Why is Web3 Security Different From Web2: Role of Smart Contracts

Security Implications of Smart Contract Vulnerabilities

2023 has been the year of hacks and exploits so far.

Security firm Certik reports that a billion dollars have already been lost in exit scams ($137 million), flash loan attacks ($261 million), and exploits ($596 million).

10 of The Biggest Hacks as of August 2023

Cybersecurity in Web3 isn’t just a technological issue; it’s a philosophical one, too. It threatens the principles of user-first, code-led systems that have been redefining and redeeming how we look at the internet today.

Web3 security challenges are much more complex and expansive than Web2. Do you know that 67% of liquidity pools on DEXs have been impacted by wash trades since 2020 or that, in 2022 alone, there were 188,525 smart contract scams? A new scam every 4 minutes!

Remember the recent Curve Finance hack, where the exploiter took away millions after exploiting a bug in one of the versions of Vyper?

I needed to wash the heavy stats down with some expert opinion, so I interviewed Kenny Chung, a Web3 Security Researcher.

In this article, I will attempt a run-along explanation from my end and excerpts from the interview to help you better understand what security entails in Web3.

Time to roll the carpets!

How is Web3 Security Different from Web2?

Q: Hi Kenny. Thank you for joining us in this crucial conversation today. So, why is Web3 security different from Web2 (traditional application) security?

Kenny: At its core, the immutable nature of blockchains means once a smart contract is deployed, it’s set in stone, making any vulnerabilities permanent. This contrasts sharply with traditional applications that can be updated and patched regularly.

Additionally, the transparent structure of most blockchains allows any observer to scrutinize the contract, inevitably turning them into targets for those with ill intentions. Given that many of these applications handle direct transfers of valuable assets like cryptocurrencies, they offer tantalizing incentives for potential attackers.

This landscape is further complicated by the rapid pace of technological evolution in the blockchain space, leading to a continuously evolving set of best practices. In essence, the open, decentralized, and unalterable nature of Web3 demands a wholly different security approach than traditional applications.

Truly, it’s more a patchwork vs. prevention case scenario in the transition from Web2 to Web3. Web2 allowed application revisions and roll-backs, while attacks can only be prevented in Web3. Web3 security needs a rather proactive approach.

Here are a few more differences to note:

• Identity Management: Web2 has been accused of mishandling and misusing user data. However, Web2 companies have been stringent with their user authentication process. In Web3, user identity is pseudonymous, i.e., a user is identified by their public key and blockchain address.
• Private key management and weak user authentication: These issues have recently invited many social engineering attacks. For instance, the most recent hack on the CoinEx exchange drained $52 million worth of assets from user accounts.
• Decentralization woes: Web2 organizations control the security aspects of their infrastructure. In Web3, however, no one owns this security, i.e., decision-making is distributed. Since governance is a slow process and systems have no means of forcing updates, Web3 systems can become soft targets for attackers.
• Zero scope for obscurity: public blockchains allow for public (Read ‘hacker’) scrutiny. Black hat hackers are always looking for vulnerabilities that can be exploited. There’s no way systems can hide the vulnerabilities. Anyone can download the source code of open-source projects from GitHub or Blockchain Explorer, decompile it, and exploit the vulnerabilities.
• Easier Attack Monetization: Web2 attacks involve stealing valuable user data and using the information to exploit systems. Comes Web3, cryptocurrencies live on the blockchains. Cybercriminals can monetize their attacks directly by compromising systems.
• User Experience: Navigating Web3 interfaces isn’t easy. Users are solely responsible for the security of their data, making them more vulnerable to social engineering attacks. I discussed this in one of my previous pieces on Web3 challenges. For instance, private key leaks. Gambling protocol Stake lost $41 million to one such private key leak.

Role of Smart Contracts in Web3 Security

Since Web3 is still in its early phases of development, hacks are more prevalent and diverse. There have been smart contract logic exploits, flash loan attacks, rug pulls, phishing attacks, social engineering attacks, and many more security threats surfacing now and then.

However, for this article, we will restrict our discussion to smart contract vulnerabilities and related attacks.

Smart contracts are self-executing codes that can be programmed to execute automatically once a set of predetermined conditions are met. As Kenny said, Smart contract conditions are set in stone, and any flaw in them cannot be fixed immediately.

Smart contracts are a double-edged sword for Web3 security. They can enforce legal agreements, trade, and manage financial contracts. But they aren’t protected legally by any regulations themselves.

Smart contracts form the core of DeFi on Ethereum and other L1s and L2s. DeFi protocols for NFTs, lending, borrowing, etc., involve billions of dollars of cryptocurrencies and smart contracts. In 2022, $3.7 billion was lost to hacks on Web3 protocols.

Smart contract security becomes even more pertinent when Web3 still struggles with interoperability, privacy, and scalability issues.

Smart Contract Vulnerabilities

Poorly written smart contracts have cost DeFi protocols millions over the years. Some of the risks that come with smart contracts include the following:

• Improper input Validation: When smart contracts fail to ‘validate and sanitize user inputs, they become vulnerable to many attacks, such as contract logic manipulation or injection of malicious data.

One such vulnerability was recently pointed out in the Lido protocol, where the hackers conducted malicious deposit attacks. Lido’s smart contracts weren’t able to bounce transactions if the sender didn’t have enough funds.

• Incorrect Calculation: Developers can assume a wrong range of values or do inconsistent calculations while coding smart contracts. Such vulnerabilities can lend unauthorized advantages within the contract.
• A bug fix was done to rectify incorrect reward calculation, which could have led to the attacker draining unclaimed MPH tokens rewards.
• Price Manipulation: Price manipulation occurs when oracles are compromised or manipulated. This vulnerability may cause incorrect reward calculation and pricing. It is one of the leading causes of on-chain DeFi exploits.
• An attacker exploited a price oracle on BonqDAO to inflate the price of the WALBT token momentarily and buy more stablecoins to which he was entitled.
• Weak Access Controls: This smart contract vulnerability can invite hackers to gain unauthorized access to critical functions within a smart contract.
• A researcher was rewarded for finding one such vulnerability in an external integration with The Gas Station by Enzyme Finance.
• Replay Attacks: When an attacker replays a valid transaction to fool the smart contract. Such vulnerability causes the smart contract to perform the transaction more than once.
• The hacker who identified Polygon’s Double-Spend vulnerability (a bug in Polygon’s WithdrawManager) was rewarded with one of the highest bounties in history.
• Reentrancy: Ethereum’s undoing, Rentrancy vulnerability was responsible for the DAO hack. This vulnerability allows a hacker to call a vulnerable contract repeatedly before the previous call is completed. This can lead to unexpected changes and fund transfers.
• Frontrunning: An attacker exploits the time delay between the execution of two pending transactions. By placing their transaction ahead of the targeted transaction via higher gas fees, they make profits. MEV attacks are a famous front-running attack.

If you are interested in going into further details, you can read an in-depth research-backed study on smart contract vulnerabilities on ImmuneFi’s Medium channel.

The DAO Hack: An OG Case Study for Smart Contract Security

There have been many infamous hacks in the DeFi space. Kenny considers the DAO hack in 2016 as the most spectacular hack so far.

Q: Why do you think ‘The DAO’ has been the most infamous hack so far?

The DAO, which stands for Decentralized Autonomous Organization, was a form of investor-directed venture capital fund. It was set up to hold and disburse funds to investment projects without intermediaries. Within a short time, it amassed over $150 million in Ether.

However, in June 2016, an unidentified entity exploited a vulnerability in The DAO’s code, allowing them to drain more than a third of The DAO’s funds, which was equivalent to around $50 million at the time. This wasn’t a typical “hack” in the sense of breaking into a system through unauthorized means; instead, the attacker exploited poorly written smart contract code legitimately, according to the contract’s own rules.

The DAO hack is particularly notable for several reasons:

The hack led to a major controversy in the Ethereum community, which ultimately resulted in a “hard fork” to revert the effects of the hack, dividing Ethereum into two blockchains: Ethereum (ETH) and Ethereum Classic (ETC).

It served as a cautionary tale about the potential dangers of code vulnerabilities in smart contracts. The incident emphasized the importance of thorough security audits and highlighted the broader implications of governance and consensus in decentralized systems.

How to Secure Smart Contracts?

Blockchains and smart contracts are still in their early stages of development. We need to push the boundaries for innovation; risks will always be involved. But innovation shouldn’t come at the cost of security.

So, what’s the way out? Kenny describes his job and tells us how they secure blockchains against vulnerabilities.

Q: You say you are a Web3 Security Researcher, Kenny. But what does a security researcher do and how do you help secure blockchains?

As web3 security researchers, our job is to keep blockchain space secure — and we do that mainly by finding vulnerabilities in blockchain-related systems such as smart contracts and implementing best practices to keep them away. Another way to describe a Web3 security researcher is a “white hat hacker” or a “good hacker.”

Like how a security guard would identify weak points in a building’s security before a burglar can, I identify vulnerabilities in blockchain systems, like smart contracts, ensuring they remain safe from malicious attacks.

Before entering this line of work, I worked as a privacy lawyer and full-stack developer for many years. Although vastly different in a sense, I sometimes think that I went from reviewing “dumb legal contracts” to smart contracts. Maybe I just went full circle.

Some proven measures to secure smart contracts can be performing smart contract audits religiously. Battle-test your code rigorously to find bugs and other vulnerabilities in the code.

Always use a testnet to check the efficacy of smart contracts and their intended performance. This way you can also know if the protocol is functioning as it should.

You should also try using unit tests to look at parts of your code in isolation and find discrepancies if any.

Involve team members to conduct independent team audits and get feedback for improvements. Once that process is done, you are ready to deploy it on the blockchain.

A fail-safe mechanism for your smart contract can also help meet contingencies or limit unsolicited attacks once the smart contract is triggered.

Slither and Echidna are a few smart contract analysis tools for testing smart contract vulnerabilities.

Some of the best practices that I feel should form a part of every coder’s bible are:

• Continuous code reviews and final auditing of all smart contracts need to become a part of every DeFi protocol’s arsenal.
• Limit privileges and permissions to smart contracts. By doing this, developers can minimize any potential damage from a breach or hack.
• Bug bounty programs can encourage ethical hacking to find security issues related to smart contracts.

Role of white hat hackers in smart contract security: White Hat hackers ethically examine code to find vulnerabilities in the smart contracts of protocols. They report the findings to the clients and help patch weaknesses before any malicious player such as a Black Hat hacker exploits them.

I asked Kenny about his wins as a security researcher and white hat hacker.

Q: What’s your greatest achievement as a Web3 security researcher?

Kenny: I recently competed in a couple of contests with great results! There are these security/audit contest platforms where projects apply to have their protocols/smart contracts audited/reviewed. In one of the contests, I took 1st place with my team, with over 200+ security reviewers.

On another platform, I placed 7th in the world on their leaderboard.

The Way Ahead

The State of DeFi Security report from Certik states that most of the exploited smart contracts didn’t receive any security audits. As DeFi experiments and delves deeper into multiple use cases and more complex codes, newer possibilities of hacks and exploits are bound to arise.

The vulnerabilities need to be handled proactively to prevent attempts for manipulation and protect the assets and interests of investors.

Regulations are much needed and Cybersecurity remains a prime issue in Web3.

For the decentralized architecture to stay robust and running, we need to make the smart contracts more sophisticated in judging anomalies and keeping the DeFi systems safe.

Kenny’s advice for builders:

Keep building. Bear markets are perfect opportunities to invest in one’s skills. Many of the successes we see in the space today — were successes in the making during tough times.

Connect with Kenny on LinkedIn: https://www.linkedin.com/in/kenny-chung-02315b131/