People take security for granted when it comes to managing their assets, but it’s not their fault. Traditional finance institutions encourage this disposition, offering to take the burden of security away in exchange for a fee and control over customers’ assets. Web3 presents an opportunity to change this dynamic, putting control back into the hands of users and expanding access to digital ownership. But Web3 infrastructure is still fraught with security issues, from lost keys to compromised hardware and full-scale hacks.
This year has seen a significant number of exploits, with over US$667 million in assets lost due to hacks so far. It seems like every week we see another hack or exploit — such as the one suffered by decentralized exchange Curve Finance just days ago. If Web3 is going to position itself as a reliable alternative to traditional finance, paving the way for mass adoption, the industry needs to solve its security problem and do a better job protecting users.
Building a secure foundation
First and foremost, the onus is on developers to create and maintain reliable platforms. The reality is that many Web3 projects are rushing to market, prioritizing expediency over security. Unfortunately, even the smallest mistake in code can make an ecosystem vulnerable to malicious actors. As a result, the industry suffers from widespread security breaches, which cause significant damage to users and ruin credibility over time. The silver lining, however, is that as developers, we can learn from these mistakes and establish protocols to prevent future exploits.
Responsible development requires significant investment in security at the early stages of a project to build a solid foundation for scalability. Recruiting a strong team of developers to the auditing team, conducting multiple tests and audits pre-launch, and anticipating security breaches are key steps for fraud and exploit prevention.
Sourcing resources
In the world of Web3, credibility is best generated by the test of time. While initial audits and formal verification are critical for building a foundation of trust, it is important to note that audits will still not prove the absence of bugs, and developers need to continually conduct tests to bolster security. This requires a community-wide effort with multiple hands on deck, sharing expertise, and working together to generate trust in the ecosystem.
Furthermore, development teams need to be responsive when bugs are flagged. In too many scenarios, significant resources are put into identifying these issues, only to be followed by delays in fixing the bugs, leaving a project vulnerable to attack. Ultimately, this comes down to having the right resources to dedicate time to security.
Bug bounty programs represent an innovative Web3 security solution, encouraging any developer interested to try their hand at breaking the system for a financial reward. This is an effective method for projects without the internal resources to leverage the power of external security researchers who can review code, identify potential bugs, and develop fixes before these issues affect user experience or security.
Outside of bug bounty programs, white hat hackers are another novel group in Web3 security in comparison to legacy security structures. These “ethical hackers” act without a preset bounty and raise interesting challenges for projects exploring how to interact with and motivate them. They also present legal challenges: acting when nobody has asked you to act could be considered “illegal” in the current Web2 system. Those who can lead initiatives that establish a better legal foundation to make it easier and more appealing for white hat hackers to dedicate time to their projects stand to benefit. This may be through the allocation of part of the “rescued” funds as a reward. Once developed, this template could then be easily applied to any project, incentivizing greater collaboration in Web3.
What about robot auditors?
With advancements in generative artificial intelligence revolutionizing the way we work, one would hope that this technology could make the job of developers easier, too. After all, round-the-clock monitoring and crisis response requires a significant allocation of resources. Unfortunately, the technology is just not there yet.
Many hacks happen because developers repeat the same mistakes. The current challenge is how to properly feed code to artificial intelligence so that the technology understands all interactions. Due to the complexity of logic flows in code, this has not been made possible. Until this technology improves, it is up to developers to build trust on their own platforms.
User education remains paramount
In addition to building and maintaining secure platforms, improving accessibility and providing user education remain critical for preventing exploitation.
So far this year, users have lost over US$40 million in assets due to exit scams, highlighting the need for better guidance in this arena. When it comes to self-custody, there are no “rollbacks,” and users are ultimately responsible for their own funds. But that doesn’t mean developers can’t make it easier for users, empowering them with the tools to securely manage their own assets.
A lot of Web3’s usability problems are skin-deep, coming down to poor user interfaces, confusing web copy, and a lack of clear guidelines and directions. By improving user experience, creating intuitive interfaces, deploying clear and simple language, and providing better customer support, Web3 platforms can help prevent their users from falling for scams or exploits.
In addition, key management is a significant barrier to ownership and self-custody, with Chainalysis estimating that 23% of Bitcoin may be gone forever due to lost keys. Smart accounts are already improving user experience, providing features like key recovery, which allows users to retrieve lost keys without the use of centralized third-party custodians. Multi-signature wallets, which give more than one user access to a wallet, also help by allowing a friend or collaborator to serve as an additional guardian. Armed with these tools, users can take security into their own hands, enjoying a better experience of digital ownership.
Toward a multi-layered approach
One of the key benefits of decentralization is ensuring no single point of failure. Likewise, any platform’s approach to security should be multi-faceted. Starting with a strong foundation, Web3 projects should prioritize security in recruitment and development. Building trust takes time, and as such, monitoring code and continuing to test for vulnerabilities are necessities. At the same time, developers cannot forget the importance of user education for preventing security breaches and losses due to user error. Creating accessible, user-friendly platforms is the best way to prevent this issue. With a combination of tactics, developers can combat Web3’s security problem, securing the path to mainstream adoption.