Staying safe in web3: your guide to dapps security – crypto.news

As web3 grows, so do the risks associated with decentralized applications (dapps). Here, we share practical advice to mitigate these risks.

At the forefront of emerging web3 technologies are decentralized applications, often called dapps. They use interlinked smart contracts, code snippets that run on a blockchain, to perform specific tasks within the app. They are like a bridge between the current Internet (Web 2.0) and the developing web3.

Dapps leverage blockchain technology's inherent security, transparency, and indelibility to empower users with enhanced privacy and greater control over their data and digital assets. They function as the blockchain counterpart of traditional apps, covering social media, finance, gaming, and more.

Though the way you use a dapp might look similar to regular apps, what's happening behind the scenes is different. Instead of being stored on one big server, dapps are spread across many computers called nodes on a blockchain network.

The swift expansion of web3 has transformed the technological terrain. Yet, it's also brought new security challenges.

Amongst the most prominent security risks associated with web3 and decentralized applications are phishing attacks. These occur when malicious actors create fraudulent websites or social media accounts to trick users into disclosing their private keys or other confidential information.

Another closely related threat is social engineering, a deceptive method cybercriminals use to trick users into sharing their login credentials.

Some security shortcomings stem from the interaction between web3 and Web 2.0 infrastructures, while others are inherent to protocols like blockchain and IPFS (InterPlanetary File System).

Web3 relies on network consensus, which can slow down fixing these and other vulnerabilities.

Some main security risks include:

On Nov. 17, 2023, blockchain security platform Immunefi unveiled its report on the root causes of the most damaging vulnerabilities in web3.

The report, announced at Web Summit 2023, attended by crypto.news, introduces a new vulnerability classification standard for web3. The research indicates that the root causes of hacks fall into three discernable categories:

While smart contract protocols often receive ample attention, Immunefi pointed out that the danger might lie in the overlooked infrastructure level.

According to the report, almost half of all monetary losses from hacks in 2022 were caused by infrastructure issues such as poor private key handling. Moreover, it found that nearly 37.5% of all incidents were due to developer mistakes in smart contracts concerning access control, input validation, and arithmetic operations.

The platform's CEO, Mitchell Amador, emphasized that even a well-designed smart contract could be compromised if the underlying infrastructure is vulnerable, leading to substantial losses.

Blockchains are open and permissionless environments. That means you are not just protecting against someone who has managed to sneak into your infrastructure like you were in traditional web, you're protecting against anybody who can see your contracts, anybody who can mess with your product.

Sharing his thoughts with crypto.news, Alex Dulub, founder of Web3 Antivirus, a blockchain security firm, pointed out that the real threat for web3 and decentralized apps lies in vulnerabilities arising from incomplete smart contract logic. According to him, while developers may use specific requirements to define how smart contracts work, there's always a risk of them being used in unintended ways.

Dulub noted that hackers are being more creative, experimenting with smart contracts and projects, searching for inconsistencies to exploit.

Unfortunately, detecting such complex issues with automatic tools or analyzers is nearly impossible. The best approach? Consider rigorous testing, careful logic development, analysis of all potential usage scenarios, thorough auditing, and implementing a bug bounty program.

His concern was echoed by Sipan Vardanyan, co-founder and CEO of cybersecurity firm Hexens, who said that a hacker's job is to find what is not intended and to create new and more sophisticated vectors of attack.

Just knowing what's happening out there is absolutely crucial because it's a small field and news travels fast, so all you have to do is keep your hand on the pulse.

Immunefi's report shows that from January to October 2023, the web3 sector saw financial setbacks of more than $1.4 billion caused by 292 separate instances of fraud and hacking.

The report also indicated that hacks outweighed fraud regarding the cause of financial losses.

In October 2023, analysts attributed about $16 million in losses to hacking incidents, with DeFi platforms being the primary target for hackers and fraudsters.

Overall, in the third quarter of 2023, Immunefi's analysis identified 74 hacks and scams, leading to a total loss across the web3 ecosystem of $685 million.

The amount involved $662 million lost in 47 hacking incidents and $22 million in 27 incidents of fraud. Two projects, the Mixin Network and Multichain, witnessed most of the losses in Q3 2023, amounting to $200 million and $126 million, respectively.

Per Immunefi, the figures reflect an almost 60% surge compared to Q3 2022, when bad actors made off with about $428 million.

The Mixin and Multichain heists comprised more than 47% of all losses in the third quarter of 2023. In that period, hacking was the primary cause of losses, accounting for 96.7% in comparison to scams, frauds, and rug pulls, which made up only 3.3% of stolen funds.

Additionally, attackers targeted Ethereum (ETH) and BNB Chain (BNB) the most, with Ethereum suffering 33 incidents, while BNB Chain faced 25.

There was also a significant spike in the number of web3 attacks, with the number of single incidents increasing 147% year-on-year from 30 to 74 in Q3 2023.

Overall, the period witnessed the highest loss in 2023, most of it stemming from attacks by the Lazarus Group, which reports allege is behind high-profile attacks on CoinEx, Alphapo, Stake, and CoinsPaid.

In the attacks, the North Korea-linked group stole $208,600,000, representing 30% of the total losses in Q3 2023.

From a year-to-date perspective, the crypto ecosystem reported losses of $1,410,669,002 across 292 incidents. The third quarter of 2023 was particularly severe, with losses exceeding $340 million in September and $320 million in July.

Here are the measures web3 users can take to protect themselves and their assets from bad actors:

Ensuring web3 security is not a one-time task but a continuous process that involves proactive risk identification, strategic choice of blockchain design, regular audits, and constant learning.
