What will security and threat prevention look like in Web3?

Some say it’s here already. Others say it’s partway there. Still others contend that it’s a long ways off. 

In any case, the underlying fact is indisputable: Web3 is the next iteration of the internet — the evolution from passive use in Web1, to the ability to actively contribute in Web2, to complete data ownership. 

But, while touted for its decentralization and user- (and data-) centricity, when it comes to security and threat detection, “Web3 is outgunned, plain and simple,” asserts Christian Seifert of Forta Network. “We need new, faster and more surgical threat prevention measures, and we need them now.”

So the question is: Just what might security and threat prevention look like in Web3?

But first: What exactly is Web3?

Put simply, Web3 is the internet without a centralized control mechanism. Its backbone is blockchain, a technology described by Gartner as an “expanding list of cryptographically signed, irrevocable transactional records shared by all participants in a network.” 

Blockchain is based on the broader concept of distributed ledgers. Each record contains a timestamp and reference links to previous transactions. 

As ReportLinker asserts: “Using blockchain technology, Web 3.0 can revolutionize internet usage. It can give the internet an entirely new dimension.”

The firm predicts that the global Web3 blockchain market size will reach $12.5 billion by 2028, representing a compound annual growth rate (CAGR) of more than 38%. 

A web built on decentralized identity constructs

Avivah Litan, Gartner distinguished VP analyst, described the internet of the moment as “Web 2.5.” 

Web2 customer identity services and traditional enterprise identity and access management (IAM) frameworks “are no longer scalable,” she said. Also, some Web2 digital asset custody services — especially those that are not regulated — are no longer trustworthy. 

Web3 will ultimately support user ownership of data and algorithms through decentralized identity (DCI) constructs, tokenization and self-hosted wallets, she explained. These decentralized systems ultimately remove the need for repeated identity proofing across services, and support common authentication services by removing the need for multiple credentials.

And the Web3 era is swift approaching: Gartner predicts that by 2025, at least 10% of users under 20 years old will have a decentralized identity wallet on their mobile device for managing their identity attributes and making verifiable claims.

Blockchain vulnerabilities

But just because blockchain data is cryptographically secured doesn’t mean data is always legitimate, Litan pointed out. 

“There are plenty of points of vulnerability in [blockchain] networks,” she said. 

Notably, there are five top blockchain security threat vectors: 

• User vulnerabilities such as stolen or fake identity, insecure endpoints or weak credential management (passwords, private keys) lead to user account takeover. (Potential solutions include identity proofing, endpoint protection, user authentication.) 

• API and Oracle vulnerabilities including bugs, exploits and invalid data lead to account takeover and incorrect smart contract execution. (Possible solutions: decentralized consensus of data reads and writes, cross-checks on data validity)

• Off- and on-chain data vulnerabilities around data security, data confidentiality and data integrity and validity lead to process failure and data compromise. (Potential solutions: storing data off-chain, privacy-preserving protocols, user access control) 

• Smart contract vulnerabilities including bugs, exploits and unauthorized execution lead to theft and information manipulation.

• Node vulnerabilities including insider threat, data exposure and distributed app exposure lead to financial/value theft and data compromise and information manipulation.

Litan pointed out that smart contracts are a type of blockchain record that contain externally written code, and control blockchain-based digital assets. DeFi smart contracts are prime targets: For instance, from January through August 2020, there were six DeFi hacks where smart contract bugs were exploited, with hundreds of thousands of dollars stolen.

Potential prevention measures for this type of attack, she said, include code reviews, baseline smart contract execution and fine-grained smart contract access control. Detection methods, meanwhile, can include behavior anomaly detection, dynamic execution analysis during run time, vulnerability scans and forensic analysis. 

Today’s threat prevention model

Today, Forta’s Seifert explained, protocols primarily rely on smart contract audits for their security.

And, according to Forta research, funds lost in smart contract exploits rose from $215 million in 2020 to an astounding $2.7 billion in 2022.

Therefore, organizations must consider post-deployment security, said Seifert. They must ask themselves, for example: “What happens when their protocol gets attacked due to an unknown vulnerability? Who gets notified? How are those attacks mitigated?”

Furthermore, end users have been mostly left unsupported,” he said. “Phishing and digital asset theft is prominent.”

Much like Litan, he asserts that Web3 has “in part” been realized, “but there is much more work to be done” when it comes to threat prevention.

For instance, many services still rely on infrastructure that creates single points of failure, and user experience is “extremely cumbersome,” thus hindering broader adoption, he said. And, there are many issues regarding privacy and security that have led to the loss of billions of dollars in losses.

The latter factor, particularly, is “eroding trust in Web3,” he said.

Tomorrow’s threat prevention

While current threat prevention is simply to “pause the protocol,” organizations must equip themselves with the ability to identify malicious activity in real time and swiftly respond.

As attacks occur “very quickly,” organizations can prepare by adopting such capabilities and tools as transaction filtering and recoverable tokens, Seifert said.

Because these possible approaches have pros and cons, the industry should proof-of-concept (POC) them with projects in the real world to uncover what works and what doesn’t.

“Those efforts should then result in standards that the broader industry can adopt,” he said.

How can Web3 succeed?

At this point, Seifert said, he doesn’t see any relief from hacks; he predicts that “there will be more pain” before users demand something more secure and robust.

Still, he does anticipate progress in threat intelligence. This needs to be integrated at multiple levels: from wallets to centralized exchanges to NFT marketplaces to infrastructure providers.

There are many parallels in Web3 threat prevention to the traditional security industry, he said. However, he added, there is a general skills shortage, so he encourages more Web2 security researchers to become active in the Web3 space.

Ultimately, “if security issues cannot be solved, I am pessimistic that Web3 can succeed,” he said.