Viewpoint: The key to Web3 security lies in prevention, with four major solutions to build an innovative security model

Author: Wei Lien Dang, General Partner at Unusual Ventures, leading investments in security, infrastructure software, and developer tools

Source: Techcrunch

Compiled by: Richard Lee, Chain Catcher

In Web1.0 and Web2.0, security models evolved alongside application architectures to help unlock entirely new economies.

In Web1.0, the Secure Sockets Layer (SSL) was pioneered by Netscape to provide secure communication between users' browsers and those servers; trusted Web 2.0 intermediaries like Google, Microsoft, Amazon, and certificate authorities played a central role in driving the implementation of Transport Layer Security (TLS), the successor to SSL.

The same will happen in Web3. This is a key reason why investment in new web3 security companies increased more than tenfold last year, totaling over $1 billion.

The success of Web3 depends on innovative security models that can address the new security challenges posed by different application architectures. In web3, decentralized applications (Dapps) are built not relying on the traditional application logic and database layers present in Web2.0, but instead depend on blockchain, network nodes, and smart contracts to manage logic and state.

Users can still access front ends connected to these nodes to update data, such as posting new content or making purchases. These activities require users to sign transactions with private keys, which are typically managed by wallets, a model designed to protect user control and privacy. Transactions on the blockchain are completely transparent, publicly accessible, and immutable (meaning they cannot be changed).

Like any system, this design also has security trade-offs. Blockchains do not require trust in participants like Web 2.0, but it is more difficult to make updates to address security issues. Users can maintain control over their identities, but in the event of an attack or key leakage (for example, how Web 2.0 providers recover stolen funds or reset passwords), there is no intermediary to provide recourse. Wallets may still leak sensitive information such as Ethereum addresses—after all, it is software, and software is never perfect.

These trade-offs naturally raise significant security concerns, but they should not hinder the momentum of web3 development; in fact, they are unlikely to.

Consider the similarities between Web 1 and Web 2. The initial versions of SSL/TLS had serious vulnerabilities. Early security tools were at best rudimentary and became more robust over time. Web3 security companies and projects like Certik, Forta, Slita, and Securify are comparable to the code scanning and application security testing tools initially developed for Web1.0 and Web2.0 applications.

However, in Web2.0, a large part of the security model was about response. In web3, once a transaction is executed, it cannot be changed, and mechanisms must be built in to verify whether a transaction should have occurred in the first place. In other words, security must be very good at prevention.

This means the Web3 community must figure out how to technically best address systemic weaknesses to prevent all new attack vectors targeting everything from cryptographic primitives to smart contract vulnerabilities. At least four initiatives can advance a preventive web3 security model:

1. Source-of-truth data for vulnerabilities

For known web3 vulnerabilities and weaknesses, there needs to be a source of truth. Today, the National Vulnerability Database provides core data for vulnerability management programs.

Web3 needs a decentralized equivalent. Currently, incomplete information is scattered across places like the SWC registry, Rekt, smart contract attack vectors, and DeFi threat matrices, with bounty programs run by Immunefi aimed at exposing new weaknesses.

2. Security decision-making norms

The decision-making models for key security design choices and individual incidents in web3 are currently unclear. Decentralization means no one is accountable for these issues, which can have a huge impact on users. Recent examples like the Log4j vulnerability serve as cautionary tales of leaving security to decentralized communities.

There needs to be a clearer understanding of how decentralized autonomous organizations (DAOs), security experts, providers like Alchemy and Infura, and others collaborate to manage urgent security issues. Lessons can be learned from how large open-source communities formed OpenSSF and CNCF advisory groups and how they established processes to address security issues.

3. Authentication and signatures

Today, most DAPPs, including the most well-known ones, do not authenticate or sign their API responses. This means that when a user's wallet retrieves data from these applications, there are gaps in verifying whether the response comes from the expected application and whether the data has been tampered with in some way.

In a world where applications do not adopt basic security best practices, it is nearly impossible for users to determine their security posture and trustworthiness. At the very least, there needs to be better ways to expose risks to users.

4. Simpler, user-controlled private key management

Cryptographic private keys underpin users' ability to transact in the web3 paradigm. It is well known that managing cryptographic private keys correctly is also very challenging. Entire businesses have been built around key management.

The complexity and risks of managing private keys are the main considerations driving users to choose custodial wallets over non-custodial ones. However, using custodial wallets brings two trade-offs: they create new "intermediaries," like Coinbase, which undermines the fully decentralized direction of web3; they also limit users' ability to engage with web3 matters. Ideally, further security innovations will provide users with better usability and protection in non-custodial scenarios.

Conclusion

It is worth noting that the first two initiatives are more about people and processes, while the third and fourth initiatives will require technological change. Aligning new technologies, emerging processes, and a large user base is what makes understanding web3 security challenging.

At the same time, one of the most encouraging changes is that web3 security innovation is happening openly, and we should never underestimate the creative solutions this will bring.