Web3 security opportunities and the lessons we must learn from Web2
Although much of the initial hype around the crypto-economy centered on blockchain technology itself, over the last couple of years (especially since the decentralized finance boom of 2020) more and more people have come to realize that the ongoing Web3 revolution is much broader than its underlying technology.
Put another way, Web3 represents an entirely new paradigm for the World Wide Web, distinct from Web2, one rooted not only in the ethos of decentralization and shared ownership of data, but also in openness.
But like any other technology, Web3 has its share of problems. As the sector has grown, so has the number of bad actors and hackers drawn to it. The incentives are direct: a single exploit can net an attacker hundreds of millions of dollars in liquid, immediately transferable assets, a payout that a single compromise of a traditional Web2 system rarely delivers.
To elaborate, although the Web3 market already has several well-established security and privacy tools (OpenZeppelin’s audited contract library, Immunefi’s bug bounty platform and PeckShield’s fraud-token and phishing-site protection, among others), it continues to suffer major hacks almost every month. In October 2022, for example, BNB Chain’s BSC Token Hub bridge was drained of more than $500 million after the attacker forged Merkle proofs that the bridge accepted as valid withdrawal evidence and used them to mint roughly 2 million BNB. Earlier in 2022, Axie Infinity’s Ronin bridge lost roughly $625 million after attackers obtained five of the nine validator signing keys needed to approve withdrawals.
How can Web3 become more secure?
Right off the bat, it’s worth mentioning that no single magic solution can make Web2 or Web3 systems completely airtight. However, a layered, comprehensive security approach that includes monitoring and incident response, not just prevention, can minimize the risk and limit the damage when one layer fails.
In this regard, real-time decentralized threat detection networks that monitor blockchain activity and alert protocols to suspicious behavior can strengthen the security of Web3 platforms considerably. Incorporating community incentives can also help, since they allow the participants of these networks to shape their future and own the value they generate.
That said, analyzing the similarities and differences between Web2 and Web3 can reveal great opportunities to strengthen and innovate in Web3 security. So, without further ado, let’s jump right to the heart of the matter.
A look at the similarities and differences between Web3 and Web2
It is often argued that because blockchain transactions are atomic, a Web3 attack is effectively a single event, whereas a Web2 intrusion forces an attacker through a long chain of complicated steps. Atomicity here means that a single transaction can bundle many different actions, all of which must succeed for the transaction to be accepted. If any individual part of the transaction fails or is inconsistent, the entire transaction reverts and none of its effects are applied.
In practice, however, Web3 attackers still have to work through several stages: financing the attack, preparing it (deploying contracts and probing the target), executing the exploit and finally laundering the proceeds. Each stage leaves traces on-chain, and each gives security vendors an opportunity to detect, prevent and mitigate the attack before it completes.
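As an added example (not code from the original article or from Forta), the following Python simulates both points above: a toy ledger in which a transaction either applies all of its actions or reverts entirely, and a stage-based heuristic of the kind a blockchain monitoring agent could run over a stream of on-chain events, scoring an address as it moves through funding, preparation and exploitation. The address labels, thresholds and event stream are constructed assumptions for the example, not real chain data.

```python
"""Added example: a toy ledger with atomic (all-or-nothing) transactions,
plus a stage-based heuristic that scores addresses across the
funding -> preparation -> exploitation chain. Illustrative only; the
addresses, thresholds and events are constructed for this example and
are not Forta's detection logic."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# One action inside a transaction: (sender, recipient, amount).
Action = Tuple[str, str, int]


class Ledger:
    """Minimal account ledger. execute() applies every action in a
    transaction or none of them, mirroring EVM revert semantics."""

    def __init__(self, balances: Dict[str, int]) -> None:
        self.balances = dict(balances)

    def execute(self, actions: List[Action]) -> bool:
        snapshot = dict(self.balances)  # state before the transaction
        for sender, recipient, amount in actions:
            if amount <= 0 or self.balances.get(sender, 0) < amount:
                self.balances = snapshot  # any failure reverts all actions
                return False
            self.balances[sender] -= amount
            self.balances[recipient] = self.balances.get(recipient, 0) + amount
        return True


@dataclass
class Event:
    """One on-chain event as a monitoring agent would see it."""
    block: int
    kind: str          # "transfer" or "deploy"
    src: str
    dst: str = ""
    amount: int = 0


# Constructed labels and thresholds (assumptions for this example).
MIXER = "0xmixer"          # address tagged as a known mixing service
PROTOCOL = "0xprotocol"    # the protocol treasury being watched
MIN_FUNDING = 10           # inflow from the mixer that counts as "funding"
LARGE_OUTFLOW = 1_000      # protocol outflow that counts as a drain
WINDOW_BLOCKS = 100        # max distance between funding and exploitation


def score_addresses(events: List[Event]) -> Dict[str, List[str]]:
    """Return {address: stages} for addresses that progress from mixer
    funding, to contract deployment, to a large protocol outflow within
    WINDOW_BLOCKS. Earlier stages alone only build up state, so an agent
    can raise lower-severity alerts as they appear."""
    stages: Dict[str, List[str]] = {}
    funded_at: Dict[str, int] = {}
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "transfer" and ev.src == MIXER and ev.amount >= MIN_FUNDING:
            if "funding" not in stages.setdefault(ev.dst, []):
                stages[ev.dst].append("funding")
                funded_at[ev.dst] = ev.block
        elif ev.kind == "deploy" and "funding" in stages.get(ev.src, []):
            if "preparation" not in stages[ev.src]:
                stages[ev.src].append("preparation")
        elif (ev.kind == "transfer" and ev.src == PROTOCOL
              and ev.amount >= LARGE_OUTFLOW
              and "preparation" in stages.get(ev.dst, [])
              and ev.block - funded_at[ev.dst] <= WINDOW_BLOCKS):
            if "exploitation" not in stages[ev.dst]:
                stages[ev.dst].append("exploitation")
    return {addr: s for addr, s in stages.items() if "exploitation" in s}


# Constructed sample stream: one attacker that completes all stages and
# one ordinary user who receives a large payout without the prior stages.
SAMPLE_EVENTS = [
    Event(100, "transfer", MIXER, "0xattacker", 50),
    Event(100, "transfer", "0xexchange", "0xuser", 50),
    Event(101, "deploy", "0xattacker"),
    Event(150, "transfer", PROTOCOL, "0xattacker", 5_000),
    Event(160, "transfer", PROTOCOL, "0xuser", 5_000),
]


def demo() -> Dict[str, List[str]]:
    ledger = Ledger({"0xprotocol": 10_000, "0xattacker": 0})
    # A drain whose final step fails reverts entirely: nothing moves.
    assert not ledger.execute([("0xprotocol", "0xattacker", 5_000),
                               ("0xattacker", "0xexit", 9_000)])
    assert ledger.balances["0xprotocol"] == 10_000
    return score_addresses(SAMPLE_EVENTS)


if __name__ == "__main__":
    print(demo())
```

The ledger shows why atomicity does not help a careless attacker: a multi-step drain whose last step fails leaves the protocol untouched. The scorer shows why it does not help a careful one either, since the funding and preparation stages are visible on-chain well before the exploit transaction lands, which is exactly the window a monitoring network has to act in.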
Another important similarity between Web2 and Web3 is social engineering. Because the user-facing infrastructure and tooling of Web3 still lag behind their centralized counterparts, better solutions are needed to make social engineering attacks harder to pull off in Web3.
When discussing Web2 technologies, the “attacker/defender imbalance” always comes up: an attacker only needs to be right once, while defenders need to be right all the time. With the distributed setup of Web3 systems the tables are turned. The attacker still only needs to succeed once, but among the many thousands of independent defenders who can watch the same public chain data, only one needs to spot the attack.
In addition, data on public blockchains is visible to all network participants, whereas in Web2 systems only selected information is made public, particularly anything security-relevant. This openness means a much broader security research community can study the same data and bring different approaches to it, which greatly increases the potential for innovation.
Another clear difference is that losses are easier to assess in Web3, since every one of an attacker’s transactions is recorded on a public ledger. This makes it possible to build better risk quantification models, which in turn can support robust cyber insurance products and protocol-level risk mitigation strategies.
Finally, attacks in Web3 have a form of finality thanks to the immutability of the blockchain: once an exploit transaction is confirmed it cannot be reversed, but the loss is also bounded and known. In Web2 the picture is much grayer, because stolen data such as personal credentials can keep causing uncontrolled losses long after the initial breach. This finality is likely to give rise to new mitigation strategies in Web3 and to drive cyber insurance adoption in the near to medium term.
What lies ahead for the Web3 ecosystem?
As should be clear by now, the Web3 paradigm could fundamentally change how people around the world operate day to day, but it also faces serious challenges. That said, an increasing number of skilled developers have entered this rapidly evolving space in recent years, and they are helping to innovate and solve many of the pressing security challenges Web3 users face today.
Christian Seifert is a security researcher in the Forta community who previously worked for 14 years with cyber security at Microsoft.