Losses topped $2 billion in six months, and capital is rushing into the blockchain security sector
Author: Flowie, Chain Catcher
Acala was hacked and over 1.2 billion of its aUSD stablecoin were minted as a result; wallets across the Solana ecosystem were drained at scale... It is no exaggeration to say that security incidents supplied half of the blockchain headlines in the first half of 2022.
According to a security report released by Certik, blockchain and Web3 projects lost over $2 billion to hacks and exploited vulnerabilities in the first six months of 2022 alone, already more than in the whole of 2021.
As incidents piled up, many project teams scrambled to book smart contract security audits, only to face waits of up to six months. And even after an audit is completed, as the industry has seen repeatedly, a project can still be attacked.
Blockchain security is undoubtedly a necessity, yet in practice neither project teams nor ordinary users seem able to feel secure.
Against this backdrop, new security service providers keep emerging. So far in 2022, security companies at home and abroad such as Carret, BlockSec, Secure3, Halborn, and Redefine have raised significant funding, and Certik alone has closed close to four rounds over the past year, a sign of how hot the market is.
In this article we examine the current state of these security "guardians" and the dilemmas facing blockchain security as a whole, and ask how the industry landscape is evolving.
Still "Pioneering" Blockchain Security Services
The "barbaric" growth of blockchain has driven a matching surge in demand for security, but security services have not kept pace.
Zhou Yajin, co-founder of BlockSec, said: "It has become the norm over the past two years for smart contract security audits to have a waiting period of 2-3 months, and many projects' audits are queued for as long as six months." According to data from Chengdu Chain Security, nearly half of the projects attacked in the second quarter of 2022 had not undergone a security audit.
Despite the influx of providers, Thomas of YM Capital believes that "there are not enough service providers with real supply capability and a certain brand influence; there are only about a dozen globally." Zhou Yajin adds that although well-known firms such as ConsenSys Diligence, Trail of Bits, ChainSecurity, and Certik entered the market early, their market share is still not large, and the market as a whole remains quite fragmented.
Moreover, within specific sub-sectors, entrants have not covered the different needs adequately; most of them "compete" in security audits, where the revenue model is clear and cash flow is good.
In fact, much like traditional internet security, blockchain security services can be roughly divided into B2B and B2C. On the B2B side, a project's security splits into the phases before and after its code goes on-chain ("pre-chain" and "post-chain"). Pre-chain work is mainly the security audit of smart contract code; post-chain work includes attack tracing, threat intelligence, and real-time monitoring. On the B2C side, the focus is the security of users' wallets, NFTs, and other assets.
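As an added illustration of the post-chain monitoring layer described above (example code written for this article, not any named company's product), the following Python sketch replays a constructed stream of mint and burn events for a hypothetical stablecoin and applies two simple rules: a single mint that is large relative to the supply existing just before it, and cumulative minting over a trailing block window that inflates supply too quickly. The event format, thresholds, transaction hashes and amounts are all assumptions.

```python
"""Added example: post-deployment ("post-chain") mint monitoring rules.

Illustrative code written for this article, not a product of any company
named in it. Events, thresholds and amounts are constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SupplyEvent:
    block: int
    tx: str      # hypothetical transaction hash
    kind: str    # "mint" or "burn"
    amount: int  # whole tokens (assumed units)


# Constructed sample stream: routine activity, then one runaway mint at block 112.
SAMPLE_EVENTS = [
    SupplyEvent(100, "0xa1", "mint", 50_000),
    SupplyEvent(101, "0xa2", "burn", 10_000),
    SupplyEvent(105, "0xa3", "mint", 75_000),
    SupplyEvent(110, "0xa4", "mint", 40_000),
    SupplyEvent(112, "0xa5", "mint", 9_000_000),
    SupplyEvent(113, "0xa6", "mint", 30_000),
]


def monitor_mints(events, initial_supply, single_mint_pct=10.0,
                  window_blocks=10, window_growth_pct=20.0):
    """Replay supply events and return (alerts, final_supply).

    Rule 1 (single_mint): one mint exceeds single_mint_pct of the supply that
    existed just before it.
    Rule 2 (window_growth): mints within the trailing window_blocks blocks
    exceed window_growth_pct of current supply. It fires once per breach, not
    on every later event while the window is still elevated.
    """
    supply = initial_supply
    window = deque()          # (block, amount) of recent mints
    alerts = []
    window_breached = False
    for ev in sorted(events, key=lambda e: e.block):
        if ev.kind == "burn":
            supply -= ev.amount
            continue
        if ev.kind != "mint":
            continue  # unknown event kinds are ignored by this sketch
        if supply > 0 and ev.amount * 100 / supply > single_mint_pct:
            alerts.append(("single_mint", ev.tx, ev.block))
        window.append((ev.block, ev.amount))
        while window and window[0][0] < ev.block - window_blocks:
            window.popleft()
        minted = sum(amount for _, amount in window)
        elevated = supply > 0 and minted * 100 / supply > window_growth_pct
        if elevated and not window_breached:
            alerts.append(("window_growth", ev.tx, ev.block))
        window_breached = elevated
        supply += ev.amount
    return alerts, supply


if __name__ == "__main__":
    found, final_supply = monitor_mints(SAMPLE_EVENTS, initial_supply=1_000_000)
    for kind, tx, block in found:
        print(f"ALERT {kind}: tx {tx} at block {block}")
    print("final supply:", final_supply)
```

On the constructed stream, both rules fire on the 9,000,000-token mint in block 112 and stay quiet for the routine mints before and after it; the thresholds a real deployment would use depend on the asset's normal issuance pattern.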
Zhou Yajin believes that within the overall security market, developer-side security for DApps on the B2B side and wallet and NFT security for users on the B2C side are both largely untapped. "Blockchain security services are almost still in a pioneering state."
Why is Supply and Demand Imbalance the Norm?
The reasons behind the imbalance are not hard to understand. First, the open-source nature of the blockchain industry and its current stage of development have produced "barbaric growth" in demand for security services.
Thomas of YM Capital's basic thesis for betting on the blockchain security track is that "compared to traditional internet security, blockchain security is more of a necessity."
On one hand, the industry prizes open code, so most project source code is visible to everyone, which makes it easier for attackers and researchers alike to find vulnerabilities. On the other hand, low barriers to entry and a lack of regulation mean project teams vary widely in quality, so both teams and users need audits and similar measures as a security endorsement.
A further pain point for Web3 security compared with Web2 is how directly an attacker can monetize an exploit. In Web2, attackers profit by knocking out major services, stealing data, or selling malware, but the returns are bounded. In Web3, because contract code is wired directly into complex economic and financial flows tied to users' crypto assets, a single vulnerability can easily be worth millions or even tens of millions of dollars to an attacker. "Under the community's scrutiny, every iteration of a blockchain security product requires a complex explanation process, making it hard to iterate quickly compared to the traditional internet, so product security has to be considered more carefully before launch."
In a context where security is a necessity, blockchain products have strong demand for security and a strong willingness to pay. According to figures disclosed with Certik's Series B round, Certik's revenue grew twelvefold in 2021, and its profit reportedly grew 3,000-fold.
While demand grows wildly, the supply side also faces many constraints.
Much as in the early days of traditional internet security, when analysts matched attack patterns against local databases by hand, most providers find it nearly impossible to standardize and automate security audits, so supply capacity is tightly bound to headcount.
Even where headcount can be scaled, finding enough qualified auditors is a big question mark. Contract audits must be tailored to specific business scenarios, and the skills required differ across chains and use cases, so qualified audit talent is scarce. Many technically strong auditors may prefer to work as independent or white-hat hackers, since both attacking smart contracts and submitting vulnerabilities for bounties can pay considerably more; this year alone there have already been several bug bounties exceeding one million dollars in the blockchain industry.
Beyond the outright shortage, Mike, founder of Go+ Security, sees a deeper issue in the structural mismatch between security supply and demand, which keeps matching efficiency low.
When we discuss security, the burden tends to land entirely on the auditors. Yet with the right tools or services, self-testing, better contract design, higher code quality, and vulnerability scanning throughout the development process can significantly reduce the workload of an audit. "A current industry situation is that many professional security auditors waste a lot of energy on very low-level code errors."
"Standardization" is the Core Competitiveness
In a market that is still largely open, new and old players alike, beyond iterating on security technology itself, are chiefly chasing two opportunities: launching more standardized, automated products to cut marginal cost and break the delivery bottleneck, and covering more niche scenarios or specific links in the chain to capture more of the security budget.
Certik, which has shown the strongest fundraising momentum, has added to its pre-deployment audits a Skynet SaaS platform that runs around the clock to defend deployed contracts against threats. OpenZeppelin uses gamified exercises to surface smart contract vulnerabilities and offers "Defender" to help projects automate contract management and run automated scripts.
BlockSec, which just closed a new round of financing, will offer not only pre-deployment security audits but also real-time security monitoring for projects once they are live.
"Currently, blockchain security audit projects are still primarily based on equity financing on the path to a listing. If they cannot launch standardized, automated SaaS products, it is basically impossible to complete a listing." Kenneth of Mirana Ventures sees this as one of the drivers of SaaSification. "However, the blockchain iterates too fast, there are many segmented scenarios, and the issues surrounding attack events are complex. Some SaaS-like security software has not been accepted by the market, and most work is still case by case, which also gives new entrants many opportunities to overtake."
Alongside manual audits, more and more project teams are also seeking automated audits at the same time.
The industry's usual route to greater automation is formal verification: security properties (rules) are specified up front, and the client's code is then proved to satisfy them, ruling out any vulnerability that would violate those rules.
However, Zhou Yajin, co-founder of BlockSec, notes that many vulnerabilities stem from a contract's specific business logic, so proving the code correct against a rule set does not by itself make the contract secure, and the rules themselves have to be customized per project. In practice, BlockSec therefore audits from an "offensive" stance, combining attack surface extraction and analysis with automated fuzzing.
Mike, founder of Go+ Security, takes a similar view: as the industry currently understands it, formal verification has not yet found a clear way to improve efficiency, still struggles to replace manual audits, and accounts for a relatively small share of the overall audit process.
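To make the contrast between rule-based verification and the "offensive" fuzzing approach concrete, here is an added example written for this article (not BlockSec's tooling, Go+'s, or any real contract): a toy Python model of a token ledger with a planted stale-read bug, and a fuzzer that drives random transfer sequences while checking the conservation invariant that balances always sum to total supply. The attack-surface observation it encodes is that the recipient is an unconstrained input, so a self-transfer is reachable; the hardened variant performs the update in place. Holder names, balances and the bug itself are constructed.

```python
"""Added example: invariant fuzzing of a toy token ledger.

Written for this article; not BlockSec's tooling and not a real contract.
The bug, the invariant and the holders are all constructed.
"""
import random


class ToyToken:
    """Minimal ERC-20-like ledger kept in a dict instead of contract storage."""

    def __init__(self, holders, initial_balance, hardened=False):
        self.balances = {h: initial_balance for h in holders}
        self.total_supply = initial_balance * len(holders)
        self.hardened = hardened

    def transfer(self, sender, to, amount):
        """Move `amount` from sender to `to`; return False on insufficient balance."""
        if amount > self.balances[sender]:
            return False  # stands in for a revert
        if self.hardened:
            # In-place updates: a self-transfer nets to zero, as it should.
            self.balances[sender] -= amount
            self.balances[to] += amount
            return True
        # Planted bug: both balances are read before either write, so when
        # to == sender the second write overwrites the debit and mints `amount`.
        sender_balance = self.balances[sender]
        to_balance = self.balances[to]
        self.balances[sender] = sender_balance - amount
        self.balances[to] = to_balance + amount
        return True


def invariant_holds(token):
    """Conservation property: balances always sum to total supply."""
    return sum(token.balances.values()) == token.total_supply


def fuzz_transfers(token, steps=2000, seed=1):
    """Drive random transfer sequences; return the first invariant-breaking call.

    Attack-surface note encoded here: `to` is an unconstrained address, so the
    generator deliberately allows to == sender. Amounts may exceed the balance
    so the revert path is exercised as well.
    """
    rng = random.Random(seed)
    holders = list(token.balances)
    for step in range(steps):
        sender = rng.choice(holders)
        to = rng.choice(holders)
        amount = rng.randint(0, token.balances[sender] + 5)
        token.transfer(sender, to, amount)
        if not invariant_holds(token):
            return (step, sender, to, amount)
    return None


if __name__ == "__main__":
    buggy = ToyToken(["alice", "bob", "carol"], 1_000)
    print("buggy ledger:", fuzz_transfers(buggy))      # a self-transfer with amount > 0
    fixed = ToyToken(["alice", "bob", "carol"], 1_000, hardened=True)
    print("hardened ledger:", fuzz_transfers(fixed))   # None: no counterexample found
```

The fuzzer needs no model of the business logic beyond one invariant; it finds the inflation bug within a handful of calls because every non-aliased transfer preserves the sum and only the aliased path breaks it. A rule-based verifier would catch the same bug only if someone had written the conservation rule for this project in advance, which is the customization cost the text describes.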
Without a good solution for automation, the design of the audit process is in fact the core competitiveness of traditional audit firms. "For example, Quantstamp runs three audit lines in parallel. The core point, in business terms, is to put in enough manpower to audit thoroughly enough to guarantee good security outcomes, and then use the case record as an endorsement."
For B2B blockchain security providers, brand is a core competitiveness alongside technical capability. How well they run communities and strategic partnerships to demonstrate their security strength to the market matters a great deal.
In contrast to traditional internet security, which began on the consumer side, blockchain security is still concentrated on project teams, and B2C security services are relatively quiet.
A few entrepreneurs have nonetheless chosen the consumer side; Mike of Go+ Security is one of them. Go+ Security plugs into Web3 applications through data APIs backed by a dynamic risk detection platform that covers users' risk scenarios and flags asset and behavioral risks in real time: contract-based token and NFT checks, plus phishing sites, phishing emails, and community scams detected from how users actually interact. This protects users while also handling the user-side risks that Web3 applications have found hard to manage.
Mike believes that although traditional internet experience shows only a small share of users will pay for security, Web3 users have a clearer return on buying security services, somewhat like insurance being a must when you buy a car; security may become an essential service for every Web3 user. The core of B2C is security traffic and data, and the business logic differs from B2B's per-project service fees: growing the data scale is key. "The entire technical architecture for B2C needs to be fast; new attack methods emerge daily, and identifying and locating them is crucial. The security engine runs hundreds of strategies and dozens of detection types, so how to produce accurate results within two seconds may be the key to B2C security." Growing that scale depends not only on good products and services but also on the development and aggregation of the ecosystem.
Whether in B2C or B2B, and whether or not they break through on standardization, Kenneth of Mirana Ventures believes the key is still people. SaaS software also has to be built by humans, so a project's ability to grow its workforce is critical. "The founding teams of BlockSec and Secure3, which we invested in, have academic and university backgrounds, which lets them cultivate high-end talent specifically for blockchain security and also gives them an advantage in labor costs."
Beyond standardization and automation, market players are also going deeper into the business, and some small but refined strategies have emerged.
For example, some new North American audit firms focus on fine-grained audits, mainly serving innovative businesses like StepN and BanklessDAO. This segment is hard for established audit firms to take on, or not cost-effective for them, because matching such novel business logic requires many complex adjustments.
Others are entering through very specific pain points such as anti-cheating. Many GameFi projects spend half their R&D resources on anti-cheating, but this layer may evolve into a data service layer behind a pluggable API, letting specialized third-party anti-cheating services handle the problem more efficiently.
Two Gray Areas: Charging and Accountability
Besides product standardization, payment and responsibility allocation models also remain unclear.
Although blockchain projects are highly willing to pay for security, that does not mean they are willing or able to spend large security budgets. Even when a provider prevents a vulnerability from draining a significant amount of user assets, what share of that value it can capture, and how it should charge, remain open questions.
Charging models for traditional projects fall roughly into three types: service fees per project or a SaaS subscription; a percentage commission on the assets under protection; and security APIs billed per call. Token projects might also pay through built-in token models, but there is no mature practice for this yet.
Zhou Yajin stated that code audits are usually charged based on the project's size and per instance. For data monitoring after smart contracts go live, a subscription model is adopted, such as annual fees. For loss recovery services, in addition to the subscription model, fees are also charged based on the percentage of the recovered amount.
However, Kenneth of Mirana Ventures believes that "there is actually no clear charging standard in the industry. Although everyone emphasizes launching SaaS, charging is still case by case, and similar projects may end up paying significantly different amounts, which is not conducive to market expansion."
Beyond the lack of standard pricing, who is accountable when an audited or protected project is attacked? Many of the projects that have been attacked had completed security audits, some by well-known security firms, and fell victim anyway.
Kenneth mentioned that in traditional auditing services from the Big Four accounting firms, once issues arise, there are third parties to establish a set of top-down rules to clarify the responsibilities of the project and the service provider. Currently, blockchain security services have not established such a set of rules. "Even if such rules emerge in the future, the lack of legal and regulatory frameworks, along with the differences in rules across different countries and regions, will also pose challenges for accountability and liability."
Ecosystem and Segmentation Will Be the Trend
"In terms of market share, blockchain security services will ultimately look much like traditional internet security, still led by a few top players." According to Zhou Yajin, co-founder of BlockSec, blockchain security will first consolidate around a few leaders in the code audit track.
Even when leaders emerge, they are likely to dominate regionally. Kenneth of Mirana Ventures believes that, as the recent anti-money-laundering sanctions against Tornado Cash show, security services will expand from code auditing into services touching private data, which are heavily restricted by local policy, and much data-related business cannot cross borders.
As the landscape stabilizes and matures, Thomas of YM Capital notes that, judging by Web2's development, there are many merger opportunities within the security business itself, both horizontal and vertical. In the future, security companies may also break out of security and expand into other data-related businesses.
Today, many so-called Web3 security companies still have a very Web2 mindset, essentially just migrating their client services from Web2 to Web3. Thomas of YM Capital hopes to see more decentralized companies or organizations in a genuinely Web3 form, or channels that can build a decentralized security network.
Mike, founder of Go+ Security, also believes that there will be leading companies in different segments of security, but compared to traditional internet security services, it will be more ecosystem-oriented rather than relying on a single leading company to monopolize the entire market.
The blockchain security track is a very large market, but to fundamentally solve the problem, it is necessary not only to rely on security audit companies to clear vulnerabilities as much as possible before project launches but also to have independent researchers like white-hat hackers continuously discover vulnerabilities based on bounty models after launch. Additionally, efforts in regulatory mechanisms and user education are needed to form a comprehensive and full-cycle security assurance mechanism for blockchain projects.