December 12th, 2022
High-profile hacks have become commonplace within the Web3 space. Hardly a week goes by without at least one major hack in which millions of dollars are stolen from a crypto project and its users.
One of the main drivers of these high-cost Web3 hacks is the fact that blockchain-based projects face unique security risks. In this article, we summarize the top 5 security risk factors of Web3 projects.
Historically, “security through obscurity” has been a core part of an application security strategy. While an application’s security should not be reliant on its source code remaining secret, many developers take steps to make their code difficult to reverse engineer. This both serves to protect the company’s intellectual property and makes it more difficult for attackers to identify and exploit vulnerabilities.
In Web3, most smart contracts are open-source, and all are deployed to the blockchain. As a result, attackers have more opportunities to reverse engineer smart contract code and identify vulnerabilities for exploitation. Additionally, the immutability of the blockchain’s distributed ledger makes it more difficult to apply updates to contract code to patch identified vulnerabilities.
In Web2, cybersecurity incidents have a limited impact, and incident response is often focused on restoring operations and systems to a normal state. If an organization suffers a ransomware infection or data breach, it can restore data from backups, implement identity monitoring for customers, and move on. If money is stolen, there is a chance that financial institutions will reverse malicious transactions.
On the blockchain, transactions are often high-value and irreversible. Web3 hacks commonly have price tags in the millions, and blockchain immutability makes it impossible to reverse malicious transactions and undo the attack. Instead, Web3 organizations must focus on damage control, attempting to compensate affected users for their losses.
Early investment in a company is nothing new. Often, startups will perform rounds of investment before they have a fully-fledged product. This allows them to get the funding necessary to reach production and start earning revenue and paying off those investments.
However, these initial investments are typically performed by venture capitalists and similar individuals who have a good understanding of the potential risks and visibility into the project.
In Web3, ICOs and similar investment events allow customers to buy into a project that doesn’t exist yet and maybe never will. By normalizing the creation of high-value projects still in their infancy, Web3 creates opportunities for fraud, such as rug pulls.
Another major contributor to fraud on the blockchain is the visibility of the team behind the product. In Web2, most companies have a very visible team of executives who take public ownership of the company. If something goes wrong, it is clear who to blame.
In Web3, on the other hand, anonymous teams or project members are commonplace. This anonymity makes it easier for Web3 projects to perform a rug pull or other fraud and then disappear. High-profile incidents involving public personas — such as the recent FTX meltdown — are the exception, not the rule.
Undervaluing security is a common problem in Web2. The number of newly discovered software vulnerabilities in production software continues to grow each year, resulting in a rising number of hacks and high-profile data breaches.
However, the results of failing to properly prioritize security are even more visible in Web3. A “test in prod” mindset in which smart contracts are launched without proper security testing has led to billions in losses. Most of the biggest hacks of DeFi projects to date are of unaudited projects.
The main security risks of Web3 are split between users and developers. Before investing in a Web3 project, users should do their own research to verify that a project is legitimate before investing funds.
For Web3 project owners, a security audit before launch can go a long way towards reducing potential risk exposure. To learn more about how you can secure your Web3 project, reach out to our blockchain security experts at firstname.lastname@example.org.