Web of lies: Web3 isn’t the security fix-all you think it is

Advocates of web3 will tell you that the decentralized web brings greater resilience and security compared to Web 2.0 thanks to its underlying blockchain-based technology.

Web 2.0, which first debuted in the early 2000s with a focus on user-generated content, rich user interfaces and cooperative services, also brought with it a new wave of security threats, including malware, phishing, social engineering, spoofing, cross-site scripting, SQL injection and data breaches, to name just a few.

Web3, a term encompassing several technologies such as cryptocurrencies, NFTs and DAOs, certainly gives the impression that it will make such threats a thing of the past: Not only does web3 give people more control over their data, but it relies on distributed technologies, such as blockchain, to smooth out the many flaws of its predecessor.

In reality, however, web3 is no more secure than Web 2.0, and it’s already creating a new playground for opportunistic cybercriminals. That’s because although it represents a shift in what the internet can do and will be used for, it doesn’t change how the internet fundamentally works.

New and unimproved

While it promises to be fully decentralized, web3’s user-facing layer mostly runs on ordinary Web 2.0 plumbing. A dApp’s front end is a web page served over DNS and HTTPS that talks to browser wallets and hosted RPC endpoints and APIs; only the final signed transaction lands on a blockchain. This means that users of web3 services and decentralized apps, or “dApps,” continue to rely on legacy technologies for making transactions, and ultimately means that web3 inherits all of the classic security issues that plagued its predecessor, from hijacking of a dApp’s DNS records to cross-site scripting in its front end. Web3 companies also have to communicate with their users, mostly through Web 2.0 channels such as email or online messaging that are prone to the same legacy security issues.

Perhaps unsurprisingly, web3 phishing has also arrived. While attackers have previously focused on stealing information such as a user’s login details, they are now turning their attention to cryptocurrency wallets, seed phrases and users’ private keys, which, unlike a password, cannot be reset once they have been exposed.

Humans will always be vulnerable to manipulation, and that’s why hackers will continue to employ this simple but effective technique: Data shows that phishing campaigns abusing web3 platforms increased by almost 500% in 2022, while a recent report from Immunefi, the bug bounty and security platform, revealed the crypto industry incurred losses of $3.9 billion in 2022 due to various hacking, fraud and scam-related incidents.

This is perhaps best evidenced by several major web3 attacks in recent months. One of the most infamous was the attack on Axie Infinity’s Ronin Network, in which attackers stole about $625 million. According to reports, hackers, identified by the U.S. government as the North Korea-backed Lazarus Group, targeted employees of Axie Infinity developer Sky Mavis with a fake job offer via LinkedIn; the malware delivered through that lure gave them control of enough of the bridge’s validator signing keys (five of nine) to approve withdrawals on their own.

Last year, attackers also drained Nomad, a cross-chain messaging protocol, of almost $200 million in digital assets. According to post-incident analyses, a routine upgrade to one of Nomad’s smart contracts marked the default, all-zero Merkle root as trusted, so a message that had never been proven passed the contract’s validation check, and anyone who copied the first attacker’s transaction and swapped in their own address could withdraw funds that didn’t belong to them.

Decentralized threats

The Nomad hack demonstrates that not only is web3 vulnerable to existing Web 2.0 security flaws, but it also introduces its own category of vulnerabilities, a fact that was recently highlighted by malware researcher Marcus Hutchins in a social media video in which he claims that web3 is in fact less secure than Web 2.0.

Smart contracts are self-executing programs that run on a blockchain, and they are used to automate functions such as financial transactions. If a smart contract contains a vulnerability, an attacker can exploit it to steal the funds it holds, and because deployed contract code is public and, unless it was written to be upgradeable, cannot be patched in place, there is often no window between discovery and exploitation. Bugs in smart contracts were also responsible for the theft of $31 million from MonoX in 2021.
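To make the Nomad failure mode and the general “one bug, all the funds” point concrete, here is a simplified reconstruction in Solidity of the kind of message-acceptance check at fault, placed beside a hardened version. This is an added illustration, not Nomad’s contract code or the original article’s: the contract and function names, the storage layout and the zero root handed to the constructor are assumptions made for the example, and the Merkle proof step that would normally populate `messages` is left out so the check itself stays in focus.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example, not Nomad's code. A "replica" contract receives cross-chain
// messages that were committed under a Merkle root on the source chain. A root
// becomes acceptable once it has been confirmed (after an optimistic fraud
// window); process() must only execute messages proven against such a root.
contract VulnerableReplica {
    // root => timestamp after which the root is acceptable (0 = never confirmed)
    mapping(bytes32 => uint256) public confirmAt;
    // messageHash => root the message was proven against (0 = never proven)
    mapping(bytes32 => bytes32) public messages;
    mapping(bytes32 => bool) public processed;

    // BUG: the initializer trusts whatever root it is handed, and here (as an
    // assumed reconstruction of the upgrade) that root is 0x00. Every unproven
    // message reads as root 0x00 from the mapping's default value, so every
    // unproven message now satisfies acceptableRoot().
    constructor(bytes32 committedRoot) {
        confirmAt[committedRoot] = 1;
    }

    function acceptableRoot(bytes32 root) public view returns (bool) {
        uint256 t = confirmAt[root];
        if (t == 0) return false;
        return block.timestamp >= t;
    }

    function process(bytes calldata message) external returns (bool) {
        bytes32 h = keccak256(message);
        require(!processed[h], "already processed");
        // messages[h] is 0x00 for any message nobody ever proved; with
        // confirmAt[0x00] == 1 this check passes for arbitrary input.
        require(acceptableRoot(messages[h]), "!proven");
        processed[h] = true;
        // ... dispatch to the recipient, e.g. release bridged funds ...
        return true;
    }
}

// Hardened form: the EVM returns zero for every unset storage slot, so zero
// must never double as a valid sentinel. Reject it at initialization and on
// every path that reads it back.
contract HardenedReplica {
    mapping(bytes32 => uint256) public confirmAt;
    mapping(bytes32 => bytes32) public messages;
    mapping(bytes32 => bool) public processed;

    constructor(bytes32 committedRoot) {
        require(committedRoot != bytes32(0), "zero root"); // refuse the default value
        confirmAt[committedRoot] = 1;
    }

    function acceptableRoot(bytes32 root) public view returns (bool) {
        if (root == bytes32(0)) return false; // never treat "unset" as confirmed
        uint256 t = confirmAt[root];
        return t != 0 && block.timestamp >= t;
    }

    function process(bytes calldata message) external returns (bool) {
        bytes32 h = keccak256(message);
        require(!processed[h], "already processed");
        bytes32 root = messages[h];
        require(root != bytes32(0), "!proven");      // explicit, independent of confirmAt
        require(acceptableRoot(root), "!confirmed");
        processed[h] = true;
        return true;
    }
}
```

Two things a reviewer would take from this. First, an upgrade initializer is as security-critical as the code paths it gates: the processing logic above was never “wrong” in isolation, it was one trusted storage write that broke it. Second, an invariant test of the form “process() reverts for any message that was never proven” exercised with random inputs (the kind a property fuzzer generates) fails immediately against the vulnerable contract and is cheap to keep in the test suite of any contract that holds user funds.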

Vulnerabilities in decentralized applications are also cause for significant concern: Although built on top of blockchain platforms, they are subject to risks such as denial-of-service (DoS) attacks, front-end compromise and on-chain exploits. Security experts have also sounded the alarm about issues unique to web3, such as flaws in cross-chain bridges, which concentrate large balances behind a single set of contracts and signing keys, and attacks on governance processes, in which an attacker with enough voting power pushes through a malicious proposal, all of which require specialist knowledge and expertise to address.

However, the newness of these technologies, paired with the fact that many security professionals are highly skeptical of web3, means that organizations in this space may find it difficult to find adequate skills to keep web3 secure.

It’s not a fix-all

Web3 has been a fundamental driver for startups and venture capital over the past few years: Web3 startups globally raised a record $29.2 billion in 2021, and while that dipped slightly the following year, they still raised $21.5 billion in 2022. With that in mind, it’s perhaps no surprise that startups have been quick to embrace web3 technologies, many likely unaware of the potential security risks.

To avoid falling victim to web3’s security pitfalls, it’s key that startups prioritize security from the outset and embrace the methodology of security by design. Bogdan Botezatu, director of threat research and reporting at cybersecurity firm Bitdefender, told TechCrunch that this should include carrying out risk assessments during the product and service design stages, following best practices for secure software development such as source code auditing and regular penetration testing, and hiring in-house or for-hire security teams (if they can find the relevant skills).

“One wrong click or one missed security update can result in network compromise, data breach or theft of assets,” Botezatu said. “Both centralized and decentralized fintech companies have an increased risk level due to the immediate monetization opportunities that potential cyber-criminals have.”

Web3 has a lot of potential, promising to give ordinary users more power and to inspire next-generation companies, products, services and experiences. However, at the end of the day, software is software, and web3 is only as secure as we make it.