Wei Lien Dang is a general partner at Unusual Ventures, leading investments in security, infrastructure software and developer tools. He was previously co-founder of StackRox, a cloud-native security company acquired by Red Hat.
In both Web 1.0 and Web 2.0, security models changed in tandem with application architectures to help unlock entirely new economies. In Web 1.0, Secure Sockets Layer (SSL) was pioneered by Netscape to provide secure communication between user browsers and those servers. Trusted Web 2.0 intermediaries such as Google, Microsoft, Amazon and certificate authorities played a central role in driving implementation of Transport Layer Security (TLS), the successor to SSL.
The same will happen for web3. This is the key reason why investment in new web3 security companies increased last year more than 10x to over $1 billion.
The success of web3 hinges on innovation to solve new security challenges created by different application architectures. In web3, decentralized applications or “dApps” are built without relying on the traditional application logic and database layers that exist in Web 2.0; instead, a blockchain, network nodes, and smart contracts are used to manage logic and state.
Users still access a front end, which connects to those nodes, to update data such as publishing new content or making a purchase. These activities require users to sign transactions using their private keys, typically managed with a wallet, a model that is intended to preserve user control and privacy. Transactions on the blockchain are fully transparent, publicly accessible and immutable (meaning they cannot be changed).
Like any system, this design has security trade-offs. The blockchain does not require actors to be trusted as in Web 2.0, but making updates to address security problems is harder. Users get to maintain control over their identities, but no intermediaries exist to provide recourse in the event of attacks or key compromises (e.g., how Web 2.0 providers can revert stolen funds or reset passwords). Wallets can still leak sensitive information like an Ethereum address – it’s still software, which is never perfect.
The success of web3 hinges on innovation to solve new security challenges created by different application architectures.
These trade-offs rightfully prompt significant security concerns, but they should not stymie web3 momentum and, practically speaking, they are unlikely to.
Consider the parallels to Web 1.0 and Web 2.0 again. The initial versions of SSL/TLS had critical vulnerabilities. Early security tooling was rudimentary at best and became more robust over time. Web3 security companies and projects like Certik, Forta, Slithe, and Securify are the equivalents of the code-scanning and application security testing tools that were originally developed for Web 1.0 and Web 2.0 applications.
However, in Web 2.0, a substantial part of the security model is about response. In web3, where transactions cannot be changed once executed, mechanisms must be built in to verify if transactions should happen in the first place. In other words, security has to be exceptionally good at prevention.
This means the web3 community has to figure out how best to technically address systemic weaknesses to head off new attack vectors that target everything from cryptographic primitives to smart contract vulnerabilities. In parallel, there are at least four initiatives that would advance a preventative web3 security model:
Source-of-truth data for vulnerabilities
There needs to be a source of truth for known web3 vulnerabilities and weaknesses. Today, the National Vulnerability Database provides the core data for vulnerability management programs.
Web3 needs a decentralized equivalent. For now, incomplete information lives scattered across places such as SWC Registry, Rekt, Smart Contract Attack Vectors and DeFi Threat Matrix. Bug bounty programs such as those run by Immunefi are meant to surface new weaknesses.
Security decision-making norms
The decision-making model for critical security design choices and individual incidents in web3 is currently unknown. Decentralization means that no one owns the problems, and the ramifications for users can be significant. Examples such as the recent Log4j vulnerability are cautionary tales for leaving security up to a decentralized community.
There needs to be greater clarity regarding how decentralized autonomous organizations (DAOs), security experts, providers such as Alchemy and Infura, and others collaborate to manage emergent security issues. There are applicable lessons from how large open source communities have formed the OpenSSF and CNCF advisory groups and established processes to tackle security issues.
Authentication and signing
Most dApps, including the most prominent ones, today do not authenticate or sign their API responses. This means that when a user’s wallet retrieves data from these apps, there is a gap in verifying that the response is coming from the intended app and that the data has not been tampered with in some way.
In a world where apps do not employ basic security best practices, it is left to users to determine their security posture and trustworthiness, a task that is practically impossible. At a minimum, there need to be better methods to surface risks to users.
Easier, user-controlled key management
Cryptographic keys underpin users’ ability to transact in the web3 paradigm. Cryptographic keys are also notoriously hard to manage properly; entire businesses have been and continue to be built around managing keys.
The complexity and risk involved with managing private keys is the primary consideration that drives users to choose hosted wallets rather than non-custodial ones. However, the use of hosted wallets leads to two tradeoffs: they result in new “intermediaries” like Coinbase, which detract from the fully decentralized direction of web3; and they restrict users’ ability to take advantage of all that web3 has to offer. Ideally, further security innovation will provide users with both better usability and protections for non-custodial scenarios.
It is worth noting that the first two initiatives center more around people and processes, while the third and fourth initiatives will require technological changes. Getting new technology, nascent processes, and a large number of users aligned is what makes figuring out web3 security hard.
At the same time, one of the most encouraging changes is that web3 security innovation is happening in the open, and we should never underestimate how that can lead to creative solutions.