While Q3 of 2022 saw losses down by almost a third compared to the previous quarter, more than $500 million was lost from Web3 protocols over the course of the last three months. Exit scams and flash loan attacks are two of the most common yet most preventable types of exploits we see. Disappointingly, there has been no reduction in the frequency of these incidents over the last few months.
But let’s step back for a second. At this point, it’s become a cliché to say that the internet has revolutionized nearly every facet of our lives. Since the rollout of the World Wide Web to the general public in the 1990s, the ways we work, learn, communicate, shop, sell, and entertain ourselves have permanently changed. Such rapid and radical change has not been without its teething pains as we learn to live with and improve upon the technology we’ve created.
Web3 is the latest iteration of this profoundly revolutionary technology. It promises to rectify many of the problems that have arisen from the corporatization of the internet over the course of the last two decades.
Blockchain technology has the potential to give power back to users in a number of significant ways. Users can secure their data with nearly impossible-to-crack cryptography, choosing whom to give their information to and when. Arbitrary discrimination will become much more difficult, as all users are equal before the rule of immutable, deterministic smart-contract law. And residents of underserved communities will gain access to financial products and services that the developed world takes for granted.
But until Web3 manages to solve its serious security problem, this promise will remain unfulfilled.
This is cause for concern, not despair. Addressing the security issues that plague the world of Web3 is the way forward, the way to bring its liberating power to the greatest number of people possible. Realizing the full potential of Web3 requires everyone in the industry — users and developers alike — to take security seriously.
That starts with understanding the magnitude of the problem.
2022 is on track to be the worst year on record for Web3 security. In 2022, more than $2.5 billion of value was drained from blockchain protocols. This is more than double the amount lost in 2021, which was nearly triple the amount lost the year before that.
Bridges are still the weakest link
Cross-chain bridges continue to be one of the largest sources of losses. The $1.42 billion lost in 2022 in eight separate bridge attacks represents 56% of the year’s losses. And the average loss of $178 million per bridge incident dwarfs the average of $5.83 million lost in non-bridge incidents.
This reflects two fundamental truths. First, there is clearly huge demand for cross-chain infrastructure. Users want to be able to transact seamlessly on multiple blockchains, taking advantage of the unique value propositions each chain offers. However, it’s evident that many current implementations are not up to the standard of security required in the adversarial blockchain space. And since bridges attract such large demand from users, they are also prime targets for attackers looking to maximize their earnings from a successful exploit.
The state of cross-chain bridges reflects the state of the industry as a whole. There are a number of innovative technological concepts in production, such as advanced zero-knowledge proofs or sharding, that aren’t ready to go live just yet. These are groundbreaking new technologies that take time to perfect. Bridges are currently stuck in an awkward middle ground: developed enough to go beyond just an idea, but not quite ready to secure the vast sums they attract.
Lessons (not) learned
In crypto, lessons tend to be learned the hard way. It took just four days from the public disclosure of a vulnerability in a third-party wallet generator tool for it to be exploited to the tune of $160 million. As the saying goes, the worst mistake is one you don’t learn from.
These incidents provide valuable lessons for the whole industry, which is why transparency is so important. Luckily, transparency is one of the core tenets of Web3, and it’s heartening to see the community come together in the wake of an incident to diagnose the vulnerability, rectify it and ensure it doesn’t happen again.
Still, security is a major bottleneck for the industry, and it’s delaying the adoption of Web3. Right now, the repeated losses we see from insufficiently secure protocols mostly hurt retail users and dedicated crypto firms.
But the implications are wider. For this technology to help the most people possible, the current complexity of navigating the world of crypto will need to be abstracted away. This is likely to be done by a new wave of service providers as well as entrenched organizations that understand the benefits of Web3 and recognize the threat it poses to incumbents who are slow to respond. Yet it’s hard to pitch the benefits of Web3 to these organizations when there’s a non-negligible risk of losing all your money or all of your customers’ money.
Again, this should not be seen as a reason to give up; it should be seen as a rallying cry for the entire industry.
The bottom line: Ensuring security evolves alongside technology
Web3 already provides tangible benefits to millions of investors, artists, creators and financially oppressed communities. And the future is even brighter: We’ve only just scratched the surface of what’s possible with this new way of organizing productive energies all around the world.
Any discussion of security would be incomplete without a hat-tip to the projects that do take security seriously, that do protect their users’ funds and do provide real value. These include the blue chip protocols that secure billions of dollars of value and have done so for years without a hitch.
Even during this market downturn, decentralized exchanges are still enabling roughly a billion dollars worth of swaps every single day. And Aave, one of the original DeFi projects, secures $8 billion of value across nearly a dozen blockchains, giving users the power to borrow, lend and utilize their capital most efficiently without ever needing to give their sensitive information to an insecure credit bureau or rely on the potentially discriminatory decision of a mortgage loan officer.
The current prevalence of security incidents is a challenge to the industry, but it’s a more-than-surmountable one. A real and meaningful commitment to security from all participants will ensure that we come out of this battle-hardened and better prepared to show the world the difference this technology can make. It’s a high-stakes, cutthroat environment, but that just means only the strong will survive. And those that do are the projects that can deliver real value to real people even while under constant outside pressure.
That’s the promise of Web3: Decentralized, user-driven services that won’t go dark when you need them most. To deliver on that promise, we need to continue to raise the standard of security across the entire industry, to protect current users and attract the future beneficiaries of this technological revolution.
Ronghui Gu is CEO and cofounder of CertiK.