A lot of Web3 adoption today is sought by Web2 companies that want to add Web3-native features to their existing products. But wait, what does the Web3 revolution bring to the table?
To understand the vitality that Web3 possesses, let’s trace the progression achieved by web iterations over the years.
Web1, popularly called the static web, did not facilitate interaction; companies created static pages for content consumption. Then came Web2, which gave users scope for interaction and the liberty to add and create content on web platforms.
The next phase of maturation hands control over data to users, with no centralized party holding user information. That marks the dawn of Web3!
It is worth taking a moment to look at the security transformations to better understand the infrastructure of the different web versions.
Web1 used the Secure Sockets Layer (SSL) to establish secure communication between browsers and servers. Web2 intermediaries like Google, Facebook, etc., who had access to user information, adopted Transport Layer Security (TLS).
The security of Web3, by contrast, does not rely on database layers but uses smart contracts to manage the logic and state of execution. Placing data control in the user’s hands brought decentralization into play, and with it the need for a whole new level of security measures.
Now is the time when the emphasis is moving from Web2 to Web3, which calls for a comprehensive security comparison of the existing Web2 internet with the newly found Web3 for better clarity.
This blog aims to examine the security aspects in detail. Let’s get into it!
Cybersecurity Concerns In Web2
The second generation of the web, which marked the transition from static web pages to the dynamic web, opened up communication between web communities. Along with the improvements in functionality, many security issues surfaced in Web2.
Though Web3 is far ahead of Web2 in all aspects, it is important to revisit Web2 security to understand how similar attacks are being tried on Web3, causing security breaches.
Architectural Layers Of Web2 Cybersecurity
And so here we go: the top Web2 security vulnerabilities.
Lack of authentication controls: Web2 distributes rights over content to many users rather than to a selected number of authorized people. This gives a less-experienced user a very good chance to negatively influence the overall system.
For example, an attacker can log in to the site posing as an authenticated user to post fake information and carry out unauthorized administrative activities.
Cross-site request forgery (CSRF): The user visits a website that appears normal but contains malicious code that sends requests to an unintended website on the user’s behalf. An example of this is the vulnerability in Twitter that allowed site owners to extract the Twitter profiles of users who visited their website.
Phishing is the greatest headache at all times and the most extensively used attack in both Web2 and Web3, though the attack pattern may vary slightly. Phishing attacks do not rely on a software weakness; the attackers exploit the lack of user awareness instead.
Generally, the attacker sends the victim an email asking for sensitive information, which leads the victim to a fraudulent site and makes the phishing attack effective.
Information integrity: Ensuring data integrity is a crucial element of security, because misleading information creates an impact no less serious than a hack.
For example, Wikipedia, a site used by a large number of people, mistakenly announced the death of Senator Kennedy prematurely. Inaccurate data of this kind causes wider distortion in the consumption of authentic content from the web.
Insufficient anti-automation: Web2’s programmable interfaces made it easier for attackers to automate attacks such as CSRF and the automated retrieval of user information. Information leakage, where sensitive data is inadvertently published on sites, is also common in Web2.
Having looked at the Web2 security threats, let’s see how the Web3 approach aims to resolve the data-related hurdles and take the internet forward.
Web3 has opened up to users a vast arena of opportunities to monetize and interact with their peers without the need for intermediaries. Blockchain networks and smart contracts account for most of the decentralization brought about by this new phase of the internet revolution.
Removing the central point of control in Web3 narrows down the associated attacks and thus contributes to greater security than exists today. Another advantage is the reduction in costs by cutting out the share that goes to intermediaries.
As it favours peer-to-peer interaction, it gives users additional control over their data. The data here is also encrypted with security and privacy in mind, so no information is accidentally leaked to other parties.
Cybersecurity Concerns In Web3
Web3 is no longer an alien concept, as it has already become firmly entrenched among the wider public. In some countries, central banks are even issuing their own virtual currencies (Central Bank Digital Currencies, CBDCs).
This rapid growth, however, also brings novel security threats. Let’s understand the emerging threats of Web3.
Architectural Layer Of Web3 Cybersecurity
Information authenticity – Matter of question
In a decentralized data management infrastructure, the sanctity and originality of information remain a puzzle. There is no accountability for the accuracy of information, so it could also become the biggest source of false information.
Blockchain Vulnerabilities – Inevitable
Blockchain networks are controlled by their nodes. But when malicious actors control more than 51% of the network’s consensus power (the so-called 51% attack), the ever-so-secure blockchain becomes susceptible to manipulation, leading to crypto heists and money theft.
Phishing threats – an evergreen hack
As we discussed earlier, phishing threats are nothing new, but the way they are being used in Web3 is likely to inflict heavy losses. The concept is the same: malicious links are sent to users through emails and fake announcements posted on social media channels like Discord, Instagram, Twitter, etc.
Here are a few instances of phishing attacks. In 2021, cryptocurrency was stolen from 6000 customer accounts at Coinbase; $1.7M worth of NFTs belonging to OpenSea users were lost to phishing attacks; and celebrity profiles were hacked to circulate phishing links. Incidents like these make news headlines every now and then.
Rug Pulls: Rug pulls are more closely associated with DeFi projects, wherein the development team suddenly abandons the investors by withdrawing all of the project’s liquidity. Insufficient research on the project, or FOMO, leads investors to put money into illegitimate projects, only to find their funds gone in a matter of moments.
Web3 Security Threats Inherited From Web2
Having touched upon both Web2 and Web3 security, there are lessons to be learnt from Web2 vulnerabilities to safeguard the future of the internet. Given the decentralized nature of Web3, ensuring the robustness of smart contracts and blockchain protocols is critical.
But Web3 projects still leverage certain Web2 frameworks for additional functionality. Attackers are making use of this and exploiting Web2 vulnerabilities in the Web3 space. Here are a few instances.
Google Tag Manager Exploit
KyberSwap, a decentralized exchange, lost $265,000 due to a Google Tag Manager (GTM) vulnerability. GTM is a tag management system for adding and updating digital marketing tags used for tracking and site analytics.
In the KyberSwap incident, the attacker gained access to its GTM account through phishing and inserted malicious code. The result was a compromised front end, which led to the dollar loss. The underlying cause was phishing.
Domain Name System Exploit
In 2022, yet another Web2 vulnerability brought a $570,000 loss to Curve Finance, a decentralized exchange. This time it was Domain Name System (DNS) cache poisoning, which redirected users to a fake copycat site instead of the genuine Curve Finance site.
DNS is the system that resolves the domain name a user types into the address of the server hosting that site. By poisoning the DNS and serving a replica of the Curve Finance site, the attacker tricked users into visiting the copy and approving the malicious contract on its home page. Once the approvals were granted in users’ wallets, their funds were drained, amounting to about $570,000 altogether.
So, the takeaway is to be mindful of Web2 security vulnerabilities while launching projects in the Web3 space.
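Both the OpenSea and the Curve incidents above end the same way: the victim signs a token approval that hands an attacker-controlled contract the right to move their assets. As an added example, not code from the original post or from either project, here is a wallet-side check that decodes the calldata of a pending transaction and flags that shape before the user signs. The two function selectors are the real ERC-20/ERC-721 ones; the spender addresses, the page origin, and the per-site allowlist of expected contracts are constructed for the illustration, and the allowlist itself is this example’s mitigation rather than something the post describes.

```javascript
// Added example (not from the original post): decode token-approval calldata
// before signing and flag the pattern phishing sites rely on, namely an
// approve()/setApprovalForAll() that hands an unknown spender the right to
// move the victim's assets. Runs offline in Node.js; no libraries needed.

// Real 4-byte selectors (first 4 bytes of keccak256 of the canonical signature).
const SELECTORS = {
  "095ea7b3": "approve(address,uint256)",        // ERC-20 (and ERC-721 single token)
  "a22cb465": "setApprovalForAll(address,bool)", // ERC-721 / ERC-1155 operator approval
};
const UINT256_MAX = (1n << 256n) - 1n;

function normalizeHex(data) {
  const hex = data.startsWith("0x") ? data.slice(2) : data;
  if (!/^[0-9a-fA-F]*$/.test(hex)) throw new Error("calldata is not hex");
  return hex.toLowerCase();
}

// ABI arguments are 32-byte words following the 4-byte selector.
function wordAt(hex, i) {
  const word = hex.slice(8 + 64 * i, 8 + 64 * (i + 1));
  if (word.length !== 64) throw new Error(`calldata truncated at word ${i}`);
  return word;
}

// An address occupies the low 20 bytes of its word; the high 12 must be zero.
function decodeAddress(word) {
  if (!/^0{24}/.test(word)) throw new Error("address word has non-zero padding");
  return "0x" + word.slice(24);
}

// Returns the decoded approval, or null when the call is something else.
function decodeApproval(calldata) {
  const hex = normalizeHex(calldata);
  const sig = SELECTORS[hex.slice(0, 8)];
  if (!sig) return null;
  const spender = decodeAddress(wordAt(hex, 0));
  const arg1 = BigInt("0x" + wordAt(hex, 1));
  if (sig.startsWith("approve(")) {
    return { fn: "approve", spender, amount: arg1, unlimited: arg1 === UINT256_MAX };
  }
  return { fn: "setApprovalForAll", spender, approved: arg1 === 1n };
}

// Encoder used only to build the constructed sample transactions below.
function encodeApprove(spender, amount) {
  const addrWord = spender.slice(2).toLowerCase().padStart(64, "0");
  const amountWord = amount.toString(16).padStart(64, "0");
  return "0x095ea7b3" + addrWord + amountWord;
}

// tx = { to, data, pageOrigin }; knownSpenders maps a site origin to the
// contract addresses that site is legitimately expected to request approvals for.
// A copycat page served under the real origin (as DNS poisoning allows) fails
// this check because its spender is not on the origin's list.
function assessApproval(tx, knownSpenders) {
  const decoded = decodeApproval(tx.data);
  if (!decoded) return { risk: "none", decoded: null, reasons: [] };
  const reasons = [];
  const trusted = (knownSpenders[tx.pageOrigin] || []).map((a) => a.toLowerCase());
  if (!trusted.includes(decoded.spender)) {
    reasons.push(`spender ${decoded.spender} is not a known contract for ${tx.pageOrigin}`);
  }
  if (decoded.fn === "approve" && decoded.unlimited) {
    reasons.push("unlimited ERC-20 allowance requested");
  }
  if (decoded.fn === "setApprovalForAll" && decoded.approved) {
    reasons.push("operator approval over every token in the collection");
  }
  return { risk: reasons.length ? "high" : "low", decoded, reasons };
}

// Constructed demo: the same origin asks once for an unlimited approval to an
// unknown contract (phishing) and once for a bounded approval to a known one.
const KNOWN_SPENDERS = { "https://dex.example": ["0x" + "11".repeat(20)] }; // constructed
function demo() {
  const attacker = "0x" + "ba".repeat(20);                                   // constructed
  const token = "0x" + "cc".repeat(20);                                      // constructed
  const phishing = { to: token, data: encodeApprove(attacker, UINT256_MAX), pageOrigin: "https://dex.example" };
  const legit = { to: token, data: encodeApprove("0x" + "11".repeat(20), 1000n), pageOrigin: "https://dex.example" };
  return { phishing: assessApproval(phishing, KNOWN_SPENDERS), legit: assessApproval(legit, KNOWN_SPENDERS) };
}

console.log(demo());
```

The decoder only understands the two approval shapes; everything else returns `null` and is rated `none` so the wallet can fall through to its normal flow. Unlimited allowances and blanket operator approvals are flagged even for a known spender, because they are what turns a single phishing signature into a full drain.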
Why are projects entering from Web2 to Web3?
“The Web3 use cases are mostly promoted as offerings within the Web2 use cases already in distribution,” says an expert.
Many users now prefer not to live in a world with bad UX, but rather want complete control over their data. Web2 companies are finding many interesting bits and pieces in Web3 that appeal more to users, and want to inherit them in their platforms.
For example, brands like Facebook and Twitter have introduced NFTs into their platforms, having realized their potential use cases. The current trend is that Web2 companies drive Web3 adoption much more.
Hear Out What The Numbers Have Got To Say On The Status Of Web3 Security
- The most common hacking techniques in Web3 continue to be contract vulnerability exploits, which account for 45.8%, and flash loan attacks.
- Losses from rug-pull incidents in 2022 alone amounted to approximately $34,266,403, and more instances of phishing attacks were observed in Discord servers.
- Half of the attacked projects have not been audited.
Do We Have A Choice For Mitigating Risks And Ensuring Web3 Security?
Why not? There are ample practices to curb the occurrence of security breaches, and that is the best part about Web3. Web3 has already marked its prominence, and its pressing concerns extend the scope for strengthening security and effectiveness.
Engage In Security-by-design Principles
While structuring the product and its frameworks, developers should adopt a security mindset: minimize the attack surface, ship secure defaults, apply zero-trust principles, and so on.
Paying Attention To Web3 Market Dynamics
Web3 is about more than technology and includes several legal, cultural and economic dynamics that should be considered before adopting certain configurations and integrations.
Collaborating Intelligence With Leading Security Resources In The Industry
Collaborating with industry peers or attending cyber-risk management programs helps increase awareness of emerging threats and how to mitigate them. Security guidance published on open platforms like GitHub or OODA Loop can be put to good use.
Independent Analysis And Audit Of Smart Contract Code
After development is complete, the code should be evaluated to address faults beforehand rather than in the heat of an incident. Auditing services give specialized attention to attack vectors, privacy protections, etc., in the code, which the project team tends to overlook while developing.
How QuillAudits Helps You Securely Enter The Next Reality Of The Internet
QuillAudits is a one-stop destination for Web3 cybersecurity solutions. Our service offerings stretch extensively to secure Web3 projects and investors from all angles. Here’s an overview of the diversified services that we provide.
Smart contract Audits
We follow a comprehensive approach to auditing smart contracts developed for different blockchains like Ethereum, Solana, Polygon, etc., employing state-of-the-art techniques to investigate the code for security flaws and potential vulnerabilities.
After the review, our auditing experts share a detailed report along with security recommendations to overcome the potential risks in the smart contracts, thereby increasing the likelihood of the project’s success.
Since the booming Web3 space is not well regulated, rug pulls are quite common, leaving investors with worthless tokens. Our due diligence services offer protection against rug pulls by thoroughly researching the project and recommending safer investment options.
Our KYC services involve a background check on the project to confirm its legitimacy, which helps owners establish their project’s reputation and showcase it to their communities.
What can web3 do that web2 cannot?
The most significant benefit of Web3 over Web2 is complete control over one’s data. Web3 opens up to users a vast arena of opportunities to monetize and interact with their peers without the need for intermediaries.
Is Web3 secure?
Since Web3 applications store information on a distributed ledger, they are more secure than traditional applications. However, there are threats specific to Web3 that can be mitigated by following the right practices. Know more about this by reading the blog.
What are the concerns about web2 that web3 addresses?
Though there are several advantages to using Web2, there are issues like unequal access, information control, copyright, privacy, security, etc. Web3 tries to resolve all of them through blockchain technology.
Why is Web3 the future?
Many users now prefer not to live in a world with bad UX, but rather want complete control over their data. Web2 companies are finding many interesting bits and pieces in Web3 that appeal more to users, and want to inherit them in their platforms.