This week in Tapx Talks we were talking about securing web3 and how blockchain technology is evolving to become more safe, reliable, and secure for users and projects in this space.
You can listen to the conversation on Twitter.
It was a great discussion and we don’t want you to miss a single piece of it, so make sure you read this recap to the end, save it to come back to later, and share it with those who are interested in web3 security.
From this recap, you’ll learn:
- What makes security in web3 so important?
- How do web3 projects tackle the security issues in B2B and B2C segments?
- Will web3 be more secure in the nearest future?
Now it’s time to learn more about the projects that are making web3 a safer place for both users and other projects in the industry.
Guardians of the Blockchain
GBC.ai applies artificial intelligence and superpower solutions to blockchain problems by creating security tools.
GBC.AI wants blockchains to become safe and secure. They are building tools to detect issues and ensure that threats are proactively dealt with before they become problems.
At Lossless, they provide solutions for projects to protect their cryptocurrencies from various exploits such as hacks and social engineering.
Their protocol allows web3 companies to spot hacks, freeze them, and return the stolen funds to the users.
Using Lossless protocol, the Horizon Bridge was able to retrieve 78 million tokens which at the moment of the hack were worth $1.3 million, and return these funds back to the owners.
Code Arena is a web3 security auditing community. They organise security audit contests that differ from traditional audits and bug bounties. The Code Arena audit model offers wider coverage to protocols and, at the same time, guaranteed payouts to participants, with an average participation rate of 35+ auditors per contest.
An important aspect of Code Arena’s model is the ability to start an audit in just 48 hours, a timeline that is unheard of in the auditing space.
At Hacken, they do penetration testing of web and mobile applications, protocols, and bug bounties.
They look for vulnerabilities in order to protect projects in different ways. Mostly they do this as consultants rather than through bug bounties, but separately they have a product that unites around 10,000 hackers and projects like FSX, Avalanche, and others.
At Interlock, they are focused on protecting DeFi consumers by giving them access to enterprise-grade security tools.
Interlock helps to protect DeFi by building products and rewarding people with its tokens for sharing threats and helping improve security overall.
Functionland is a creator of Box, the web3 response to cloud subscription. It’s the first blockchain-attached storage solution for your data.
With Functionland, your data is fully encrypted and owned exclusively by you.
KYC Alliance is educating readers on how to identify and avoid crypto scams, phishing schemes, and other financial crimes.
Make sure you go to the KYC blog on Mirror to learn more about NFT scams, Ponzi schemes, and the anatomy of scams.
Now let’s jump into recapping some of the most important things we’ve discussed.
What makes security in web3 so important?
Web3 has a low barrier to entry. Everyone can make a token or a marketplace, and anyone can invest. You don’t need a license for that.
This means there’s a lot of exposure and a lot of potential risk, because no one really screens out scammers. There are no regulations that help ensure a protocol or project is reliable, so it can be complicated for both newcomers and crypto-natives to identify the malicious players. One of the most widespread frauds in web3 is social engineering.
Social engineering is the idea of tricking someone into doing your bidding. That’s the most basic concept of it, and it can be anything from a phone call to an e-mail to a DM on Twitter or other social media.
Recently, with the really down economy and the bear market, a lot of the hooks have shifted from “this project will be the next 1000x, invest in us, it’s going to the moon” to zero-investment hooks like “you’ve won money at our exchange, come claim it”, or a free NFT mint that ends up connecting to a wallet-draining app, or a mint that isn’t actually free and carries a tiny hidden fee. Tactics like that have changed with the market conditions.
As web3 hackers get smarter and greedier, security is a top priority for both users and companies in the space.
How to protect individuals in web3?
One of the ways to stay safe in this ecosystem is by doing your own research (DYOR). But how many people really know how to do that? Or have the time to do that?
In reality, most people treat a transaction as a leap of faith, because we don’t have any tool that would help us identify whether a smart contract is malicious or not.
Guardians of the Blockchain have developed a tool that does just that. It pops up next to MetaMask or any other wallet with a red sign for stop if there’s a fraud risk, yellow for attention, and green for clear.
Watch the demo on their YouTube to see how that works.
This tool is powered by artificial intelligence. It aggregates all the latest data with machine learning and helps protect users.
It’s like a pre-do-your-own-research, and a bit like an antivirus suite for a PC, but it’s for your wallet and for what you do in web3 when you connect your wallet — says Will De’Ath of GBC.ai.
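As an added illustration of what a pre-signing wallet check of the red/yellow/green kind described above can look like, here is a small Python screener for a transaction request. It is example code written for this recap, not GBC.ai’s tool or any project’s code. It decodes the calldata for the standard ERC-20 approve and ERC-721/1155 setApprovalForAll selectors and compares the dapp’s “free mint” claim with the ETH value actually attached, which covers the hidden-fee and wallet-drainer hooks mentioned earlier. The severity rules, the blocklist and trusted-operator contents, and the sample transactions are constructed assumptions for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class Verdict(Enum):
    GREEN = "green"    # clear
    YELLOW = "yellow"  # attention: review before signing
    RED = "red"        # stop: likely fraud


# Standard 4-byte function selectors (first 4 bytes of keccak256 of the signature).
SEL_APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20
SEL_SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/1155
SEL_MINT = "1249c58b"                  # mint()
MAX_UINT256 = (1 << 256) - 1
SEVERITY = {Verdict.GREEN: 0, Verdict.YELLOW: 1, Verdict.RED: 2}


@dataclass
class TxRequest:
    to: str             # destination contract or account, 0x-prefixed
    value_wei: int      # native ETH attached to the call
    data: str           # hex calldata without 0x ("" for a plain value transfer)
    claimed_free: bool  # what the dapp's UI told the user (e.g. "free mint")


def abi_word(n: int) -> str:
    """Encode an integer / address / bool as one 32-byte ABI word in hex."""
    return f"{n:064x}"


def encode_call(selector: str, *args: int) -> str:
    """Build calldata from a selector and static ABI arguments (used for the sample inputs)."""
    return selector + "".join(abi_word(a) for a in args)


def worse(a: Verdict, b: Verdict) -> Verdict:
    return a if SEVERITY[a] >= SEVERITY[b] else b


def screen_transaction(tx: TxRequest, blocklist: Set[str],
                       trusted_operators: Set[str]) -> Tuple[Verdict, List[str]]:
    """Return (verdict, reasons). The rules are illustrative assumptions, not a product's logic."""
    reasons: List[str] = []
    data = tx.data.lower()
    if tx.to.lower() in blocklist:
        return Verdict.RED, ["destination is on the blocklist"]
    verdict = Verdict.GREEN
    # The "free mint with a hidden fee" hook: UI says free, transaction sends ETH.
    if tx.claimed_free and tx.value_wei > 0:
        reasons.append(f"dapp claims 'free' but the transaction sends {tx.value_wei} wei")
        verdict = Verdict.RED
    selector = data[:8]
    if len(data) >= 8 + 2 * 64 and selector in (SEL_SET_APPROVAL_FOR_ALL, SEL_APPROVE):
        counterparty = "0x" + data[8 + 24:8 + 64]          # last 20 bytes of word 1
        second_arg = int(data[8 + 64:8 + 128], 16)          # bool or amount in word 2
        grants_everything = (selector == SEL_SET_APPROVAL_FOR_ALL and second_arg != 0) or \
                            (selector == SEL_APPROVE and second_arg == MAX_UINT256)
        if grants_everything:
            what = "the whole NFT collection" if selector == SEL_SET_APPROVAL_FOR_ALL \
                else "an unlimited ERC-20 allowance"
            if counterparty in trusted_operators:
                reasons.append(f"grants {counterparty} {what} (known operator)")
                verdict = worse(verdict, Verdict.YELLOW)
            else:
                reasons.append(f"grants {counterparty} {what} (unknown operator)")
                verdict = worse(verdict, Verdict.RED)
    return verdict, reasons


# Constructed sample data: synthetic addresses, not real contracts.
COLLECTION = f"0x{0xABCD:040x}"
DRAINER_OPERATOR = f"0x{0xBAD:040x}"
TRUSTED_MARKET = f"0x{0x1234:040x}"
BLOCKLIST = {f"0xdead{0:036x}"}
TRUSTED = {TRUSTED_MARKET}

SAMPLES: Dict[str, TxRequest] = {
    "hidden_fee_mint": TxRequest(COLLECTION, 10**15, encode_call(SEL_MINT), True),
    "drainer_approval": TxRequest(COLLECTION, 0, encode_call(SEL_SET_APPROVAL_FOR_ALL, 0xBAD, 1), True),
    "unlimited_allowance": TxRequest(COLLECTION, 0, encode_call(SEL_APPROVE, 0x1234, MAX_UINT256), False),
    "plain_transfer": TxRequest(f"0x{0x42:040x}", 10**18, "", False),
    "blocklisted": TxRequest(f"0xdead{0:036x}", 0, "", False),
}


def sample_verdicts() -> Dict[str, str]:
    """Screen every constructed sample and return name -> verdict colour."""
    return {name: screen_transaction(tx, BLOCKLIST, TRUSTED)[0].value for name, tx in SAMPLES.items()}


if __name__ == "__main__":
    for name, tx in SAMPLES.items():
        verdict, reasons = screen_transaction(tx, BLOCKLIST, TRUSTED)
        print(f"{name:20} {verdict.value:7} {'; '.join(reasons)}")
```

The check deliberately does not try to decide whether a contract is malicious on its own; it only surfaces what the user is about to sign in plain words (an unlimited allowance, control of a whole collection, a fee where none was promised), which is the decision point the speakers keep coming back to.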
Interlock is also focused on protecting individual users from threats on the web. The main perspective they are working on is the user level and consumer level.
They created a method of using a reputation system for smart contracts. All of their users contribute in a voting fashion combined with the actual smart contract writers to determine what’s valid and what isn’t.
Interlock’s method has a B2B side too, because every piece of threat data that is created (usable, private, and anonymous smart contract information) is then delivered to cyber security companies and enterprises that need that data to keep themselves more secure.
Functionland created a full protocol to give the guarantees that the cloud gives people in a P2P way. It’s a people-owned network, so it’s not controlled by Google, Apple, Spotify, or any other centralised company.
Keyvan, the CEO of Functionland, mentioned that today we have a mixed system of web3 components (blockchains, transparency) on the one hand and web2 elements (censorship and access to user data) on the other.
To show the benefits of web3 to people and build trust, web3 companies need to completely remove those web2 bottlenecks.
We need to give users their data in a secure way, with the same benefits that they are receiving from web2 right now.
And we need to guarantee that users’ data is always encrypted. No one can access it and use it. So this is the mission that we are working on at Functionland: to eliminate web2 from web3.
KYC (Know Your Crook) is an educational resource where users can learn everything about the most popular crypto scams and how to avoid them.
Chris of KYC collects all the fraud messages he gets on various social media apps, documents them, and shares them on Twitter as they happen, with live commentary. His posts help users identify and avoid crypto scams, phishing schemes, and other financial crimes.
How to protect companies in web3?
Trust in crypto is everything, says Yevgeniia, the CEO of Hacken. The company provides B2B services to help web3 companies build trust within their communities and investors. These include looking for vulnerabilities at different application levels like smart contracts, web applications, protocols, etc.
We’ve gathered information about around 2000 projects from CoinGecko to discover what they do in terms of smart contract audits and bug bounties, whether they had hack cases or not, whether they have insurance or not, and also whether their audits are relevant.
These security ratings are integrated into CoinGecko, so every user can go to the project page and see what the project does in terms of security.
So nowadays security is part of the trust in web3 projects, says Yevgeniia. It’s important for projects to understand this, because to be listed on an exchange today you need to provide a sort of proof of security showing that your project is reliable. Unfortunately, a lot of projects still get security audits just because they are required, without really understanding what should be behind them.
To change that, the Hacken team is working with some major alliances on creating standards within the industry, to make it more transparent and clear for users and investors how projects tackle security issues and what they do to prevent hacks and protect the money and reputation behind their investments.
At Code Arena, they believe in a community-driven approach to security. Usually we think of code as a logical and mechanical thing, but there are actually many emotions involved in it, says Vee of Code Arena.
Just imagine the responsibility: you are creating something that handles numerous transactions, large funds, and ultimately people’s trust. That responsibility is tremendous, so the possibility of a hack is everyone’s worst nightmare.
Developers fear that they will be publicly embarrassed by the hack, and auditors are stressed out that they are missing something.
At Code Arena we are changing this by creating a really open community where everyone can learn and share their burden. At the same time, we ensure that great results are being achieved, and altogether we aim to make web3 a safer place for all.
Lossless protocol implements an additional layer of blockchain transaction security for ERC-20 standard tokens, mitigating the financial impact of smart contract exploits and private key theft.
Lossless protocol utilises community-driven threat identification tools and a unique stake-based reporting system to identify suspicious transactions, providing real-time protection.
The protocol is driven by a network of security experts, developers, whitehat hackers, and others who are able to identify suspicious transactions; Lossless gives them the means to stop those transactions and return the funds to their owners.
Here’s how they do that:
A person who sees that a transaction is actually malicious is able to stake Lossless tokens and in this way stop the transaction from going from wallet A to wallet B. It stops in between, and then the Lossless team starts an investigation.
After they receive verification that the transaction is the result of a hack, they are able to initiate the retrieval of the tokens and return those funds to the actual owner, with the deduction of a small fee.
It’s not Lossless doing the work. Basically, it’s more like we have created a tool, a product which can be integrated into various projects, into their token smart contracts. But it’s the community, it’s the developers and white hat hackers. Those people are the ones who use our product to stop hacks from happening — Monica, the marketing lead of Lossless.
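To make the stake-report-investigate-retrieve flow described above concrete, here is a small Python model of such a protected token. It is an added example written for this recap, not the Lossless protocol’s contracts or code. The page does not state the minimum stake, the fee size, or what happens to a reporter’s stake after a false report, so the constants MIN_REPORT_STAKE and RETRIEVAL_FEE_BPS, the escrow-then-settle step, and the slashing of a reporter’s stake on a rejected report are all assumptions for the example, as are the account names and balances.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Status(Enum):
    PENDING = "pending"      # transfer initiated, funds held "in between" and not yet delivered
    FROZEN = "frozen"        # a staked report froze it; investigation in progress
    SETTLED = "settled"      # delivered to the recipient
    RETRIEVED = "retrieved"  # confirmed hack; funds returned to the sender minus a fee


MIN_REPORT_STAKE = 100   # assumed minimum stake (in the protocol's own token) to file a report
RETRIEVAL_FEE_BPS = 200  # assumed 2% retrieval fee, in basis points


@dataclass
class Transfer:
    sender: str
    recipient: str
    amount: int
    status: Status = Status.PENDING
    reporter: Optional[str] = None
    stake: int = 0


class ProtectedToken:
    """Toy ERC-20-like ledger with a report/freeze layer in front of settlement (assumed design)."""

    def __init__(self, balances: Dict[str, int], stake_balances: Dict[str, int]):
        self.balances = dict(balances)              # protected token balances
        self.stake_balances = dict(stake_balances)  # balances of the staking/reporting token
        self.transfers: List[Transfer] = []
        self.treasury = 0                           # fees and slashed stakes (assumed destination)

    def transfer(self, sender: str, recipient: str, amount: int) -> int:
        """Debit the sender and hold the amount in escrow; returns the transfer id."""
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient balance")
        self.balances[sender] -= amount
        self.transfers.append(Transfer(sender, recipient, amount))
        return len(self.transfers) - 1

    def report(self, tx_id: int, reporter: str, stake: int) -> None:
        """A community member stakes tokens to freeze a pending transfer."""
        t = self.transfers[tx_id]
        if t.status is not Status.PENDING:
            raise ValueError("only pending transfers can be reported")
        if stake < MIN_REPORT_STAKE or self.stake_balances.get(reporter, 0) < stake:
            raise ValueError("insufficient stake")
        self.stake_balances[reporter] -= stake
        t.status, t.reporter, t.stake = Status.FROZEN, reporter, stake

    def settle(self, tx_id: int) -> None:
        """No report arrived while pending: deliver the funds to the recipient."""
        t = self.transfers[tx_id]
        if t.status is not Status.PENDING:
            raise ValueError("only pending transfers can be settled")
        self.balances[t.recipient] = self.balances.get(t.recipient, 0) + t.amount
        t.status = Status.SETTLED

    def resolve(self, tx_id: int, confirmed_hack: bool) -> None:
        """Outcome of the investigation of a frozen transfer."""
        t = self.transfers[tx_id]
        if t.status is not Status.FROZEN:
            raise ValueError("only frozen transfers can be resolved")
        assert t.reporter is not None
        if confirmed_hack:
            # Return the funds to the original owner minus the fee; give the reporter their stake back.
            fee = t.amount * RETRIEVAL_FEE_BPS // 10_000
            self.balances[t.sender] = self.balances.get(t.sender, 0) + t.amount - fee
            self.treasury += fee
            self.stake_balances[t.reporter] += t.stake
            t.status = Status.RETRIEVED
        else:
            # False report: the transfer goes through and the stake is slashed (assumed rule).
            self.balances[t.recipient] = self.balances.get(t.recipient, 0) + t.amount
            self.treasury += t.stake
            t.status = Status.SETTLED
        t.stake = 0


def run_scenario() -> ProtectedToken:
    """Constructed scenario: one drained wallet that is retrieved, one normal payment, one false report."""
    token = ProtectedToken({"victim": 10_000}, {"whitehat": 500})
    drain = token.transfer("victim", "attacker", 10_000)   # key theft: everything moves out
    token.report(drain, "whitehat", 100)                    # frozen before it reaches "attacker"
    token.resolve(drain, confirmed_hack=True)               # victim gets 9_800 back, fee 200
    pay = token.transfer("victim", "merchant", 100)         # ordinary payment, nobody reports it
    token.settle(pay)
    disputed = token.transfer("victim", "merchant", 50)
    token.report(disputed, "whitehat", 100)                 # mistaken report
    token.resolve(disputed, confirmed_hack=False)           # merchant paid, stake slashed
    return token


if __name__ == "__main__":
    t = run_scenario()
    print(t.balances, t.stake_balances, "treasury:", t.treasury)
```

The point the model makes is the one Monica makes in the quote: the protocol itself never decides what is a hack. It only provides the escrow window, the staking step that makes freezing costly enough to discourage abuse, and the two resolution paths; the judgement comes from the people who report and investigate.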
What are the challenges of making web3 a more secure place?
Speakers highlighted that, unfortunately, most web3 projects do not see security as a priority.
The general mentality is that investors and senior leadership alike are more than willing to do anything they can to prevent something bad from happening again. But that willingness isn’t there to prevent something bad from happening the first time.
Before something bad happens, they think that it won’t happen to them and their product. And then that’s when they want to dump time, money, and resources into preventing it from happening again — Will, the CEO of GBC.ai.
From a psychological and a user perspective, cyber security products are marketed like insurance, whereas human psychology is more prone to take the reactive solution: a painkiller rather than a vitamin. It’s the same in security: it’s not on people’s radar until it happens to them.
Yevgeniia from Hacken mentioned that the situation is now much better than it was around 5 years ago. However, the motivation behind it hasn’t changed dramatically. Yevgeniia shares 3 main reasons why projects start to care about security in web3:
- they’ve been hacked.
- someone forced them to do this, like regulators for crypto exchanges, for licensing, or for investors.
- a really rare case is when they are security aware and they do this proactively.
The crypto space is really transparent, highlights Yevgeniia, and once you’ve been hacked, your project’s valuation goes down pretty fast; that is when people understand what the cost of security really is.
However, Chris of KYC adds that it’s not just about companies that don’t care much about security.
Web3 is predicated on self-custody. And, you know, at the end of the day, you can have all of these safety measures in place. But if a user wants to click a thing because social engineering is that good, and they say, “hey, don’t worry about those warning messages popping up, you know, happens all the time, blah blah blah, just click”, they’re going to click the thing, and they’re going to be compromised.
It really all comes down to the user level. And even though it’s essential for every project to make sure they are safe and secure, it still comes down to their index finger sitting on the mouse and whether or not to click a thing.
So the best we can do is primarily educate people, and that’s why KYC is focused on teaching users how to identify frauds and stay safe.
Will web3 be more secure in the nearest future?
Chris of KYC highlighted that companies usually treat their security efforts as a static moment in time, which is the wrong approach. The pace at which these projects grow and scale often outpaces how their security grows.
Security, in general, should be dynamic. Your security process should be a living, breathing process that evolves with the project.
What you have at the very beginning of a project at launch might be sufficient security. But then once you’ve grown and you have 150,000 holders and you’ve expanded your product line, your security has to expand with that.
But the good news is that in web3 everything moves really, really fast. In general, financial crime in the crypto world is not going to be nearly as lucrative as it used to be, and we’re going to see that number steadily decline.
We have great examples of web2 security, and a lot of web2 security companies are coming to web3 now. So we already have good examples, good methodology, and good standards. We should just take them as a base level and adapt them to web3’s needs.