CoinFund: Overview and Thoughts on the Web3 Security Service Track
Original Title: “Web3 Security: Securing the Path to Crypto Adoption”
Author: Isaiah Washington, CoinFund Researcher
Compiled by: Biscuit, ChainCatcher
Chainalysis's 2022 Web3 Vulnerability Report puts losses from smart contract exploits above $3 billion, which exposes both the immaturity of the Web3 security landscape and how little has been learned from earlier incidents. The fundamental differences between Web2 and Web3 technology create new avenues both for attacking and for protecting user data and assets.
According to McKinsey, the global cybersecurity market is currently estimated at around $167 billion. As Web3 moves along the S-curve toward mass adoption, that market will come to cover financial as well as non-financial data, and a Web3 security market worth at least hundreds of billions of dollars is a reasonable expectation.
Web3 security is not broken, but underdeveloped. Compared to the breadth of security solution types in Web2, the ecosystem of Web3 security companies is only just forming. Among Web3 security companies that have closed a Series A or have annual revenue above $3 million, most are service businesses, primarily focused on smart contract auditing.
An audit is a manual review of a project's code in which security vulnerabilities are identified and documented. Auditing is a crucial pillar of Web3 security, but it is a point-in-time review of one code version: it does not cover code deployed later, the protocols a contract integrates with, or the live transaction flow. There were 167 major hacks in 2022, and half of them targeted audited smart contracts (Beosin Web3 Security Report), which indicates a need for more security infrastructure and automation in this field.
Web3 Security Landscape
The business of Web3 security companies can be divided into three main categories: Auditing, Tools, and Community. In the tools and community categories, most early activity is concentrated in secure code development, continuous or runtime monitoring, vulnerability bounties, competitive security communities, and transaction security.
Secure Code Development: Security products need to be integrated into developers' workflows. Solutions that help developers build with a "security-first" mindset and stop them from deploying faulty code can make auditing businesses more scalable in Web3. CoinFund's portfolio company Certora exemplifies this: it provides formal verification tooling in which developers write rules (invariants) a smart contract must satisfy and a prover checks the contract against them, so that a class of bugs is eliminated before deployment and before the audit begins. Other examples are tools for ongoing secure development, such as Dev0x's Enigma Labs, which is built for developers who orchestrate security products. There are also transaction and ecosystem testing and simulation tools such as Tenderly, Chaos Labs, and Gauntlet, which let developers exercise and predict a contract's behavior before it is formally deployed, adding to the developers' security toolset.
Continuous/Real-time Monitoring: Companies like Chainalysis and TRM Labs have raised $686.5 million for after-the-fact AML detection, investigations, and data analysis. The market for real-time monitoring that proactively catches exploits as they happen, however, remains thin. Companies like Forta and Cyvers are filling this gap with real-time vulnerability monitoring and attack detection. Forta is a distributed network for continuous runtime monitoring, while Cyvers uses machine learning to monitor multiple networks continuously and provide attack detection for exchanges, custodians, and DeFi protocols. (See CoinFund's paper on AI for more on the intersection of AI and crypto.) Once such a system raises a detection, developers can respond with technical countermeasures such as front-running the attacker's pending transaction or triggering an automatic circuit breaker that pauses the contract, to limit the assets lost.
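The detection-then-circuit-breaker loop described above, as an added illustration in Python (not Forta's, Cyvers's, or any protocol's code). It assumes a vault that emits an ordered stream of transfer events and a pausable vault whose "paused" flag the monitor can flip; the detection rule (gross withdrawals over a short block window exceeding a fraction of the TVL the vault held at the start of that window) and every event below are constructed for the example.

```python
"""Runtime outflow monitor with a circuit breaker (added illustration, not the
article's or any vendor's code). Assumptions: a vault emits ordered Transfer
events; the monitor can flip a pausable vault's "paused" flag; all event data
below is constructed."""
from collections import deque
from dataclasses import dataclass
from typing import Deque, List, Optional, Tuple


@dataclass(frozen=True)
class Transfer:
    block: int      # block the transfer was mined in
    tx_hash: str    # hypothetical identifier, used only for reporting
    direction: str  # "in" (deposit) or "out" (withdrawal)
    amount: int     # token base units


@dataclass(frozen=True)
class Alert:
    block: int
    tx_hash: str
    window_outflow: int  # gross withdrawals seen inside the window
    baseline_tvl: int    # TVL at the start of the window
    ratio: float


class CircuitBreaker:
    """Model of a pausable vault: once tripped, withdrawals are refused."""

    def __init__(self) -> None:
        self.paused = False
        self.tripped_at: Optional[int] = None

    def trip(self, block: int) -> None:
        if not self.paused:
            self.paused = True
            self.tripped_at = block

    def allow_withdraw(self) -> bool:
        return not self.paused


class OutflowMonitor:
    """Detection rule: gross withdrawals over the last `window` blocks exceed
    `max_ratio` of the TVL the vault held when that window began. Gross rather
    than net outflow is used so a deposit-then-drain pattern cannot mask itself."""

    def __init__(self, initial_tvl: int, window: int = 5, max_ratio: float = 0.10):
        self.tvl = initial_tvl
        self.window = window
        self.max_ratio = max_ratio
        self.recent: Deque[Tuple[int, int]] = deque()  # (block, signed amount)

    def observe(self, t: Transfer) -> Optional[Alert]:
        # Drop events that have fallen out of the window.
        while self.recent and self.recent[0][0] <= t.block - self.window:
            self.recent.popleft()
        signed = t.amount if t.direction == "in" else -t.amount
        self.tvl += signed
        self.recent.append((t.block, signed))
        gross_out = sum(-a for _, a in self.recent if a < 0)
        baseline = self.tvl - sum(a for _, a in self.recent)  # TVL at window start
        if baseline <= 0:
            return None
        ratio = gross_out / baseline
        if ratio > self.max_ratio:
            return Alert(t.block, t.tx_hash, gross_out, baseline, ratio)
        return None


def run_stream(events: List[Transfer], monitor: OutflowMonitor,
               breaker: CircuitBreaker) -> Tuple[List[Alert], List[str]]:
    """Feed events in order; trip the breaker on the first alert and record
    every withdrawal refused after that point."""
    alerts: List[Alert] = []
    refused: List[str] = []
    for ev in events:
        if ev.direction == "out" and not breaker.allow_withdraw():
            refused.append(ev.tx_hash)
            continue
        alert = monitor.observe(ev)
        if alert is not None:
            alerts.append(alert)
            breaker.trip(ev.block)
    return alerts, refused


def demo() -> dict:
    # Constructed event stream: normal activity, then a two-block drain.
    events = [
        Transfer(100, "0xa1", "in", 50_000),
        Transfer(101, "0xa2", "out", 20_000),
        Transfer(103, "0xa3", "out", 30_000),
        Transfer(110, "0xa4", "out", 60_000),
        Transfer(111, "0xa5", "out", 70_000),   # window outflow reaches 13% of TVL
        Transfer(112, "0xa6", "out", 10_000),   # arrives after the pause, refused
    ]
    monitor = OutflowMonitor(initial_tvl=1_000_000)
    breaker = CircuitBreaker()
    alerts, refused = run_stream(events, monitor, breaker)
    return {"alerts": alerts, "refused": refused,
            "tripped_at": breaker.tripped_at, "tvl": monitor.tvl}


if __name__ == "__main__":
    for key, val in demo().items():
        print(key, val)
```

The threshold and window are the tuning knobs: too tight and a legitimate large redemption pauses the vault, too loose and a drain spread across several blocks slips through. In a real deployment the detection runs off-chain and the trip is an on-chain pause transaction, so the response is bounded by how fast that transaction lands.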
Security Networks/Community: Web3 is driven by community participation; the major communities fall into developer communities (e.g., Developer DAO), investor communities (e.g., FlamingoDAO), and financial community infrastructure (e.g., SyndicateDAO, Juicebox). It is foreseeable that future security solutions and platforms will be better at gathering and mobilizing professional security researchers to protect Web3. For example, Immunefi, which recently raised a $24 million Series A, surfaces vulnerabilities and bugs in smart contracts by building and incentivizing a network of white-hat hackers, using community power to protect Web3 code. To date, Immunefi has facilitated over $65 million in bug bounty payouts to white-hat hackers. Other early examples in the same vein include Code4rena, Secure3, and PwnedNoMore. Forta's distributed network can likewise reward security experts or enthusiasts for building and deploying detection bots and smart contracts that alert users to contract risks and respond to malicious contracts.
Consumer and Institutional Transaction Security Solutions: User-facing transaction and wallet security products will play a crucial role in protecting Web3 assets. These solutions can also be sold to wallets to improve their overall user experience. Wallets can build security features into their own products, but solutions that detect risk with proprietary algorithms and make integration as simple as possible will stand out. Redefine is one company exploring this direction: it simulates and monitors each transaction in real time, assesses its risk, and delivers that assessment to the end user as an alert before they sign. Other specialized "firewall" products protecting traders include Shield, Hexagon, and TrustCheck from Web3Builders.
Expansion of Auditing Businesses: Auditing firms generally agree that productization is necessary to scale. Halborn, while currently focused on manual audits, is built with the aim of bringing automation tools for auditing and development operations to market. Quantstamp and CoinFund portfolio company Sherlock are taking another approach, exploring the intersection of security auditing and asset insurance.
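A pre-signing risk check of the kind the transaction security paragraph above describes, as an added illustration in Python (not Redefine's, Shield's, TrustCheck's, or any wallet's code). It assumes the wallet hands over the unsigned transaction as a dictionary with "to", "value" and "data" fields and that the user keeps an allowlist of trusted spenders; the function selectors for approve and setApprovalForAll are the standard ERC-20/ERC-721 ones, and every transaction below is constructed.

```python
"""Pre-signing risk check on raw transaction calldata (added illustration, not
the article's or any wallet vendor's code). Assumptions: the unsigned tx is
{"to", "value", "data"} with hex strings; a per-user allowlist of trusted
spender addresses exists; all transactions below are constructed."""
from typing import Dict, List, Optional, Set

MAX_UINT256 = 2**256 - 1

# 4-byte selectors: first 4 bytes of keccak256(signature).
SELECTORS = {
    "095ea7b3": "approve(address,uint256)",          # ERC-20
    "a22cb465": "setApprovalForAll(address,bool)",   # ERC-721 / ERC-1155
}


def _word(args: str, i: int) -> str:
    """i-th 32-byte ABI word as 64 hex characters; raise if calldata is short."""
    w = args[64 * i: 64 * (i + 1)]
    if len(w) != 64:
        raise ValueError("calldata truncated")
    return w


def _address(word: str) -> str:
    return "0x" + word[-40:]


def decode_call(data: str) -> Optional[dict]:
    """Decode the ABI call in `data`; None means a plain value transfer."""
    hexdata = data[2:] if data.lower().startswith("0x") else data
    hexdata = hexdata.lower()
    if hexdata == "":
        return None
    sel, args = hexdata[:8], hexdata[8:]
    name = SELECTORS.get(sel)
    if name is None:
        return {"function": None, "selector": sel}
    if name == "approve(address,uint256)":
        return {"function": name, "spender": _address(_word(args, 0)),
                "amount": int(_word(args, 1), 16)}
    return {"function": name, "operator": _address(_word(args, 0)),
            "approved": int(_word(args, 1), 16) != 0}


def assess(tx: Dict[str, str], trusted: Set[str],
           native_limit_wei: int = 10**18) -> List[dict]:
    """Return risk findings in detection order; an empty list means nothing flagged."""
    findings: List[dict] = []
    to = tx["to"].lower()
    value = int(tx.get("value", "0x0"), 16)
    try:
        call = decode_call(tx.get("data", "0x"))
    except ValueError as exc:
        return [{"level": "high", "reason": f"malformed calldata: {exc}", "target": to}]
    if call is None:
        if value > native_limit_wei and to not in trusted:
            findings.append({"level": "medium", "target": to,
                             "reason": "large native transfer to unknown recipient"})
        return findings
    fn = call["function"]
    if fn is None:
        findings.append({"level": "low", "target": to,
                         "reason": f"unrecognised selector 0x{call['selector']}"})
    elif fn.startswith("approve("):
        if call["amount"] == MAX_UINT256:
            findings.append({"level": "high", "target": call["spender"],
                             "reason": "unlimited token allowance"})
        if call["spender"] not in trusted:
            findings.append({"level": "medium", "target": call["spender"],
                             "reason": "allowance granted to unknown spender"})
    elif fn.startswith("setApprovalForAll(") and call["approved"]:
        if call["operator"] not in trusted:
            findings.append({"level": "high", "target": call["operator"],
                             "reason": "operator may move every NFT in the collection"})
    return findings


# Hypothetical addresses for the constructed samples.
SPENDER_TRUSTED = "0x" + "11" * 20   # e.g. a router the user has vetted
SPENDER_UNKNOWN = "0x" + "22" * 20
TRUSTED = {SPENDER_TRUSTED}


def _pad_addr(addr: str) -> str:
    return addr[2:].lower().rjust(64, "0")


def _pad_uint(n: int) -> str:
    return format(n, "064x")


def demo() -> Dict[str, List[dict]]:
    token, nft = "0x" + "aa" * 20, "0x" + "bb" * 20
    txs = {
        "unlimited_to_unknown": {"to": token, "value": "0x0",
            "data": "0x095ea7b3" + _pad_addr(SPENDER_UNKNOWN) + _pad_uint(MAX_UINT256)},
        "bounded_to_trusted": {"to": token, "value": "0x0",
            "data": "0x095ea7b3" + _pad_addr(SPENDER_TRUSTED) + _pad_uint(1000 * 10**18)},
        "nft_operator": {"to": nft, "value": "0x0",
            "data": "0xa22cb465" + _pad_addr(SPENDER_UNKNOWN) + _pad_uint(1)},
        "big_eth_send": {"to": SPENDER_UNKNOWN, "value": hex(5 * 10**18), "data": "0x"},
        "unknown_selector": {"to": token, "value": "0x0", "data": "0xdeadbeef"},
        "short_calldata": {"to": token, "value": "0x0", "data": "0x095ea7b3" + "00" * 8},
    }
    return {name: assess(tx, TRUSTED) for name, tx in txs.items()}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "no findings")
```

Static decoding like this catches the most common drainer pattern (an unlimited allowance or setApprovalForAll to an address the user has never interacted with) without any network access; a product such as those named above layers transaction simulation and address reputation on top, which is where the proprietary value lies.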
Key Components of Web3 Security to Consider
At a high level, several key arguments shape my view of how Web3 security will develop:
- Identification of Key Security Stakeholders: Web3 fundamentally shifts the target market for security products and services. Web3 developers, projects, and users are the most important customers for security solutions. This differs from Web2, where businesses carry the legal and economic responsibility for protecting user data. In a world where users own their data and assets, the burden of protecting them shifts to the users themselves.
- Prevention, Mitigation, and Response: Security is a layered approach (IBM) that requires continuous and proactive strategies, which the pre-launch audits Web3 relies on today cannot provide on their own. Code can never be guaranteed free of vulnerabilities, so mitigation and response solutions for live exploits are needed in Web3 just as in Web2.
- Combining Traditional Security and Web3 Expertise: Security has always been a difficult and crowded market, with attacker talent and techniques constantly evolving. Of the thousands of security startups, only a few have breakthrough potential. Web3 is novel, but the fundamental security problems and their solutions are well understood, so security researchers who have spent years studying how technologies fail will lead the way in protecting Web3.
Investment Opportunities in Web3 Security
Scalable solutions, products, and networks are crucial components in building Web3 security. From an investment perspective, the most attractive teams are those with (1) deep Web2 security expertise combined with a crypto-native perspective, (2) platforms that connect Web3 security protocols with developers, institutions, and individual users and amplify what Web3 security practitioners can do, and (3) products or networks that can serve clients on the strength of their underlying technology.
In the Web3 security market, just as in Web2 security, thousands of solutions will be created, but relatively few companies will scale into billion-dollar enterprises. CoinFund aims to work alongside founders, and we hope to invest in the teams that are expanding the Web3 security stack.