Don’t be afraid, in fact, the world of Web 3.0 is very safe

“The ETH in my wallet is gone!”

Today, DeFiance Capital founder Arthur said on social media that he had been the target of a spear-phishing attack. Arthur opened a PDF attached to an email whose sender address resembled the official address of an asset-management platform that DeFiance Capital works with; this led to the compromise of his hot wallet and the theft of NFTs and other assets worth over 400 ETH.

Seen this way, the world of Web 3.0 hardly looks safe, and our on-chain assets seem to be under threat from every direction. Indeed, at the application layer, on-chain applications must consider not only vulnerabilities in their own logic but also attack paths at the consensus layer of the underlying chain (transaction front-running, for example). We also need to watch the interactive front end closely and guard against phishing links of every kind. The most fatal point is that once a transaction has been finalized on-chain, the cost of rolling it back is extremely high. Taken together, this makes the overall security level of Web3.0 look worse than that of Web2.0.

But from a lower-level perspective, Web 3.0 should in theory be more secure. For example, decentralized parallel execution on-chain gives applications a trustless execution environment; the DoS attacks that commonly hit Web2.0 applications are addressed by the Gas mechanism; and open-source protocols give users the “right” to DYOR (do your own research) before using them, and so on.

This article is by Tal Be’ery, co-founder of the crypto wallet ZenGo. It gives a detailed account of the inherent security advantages of Web3.0 and proposes potential solutions to its current problems. The Rhythm Research Institute has translated the full text:

I know this sounds absurd: after all, Web3 security is a laughing stock in tech right now, and Web3 lost over $10 billion to security breaches last year. However, I think the current situation is a phase rather than a permanent state, and once Web3 applications mature they will outperform many “traditional applications” in terms of security.

Definition of Web3

Before we start discussing Web3 security, we need to define it. We can provisionally define Web3 as applications that rely on “smart contracts”, whose business logic and storage live on the blockchain. Web3 today therefore consists mainly of DeFi applications and NFTs, but it can expand into more areas in the future.


Web3 Triangle

After defining Web3, we can discuss its security, which is mainly the security of smart contracts. For simplicity we will only discuss smart contracts on Ethereum, but I believe the conclusions apply to other similar systems and blockchains as well.

Web3 security has inherent advantages

Imagine a Web3 software environment without malware, denial-of-service attacks and the other familiar attack types. Let’s look at how Web3 comes close to this security utopia:

– Web3 is immune to injection attacks: in traditional web applications, all parameters are sent as strings. This design flaw is the root cause of most traditional web application vulnerabilities, including SQL injection and command injection, which let attackers smuggle unintended input into poorly written web applications. In contrast, because Web3 is strongly typed, such unexpected input (e.g., a string where a number is expected) fails immediately, without the Web3 application having to do anything special to prepare for it.

– Web3 is more resistant to denial-of-service attacks: these attacks are not clever, since they usually rely not on “brain power” but on the “brute force” of botnet armies that flood the target with junk traffic at low cost, yet they remain a major problem for traditional web applications. Web3 applications do not suffer from this, because the blockchain charges transaction fees high enough to prevent overuse, so a DoS attacker cannot even get started.
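To make the strong-typing point concrete, here is an added example (written for this translation, not code from Tal Be’ery’s article): a minimal encoder and strict decoder for Ethereum ABI static types, built around the real `transfer(address,uint256)` selector. The encoder and decoder are deliberately simplified and are not a full ABI implementation.

```python
# Added example (not from the original article): a minimal encoder/decoder for
# Ethereum ABI static types. It shows why a wrongly typed argument cannot be
# "smuggled" into a contract call the way an unchecked string can in a web form.
from typing import Any, List, Tuple

# transfer(address,uint256): first 4 bytes of keccak256 of the signature.
TRANSFER_SELECTOR = bytes.fromhex("a9059cbb")
UINT256_MAX = 2**256 - 1


def encode_arg(abi_type: str, value: Any) -> bytes:
    """Encode one static argument into its 32-byte slot; wrong Python types fail at once."""
    if abi_type == "uint256":
        if isinstance(value, bool) or not isinstance(value, int):
            raise TypeError(f"uint256 expects int, got {type(value).__name__}")
        if not 0 <= value <= UINT256_MAX:
            raise ValueError("uint256 out of range")
        return value.to_bytes(32, "big")
    if abi_type == "address":
        if not (isinstance(value, str) and value.startswith("0x") and len(value) == 42):
            raise TypeError("address expects a 0x-prefixed 20-byte hex string")
        return bytes.fromhex(value[2:]).rjust(32, b"\x00")  # left-padded to 32 bytes
    raise NotImplementedError(abi_type)


def encode_call(selector: bytes, types: List[str], args: List[Any]) -> bytes:
    """Build calldata: 4-byte selector followed by one 32-byte word per static argument."""
    if len(types) != len(args):
        raise TypeError("argument count mismatch")
    return selector + b"".join(encode_arg(t, a) for t, a in zip(types, args))


def decode_args(types: List[str], data: bytes) -> Tuple[Any, ...]:
    """Decode the argument words; calldata of the wrong shape is rejected, not reinterpreted."""
    if len(data) != 32 * len(types):
        raise ValueError("calldata length does not match the signature")
    out: List[Any] = []
    for i, t in enumerate(types):
        word = data[32 * i: 32 * (i + 1)]
        if t == "uint256":
            out.append(int.from_bytes(word, "big"))
        elif t == "address":
            if word[:12] != b"\x00" * 12:
                raise ValueError("address slot has non-zero upper bytes")
            out.append("0x" + word[12:].hex())
        else:
            raise NotImplementedError(t)
    return tuple(out)
```

Passing the string `"1000"` where a `uint256` is expected raises at the encoding step, which is the strongly typed failure mode the paragraph describes; there is no string parsing stage in which the value could be reinterpreted.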

Beyond the above, Web3 shows good security in other areas as well (for example, against software supply chain attacks). But the points above alone are already quite powerful.

Beyond these technical advantages, Web3 also has conceptual security advantages that stem from its complete openness and transparency. Long before Web3, the open-security concept had many advocates in the security field who held that it beats “security through obscurity”. Web3 takes the idea of open security to the extreme: not only is code open source by convention, but by definition the binaries are also public on the blockchain and can be verified as the output of the published source code. Also by definition, all code executions (transactions) are public and can be verified and reviewed by anyone.

Theoretical advantages are not practical advantages

If the security of Web3 is much better than that of traditional applications in theory, why is the security of DeFi applications still inferior to that of traditional banking applications in practice?

I don’t think it’s because Web3 security itself is so poor, but because it operates in such a hostile environment that attackers find it easier to profit from hacking. Web3 applications deal with “liquid funds” all the time, because fund transfers on the blockchain are almost instantaneous and immutable; in the traditional banking system, even if a banking application is hacked, the property involved in the malicious transactions can often be recovered before the attacker cashes out.

Specifically, consider one of the largest bank hacks, the 2016 Bangladesh Bank hack. Attackers used malware to infiltrate the bank and send fraudulent SWIFT wires in an attempt to steal $1 billion. To actually get the $1 billion, the attackers had to pick a specific date that coincided with a bank holiday, giving them enough time to cash out. They also had to arrange ahead of time for a Philippine bank capable of handling large wire transfers, so they could cash out before the wires were reversed. In the end, the attackers got “only” $60 million of the $1 billion, not because the bank’s software was more secure, but because the banking environment gave the defenders enough time to recover the wires.

Therefore, we can conclude that in order to defeat the attacker, we need to buy more time for the defender.

To do this, we need to reduce the time it takes to detect an attack, or extend the window during which a transaction can still be reversed, or both.

I am very optimistic about our community’s ability to improve attack detection time, because some security companies (such as PeckShield) already take advantage of the blockchain transparency and “open security” described above to issue warnings based on public data. Judging from recent hacks and their post-mortem analyses, nothing prevents this analysis from happening in real time as the transaction executes (or even while it is still waiting in the mempool of the execution node). When such an advanced early-warning system is integrated into the contract itself, it may be enough to block such malicious transactions, as recently shown by projects such as
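The two levers described above, faster detection and a longer window for reversal, can be combined in one contract-side design. The following is an added toy model written for this translation, not code from the article or from any project it names: large withdrawals are queued behind a delay, each request is run through a detection check as soon as it is visible, and a guardian can cancel a flagged withdrawal before the delay expires. The thresholds, the denylist entry and the address names are assumptions made up for the example.

```python
# Added example (not from the original article): a toy model of "buying time for
# the defender". Large withdrawals queue behind a delay; detection runs on each
# request; a guardian may cancel a queued withdrawal while its window is open.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DELAY_SECONDS = 24 * 3600           # hold window for large withdrawals (assumed)
INSTANT_LIMIT_WEI = 10 * 10**18     # at or below this, withdrawals settle immediately
DENYLIST = {"0xFlaggedRecipient"}   # constructed placeholder, not a real address

@dataclass
class Withdrawal:
    recipient: str
    amount_wei: int
    ready_at: int                    # unix time when it may execute
    cancelled: bool = False
    executed: bool = False

@dataclass
class DelayedVault:
    balance_wei: int
    queue: Dict[int, Withdrawal] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)

    def request(self, recipient: str, amount_wei: int, now: int) -> Optional[int]:
        """Settle small withdrawals instantly; queue large ones and run detection on them."""
        if amount_wei > self.balance_wei:
            raise ValueError("insufficient balance")
        if amount_wei <= INSTANT_LIMIT_WEI:
            self.balance_wei -= amount_wei
            return None                  # nothing queued, nothing to cancel
        wid = len(self.queue)
        self.queue[wid] = Withdrawal(recipient, amount_wei, now + DELAY_SECONDS)
        # Detection runs on public data the moment the request is visible.
        if recipient in DENYLIST or amount_wei * 2 > self.balance_wei:
            self.alerts.append(f"withdrawal {wid}: {amount_wei} wei to {recipient} looks suspicious")
        return wid

    def cancel(self, wid: int) -> None:
        """Guardian veto; only possible while the withdrawal has not yet executed."""
        if self.queue[wid].executed:
            raise ValueError("already executed; an on-chain settlement cannot be rolled back")
        self.queue[wid].cancelled = True

    def execute(self, wid: int, now: int) -> bool:
        """Pay out a queued withdrawal once its delay has passed and it was not vetoed."""
        w = self.queue[wid]
        if w.cancelled or w.executed or now < w.ready_at or w.amount_wei > self.balance_wei:
            return False
        self.balance_wei -= w.amount_wei
        w.executed = True
        return True
```

The delay turns an otherwise instant, immutable transfer into one the defender has a day to act on; the alert list is where an external monitor of the kind the article describes would plug in.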

Even today, cashing out is not as easy as it seems. Some crypto tokens maintain their own blacklists that freeze the assets of listed users. In addition, to cash out into fiat, attackers usually have to go through centralized exchanges, which are becoming more regulated and are adding KYC (know your customer) and blacklisting features that stop an attack from paying off. As a result, some attackers today prefer to return most of the hacked funds, keep only a small portion, and have that portion recast as a “bug bounty” issued by the hacked application. As with the recently seized Bitfinex hack funds, these hackers have a hard time cashing out large sums of crypto. One thing is certain: cashing out will only get harder.

Conclusion: we will succeed

While Web3’s security is still far from sufficient, as it continues to improve it has the potential to become a security shield for our digital activities. As with most revolutionary technologies, Web3 has so far grown faster in features than in security. In the future, however, with funding from venture capital and from successful Web3 projects, security talent will keep flowing into Web3 from traditional security products. I believe that by then Web3’s security potential can be fully realized.

Web3 and crypto technologies touch many disciplines in computer science and economics, and I only know the security field. I believe Web3 will bring a major breakthrough in security, and I am also convinced it can improve other areas that I do not understand.

Or, in Web3 lingo, WAGMI (we’re all gonna make it!).

Posted by: CoinYuppie. Reprinted with attribution to: