The term Web3 was coined by Ethereum co-developer Gavin Wood in 2014, to describe “a decentralized online ecosystem based on the blockchain,” as opposed to “big Tech” providers like Google and Facebook that dominate Web 2.0. That is a broad concept, but what Web3 actually looks like, or will look like in the future, is still in flux.
So early in its development, moving into Web3 is a high-risk undertaking. However, for some businesses, the rewards of embracing it are strong enough to face potential Web3 cybersecurity risks. Though this is often framed in terms of cryptocurrency prices, the benefits go deeper. For example, with digital identity remaining a prime concern due to continuing remote work, verifiable decentralized identity infrastructure is an exciting application of Web3.
Read on to find out more about the state of Web3, the promise of Web3, and the security implications.
What Does Web3 Look Like?
Web3 attempts to provide ways for individuals or organizations to retain more control over their data and their online identities and to conduct activities and transactions without the need for centralized corporations or governments. This concept is beginning to emerge in several different ways, most prominently:
- Instead of centralized technologies like OAUTH, the protocol that undergirds activities like logging into multiple services with a Google account, Web3 encompasses self-sovereign identity for authentication. This is beginning to emerge in cases such as the European Self-Sovereign Identity Framework, an ongoing attempt to deploy self-sovereign identity in the European Union.
- Web3 pioneers are figuring out how to eschew centralized banks, instead using decentralized finance (DeFi) techniques to conduct transactions using cryptocurrencies and record them on public blockchains such as Ethereum, instead of going through traditional financial institutions to complete and note them. Smart contracts are used to complete transactions and even resolve disputes in a transparent manner.
- Some are even using Web3 to try to replace traditional corporations with Decentralized Autonomous Organizations (DAOs), which depend on smart contracts instead of traditional corporate charters to define their operation and achieve social or economic goals.
More applications of Web3 technologies will be developed to the point of usability in the coming years, but these are the main technologies that businesses are exploring today.
What Is the State of Web3 Cybersecurity?
Cryptographic protocols and implementations form the base of Web3, and they are by nature complex. Even well-tested, widely adopted protocols like SSL and TLS have been subject to attacks over the years, even with the extensive study of the protocols.
There has been even less time to study blockchain so far, and though Web3 applications are being created and launched into production, many do not come with formal security proofs and are not subject to security audits. Thus, there is often not the base level of assurance that they are sound, the same as there would be with a better tested technology or cryptographic protocol. Attackers know this, and they are compromising Web3 organizations in a range of ways related to the protocols themselves, applications built over the blockchains, or the ways Web3 participants conduct their activities.
Sometimes, cryptocurrency security issues seep all the way down to the underlying cryptography. For example, in 2018, a vulnerability was identified in Zcash that would have allowed an attacker to create counterfeit Zcash. Though it was believed to have been remediated before anyone did so, it underscores the possibility that cryptographic flaws can lead to both financial and reputational harm.
Vulnerabilities can be in the protocols themselves, but also in applications built on top of blockchains. For example, when The DAO, an early DAO, had $15 million worth of Ethereum stolen due to a vulnerability in a smart contract, the Ethereum community voted to do a complete hard fork of their blockchain in order to restore the stolen cryptocurrency.
However, users of a blockchain cannot guarantee that a vote to hard fork to reverse a compromise will happen. A blockchain cybersecurity risk, to which many are vulnerable by design, is the 51% Attack. Changes to a blockchain have to be approved by a majority of the processing power on the blockchain. If malicious actors gain control of that majority, they can rewrite parts of the blockchain, allowing cryptocurrency to be spent more than once. For example, in early 2019, over $1 million worth of Ethereum Classic was double-spent after a 51% attack.
Sometimes, compromise can happen due to technologies off the blockchain. Members of CityDAO, a group working to implement real estate ownership on the blockchain, had $95,000 worth of Ethereum stolen from them in a social engineering attack. An attacker was able to compromise an administrator’s Discord account. They pretended to be the administrator, claimed that they were doing a “land drop,” and made off with the Ethereum that members used to buy this fake land.
The CityDAO issue skirts another interesting issue arising with Web3: as much as decentralization is the motivation for many people and organizations to get into Web3, decentralization is not always achieved. In that case, DAO members were targeted by a hijacked account on the Discord chat platform. Other sacrifices in decentralization include mobile wallet APIs managed by centralized entities, since mobile devices often cannot connect to a blockchain’s network and perform tasks.
How Do We Move Forward Into Web3?
Web3 technologies are actively emerging. Businesses and customers alike are thinking about whether they want to adopt blockchain technology or do business with companies that are embracing it. When making this choice, don’t forget to ask the tough questions.
These questions include evaluating whether Web3 technology is the right one to solve a problem or expand a service offering. It also includes performing a thorough security assessment of the platform, its dependencies, and how it has been implemented.
If you are considering Web3 technologies, you should make sure that you have access to the necessary expertise to evaluate how they will affect your security posture, and to implement technologies correctly. This requires a broad range of expertise, including in cryptography, software engineering, and security engineering.
Many businesses do not have this kind of expertise on staff, but working with a trusted partner can help you assess your risk and face Web3 cybersecurity with confidence.
Security Compass Advisory has a history of tracing the cutting edge of technology. Our consultants are continuously researching the security aspects of new technologies, experience that matters when investigating such a rapidly emerging concept as Web3. Learn more about our emerging technology consulting services and see how you can put this expertise to work for your business as you consider the future of Web3.