Web3 urgently needs a paradigm shift in its security approach | Opinion
Disclosure: The views and opinions expressed here belong solely to the author and do not represent the views and opinions of crypto.news’ editorial.
In the past twenty years, the banking sector has undergone a transformation in fraud detection and prevention. Initially, fraud analysts acted as old-style investigators, relying on intuition and direct communication, often collaborating with law enforcement to identify and address fraud. With fewer payment options like bank transfers, credit cards, and checks, fraud was simpler to detect and control. Merchants employed secure transaction services to verify cardholder identity, while banks often used blunt, rules-based mechanisms to tackle fraud, ignoring the nuances of cardholder profiles and behavior.
Fast forward to today, and the landscape is dramatically different. The transition to EMV chip cards for Card Present transactions has shifted the focus to online and mobile channels. As payment methods diversified, fraud also evolved, adapting to the digital realm and our hybrid lifestyles. This process necessitated a strategic shift in fraud prevention departments, prompting the adoption of new technologies to detect and prevent emerging threats.
As the banking system in its current configuration is heavily centralized, monolithic, and averse to change, tackling these challenges is not an easy task. Bank infrastructures are accustomed to closed ecosystems where detecting fraud is simpler thanks to the ready availability of customer profiles and habits. The bank does not even need a concept of a malicious actor. In simple words, if someone tries to make an unauthorized payment on your behalf, the bank detects it not because it can identify a bad actor but because it knows you and sees that the payment does not match your behavior.
Now, we’re witnessing similar processes in web3. The disruption brought by web3 opens up numerous vulnerabilities. Currently, the focus is on patching these vulnerabilities through smart contract audits and bug bounties. However, users are often left to fend for themselves against ever-evolving scams and attacks. As in the banking sector, many security measures in web3 are retroactive, focusing on investigating what went wrong rather than preventing it. In addition, it is difficult to create standard profiles for users; the blockchain is liquid, and the same user can use different addresses to perform various tasks, for example, one for holding and one for trading.
User experience in web3
Addressing web3 security issues requires an integrated approach with core infrastructure, much like the evolution of security in the banking and cashless payment industries.
In this environment, expecting every web3 user to navigate the “UX hell” of working with investigation agencies and security solutions is unrealistic. Some users have taken matters into their own hands by installing security extensions to protect their wallets. However, the necessity for such measures indicates a fundamental flaw: security is not the default state in web3, which it should be.
Comparing the current state of web3 to a dangerous street full of criminals, we can see that instead of eliminating the possibility of crime and making the whole street safer, we give body armor to every neighbor and ensure they keep paying taxes. Moreover, simply providing guns or armor to ordinary people will not inherently make them more secure. Any malicious actor with greater street wisdom and gun expertise can easily circumvent these basic self-defense measures, leaving the average person still vulnerable and inadequately protected.
Consider the example of the Angel Drainer attack on Balancer in September 2023. Attackers hijacked Balancer’s DNS, compromising its interface and leading to phishing attacks on users’ wallets. Over 1,500 victims lost a minimum of $350,000. Would installing security extensions or MetaMask snaps on each of these 1,500 wallets have been an effective defense? There is no certainty. Most security solutions are based on blacklists that include addresses of already-known scams.
The outdated security tools
In a sense, most of the protections available are just a modern version of anti-virus: they need to know that a virus exists before they can release protection against it. As we wrote above, the blockchain is liquid: just as a user operates multiple addresses for different purposes, a scammer can switch addresses with the same ease. By the time a scam address has been identified, the scammer already has a new, still undisclosed one. Moreover, detecting a scam with high confidence takes a long time, since it requires human investigation and a critical mass of victims.
We also need to realize that the most defenseless users are those who are not aware they are dealing with a web3 app at all, a situation that will become ever more common as web2 interfaces become the friendly gateway to web3 applications. If web3 natives fall victim to scams, for web2 users it will be a bloodbath.
This looming threat underscores the need for a paradigm shift in how we approach security in the digital realm. In web2, security models focus primarily on reacting to attacks, but web3, where transactions are irreversible, demands a security architecture that emphasizes prevention. Governments’ current focus on anti-money laundering and tax evasion overlooks the need to protect users from scams. There is more concern about the minority involved in illicit activities than about the majority who risk losing their funds to scams.
Let’s consider a few examples. Wallets are not legally responsible for preventing—or at least attempting to prevent—transactions that lead to the total withdrawal of funds. The majority of wallets simply do not prioritize this issue. There is no financial benefit in protecting customers, nor is there any penalty for failing to do so. Decentralized exchanges can trade various types of tokens, including ‘sh*coins’ and ‘memecoins.’ While many of these may be legitimate, albeit lacking in fundamental value, others are explicitly designed to manipulate buyers and orchestrate theft through rug pull or honeypot attacks. A study found that the amount stolen in these scams varied widely, ranging from approximately $3,000 to $12,000,000.
Despite obvious risk patterns, such as anonymous teams or projects with the most liquidity in one wallet, DEXs often do not flag these tokens as dangerous. This situation has led to a dichotomy where web3 projects must either submit to regulations that do not adequately address the risks posed by third parties and bear the full brunt of SEC scrutiny or operate in the shadows, effectively being unaccountable for any harm to users as long as they derive value. There is a pressing need to extend regulatory frameworks to encompass the protection of users from risks not just within the projects themselves but also from those originating externally.
Security in the digital realm of web3
For a genuinely secure web3 environment, security must be integrated into the very fabric of the ecosystem, ensuring users don’t need to arm themselves for protection. We must shift from reactive to proactive security measures, creating a safe and secure environment by default. It is not just a dream; it’s a necessity for sustainable growth and trust in web3 technologies.
The key to achieving this lies in integrating security directly into the core infrastructure of web3. Security should not be an afterthought or an additional layer users must opt into; it must be inherent in the technology itself. This solution requires a collaborative effort from all stakeholders in the web3 ecosystem—from developers and platform providers to regulatory bodies and end users.
Users should create a strong sense of urgency among all web3 builders; they should demand solutions that not only offer basic functionality like swaps or transactions but also take responsibility and ensure protection.
Infrastructure providers, such as those offering Node-as-a-Service, must ensure their systems are fortified against attacks. They should provide secure, reliable access points to the blockchain, ensuring that transactions and data are analyzed and protected at all times and by default. RPC and node providers are the key players here: a single security check deployed at their level reaches all of their customers and, therefore, protects all of those customers’ end users.
We must create the same safe environment by incorporating security at a very low infrastructure level. RPC providers should be the main multipliers of such measures, with transaction security checks as the default state in every RPC API. Imagine if all Ethereum node providers incorporated a security solution ensuring that no malicious transaction is accepted into the mainnet. This bold move would make the entire EVM ecosystem a safer place. It won’t happen until it makes business sense and until proper legislation and priorities take hold in lawmakers’ minds.
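To make the "security check by default in the RPC API" idea concrete, here is an added example (not code from the article or from any RPC provider) of a minimal JSON-RPC gatekeeper. It assumes the provider has already decoded the transaction into `from`/`to`/`value` (real deployments would decode the signed payload of `eth_sendRawTransaction` first), and it combines a blacklist lookup, which only catches already-known addresses, with a behavioural rule that flags a transfer emptying the sending account, which needs no prior knowledge of the attacker. All addresses and balances are constructed sample data.

```python
import json

# Constructed sample data: addresses and balances are made up for this example.
KNOWN_SCAM_ADDRESSES = {"0xbad0000000000000000000000000000000000001"}
# Account state (in wei) that an RPC provider already holds for its users.
BALANCES = {"0xa11ce00000000000000000000000000000000001": 10**18}

# Flag native transfers that move at least this share of the sender's balance.
FULL_DRAIN_RATIO = 0.95


def screen_transaction(tx: dict) -> tuple:
    """Policy check run before a node forwards a transaction.

    `tx` is {"from": str, "to": str, "value": int (wei)}.
    Returns (allowed, reasons). The blacklist check only knows addresses that
    were already reported; the drain check catches a fresh attacker address too.
    """
    reasons = []
    sender, recipient = tx["from"].lower(), tx["to"].lower()
    if recipient in KNOWN_SCAM_ADDRESSES:
        reasons.append("recipient is on the known-scam list")
    balance = BALANCES.get(sender, 0)
    if balance and tx["value"] >= FULL_DRAIN_RATIO * balance:
        reasons.append("transfer would empty the sending account")
    return (not reasons, reasons)


def handle_rpc(request_json: str) -> dict:
    """JSON-RPC 2.0 front door: screens eth_sendTransaction, passes everything else."""
    req = json.loads(request_json)
    reply = {"jsonrpc": "2.0", "id": req.get("id")}
    if req.get("method") != "eth_sendTransaction":
        reply["result"] = "forwarded"          # upstream node call omitted here
        return reply
    params = req["params"][0]
    tx = {"from": params["from"], "to": params["to"], "value": int(params["value"], 16)}
    allowed, reasons = screen_transaction(tx)
    if not allowed:
        # Reject at the RPC layer so the user never has to rely on a wallet plug-in.
        reply["error"] = {"code": -32000, "message": "blocked: " + "; ".join(reasons)}
        return reply
    reply["result"] = "forwarded"
    return reply
```

A never-seen drainer address is not in the blacklist, yet a transaction sending 99% of the account to it is still rejected, while an ordinary small transfer to the same unknown address passes.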
Regulatory bodies play a crucial role; they must broaden their scope to include user protection in the web3 space. Regulations should encourage the implementation of robust security measures while preserving decentralization as the heart of web3. Let’s stop giving body armor to everyone and chasing after tax evaders; instead, let’s focus first on creating a safe environment.
In conclusion, the evolution of web3 security should transition from reactive, isolated measures to proactive, integrated solutions. By embedding security into the core infrastructure and engaging all stakeholders in this effort, we can cultivate a web3 environment that is innovative, decentralized, and, crucially, safe and trustworthy for all users. Committing to this path secures not only our digital assets but also the trust and confidence that are fundamental to the success and growth of this revolutionary space.
Kirill Tiufanov
Kirill Tiufanov is a serial founder of multiple deep-tech companies and is currently the CEO and co-founder of Polyzoa, a dynamic and adoptive security layer for web3 infrastructure providers. Polyzoa protects the web3 ecosystem from scams and threats by offering non-intrusive security to end users, hassle-free integration for projects, and scalable, beneficial solutions for infrastructure providers.