This week at Tapx Talks we were discussing web3 security. We’ve touched on this topic in a previous episode of Tapx Talks, but it’s so important to learn about how web3 can become more secure that talking about it again was definitely worth it. 

If you missed our first episode, make sure you’ve checked it out here. We discussed the following questions: 

  • What makes security in web3 so important?
  • How do web3 projects tackle the security issues in B2B and B2C segments?
  • Will web3 be more secure in the near future?

In part 2 of this discussion we covered the most common types of web3 hacks and how to avoid them, what a security-by-design approach is and why it matters, and how to find a balance between security, usability, and education in web3.

So let’s kick off with a short introduction of our panelists. 

Guardians of the Blockchain 

Guardians of the Blockchain (GBC.AI) creates AI-powered tools to enhance and protect blockchains. GBC.AI wants blockchains to become safe and secure, and is building tools that detect issues and deal with threats proactively, before they become problems.

Code4rena 

Code4rena is a web3 security auditing community. It organises security audit contests that differ from traditional audits and bug bounties. The Code4rena audit model offers wider coverage to protocols and, at the same time, guaranteed payouts to participants, with an average of 35+ auditors taking part in each contest.

An important aspect of Code4rena's model is the ability to start an audit within 48 hours, a timeline that is unheard of elsewhere in the auditing space.

Hacken

Hacken is a leading cybersecurity consulting company, delivering cybersecurity services to businesses of any scale and to end customers around the world.

Hacken does penetration testing of web and mobile applications and protocols, and runs bug bounty programs.

Interlock 

At Interlock, they are building community-driven security products to protect DeFi users. Interlock helps protect DeFi by building products and by rewarding people with its tokens for sharing threat reports, which in turn helps Interlock improve security overall.

Know Your Crook

KYC Alliance is educating readers on how to identify and avoid crypto scams, phishing schemes, and other financial crimes.

Make sure you go to the KYC blog on Mirror to learn more about NFT scams, Ponzi schemes, and the anatomy of scams.

Coreto

Coreto is a reputation-based research platform developing and implementing the Decentralized Reputation System (DRS). Their goal is to create a safe environment for sharing and verifying information, helping everyone make better-informed decisions, and learning about the crypto market and technologies.


We opened our conversation by unpacking some basics of web3 technology and asked our speakers what a smart contract is, in simple terms. We believe it's important to avoid overcomplicated explanations: the simpler the explanation, the better people understand security and its role in web3.

What is a smart contract?

Rick of Interlock explained a smart contract as a piece of code that executes when certain conditions are met. It’s the execution of something on a blockchain network.  

Desmond from Code4rena offered the analogy that a smart contract is like a vending machine. It's designed in such a way that you put in, for example, $1 and you get a can of coke. It's then up to the machine vendor to decide what he wants to spend it on. In this case the vendor is a programmer and the vending machine is a smart contract.

But smart contracts are not perfect. There are different things that could be written in a smart contract that would allow somebody to steal your coins.

Imagine that you put your coin into the vending machine, press V6 to get a coke, and nothing comes out. It was programmed to take money in but never give anything out. Projects that are coded like that are called honeypots, explains Chris of KYC. You can buy the tokens from them, but it's written into the contract that nobody except the owner can sell them.

Another thing that can be written into the contract concerns permissions: when you connect your wallet to the contract, it asks you for certain permissions. Usually these include viewing your wallet contents and suggesting transactions. But there are contracts that ask you for absolutely all permissions. That means you allow them to transfer everything out of your wallet without any further approval. That happens pretty often in the NFT space now.

So smart contracts are just a piece of code, a program, but users need to be careful about what it’s programmed to do and what the owner of that smart contract has control over. 
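To make the two behaviours above concrete, here is an added example (not code from the original page or from any panelist's project): a minimal in-memory model of ERC-20 token accounting. The honeypot variant lets anyone buy from the liquidity pool but blocks every transfer whose sender is not the owner or the pool, so buyers can never sell; the approval demo shows why a single "unlimited" approve lets a spender drain the wallet in later calls with no further consent. All addresses, balances and the pool name are constructed for the example.

```python
# Added example, not from the original page: a toy ERC-20 ledger used to show
# (1) a honeypot token that only the owner/pool can move out of, and
# (2) how an unlimited allowance lets a spender drain a wallet later.

MAX_UINT256 = 2**256 - 1  # what an "unlimited" approval means on Ethereum


class TransferBlocked(Exception):
    """Stands in for a reverted transaction."""


class Token:
    def __init__(self, owner: str, supply: int, honeypot: bool = False,
                 pool: str = "0xdex_pool"):          # constructed pool address
        self.owner = owner
        self.pool = pool
        self.honeypot = honeypot                     # honeypot: only owner/pool may send
        self.balances = {owner: supply}
        self.allowances = {}                         # (holder, spender) -> allowance left

    def balance_of(self, who: str) -> int:
        return self.balances.get(who, 0)

    def _move(self, src: str, dst: str, amount: int) -> None:
        if self.honeypot and src not in (self.owner, self.pool):
            # Buys (pool -> buyer) pass; sells (buyer -> pool) and any other
            # transfer out of a buyer's wallet revert. The machine keeps the coin.
            raise TransferBlocked("transfer restricted to owner and pool")
        if self.balance_of(src) < amount:
            raise TransferBlocked("insufficient balance")
        self.balances[src] -= amount
        self.balances[dst] = self.balance_of(dst) + amount

    def transfer(self, sender: str, dst: str, amount: int) -> None:
        self._move(sender, dst, amount)

    def approve(self, holder: str, spender: str, amount: int) -> None:
        self.allowances[(holder, spender)] = amount

    def allowance(self, holder: str, spender: str) -> int:
        return self.allowances.get((holder, spender), 0)

    def transfer_from(self, spender: str, holder: str, dst: str, amount: int) -> None:
        """The spender moves the holder's tokens; the holder is not asked again."""
        allowed = self.allowance(holder, spender)
        if allowed < amount:
            raise TransferBlocked("allowance exceeded")
        self._move(holder, dst, amount)
        if allowed != MAX_UINT256:                  # unlimited allowance never shrinks
            self.allowances[(holder, spender)] = allowed - amount


def honeypot_demo() -> tuple[int, bool]:
    """Buyer can acquire tokens from the pool but cannot sell them back."""
    t = Token(owner="0xowner", supply=1_000_000, honeypot=True)
    t.transfer("0xowner", "0xdex_pool", 10_000)   # owner seeds liquidity
    t.transfer("0xdex_pool", "0xbuyer", 100)      # the "buy" works
    try:
        t.transfer("0xbuyer", "0xdex_pool", 100)  # the "sell" reverts
        sold = True
    except TransferBlocked:
        sold = False
    return t.balance_of("0xbuyer"), sold          # (100, False)


def unlimited_approval_demo() -> tuple[int, int, int]:
    """One unlimited approve() lets the spender drain the wallet across later calls."""
    t = Token(owner="0xowner", supply=1_000_000)
    t.transfer("0xowner", "0xvictim", 500)
    t.approve("0xvictim", "0xdapp", MAX_UINT256)          # the "all permissions" prompt
    t.transfer_from("0xdapp", "0xvictim", "0xattacker", 200)
    t.transfer_from("0xdapp", "0xvictim", "0xattacker", 300)  # still allowed, no new prompt
    left_before_revoke = t.allowance("0xvictim", "0xdapp")
    t.approve("0xvictim", "0xdapp", 0)                    # the remedy: revoke
    return t.balance_of("0xvictim"), left_before_revoke, t.allowance("0xvictim", "0xdapp")
```

The practical check this illustrates: an allowance, once granted, persists until the holder sets it back to zero, so reviewing and revoking old unlimited allowances is as much part of wallet hygiene as reading the prompt before signing.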

How do you make sure that the smart contract is secure and works as it should? Companies can request a smart contract audit from businesses like Hacken and Code4rena. They check the contract and make sure it is secure and ready to be deployed.

That's the perfect-world scenario. In many cases, though, web3 companies still skip the smart contract audit. According to Footprint, only 52% of the attacked projects had been audited.

Besides that, many companies that actually audited their contracts end up deploying different code, which is a big problem that happens quite often, says Yev of Hacken.
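One check that catches the "audited code is not the deployed code" problem is to compare the runtime bytecode actually on chain with the bytecode built from the audited commit. Solidity appends a CBOR-encoded metadata blob (source hash, compiler version) to the runtime code, followed by a two-byte big-endian length of that blob, and two builds of identical source can differ only in that trailer, so the comparison strips it first. The example below is added here and is not from the page or from Hacken; both bytecode strings are constructed for the example, not real contracts.

```python
# Added example, not from the original page: compare deployed runtime bytecode
# against the audited build, ignoring only the Solidity metadata trailer.

def strip_metadata(runtime: bytes) -> bytes:
    """Remove the trailing CBOR metadata and its 2-byte length, if present."""
    if len(runtime) < 2:
        return runtime
    meta_len = int.from_bytes(runtime[-2:], "big")
    if meta_len + 2 > len(runtime):
        return runtime                       # no plausible trailer; compare as-is
    return runtime[: -(meta_len + 2)]


def same_code(audited_hex: str, deployed_hex: str) -> bool:
    """True when the opcodes match after the metadata trailer is removed."""
    audited = strip_metadata(bytes.fromhex(audited_hex.removeprefix("0x")))
    deployed = strip_metadata(bytes.fromhex(deployed_hex.removeprefix("0x")))
    return audited == deployed


# --- constructed sample data -------------------------------------------------
def _metadata(ipfs_hash: bytes) -> bytes:
    """Build a trailer shaped like solc's: {"ipfs": <34 bytes>, "solc": 0.8.6} + length."""
    assert len(ipfs_hash) == 34
    blob = (bytes.fromhex("a264697066735822") + ipfs_hash          # a2, "ipfs", bytes(34)
            + bytes.fromhex("64736f6c6343000806"))                  # "solc", bytes(3) 0.8.6
    return blob + len(blob).to_bytes(2, "big")                     # 51 bytes -> 0x0033


OPCODES = bytes.fromhex("608060405234801561001057600080fd5b50")   # constructed prologue
AUDITED = (OPCODES + _metadata(bytes([0x12, 0x20]) + b"\x11" * 32)).hex()
REBUILT = (OPCODES + _metadata(bytes([0x12, 0x20]) + b"\x22" * 32)).hex()   # same code, new hash
TAMPERED = (OPCODES[:-1] + b"\xff" + _metadata(bytes([0x12, 0x20]) + b"\x11" * 32)).hex()
```

Here same_code(AUDITED, REBUILT) is True while same_code(AUDITED, TAMPERED) is False. This only proves that the opcodes match; the full check is to rebuild the audited commit with the same compiler version and settings, and, for proxy contracts, to confirm who can swap the implementation after the audit.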

One of the most vulnerable elements of the web3 ecosystem is the blockchain bridge. Bridge breaches happen almost every month, the Ronin hack being one of the best known, with about $650M stolen. So we asked our speakers to explain what blockchain bridges are and why they are so vulnerable.

What are blockchain bridges and how do they work?

Blockchains can't interoperate natively: you can't do a transaction on the Ethereum blockchain using Bitcoin. Blockchain bridges solve this and are the missing link in the crypto economy. They are applications that allow users to move their tokens from one blockchain to another.

Bridge services "wrap" cryptocurrency to represent one chain's coin on another chain. So if you bring a currency such as Ethereum (ETH) to a bridge, it locks the ETH on the source chain and issues a wrapped version (for example WETH) on the destination chain. The wrapped token is a sort of IOU that represents the locked value in a format the other chain can use.

Bridges need a reserve of cryptocurrency coins to back all those wrapped coins, and that reserve is a major target for hackers.

Hacks of blockchain bridges are typically designed to cause tokens to be released on one blockchain without a corresponding deposit on the other. Every wrapped token already in circulation is then partly unbacked, so such a hack undermines the security of the bridge and of the chains on both sides.
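To show what "release without a corresponding deposit" looks like, here is an added example that is not from the page or from any real bridge: a toy lock-and-mint bridge. Validators attest to deposits seen on the source chain, and the destination side releases wrapped tokens only when enough distinct validators have vouched for a deposit that has not been honoured before. HMAC with per-validator secrets stands in for the ECDSA signatures a real bridge would verify; validator names, keys, the threshold and the deposit are all constructed for the example.

```python
import hashlib
import hmac
import json

# Added example, not from the original page: a toy lock-and-mint bridge with a
# leaky release check beside a hardened one. HMAC stands in for signatures.

VALIDATOR_KEYS = {"val-1": b"secret-1", "val-2": b"secret-2", "val-3": b"secret-3"}
THRESHOLD = 2  # attestations from 2 of 3 distinct validators are required


def deposit_digest(deposit: dict) -> bytes:
    """Canonical hash of the deposit event the validators attest to."""
    return hashlib.sha256(json.dumps(deposit, sort_keys=True).encode()).digest()


def attest(validator: str, deposit: dict) -> tuple[str, str]:
    """A validator's attestation: (name, MAC over the deposit digest)."""
    mac = hmac.new(VALIDATOR_KEYS[validator], deposit_digest(deposit), hashlib.sha256)
    return validator, mac.hexdigest()


def _valid_signers(deposit: dict, attestations) -> set:
    digest = deposit_digest(deposit)
    signers = set()
    for validator, mac in attestations:
        key = VALIDATOR_KEYS.get(validator)
        if key is None:
            continue                                   # unknown validator: ignored
        expected = hmac.new(key, digest, hashlib.sha256).hexdigest()
        if hmac.compare_digest(mac, expected):
            signers.add(validator)   # a set: one validator signing twice counts once
    return signers


class LeakyBridge:
    """Releases on any single valid attestation and forgets what it released."""
    def __init__(self):
        self.balances = {}

    def release(self, deposit: dict, attestations) -> bool:
        if not _valid_signers(deposit, attestations):
            return False
        self.balances[deposit["to"]] = self.balances.get(deposit["to"], 0) + deposit["amount"]
        return True


class Bridge:
    """Requires THRESHOLD distinct validators and honours each deposit once."""
    def __init__(self):
        self.balances = {}
        self.released = set()   # (source chain, deposit id) pairs already paid out

    def release(self, deposit: dict, attestations) -> bool:
        key = (deposit["src_chain"], deposit["deposit_id"])
        if key in self.released:
            return False        # replay of an already-released deposit
        if len(_valid_signers(deposit, attestations)) < THRESHOLD:
            return False        # too few distinct validators vouched for it
        self.released.add(key)
        self.balances[deposit["to"]] = self.balances.get(deposit["to"], 0) + deposit["amount"]
        return True


def run_demo() -> dict:
    """Same deposit, same attestations, both bridges; returns what each accepted."""
    deposit = {"src_chain": "A", "deposit_id": 7, "to": "0xalice", "amount": 100}
    full = [attest("val-1", deposit), attest("val-2", deposit)]
    single = [attest("val-1", deposit)]
    duplicated = [attest("val-1", deposit), attest("val-1", deposit)]
    forged = [("val-9", "00" * 32)]                 # unknown validator, junk MAC

    leaky, fixed = LeakyBridge(), Bridge()
    return {
        "leaky_single_sig": leaky.release(deposit, single),        # True: one key suffices
        "leaky_replay": leaky.release(deposit, single),            # True: paid out twice
        "leaky_balance": leaky.balances["0xalice"],                # 200 for a 100 deposit
        "fixed_single_sig": fixed.release(deposit, single),        # False
        "fixed_duplicate_sig": fixed.release(deposit, duplicated), # False
        "fixed_forged": fixed.release(deposit, forged),            # False
        "fixed_quorum": fixed.release(deposit, full),              # True
        "fixed_replay": fixed.release(deposit, full),              # False
        "fixed_balance": fixed.balances["0xalice"],                # 100
    }
```

The threshold and replay checks stop a forged or repeated release, but they do not help when an attacker holds enough validator keys to meet the threshold honestly, which is what happened at Ronin. That is why key custody and operational security matter as much as the contract logic.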

However, there are cases in which the money can be returned to users, so we asked our panelists about the possible ways of recovering funds.

Chris describes two ways in which companies can return money to their users. The first is when the hackers, instead of running the stolen funds through Tornado Cash or another tumbler, send them to a centralised exchange like Binance. Binance then steps in and freezes those funds, which is possible because on a centralised exchange you don't have custody of your coins; the exchange does, and it can easily block them.

The second is when the victims of the hack work out a deal with the thieves. The hackers keep a certain amount of money but return the rest to the people. It's a sort of bug bounty: the platform says thanks for finding the security bug, we're going to work this out, here's your money for revealing the problem.

Even though some of the money stolen in a bridge hack can be recovered, keeping the bridge secure in the first place is what matters. That's why smart contract audits are a vital component of bridge security.

By identifying and remediating vulnerabilities before code is released onto the blockchain, a smart contract security audit could have prevented many of the largest cross-chain bridge hacks. Not all of them, though: the Ronin breach mentioned above came from compromised validator keys rather than a contract bug, so an audit has to be paired with operational security. That leads us to another topic of discussion, the security-by-design approach.

What is security-by-design?

Yev says that a security-first mindset is something that founders should keep in mind from the very beginning of designing their projects in web3.

This mindset is implementing the basic and most important security steps at the initial stage of designing the product before it goes live. 

It’s crucial to keep highlighting the importance of the security-first approach because right now so many projects skip that stage in a rush before the launch, says Yev. And it’s very important to make sure that this stage is done properly and the smart contract actually delivers the value and promises that are mentioned in the whitepaper and the roadmap.

A security-first mindset covers not only software development but also the operational level, because there are a lot of issues there: operational security, the communication channels, password sharing, etc. At the end of the day, all the phishing scams and social engineering are always about people.

Rick adds that security by design is a framework that you build on top of. It’s the frame of the car versus the mirrors, he says. So you start from the security and then build your product from there. 

The tools that Interlock builds are going to help people think about these things early and often, and they expand on existing tools to make them even more secure, protecting users from possible attacks and from clicking malicious links.

Security by design is important because fraud and scams will never go away. They just become ever smarter in how they target users. And it's a never-ending challenge for the security companies, because as soon as they solve one problem another one comes up.

So it's crucial for web3 security companies to work closely together toward making this space safer, because security is one of the first and foremost rights of every internet user.

In the end it all comes back to user education and, more importantly, user experience: making things simple enough for the everyday internet user to understand, so that they have a strong base going into this.

Finding a balance between security, usability, and education

In web3, user education is important because, unfortunately, there are a lot of bad players in the field, highlights Vlad of Coreto. So user security depends heavily on individuals and their willingness to take some time and learn how everything works in this space, what the possible frauds are and how to avoid them.

But it is not easy to persuade users of the importance of doing their own research. People don't have time to educate themselves; they can't spend days researching a project before investing in it or buying an NFT. Web2 didn't require any due diligence from users, and it's quite a new area for many people.

Coreto wants to help people do their own research and discover the fundamental analysis of projects. They do it by providing a reputation-based social platform that bridges the trust gap between blockchain investors, influencers, and project teams.

Vee of Code4rena says that people need to do a lot of research to be sure that a project is worth investing in, and even then they can't be 100% sure that the project is secure. In many cases web3 projects mistakenly assume that their users are tech-savvy and have experience in web3.

It is the task and the mission of the project to be as user-friendly as possible: delivering clear information, making transactions easily readable, clarifying transaction waiting times, etc.

That's something GBC.AI is aiming to do with its newest product, Wallet Guardian. It's a smart contract scanner that acts as a traffic light system, something that is clear and understandable for every person.

If the contract is a scam, the light is red; if it might be a scam, it's yellow; and green means the contract is secure and legit. It's a simple and really user-friendly interface that could help people become more confident in what they are doing and help them avoid potential hacks.

They are not stopping users from signing the transaction. Rather, they tell them that something might be wrong here, that it is a potential fraud, so take a closer look. In the end, it is up to the user whether to sign or not.
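As an illustration of the traffic-light idea applied to the approval prompts discussed earlier, here is an added example; it is a hypothetical pre-signing check written for this page, not Wallet Guardian's code or any other product's logic. It decodes the calldata of an ERC-20 approve(address,uint256) or an ERC-721/ERC-1155 setApprovalForAll(address,bool) call and grades what the user is about to grant. The two function selectors are the real ones; the colour thresholds, the spender addresses and the "known spenders" allow-list are assumptions made for the example.

```python
# Added example, not from the original page or from GBC.AI: grade a transaction's
# calldata as red / yellow / green before the user signs it.

APPROVE = "095ea7b3"               # keccak256("approve(address,uint256)")[:4]
SET_APPROVAL_FOR_ALL = "a22cb465"  # keccak256("setApprovalForAll(address,bool)")[:4]
MAX_UINT256 = 2**256 - 1

# Constructed allow-list of spenders the wallet already trusts (assumption).
KNOWN_SPENDERS = {"0x1111111111111111111111111111111111111111"}


def _word(data: str, i: int) -> str:
    """i-th 32-byte ABI word after the 4-byte selector, as hex."""
    start = 8 + 64 * i
    word = data[start:start + 64]
    if len(word) != 64:
        raise ValueError("calldata too short")
    return word


def _address(word: str) -> str:
    return "0x" + word[-40:]          # addresses are left-padded to 32 bytes


def grade_calldata(calldata: str) -> tuple[str, str]:
    """Return (colour, reason) for one transaction's calldata."""
    data = calldata.lower().removeprefix("0x")
    selector = data[:8]
    if selector == SET_APPROVAL_FOR_ALL:
        operator, flag = _address(_word(data, 0)), int(_word(data, 1), 16)
        if flag == 0:
            return "green", "revoking operator approval"
        if operator in KNOWN_SPENDERS:
            return "yellow", "hands control of every NFT in the collection to a known operator"
        return "red", "hands control of every NFT in the collection to an unknown operator"
    if selector == APPROVE:
        spender, amount = _address(_word(data, 0)), int(_word(data, 1), 16)
        if amount == 0:
            return "green", "revoking allowance"
        if amount == MAX_UINT256:
            if spender in KNOWN_SPENDERS:
                return "yellow", "unlimited allowance to a known spender"
            return "red", "unlimited allowance to an unknown spender"
        if spender in KNOWN_SPENDERS:
            return "green", "bounded allowance to a known spender"
        return "yellow", "bounded allowance to an unknown spender"
    return "yellow", "unrecognised function; inspect before signing"


# Helpers to build constructed calldata for trying the grader out.
def encode_approve(spender: str, amount: int) -> str:
    return ("0x" + APPROVE + spender.removeprefix("0x").lower().rjust(64, "0")
            + format(amount, "064x"))


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    return ("0x" + SET_APPROVAL_FOR_ALL + operator.removeprefix("0x").lower().rjust(64, "0")
            + format(int(approved), "064x"))
```

For example, an unlimited approve to an address not on the allow-list grades red, the same approve to a known spender yellow, and a bounded approve to a known spender green. The point the grader makes is the one from the discussion: the wallet does not block anything, it only surfaces what the signature would actually grant.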

In the course of the discussion we also addressed another important point:

How do we maintain accessibility in the web3 space while reducing security threats?

Vlad highlights that it is crucial for founders and builders to create their products in such a way that they are clear and familiar to web2 users, rather than making them very technical, because that will scare users away. The user journey must be clear and simple.

With that said, the security aspect shouldn't be neglected either, adds Vlad. It's important to show that the project is not just accessible and user-friendly but also secure. That includes smart contract audits and security measures such as 2FA, strong passwords and others.

Yev says that it's essential to keep a balance between security and usability, because if you make the security measures too imperative and make your users go through multiple steps, they will find a way around them.

There are different approaches to making it more seamless from the user's perspective while maintaining security, for example gamifying the security process to make it more fun.

The only way to fix security in web3 is to include people in the process, says Rick: let them contribute to security and make it better overall, instead of excluding them or blaming them for a lack of education.

Because users, especially those who are new to web3, don't know what they don't know. They are used to being protected by centralised web2 organisations. They know that the Mastercard or Visa logo is good and secure, because it has a reputation proven by many users across the globe over many years. Unfortunately, web3 companies can't offer that level of security and reputation just yet. But it will definitely come in the future.

We'll end up building similar brand awareness to what we see in web2. Every web3 company should have a trust score, with the security part of it being the most important one.

A project audit is the best and the only right way for blockchain businesses to earn such trust scores. It is still ignored by many founders, but the time will definitely come when a project must reach a certain security score in order to be called secure. At the end of the day, the price of a project's audit is much less than what might be lost in a hack, not to mention the reputational losses.

Key takeaways

Web3 is the future, but it lacks security. From January to June 2022, assets lost in the web3 space due to attacks totaled $1,912.87 million, and only a small percentage of these funds was recovered.

Here’s what can be done to ensure that web3 is secure and safe for both companies and users:

  • implement a security-by-design approach

A security-first mindset means implementing the basic and most important security steps, such as a smart contract audit, at the initial design stage of the product, before it goes live.

  • apply security strategically

Businesses must also consider data quality and manipulation risks throughout each iteration of the application development cycle. Security should be at the heart of decisions about what goes on-chain versus what stays off-chain.

  • work on solutions collectively

It’s crucial for web3 security companies to work closely together toward making this place safer because security is one of the first and foremost rights of every internet user.

  • make security audits a must

Failing to carry out security audits can lead to security incidents and losses. Hence, businesses should at least make sure that known vulnerabilities are properly fixed before attackers can exploit them.

  • educate and support users

This is the task and the mission of the project to be as user-friendly as possible - delivering clear information, making transactions easily readable, clarifying transaction waiting time, etc.
