Security Risks Facing Web3 Developers
Security vulnerabilities and data breaches continue to plague application developers. As long as there are bugs, this is unlikely to change. The Identity Theft Resource Center reports that 2021 represented an all-time high for reported data compromises. Open source took a beating from the Log4j incident at the end of last year. Web3 is not immune to security challenges and, indeed, it may be surfacing new ones as more decentralized applications (dApps) emerge.
In an interview for The New Stack, I asked Ryan Spanier of Kudelski Security to highlight some of the key challenges facing Web3 developers. He said, “One of the biggest challenges is balancing the time to do security well versus the demands to shorten time to market. FOMO [fear of missing out] drives developers and teams to capture markets as quickly as possible because generally, the first viable project to provide a necessary function in blockchain has massive overnight success.”
Web3 architecture is different from traditional IT and cloud deployments. One of the big differences is the financial incentives associated with an attacker finding a Web3 exploit.
“In Web 2.0,” explained Spanier, “they [attackers] had access to sites and services, but less clear paths to monetary gain (at least initially). There is also a significant total value locked in blockchain applications that can be attacked directly, even on chains that are, in some cases, only months old. This provides an environment with plenty of incentives for attackers and a huge surface area to secure in a short amount of time.”
A Notable Web3 Security Breach
Blockchains have already seen some significant security breaches during the relatively short lifespan of the underlying technologies. One recent incident involved the Wormhole bridge, an interoperability protocol that allows users and decentralized applications to move assets between blockchains. Due to a vulnerability in the way a smart contract function was implemented, a malicious actor was able to mint 120,000 ETH (approximately $360 million as of this writing) by exploiting a bridge to the Solana blockchain.
@kelvinfichter has an excellent thread breaking down how this exploit works that will make sense even if you’re brand new to smart contracts.
Alright. I figured out the Solana x Wormhole Bridge hack. ~300 million dollars worth of ETH drained out of the Wormhole Bridge on Ethereum. Here’s how it happened.
— smartcontracts (@kelvinfichter) February 3, 2022
I had wrongly viewed exploits like the one targeting Wormhole as victimless crimes. After all, if a compromise manifests some artificial currency, who gets hurt? The reality is very different. “Wrapped Ethereum” (wETH), which is a version of ETH, was removed from the Wormhole bridge, meaning that users who had legitimately created bridge transactions would find their wETH gone when they tried to recover it. An investment firm, Jump Crypto, came to the rescue with funding to help protect the ecosystem (and, no doubt, its own investments in the ecosystem).
.@JumpCryptoHQ believes in a multichain future and that @WormholeCrypto is essential infrastructure. That’s why we replaced 120k ETH to make community members whole and support Wormhole now as it continues to develop.
— Jump Crypto 🦬 (@JumpCryptoHQ) February 3, 2022
Spanier highlights some key questions developers should be asking as part of their release process: “Is it worth a 2-3 month delay in release to get a third-party code audit? What about slowing down development to ensure adequate review of all critical code changes before a commit? It’s really tough to balance, and investors see and expect quick returns.”
If investors need to routinely bail out Web3 projects to the tune of hundreds of millions of dollars, they may be willing to accept a slower development cycle in exchange for fewer exploits. Even so, there are still challenges that intermediary protocols like Wormhole face.
“If your application creates intermediate currencies that are redeemable for ‘real’ assets,” said Spanier, “then you may be vulnerable to attacks that exploit this process if there are logic or code errors. This could be true of any application that decouples an actual asset and a representative asset. Any dApp project with this model must ensure absolute consistency across their different ledgers. This is not a trivial process.”
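The consistency requirement described above can be checked continuously by replaying both ledgers and comparing them. The following is an added example, not code from the article, from Spanier or from the Wormhole project; the event names (lock, mint, burn, release), the transfer_id field and the sample data are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    kind: str         # "lock"/"release" on the source chain, "mint"/"burn" on the destination
    transfer_id: str  # hypothetical ID linking the two sides of one bridge transfer
    amount: int       # integer base units, so totals never suffer float rounding

def reconcile(events):
    """Replay both ledgers in order and return (transfer_id, finding) pairs."""
    locked, burned = {}, {}   # transfers waiting for their counterpart event
    collateral = supply = 0   # real assets held vs. wrapped tokens outstanding
    under = False             # report under-collateralization once, on transition
    findings = []
    for e in events:
        if e.kind == "lock":
            locked[e.transfer_id] = e.amount
            collateral += e.amount
        elif e.kind == "mint":
            # Each lock backs exactly one mint of the same amount; a replay finds none.
            if locked.pop(e.transfer_id, None) != e.amount:
                findings.append((e.transfer_id, "mint without matching lock"))
            supply += e.amount
        elif e.kind == "burn":
            burned[e.transfer_id] = e.amount
            supply -= e.amount
        elif e.kind == "release":
            if burned.pop(e.transfer_id, None) != e.amount:
                findings.append((e.transfer_id, "release without matching burn"))
            collateral -= e.amount
        if supply > collateral and not under:
            findings.append((e.transfer_id, "wrapped supply exceeds collateral"))
        under = supply > collateral
    return findings

# Constructed sample: one honest round trip plus a mint that no lock backs.
SAMPLE = [
    Event("lock", "t1", 5), Event("mint", "t1", 5),
    Event("mint", "t2", 120),
    Event("burn", "t1", 5), Event("release", "t1", 5),
]

if __name__ == "__main__":
    for transfer_id, finding in reconcile(SAMPLE):
        print(transfer_id, finding)
```

A monitor like this only detects a broken invariant after the fact; the same rule (no mint without a verified lock) also has to be enforced in the contract logic itself.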
Onboarding Security Professionals to Web3
One of the challenges to securing dApps in the new Web3 world is engaging security professionals in a meaningful way. A number of the cybersecurity experts I follow on Twitter have been dismissive of Web3 and blockchain technologies as fads at best and scams at worst. I asked Spanier what it will take to get more of these folks to engage with Web3.
“For security professionals, here’s some advice to figure out if blockchain security interests you,” he replied. “Treat your initial plunge as an exploratory journey. Look at different security issues that have manifested themselves in the past, be they with smart contracts or core blockchains. These projects are mostly open, so you can look at their GitHub issues and patches. Review vulnerability write-ups and deconstructions of previous attacks. Projects affected by a compromise will typically post detailed write-ups. This would be a good start.”
There’s a lesson for developers here too. Because so much of what’s being developed for Web3 is done in a very public way, there’s an opportunity to avoid the mistakes of others. As you develop, consider making a review of mistakes made by others a part of your release process. All code has the potential for bugs, but if you can learn from someone else’s mistakes, you just might avoid making a nine-figure one of your own.