Web3 isn’t taking cybersecurity seriously enough

I have noticed a clear progression and build-up to the dire situation we are currently facing with crypto cybersecurity

[Image: Midjourney modified by Blockworks]

Back in early 2022, hacks in crypto were certainly not rare, but their magnitude appeared dimmed by overall industry growth, adoption and the innovation of new, cutting-edge projects. 

But the effects of exploits are clearer today than ever before: Q3 was dubbed 2023’s most damaging yet, with over $700 million in losses through various hacks and scams.

Unfortunately, this hasn’t come as a complete surprise, as companies in the crypto space are largely responsible for their own cybersecurity failings.

Private capital investment in Web3 has slowed, with VCs exercising caution in light of the ongoing market headwinds. Companies have transitioned back to building and developing as a priority, with a spotlight on robust and secure infrastructure in a bid to entice financial backing.  

The state of cybersecurity in the crypto and blockchain space over the past five to ten years is far from reassuring. While the concept of blockchain itself is founded on principles of decentralization and cryptographic security, the broader ecosystem surrounding it remains riddled with vulnerabilities. 

Despite the push for increased protections in 2022, cybersecurity is still Web3’s biggest pain point.

The market adapts

In 2022, companies had too few security engineers to audit their infrastructure. They began hiring entire teams of engineers to prevent future hacks, but the market then crumbled and priorities shifted.

Many of the security engineers who were hired to respond to the initial problems were no longer qualified or experienced enough to respond to issues arising from new technologies and new systems. These companies now find themselves with more sensitive information, bigger vulnerabilities in their base code and fewer capable individuals to handle them. We can see this through the emergence of new attack vectors, such as DeFi exploits and supply chain attacks.

Many audit companies have seen significant layoffs as the expertise of many of their teams is no longer adequate. Blanket security services simply do not cover the breadth necessary to properly identify all vulnerabilities. In addition, the market is small and available contracts are shrinking. 

And while cyberattacks have been on a continuous rise since 2022, the “retail” audit market has shrunk significantly from what it was in previous years. As companies are forced to tighten their budgets, they seem to be willing to sacrifice structural integrity for growth. 

In response, we’ve seen the rise of community-driven solutions such as Code4rena and Sherlock, companies that outsource auditing project chunks to outside coders and security engineers. While this is certainly an interesting and resourceful response at a time of need, it is not a long-term solution, as it comes with no small amount of uncertainty and lacks guaranteed quality.

The real differentiator now is who is capable of creating their own, new cybersecurity tools. This is a trend born from Web2, where everyone attempts to establish a cybersecurity ecosystem by scaling their services and product lines. As Web3 matures and evolves, more solutions are required in the same way.

Building habits to safeguard trust

The current state of cybersecurity in the blockchain and cryptocurrency space is a double-edged sword, marked by both progress and persistent challenges. 

On one hand, blockchain technology offers inherent security benefits through its decentralized and immutable ledger, making it difficult for malicious actors to tamper with transaction data. Additionally, cryptographic techniques at the core of cryptocurrencies provide robust protection against counterfeiting. 

However, these advancements in themselves have not guaranteed a secure ecosystem. Vulnerabilities in the surrounding infrastructure — such as wallets, exchanges, smart contracts and the human factor — will continue to expose users to substantial risks.

Companies and CEOs are being too short-sighted, ignoring the necessary follow-through to safeguard the entirety of their systems and confidently secure their own — or worse — their customers’ assets.

There seems to be a fundamental lack of awareness that security in the blockchain space requires a 360-degree approach and consistent follow-up to ensure the growth of a company or product. It’s a mistake for companies to seek out security reviews to address only the one specific vulnerability that led to a hack.

Following notable hacks of the last few years, over half of the companies had not had a security audit. Of those who did seek out an audit, hardly any thought to pursue a follow-up after they made alterations to the code. 

The goal now is to develop good cybersecurity habits to give the industry a chance to bounce back, build on the technology it has introduced and give itself a chance to deliver on its potential. Groups like the Open Web Application Security Project are important for the industry to maintain those good habits with initiatives like outlining cybersecurity standards — something that simply didn’t exist before.

As is the case with any industry, a proven expertise in the subject matter has no substitute. New technologies, such as zk proofs and liquid staking, are primed to integrate with systems throughout the industry — meaning auditing will once again require capable experts who can anticipate these security needs.

Foresight and effective planning in this rapidly evolving industry are also still paramount: No one security review guarantees peace of mind. The industry and the tools that comprise it are constantly evolving, and understanding how to foresee this and plan for regular auditing can go a very long way in mitigating risk. That is what cybersecurity should be all about — mitigating risk as much and as often as possible.


