Web3 security is a mess. Here’s how to fix it

Second in a two-part series. Read the first part here.

Blockchain tech has inherent infosec value, Web3 isn’t just a fad, and security professionals need to start learning about these emerging technologies, as I laid out in my first post in this series. But there will be bumps on the road to securing this burgeoning ecosystem, where multimillion-dollar heists still happen with alarming frequency. Here’s how to get started:

A few years ago, when I ran a boutique cybersecurity consulting firm, I worked with several companies in the blockchain and cryptocurrency spaces. My cofounder and I typically found cultures with low respect for established program-level information security methodologies, such as NIST guidelines, which help some of the largest and most mission-critical organizations in the world keep their assets safe.

We noted an inefficient tendency to “reinvent the wheel” and often encountered resistance to proven approaches to infosec from other industries. However, the organizations that had been successful in hiring a few security professionals focused the bulk of their efforts on secure engineering and security architecture, which seem to be the most appropriate methods of shifting security as far “left” as possible to manage limited industry resources for Web3 companies: specialized security workers.

New opportunities

This culture appears to be changing, as evidenced by the growing numbers of infosec jobs posted in the Web3 field, and the massive, growing losses from the successful exploitation of blockchain and smart contract vulnerabilities. While companies in Web2 can often afford to shrug off breaches due to mitigating factors such as standardized cyber insurance and the lack of significant, long term repercussions to corporate bottom lines, Web3 organizations can’t ignore security issues due to their existence as highly targeted entities within highly adversarial, high assurance environments. A single bug can lead to the immediate loss of millions of dollars, or even the dissolution of an entire organization due to a total drain of funds.

Against that backdrop, bug bounty rewards in Web3 have reached blisteringly high numbers. In a guide to submitting bugs on Immunefi, the largest Web3 bug bounty platform, the company states, “Some whitehats come to Web3 having been poorly treated and underpaid in Web2, and they bring that attitude to Immunefi — not knowing that they now have far more rights and respect than before”.

As renowned hacker Jay Freeman recently said after claiming a $2 million bounty for a single security vulnerability: “And yet, we see crypto project after crypto project trying to externalize the cost of their core design to people being only indirectly compensated, rather than building a team around mathematicians, economists, and security experts.” While policy and regulatory changes are surely on the way — and with those, compliance requirements likely to match those seen in traditional finance — there will be a corresponding infosec-shaped hole in the industry that must eventually become filled with a pipeline of highly technical, long-term strategists as opposed to the current system of external auditors and bounty hunters.

Security firm Hacken described its outlook for the Web3 industry in a recent report, projecting increasing regulatory security requirements and the standardization of regular security audits over the next five years.

There is also a burgeoning niche market of “blockchain intelligence” or “cryptocurrency forensics” firms on the market with names like Chainalysis, CipherTrace (recently acquired by MasterCard), Elliptic, and TRM Labs (funded by the likes of Andreesen Horowitz, JP Morgan, Paypal, and Salesforce). These companies use both specialized software and human analysts to detect and track threats, and they are reminiscent of early Web2 cybersecurity firms like Mandiant and Foundstone, which evolved significantly over the years.

 1_CyMQY1F6ykTITBIfY8UkJA
Andrei Zverev/Flickr

What’s different?

Blockchain is transparent, open and often immutable, which is a whole new way of looking at things for anyone used to closed databases and opaque operations. Blockchain and crypto companies tend to focus less on the protection of intellectual property versus a typical Web2 company. Code is often open source and audited with public results to inspire confidence.

Web2 security practices can be focused on “right of boom,” dealing with the aftermath of an incident rather than avoiding it in the first place. Infosec for Web3 should shift toward code, engineering, and architecture, focusing on prevention rather than response.

Web3 ecosystems are inherently more open. Projects typically host open communities on Discord and spaces on Twitter. Web3 project managers @lennysan and @0xshah described their transition to the internet ecosystem in a blog post that calls for a complete paradigm shift away from the current tech work patterns. They credit the lack of a surveillance/data collection-driven ecosystem underpinning Web3, the immutability of code and the need to ensure code is as bug-free as possible at the time it ships.

The upshot is that there are serious infosec, privacy, and surveillance implications to Web3, and infosec pros will be critical to establishing industry standards in advance of — and in addition to — regulatory requirements.

The talent is flowing

Not only are smart people rushing to work in Web3, some of the best hackers in the world already work on Web3 problems and research full time. For example:

Infosec pros should be familiarizing themselves with various “Layer 1” blockchains such as Bitcoin and Ethereum, privacy coins of particular relevance to our field such as Monero and Zcash, as well as understanding more about what these blockchain layers, coins, altcoins, and tokens even mean.

The time of a serious incident, such as a ransomware attack, surreptitious cryptomining, or finding critical data for sale on the dark web, is not the right moment to familiarize yourself with crypto. Infosec pros need to start learning sooner to become cryptocurrency-capable in future security cases and investigations.

Here are some tips and resources for those seeking to learn more:

  • Check out the blogs of security companies writing Web3 security research, as well as the voices of activists who say these technologies have the potential to empower people and support digital rights and free expression.
  • Try setting up a wallet and moving funds in and out. Review those transactions on that chain’s ledger. Learn about the terms “KYC” and “AML.” Consider buying a hardware wallet. Learn about key management. Learn about storage mechanisms such as IPFS and Arweave. Read token standards.
  • Learn about the major smart contract platforms, their execution environments, and relevant programming languages. Run a few dApps. Want to build? Consider running through a couple Buildspace tutorials or joining a resource group like Developer DAO or Surge. Read a guide to secure smart contract development. Learn about development risks. Check out blockchain specific security repositories on Github like awesome-ethereum-security and awesome-evm-security.
  • Consider participating in a CTF, or two, or three, or fifty! Investigate open bounties on Immunefi.
  • Review calls from security companies for standardization in cryptocurrency-related threat intelligence. Think about how to monitor wallets for various blockchains, and how to get that data.
  • Understand the common vectors and methodologies for phishing, especially threats on Discord and Twitter. Learn about NFT wash trading and other scams and red flags. Review previous large hacks and recent scams. Keep an eye out for the reported use of cryptocurrency in the cybercrime ecosystem. Consider setting news alerts.
  • For larger organizations, ensure cryptocurrency handling is built into security incident response planning, and that business and technical procedures are in place for any incident with a crypto component. Marsh’s guide to ransomware response is handy and comprehensive.
  • Consider reading the following reports for further information regarding the state of crime in cryptocurrency ecosystems:

· Chainalysis’ “The 2022 Crypto Crime Report

· Quill Audit’s “Blockchain Security Outlook 2021

· Certik’s “The State of DeFi Security 2021

1_MPFnGS52KcNuHc04fg0INg 
ETH/Public Domain

A long road ahead

There are no silver bullets in infosec, and blockchain is no exception. Decentralized systems are subject to similar risks as other computers. Blockchain is high-assurance software that is not intrinsically secure — but it does lay a foundation for secure transactions at scale, and this capability is vital to continue scaling internet services. It’s also important to remember that decentralized technologies don’t automatically create decentralized power; there is a long way to go in that area. Security pros can help by promoting the building of equitable power structures into Web3 systems and recognizing that security and privacy are critical features of such systems.

As tech strategists Scott Smith and Lina Srivastava wrote in the Stanford Social Innovation Journal, “If Web3 presents a chance to fix our collapses, it needs a value system that is integral, not optional. This means that social good must be integral not only to the ethos but also to the architecture and rule-sets of any new web or technological paradigm.”

Despite their clear potential, these technologies have no inbuilt capacity to support human rights or democracy. Security practitioners can help integrate positive values as a natural extension of our desire to protect people.

We can do it as soon as we overcome our reluctance to begin the work of securing our collective Web3 future.

Jackie Singh is a director for the nonprofit Surveillance Technology Oversight Project and an active member of the Web3 community. A U.S. Army veteran and former defense contractor, Singh previously founded a boutique cybersecurity consultancy, Spyglass Security, and worked as lead cyber incident responder for the Biden-Harris presidential campaign.