Banner_Security_WEB3_01_C_v1 (1).png

TL;DR

This report touches down on:

Authors

*More info, full report access and download soon.

Executive Summary

This report provides a holistic representation of the Web 3.0 cybersecurity sector to paint a realistic image of the current conditions, identify the direction of growth and areas that are lacking, and provide a market analysis and an evaluation of the impact on adjacent areas. Key terms referring to the nature of Web 3.0, the underlying technologies of blockchain/smart contracts, and the different security practices are introduced and explained. Web3 security is categorized into three main components; smart contract security, cross-chain security as well as physical security with each explained. The report also provides an analysis of the current market size, the active players of the security sector, and a projection for the next few years, identifying the factors catalyzing growth. The penetration of traditional web2 financial institutions is considered through the analysis of specific TradFi companies, their security services, and the strategies employed. An analysis of past exploits showcases the importance of cybersecurity in web3, the infancy of the sector, and the need for a global standard of practice. The importance of security is widespread across a plethora of verticals with fundraising and venture capital investment being two areas of exploration in the report. The impact of smart contract auditing is scoped through the lens of finance by exploring the investments of the two most prominent web3 VCs. It is evident that security increases funding, invites users to the ecosystem, and opens the door for regulative measures that will help web3 become a mainstream industry.

Introduction

Bitcoin's launch in 2008 as the first ever peer-to-peer electronic cash system, laid the foundations for a new era in the world of electronic transactions; one that is open-source, encrypted, purely digital, and promisingly decentralized. In fact, it allowed users to engage in online payments directly from one party to another erasing the need for a third party to confirm the transactions (e.g. financial institutions) and replacing it with a public ledger, the blockchain. A network of interconnected computers became responsible for validating the transactions according to a consensus model. In other words, users were given the infrastructure that would allow them to confirm and validate their transactions [1].

In 2015, Ethereum launched, adding a second layer on top of peer-to-peer transactions with its groundbreaking introduction of smart contracts. That is, automated pieces of programmable code that once deployed on the blockchain become immutable. From then onwards, smart contracts have become the prime facilitator of innovative ideas as they are constantly expanding the spectrum of possibilities of blockchain technology. An era that once started with peer-to-peer electronic payments is growing into a digital renaissance where almost anything can be programmed into a smart contract; from financial transactions and cryptocurrencies to NFT art, real estate, and the possibilities are endless [2].

Under this premise, the decentralized nature of the new era of the Internet, also referred to as Web 3.0, is changing all the processes involved, with the security of smart contracts, digital funds, and assets being no exception. In contrast to the traditional centralized paradigm (Web 2.0) where information is monopolistically held in privately owned servers and secured by privately developed software, in the world of Web 3.0, open-source and publicly accessible blockchain architectures are replacing centralized servers, altering the established modus operandi. Consequently, cybersecurity gets reinvented with smart contract auditing getting summoned among the core industry best practices. Instead of law-binding contracts safeguarded by a joint system involving lawyers, notaries, economists, and auditing firms, now automated digital contracts get executed as soon as the predetermined parameters get fulfilled, constituting programmers as the new-age auditors primarily responsible for securing the smart contracts and ensuring user-friendly, safe, and secure transactions.

The aims and objectives of this report are to analyze security in the world of Web 3.0, providing the reader with background information on related core concepts, while also elaborating on smart contract auditing, best practices, and market leaders. Given that auditing in Web3 is still in its infancy, the information presented in this report is subject to the small amount of data that is publicly available, a fact that confirms the very infancy of the sector while also reflecting the current average view; one that undermines and overlooks the importance of audited code.

The following sections will touch upon common (cyber)security issues that have often led to smart contract exploits and loss of funds, and attempt to present an analysis of the Web3 auditing market. In conclusion, the report aspires to provide adequate insights that showcase the importance of robust security as well as the impact of smart contract auditing on users, developers, investors, and regulators.

Basic Terminology

While auditing is a rather well-known term used to refer to the systematic and independent examination of books, accounts, documents, and financial statements of an organization to determine the accuracy and reliability of its financial records, in the context of Web 3.0 it’s redefined. It’s a manifestation of the same thing, but given its decentralized nature, here it encapsulates the evaluation of decentralized systems, smart contracts, blockchain networks, and associated digital assets.

In an analogy, the financial processes, and records of a traditional company are those aspects that when monitored rightly constitute the company “secure”. In Web3, given the transparency of financial transactions and the fact that everything runs on code, a project’s security is, mainly, the security of its code.

Before delving deeper, it’s important to define and establish some core concepts that will help the reader connect the dots and understand the origins and implications of security in Web 3.0.

To begin with, the term Web 3.0 refers to the next generation of the internet, built on decentralized technologies such as blockchains. Unlike Web 2.0, where central authorities control data and services, Web 3.0 aims to empower individuals and promote peer-to-peer interactions.

At the core of it are distributed ledgers that record and verify transactions across a network of computers, also known as blockchains, providing transparency, immutability, and security by utilizing cryptographic algorithms. Users can interact with the new Internet through decentralized applications (dApps), which run on the blockchain and offer various functionalities, ranging from financial services to decentralized social networks [3].

For such interactions to happen, Web3.0 introduces the concept of digital wallets, accounts, and addresses, that is, digital tools that allow users to securely store and manage their blockchain-based assets, e.g. cryptocurrencies and non-fungible tokens (NFTs), while also enabling them to interact with dApps, sign transactions, and maintain control over their digital assets. More specifically, an account is an entity that has a balance and can send/receive transactions. It is similar to a bank account, just without the bank component. Accounts have addresses, much like a bank account has an IBAN address, that can be used for sending and receiving funds. Lastly, wallets are products that let users interact with their accounts, e.g. view balances, engage in transactions, store/view/sell NFTs, and more. Essentially, a wallet is a prerequisite for Web3 interactions acting as a unique identification number, access point, and balance simultaneously.

There are various types of wallets, but the main typology distinguishes between custodian/non-custodian wallet providers. On one hand, users can find custodian wallet providers of the likes of Binance and Coinbase, who essentially have pre-made wallets that get assigned to each new user. Centralized services make it easy for newcomers to interact with the Web3 industry, as an email and a password are usually enough to create an account with the respective platform, while in the case of forgetting your password, the provider can recover it for you, meaning that they can practically access your wallet at any given moment. Naturally, this seemingly easier process comes at the cost of one’s anonymity and lack of true ownership of assets, considering there is a centralized point of authority that decides what you’re eligible to do and what is out of reach, similar to traditional asset management institutions.

On the contrary, decentralized wallet providers value anonymity and decentralization, therefore, a different process is required to create/use/secure a decentralized wallet. Instead of registering with the usual mail and password procedure, decentralized wallet providers generate a wallet address that once created belongs to the wallet user only. Being decentralized first, such wallet providers have no custody whatsoever of the wallet and its contents, thus, the wallet owner is the one and true owner of the respective wallet. Ultimately, security comes down to two unique passwords (the seed phrase, and the private key), and only these can be used to recover one’s wallet or import it to another device and/or platform. Essentially, the person who owns these keys has truly exclusive access to the respective wallet, thus, safely storing these keys (preferably somewhere offline) becomes paramount [4].

Smart Contracts are self-executing agreements written in code that automatically execute predefined actions once specific conditions are met. They run on blockchain networks and eliminate the need for intermediaries in transactions. Smart contracts are transparent, immutable, and tamper-proof, as their execution and outcomes are recorded on the blockchain. Their native properties distinguish them from traditional legal contracts as they are a) decentralized, meaning that they operate on a distributed network rather than a central authority b) deterministic, ensuring that the same inputs will always produce the same outputs, and c) self-enforcing, as they automatically execute actions without the need for manual intervention.

Consequently, the implementation of smart contracts has enabled a wide range of applications, including decentralized finance (DeFi), supply-chain management, digital identities, and more. They streamline processes, reduce costs, and enhance trust among participants by removing intermediaries and enabling automated, trustless interactions [5].