Web3 Security: Best practices for a privacy-conscious future
Omatech Web3
28/12/2022
The Web3 ecosystem faces many security challenges, both inherited from Web2 and arising from new attack vectors. Implementing best practices such as smart contract audits, blockchain analytics and real-time monitoring is essential to promoting a secure Web3 ecosystem. Omatech Web3 recognizes this and has developed critical Web3 security infrastructure products and services, including custodial solutions based on multi-party computation (MPC), wallet management systems, and many other products and services.
Web3 allows us to reimagine the Internet and rebuild platforms using new principles. However, as a nascent industry, Web3 has also ushered in a new kind of cyber threat, from smart contract vulnerabilities to runaway withdrawals.
To help our users and project founders better navigate this ever-changing ecosystem, the Omatech team is happy to share its industry insights into the Web3 security landscape and the best practices that go with it.
Web3 Security Industry Overview
Web3 threats are evolving rapidly. The bad guys choose the most economical and effective attack methods, such as serving malicious smart contracts through the user interface. Many Web2 threats, such as spoofing, SIM hijacking, malware, and bot attacks, continue to be used in Web3.
However, compared to Web2 security solutions, there are few security tools to prevent such hacks in Web3. In the Web2 enterprise world, we have anti-virus software, a firewall, a cloud security suite, and a VPN or Zero Trust for network access. In Web3, most projects only use single-layer security solutions, which are not enough to prevent attacks.
According to a PwC report, blockchain technology is expected to boost global gross domestic product (GDP) more than 25 times to $1.76 trillion (1.4% of global GDP) by 2030. But as blockchain adoption expands, so does the rate of theft.
Hackers exploiting vulnerabilities in smart contracts caused more than $1.3 billion in damage in 2021 (up 250% compared to 2020) and $1.8 billion in the first five months of 2022 (up 138% compared to 2021). While we see DeFi growth (16x total value locked) and an increase in cross-chain activity, new vulnerabilities also lead to more thefts and hacks.
Source: CertiK. Source: DeFi Pulse.
Total year-to-date (YTD) losses in 2022 amount to a whopping 2,338,910,183 USD, with around 377 attacks recorded; more than $2 billion was lost to hacking in the first seven months of the year. Most DeFi companies rely on auditing firms to review and verify smart contract code before deployment, but these smart contracts remain vulnerable. The attacks fall into four categories: major hacks, flash loan attacks, exit scams, and NFT attacks.
Major hacks
One of the most notorious hacks of the year was that of the Ronin network, with a loss of $624 million. The attack began with phishing aimed at Sky Mavis employees: hackers posing as a fake company contacted them via LinkedIn and conducted mock interviews with those who showed interest.
The hackers, later identified as North Korea's Lazarus Group, sent a document containing malware to a senior engineer, who opened it on a company laptop. This allowed the hackers to gain access to enough validator nodes to steal the funds.
A recent major incident involving the Nomad cryptocurrency bridge occurred in August 2022. Attackers withdrew approximately $190 million from the protocol by exploiting a vulnerability in the Nomad bridge that tricked it into releasing stored tokens without the appropriate authorization. This incident resulted in a protocol upgrade of Nomad.
In February 2022, the Wormhole Bridge was audited and approved by Neodyme. However, the project was still hacked and, as a result, suffered more than $320 million in damage.
Flash loan attacks
Flash loan attacks have dropped heavily from an all-time high of $300.5 million in April 2022 to $700,000 in August 2022, a drop of almost 100%. The most significant attack in August 2022 hit XStable, where the attacker made around $366,975 through price manipulation.
Since then, the XStable protocol has self-destructed. However, the most prominent flash loan attack to date involved the Beanstalk DeFi project, whose protocol was drained of $182 million in April 2022.
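The price manipulation behind flash loan attacks works because a contract values assets from one pool's instantaneous reserves, which a single large trade can move within one block. The following Python model is an added illustration, not code from the article or from any protocol it names: it compares a pool's spot price with a time-weighted average price (TWAP) when one large trade lands in the last block of the window, and shows the deviation check a consuming contract could apply before trusting a spot reading. The constant-product pool, its reserves, the trade size and the 5% threshold are all constructed assumptions.

```python
"""Spot price vs. time-weighted average price (TWAP) under a single-block
price move, as a constructed illustration of why a lending or stablecoin
contract should not value collateral from one pool's instantaneous reserves.

This is an added example, not code from the original article or from any
protocol named in it. The pool is a plain constant-product market
(reserve_a * reserve_b = k) with no fee; all reserves, trade sizes and the
deviation threshold are made-up illustration values.
"""
from dataclasses import dataclass


@dataclass
class ConstantProductPool:
    """Minimal x*y=k pool holding two tokens, A and B, with no swap fee."""
    reserve_a: float
    reserve_b: float

    def spot_price_a_in_b(self) -> float:
        """Instantaneous price of one A in units of B, read straight from reserves."""
        return self.reserve_b / self.reserve_a

    def swap_a_for_b(self, amount_a: float) -> float:
        """Sell amount_a of A into the pool and return the B paid out."""
        k = self.reserve_a * self.reserve_b
        new_reserve_a = self.reserve_a + amount_a
        new_reserve_b = k / new_reserve_a
        paid_out = self.reserve_b - new_reserve_b
        self.reserve_a, self.reserve_b = new_reserve_a, new_reserve_b
        return paid_out


def twap(block_prices: list[float]) -> float:
    """Time-weighted average over one price observation per block (equal weights)."""
    return sum(block_prices) / len(block_prices)


def price_is_sane(spot: float, reference: float, max_deviation: float = 0.05) -> bool:
    """Circuit-breaker check a consumer contract could apply before trusting a
    spot price: reject it if it departs from the TWAP by more than max_deviation."""
    return abs(spot - reference) / reference <= max_deviation


def single_block_move_demo(trade_size_a: float, window_blocks: int = 10):
    """Return (honest_spot, moved_spot, twap_over_window, spot_accepted).

    The pool trades at a steady price for window_blocks - 1 blocks; one large
    sell of A lands in the final block. A contract reading the spot price in
    that block sees the moved value, while the TWAP barely changes.
    """
    pool = ConstantProductPool(reserve_a=1_000.0, reserve_b=1_000.0)
    honest_spot = pool.spot_price_a_in_b()            # 1.0 B per A
    history = [honest_spot] * (window_blocks - 1)
    pool.swap_a_for_b(trade_size_a)                   # the distorting trade
    moved_spot = pool.spot_price_a_in_b()
    history.append(moved_spot)
    average = twap(history)
    return honest_spot, moved_spot, average, price_is_sane(moved_spot, average)


if __name__ == "__main__":
    honest, moved, average, accepted = single_block_move_demo(1_000.0)
    print(f"honest spot {honest:.3f}, spot after trade {moved:.3f}, "
          f"TWAP {average:.3f}, spot accepted by sanity check: {accepted}")
```

With a trade equal to the whole reserve, the spot price falls 75% while the ten-block TWAP moves only 7.5%, and the deviation check rejects the spot reading; a routine-sized trade passes. Real on-chain oracles use fixed-point integers and cumulative price accumulators rather than floats, but the dampening effect is the same.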
Exit scams
Exit scams have also declined markedly, dropping 74% from $38.7 million in July 2022 to $10 million in August 2022. The most significant exit scam to date involved the Turkish crypto exchange Thodex, which defrauded more than 400,000 investors of about $2.6 billion after suspending trading.
NFTs
In August 2022, a fake Twitter account mimicking a project called We All Survived Death sold 155 fake NFTs worth 11.7 ETH. In another incident, hackers stole four Bored Ape NFTs and one Otherdeed NFT, totaling 289.7 ETH (about 455,000 USD).
These attacks emphasize the importance of smart contract audits before deployment. Project founders should stay vigilant by taking precautions to protect their users.
Source: CertiK
Dynamic Analytics: Determined to Fight Cyber Threats
As smart contract implementations and bridges become more common, securing Web3 will become increasingly complex. As a result, on-chain alerts backed by sophisticated artificial intelligence (AI) have become a trusted way to ensure real-time threat detection and containment.
In the recent hacks mentioned above, projects were exploited even though they had audited their smart contract code for six months. Project founders should therefore add layers of security for the project's entire life.
Jason Jiang, Sales Manager at CertiK, said that "about 60% of projects do not perform pre-launch audits". This is an alarming trend, as most smart contract code is open source and largely immutable. A single vulnerability in the system can lead to more than 10 million USD in damages.
Huagang Xie, CEO of Ancilia, emphasized the importance of embedding security measures from the project's design phase onward. At this stage, project founders should use tested libraries, understand security threats, and follow smart contract code review best practices.
Real-time monitoring must continue after the project has been audited. Founders should focus on understanding what is going on with the project, who interacts with the smart contracts, who could attack the project, and what the associated risks are. Ancilia's website even quotes Sun Tzu: "Know yourself, know people, win a hundred battles."
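The monitoring questions above (who interacts with the contracts, and what is leaving the protocol) translate into simple stateful rules over a stream of decoded events. The following Python monitor is an added example, not code from the article or from any vendor it names: it raises an alert when a never-seen address calls a privileged function and when a withdrawal spikes against a rolling baseline of recent outflows, with a warm-up period so the first few events do not trigger false positives. The event schema, the privileged function names and every sample event are constructed for illustration.

```python
"""Rule-based real-time monitor over a stream of decoded contract events:
who calls the contract, whether a never-seen address calls a privileged
function, and whether outflows spike against a rolling baseline.

Added example, not code from the original article or from any vendor it
names. The event schema, the privileged function names and every sample
event below are constructed for illustration.
"""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    block: int
    sender: str       # address that called the contract
    function: str     # decoded function name
    amount: float     # value that left the protocol in this call, 0 if none


@dataclass(frozen=True)
class Alert:
    block: int
    rule: str
    detail: str


class ContractMonitor:
    """Stateful monitor: feed events in block order, collect alerts."""

    def __init__(self, privileged_functions, window_blocks: int = 20,
                 spike_multiplier: float = 5.0, min_observations: int = 3):
        self.privileged = set(privileged_functions)
        self.window_blocks = window_blocks
        self.spike_multiplier = spike_multiplier
        # Warm-up: no spike verdict until the window holds enough observations,
        # otherwise the very first withdrawal would be flagged against nothing.
        self.min_observations = min_observations
        self.seen_senders: set[str] = set()
        self.recent_outflows: deque[tuple[int, float]] = deque()

    def _baseline(self, block: int) -> float | None:
        """Mean outflow over the rolling window, or None if too few observations."""
        while self.recent_outflows and self.recent_outflows[0][0] < block - self.window_blocks:
            self.recent_outflows.popleft()
        if len(self.recent_outflows) < self.min_observations:
            return None
        return sum(a for _, a in self.recent_outflows) / len(self.recent_outflows)

    def process(self, ev: Event) -> list[Alert]:
        alerts: list[Alert] = []
        if ev.function in self.privileged and ev.sender not in self.seen_senders:
            alerts.append(Alert(ev.block, "new-caller-privileged",
                                f"{ev.sender} called {ev.function} on first contact"))
        if ev.amount > 0:
            baseline = self._baseline(ev.block)
            if baseline is not None and ev.amount > self.spike_multiplier * baseline:
                alerts.append(Alert(ev.block, "outflow-spike",
                                    f"{ev.amount:g} out vs baseline {baseline:g}"))
            self.recent_outflows.append((ev.block, ev.amount))
        self.seen_senders.add(ev.sender)
        return alerts


# Constructed sample stream: routine withdrawals, then an unknown address
# reconfigures the oracle and drains far more than the recent norm.
SAMPLE_EVENTS = [
    Event(100, "0xaaa", "withdraw", 10.0),
    Event(101, "0xbbb", "withdraw", 12.0),
    Event(102, "0xccc", "withdraw", 8.0),
    Event(103, "0xaaa", "deposit", 0.0),
    Event(104, "0xbbb", "withdraw", 11.0),
    Event(106, "0xdead", "setOracle", 0.0),
    Event(107, "0xdead", "withdraw", 500.0),
]


def run_monitor(events: list[Event]) -> list[Alert]:
    """Replay events in block order through a fresh monitor and return all alerts."""
    monitor = ContractMonitor(privileged_functions={"setOracle", "upgradeTo", "pause"})
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e.block):
        alerts.extend(monitor.process(ev))
    return alerts


if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_EVENTS):
        print(f"block {alert.block}: [{alert.rule}] {alert.detail}")
```

On the sample stream the routine withdrawals produce nothing, the first call to setOracle from an unknown address raises one alert, and the 500-unit withdrawal against a baseline of about 10 raises a second. In production the same two rules would be fed from a node's event subscription and tuned per contract; the warm-up and window sizes are where most false-positive tuning happens.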
According to Nicholas Chiu, Chief Operating Officer of Salus Security, “when hiring Web3 developers, project founders should ensure that developers respect security because the code they design determines the security of user assets and information”.
About CertiK
CertiK is a leading security platform that analyzes and monitors blockchain protocols and DeFi projects using formal verification and AI technology. The team has helped Binance-listed projects identify vulnerabilities in their on-chain smart contract code.
Recently, CertiK has consolidated its Skynet product with more features to provide the CertiK Alert Service both on-chain and off-chain. These features include in-depth incident analysis, social sentiment analysis, and liquidity monitoring.
Web3 is a new engineering stack, and CertiK is addressing the challenge by providing safety-critical services. CertiK has achieved a security rate of more than 99.9%, secured nearly $300 billion in crypto assets, served more than 3,200 customers, and performs over 250 audits a month.
About Ancilia
Ancilia is a real-time behavior-based threat detection and prevention platform. Ancilia’s platform collects on-chain and off-chain data and provides in-depth analysis through a threat detection engine. Compared to existing solutions, this platform can protect Web3 projects throughout the entire project lifecycle.
Some of the platform's key features include smart contract security analysis, malicious and anomalous activity detection, asset protection and monitoring, governance process monitoring, quality assurance, external data monitoring, and prevention of malicious activity.
Ancilia is currently in beta with a small team that secures information assets with adaptive machine learning, continuous monitoring, rapid breach detection, and more.
About Salus Security
Salus Security is a comprehensive blockchain cybersecurity company that provides automated smart contract audits and expert manual audits. Salus provides cutting-edge blockchain security solutions that help customers lead in their industries and unlock the potential of Web3 by building trust in technology and infrastructure.
Salus can handle the most complex security issues in the industry based on its extensive experience in both traditional and blockchain security. Salus aims to provide security services to everyone to secure the future digital economy.
Conclusion: State of Security in Web3
Keeping Web3 secure rests with cryptocurrency companies serving millions of users globally. Projects should use reputable domain name management providers and conduct regular smart contract audits to ensure maximum security.
Users should protect their funds by not clicking on suspicious links, periodically clearing the DNS cache, and regularly scanning their devices for malware. They should also:
Store all private keys securely.
Never use your desktop clipboard to copy keys, and never back up your wallet to any cloud service.
Choose the most reputable platforms to reduce counterparty risk.
Ensure the operating system is secure by installing security tools such as anti-virus and anti-phishing software.
Use a burner wallet holding only a minimal amount to mint NFTs or transact on any decentralized application (DApp).
If you want to build a secure Web3 platform, contact Omatech Web3 today. Our experts can make your dream project a reality.