Layer 1: Web3 Company Management

From key management to scams and Discord servers

TriWei.io
7 min read · Jan 14, 2024

This article explores vital topics such as access control, key management, and protection against phishing and other cybersecurity threats. Using real-world examples like the Ronin bridge hack, it underscores the importance of robust security measures and the human factor in safeguarding Web3 projects.

Further insights into TriWei’s security approach can be explored at triwei.io/education.

Principle of Least Privilege: Precision in Access Control

In Web3, careful management of authority is crucial. The “Principle of Least Privilege” suggests giving people only the access they need, nothing more. This approach isn’t about mistrust; it’s about minimizing risks.

Despite blockchain’s tendency to encourage anonymity, it’s important to recognize the value of verifying team members’ identities and conducting background checks. These measures can provide an additional layer of assurance against the potential threat of insider misconduct. Anon teams can still partially adopt such a measure, utilizing a trusted intermediary during the hiring process.

Safe Key Management

In Web3, cryptographic keys are the root of trust: whoever holds the key that controls a contract, a treasury or an upgrade path effectively owns it. Managing those keys well is therefore a core part of keeping a project secure.

Let's consider the use of multisignature (multisig) wallets to raise your project's security. A multisig requires a threshold of authorized signatures to validate a transaction, so a single stolen key is not enough. However, not all multisig wallets are created equal. The Parity multisig wallet incidents of 2017 (an exploited initialization flaw in July, and a shared library contract destroyed in November that froze the funds of every wallet depending on it) highlight the importance of choosing audited, battle-tested wallet implementations. Neglecting this step can introduce vulnerabilities into the very component meant to protect the funds, with significant financial losses as a result.

A multisig must also be configured with a signer threshold high enough for the project's security requirements, and the signers must be genuinely independent of each other.
A few memorable examples from the past: the Ronin bridge authorized transactions through a multi-signature scheme requiring approval from five of nine validators. In the breach, the attacker compromised Sky Mavis, the company operating four of those validator nodes. Under an earlier arrangement, the Axie DAO had allowlisted Sky Mavis to sign on behalf of the DAO's own validator, which in practice gave Sky Mavis indirect control of a fifth node. The arrangement ended the following month, but the allowlist entry was never removed, so Sky Mavis could still produce signatures for the Axie DAO validator. When Sky Mavis was hacked, the attacker therefore controlled the required five of nine validators and could authorize arbitrary withdrawals. The nominal 5-of-9 threshold was, in effect, controlled by a single organization.
Another instructive example is the Harmony Horizon bridge hack: the bridge was secured by a 2-of-5 multisig, two of whose keys were compromised, and roughly $100M was drained.
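The Ronin and Harmony cases above share one failure: the threshold looked healthy on paper, but the people who could actually produce signatures were fewer than the signer count suggested. The following script is an added example, not TriWei's code or anything the projects used; it models a signer set together with the organisations that operate each key (and any allowlist-style delegations), then asks how many distinct organisations an attacker must breach. The configurations are constructed from the public descriptions of the two incidents; the "Partner" and "Holder" labels are placeholders for the real validators, which the article does not name.

```python
from __future__ import annotations
from dataclasses import dataclass, field, replace
from itertools import combinations


@dataclass
class Multisig:
    """A threshold signer set plus the organisations that actually control each key."""
    threshold: int
    key_operators: dict[str, str]                               # key -> organisation that runs it
    delegations: dict[str, str] = field(default_factory=dict)   # key -> extra org allowed to sign for it

    def keys_by_org(self) -> dict[str, set[str]]:
        """Every key an organisation can produce a valid signature for, delegations included."""
        control: dict[str, set[str]] = {}
        for key, operator in self.key_operators.items():
            control.setdefault(operator, set()).add(key)
            if key in self.delegations:
                control.setdefault(self.delegations[key], set()).add(key)
        return control

    def single_party_risk(self) -> list[str]:
        """Organisations whose compromise alone is enough to clear the threshold."""
        return sorted(org for org, keys in self.keys_by_org().items()
                      if len(keys) >= self.threshold)

    def min_parties_to_compromise(self) -> int:
        """Fewest distinct organisations an attacker must breach. Exhaustive search over
        organisations (fine for the handful a multisig has); a delegated key counts once
        even when two organisations can sign with it."""
        control = self.keys_by_org()
        orgs = sorted(control)
        for size in range(1, len(orgs) + 1):
            for combo in combinations(orgs, size):
                usable = set().union(*(control[o] for o in combo))
                if len(usable) >= self.threshold:
                    return size
        raise ValueError("threshold exceeds the number of keys")


# Constructed from the public account of the March 2022 incident: 5-of-9 validators,
# four run by Sky Mavis, one by the Axie DAO, which had allowlisted Sky Mavis to sign
# on its behalf and never removed the entry. "Partner A-D" are placeholder labels.
RONIN_MARCH_2022 = Multisig(
    threshold=5,
    key_operators={
        "validator-1": "Sky Mavis", "validator-2": "Sky Mavis",
        "validator-3": "Sky Mavis", "validator-4": "Sky Mavis",
        "validator-5": "Axie DAO",
        "validator-6": "Partner A", "validator-7": "Partner B",
        "validator-8": "Partner C", "validator-9": "Partner D",
    },
    delegations={"validator-5": "Sky Mavis"},
)
# Same signer set with the stale allowlist entry removed.
RONIN_ALLOWLIST_REVOKED = replace(RONIN_MARCH_2022, delegations={})

# Harmony Horizon bridge, June 2022: 2-of-5. Key holders are placeholder labels.
HARMONY_HORIZON = Multisig(
    threshold=2,
    key_operators={f"key-{i}": f"Holder {i}" for i in range(1, 6)},
)


def audit(ms: Multisig) -> dict[str, object]:
    """Summary a reviewer would put in a governance checklist."""
    return {
        "single_party_risk": ms.single_party_risk(),
        "min_parties_to_compromise": ms.min_parties_to_compromise(),
    }


if __name__ == "__main__":
    for name, ms in [("Ronin (allowlist left in place)", RONIN_MARCH_2022),
                     ("Ronin (allowlist revoked)", RONIN_ALLOWLIST_REVOKED),
                     ("Harmony Horizon 2-of-5", HARMONY_HORIZON)]:
        print(name, audit(ms))
```

With the stale allowlist in place, Sky Mavis alone clears the threshold; revoking it raises the bar to two organisations, and a 2-of-5 with five independent holders still needs only two breaches. The useful exercise is to fill in your own key operators and re-run this whenever a signer, delegation or hosting arrangement changes.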

Two lessons follow from these cases: set signer thresholds high and make sure no single organization controls enough keys to reach them, and do not keep governance or validator private keys on internet-connected servers. That brings us to the next topic: hardware wallets.

For production systems, hardware wallets are strongly recommended. Like a second factor, they add a "something you have" requirement to signing, but the private key never leaves the device, which puts them well beyond the protection a phone-based second factor offers.
Hardware wallets are purpose-built devices that generate and store private keys and perform signing inside the device, so the key material is never exposed to the host computer. Because a transaction cannot be signed without physical possession of the device (and its PIN), the attack surface shrinks dramatically. They are commonly grouped with cold storage, though a hardware wallet used for daily signing is only as "cold" as the workflow around it.

In practical terms, hardware wallets remove many of the attack vectors software or "hot" wallets are exposed to: malware that lifts keys from disk or memory, clipboard hijacking, and direct compromise of the workstation. They are built around secure elements designed to resist physical tampering and key extraction. One caveat: the device protects the key, not the decision. A phishing page can still hand a malicious transaction to the device for signature, so the details shown on the device screen must be verified before approval, and blind signing of opaque payloads should stay disabled.

Empowering Your Team Against Phishing Threats

Even with excellent code, the human factor remains the weakest link. To reduce the risk of phishing, educate your team: build a simple training program with realistic phishing scenarios, hands-on workshops, and basic educational material, and update it regularly to keep pace with new lures. Encourage the team to follow current phishing trends and share what they see. Remember, though, that training must be repeated and still does not guarantee safety: it lowers the click rate, it does not eliminate it.

Established threat actors such as Lazarus Group have long used lures like attractive job offers to ensnare victims. They initially targeted companies in traditional sectors, including aerospace and defense, but in recent years have shifted toward the lucrative Web3 space. The previously mentioned $620 million theft from the Ronin bridge behind the Axie Infinity game in 2022, which the FBI attributed to Lazarus, is hard to forget.

These attacks are often carefully crafted to mimic legitimate communications, posing as documents shared by known and trusted contacts, and they achieve a high success rate. In these tweets from MetaMask's Taylor Monahan (@tayvano_) you can find many examples of such phishing messages.

https://twitter.com/tayvano_/status/1661473965825740800
https://twitter.com/tayvano_/status/1516225457640787969

Check out these two articles from Elliptic and Palo Alto Networks Unit 42 about the recent tactics of Lazarus Group: https://www.elliptic.co/blog/how-the-lazarus-group-is-stepping-up-crypto-hacks-and-changing-its-tactics
https://unit42.paloaltonetworks.com/two-campaigns-by-north-korea-bad-actors-target-job-hunters/

To protect against these threats, treat every email carrying an external link or attachment as untrusted until you have confirmed the sender is not spoofed: check the authentication results your own mail server recorded and look closely at the sending domain. Then open attachments only through a tool such as Dangerzone (https://dangerzone.rocks), which renders documents to pixels inside a sandbox and rebuilds them as a safe PDF, and avoid visiting untrusted domains.
It is good hygiene to perform such risky actions on a dedicated sandbox machine whose compromise would have no consequences, never on the machine that holds wallets or signs transactions.
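The "make sure the sender is not spoofed" step can be made mechanical. The script below is an added example, not part of TriWei's article: it reads a raw message (what mail clients show as "Show original"), keeps only the Authentication-Results header written by your own mail server (the authserv-id `mx.example-web3.io` and the trusted partner domain are assumptions to replace with your own), and refuses the message if SPF, DKIM or DMARC did not pass, if Reply-To points somewhere else, or if the From domain is a lookalike of a partner you trust. Both sample messages are constructed.

```python
from __future__ import annotations
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the authserv-id your own mail server writes into Authentication-Results.
# Headers carrying any other authserv-id arrived with the message and may be forged.
OUR_AUTHSERV_ID = "mx.example-web3.io"
# Assumption: domains of partners whose attachments you routinely open.
TRUSTED_DOMAINS = {"partnerlabs.example"}

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def domain_of(header_value) -> str:
    """Domain part of the address in a From:/Reply-To: header, lowercased ('' if absent)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def looks_like(domain: str, trusted: set[str]) -> str | None:
    """Crude lookalike test: same domain once dots and hyphens are dropped and common
    digit-for-letter swaps are undone (partner-labs.example, partnerlab5.example)."""
    table = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": "", ".": ""})
    key = domain.translate(table)
    for t in trusted:
        if domain != t and key == t.translate(table):
            return t
    return None


def assess(raw_message: str) -> list[str]:
    """Reasons NOT to trust the message. Empty list = passed every check this script
    knows about, which is not the same as safe."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings: list[str] = []

    auth: dict[str, str] = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = str(hdr).partition(";")
        first_token = (authserv.strip().split() or [""])[0].lower()
        if first_token != OUR_AUTHSERV_ID:
            continue  # not written by our server: the sender controls it, ignore
        for method, result in AUTH_RE.findall(rest):
            auth[method.lower()] = result.lower()
    if not auth:
        findings.append("no Authentication-Results header from our own mail server")
    for method in ("spf", "dkim", "dmarc"):
        result = auth.get(method, "missing")
        if result != "pass":
            findings.append(f"{method}={result}")

    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    target = looks_like(from_domain, TRUSTED_DOMAINS)
    if target:
        findings.append(f"From domain {from_domain} is a lookalike of trusted {target}")
    return findings


def safe_to_open(raw_message: str) -> bool:
    return not assess(raw_message)


# Constructed sample: authenticated mail from a real partner domain.
LEGIT = """\
Authentication-Results: mx.example-web3.io; spf=pass smtp.mailfrom=partnerlabs.example;
 dkim=pass header.d=partnerlabs.example; dmarc=pass header.from=partnerlabs.example
From: Alice <alice@partnerlabs.example>
To: dev@example-web3.io
Subject: Q1 audit scope

Draft attached.
"""

# Constructed sample: job-offer lure from a lookalike domain; the second
# Authentication-Results header was added by the attacker's own relay.
PHISH = """\
Authentication-Results: mx.example-web3.io; spf=softfail smtp.mailfrom=mail.partner-labs.example;
 dkim=none; dmarc=fail header.from=partner-labs.example
Authentication-Results: relay.partner-labs.example; spf=pass; dkim=pass; dmarc=pass
From: Alice <alice@partner-labs.example>
Reply-To: hr-team@mail.example
To: dev@example-web3.io
Subject: Updated job offer - sign today

Offer letter attached.
"""

if __name__ == "__main__":
    print("legit:", assess(LEGIT))
    print("phish:", assess(PHISH))
```

The ordering of the headers matters: receiving servers prepend their Authentication-Results, so anything below your own server's header is untrusted input, which is why the script keys on the authserv-id rather than taking the first "pass" it sees.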

Protect your Web2 Endpoints

  • Keep your devices safe
    This topic deserves an article of its own. Just to mention some standard hygiene practices: keep personal browsing (adult sites, pirated software, random downloads) off the machine you use to develop or interact with wallets. Use a reputable antivirus or EDR product and keep it updated. Use a VPN to hide your IP from the sites you visit and from untrusted networks, and pick a trustworthy provider, since the VPN operator sees all of your traffic. Do not open suspicious attachments and do not fall for scams.
  • Protect your Discord server
    In recent months dozens of Discord servers belonging to prominent Web3 projects have been hacked, typically through a compromised admin account or a malicious bot, resulting in millions in stolen funds and heavy damage to the projects' public image.
    Scams have become elaborate, and securing a Discord server takes multiple steps. If your project runs a Discord server, read this well-written guide from OfficerCIA carefully.
  • Protect your accounts from sim-swap
    Use authenticator apps such as Aegis or Authy for 2FA (or hardware security keys where the platform supports them) and avoid relying on SMS. SIM-swap attacks are cheap to perform and can be highly disruptive. Note that some platforms still allow account recovery through a phone number even when an authenticator app is set for 2FA, so be careful where you link your phone number: the account is only as strong as its weakest recovery path.
    Even Vitalik Buterin and the SEC had their Twitter accounts taken over through SIM swaps; the scam posted from Vitalik's account alone cost victims roughly $600K.
    Follow this Twitter thread from OfficerCIA for advanced SIM-swap protection.
  • Work only with reputable Domain Registration Providers
    DNS hijacking happens regularly to Web3 projects and causes heavy losses for users: by taking over the domain at the registrar or the DNS provider, attackers redirect traffic to malicious clones of the project's frontend, where users are tricked into signing malicious messages and approving transactions that drain their funds. Enable registrar transfer locks and DNSSEC, protect the registrar account with unique credentials and strong 2FA, and monitor your records for drift. Read this detailed Twitter thread from SlowMist for further information.
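The registrar and DNS checks from the last bullet are easy to automate. This is an added example, not code from the article or from SlowMist: it parses the text that `whois <domain>` prints (EPP status locks, DNSSEC flag, expiry date) and compares resolved records, such as the output of `dig +short NS <domain>`, against a baseline you keep in version control. The domain, nameservers, addresses and the 60-day expiry warning are assumptions; both whois transcripts are constructed in the format the Verisign-style registries use.

```python
from __future__ import annotations
import re
from datetime import datetime, timedelta, timezone

# Assumption: the EPP locks a production domain should always carry at the registrar.
REQUIRED_LOCKS = {"clientTransferProhibited", "clientDeleteProhibited", "clientUpdateProhibited"}
# Assumption: warn this long before the registration lapses (expired domains get re-registered).
EXPIRY_WARNING = timedelta(days=60)


def registrar_findings(whois_text: str, now: datetime) -> list[str]:
    """Checks over `whois <domain>` output: transfer/update/delete locks, DNSSEC, expiry."""
    findings: list[str] = []
    statuses = set(re.findall(r"^Domain Status:\s*(\w+)", whois_text, re.M))
    missing = REQUIRED_LOCKS - statuses
    if missing:
        findings.append("missing registrar locks: " + ", ".join(sorted(missing)))
    dnssec = re.search(r"^DNSSEC:\s*(\S+)", whois_text, re.M)
    if not dnssec or dnssec.group(1).lower() != "signeddelegation":
        findings.append("DNSSEC not enabled (no signed delegation at the registry)")
    expiry = re.search(r"^Registry Expiry Date:\s*(\S+)", whois_text, re.M)
    if not expiry:
        findings.append("expiry date not found in whois output")
    else:
        exp = datetime.fromisoformat(expiry.group(1).replace("Z", "+00:00"))
        if exp - now < EXPIRY_WARNING:
            findings.append(f"domain expires soon: {exp.date()}")
    return findings


def dns_drift(expected: dict[str, set[str]], observed: dict[str, set[str]]) -> list[str]:
    """Compare resolved records (e.g. `dig +short <type> <domain>`, one set per type)
    against the committed baseline. Any difference is worth a page: a changed NS set
    is the classic sign of a hijacked registrar account."""
    findings: list[str] = []
    for rtype, want in expected.items():
        got = observed.get(rtype, set())
        for extra in sorted(got - want):
            findings.append(f"{rtype}: unexpected record {extra}")
        for gone in sorted(want - got):
            findings.append(f"{rtype}: baseline record {gone} missing")
    return findings


# Constructed "today" so the expiry check is reproducible.
NOW = datetime(2024, 1, 14, tzinfo=timezone.utc)

# Constructed whois transcript for a well-configured domain.
GOOD_WHOIS = """\
Domain Name: FRONTEND.EXAMPLE
Registry Expiry Date: 2026-03-01T00:00:00Z
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
Name Server: NS1.DNS-PROVIDER.EXAMPLE
Name Server: NS2.DNS-PROVIDER.EXAMPLE
DNSSEC: signedDelegation
"""

# Constructed whois transcript for a domain that can be transferred or let lapse.
WEAK_WHOIS = """\
Domain Name: FRONTEND.EXAMPLE
Registry Expiry Date: 2024-02-20T00:00:00Z
Domain Status: ok https://icann.org/epp#ok
Name Server: NS1.DNS-PROVIDER.EXAMPLE
DNSSEC: unsigned
"""

# Constructed baseline and a constructed snapshot in which the A record now points elsewhere.
EXPECTED_DNS = {"NS": {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
                "A": {"198.51.100.10"}}
HIJACKED_DNS = {"NS": {"ns1.dns-provider.example.", "ns2.dns-provider.example."},
                "A": {"203.0.113.66"}}

if __name__ == "__main__":
    print("good registrar:", registrar_findings(GOOD_WHOIS, NOW))
    print("weak registrar:", registrar_findings(WEAK_WHOIS, NOW))
    print("dns drift:", dns_drift(EXPECTED_DNS, HIJACKED_DNS))
```

Run the registrar check on a schedule and the DNS comparison from a host outside your own network, so that a poisoned resolver or a compromised DNS provider cannot hide the change from the monitor.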

Document Your Security Policies

It is imperative to maintain a comprehensive knowledge repository that includes meticulously documented software security policies. These policies serve as guiding principles for your team, ensuring that every member comprehends the purpose, implementation, and significance of security measures. However, possessing these policies is not sufficient; they must also be readily accessible and integrated into the onboarding process for new team members.

Developing a Written and Tested Incident Response Plan

Even if you are doing all things right, unforeseen incidents can occur without warning. Therefore, a well-defined incident response plan is a priceless asset in your security arsenal.

Designate a team member with specific security responsibilities, akin to appointing a crisis management lead.

Your incident response plan should follow an established framework such as the NIST Computer Security Incident Handling Guide (SP 800-61), which organizes response into Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident Activity. The widely used SANS variant expands this into six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

Having a strong incident response plan offers significant advantages: it prepares you for unexpected emergencies, ensures a consistent and effective approach to handling security issues, and improves coordination during crises, which is especially important in large organizations. Additionally, it helps identify security weaknesses before they turn into serious problems, preserves valuable insights gained from each incident, and fosters continuous improvement by establishing a clear, repeatable process for responding to security events.

Developing an incident response plan requires a deeper analysis than we can provide here. To research the matter further we suggest this two-minute clip from Coinbase's Heidi Wilder's recent talk; the whole talk is interesting, so watch it from the beginning if you're not in a hurry.

As we conclude our exploration of the first layer in our seven-part series on Web3 security, remember that this is just the beginning. Each layer offers unique insights and strategies crucial for the security and success of any Web3 project. Continue your journey with us to uncover more essential aspects of Web3 security.

Dive into the remaining layers and enrich your knowledge at triwei.io/education. Stay informed, stay secure, and lead the way in the Web3 space.


Written by TriWei.io

Three experienced solo auditors joined to create TriWei, a Smart Contract auditing firm. Lean process, high quality, competitive pricing. www.triwei.io
