Without the Foundation of Web2 Security, There Is No Web3 Security
The destructive potential of 0-day vulnerabilities in traditional network security is indisputable. However, in the current Web3 landscape, there has been inadequate attention given to traditional network security vulnerabilities.
There are two primary reasons for this. Firstly, the Web3 industry is still in its nascent stages, with both technical professionals and security infrastructure engaged in ongoing exploration and refinement. Secondly, network security regulations have compelled Web2 companies to prioritize their own security development, thus minimizing the likelihood of security incidents.
These factors have resulted in a heightened focus on on-chain security and the overall security of the blockchain ecosystem within the present Web3 sphere. However, there is a lack of sufficient awareness regarding lower-level vulnerabilities, including system-level vulnerabilities, browser vulnerabilities, mobile security, and hardware security, within the realm of traditional network security (referred to as Web2 0-days in the subsequent text).
Web2 Serves as the Foundation of Web3
The entire Web3 ecosystem relies on the underlying foundation provided by Web2. Therefore, any security vulnerabilities within Web2 pose a substantial threat to the overall security of Web3 and the assets held by its users.
For instance, browser vulnerabilities and vulnerabilities in mobile platforms (such as iOS and Android) can clandestinely exploit and steal user assets without their awareness.
Here are actual instances where Web2 0-days or vulnerabilities were exploited to steal digital assets:
- Hackers exploit a zero-day bug to steal cryptocurrency from Bitcoin ATMs.
- North Korean hackers took advantage of a Chrome zero-day vulnerability for a period of 6 weeks.
- A vulnerability in Microsoft Word could potentially enable the theft of cryptocurrencies.
- A report reveals that an Android vulnerability allows hackers to pilfer crypto wallet information.
These cases demonstrate the tangible threat that Web2 vulnerabilities pose to digital assets, resulting in significant consequences and implications.
Web2 vulnerabilities not only impact individual assets but also pose substantial risks to exchanges, asset custody companies, mining operations, and other entities.
The Significance of Numen’s Research in Web2 Security
As mentioned previously, the influence of Web2 on Web3 cannot be underestimated. Without a strong security foundation in Web2, achieving security in the Web3 ecosystem becomes an arduous task.
Our team is composed of a team of elite security experts from across the globe, equipped with extensive technical capabilities covering both Web2 and Web3 domains.
We firmly believe that relying solely on single code audits is inadequate for ensuring robust security measures in the Web3 space. The Web3 ecosystem requires enhanced security infrastructure, such as real-time detection and response mechanisms to combat malicious transactions effectively.
Security technology is a serious matter that directly impacts user assets, and the level of research capabilities demonstrated by a security company reflects its expertise. This is precisely why Numen has been dedicated to researching Web2 vulnerabilities from its inception, adhering to the principle of “know the enemy and know thyself.”
Here are some technical details regarding security vulnerabilities discovered by us at Numen:
- “Analysis and PoC of HTTP Privilege Escalation Vulnerability CVE-2023–23410”
- “Analysis of DHCP Service Remote Code Execution Vulnerability CVE-2023–28231”
- “Using Leaking Sentinel Value to Bypass the Latest Chrome v8 HardenProtect”
- “Analysis and Exploits of Javaweb Framework ZK CVE-2022–36537 Vulnerability”
- “From Leak TheHole to Chrome Render RCE”
- “0day Vulnerability: Analysis of the Latest UAF Code Execution Vulnerability in Chromium v8 Engine”
Numen remains committed to its ongoing research in low-level security and is dedicated to expanding its efforts to create a safer Web3 landscape.
