Staying safe in web3: your guide to dapps security
As web3 grows, so do the risks associated with decentralized applications (dapps). Here, we share practical advice to mitigate these risks.
At the forefront of emerging web3 technologies are decentralized applications, often called dapps. They use interlinked smart contracts, code that runs on a blockchain, to carry out specific tasks within the app. They act as a bridge between the current Internet (Web 2.0) and the developing web3.
Dapps leverage blockchain technology’s inherent security, transparency, and indelibility to empower users with enhanced privacy and greater control over their data and digital assets. They function as the blockchain counterpart of traditional apps, covering social media, finance, gaming, and more.
Though the way you use a dapp might look similar to regular apps, what’s happening behind the scenes is different. Instead of being stored on one big server, dapps are spread across many computers called “nodes” on a blockchain network.
The swift expansion of web3 has transformed the technological terrain. Yet, it’s also brought new security challenges.
Risks and vulnerabilities in web3 and dapps
Amongst the most prominent security risks associated with web3 and decentralized applications are phishing attacks. These occur when malicious actors create fraudulent websites or social media accounts to trick users into disclosing their private keys or other confidential information.
Another closely related threat is social engineering, a deceptive method cybercriminals use to trick users into sharing their login credentials.
Some security shortcomings stem from the interaction between web3 and Web 2.0 infrastructures, while others are inherent to protocols like blockchain and IPFS (InterPlanetary File System).
Web3 relies on network consensus, which can slow down fixing these and other vulnerabilities.
Some main security risks include:
- Unencrypted and unverified API queries: Despite widespread awareness of the risks of sharing personal information with unverified sources, web3 applications often depend on API calls and responses that do not authenticate either end of the connection. Web3 proposes complete decentralization, with any network node able to interface with stored data directly. However, web3 application front-ends still rely on Web 2.0 technologies for user interaction. Many web3 API queries are not cryptographically signed, leaving the door open for on-path attacks, data interception, and other threats.
- Protocol and bridge attacks: Not all web3 is built directly on a blockchain. Several networks have platforms referred to as layer-2 (L2) constructed on top of them. In addition, since blockchains often operate in silos, developers have created protocols called bridges that enable communication between different networks. Attackers target both L2 protocols and bridges, which they regard as points of weakness.
- Centralized exchanges (CEXs): While centralized exchanges offer convenience for crypto traders, they are often a target for hackers due to the large volume of funds they hold. There have been several instances where CEXs have fallen prey to cyber-attacks, causing significant losses for their users.
- Account and mobile wallet theft: Stories of crypto or NFT wallet attacks are familiar in the media. These attacks usually occur when hackers gain access to users’ private keys or trick users into handing them over through phishing.
- Malware and keyloggers: These are software tools used by hackers to illicitly access user credentials and private keys.
- Privacy issues with decentralized data storage: Unlike the highly restricted access to databases in the Web 2.0 model, any connected node can access data on a blockchain. This raises numerous security and privacy issues, even if the data is anonymized.
- Delayed updates: The decentralized nature of web3 makes it challenging to swiftly issue security fixes. The entire network needs to approve any changes, which prolongs the presence of security flaws, even after they’re detected.
- Security vulnerabilities in smart contracts: Smart contracts, like any code, can house significant security flaws that could expose user data or funds. Flawed smart contracts have enabled hackers to steal substantial amounts of crypto in recent times.
Smart contract risks: What do experts say?
On Nov. 17, 2023, blockchain security platform Immunefi unveiled its report on the root causes of the most damaging vulnerabilities in web3.
The report, announced at Web Summit 2023, attended by crypto.news, introduces a new vulnerability classification standard for web3. The research indicates that the root causes of hacks fall into three discernible categories:
- Design failures in smart contracts
- Poor coding of the contracts
- Infrastructure weaknesses
While smart contract protocols often receive ample attention, Immunefi pointed out that the danger might lie in the overlooked infrastructure level.
According to the report, almost half of all monetary losses from hacks in 2022 were caused by infrastructure issues such as poor private key handling. Moreover, it found that nearly 37.5% of all incidents were due to developer mistakes in smart contracts concerning access control, input validation, and arithmetic operations.
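The three developer-mistake classes the report names (access control, input validation and arithmetic) can be shown side by side in a small model. The following is an added example, not code from Immunefi or the article, written in Python to stay runnable offline: uint256 is emulated with a bit mask, the vault names and balances are constructed, and the unchecked class mirrors pre-0.8 Solidity wrapping semantics while the checked class adds the guards a reviewer would expect.

```python
# Constructed model of a token vault; nothing here touches a real chain.
UINT256_MAX = 2**256 - 1


class ContractRevert(Exception):
    """Stands in for a Solidity revert()."""


def require(condition: bool, reason: str) -> None:
    if not condition:
        raise ContractRevert(reason)


def reverts(fn, *args) -> bool:
    """Return True if calling fn(*args) reverts, False if it succeeds."""
    try:
        fn(*args)
    except ContractRevert:
        return True
    return False


class UncheckedVault:
    """Wrapping arithmetic, no owner check, no input check: the three mistake classes."""
    def __init__(self, owner: str):
        self.owner, self.paused, self.balances = owner, False, {}

    def deposit(self, caller: str, amount: int) -> int:
        self.balances[caller] = (self.balances.get(caller, 0) + amount) & UINT256_MAX  # may wrap
        return self.balances[caller]

    def withdraw(self, caller: str, amount: int) -> int:
        # No balance check: 0 - 1 wraps to UINT256_MAX, crediting the caller with a huge balance.
        self.balances[caller] = (self.balances.get(caller, 0) - amount) & UINT256_MAX
        return self.balances[caller]

    def pause(self, caller: str) -> None:
        self.paused = True  # anyone can pause: missing onlyOwner-style check


class CheckedVault(UncheckedVault):
    """Same storage, with explicit checks on every state change."""
    def deposit(self, caller: str, amount: int) -> int:
        require(not self.paused, "paused")
        require(0 < amount <= UINT256_MAX, "invalid amount")                          # input validation
        require(self.balances.get(caller, 0) + amount <= UINT256_MAX, "overflow")     # arithmetic
        return super().deposit(caller, amount)

    def withdraw(self, caller: str, amount: int) -> int:
        require(not self.paused, "paused")
        require(amount > 0, "invalid amount")                                          # input validation
        require(self.balances.get(caller, 0) >= amount, "insufficient balance")        # arithmetic
        return super().withdraw(caller, amount)

    def pause(self, caller: str) -> None:
        require(caller == self.owner, "not owner")                                     # access control
        super().pause(caller)
```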
The platform’s CEO, Mitchell Amador, emphasized that even a well-designed smart contract could be compromised if the underlying infrastructure is vulnerable, leading to substantial losses.
“Blockchains are open and permissionless environments. That means you are not just protecting against someone who has managed to sneak into your infrastructure like you were in traditional web, you’re protecting against anybody who can see your contracts, anybody who can mess with your product.”
Mitchell Amador, CEO of Immunefi
Sharing his thoughts with crypto.news, Alex Dulub, founder of Web3 Antivirus, a blockchain security firm, pointed out that the real threat for web3 and decentralized apps lies in vulnerabilities arising from incomplete smart contract logic. According to him, while developers may use specific requirements to define how smart contracts work, there’s always a risk of them being used in unintended ways.
Dulub noted that hackers are being more creative, experimenting with smart contracts and projects, searching for inconsistencies to exploit.
“Unfortunately, detecting such complex issues with automatic tools or analyzers is nearly impossible. The best approach? Consider rigorous testing, careful logic development, analysis of all potential usage scenarios, thorough auditing, and implementing a bug bounty program.”
Alex Dulub, founder of Web3 Antivirus
His concern was echoed by Sipan Vardanyan, co-founder and CEO of cybersecurity firm Hexens, who said that a hacker’s job is to find what is not intended and to create new and more sophisticated vectors of attack.
“Just knowing what’s happening out there is absolutely crucial because it’s a small field and news travels fast, so all you have to do is keep your hand on the pulse.”
Sipan Vardanyan, CEO of Hexens
The current state of dapp security
Immunefi’s report shows that from January to October 2023, the web3 sector saw financial setbacks of more than $1.4 billion caused by 292 separate instances of fraud and hacking.
The report also indicated that hacks, rather than fraud, accounted for the bulk of financial losses.
In October 2023, analysts attributed about $16 million in losses to hacking incidents, with defi platforms the primary target for hackers and fraudsters.
Overall, in the third quarter of 2023, Immunefi’s analysis identified 74 hacks and scams, leading to a total loss across the web3 ecosystem of $685 million.
That figure comprised $662 million lost in 47 hacking incidents and $22 million in 27 incidents of fraud. Two projects, the Mixin Network and Multichain, accounted for most of the losses in Q3 2023, at $200 million and $126 million, respectively.
Per Immunefi, the figures reflect an almost 60% surge compared to Q3 2022, when bad actors made off with about $428 million.
The Mixin and Multichain heists comprised more than 47% of all losses in the third quarter of 2023. In that period, hacking was the primary cause of losses, accounting for 96.7% in comparison to scams, frauds, and rug pulls, which made up only 3.3% of stolen funds.
Additionally, attackers targeted Ethereum (ETH) and BNB Chain (BNB) the most, with Ethereum suffering 33 incidents, while BNB Chain faced 25.
There was also a significant spike in the number of web3 attacks, with the number of individual incidents increasing 147% year-on-year, from 30 to 74, in Q3 2023.
Overall, the quarter saw the highest losses of 2023, most of them stemming from attacks attributed to the Lazarus Group, which reports allege is behind high-profile attacks on CoinEx, Alphapo, Stake, and CoinsPaid.
In the attacks, the North Korea-linked group stole $208,600,000, representing 30% of the total losses in Q3 2023.
From a year-to-date perspective, the crypto ecosystem reported losses of $1,410,669,002 across 292 incidents. The third quarter of 2023 was particularly severe, with losses exceeding $340 million in September and $320 million in July.
How to protect yourself in the web3 space
Here are the measures web3 users can take to protect themselves and their assets from bad actors:
- Stay vigilant against impersonation. Such attempts are a sad reality in the web3 world, and overlooking them can lead to serious consequences.
- Keep track of your account balance. It may seem trivial, but it is a fundamental way to mitigate security threats in the web3 world. As a best practice, after using your wallet signature on any new platform, check your account balance, particularly high-value tokens like Bitcoin (BTC), Ethereum, or stablecoins such as Tether (USDT), which are frequent targets of hacking attempts.
- If you spot any dubious transactions or unauthorized access, you should report it immediately to your defi institution or dapp platform provider.
- Be cautious when downloading or installing new dapps. Stick to trusted sources when downloading and installing applications, and steer clear of software from unfamiliar or untrustworthy websites.
- Be careful of sites with a spotty reputation, as they may distribute harmful software that could jeopardize your device’s security.
- Given that CEXs are frequent targets for hackers, experts recommend that users keep their funds in wallets where they have full control over their private keys. To better secure those keys, web3 users can use hardware wallets or cold storage solutions, which keep keys offline and out of reach of keyloggers.
Ensuring web3 security is not a one-time task but a continuous process that involves proactive risk identification, strategic choice of blockchain design, regular audits, and constant learning.