Web3 security technology in the blockchain landscape has witnessed remarkable growth and innovation in 2023. However, amidst this rapid expansion, a pressing issue has emerged: a surge in exploits and security breaches within the world of decentralized finance (DeFi) and Web3 projects. As an investor, it’s vital to comprehend these challenges to protect your investments and make informed decisions in this evolving space.
Web3 Losses Exceed $3.9 Billion in 2022
Reports reveal that Web3 projects suffered losses surpassing a staggering $3.9 billion in 2022 due to various exploits. These vulnerabilities underscore the need for robust security measures within the ecosystem. Here are some Web3 examples of recent hacks:
Notable Exploit: The Ronin Bridge
The biggest exploit yet occurred on the Ronin Bridge, a cross-chain DeFi protocol facilitating value transfers between Ethereum and Axie Infinity’s Ronin blockchain, which was hacked on March 29, 2022. The attacker gained control of private keys holding more than $615 million and used Tornado Cash to move the siphoned funds.
This significant breach resulted in losses exceeding 173,000 ETH and 25.5 million USDC. It is believed that the Lazarus Group, a hacking organization associated with North Korea, was responsible for this substantial heist.
The Web3 Security Landscape
To navigate this landscape effectively, it’s crucial to grasp the key aspects of Web3 security:
Rogue developers are a very common occurrence in a business landscape where most users are anonymous and most development teams reach great heights without ever having to put their identity forward.
One of the most recent examples of a rogue developer taking advantage of a project unfortunately happened to the Remilia Corporation, known for the creation of Miladys. A developer involved with the team, named Bonkler, robbed the company of close to $1M.
Furthermore, with the help of two accomplices, they stole codebases and tried to take over the company’s social media accounts in order to demand more money.
Luckily for the team, the core NFT features were not affected, and the team is looking to restart the minting process once the contracts have been redeployed and fully secured.
Remilia’s CEO announced that they are pursuing legal action against the rogue developer, but in the Web3 landscape this often results in nothing, particularly if the person in question is anonymous.
Rug Pulls and Scams
The rise of rug pulls and scams is a concerning trend. Vigilance is essential; research projects meticulously, verify team credentials, and exercise caution when dealing with high-risk, anonymous ventures.
One of the notable rug pulls happened in 2021, when the Squid Game (SQUID) Web3 project, inspired by the Netflix series, lured investors out of $3.3 million and turned out to be one of crypto’s worst rug pulls.
Solidus Labs reported it as a classic honeypot exploit, using external contracts to deceive users: holders could buy the token but were prevented from selling it. A Twitch streamer even witnessed the coin’s market cap crash from $2.2 trillion to near zero in real time. Today, SQUID trades at $0.0096, down over 96% from its peak.
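The honeypot pattern Solidus Labs describes, a token whose transfer function defers to an external contract that only lets privileged addresses sell, is easiest to understand from the buyer's side: the one check that catches it is to buy a small amount from a fresh wallet and confirm the sell round-trips. The simulation below is an added, constructed example (not code from the article, from Solidus Labs, or from the SQUID contracts); the `Guard`, `Token`, pool and wallet names are made up, and it goes slightly beyond the text by also covering the sell-fee variant, where the sell is accepted but a near-100% fee is withheld.

```python
"""Honeypot round-trip check: a constructed simulation, not code from the
article or from Solidus Labs.

The ledger models the pattern described above: transfer() defers to an
external "guard" contract, so an allowlist controlled by the deployer decides
who may sell. It also models a second common variant, a near-100% sell fee.
honeypot_check() is the defensive side: before trusting a token, buy a small
amount from a fresh, non-privileged wallet and confirm the sell round-trips.
All addresses, amounts and names here are constructed.
"""


class Guard:
    """External contract consulted on every transfer (constructed).

    allowed=None means anyone may transfer (honest token); a set means only
    those addresses may send, which is the allowlist honeypot.
    """

    def __init__(self, allowed=None):
        self.allowed = allowed

    def can_transfer(self, sender):
        return self.allowed is None or sender in self.allowed


class Token:
    """Minimal ERC-20-like ledger; 'pool' stands in for the DEX liquidity pool."""

    def __init__(self, guard, pool, supply, sell_fee_bps=0):
        self.guard = guard
        self.pool = pool
        self.sell_fee_bps = sell_fee_bps  # charged only on transfers into the pool
        self.balances = {pool: supply}

    def balance_of(self, addr):
        return self.balances.get(addr, 0)

    def transfer(self, sender, recipient, amount):
        if not self.guard.can_transfer(sender):
            raise PermissionError(f"{sender} is not permitted to transfer")
        if self.balance_of(sender) < amount:
            raise ValueError("insufficient balance")
        fee = amount * self.sell_fee_bps // 10_000 if recipient == self.pool else 0
        self.balances[sender] -= amount
        self.balances[recipient] = self.balance_of(recipient) + amount - fee
        # the fee is simply burned in this model

    def buy(self, buyer, amount):
        self.transfer(self.pool, buyer, amount)

    def sell(self, seller, amount):
        self.transfer(seller, self.pool, amount)


def honeypot_check(token, probe_wallet, amount=1_000, max_fee_bps=1_000):
    """Buy then sell `amount` from a fresh wallet; flag tokens where the sell
    is rejected or where more than max_fee_bps (default 10%) is withheld."""
    report = {"buy_ok": False, "sell_ok": False, "honeypot": False, "reason": ""}
    try:
        token.buy(probe_wallet, amount)
        report["buy_ok"] = True
    except (PermissionError, ValueError) as exc:
        report["reason"] = f"buy rejected: {exc}"  # untradeable, but not a honeypot
        return report
    pool_before = token.balance_of(token.pool)
    try:
        token.sell(probe_wallet, amount)
    except (PermissionError, ValueError) as exc:
        report["honeypot"] = True
        report["reason"] = f"sell rejected: {exc}"
        return report
    received = token.balance_of(token.pool) - pool_before
    if received < amount * (10_000 - max_fee_bps) // 10_000:
        report["honeypot"] = True
        report["reason"] = f"pool received only {received} of {amount} (excessive sell fee)"
        return report
    report["sell_ok"] = True
    return report


def build_scenario(kind):
    """Three constructed tokens: honest, allowlist honeypot, sell-tax honeypot."""
    if kind == "honest":
        return Token(Guard(), "pool", 1_000_000)
    if kind == "allowlist":
        return Token(Guard({"pool", "deployer"}), "pool", 1_000_000)
    if kind == "sell_tax":
        return Token(Guard(), "pool", 1_000_000, sell_fee_bps=9_900)
    raise KeyError(kind)


def run_all():
    """Map each scenario name to whether the check flags it as a honeypot."""
    return {k: honeypot_check(build_scenario(k), "probe_wallet")["honeypot"]
            for k in ("honest", "allowlist", "sell_tax")}


if __name__ == "__main__":
    for kind in ("honest", "allowlist", "sell_tax"):
        print(kind, honeypot_check(build_scenario(kind), "probe_wallet"))
```

The important design point is that the probe wallet is fresh and unprivileged: a deployer-held address would pass the allowlist and hide the trap. On a real chain the same round-trip is done with a simulated (non-broadcast) buy-then-sell against the live contract, and the threshold on what the pool actually receives is what catches the sell-fee variant that a plain "did the sell revert?" check misses.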
How could Web3 exploits have been avoided?
In hindsight, understanding how developers could have averted the security breaches and exploits that plagued Web3 projects provides valuable lessons.
Projects that prioritize security audits are generally more trustworthy. Look for Web3 projects that have undergone comprehensive third-party audits to mitigate risks.
CertiK, founded in 2018 by Columbia and Yale professors, stands out as a blockchain security firm. What distinguishes CertiK is its unique approach, using formal verification and AI technology to conduct comprehensive security audits of smart contracts.
This combination enables them to mathematically confirm the safety of smart contracts, an achievement unmatched by many. Furthermore, CertiK has introduced the “CertiK Chain,” a security-focused blockchain designed to enhance smart contract safety. They report having examined over 1,800 projects and assessed a total market capitalization exceeding $278 billion.
Likewise, there are many other reputable smart contract audit companies, such as Hacken, ConsenSys, Slowmist or Halborn, to name a few. Most of these companies are quite pricey, but they might save your project from imminent death.
Do not underestimate your community’s feedback. A sizable share of Web3 investors are either developers themselves or users who study hard to recognise potential exploits, vulnerabilities or shady practices in a project’s smart contracts. If you are unsure of your contracts, run a community bug bounty to let users battle-test your smart contracts before they go live. This can be a very good add-on to a reputable smart contract audit.
Rug Doc is also one of the projects and communities worth mentioning when it comes to sniffing out suspicious projects even before they launch. They have a great Telegram community that is usually active whenever a user requests info about a smart contract, and if the project in question is on a well-known and active chain, Rug Doc will do a free evaluation of its contracts on their site.
Trustworthy Web3 developers
Web3 teams, particularly those looking to launch a project that is mainly based on existing libraries of code, should seriously consider leveraging Solidity libraries and no-code tools like Thirdweb, Bunzz or our very own DeFi Builder for several reasons.
Using established libraries and trusted tools can significantly reduce the risk of security vulnerabilities and exploits. Freelance talent, while often skilled, can introduce uncertainties and inconsistencies in code quality, potentially leading to vulnerabilities that could be exploited. Not to mention the big question mark you will always have about their identity, location, moral practices and dedication to the work.
Moreover, no-code tools simplify the development process, making it more accessible and efficient for both experienced developers and those new to Web3 technologies. This approach not only enhances security but also streamlines project development, reducing time-to-market and ensuring a more reliable and robust foundation for Web3 applications. Some of the mentioned projects also feature fully audited code libraries and have active bug-testing programs. Go the safe route, and spare your money, your time, and future potential losses for you and your investors.
Post-Mortem Web3 Reports
In the rapidly evolving world of web3, post-mortem explanations following an exploit of a DeFi protocol are of paramount importance. These analyses provide a transparent breakdown of what went wrong, helping both developers and users understand the vulnerabilities that led to the incident. Moreover, they foster trust within the community, demonstrating a commitment to rectify mistakes and prevent future breaches. Just as crucially, they contribute to the collective knowledge base of the web3 ecosystem, enabling other projects to learn from and avoid similar pitfalls, thereby strengthening the overall security and resilience of decentralized platforms.
The Path Forward for Investors and Developers
While the Web3 space presents challenges, it’s important to recognize that these challenges are not insurmountable. Developers can proactively strengthen the security posture of Web3 projects through rigorous smart contract auditing, secure coding practices, community-driven security efforts, and staying updated with the latest security developments. For investors, this means that projects with robust security measures in place are more likely to offer a safer investment environment.
Staying informed, conducting due diligence, and adopting a cautious yet optimistic approach will empower both developers and investors to navigate the Web3 landscape confidently. In conclusion, the Web3 landscape is evolving, along with its security challenges. As an investor or developer, your commitment to staying informed, vigilant, and security-focused will play a pivotal role in securing investments, contributing to the growth of the Web3 ecosystem, and being part of an exciting journey into the future of blockchain technology.
Stay informed, stay secure, and continue to be a part of the exciting journey that is Web3.
Directual can be considered more of a bridge app between web2 and web3, allowing mostly Web3 integrations and payments for traditional marketplaces, auction sites or any e-commerce related platforms.