WAGMI: I’m optimistic about Web3 because of its security

Yes, I know it sounds absurd. After all, Web3 security is currently one of most ridiculed aspects in the tech landscape, largely supported by the fact that Web3 had lost more than $10 billions USD last year due to security incidents. However, I believe the current state of affairs should be considered as more of “growing pains” than the steady state, and in fact once Web3 apps become more mature, they will excel and surpass “classic apps” in their security.

What is Web3?

Before we start discussing Web3 security, we need to first define what it is. For now, let’s define Web3 as apps that rely on “Smart Contracts,” with their business logic and storage implemented on the blockchain. Therefore Web3 currently mainly consists of Decentralized Finance (DeFi) apps and NFTs, but can expand to more fields in the future.

The Web3 triangle

Now that we have defined Web3, we can go and discuss its security, which mainly consists of smart contract security. For brevity, we will only address Ethereum’s smart contracts, but we believe the arguments are general enough and hold true for similar systems and blockchains.

Web3 security is inherently superior

Close your eyes and imagine a software environment without malware, Denial of Service (DoS) attacks and other popular attack methods. That would be an exciting upgrade, right? Now open your eyes and look at Web3 that achieves this security utopia:

• Web3 solved the trusted execution problem: for classic apps, trusted execution is a major unsolved problem. Currently an app must trust its software (operating system) and hardware (processors and firmware) execution environments. If this trust is compromised by a malware or a hardware supply chain attack planting a rogue processor, attackers can gain control. Web3 solves that fundamental security issue with decentralization of execution. All of the blockchain nodes are executing the web3 code in parallel and must agree on the result of the execution. Unless there is some systematic risk in the execution engine itself (e.g. a vulnerability in Ethereum’s EVM itself), attackers would have to launch a “51% attack” to infect the majority of the blockchain node with malware in order to subvert its execution.
• Web3 is immune to injection attacks: for classic web apps, all parameters are sent as strings. This design flaw is the core reason behind most of classic web apps’ most notorious vulnerabilities, such as SQL injection and command injection, allowing attackers to smuggle their unintended input to the unprepared web app. In contrast, Web3 is strongly typed and such unintended inputs (e.g. a string when a number is expected) would fail immediately without any special preparation on the Web3 app side.
• Web3 is more resistant to Denial of Service (DOS) attacks: while these attacks are not very clever and are usually carried out not with “brains”, but with “brawn” of a botnet army flooding the target with garbage traffic at a low cost for the attacker, they are still a major headache for classic web apps. In contrast, Web3 apps are not bothered, since the blockchain protects itself by design against excessive use, by increasing the transaction fees, by thus inflicting an economical barrier for DoS attackers.

There are other important security elements in which Web3 provides better security (e.g. software supply chain attacks), but even the short list above, promising a software environment without malware, DoS and injection attacks should be exciting enough.

But besides the aforementioned technical advantages, Web3 also carries some important philosophical security advantages, due to Web3’s total openness and transparency. The open security philosophy had many advocates in the security community long before the emergence of Web3, claiming it would yield better security than “security through obscurity” . Web3 takes open security concepts to the extreme. In Web3 not only the code is open sourced as a social convention but also the binaries are publicly available on the blockchain by definition and can be verified to be the outcome of the published source code. Furthermore, all code executions (transactions) are public by definition and can be verified and scrutinized by anyone.

If it’s so good, why is it so bad?

So if Web3 security is so much superior to classic apps in theory, how come that in practice the current security results for DeFI apps are disappointing compared to their predecessors, the traditional banking apps?

I think the reason is not because of Web3 security per se, but because it operates in a much more harsh environment that allows attackers to monetize their hack much more easily. Web3 apps are always on 24/7/365, and are dealing with “cash money” as money transfers over the blockchain are almost immediate and immutable, while in the classic banking systems even if bank apps are hacked, the malicious transactions can be reverted until the attackers cash in.

To make it more concrete, let’s look at the one of the largest reported banking hacks, the 2016 Bangladesh bank digital heist. The attackers used a malware based campaign to infiltrate into the bank, and send fraudulent SWIFT wires to try and hack $1B. To monetize, the attackers needed to aim for a specific date that coincided with banks’ holidays to give the attackers enough time to cash out. They also needed advanced preparation in a Philippines bank that was the target of many of the wires, in order to be able to cash out the funds before the wires were reverted. Eventually, the attackers were able to gain “only” $60M out of the potential $1B, not because of the banks’ superior software security, but due to the more lenient environment that gave enough time to defenders to revert.

Therefore we can conclude that in order to make things better we need to buy more time for defenders in order to defeat attackers.

To do so, we need to either reduce attacks’ detection time, or to increase the time before the transaction can be reversible, or both.

I am very optimistic about our ability as a community, to improve attacks’ detection time. We already have some security firms (e.g. peckshield) are already providing alerts on hack based just on publicly available data and leveraging the aforementioned blockchain transparency and “open security” state of mind. Looking into recent hacks and their post-mortems, nothing prevents the analysis from being executed in real time as the transactions are executed (or even before that, when the transactions are just “a candidate” in the node’s mempool). Such an advanced warning system, might suffice on itself, when integrated into contracts to pause such transactions, as suggested by recently emerging projects such as Forta.network and others.

Additionally, even today actually cashing out is not as easy as it seems. Some crypto tokens already apply a blacklist that can freeze assets. Furthermore, to cash out into fiat money, attackers usually need to go through centralized exchanges that are being more and more regulated and apply KYC (Know Your Customer) and blacklists that hinder attackers abilities to cash out. As a result, even today some attackers prefer to return most of the hacked funds and settle for a smaller portion, white washed as a “bug bounty” awarded by the victim app. As we have seen with the recently seized Bitfinex hackers’ funds, it’s actually very hard to cash out with large sums of crypto. It is safe to assume it’s only going to get harder.

Summing up: WAGMI!

Web3 security is currently in a bad state, but it has the potential to be a serious improvement to the security of our digital activities. As with most revolutionary technologies, we had started with building the functional aspects of Web3 and security came as a trailer, once the technology had gained enough traction. This is the way it always has been. And with the flow of security talent, backed by VC and successful web3 projects’ money, coming from traditional security products into the Web3 domain, I’m sure we can make Web3 security live up to its full potential.

Web3 and crypto involve many disciplines from computer science and economy and I only know something about security. But the possibility that Web3 can be a major improvement in the field of security, makes me optimistic about its potential to improve other fields which I am not an expert in.

Or in Web3 jargon, WAGMI. WE’RE ALL GONNA MAKE IT!