Scour the internet for vulnerabilities that your founder-peers have already reported. Traditional resources (for instance) open source platforms such as GitHub, or the more recently released Cryptocurrency Incident Database by OODA Loop, can help.
The latter was built after OODA Loop registered a significantly high number of cybersecurity incidents (attacks) among web3 projects. This repository is updated in real time, and helps security researchers and engineers see common cyber attack categories and root causes.
As an ethical builder, you should also publish security guidance for developers on your own communication channels, for the benefit of the community. Other avenues for known vulnerability and attach-research, include Reddit, Discord, and Twitter.
A team of ethical hackers felt “noble” enough to report a potential $1 Billion vulnerability that even the best eyes at Multichain had managed to miss out on. Turns out, due to low-level EVM semantics, the Ethereum ABI standard, and the way the Solidity compiler works, wETH (and some other ERC20 tokens) have a permissive fallback function will allow arbitrary function calls to succeed. But it was an amazing stroke of luck that the bug was reported externally, instead of being exploited against the fortunes of the firm in concern.
If you’re building a scalable DeFi organization today, it is important that you model, analyze, and mitigate your risks before and throughout the development life cycle. Developers and security professionals must ask these questions (and potentially more) well in advance, to ensure that the development process runs without hiccups.
Here are some good questions to ask your CTO when evaluating a security vulnerability and its impact on your product:
Which areas of (our) code have the potential for highest impact?
How can (our) incident response protocols be affected?
How will (our) users and testers report vulnerabilities?
How will (our) users be supported to elevate risks?
How will user permissions be managed?
What kind of interoperability across wallets, chains, etc., should be accounted for?
To safeguard your blockchain network, it is important to assess the risks associated with data manipulation and information quality. This assessment should inform decisions about what information should be stored on-chain versus off-chain, and what information is needed to validate transactions or establish ownership.
TechCrunch reports that in the second quarter of 2022, the crypto space witnessed 290 recorded phishing attacks, up 170% from 106 attacks in the first quarter of the same year. The major attacks that were taken in consideration for this analysis, contributed to crypto losses of $100,000 or more, each!
As a security-first product designer, you can prevent common threats like phishing, by implementing security measures across the system's architecture and user experience workflows. For example, users should be encouraged to install malware detection software in their browsers, employ multi-factor authentication, and avoid open Wi-Fi networks. Regular reminders to update systems should also be sent.
In addition, unique risks associated with blockchain architectures, like 51% or Sybil attacks, should be avoided by using alternative consensus algorithms and monitoring mining pools. User onboarding and experience design should also prioritize security measures, given the novel user responsibilities associated with blockchain keys and wallets. Communication about security should be clear and ongoing to ensure user awareness and preparedness.
Finally, one of the most important steps in building secure technical infrastructure for Web3 is to prioritize continuous education and improvement. As the Web3 space continues to evolve and grow, new security threats will emerge, and builders and organizations must be prepared to adapt and evolve to meet these challenges.
This means staying up-to-date with the latest security best practices and trends, as well as investing in ongoing education and training for development teams and security professionals. Do you know what this means?
If you’ve already reached this point in the article, you’re like WAAAAY ahead of the game!
Puns aside, as you scale up as an organization, you should also make a commitment to imbibe continuous improvement into your development culture, regularly reviewing and updating your security protocols and procedures to stay ahead of emerging threats.
Planning and deploying secure technical infrastructure for web3 is critical for the eventual success and growth of the decentralized internet. By following the seven god-mode principles discussed above, early-stage founders can ensure that their products and services are secure, resilient, and trustworthy, gaining the trust of early adopters and establishing a solid foundation for long-term growth and success.
Global decentralization itself is still in its early stages, and there is much work to be done to realize the full potential of this exciting converging point of technologies. However, by prioritizing security-first thinking, builders and collaborative decentralized organizations can help ensure that this face of the internet develops in a safe and sustainable way, benefiting users and the broader ecosystem at the same time.
So if you’re someone who has the right team in place to build the right decentralized technology (and the right time is of course now), it’s time you took a proactive approach to security. From the ground up, incorporate security-by-design principles, embrace and evaluate different blockchain designs, become aware of relevant market and trust dynamics, collaborate with peers and industry leaders on security resources and intelligence, bring web3 projects into the umbrella of security governance, apply attack prevention techniques, and prioritize the continuous education and improvement of your users.
#WAGMI