Web 3 Security: Best Practices for a Privacy-Driven Future
The Web3 ecosystem faces many security challenges, including those inherited from Web2 and those from new attack vectors.
Best practices such as smart contract audits, blockchain analytics, and real-time monitoring are essential to fostering a secure Web3 ecosystem.
Binance has developed key security infrastructure services and products for the Web3 community, including custody solutions based on multi-party computation (MPC), wallet management systems, and more.
Web3 gives us a chance to reimagine the Internet and rebuild platforms using fresh principles. As a nascent industry, however, it has also ushered in a new class of cyber threats, ranging from smart contract vulnerabilities to rug pulls.
To help our users and project founders better navigate this ever-changing ecosystem, Binance Labs is pleased to invite industry leaders and our in-house experts to share their insights on the Web3 security landscape and its best practices.
Overview of the Web3 Security Industry
The Web3 threat landscape is evolving rapidly. Bad actors tend to choose the most economical and efficient ways to attack, such as using malicious smart contracts on the front end. Many Web2 threats, such as phishing, SIM swaps, malware payloads, and bot attacks, continue to be effective in Web3.
In comparison with Web2 security solutions, however, there are not many security tools to prevent such hacks in Web3. In the Web2 enterprise world, we have antivirus software, firewalls, security suites on the cloud, and a VPN or Zero Trust for network access. In the Web3 landscape, most projects employ only single-layer security solutions that are far from sufficient in deterring attacks.
According to a PwC report, blockchain technology is expected to boost global gross domestic product (GDP) by over 25 times to $1.76 trillion (representing 1.4% of global GDP) by 2030. But as blockchain adoption expands, incidences of theft have increased as well.
Hackers exploiting vulnerabilities in smart contracts caused losses of over $1.3 billion in 2021 (up 250% from 2020), and $1.8 billion within five months in 2022 (up 138% from 2021). While we witnessed DeFi growth (total value locked increased 16-fold) and a rise in the number of cross-chain bridges, new vulnerabilities also resulted in more thefts and hacks.
Source: DeFi Pulse.
Total losses year-to-date (YTD) in 2022 amount to a whopping $2,338,910,183, with about 377 attacks recorded; over $2 billion was lost to hacks in the first seven months of the year. Most DeFi companies rely on audit firms to review and verify their smart contract code before deployment, but these smart contracts are still susceptible to hacks, which fall into four categories: major hacks, flash loan attacks, exit scams, and NFTs.
One of the most infamous hacks of the year was that of the Ronin Network, which recorded a $624 million loss. The phishing attack targeted Sky Mavis employees, with the hackers representing a fake company contacting them via LinkedIn and conducting fake interviews with those who showed interest.
The hackers, later identified as the North Korean group Lazarus, managed to send a document containing malware to a senior engineer, who opened it on his company laptop. This gave the attackers access to, and control of, enough validator nodes to steal the funds.
A more recent major incident involved the crypto bridge Nomad in August 2022. Exploiters drained approximately $190 million from the blockchain protocol by taking advantage of a vulnerability in the Nomad Bridge and tricking it into sending stored tokens without proper authorization. This incident has since led to an upgrade of Nomad’s protocol.
In February 2022, Wormhole Bridge was audited and approved by Neodyme. However, the project was still hacked and as a result, suffered a loss of over $320 million.
Flash Loan Attacks
Flash loan attacks have decreased greatly from an all-time high of $300.5 million in April 2022 to $700,000 in August 2022, a drop of nearly 100%. The most significant attack in August 2022 occurred on XStable, where the attacker made off with approximately $366,975 through price manipulation.
The XStable protocol has since self-destructed. However, the biggest flash loan attack so far involved the Beanstalk DeFi project, whose protocol was robbed of $182 million in April 2022.
Rug pulls and scams have also recorded a pronounced drop, falling 74% from $38.7 million in July 2022 to $10 million in August 2022. The largest exit scam incident involved Turkish cryptocurrency exchange Thodex, which defrauded over 400,000 Thodex investors of approximately $2.6 billion after a trading suspension.
In August 2022, a fake Twitter account imitating a project named We All Survived Death sold 155 fake NFTs worth 11.7 ETH. Another incident took place when hackers stole four Bored Ape NFTs and one Otherdeed NFT, whose total value reached 289.7 ETH (around $455,000 at the time).
These attacks emphasize the paramount importance of smart contract audits prior to deployment. Project founders should remain vigilant by taking preventive measures to protect their users.
Dynamic Analysis: A Deterrent Against Cyber Threats
As smart contract deployments and cross bridges become more common, the Web3 security landscape will grow increasingly complex. In light of this, on-chain alerts backed by sophisticated artificial intelligence (AI) have become a reliable way to ensure real-time threat detection and prevention.
In the aforementioned recent hacks, the projects suffered exploitation even though they had had their smart contract code audited within the six months before the incident. As such, project founders ought to incorporate additional security layers across the entire lifecycle of their projects.
Jason Jiang, Chief Business Officer at CertiK, said that “about 60% of projects do not perform an audit prior to product launch”. This is an alarming trend, given that most smart contract codes are open-source and largely immutable. One vulnerability in the system can lead to a loss of over $10 million.
Huagang Xie, CEO of Ancilia, emphasized the importance of embedding security measures as early as a project’s design phase. At this stage, project founders should tap into battle-tested libraries, understand the security threat landscape, and follow best practices for reviewing smart contract code.
After a project has been audited, real-time monitoring must take place. Founders should focus on understanding what is going on with the project, who interacts with its smart contracts, who may attack the project, and what the subsequent risks are. Ancilia’s website even contains the famous Sun Tzu quote: “If you know your enemy and know yourself, you need not fear the result of a hundred battles.”
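To make the "real-time monitoring" step concrete, here is an added example in Python; it is not code from Binance, Ancilia, CertiK or any other party named in this article. It runs a handful of simple alerting rules over a constructed sequence of on-chain events for a hypothetical protocol: a single transfer that drains more than a set fraction of total value locked (TVL), cumulative outflow over a rolling block window, an ownership or admin change from an address outside the known admin list, and the first interaction from a contract deployed only a few blocks earlier. The Event fields, thresholds, addresses and transaction hashes are all assumptions made for the example; in practice the events would come from a node's logs or an indexer.

```python
"""Toy on-chain monitoring rules over constructed event records (added example, not project code)."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """One observed on-chain event, simplified for the example (assumed schema)."""
    block: int
    tx: str
    kind: str                     # "Transfer" (tokens leaving the protocol), "Call", "OwnershipTransferred"
    sender: str
    amount: int = 0               # token units moved out of the protocol, meaningful for "Transfer" only
    sender_is_contract: bool = False
    sender_age_blocks: int = 0    # blocks since the sender address was first seen on-chain


@dataclass
class MonitorConfig:
    """Alerting thresholds; the defaults are illustrative, not recommendations."""
    tvl: int                            # total value locked, in the same units as Event.amount
    single_tx_fraction: float = 0.10    # one transfer moving more than 10% of TVL
    window_blocks: int = 10             # rolling window for cumulative outflow
    window_fraction: float = 0.25       # more than 25% of TVL leaving within window_blocks
    fresh_contract_blocks: int = 3      # contract deployed fewer than this many blocks ago
    known_admins: Set[str] = field(default_factory=set)


Alert = Tuple[str, int, str]   # (rule name, block number, tx hash)


def evaluate(events: List[Event], cfg: MonitorConfig) -> List[Alert]:
    """Replay events in block order and return the alerts the rules raise."""
    alerts: List[Alert] = []
    flagged_fresh: Set[str] = set()              # fresh contracts already reported once
    window: List[Tuple[int, int]] = []           # (block, amount) of recent outflows
    for e in sorted(events, key=lambda ev: ev.block):   # stable sort keeps same-block order
        # Rule 1: first interaction from a contract that was deployed moments ago.
        if (e.sender_is_contract and e.sender_age_blocks < cfg.fresh_contract_blocks
                and e.sender not in flagged_fresh):
            flagged_fresh.add(e.sender)
            alerts.append(("fresh-contract-interaction", e.block, e.tx))
        # Rule 2: privileged change from an address outside the admin allowlist.
        if e.kind == "OwnershipTransferred" and e.sender not in cfg.known_admins:
            alerts.append(("unknown-admin-change", e.block, e.tx))
        if e.kind == "Transfer":
            # Rule 3: a single transaction drains a large share of TVL.
            if e.amount > cfg.tvl * cfg.single_tx_fraction:
                alerts.append(("large-outflow", e.block, e.tx))
            # Rule 4: cumulative outflow over the last window_blocks blocks.
            window = [(b, a) for b, a in window if b > e.block - cfg.window_blocks]
            window.append((e.block, e.amount))
            if sum(a for _, a in window) > cfg.tvl * cfg.window_fraction:
                alerts.append(("window-outflow", e.block, e.tx))
    return alerts


# Constructed sample: a normal withdrawal, then a freshly deployed contract draining funds
# and taking ownership, then normal activity resuming. Addresses and hashes are placeholders.
SAMPLE_EVENTS = [
    Event(100, "0xtx1", "Transfer", "0xalice", amount=50, sender_age_blocks=5000),
    Event(101, "0xtx2", "Call", "0xnew_contract", sender_is_contract=True, sender_age_blocks=0),
    Event(101, "0xtx2", "Transfer", "0xnew_contract", amount=150, sender_is_contract=True, sender_age_blocks=0),
    Event(103, "0xtx3", "Transfer", "0xnew_contract", amount=90, sender_is_contract=True, sender_age_blocks=2),
    Event(105, "0xtx4", "OwnershipTransferred", "0xnew_contract", sender_is_contract=True, sender_age_blocks=4),
    Event(120, "0xtx5", "Transfer", "0xalice", amount=60, sender_age_blocks=5020),
]
SAMPLE_CONFIG = MonitorConfig(tvl=1000, known_admins={"0xdeployer_multisig"})


def run_sample() -> List[Alert]:
    """Evaluate the constructed sample; returns four alerts (see rules above)."""
    return evaluate(SAMPLE_EVENTS, SAMPLE_CONFIG)


if __name__ == "__main__":
    for rule, block, tx in run_sample():
        print(f"ALERT {rule} at block {block} ({tx})")
```

The point of the example is less the thresholds than the shape of the pipeline: events are replayed in block order, every rule is cheap enough to run on each event, and the output names the rule, the block and the transaction so an on-call engineer can act on it. Real deployments would add per-address baselines, pause or rate-limit hooks wired to the protocol's governance, and deduplication across rules.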
According to Nicholas Chiu, Director of Operations of Salus Security, “when recruiting Web3 developers, project founders should make sure that developers have reverence for security, as the codes designed by them determine the security of users’ assets and information”.
Guardrails by Binance to Curb Web3 Security Challenges
Binance has developed several key security infrastructure services and products for the Web3 community, including custody solutions based on multi-party computation (MPC), and wallet management systems.
In addition, Binance also provides automated smart contract scanning, risk-scoring services, bug bounty programs, post-hack support, Red Alarm on the BNB Chain, and more. Our team recognizes that security is a tough job, especially amid the growing popularity of projects and systems. Key security challenges project founders face include:
Securing fundamental IT infrastructure, such as domain names and the networking environment, to prevent attacks.
Minimizing the potential for exploitation of bugs in smart contract logic and code.
Managing wallets and funds with fewer risks while introducing necessary governance and internal controls on operations.
Binance’s risk management plan extends to projects listed on Binance. Initiatives to enhance the security of our listed projects include a complimentary smart contract audit by CertiK, coupled with security recommendations. Additionally, the Binance team will continue to publish educational articles on how project owners can better prevent DNS attacks.
Since its inception in 2017, Binance has been working hard to tackle security challenges as the industry evolves. Here are some security tips we’d like to share:
Make sure all your team members — not just those in security — undergo training for security fundamentals.
Identify the weakest link in your system, such as excessive permissions for operation teams.
Conduct a regular review of your system and teams, and be adaptive to changes in the Web3 security landscape.
Minimize the risk of attacks by securing wallet key management, administration servers, and code permissions using zero trust and granting access on a need-to-know basis.
First Binance Labs AMA collaboration
We recently invited thought leaders and industry experts to share some best practices and options for securing crypto. Those who missed it may access the recording via this link.
CertiK is a security-first ranking platform that analyzes and monitors blockchain protocols and DeFi projects using formal verification and AI technology. The team has assisted Binance’s listed projects in identifying vulnerabilities in their on-chain smart contract code.
Recently, CertiK strengthened its Skynet product with more features to make CertiK’s Alert Service available both on-and off-chain. These features include deep-dive incident analysis, social sentiment analysis, and liquidity health tracking.
Web3 is a new technical stack, and CertiK is tackling its challenges by delivering safety-critical services. To date, it has achieved a security rate of more than 99.9%, secured close to $300 billion in crypto assets, served over 3,200 clients, and conducted over 250 monthly audits.
Ancilia is a real-time, behavior-based threat detection and prevention platform. Its platform collects on-chain and off-chain data and provides an in-depth analysis through a threat detection engine. Compared to existing solutions, the platform can protect Web3 projects through their entire lifecycle.
Some of its key features include smart contract security analysis, malicious and abnormal activity detection, asset monitoring and protection, governance process monitoring, external data quality monitoring and assurance, and malicious activity prevention.
Currently in the closed beta stage, Ancilia specializes in securing information assets with adaptive machine learning, continuous monitoring, rapid breach detection, and more.
About Salus Security
Salus Security is a full-suite blockchain cybersecurity company that provides automated smart contract auditing services and manual expert audits. Salus offers bleeding-edge blockchain security solutions that help clients lead their respective industries and unlock their Web3 potential by building trust into their technology and infrastructure.
Able to take on the most complex security issues in the industry with their depth of experience across both traditional and blockchain security, Salus aims to make security services accessible for all today to secure the digital economy of tomorrow.
Conclusion: Security Hygiene in Web3
The responsibility of ensuring a secure Web3 landscape falls to crypto companies that serve millions of users globally. Projects should use reputable domain management vendors and conduct regular smart contract audits to ensure maximum security.
Users should safeguard their funds by not clicking on suspicious links, clearing their DNS cache periodically, and regularly scanning for harmful programs on their devices:
Store all private keys safely.
Never use your computer clipboard to copy your keys and never back up your wallet on any cloud software.
Choose the most reputable platform to reduce counterparty risk.
Ensure a safe operating system by installing security tools such as anti-virus and anti-phishing software.
Use a burner wallet with minimal funds for minting NFTs or making any transaction on a decentralized app (DApp).
As the venture capital and accelerator arm of Binance, Binance Labs will continue in its efforts to invest in crypto security projects and provide more guardrails for the Web3 industry. For blockchain and Web3 to grow sustainably, we must prioritize building a secure ecosystem first. We hope other projects can learn from the information in this article and focus on the most crucial aspect — protecting our users.