
Web3 is still not as secure as it promises to be

There are web3 proponents who will say that the decentralized web provides greater resiliency and security compared to Web 2.0 thanks to its underlying blockchain-based technology.

Web 2.0, which first debuted in the early 2000s with a focus on user-generated content, rich user interfaces, and cooperative services, has also brought with it a new wave of security threats, including malware, phishing, social engineering, identity theft, cross-site scripting, SQL injection, and data leaks, to name just a few.

Web3, a term that encompasses various technologies such as cryptocurrencies, NFTs, and DAOs, certainly sounds like it will make such threats a thing of the past: web3 not only gives people more control over their data, but is based on distributed technologies, like blockchain, to smooth out the many flaws of its predecessor.

In reality, however, web3 is no more secure than Web 2.0 and is already creating a new playing field for opportunistic cybercriminals. This is because while it represents a change in what the Internet can do and will be used for, it doesn't change the way it fundamentally works.

New and unimproved

While promising to be fully decentralized, web3's user-facing components are primarily powered by Web 2.0 technology, such as APIs and artifact connection endpoints, despite being built on blockchain technology. This means that users of web3 services and decentralized applications, or “dApps”, continue to rely on legacy technologies to conduct transactions, and ultimately means that web3 is vulnerable to all the classic security issues that plagued its predecessor, from DNS hijacking to script traversal. Web3 companies also have to communicate with their users, primarily through Web 2.0 technologies such as email or online messaging, which are also prone to legacy security issues.

Perhaps unsurprisingly, web3 phishing has also occurred. While attackers have previously focused on gaining access to information such as a user's login details, they are now turning their attention to users' cryptocurrency wallets and private keys.

Humans will always be vulnerable to manipulation, which is why hackers will continue to employ this simple but effective technique: data shows that phishing campaigns that abuse web3 platforms increased almost 500% in 2022, while a recent report by Immunefi, the bug bounty and security platform, revealed that the crypto industry incurred losses of $3.9 billion in 2022 due to various incidents related to hacking, fraud and scams.

This is perhaps best evidenced by several major web3 attacks in recent months. One of the most infamous was an attack on Axie Infinity's Ronin network, in which the attackers stole $625 million. The hackers, identified by the US government as the North Korean-backed Lazarus Group, reportedly targeted employees of Axie Infinity developer Sky Mavis with a bogus job offer via LinkedIn.

Last year, attackers also breached Nomad, an interchain messaging protocol, to steal nearly $200 million in digital assets. According to security logs, an update to one of Nomad's smart contracts made it easier for users to falsify transactions, allowing a bad actor to withdraw funds that did not belong to them.

Decentralized threats

The Nomad hack demonstrates that web3 is not only vulnerable to existing Web 2.0 security flaws, but also presents its own category of vulnerabilities, a fact recently highlighted by malware researcher Marcus Hutchins in a social media video in which he claims that web3 is in fact less secure than Web 2.0.

Smart contracts are self-executing programs that run on a blockchain and are used to automate the execution of various functions, such as financial transactions. If a smart contract contains a vulnerability, an attacker can exploit it to steal funds. Bugs in smart contracts were also responsible for the theft of $31 million from MonoX in 2021.

Vulnerabilities in decentralized applications are also a major concern: even though they are built on top of blockchain platforms, they are subject to security risks such as distributed denial-of-service (DDoS) attacks, hacking attempts, and exploits. Security experts have also sounded the alarm about many other problems unique to web3 technology, such as cross-chain bridging failures and attacks on governance processes, all of which require specialized knowledge and expertise to address.

However, the novelty of these technologies, coupled with the fact that many security professionals are highly skeptical of web3, means that organizations in this space may struggle to find the right skills to maintain web3 security.

It is not a solution for everything

Web3 has been a key driver for startups and venture capital in recent years: Web3 startups globally raised a record $29.2 billion in 2021, and while that dipped slightly the following year, they still raked in $21.5 billion in 2022. With that in mind, it's perhaps no surprise that web3 technologies have been rapidly adopted by startups, many likely unaware of the potential security risks.

To ensure that they do not fall victim to a web3 security breach, it is key that startups prioritize security from the outset and embrace the security-by-design methodology. Bogdan Botezatu, director of threat research and reporting at cybersecurity firm Bitdefender, said this should include conducting risk assessments during product and service design stages, following best practices for secure software development, such as source code auditing and regular penetration testing, and hiring internal or contracted security teams (if they can find the relevant skills).

“One wrong click or missed security update can result in a network compromise, data breach, or asset theft,” Botezatu said. “Both centralized and decentralized fintech companies have a higher level of risk due to the immediate monetization opportunities potential cybercriminals have.”

Web3 has a lot of potential and promises to give everyday users more power and inspire next generation companies, products, services and experiences. However, at the end of the day, software is software, and web3 is as secure as we make it out to be.
