Web3 Security: Uncovering the Hidden $100 Billion Market

Buidler DAO
11 min read · Apr 1, 2024

BuidlerDAO: Web3 Talents & Projects Network

https://nextme.one/BuidlerDAO

BD Telegram: @frankmiao_bd

Author: Henry

Editor: createpjf

Intro

Once, the Greeks offered a colossal wooden horse to the city of Troy, which the citizens took as a symbol of peace, not knowing the threat it represented.

With the successful launch of Bitcoin ETFs, an increasing influx of new users and capital is moving towards Web3, seemingly bringing the future of Web3 towards mass application one step closer. However, the lack of policies and security vulnerabilities still pose significant barriers to the widespread adoption of cryptocurrencies.

In the crypto world, hackers can profit millions or even billions of dollars by exploiting on-chain vulnerabilities, while the anonymity of cryptocurrencies provides a perfect cover for their retreat. By the end of 2023, the total value locked (TVL) in all decentralized finance (DeFi) protocols was approximately $40 billion (currently $100 billion), and in 2022, the total value of tokens stolen from DeFi protocols reached $310 million, accounting for 7% of the above-mentioned value. This figure starkly highlights the severity of security issues within the Web3 industry, hanging over us like the sword of Damocles.

Security issues are not confined to the on-chain environment; those on the user side cannot be underestimated either. According to data released by Scam Sniffer, in 2023, 324,000 users lost assets due to phishing attacks, with a loss of $295 million in total. From the perspective of both impact and the amount of money, the situation is gravely serious. However, from a user’s perspective, security incidents are inherently delayed — it’s often hard for users to fully realize the seriousness of potential risks before an incident actually happens. Hence, people often fall into the “survivorship bias,” neglecting the importance of security.

This article starts with the security challenges currently faced by the market, exploring the security risks brought about by the rapid growth of Web3 users. By analyzing security solutions proposed by companies like GoPlus, we delve into how to support the mass adoption of Web3 from aspects of compliance and security. We believe Web3 security represents an untapped hundred billion market and that the demand for user-end security services will see exponential growth as the Web3 user base continues to expand.

The Hidden Threats and Hundred Billion Market

The current Web3 security products are primarily ToB, ToC, and ToD. The Business side mainly deals with product security audits, conducting penetration tests, and producing audit reports to protect the product side. The Consumer side focuses on protecting the user security environment, offering detection services through APIs based on real-time capture and analysis of threat intelligence for user-side protection. The Developer side mainly targets developer tools, providing automated security audit tools and services for Web3 developers.

Security audits are necessary static security measures. Almost every Web3 product undergoes a security audit, with the report made public. Security audits not only enable the community to verify the protocol’s security a second time but also form a basis for users to establish trust in the product.

However, security audits are not all-powerful. Given the market’s development trend and current narratives, we foresee a continuous rise in challenges to the user security environment, mainly reflected in the following aspects:

1. Asset Security

Every market cycle is accompanied by the issuance of new assets. With the popularity of ERC404 and the rise of FT and NFT hybrid Tokens, the issuance of on-chain assets will continue to innovate and become more complex. The challenge to the security of new types of assets is growing day by day. As different asset types are mapped and integrated through smart contracts, increasing the system’s complexity, the security challenges also grow. This complexity offers attackers a wider space for attacks, such as disrupting asset transfers through specific callback mechanisms or tax systems, or even launching direct DoS attacks. This brings challenges to traditional pre-chain methods like asset issuance contract security audits and formal verification. Solutions with real-time monitoring, warning, and dynamic interception are urgently needed.

2. Behavioral Security

Data from CSIA shows that 90% of cyber-attacks start with phishing. This also applies to Web3, where attackers target users’ private keys or on-chain funds, sending phishing links or scam messages through platforms like Discord, X, and Telegram, leading uninformed users to make erroneous transfers, interact with malicious smart contracts, or install virus files.

Interacting on-chain comes with a steep learning curve, which is inherently anti-human. Even an offline signature can lead to the loss of millions of dollars. When we click to sign, facing various input parameters, do we really know what we are authorizing? On January 22, 2024, a cryptocurrency user fell victim to a phishing attack, signing a Permit with incorrect parameters. After obtaining the signature, the hacker used it to transfer tokens worth $4.2 million from the user’s account.
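As an added example (not GoPlus’s or the article’s code), the following wallet-side check inspects an EIP-712 Permit signing request of the kind described above and flags the parameters that make such a signature dangerous: an unknown spender, an unlimited value, and a deadline far in the future. The spender allowlist, the one-year threshold and the sample request are assumptions constructed for illustration.

```python
"""Wallet-side sanity check for an ERC-2612 Permit signing request.

Added example for this article, not GoPlus's or the article's own code. The
message fields are the standard EIP-712 Permit struct; the spender allowlist,
the one-year deadline threshold and the sample request are constructed.
"""
import time
from typing import Optional

MAX_UINT256 = 2**256 - 1
ONE_YEAR = 365 * 24 * 3600
# Constructed allowlist: contracts the user has knowingly approved before.
KNOWN_SPENDERS = {"0x1111111111111111111111111111111111111111"}


def check_permit(typed_data: dict, signer: str, now: Optional[int] = None) -> list:
    """Return human-readable warnings for a Permit request; [] means no red flag."""
    now = int(time.time()) if now is None else now
    if typed_data.get("primaryType") != "Permit":
        return ["not a Permit request; inspect the typed data manually"]
    msg = typed_data["message"]
    warnings = []
    if msg["owner"].lower() != signer.lower():
        warnings.append("owner field does not match the signing account")
    spender = msg["spender"].lower()
    if spender not in KNOWN_SPENDERS:
        warnings.append(f"spender {spender} is not a known contract")
    if int(msg["value"]) == MAX_UINT256:
        warnings.append("unlimited allowance requested (value == 2**256 - 1)")
    if int(msg["deadline"]) - now > ONE_YEAR:
        warnings.append("deadline is more than one year in the future")
    return warnings


# Constructed sample of the kind of request a phishing page may hand a wallet:
# the user's own address as owner, an unknown spender, unlimited value and a
# deadline decades away, so the signature stays usable indefinitely.
SIGNER = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
PHISHING_REQUEST = {
    "primaryType": "Permit",
    "domain": {"name": "Token", "version": "1", "chainId": 1,
               "verifyingContract": "0x2222222222222222222222222222222222222222"},
    "message": {
        "owner": SIGNER,
        "spender": "0x3333333333333333333333333333333333333333",
        "value": str(MAX_UINT256),
        "nonce": 0,
        "deadline": 9999999999,
    },
}
```

A wallet would surface the returned warnings before the user confirms the signature; a request that passes all three checks still deserves a look at the spender contract itself.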

The vulnerability of the user’s security environment can also lead to asset loss. For example, when a user imports a private key into an Android app wallet, the private key often remains in the phone’s clipboard and isn’t overwritten. In such cases, a malicious app that is opened can read the private key and either transfer the assets it detects in the wallet automatically or steal them after a period of latency.

As more and more new users enter Web3, the security issues in the user-end environment will become a significant hidden danger.

3. Protocol Security

Reentrancy attacks are still one of the biggest challenges faced by protocol security. Despite numerous risk control strategies being employed, incidents involving these attacks continue to occur frequently. For example, last July, Curve suffered a severe reentrancy attack due to a compiler flaw in its contract programming language Vyper, resulting in a loss of $60 million. This incident raised widespread doubts about the security of DeFi.

Although many “white-box” solutions target contract source code logic, incidents like the one with Curve reveal a crucial problem: even if the contract’s source code is flawless, issues with the compiler can lead to discrepancies between the final execution outcome and the intended design. Transforming a contract from source code into actual runtime behaviour is a multi-step process, with each step potentially introducing unforeseen issues, and the source code itself may not cover all potential scenarios. Therefore, relying solely on source code and compiler-level security is far from sufficient.

Consequently, runtime protection becomes necessary. Unlike existing risk control measures that focus on the protocol source code level and take effect before execution, runtime protection involves protocol developers writing runtime protection rules and operations to handle unforeseen circumstances during execution. This makes it possible to evaluate and address execution outcomes in real time.

According to cryptocurrency asset management company Bitwise’s forecast, the total cryptocurrency assets will reach $16 trillion by 2030. If we analyze from a Security Cost Risk Assessment perspective, the occurrence of on-chain security incidents leads to almost 100% asset loss, setting the Exposure Factor (EF) at 1. Therefore, the Single Loss Expectancy (SLE) is $16 trillion. With an Annualized Rate of Occurrence (ARO) of 1%, the Annualized Loss Expectancy (ALE) would be $160 billion, representing the maximum investment cost for cryptocurrency asset security.

Given the severity, frequency, and rapid market growth of cryptocurrency security incidents, we can foresee that Web3 security will become a hundred billion-dollar market, growing rapidly with the expansion of the Web3 market and user base. Furthermore, considering the massive growth in individual user numbers and the increasing concern for asset security, we can predict that the Consumer side market’s demand for Web3 security services and products will show geometric growth, representing an untapped blue ocean market.

Web3 Security Track Analysis

With the continuous emergence of Web3 security issues, there is a clear increase in demand for advanced tools capable of protecting digital assets, verifying NFT authenticity, monitoring decentralized applications, and ensuring compliance with anti-money laundering regulations. According to statistics, the main security threats facing Web3 currently stem from:

  • Protocol-directed hacker attacks
  • User-targeted scams, phishing, and private key theft
  • Security attacks aimed at the blockchain itself

To counter these risks, companies in the current market mainly focus on pre-chain testing and auditing (ToB) and on-chain monitoring (ToC) with corresponding services and tools. Compared to the ToC track, ToB track players entered the market earlier and continue to see new entrants. However, as the Web3 market environment becomes more complex, ToB audits gradually struggle to cope with various security threats, highlighting the importance of ToC monitoring, whose demand is steadily increasing.

  • To B

Currently, companies represented by Certik and Beosin provide ToB testing and auditing services. These companies mostly offer services at the smart contract level, conducting security audits and formal verification of smart contracts. Through these pre-chain methods, such as wallet visualization analysis, smart contract vulnerability security analysis, and source code security audits, smart contracts can be checked to some extent, reducing risk.

  • To C

ToC monitoring is executed on-chain, completing risk analysis, transaction simulation, and state monitoring of smart contract code, on-chain state, and user transaction metadata. Compared to ToB, companies focusing on Consumer side security in Web3 generally started later, but their growth rate is quite impressive. Products from companies like GoPlus, a representative Web3 security company, are gradually being adopted across various Web3 ecosystems.

GoPlus, since its launch in May 2021, has seen a rapid increase in daily API call volume, from a few hundred queries a day initially to twenty million at peak times today. The following graph shows the increase in token risk API calls from 2022 to 2024, highlighting GoPlus’s growing importance in the Web3 domain. Its user data module has gradually become an essential component of various Web3 applications, playing a crucial role in top market websites like CoinMarketCap (CMC), CoinGecko, Dexscreener, Dextools, leading decentralized exchanges like Sushiswap, Kyber Network, and wallets like Metamask Snap, Bitget Wallet, Safepal. Furthermore, this module is also adopted by user security service companies like Blowfish, Webacy, and Kekkai. This demonstrates GoPlus’s significant role in defining the security infrastructure of the Web3 ecosystem and its importance in contemporary decentralized platforms.

GoPlus primarily offers the following API services, providing comprehensive insights into user security data through specific data analysis of multiple key modules, safeguarding against evolving security threats, and addressing the multifaceted challenges of Web3 security.

  • Token Risk API: Assesses risks associated with various cryptocurrencies.
  • NFT Risk API: Evaluates the risk overview of various NFTs.
  • Malicious Address API: Identifies and tags addresses related to fraud, phishing, and other malicious activities.
  • dApp Security API: Provides real-time monitoring and threat detection for decentralized applications.
  • Approval Contract API: Manages and audits smart contract call permissions.

In the ToC track, we also notice Harpie. Focusing on protecting Ethereum wallets from theft, Harpie collaborates with companies like OpenSea and Coinbase, protecting tens of thousands of users from scams, hacking, private key theft, and other security threats. The company’s products start with “monitoring” and “recovery,” monitoring wallets for vulnerabilities or threats, immediately notifying and assisting users in fixing discovered vulnerabilities; and responding promptly when users become victims of hacking attacks or scams to recover assets. They prevent attacks and handle security emergencies, achieving significant results in Ethereum wallet security.

Additionally, ScamSniffer offers services in the form of a browser plugin. This product conducts real-time detection using a malicious website detection engine and multiple blacklist data sources before users open links, protecting them from malicious websites. During online transactions, it provides detection against phishing and other scam tactics to ensure user asset security.

Next-Generation Security Products: Safeguarding the Mass Adoption of Web3

Addressing the issues of asset security, behavioral security, and protocol security mentioned above, as well as the need for on-chain compliance, we delved into solutions by GoPlus and Artela to explore how they support the mass adoption of Web3 by maintaining user and on-chain operation security environments.

1. User Security Environment Infra

Blockchain transaction security is the cornerstone of Web3 mass application security. Frequent on-chain hacker attacks, phishing attacks, and rug pulls make transaction tracing, suspicious behavior identification on-chain, and user profiling capabilities crucial for security. Based on this, GoPlus launched the first full-scenario personal security detection platform, SecWareX.

SecWareX, built on the SecWare user security protocol, offers a one-stop, comprehensive security solution including real-time identification of on-chain runtime attacks, early warning, timely interception, and post-incident dispute resolution. It supports asset issuance contracts with customized security interception strategies for specific scenarios.

To educate users on behavioral security, SecWareX cleverly integrates learning security knowledge with earning token incentives through the Learn2Earn program, enhancing users’ security awareness while providing tangible rewards.

2. Compliance Solutions for Funds

Anti-money laundering (AML) is one of the most urgent needs on public blockchains. By analyzing the source, expected behavior, amount, frequency and other factors of transactions, suspicious or abnormal behaviors can be promptly identified. This helps decentralized exchanges, wallets, and regulatory agencies detect potential illegal activities like money laundering, fraud, and gambling, and take timely measures such as warnings, asset freezes, or reporting to law enforcement, enhancing DeFi’s compliance and mass application.

As on-chain behaviors continue to diversify, Know Your Transaction for decentralized applications will become an essential condition for mass adoption. GoPlus’s Malicious Address API is crucial for exchanges, wallets, and financial services operating in Web3 to comply with regulatory requirements and ensure their operation, highlighting the intrinsic connection between regulatory compliance and technological progress in the Web3 domain. It emphasizes the importance of continuous monitoring and adaptation to safeguard the ecosystem’s integrity and its users’ security.

3. On-Chain Security Protocol

Artela is the first public Layer 1 chain natively supporting runtime protection. Through its EVM++ design, Artela’s dynamically integrated native extension module, Aspect, allows adding extension logic at various points in the transaction lifecycle, recording the execution state of each function call.

When a potentially threatening reentrancy call occurs during the execution of callback functions, Aspect detects and immediately reverts the transaction to prevent attackers from exploiting reentrancy vulnerabilities. For instance, in replicating the protection against the reentrancy attack on the Curve contract, Artela provides a native-level protocol security solution for various DeFi applications.

As the complexity of protocols and the diversity of underlying compilers increase, it becomes increasingly evident that “black-box” runtime protection solutions are more important than “white-box” solutions that only perform static checks on contract code logic.
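To make the runtime-protection idea concrete (the rule-based handling described under Protocol Security and the call-state tracking attributed to Aspect here), the following added example, which is not Artela’s or Curve’s code, rebuilds the call stack from a transaction trace and reverts when a protected contract is re-entered before an earlier frame into it has returned. The trace format and the addresses are constructed assumptions.

```python
"""Runtime reentrancy rule run over a transaction call trace.

Added example modelled on the behaviour the article attributes to runtime
protection and to Artela's Aspect; it is not Artela's or Curve's code.
The trace format (depth, caller, callee) is a constructed simplification
of an EVM call trace, and all addresses are placeholders.
"""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Call:
    depth: int    # nesting depth within the transaction; 0 is the top-level call
    caller: str
    callee: str


class ReentrancyRevert(Exception):
    """Raised when the runtime rule decides the transaction must be reverted."""


def find_reentrancy(trace: List[Call], protected: Set[str]) -> Optional[int]:
    """Index of the first call re-entering a protected contract, else None."""
    # A frame at depth d is a child of the frame at depth d-1, so the stack
    # is rebuilt from depths; re-entry means the callee is already on it.
    stack: List[str] = []          # callees of frames that have not returned yet
    for i, call in enumerate(trace):
        del stack[call.depth:]     # everything deeper than this call has returned
        if call.callee in protected and call.callee in stack:
            return i
        stack.append(call.callee)
    return None


def enforce(trace: List[Call], protected: Set[str]) -> bool:
    """Apply the rule as a runtime guard: revert on re-entry, otherwise pass."""
    idx = find_reentrancy(trace, protected)
    if idx is not None:
        c = trace[idx]
        raise ReentrancyRevert(f"call #{idx}: {c.caller} re-entered {c.callee}")
    return True


# Constructed traces. In the attack, the pool pays out the attacker contract,
# whose receive hook calls back into the pool before the first call finished.
POOL, TOKEN, USER, ATTACKER = "0xpool", "0xtoken", "0xuser", "0xattacker"
BENIGN = [Call(0, USER, POOL), Call(1, POOL, TOKEN), Call(0, USER, POOL)]
ATTACK = [Call(0, ATTACKER, POOL), Call(1, POOL, ATTACKER), Call(2, ATTACKER, POOL)]
```

The benign trace shows the edge case the rule must not trip on: two separate top-level calls into the pool, the second made only after the first returned.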

Conclusion

On January 10, 2024, the SEC officially approved the listing and trading of spot Bitcoin ETFs, marking a significant step towards the mainstream adoption of cryptocurrency assets. As the regulatory environment matures and security measures are continually strengthened, we will eventually witness the arrival of large-scale applications in Web3. If the large-scale application of Web3 is tumultuous waves, then Web3 security is the robust dyke constructed to protect users’ assets against external storms, ensuring safe passage through every wave.
