According to the Global Web3 Security & AML Report 2022, the Web3 industry registered 167 major attacks in 2022. The total loss incurred in the Web3 attacks amounted to almost $3.6 billion, which is 47.4% higher than in 2021.
Web3 is a catchy term that defines the next iteration of the internet. Based on decentralised ledgers and databases distributed over nodes, Web3 was designed to counteract the risks of centralization, monopolisation, and security issues associated with Web2.
The global Web3 market has been introducing new definitions for digital assets and transactions with blockchain, NFTs, cryptocurrencies, and DeFi solutions. With a market cap of around $27.6 billion, the Web3 market is expanding at a radical pace.
If the concept of Web3 seems like a light-year-away idea, we suggest reading this article: ‘What is Web3?’.
As an innovation built on new technologies, Web3 brings both new benefits and new risks. The new iteration of the internet is intended to be transparent, decentralised, and resistant to censorship and centralisation. The trustless nature of blockchain technology means that users no longer have to trust a counterparty or an intermediary, but they do have to trust the underlying code: the protocol, the smart contracts they interact with, and their crypto wallets.
However, transparent blockchains come with particular security and privacy trade-offs. Decentralisation is the defining feature of Web3 and blockchain technology, but it is a double-edged sword: it removes the central party that could be breached, and it also removes the central party that could reverse a mistake, so more of the risk lands on the individual user.
Web3 has changed the internet, but it is not risk-free. It fixed some of the flaws of Web2, but it inherited other security risks unchanged and introduced new forms of cyber-attack of its own.
Beyond the individual scams that threaten the new technology, it is worth briefly explaining systemic risk. Systemic risk is ecosystem-wide risk that is outside any single user's control but still affects overall security, such as economic downturns and technical failures.
A widespread economic downturn and the volatility of the crypto market are problems the crypto community has battled for years. Legislation unfavourable to Web3 or to the crypto market as a whole presents a further risk.
Currencies and financial assets are embedded directly in many Web3 applications. This introduces factors that change the overall risk calculation: a successful exploit converts immediately into liquid, and usually irreversible, value, so the embedded economic architecture gives cybercriminals a stronger incentive than a traditional IT or cloud deployment does.
While market volatility is a long-standing issue within the crypto environment, many large blockchain networks have also had to fight technical failures. These fall into two groups: network congestion, and general technical problems of the network itself, such as untrustworthy node operators.
Web3 and decentralised networks based on blockchain technology promised an exciting future in terms of data protection and security, but no technology is 100% safe. Several of the new threats on the crypto horizon follow directly from design trade-offs.
The state of security and development of Web3 and the various blockchain technologies gives good reasons to learn about potential threats. Since Web3 is still at an early stage of development, it is essential to assess emergent risks, which fall into four main categories.
Blockchain technology is based on greater control at the end-user nodes and no centralised oversight. This raises data-availability questions: if an application depends on nodes to serve its data, what happens to the application when that data becomes unavailable?
Transactions on a public blockchain are cryptographically signed, not encrypted, and are visible to everyone. Decentralisation removes single points of attack or failure, but it also exposes data to other risks: less centralised oversight raises concerns about endpoint attacks, service-availability exploits, and traffic blocking.
Another issue is data reliability. The decentralised network reduces censorship, but it does not settle who vouches for the authenticity and accuracy of data. It is still unclear how the removal of gatekeepers, and the zero-trust posture that replaces them, will affect the reliability of data, including for the artificial intelligence systems that consume it.
Last but not least, data manipulation emerged as a serious issue. Risks related to data manipulation include, for example, the following activities:
- Injecting malicious code into the front ends, scripts or smart contracts that make up a Web3 application so that it executes attacker-chosen commands
- Intercepting unencrypted data transmitted across the decentralised network
- Gaining unauthorised access to data, or impersonating an end-user node
Web3 typically involves multiple, personally managed wallets whose keys no third party can restore if they are lost or stolen. That creates a certain level of exposure to social engineering. Many blockchain-related attacks, like traditional cyber-attacks, focus less on the technology itself and more on human weaknesses.
Apart from stealing private keys, entry points for malicious actors are endpoint vulnerabilities, along with social engineering of employees or other personnel. For example, the South Korea-based cryptocurrency exchange Bithumb lost $31.5 million due to hackers compromising an employee’s computer.
Alongside traditional social engineering attacks, such as social media scams and phishing, Web3 brings several new methods to the table. Since there is no centralised oversight, these risks are more acute: users must take responsibility for their own security and do their own research. Limited awareness of Web3 security risks makes users easy targets for a range of trending scams and breaches.
Cryptojacking occurs when threat actors quietly install crypto-mining software on users' computers and networks: the attacker hijacks a machine's processing power to mine cryptocurrency. The coin most often mined this way has been Monero (XMR), which can be mined profitably on ordinary CPUs and is hard to trace.
Tech giants such as Google and Amazon are also on alert, because compromised cloud instances have been used for mining. This type of attack is growing, and user awareness remains a key part of the defence.
Unlike most other cybercriminals, cryptojackers prosper by being stealthy and undetectable over long periods of time. Users might think that their devices are getting old and slow while cryptojackers are executing a long-term stealth attack.
Attacks are typically run by crews that take over enough devices to create a larger cryptojacking network which is efficient in generating income. The malware typically resides in compromised versions of legitimate software. Therefore, security scans are less likely to flag it as a threat.
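Because the miner usually hides inside legitimate-looking software, the most reliable place to catch it is on the wire: a miner has to talk to its pool, and it does so over the Stratum JSON-RPC protocol. The following is an added example for this article, not code from any product mentioned here. It scores egress/proxy log lines on a strong indicator (a Stratum method such as `login`, `submit` or `mining.subscribe`) plus weaker ones (a typical pool port, a pool-looking hostname, an XMRig user agent) so that a dev server on port 3333 alone is not flagged. The log format, IPs, hostnames and payloads are constructed for illustration.

```python
"""Heuristic detection of cryptojacking traffic in egress/proxy logs.

Added example for this article, not code from any product it mentions.
The log format, hostnames, addresses and payloads below are constructed;
the Stratum method names and typical pool ports are real but heuristic.
"""
import json
import re

# Stratum JSON-RPC methods: "mining.*" is Stratum v1; "login"/"submit" is the
# CryptoNote (Monero) dialect spoken by XMRig-style miners.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit",
                   "login", "submit", "keepalived"}
# Ports commonly advertised by public mining pools. Weak signal on its own.
POOL_PORTS = {3333, 4444, 5555, 7777, 14444}
# Hostname hints; a real deployment would use a maintained pool blocklist.
POOL_HOST_RE = re.compile(r"(pool|xmr|monero)", re.IGNORECASE)

# Constructed line format: "<ts> src=<ip> dst=<host>:<port> payload=<json>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"payload=(?P<payload>.*)$"
)

def score_line(line):
    """Score one line: 2 for a Stratum method, 1 per weaker indicator."""
    m = LINE_RE.match(line)
    if not m:
        return 0, []
    score, reasons = 0, []
    if int(m["port"]) in POOL_PORTS:
        score += 1
        reasons.append("pool-port:" + m["port"])
    if POOL_HOST_RE.search(m["dst"]):
        score += 1
        reasons.append("pool-host:" + m["dst"])
    try:
        msg = json.loads(m["payload"])
    except json.JSONDecodeError:
        msg = None
    if isinstance(msg, dict):
        method = msg.get("method")
        if method in STRATUM_METHODS:
            score += 2
            reasons.append("stratum-method:" + method)
        params = msg.get("params")
        agent = params.get("agent", "") if isinstance(params, dict) else ""
        if "xmrig" in agent.lower():
            score += 1
            reasons.append("miner-agent:" + agent)
    return score, reasons

def find_cryptojacking(lines, threshold=2):
    """Return {src_ip: [reasons]} for sources whose traffic reaches the threshold."""
    hits = {}
    for line in lines:
        score, reasons = score_line(line)
        if score >= threshold:
            src = LINE_RE.match(line)["src"]
            hits.setdefault(src, []).extend(reasons)
    return hits

# Constructed sample log: one clean host (10.0.0.5), one mining host (10.0.0.7),
# and a dev server on port 3333 that must not be flagged on the port alone.
SAMPLE_LOG = [
    '2024-03-01T10:00:01Z src=10.0.0.5 dst=updates.example.com:443 '
    'payload={"jsonrpc":"2.0","method":"ping","id":1}',
    '2024-03-01T10:00:02Z src=10.0.0.7 dst=pool.example-xmr.net:3333 '
    'payload={"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"44AAAA",'
    '"pass":"x","agent":"XMRig/6.16.0"}}',
    '2024-03-01T10:00:09Z src=10.0.0.7 dst=pool.example-xmr.net:3333 '
    'payload={"id":2,"jsonrpc":"2.0","method":"submit","params":{"id":"1",'
    '"job_id":"a1","nonce":"deadbeef","result":"00ff"}}',
    '2024-03-01T10:00:10Z src=10.0.0.5 dst=10.0.0.9:3333 '
    'payload={"method":"health"}',
    '2024-03-01T10:00:11Z src=10.0.0.5 dst=rpc.example.org:8545 '
    'payload={"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}',
]

if __name__ == "__main__":
    for src, why in find_cryptojacking(SAMPLE_LOG).items():
        print(src, "->", ", ".join(why))
```

Only 10.0.0.7 is reported: its two lines carry a Stratum method, a pool port, a pool-looking host and the XMRig agent. The dev server on port 3333 scores 1 and stays below the threshold, and an Ethereum JSON-RPC call scores 0. In production the same scoring would sit on TLS-terminated proxy logs or on NetFlow plus DNS, and the host list would come from a maintained pool blocklist rather than a regex.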
Back in 2021, the Binance Smart Chain (BSC) protocol PancakeBunny suffered a $200 million flash loan attack, losing over 700,000 BUNNY and 114,000 BNB tokens. The loss was permanent. Such an attack revealed the ugly side of DeFi. Flash loan attacks have been making headlines since DeFi gained popularity in 2020.
Flash loan attacks have become a severe problem in crypto, and specifically in DeFi. In a flash loan attack, a malicious actor takes out a flash loan from a lending protocol and uses the borrowed capital to manipulate a market within a single transaction.
If you are new to crypto, you may wonder what a flash loan is. A flash loan is an uncollateralised loan enforced by a smart contract: the funds are borrowed and must be repaid, with a fee, within the same transaction, otherwise the whole transaction reverts as if it had never happened. Unlike secured loans, which require collateral, the borrower puts nothing up front, because the atomicity of the transaction guarantees the protocol its repayment.
For example, say you want to borrow $2,000 from a bank. Some banks will lend you that on the sole basis of a good repayment record. Now imagine you need a large amount, say $50,000. For large sums, banks usually require collateral such as real estate or a vehicle to protect themselves. A flash loan needs none of that, which is exactly what makes it useful to an attacker: anyone can command an enormous position for the duration of one transaction.
Let's explain it further using the PancakeBunny example. The attacker first flash-borrowed a large amount of BNB through PancakeSwap and used it to manipulate the USDT/BNB and BUNNY/BNB prices in its pools. PancakeBunny's reward logic priced assets from those same pool reserves, so it minted a large amount of BUNNY to the attacker, who dumped it on the market, crashing the price, and then repaid the loan through PancakeSwap. The root cause was using a spot price that a single large swap can move as a price oracle.
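To make the mechanism concrete, here is an added example for this article (not PancakeBunny's or PancakeSwap's code) that simulates a constant-product (x*y=k) pool with a 0.3% fee, as in Uniswap v2-style AMMs. It shows how dumping flash-borrowed BNB skews the spot price by two orders of magnitude for the duration of one transaction, how a vault that values deposits at that spot price over-credits the attacker, what the manipulation actually costs the attacker (only the swap fees on the round trip), and why a time-weighted average price with a deviation check is the usual mitigation. The reserves, loan size and deposit size are constructed.

```python
"""How a flash loan skews a constant-product AMM price, and why reading that
spot price as an oracle is unsafe. Added example for this article; it is not
PancakeBunny's or PancakeSwap's code. Reserves, loan size and deposit sizes
are constructed; the 0.3 % fee and x*y=k rule mirror Uniswap v2-style pools.
"""
from fractions import Fraction as F

FEE = F(997, 1000)   # 0.3 % taken on the input side of every swap

class Pool:
    """x * y = k pool holding BNB (x) and USDT (y)."""
    def __init__(self, bnb, usdt):
        self.bnb, self.usdt = F(bnb), F(usdt)

    def spot_price(self):
        """USDT per BNB read straight from the reserves; a naive oracle."""
        return self.usdt / self.bnb

    def swap_bnb_for_usdt(self, bnb_in):
        eff = F(bnb_in) * FEE
        usdt_out = self.usdt * eff / (self.bnb + eff)
        self.bnb += F(bnb_in)
        self.usdt -= usdt_out
        return usdt_out

    def swap_usdt_for_bnb(self, usdt_in):
        eff = F(usdt_in) * FEE
        bnb_out = self.bnb * eff / (self.usdt + eff)
        self.usdt += F(usdt_in)
        self.bnb -= bnb_out
        return bnb_out

def vault_credit_bnb(usdt_deposit, price):
    """Naive vault logic: credit a USDT deposit in BNB at whatever price it is handed."""
    return F(usdt_deposit) / price

def flash_loan_manipulation(pool, loan_bnb):
    """Dump flash-borrowed BNB into the pool, read the skewed spot price,
    unwind the swap and repay. Returns (skewed_price, bnb_lost_to_fees)."""
    usdt_got = pool.swap_bnb_for_usdt(loan_bnb)
    skewed = pool.spot_price()              # what the vault reads mid-transaction
    bnb_back = pool.swap_usdt_for_bnb(usdt_got)
    return skewed, F(loan_bnb) - bnb_back   # attacker's only cost: swap fees

class TwapOracle:
    """Time-weighted average of block-end prices, the standard mitigation."""
    def __init__(self):
        self.cumulative, self.blocks = F(0), 0

    def observe(self, price):
        self.cumulative += price
        self.blocks += 1

    def price(self):
        return self.cumulative / self.blocks

def spot_is_plausible(spot, twap, max_deviation=F(5, 100)):
    """Hardened read: refuse a spot price more than 5 % away from the TWAP."""
    return abs(spot - twap) <= twap * max_deviation

def demo(loan_bnb=1_000_000, deposit_usdt=1_000):
    pool = Pool(100_000, 30_000_000)        # constructed reserves: 300 USDT/BNB
    oracle = TwapOracle()
    for _ in range(99):                     # 99 quiet blocks at the honest price
        oracle.observe(pool.spot_price())
    honest = pool.spot_price()
    skewed, cost = flash_loan_manipulation(pool, loan_bnb)
    oracle.observe(skewed)                  # even if the skewed block is counted...
    return {
        "honest_spot": honest,
        "skewed_spot": skewed,
        "credit_honest": vault_credit_bnb(deposit_usdt, honest),
        "credit_skewed": vault_credit_bnb(deposit_usdt, skewed),
        "attack_cost_bnb": cost,
        "twap": oracle.price(),             # ...the average barely moves
        "skewed_read_accepted": spot_is_plausible(skewed, oracle.price()),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>22}: {float(value) if isinstance(value, F) else value}")
```

With these numbers the spot price collapses from 300 to about 2.49 USDT per BNB while the loan is in the pool, so the naive vault credits a 1,000 USDT deposit with roughly 120 times as much BNB as it should; the attacker's round trip costs only a few hundred BNB in fees. A TWAP over the preceding blocks stays near 297 even when the skewed block is included, and the 5% deviation check rejects the manipulated read outright. In a real flash loan the whole manipulation happens inside one transaction, so a block-end TWAP would not even see the skewed price; the example counts it to show the worst case.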
Ice phishing is a term that refers to attackers convincing users to sign a transaction that delegates approval of the users’ tokens to malicious actors. Unlike traditional phishing attacks that try to access sensitive information such as passwords or private keys via phishing websites, ice phishing is a scam found only in the Web3 environment.
Because DeFi protocols require investors to sign many token approvals, ice phishing has emerged as a considerable threat. The perpetrator needs the user to believe that the address being granted approval is legitimate. Once the approval is granted, the spender can move the user's tokens without any further signature, and the approval persists until it is explicitly revoked, so the funds are at high risk of being lost.
A real-life example of the ice phishing scam is the 2021 BadgerDAO case. Perpetrators obtained a Cloudflare API key for BadgerDAO's front end and used it to inject malicious scripts into the site. Customers with high account balances were then prompted to sign fake transaction approvals.
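The defence against ice phishing is to read what you are signing. An `approve` or `setApprovalForAll` call is ordinary ABI-encoded calldata, so a wallet, browser extension or transaction simulator can decode it and apply a policy before the user confirms. The following is an added example for this article, not code from any wallet or from BadgerDAO: it decodes the two standard approval selectors from raw calldata without any web3 library, flags unknown spenders and unlimited allowances, and shows the exact-amount approval that a careful user should prefer. The addresses, policy list and calldata are constructed; only the selectors and the ABI layout are standard.

```python
"""Decode an ERC-20 / ERC-721 approval from raw calldata and apply a policy
before signing. Added example for this article, not code from any wallet or
from BadgerDAO; the selectors and ABI layout are the standard ones, everything
else (addresses, policy, calldata) is constructed.
"""

APPROVE          = "095ea7b3"  # approve(address,uint256)         ERC-20
SET_APPROVAL_ALL = "a22cb465"  # setApprovalForAll(address,bool)  ERC-721/1155
UNLIMITED = 2**256 - 1         # the "infinite" allowance many dApps request

def _strip(hexstr):
    h = hexstr.lower()
    return h[2:] if h.startswith("0x") else h

def _word(data, i):
    """i-th 32-byte ABI word after the 4-byte selector, as an int."""
    chunk = data[8 + 64 * i: 8 + 64 * (i + 1)]
    if len(chunk) != 64:
        raise ValueError("calldata too short")
    return int(chunk, 16)

def _address(word):
    """Strict ABI: an address word must have zero padding above 160 bits."""
    if word >> 160:
        raise ValueError("address word has non-zero padding")
    return "0x" + format(word, "040x")

def encode_approval(selector, spender, flag_or_amount):
    """Build the calldata a dApp would ask the wallet to send (test helper)."""
    return ("0x" + selector
            + format(int(_strip(spender), 16), "064x")
            + format(int(flag_or_amount), "064x"))

def decode_approval(calldata):
    """Return {'kind','spender','amount','unlimited'} or None if not an approval."""
    data = _strip(calldata)
    sel = data[:8]
    if sel == APPROVE:
        amount = _word(data, 1)
        return {"kind": "approve", "spender": _address(_word(data, 0)),
                "amount": amount, "unlimited": amount == UNLIMITED}
    if sel == SET_APPROVAL_ALL:
        return {"kind": "setApprovalForAll", "spender": _address(_word(data, 0)),
                "amount": None, "unlimited": _word(data, 1) != 0}
    return None

def check_approval(calldata, trusted_spenders):
    """Policy a wallet or browser extension could apply before the user signs."""
    a = decode_approval(calldata)
    if a is None:
        return "not an approval"
    trusted = {_strip(s) for s in trusted_spenders}
    if _strip(a["spender"]) not in trusted:
        return f"REJECT: {a['kind']} to unknown spender {a['spender']}"
    if a["unlimited"]:
        return f"WARN: unlimited {a['kind']} to {a['spender']}; prefer an exact amount"
    return f"ok: {a['kind']} of {a['amount']} to {a['spender']}"

# Constructed addresses: the router the user actually uses, and an attacker's.
TRUSTED_ROUTER = "0x" + "11" * 20
ATTACKER       = "0x" + "ba" * 20

if __name__ == "__main__":
    calls = [
        encode_approval(APPROVE, TRUSTED_ROUTER, 500 * 10**18),  # exact amount
        encode_approval(APPROVE, TRUSTED_ROUTER, UNLIMITED),     # infinite
        encode_approval(APPROVE, ATTACKER, UNLIMITED),           # ice phishing
        encode_approval(SET_APPROVAL_ALL, ATTACKER, 1),          # NFT variant
        "0xa9059cbb" + "00" * 64,                                # plain transfer
    ]
    for cd in calls:
        print(check_approval(cd, [TRUSTED_ROUTER]))
```

Two caveats a practitioner would add. First, EIP-2612 `permit` approvals are not calldata at all but EIP-712 typed-data signatures, so a wallet must decode the typed message (spender, value, deadline) in the same spirit. Second, an approval you already granted is not undone by ignoring the dApp afterwards: revoke it by sending `approve(spender, 0)` (or `setApprovalForAll(operator, false)`) yourself.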
Smart contracts are agreements written in code. Once deployed they are immutable, which is their tamper-proof promise: nobody can alter the code, but a bug in it cannot be patched in place either. Smart contract logic hacks are a newer class of threat that targets such vulnerabilities.
Such hacks have been used to exploit a number of functions and services, for example, interoperability, project governance, crypto wallet functions, and financial transaction services.
Let's lay down a real-life example. Parity created multi-signature software wallets for managing Ether. These wallets were open-source smart contracts that required more than one private key to approve a transfer, and to save gas each wallet contract forwarded any call it did not recognise to a shared library contract through a delegatecall in its fallback function.
In July 2017 an unknown perpetrator stole about 150,000 Ether, worth approximately $30 million at the time, by exploiting exactly that fallback and delegatecall path. The library's initialisation function could be called through the fallback and had no guard against being invoked on an already-initialised wallet, so the attacker simply re-initialised the wallets with their own address as owner and then transferred the funds out.
Web3 features such as data minimisation, ID portability and user-controlled wallets address some of Web2's dark sides, such as privacy and confidentiality risks, and give users more control over their data and assets. On the other hand, anonymity, pseudonymity and self-sovereign identity (SSI) have a dark side as well.
The transparent and auditable nature of public blockchains comes with several privacy and security trade-offs as well. Apart from the fact that these technologies require complex onboarding processes and education, the new iteration of the internet led to many questions regarding privacy.
For example, which information is stored on chain, and which is stored off chain?
Pseudonymity leaves data gaps for compliance and arguably opens doors to money laundering. At the same time, decentralised identities make it difficult to verify personally identifiable information, which is a problem under contemporary data protection regulations such as the GDPR.
Anonymity is a cool thing until bots cause confusion and the crumbling of social norms. That is a lesson that Web2 taught us. It would be a bit naive to think that removing intermediaries and giving back power to the hands of the users wouldn’t present some kind of trade-off. In the long run, anonymity raises questions of liability and consumer protection.
Many security practices from Web2 can be translated to Web3 such as two-factor authentication, strong passwords, and being cautious and educated when it comes to phishing scams and other threats. Web3 introduced a number of new risks, but there are steps you can take to protect yourself and your valuable assets.
As opposed to keeping assets on a centralised exchange, it is more secure to store digital assets in a self-custody wallet that gives you full control over your private keys. Private keys are typically backed up with a seed phrase, a unique set of 12 or 24 words in a particular order from which every key and address in the wallet is derived. In simple words, it is a human-readable encoding of the wallet's master secret: whoever holds the phrase holds the funds.
For an extra layer of safety, store your recovery phrase offline, in the physical world, and consider keeping multiple copies in different places. Keep in mind that each copy must be stored securely; a photo of the phrase or a copy in cloud storage is as exposed as the phrase itself.
Whether it is ice phishing or traditional phishing, the main rule is to avoid suspicious emails and messages. Many of these attempts look legitimate. Double-check whenever someone asks for your private key, seed phrase, or any kind of permission; no legitimate service needs your seed phrase. You can always contact the company directly through a channel you already trust.
Another option is a hardware wallet, a form of cold storage that keeps the private key on a dedicated device and signs transactions without exposing the key to your computer. Even so, you should keep the device safe, verify every transaction on its own screen before confirming it, and protect yourself from social engineering attempts. Remember that hackers thrive on human weaknesses.
Smart contracts are a relatively new type of technology and they can have errors in their code. Cybercriminals focus on finding errors in smart contract codes to steal funds. Since smart contracts are self-executing, a failure in code could affect end-users negatively.
Most smart contracts are open-source projects and are checked by regular security audits. However, a large portion of users don’t have the required degree of technical knowledge to evaluate code.
Nevertheless, DYOR (Do Your Own Research) is a golden rule of thumb in the crypto world. You can start by double-checking URLs for decentralised services you use and sticking with well-known applications that contain a decent track record of cyber security.