Cybersecurity Implications for Web3 Trends

Anonymous Security
9 min read · Jan 7, 2024

Introduction

Long before blockchain technology was invented, the idea of a fully computer-controlled semantic web was proposed by Tim Berners-Lee in 1999. He envisioned a web in which computers would be capable of managing all links, transactions and data flowing across the internet. With the implementation of smart contracts and digital assets, coupled with advances in computing power through quantum computers and thick protocols, the concept of a semantic web could finally take shape. Over time, the scope and concept of the semantic web evolved into modern-day Web3. Decentralized data ownership and control became the key driver of Web3, and computer-controlled decision making became the means to achieve it.

Unlike Web 2.0, where consumer data is managed by a handful of centralized organizations, Web3 aims to use the blockchain ecosystem to store and record data, shifting ownership into the hands of individual consumers. Use cases for decentralized control have spread across traditional business models in the form of DAOs and dApps, where business decisions are made through machine-operated smart contracts and unbiased voting procedures. Additionally, industries such as online gaming, art, music, and heritage have benefited from the development of the Metaverse ecosystem, where creators and performers can engage directly with users without interference from middlemen. Users can pay for services in the Metaverse with asset-backed Non-Fungible Tokens (NFTs) and sell them to their peers for fiat or other cryptocurrencies. The creator or developer of the asset backing an NFT can earn perpetual royalties on every transaction involving that token. This creates a unique reward system to motivate stakeholder participation in Web3.

Although initial traction is promising, the industry faces several new security challenges brought about by its unique technology stack, which combines cloud and edge computing, intertwined protocols, and nascent developer tools with end-user technologies such as VR headsets, AR glasses, and digital asset wallets. These tools are essential for the mass adoption of Web3, and the risks they introduce should be addressed by the security programs of organizations aiming to capitalize on the multi-billion dollar market opportunity presented by the Web3 ecosystem.

This paper aims to evaluate the cyber security implications of top Web3 trends expected in 2024.

Notable Web3 Trends & Their Cyber Security Implications

Decentralization of asset ownership and decision making is the focal point of all innovation within the Web3 space, with data as its core asset. This core value proposition of true decentralization has previously been challenged when biased voting practices and the concentration of voting power within a handful of actors emerged across blockchains. Within the blockchain industry, centralized crypto exchanges (CEXs), where policies and terms are set by a central organization and information on company operations is kept private, run contrary to the foundations of Web3.

With the collapse of FTX and the domino effect of other exposed exchanges, early adopters, developers, and investors are now exploring new operating models that have the core principles of Web3 embedded in their vision and mission.

Permissionless & Trustless Blockchains will Spearhead Web3 Adoption

We expect a surge in the number of users joining organisations built on permissionless and trustless blockchains. Such blockchains have no access controls, and users are not required to rely on or trust any third party for the availability of the platform. Although this model offers independence, it presents several security and privacy challenges. Transaction information on the blockchain is available for the public to read. Since permissionless blockchains allow any user to access this data, adversaries may use it as a reconnaissance and discovery opportunity to study the behaviour of addresses, their transaction patterns, and their associations with other addresses. They can use this information in future attacks to evade security software that identifies and flags risky addresses, by masquerading as normal traffic. Permissionless blockchains may expose sensitive user information to bad actors, which may tarnish the platform's reputation, drive legitimate users to exit, and ultimately make the business redundant. In such systems, responsibility and accountability for platform security present a significant challenge, especially in the event of an attack.

Shift To Decentralized Autonomous Organizations (DAO) Business Model

DAOs are a textbook example of the original semantic web proposed by Berners-Lee and have gained popularity recently due to their commitment to decentralized control. Rather than humans, computerized smart contracts execute business decisions in DAOs. A smart contract, as the name suggests, is protocol-based software that executes transactions or decisions once the conditions defined in its code are fulfilled. Smart contracts have been a key component in achieving interoperability across blockchains and enhancing the usability of crypto tokens. Evidently, these contracts have become an attractive target for mainstream hacker groups aiming to steal virtual assets and disrupt normal operations. For instance, in 2021, an adversary exploited a privilege escalation flaw in a smart contract to call an administrative function within another, elevated smart contract used to control the transfer of crypto assets between multiple blockchains. This exploit put 610 million USD worth of tokens at risk of theft. Design flaws and vulnerabilities in the source code of smart contracts pose a major risk to sustainable operations and continuous user acquisition by DAOs, especially as fully computer-controlled operations leave no fallback option in the event of a protocol hijack caused by a compromised smart contract. DevSecOps and diligent code review and testing practices are essential in the early stages and throughout the lifecycle of DAOs, where smart contracts form the backbone of operations.
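The privilege escalation pattern described above, in which a generic message relay holds an administrative role on another contract, is easiest to see in code. The following is an added illustration written for this article; it is not the code of any real bridge or of the 2021 incident, and the contract and function names (Vault, setKeeper, release, VulnerableRelay, HardenedRelay, setAllowed, execute) are hypothetical. Source-chain proof verification is left out of the relays so that the access-control point stands alone.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this article; not the code of any real bridge.
// All contract and function names are hypothetical, and verification of the
// incoming cross-chain message is omitted so the access-control point is clear.

// Custody contract. Its admin function is correctly guarded by onlyOwner;
// the weakness lies in which account ends up holding the owner role.
contract Vault {
    address public owner;   // may rotate the keeper (privileged)
    address public keeper;  // may release funds (operational)

    constructor(address _owner, address _keeper) {
        owner = _owner;
        keeper = _keeper;
    }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // Administrative function: whoever controls the keeper controls the funds.
    function setKeeper(address newKeeper) external onlyOwner {
        keeper = newKeeper;
    }

    function release(address payable to, uint256 amount) external {
        require(msg.sender == keeper, "not keeper");
        to.transfer(amount);
    }

    receive() external payable {}
}

// VULNERABLE: a generic relay that forwards cross-chain messages to any
// target with caller-supplied calldata. If this relay is also the Vault's
// owner, a message whose target is the Vault and whose calldata encodes
// setKeeper(...) reaches onlyOwner code with msg.sender == relay, so the
// relay's privilege is lent to whoever can get a message accepted.
contract VulnerableRelay {
    function execute(address target, bytes calldata data) external {
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}

// HARDENED: the relay may only invoke (target, function selector) pairs that
// a separate admin (e.g. a multisig) has explicitly allowed, and that admin,
// not the relay, is made owner of Vault. The relay can then hold the keeper
// role for release() without ever being able to reach setKeeper().
contract HardenedRelay {
    address public immutable admin;
    mapping(address => mapping(bytes4 => bool)) public allowed;

    event CallAllowed(address indexed target, bytes4 indexed selector, bool allowed);

    constructor(address _admin) {
        admin = _admin;
    }

    function setAllowed(address target, bytes4 selector, bool isAllowed) external {
        require(msg.sender == admin, "not admin");
        allowed[target][selector] = isAllowed;
        emit CallAllowed(target, selector, isAllowed);
    }

    function execute(address target, bytes calldata data) external {
        require(data.length >= 4, "no selector");
        bytes4 selector = bytes4(data[:4]);
        require(allowed[target][selector], "call not allowed");
        (bool ok, ) = target.call(data);
        require(ok, "call failed");
    }
}
```

The intended deployment is Vault with owner set to the multisig and keeper set to HardenedRelay, after which the multisig allows only the pair (vault address, Vault.release.selector). A relayed message targeting setKeeper then fails at "call not allowed" before it ever reaches the Vault, and even if it did, onlyOwner would reject it because the relay is not the owner. Both layers matter: the selector allowlist limits what the relay can do, and the role separation limits what the relay is.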

Data Privacy will Evolve as a Shared Responsibility between Users & Businesses

As DAOs and permissionless blockchains gain traction, individual users concerned about data privacy practices at centralized organizations will shift their attention to Web3 applications, where they can influence decisions related to the management and processing of their personal data. In the Web2 era, businesses could monetize the user data they collected by signing data sharing agreements with other organizations. These agreements enabled the data purchasers to build user profiles for personalising marketing and sales campaigns. Although data sharing across blockchains could improve user experience by expediting due diligence, we expect a decline in data sharing agreements permitting the use of personal data for marketing campaigns in the Web3 space and, consequently, a contraction of the economic opportunities that arise from such deals.

As control of personal data shifts into the hands of individual users, so does the responsibility and accountability for its security. Cyber security controls may be enforced by the founding members when a decentralised organisation is established, but ensuring the robustness of data security practices as new developments are undertaken may now fall to the individual users who participate in driving business strategy and direction. Although currently uncertain, if the organization experiences a data breach, all stakeholders, including developers and users, could be held accountable as decision makers in a decentralized organization.

Large Scale Open-Source Code Repositories & Transparent Software Development

Web3 will be largely developed on open-source code repositories. Although open source is considered quicker at recognising and remediating software bugs, this depends on the proactiveness of developers and community members in reporting unidentified vulnerabilities. Transparent software development practices in a permissionless system will attract attention from bad actors looking to discover unencrypted data, hard-coded credentials, non-parameterised functions, insecure API traffic, etc., for launching their attack campaigns. Web3's unique technology stack requires the amalgamation of numerous older and nascent technologies, leading to an enlarged enterprise attack surface. Organisations in Web 2.0 place a minimal number of servers facing the internet to avoid network configuration discovery by bad actors. Adopting true decentralisation involves segregating not just control but also computational power across multiple interconnected geographies, thereby increasing reliance on edge computing. This would expose a much larger portion of devices to the internet and dramatically increase the enterprise attack surface.

Additionally, developers may use several Web3-specific tools such as Ganache, Truffle, Remix IDE and DApp builder for developing, storing, collaborating on, testing, and deploying their code. Cyber-attacks and open exploits in such tools may increase supply chain risks for Web3 applications. For instance, the InterPlanetary File System (IPFS), an application designed for decentralised storage of files and resources on the internet and common among Web3 developers, has experienced widespread abuse by hackers who misuse the protocol to store malicious payloads.

Creators & Influencers Are Pivotal for Mass Adoption of Web3 Applications

By shifting control and power into the hands of users, Web3 has transformed the financial dynamics of the creator economy. Creators including painters, musicians, bloggers, and other influencers can engage directly with their audience through the Metaverse by organizing concerts, exhibitions and shows without the need for talent management agencies or platforms that absorb a large portion of the creator's revenue. Several painters and museums have generated millions of USD in revenue by selling their art as NFTs directly to users. These NFTs are generally backed by an asset such as real estate, cryptocurrency (of a blockchain), or valuable archives. As influencers become early adopters of the Web3 ecosystem, their fans are expected to follow suit, resulting in an organic pool of early users.

However, rising NFT and crypto scams may prove to be major barriers to mass adoption of Web3 applications. In the past, adversaries have successfully manipulated NFT prices through pump-and-dump schemes, where the price of an NFT is artificially inflated by heavy purchasing within a short period and the tokens are then sold off in bulk, resulting in a sharp price decline. This may leave legitimate buyers with devalued or worthless tokens. Moreover, many buyers who purchase NFTs out of FOMO (fear of missing out) fail to perform adequate due diligence on the selling platform and are consequently tricked into buying spyware NFTs, which are used to relay sensitive device and user information to a malicious host.

To extend the agony of end users, attackers have targeted digital wallets, principally used for holding crypto assets. Attackers begin their campaign with a phishing or brute force attack, obtain unrestricted access to the user's digital wallet on the exchange, and use it to transfer crypto tokens to a malicious address. Exchanges often rely on users to report suspicious activity on their accounts, which may delay incident response or lead to irreversible financial loss if the tokens have been exchanged for fiat currency or sent to a crypto mixer like Tornado before the attack is detected. Digital wallets are a must-have for transactions in Web3, and securing access to them is imperative to protect customer wealth against bad actors.

The cyber implications highlighted above merely scratch the surface of security within the Web3 space. As new applications, tools and protocols are developed, the cyber threat landscape will evolve, particularly with a rise in attacks targeting crypto assets and sensitive user data. At the time of writing, the Web3 market is still unregulated, making it difficult to hold any party accountable for enforcing strict security controls or data breach response procedures within Web3 organisations. However, security should not be considered a blocker for new innovation or societal development. Security threat detection and response practices need to adapt to the complex attack scenarios facing Web3 organisations. For instance, decentralised exchanges could be alerted to a potential wallet compromise before the attacker executes the transfer to a malicious address, triggering a computerised playbook that calls a smart contract function to automatically suspend transfers or withdrawals involving the malicious address until the activity can be proved legitimate. Applied across other organisations, this practice could uphold the integrity of Web3 organisations and gain users' trust.
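The automated playbook described above needs an on-chain function it can call, and the design of that function determines how much damage a compromised playbook key could do. The contract below is an added example written for this article, not code from the author or any exchange; the names (FreezableVault, guardian, freeze, unfreeze, MAX_FREEZE) are hypothetical. It gives the detection pipeline a low-privilege "guardian" key that can only pause an address for a bounded period, while a separate admin (assumed to be a multisig) is the only party that can lift a freeze or move the guardian role.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for this article; not code from any real exchange.
// Names are hypothetical. The off-chain detection system holds the guardian
// key; a multisig holds the admin key.
contract FreezableVault {
    address public immutable admin;   // lifts freezes after human review
    address public guardian;          // hot key used by the automated playbook
    uint256 public constant MAX_FREEZE = 72 hours;

    mapping(address => uint256) public balances;
    mapping(address => uint256) public frozenUntil; // 0 = not frozen

    event Frozen(address indexed account, uint256 until, string reason);
    event Unfrozen(address indexed account);
    event Withdrawn(address indexed account, uint256 amount);
    event Transferred(address indexed from, address indexed to, uint256 amount);

    constructor(address _admin, address _guardian) {
        admin = _admin;
        guardian = _guardian;
    }

    modifier notFrozen(address account) {
        require(block.timestamp >= frozenUntil[account], "account frozen");
        _;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    // Called by the playbook when an alert fires. The guardian can only pause,
    // never move funds, and the pause is time-bounded so a stolen guardian key
    // cannot lock customers out indefinitely. The reason is logged for audit.
    function freeze(address account, string calldata reason) external {
        require(msg.sender == guardian, "not guardian");
        uint256 until = block.timestamp + MAX_FREEZE;
        frozenUntil[account] = until;
        emit Frozen(account, until, reason);
    }

    // Only the admin (multisig) can lift a freeze early, after review.
    function unfreeze(address account) external {
        require(msg.sender == admin, "not admin");
        frozenUntil[account] = 0;
        emit Unfrozen(account);
    }

    // Rotating the guardian is an admin action, so a leaked playbook key can
    // be replaced without redeploying the vault.
    function rotateGuardian(address newGuardian) external {
        require(msg.sender == admin, "not admin");
        guardian = newGuardian;
    }

    // Withdrawals from a frozen address revert.
    function withdraw(uint256 amount) external notFrozen(msg.sender) {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        emit Withdrawn(msg.sender, amount);
    }

    // Internal transfers revert if either side is frozen, so freezing the
    // suspected destination address also blocks inbound movement of funds.
    function transfer(address to, uint256 amount)
        external
        notFrozen(msg.sender)
        notFrozen(to)
    {
        require(balances[msg.sender] >= amount, "insufficient balance");
        balances[msg.sender] -= amount;
        balances[to] += amount;
        emit Transferred(msg.sender, to, amount);
    }
}
```

Checking both the sender and the recipient in transfer() is what lets the playbook act on the destination address named in an alert rather than only on the victim's account. The bounded freeze and the split between guardian and admin keys are the design choices that keep the automated responder from becoming a second way to harm users if its own credentials are compromised.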

Artificial Intelligence Can Improve User Experience & Drive Consensus In Web3

Artificial intelligence has immense potential to address common challenges faced by Web3 organisations. AI can significantly improve user trust and experience in Web3 applications by playing a pivotal role in driving consensus among application users. Industry outperformers have used AI models to extract valuable insights from raw data and steer business strategy towards economically favourable outcomes. In the absence of any centralised decision-making authority, users holding virtual assets of Web3 organisations such as DAOs will be relied upon to make sensible business decisions, and they in turn rely on the data made available to them through their application interface. AI algorithms can identify the data points relevant to an individual and customise their pages with relevant information, lowering the time to reach a decision and eventual consensus among users.

How To Address These Challenges

There is no dominant design or best-practice playbook when it comes to security in the Web3 universe. However, based on the past incidents faced by Blockchain organizations, it is important to recognize that on-chain infrastructure is not the only resource which these companies need to secure.

Besides cross-chain interoperability protocols that set the foundation for cross-blockchain bridges and proprietary smart contracts, Web3 companies rely on cloud computing, email and collaboration tools, workstations and on-prem servers, much like organizations in any other industry. Sufficient resources and time need to be allocated to secure the off-chain components, particularly end-user and employee-focused technology. A Zero-Trust architecture and mindset are a great start, where activities such as authentication, admin logins, developer logins, and remote desktop or virtual machine logins all operate within strict boundaries that are documented as workflows and approved by technical management personnel.

It is also necessary to deploy resources for penetration testing and red-teaming exercises that look for potential backdoor access through misconfigured connected components, with a particular focus on protecting the crown jewels against privilege escalation and remote code execution flaws.

Remember, several hacker groups operating in this space are teenagers, and they always look for easy ways in, using tools such as grayhatwarfare or publicly available GitHub repositories to drive their campaigns. Developing prudent and customized detection and response capabilities is essential.

There is no right way to conclude this paper, because in the foreseeable future cybersecurity within Web3 will evolve alongside its growing range of applications. By being humble, proactive, money-wise and result-oriented, companies can construct resilient cyber security programs and continue paving the way for innovation and growth.
