Web3 Security Blog

Web3 Security: Digging to the Roots

In the past twenty years, the banking sector has undergone a transformation in fraud detection and prevention. Initially, fraud analysts acted as old-style investigators, relying on intuition and direct communication, often collaborating with law enforcement to identify and address fraud. With fewer payment options like bank transfers, credit cards, and checks, fraud was simpler to detect and control. Merchants employed secure transaction services to verify cardholder identity, while banks often used blunt, rules-based mechanisms to tackle fraud, ignoring the nuances of cardholder profiles and behavior.
Fast forward to today, and the landscape is dramatically different. The transition to EMV chip cards for Card Present transactions has shifted the focus to online and mobile channels. As payment methods diversified, fraud also evolved, adapting to the digital realm and our hybrid lifestyles. This necessitated a strategic shift in fraud prevention departments, prompting the adoption of new technologies to detect and prevent emerging threats. As the banking system in its current configuration is heavily centralized, monolithic, and averse to change, tackling these challenges is not an easy task. Bank infrastructures are accustomed to closed ecosystems where detecting fraud is simpler, due to the high availability of customer profiles and habits. The concept of a malicious actor is unknown. In simple words, if someone is trying to make an unauthorized payment on your behalf, the bank detects it not because it can identify a bad actor but because it knows you, and knows that the payment doesn't match your behavior.
Now, we're witnessing similar processes in Web3. The disruption brought by Web3 opens up numerous vulnerabilities. Currently, the focus is on patching these vulnerabilities through smart contract audits and bug bounties. However, users are often left to fend for themselves against ever-evolving scams and attacks. As in the banking sector, many security measures in Web3 are retroactive, focusing on investigating what went wrong rather than preventing it. In addition, it is difficult to create standard profiles for users: the blockchain is liquid, and the same user can use different addresses to perform different tasks, maybe one for hodling and one for trading.
Addressing Web3 security issues requires an integrated approach with core infrastructure, much like the evolution of security in the banking and cashless payment industries.
In this environment, expecting every Web3 user to navigate the "UX hell" of working with investigation agencies and security solutions is unrealistic. Some users have taken matters into their own hands by installing security extensions to protect their wallets. However, the necessity for such measures indicates a fundamental flaw: security is not the default state in Web3, which it should be. Comparing the current state of Web3 to a dangerous street full of criminals, we can see that instead of eliminating the possibility of crime and making the whole street safer, we give body armor to every neighbor and ensure they keep paying taxes. Moreover, simply providing guns or armor to ordinary people will not inherently make them more secure. Any malicious actor with greater street wisdom and gun expertise can easily circumvent these basic self-defense measures, leaving the average person still vulnerable and inadequately protected.
Consider the example of the Angel Drainer attack on Balancer in September 2023. Attackers hijacked Balancer's DNS, compromising its interface and leading to phishing attacks on users' wallets. Over 1500 victims lost a minimum of $350,000. Would installing security extensions or MetaMask snaps on each of these 1500 wallets have been an effective defense? There is no certainty. Most security solutions are based on blacklists that include addresses of already known scams. In a sense, most of the protections available are just a modern version of anti-virus: they need to know that a virus exists before they can release protection against it. As we wrote above, blockchain is liquid: just as a user uses multiple addresses for different tasks, a scammer can switch addresses with the same ease; by the time a scam address has been identified, the scammer has a new one that is still undisclosed. Moreover, it takes a long time to detect a scam with high likelihood, as effective detection needs human investigation and a critical mass of victims.
We also need to realize that the more defenseless users are those who are not aware they are dealing with a Web3 app at all, a situation that will become more and more common in the future, where a Web2 interface will be just the friendly gate to a Web3 application. If Web3 natives are victims of scams, for Web2 users it will be a bloodbath.
This looming threat underscores the need for a paradigm shift in how we approach security in the digital realm. In Web 2.0, security models primarily focus on reacting to attacks, but Web3, where transactions are irreversible, demands a security architecture that emphasizes prevention. The current government focus on anti-money laundering (AML) and tax evasion overlooks the need to protect users from scams. There's more concern about the minority involved in illicit activities than the majority who risk losing their funds in scams.
But what is AML? It's essentially a reactive measure, primarily based on blacklists, to ensure that stolen funds are not cashed out by criminals. Honestly, if my 3 ETH were stolen, it wouldn't make much difference to me whether they end up in someone's cold wallet or are cashed out in North Korea. However, it matters to the government, as taxes are likely not paid on such funds.
Let's consider a few examples. Wallets are not legally responsible for preventing, or at least attempting to prevent, transactions that lead to the total withdrawal of funds. The majority of wallets simply do not prioritize this issue. There is no financial benefit in protecting customers, nor is there any penalty for failing to do so. DEXes can trade various types of tokens, including 'shitcoins' and 'memecoins.' While many of these may be legitimate, albeit lacking in fundamental value, others are explicitly designed to manipulate buyers and orchestrate theft through rug pull or honeypot attacks. A study found that the amount stolen in these scams varied widely, ranging from approximately $3,000 to $12,000,000. Despite obvious risk patterns, such as anonymous teams or projects where the majority of liquidity is held in one wallet, DEXes often do not flag these tokens as dangerous. This situation has led to a dichotomy where Web3 projects must either submit to regulations, which do not adequately address the risks posed by third parties, and bear the full brunt of SEC scrutiny, or operate in the shadows, effectively being unaccountable for any harm to users as long as they themselves derive value. There is a pressing need to extend regulatory frameworks to encompass the protection of users from risks not just within the projects themselves, but also from those originating externally. A proper rebalancing is needed, shifting the focus from protecting the economy to also protecting people.
There are movements in the right direction, for example MiCA, but again it's focused on AML and on requirements for service providers to detect and stop criminal crypto flows and comply with anti-money laundering obligations. There is not a single word saying that decentralized projects should be responsible for end-user protection and must have a primary aim of protecting their end customers from unlawful behavior. It appears that the legal system is more designed to protect against users rather than to safeguard the users themselves.
This is where the industry's biggest players must step in to advocate and implement user protection techniques as a standard. To create a safe environment, all infrastructure players must integrate a default layer of security.
Most current security solutions focus on scanning messages in apps like Discord or Telegram, alerting users to suspicious content, or analyzing website authenticity. However, these measures only scratch the surface of what's needed.
For a genuinely secure Web3 environment, security must be integrated into the very fabric of the ecosystem, ensuring users don't need to arm themselves for protection. We need to shift from reactive to proactive security measures, creating a safe and secure environment by default. This is not just a dream; it's a necessity for the sustainable growth and trust in Web3 technologies.
The key to achieving this lies in integrating security directly into the core infrastructure of Web3. Security should not be an afterthought or an additional layer users need to opt into; it must be inherent in the technology itself. This requires a collaborative effort from all stakeholders in the Web3 ecosystem – from developers and platform providers to regulatory bodies and end users.
Users should create a strong sense of urgency among all Web3 builders; they should demand solutions that not only offer basic functionality like swaps or transactions, but also take responsibility and ensure protection.
Infrastructure providers, such as those offering Node-as-a-Service, need to ensure their systems are fortified against attacks. They should provide secure, reliable access points to the blockchain, ensuring that transactions and data are analyzed and protected at all times and by default. RPC and Node providers are the key players here, as they can extend access to security protocols to all their customers and therefore protect all their end users.
We need to create the same safe environment by incorporating security at a very low level of infrastructure. RPC providers should be the main multipliers of such measures, with transaction security checks as the default state in every RPC API. White label or plug-and-play solutions should have security features as part of the main product offering. We need fraud and scam protection to be enabled from the very first day of a user's Web3 experience, starting with users who don't realize that they are using blockchain technologies under the hood of one service or another. It is exactly these people who often fall victim to malicious actors, not those advanced enough to install extra protection or avoid clicking unknown links. Imagine if all Ethereum Node providers incorporated a security solution to ensure no malicious transactions are accepted on mainnet. This bold but strong move would make the entire EVM ecosystem a more secure and safer place. This won't happen until it makes business sense, and we have the right legislation and priorities in lawmakers' minds.
Regulatory bodies play a crucial role; they need to broaden their scope to include user protection in the Web3 space. Regulations should encourage the implementation of robust security measures while preserving decentralization as the heart of Web3. Let's stop giving body armor to everyone and chasing after tax evaders; instead, let's focus first on creating a safe environment.
Let's take the open banking protocol as an example. It was a huge step forward for the European fintech space: it made easy and fast payments accessible to everyone within the EU and also fostered a lot of innovation and new startup development. But the key factor was security that goes along with usability. It is an open protocol that has low barriers to entry but maintains high security standards.
In conclusion, the evolution of Web3 security should transition from reactive, isolated measures to proactive, integrated solutions. By embedding security into the core infrastructure and engaging all stakeholders in this effort, we can cultivate a Web3 environment that is innovative, decentralized, and, crucially, safe and trustworthy for all users. Committing to this path secures not only our digital assets but also the trust and confidence that are fundamental to the success and growth of this revolutionary space.

About the Author:
Kirill Tiufanov is a serial founder of multiple deep-tech companies, and currently the CEO and Co-Founder of Polyzoa, a dynamic and adaptive security layer for Web3 infrastructure providers. Polyzoa protects the Web3 ecosystem from scams and threats by offering non-intrusive security to end users, hassle-free integration for projects, and scalable, beneficial solutions for infrastructure providers.
2023-12-19 11:17