Web3 Security: The Hidden Trillion-Dollar Market

Article: @BuidlerDAO

Author: @Henry

Layout: @Lexi @createpjf

Note: The article represents personal views and does not constitute any investment advice.
Once, the Greeks offered a giant wooden horse to the city of Troy. The people inside believed it to be a symbol of peace, unaware of the threat it concealed.

With the successful launch of Bitcoin ETFs, more and more new users and funds are flowing back into Web3, and the warming market seems to indicate that Web3 is one step closer to large-scale application. However, the lack of policies and security risks remain the main obstacles to the widespread adoption of cryptocurrencies.

In the crypto world, hackers can directly profit millions or even hundreds of millions of dollars by exploiting on-chain vulnerabilities, while the anonymity of cryptocurrencies creates conditions for hackers to escape unscathed. By the end of 2023, the total locked value (TVL) of all decentralized finance (DeFi) protocols was approximately $4 billion (currently $10 billion), and in 2022 alone, the total value of tokens stolen from DeFi protocols reached $310 million, accounting for 7% of the aforementioned value. This figure fully illustrates the seriousness of security issues in the Web3 industry, like the sword of Damocles hanging over our heads.

Not only is the on-chain environment a concern, but the security issues on the Web3 user side are also significant. According to data released by Scam Sniffer, in 2023, 324,000 users had their assets stolen due to phishing, with a total stolen amount reaching $295 million, which is serious in terms of both the scope of impact and the amount involved. However, from the user's perspective, security incidents have a lagging nature—before an incident actually occurs, users often find it difficult to fully realize the severity of the potential risks. Therefore, people often fall into "survivorship bias," overlooking the importance of security.
This article starts from the current security challenges faced by the market and explores the security risks brought about by the rapid growth of Web3 users. By analyzing security solutions proposed by companies like Goplus, we further understand how to support the large-scale application of Web3 from compliance and security perspectives. We believe that Web3 security is an underexplored multi-billion dollar market, and as the Web3 user base continues to expand, the demand for user-side security services is showing an exponential growth trend.
Article Overview:

1. Hidden Threats and the Billion-Dollar Market

   1.1 Asset Security

   1.2 Behavioral Security

   1.3 Protocol Security

2. Analysis of the Web3 Security Track

3. Next-Generation Security Products: Safeguarding Large-Scale Applications of Web3

4. Conclusion

The full text is 5400 words, with an estimated reading time of 12 minutes.

Hidden Threats and the Billion-Dollar Market

Currently, the product forms of Web3 security mainly focus on ToB, ToC, and ToD. The B-end primarily involves security audits of products, conducting penetration tests and producing audit reports, mainly providing security protection on the product side. The C-end focuses on protecting the user security environment, providing detection services through real-time capture and analysis of threat intelligence via APIs, thus ensuring security protection on the user side. ToD (Developer) mainly targets developer tools, providing automated security audit tools and services for Web3 developers.

Security audits are a necessary static security measure. Almost every Web3 product undergoes a security audit and publicly discloses the audit report. Security audits not only allow the community to verify the security of the protocol but also serve as one of the foundations for users to build trust in the product.

However, security audits are not a panacea. Given the market development trends and current narratives, we foresee that the challenges to user security environments will continue to rise, mainly reflected in the following aspects:

Asset Security

Every market cycle is accompanied by the issuance of new assets. With the popularity of ERC404 and the rise of hybrid FT and NFT tokens, the issuance of on-chain assets is becoming increasingly innovative and complex. The challenges to the security of new asset types are growing day by day. As different asset types are mapped and integrated through smart contracts, the complexity of the system increases, and correspondingly, its security faces greater challenges. This complexity provides attackers with a broader attack space; for example, by designing specific callback mechanisms or tax mechanisms, attackers can interfere with asset transfers or even launch direct DoS attacks. This makes traditional asset issuance contract security audits and formal verification methods, such as Pre-Chain approaches, increasingly difficult. Solutions with real-time monitoring, alerts, and dynamic interception are urgently needed.

Behavioral Security

Data provided by CSIA shows that 90% of cyberattacks begin with phishing. This is equally true for Web3, where attackers target users' private keys or on-chain funds by sending phishing links or scam messages through platforms like Discord, X, and Telegram, guiding unsuspecting users to make erroneous transfers, interact with incorrect smart contracts, or install malicious files.

On-chain interactions have a high learning curve, which is inherently counterintuitive. Even an offline signature can lead to millions of dollars in losses. When we click to sign, faced with various input parameters, do we really know what we are authorizing? On January 22, 2024, a cryptocurrency user fell victim to a phishing attack and signed a Permit signature with erroneous parameters. After obtaining the signature, the hacker used the wallet address authorized by the signature to withdraw tokens worth $4.2 million from the user's account.

The weakness of the user-side security environment can also lead to asset loss. For example, when users import their private keys into an Android app wallet, the private key often remains on the phone's clipboard after being copied. In such cases, when malicious software is opened, the private key can be read, and the wallet's on-chain assets can be automatically detected and transferred, or stolen after a latency period.

As more and more new users enter Web3, security issues on the user side will become a significant hidden danger.

Protocol Security

Reentrancy attacks remain one of the biggest challenges facing protocol security today. Despite numerous risk control strategies being implemented, incidents involving such attacks still occur frequently. For example, in July of last year, Curve suffered a severe reentrancy attack due to a compiler flaw in its contract programming language Vyper, resulting in losses of up to $60 million, which also led to widespread questioning of DeFi's security.

Although there are many "white-box" solutions targeting contract source code logic, hacker incidents like Curve reveal an important issue: even if the contract's source code is correct, compiler issues can lead to discrepancies between the final execution results and the expected design. The process of "transforming" contracts from source code to actual runtime is fraught with challenges, and each step may introduce unforeseen problems, while the source code itself may not cover all potential scenarios. Therefore, relying solely on the security of the source code and compilation layer is far from sufficient; even if the source code appears flawless, vulnerabilities may still quietly emerge due to compiler issues.

Thus, runtime protection will become necessary. Unlike existing risk control measures that focus on the protocol source code layer and take effect before execution, runtime protection involves protocol developers writing runtime protection rules and operations to handle unforeseen situations during execution. This helps in real-time evaluation and response to execution results.

According to predictions by crypto asset management company Bitwise, the total value of cryptocurrency assets will reach $16 trillion by 2030. If we quantitatively analyze from the perspective of Security Cost Risk Assessment, the occurrence of on-chain security incidents leads to nearly 100% asset loss, so the exposure factor (EF) can be set to 1, making the single loss expectancy (SLE) $16 trillion. When the annualized rate of occurrence (ARO) is 1%, we can derive the annual loss expectancy (ALE) to be $160 billion, which is the maximum value of security investment costs for cryptocurrency assets.

Based on the severity, frequency, and rapid growth of the market scale of cryptocurrency security issues, we can foresee that Web3 security will be a multi-billion dollar market, growing rapidly alongside the Web3 market and user scale. Furthermore, considering the significant growth in the number of individual users and the increasing focus on asset security, we can anticipate that the C-end market for Web3 security services and products will experience exponential growth, representing an untapped blue ocean market.

Analysis of the Web3 Security Track

As Web3 security issues continue to emerge, there is a noticeable increase in demand for advanced tools that can protect digital assets, verify the authenticity of NFTs, monitor decentralized applications, and ensure compliance with anti-money laundering regulations. Statistics show that the current security threats faced by Web3 mainly come from:

• Protocol-targeted hacking attacks

• User-targeted scams, phishing, and private key theft

• Security attacks on the chain itself

To address these risks, companies in the current market mainly focus on ToB testing and auditing (Pre-Chain) and ToC monitoring (On-Chain) to launch corresponding services and tools. Compared to ToC, players in the ToB track have been in the market longer and continue to see new entrants. However, as the Web3 market environment becomes more complex, ToB auditing is gradually struggling to cope with various security threats, highlighting the growing importance of ToC monitoring and its increasing demand.

• ToB

Currently, companies like Certik and Beosin represent the ToB market, providing testing and auditing services. These companies mainly offer services at the smart contract level, conducting security audits and formal verification of smart contracts. Through these Pre-Chain methods, such as wallet visualization analysis, smart contract vulnerability security analysis, and source code security audits, risks can be reduced to some extent.

• ToC

ToC monitoring is executed on-chain (On-Chain) through risk analysis, transaction simulation, and state monitoring of smart contract code, on-chain status, and user transaction metadata. Compared to ToB, Web3's C-end security companies were generally established later, but their growth rate is quite impressive. Services provided by Web3 security companies like GoPlus are gradually being applied across various Web3 ecosystems.

Since its establishment in May 2021, GoPlus has seen a rapid increase in daily API calls for its applications, from a few hundred queries per day initially to 20 million calls per day during peak market periods. The following chart shows the change in Token Risk API calls from 2022 to 2024, demonstrating the growth rate of GoPlus's importance in the Web3 field.

Its user data module has gradually become an essential component of various Web3 applications, playing a key role in top market websites like CoinMarketCap (CMC), CoinGecko, Dexscreener, Dextools, as well as leading decentralized exchanges like Sushiswap and Kyber Network, and wallets like Metamask Snap, Bitget Wallet, and Safepal.

Additionally, this module has been adopted by user security service companies like Blowfish, Webacy, and Kekkai. This indicates the significant role of GoPlus's user security data module in defining the security infrastructure of the Web3 ecosystem and proves its importance in contemporary decentralized platforms.

GoPlus primarily offers the following API services, providing comprehensive insights into user security data through targeted data analysis of multiple key modules to guard against evolving security threats and address the multifaceted challenges of Web3 security.

• Token Risk API: Used to assess risks associated with different cryptocurrencies

• NFT Risk API: Used to summarize the risks of various NFTs

• Malicious Address API: Used to identify and label addresses associated with fraud, phishing, and other malicious activities

• dApp Security API: Provides real-time monitoring and threat detection for decentralized applications

• Approval Contract API: Used to manage and audit smart contract call permissions

In the C-end track, we also noticed Harpie. Harpie focuses on protecting Ethereum wallets from theft and has collaborated with companies like OpenSea and Coinbase to protect thousands of users from scams, hacking, and private key theft. The products launched by this company tackle security threats through both "monitoring" and "recovery," monitoring wallets for vulnerabilities or threats, and immediately notifying and assisting users in fixing issues upon detection; they also respond promptly when users become victims of hacking or scams, saving assets. This dual approach effectively prevents attacks and addresses security emergencies, achieving significant results in Ethereum wallet security.

Additionally, ScamSniffer provides services in the form of a browser plugin. This product can conduct real-time detection through a malicious website detection engine and multiple blacklist data sources before users open links, protecting them from malicious website impacts. During online transactions, it provides detection against phishing and other scam tactics to safeguard user assets.

Next-Generation Security Products: Safeguarding Large-Scale Applications of Web3

In response to the aforementioned issues of asset security, behavioral security, protocol security, and the need for on-chain compliance, we have conducted in-depth research on the solutions provided by GoPlus and Artela, aiming to understand how they support the large-scale application of Web3 by maintaining user security environments and on-chain operating environments.

1. User Security Environment Infra

   Blockchain transaction security is the cornerstone of the security of large-scale Web3 applications. With frequent on-chain hacking attacks, phishing attacks, and rug pulls, ensuring the security of transaction traceability, identification of suspicious on-chain behaviors, and user profiling capabilities is crucial. Based on this, GoPlus has launched the first all-scenario personal security detection platform, SecWareX.

   SecWareX is a Web3 personal security product built on the SecWare user security protocol, providing a comprehensive, one-stop, all-encompassing security solution that includes real-time identification of on-chain runtime attacks, proactive alerts, timely interceptions, and post-incident dispute resolution, while supporting customized security interception strategies for asset issuance contracts tailored to specific scenarios.

   For user behavior security education, SecWareX cleverly combines learning security knowledge with token incentives through its Learn2Earn program, allowing users to enhance their security awareness while also receiving tangible rewards.

2. Compliance Solutions for Funds

   Anti-money laundering (AML) is one of the most urgent needs on public blockchains today. By analyzing factors such as the source, expected behavior, amount, and frequency of transactions on public chains, suspicious or abnormal behaviors can be promptly identified, aiding decentralized exchanges, wallets, and regulatory bodies in detecting potential illegal activities such as money laundering, fraud, and gambling, and taking timely measures such as warnings, freezing assets, or reporting to law enforcement, thereby enhancing the compliance and large-scale application of DeFi.

   As on-chain behaviors continue to diversify, Know Your Transaction (KYT) for decentralized applications will become an indispensable requirement for large-scale applications. GoPlus's Malicious Address API is crucial for exchanges, wallets, and financial services operating in Web3 to comply with regulatory requirements and ensure their operations, highlighting the intrinsic connection between regulatory compliance and technological advancement in the Web3 space, and emphasizing the importance of continuous monitoring and adaptation to ensure the integrity of the ecosystem and the safety of its users.

3. On-Chain Security Protocols

   Artela is the first public chain Layer 1 to natively support runtime protection. Through EVM++ design, Artela's dynamically integrated native extension module, Aspect, supports adding extension logic at various points in the transaction lifecycle, recording the execution status of each function call.

   When a threatening reentrant call occurs during the execution of a callback function, Aspect detects it and immediately rolls back the transaction, preventing attackers from exploiting reentrancy vulnerabilities. For example, to replicate the reentrancy attack protection of the Curve contract, Artela provides a chain-native level protocol security solution for various DeFi applications.

   As the complexity of protocols and the diversity of underlying compilers increase, the importance of "black-box" solutions for on-chain runtime protection becomes increasingly prominent compared to "white-box" solutions that only conduct static checks on contract code logic.

Conclusion

On January 10, 2024, the SEC announced the approval of the listing and trading of spot Bitcoin ETFs, representing the most significant step toward mainstream adoption of cryptocurrency assets. As the policy environment matures and security measures continue to strengthen, we will eventually witness the arrival of large-scale applications of Web3. If the large-scale application of Web3 is the surging waves, then Web3 security is the solid dam built to protect user assets, resisting external storms and ensuring that everyone can smoothly navigate through each wave.