After a relatively quiet year on the frontier of Web3 security, a new crypto bull market has brought a fresh yet predictable spate of attacks on DeFi protocols. Security firm Halborn reports eleven hacks totaling losses of over $100 million in March. But in 2024 – must it still be so? DeFi’s explosive emergence in the summer of 2020 put the condescending “not your keys, not your crypto” mantra to bed once and for all, as it became clear that code vulnerabilities in decentralized protocols were as enticing to hackers as centralized exchange wallets. A wave of attacks necessitated an improvement in industry standards, such as the use of code libraries and independent auditors to root out weaknesses.
Nevertheless, Web3 has so far missed the comprehensive and more strategic approach to cybersecurity that’s characteristic of the Web2 sphere – but it’s hardly surprising. Web2 can adopt a response-focused approach to security since events can be rolled back to the last backup, centralized servers can be shut down if necessary, and permission-based systems are designed to exclude bad actors. Web3 systems are simply constructed differently.
However, if Web3 security has been somewhat lackluster to date, here in cyber-centric Tel Aviv, I’m seeing signals of an emerging segment that looks far better equipped to handle the growing hacker problem. I reached out to Omri Lahav of Blockfence, a threat-mapping layer that uses AI to scan on-chain activity and prevent cyberthreats before they become an incident. He explained some of the challenges:
“Web3 requires a completely different approach. It introduces new threats, risks, and attack vectors, along with very high financial stakes. This is accompanied by numerous new building blocks being added to the ecosystem daily, leading to various integrations between them (meaning a significant increase in potential vulnerabilities), while, on the other hand, attracting many inexperienced users.”
Effectively, the new generation of Web3 security firms is playing to its strengths. Rather than re-engineering the Web2 approach for an entirely new technology, these firms are using the resources already available within the blockchain environment. Vast quantities of public on-chain data illustrate how actors operate and, combined with the growing capabilities of AI, can enable real-time monitoring and threat response.
The type of response is also key, though, since in a decentralized environment where smart contracts execute automatically, alerts may not be sufficient to prevent an incident. Oren Fine, co-founder and CTO at SphereX, shared a recent case study where his project had successfully showcased its on-chain protection solution for smart contract code, deploying a protected demo version of Thirdweb’s DropERC721 contract, which had been compromised in the production version. The SphereX version proved immune to the abuse that occurred during the exploit. Fine elaborated to me:
“In terms of security, Thirdweb was doing the maximum possible with the tools they had available. They provided basic smart contract templates, were audited multiple times by numerous auditors, and were using code libraries from OpenZeppelin – undoubtedly the top Web3 security firm. Even if a customer like Thirdweb was choosing to use a monitoring solution, in the best-case scenario, they would receive an alert that their protocol was attacked, usually after the fact. Only a security solution that’s active during runtime, can harden the code, and block malicious transactions BEFORE they’re finalized could have prevented this attack.”
The recent uptick in attacks suggests that this new generation of “intelligent” Web3 security is still very much emerging – but sorely needed. With many analysts still predicting further gains in the crypto markets and funds inevitably flowing into DeFi, it will be intriguing to see if demand for these new tools and methods grows in correlation.