Securing Web3: Four Insights from MetaEra Summit
Kate (Ksenia) Laurence
CEO & Founder, Bloccelerate VC | Investor in Web3 Since 2015 | Milken YLC
With nearly $5B worth of exploits over the last 24 months, it is clear that security is one of the most existential problems Web3 faces today.
Simply put, we cannot expect to onboard billions of users into crypto unless we restore trust in the system.
Given the importance of security to the future of our space, I thought I would share these takeaways from the MetaEra Summit panel:
The main reason why exploits permeate the Web3 space is that Web3 is fundamentally creating a new tech stack, which will take years to battle-test. On the surface, it might seem like we are stating the obvious; after all, this is not unlike the internet in the early 2000s, when SSL/TLS, e-commerce, web hosting, ad networks, and payment processing systems were built from scratch. What distinguishes Web3 systems is that not only are they new, they are also permissionless: anyone can interact with a deployed contract, so a bug is exposed to the whole world the moment it ships.
According to a recent survey by Certik, human error accounted for 59% of all exploits in the Web3 security space in 2022! In raw numbers, that is roughly 300 of 500 exploits attributable to human error. Technology exploits and economic exploits represent 21% and 20% respectively. Simply put, despite the complexity and novelty of the stack, technology and economic attacks combined represent less than half of all attacks in the Web3 space. This means training builders and users in the basics of Web3, and making the UX fool-proof, should be a key priority for leaders in this space.
More than $95B has been invested in AI over the last 12 months; can it help make Web3 code more secure? On the one hand, by combining AI with traditional program analysis, we can detect customized logical bugs with 80% precision and a 10-20% false-positive rate. For example, a critical bug in the Banana Gun contract, missed by two official audits, was recently uncovered by ChatGPT. AI also helps less experienced developers write more secure code, but experienced devs are still better at picking up bugs. On the other hand, AI tools are also becoming better at social engineering attacks (e.g. using AI to write phishing emails), which brings us back to the human error factor described above.
As an industry, we need to come together to build better standards for incident detection, prevention, and response. For example, Certik is collaborating with OKLink, a "regtech" product created by OKX, to implement post-incident fund-locking practices, as well as a Web3 taxonomy for data labeling. The former initiative instructs exchanges, like OKX, to lock funds once the attacker's wallet addresses have been identified as malicious. The latter addresses the inconsistencies that arise from data mislabeling, specifically around incident analysis and anti-money laundering.
TLDR: Better cross-industry standards could significantly reduce the hacks, thefts and reputational damage in the space.
If you are building a security company in the Web3 space, I want to talk to you!
***
Subscribe to my newsletter to have my takes on the most important Web3 events delivered directly to your inbox!
Founder of Cryptorsy Ventures: backing & scaling web3 projects. Public speaker, advisor, angel investor/VC.
1 year: Kate, good stuff right here! Btw, what's your investment thesis? Keeping an eye.