Web3 isn’t taking cybersecurity seriously enough
Back in early 2022, hacks in crypto were certainly not rare, but their magnitude appeared dimmed by overall industry growth, adoption and the innovation of new, cutting-edge projects.
But the effects of exploits are clearer today than ever before: Q3 was dubbed 2023’s most damaging yet, with over $700 million in losses through various hacks and scams.
Unfortunately, this hasn’t come as a complete surprise, as companies in the crypto space are largely responsible for their own cybersecurity failings.
Private capital investment in Web3 has slowed, with VCs exercising caution in light of the ongoing market headwinds. Companies have transitioned back to building and developing as a priority, with a spotlight on robust and secure infrastructure in a bid to entice financial backing.
The state of cybersecurity in the crypto and blockchain space over the past five to ten years is far from reassuring. While the concept of blockchain itself is founded on principles of decentralization and cryptographic security, the broader ecosystem surrounding it remains riddled with vulnerabilities.
Despite the push for increased protections in 2022, cybersecurity is still Web3’s biggest pain point.
The market adapts
In 2022, companies had too few security engineers to audit their infrastructure. Even as they hired entire teams of engineers to prevent future hacks, the market then crumbled and priorities shifted.
Many of the security engineers who were hired to respond to the initial problems were no longer qualified or experienced enough to respond to issues arising from new technologies and new systems. These companies now find themselves with more sensitive information, bigger vulnerabilities in their base code and fewer capable individuals to handle them. We can see this
through the emergence of new attack vectors, such as DeFi exploits and supply chain attacks.
Many audit companies have seen significant layoffs as the expertise of many of their teams is no longer adequate. Blanket security services simply do not cover the breadth necessary to properly identify all vulnerabilities. In addition, the market is small and available contracts are shrinking.
And while cyberattacks have been on a continuous rise since 2022, the “retail” audit market has shrunk significantly from what it was in previous years. As companies are forced to tighten their budgets, they seem to be willing to sacrifice structural integrity for growth.
In response, we’ve seen the rise of community-driven solutions such as Code4rena and Sherlock, companies that outsource auditing project chunks to outside coders and security engineers. While this is certainly an interesting and resourceful response at a time of need, it is not, however, a long-term solution, as it comes with no small amount of uncertainty and lacks guaranteed quality.
The real differentiator now is who is capable of creating their own, new cybersecurity tools. This is a trend born from Web2, where everyone attempts to establish a cybersecurity ecosystem by scaling their services and product lines. As Web3 matures and evolves, more solutions are required in the same way.
Building habits to safeguard trust
The current state of cybersecurity in the blockchain and cryptocurrency space is a double-edged sword, marked by both progress and persistent challenges.
On one hand, blockchain technology offers inherent security benefits through its decentralized and immutable ledger, making it difficult for malicious actors to tamper with transaction data. Additionally, cryptographic techniques at the core of cryptocurrencies provide robust protection against counterfeiting.
However, these advancements in themselves have not guaranteed a secure ecosystem. Vulnerabilities in the surrounding infrastructure — such as wallets, exchanges, smart contracts and the human factor — will continue to expose users to substantial risks.
Companies and CEOs are being too short-sighted, ignoring the necessary follow-through to safeguard the entirety of their systems and confidently ensure their own — or worse — their customers’ assets.
There seems to be a fundamental lack of awareness that security in the blockchain space requires a 360-degree approach and consistent follow-up to ensure the growth of a company or product. It’s a mistake for companies to seek out security reviews to address only the one specific vulnerability that led to a hack.
Following notable hacks of the last few years, over half of the companies had not had a security audit. Of those who did seek out an audit, hardly any thought to pursue a follow-up after they made alterations to the code.
The goal now is to develop good cybersecurity habits to give the industry a chance to bounce back, build on the technology it has introduced and give itself a chance to deliver up to its potential. Groups like the Open Web Application Security Project are important for the industry to maintain those good habits with initiatives like outlining cybersecurity standards — something that simply didn’t exist before.
As is the case with any industry, a proven expertise in the subject matter has no substitute. New technologies, such as zk proofs and liquid staking, are primed to integrate with systems throughout the industry — meaning auditing will once again require capable experts who can anticipate these security needs.
Foresight and effective planning in this rapidly evolving industry are also still paramount: No one security review guarantees peace of mind. The industry and the tools that comprise it are constantly evolving, and understanding how to foresee this and plan for regular auditing can go a very long way in mitigating risk. That is what cybersecurity should be all about — mitigating risk as much and as often as possible.
Sipan Vardanyan is co-founder and CEO of Hexens, a cybersecurity solutions firm securing the world’s next-generation organizations by combining research and attacker mentality to reduce risk and fortify code.