Web3 Security Distilled 2.0

The problem of security has recently become very urgent due to the enormous number of hacks and security incidents in the Web3 sphere.

Everyone has very different ideas and suggestions on this topic, so we will only attempt to describe a portion of them today. Therefore, below you will see not a typical article but a systematization of knowledge (SoK)!

How long are you in cybersecurity? Please tell me a bit about yourself and your experience in this questionnaire that I put together with my friends!

So, what are the chances of enhancing current techniques with additional security, and how precisely is the security of the protocol formed in terms of audit and logic? We also encourage you to read our earlier article, which contains a wealth of auditors’ and developers’ useful advice:

Web3 Audits, Bug-Bounties, CTFs: Introduction

Blockchain technology has garnered significant attention in various industries for its ability to provide transparency, security, and immutability to data. With it, security issues in Web3 are new and distinct from those in Web2. So, what are the main problems with Web3 audits today?

In the beginning, I would like to express my heartfelt gratitude to the Web3 Security builders, community, bug-bounty hunters, everyone who supports its vibes and the authors of all resource materials!

This time, I will be drawing on the work of other authors, which, of course, I will let you know. In my previous article, I tried to highlight a few basic flaws, but I still missed some crucial ones. Much thanks to the author of the following article for some of the inspiration I received for the present article:

But I would like to raise another important point. Logically, cybersecurity must be considered on every level of project development — with contests on the guard at the initial stage, followed by audits, and then bug bounties — at the final stage. No doubt, a new generation of cybersecurity products are already on the way that will cover all these aspects in one user-friendly interface.

Certain layers of the web3 security stack remain underutilized, which will most likely change as the industry matures. DeFi projects, in particular, may begin to broaden the scope of security activities to include proactive threat monitoring and response, as well as automated risk management (rather than focusing solely on vulnerability assessments).

All this leads us to the idea that in the end it will be important for the project to have multiple levels of protection — several audits from different companies and several bug-bounty programs on platforms with different features:


Web3 Audits: Curse or Blessing?

The massive number of hacks and security incidents in the Web3 sphere, as I previously stated, have made the issue of security extremely urgent.

Everyone has very different ideas and suggestions on this topic… With all said, there are a couple of major strategies. Web3 projects typically hire companies to audit their smart contract code and review the project to provide a stamp of approval.

Another approach, which is often used in conjunction, is to establish a bug bounty program that provides incentives for benign hackers to use their skills to identify vulnerabilities before malicious hackers do.

There are major issues with both approaches. — CT

Complexities and vulnerabilities are brought about by the existence of multiple dependencies, including oracles, blockchain networks, and hosting services, as well as the lack of centralized governance. It is more difficult to identify and mitigate these particular security threats without a standardized security framework.

For example, what if the project refuses to pay a white-hat payout? Can bug-bounty platform do something? Surprisingly, but in the old-fashioned platforms it is real, in part, so — to raise confidence in the eyes of bug-bounty hunters and were created new sites where the payment is provided initially that creates a sense of trust. However, this can be dealt with, for example, by publicity: bug-bounty-wall-of-shame.github.io — officercia.eth

Nowadays, in my opinion, the ability to effectively inform clients of the specifics and status of an audit is seriously lacking in traditional auditing firms. Clients are often unaware of the precise steps taken during the audit or the process’s current status as a result of this lack of transparency. This lack of visibility consequently leads to a variety of problems.

It hurts me to see some protocols paying for audits for marketing purposes rather than security. — gogo (@gogotheauditor) May 17, 2023

Comprehensive audits are frequently unaffordable for startups due to traditional auditing firms’ high service fees. These costs are typically determined by the project’s complexity and scope, as well as by the auditing firm’s standing and size. There is also such an awesome thing as a skin-in-the-game auditing mechanism.

I highly recommend that you read the following study, which in my opinion is the most revealing of aspects of the changes in the sphere in 2022–23:

One may even state that existing solutions like manual audits, static analysis, and fuzz testing lack mathematical soundness and scalability…

As you now know, there isn’t a single button or service that will solve all security issues, but there are things we can work toward. At the same time, there have already been dozens of vulnerabilities discovered using Web3 bug-bounty platforms! That said, Web3 bug-bounty programs also can be (and they actually are) an effective way to incentivize the identification and reporting of vulnerabilities in blockchain protocols and decentralized applications.

Today we’ll continue our discussion of the issues with current audits’ state by explaining why q/a in Web3 is totally impossible and how to enhance current solutions while preserving a balance between the client, the customer, and the bug-bounty platform.

We hope you will enjoy our highly stoichiometric discussion today because I’ll also be letting you know about a promising project called Remedy!

Additional layer of protection — Bug-Bounty Programs

Web3 security is still developing, as shown by projects’ emphasis on pre-launch audits and the low adoption of DevSecOps best practices. However, I believe that adoption of the tooling covered in this article will rise as product teams in web3 start creating with a security-first mindset.

As Mudit Gupta so aptly noted in his recent EthCC talk, nothing is truly secure. It makes sense to add a bug bounty program as an additional security measure because you need as many eyes as possible on your code. By doing this, you encourage numerous security researchers with a range of skill sets to bug-proof your project.

How long are you in cybersecurity? Please tell me a bit about yourself and your experience in this questionnaire that I put together with my friends!

Back on topic, depending on the project or platform that is offering the reward, the specifics of web3 bounty programs can change. Web3 bounties often function by giving contributors access to web3 projects that require their expertise. Contributors can then use this access to find defects in the web3 project, fix them, or add new features. Once their contribution has been approved by the project management team, they will be rewarded.

While some web3 bounty programs reward bug finders with money, others might place more of an emphasis on more imaginative incentives, such as public notoriety or first access to web3 goods or services. Web3 bounties are a fantastic method for web3 developers to get active in the Web3 community and make additional money, regardless of the sort of award.

According to Readme Security, bug bounty rewards in Web3 have reached blisteringly high numbers. When used properly, bug bounties give members of the hacker community incentive to inspect your code for critical flaws. A useful strategy is to set the payout of a bug bounty program in proportion to the amount of funds at stake. Described as the “scaling bug bounty(opens in a new tab)↗”, this approach provides financial incentives for individuals to responsibly disclose vulnerabilities instead of exploiting them.

In conclusion, Web3 bounty platforms are the ideal place to start whether you’re a web3 developer searching for new challenges or simply want to support open-source projects. There may be literally no better way to find bugs than to expose interfaces to the general public. When attackers and defenders have access to the same information, it levels the playing field in a way that sharpens focus on prevention instead of response. That would allow our industry to address systemic weaknesses over time.

Six Stages of Securing Your Smart Contract —by Orb

  • Research: what infrastructure to use, discuss how to design and correctly implement the smart contracts, and document;

  • Develop: Developers implement research and write the system’s code;

  • Test: Testing software to find bugs, problems, and improvement areas;

  • Deploy: Deploying software onto main-net for production;

  • Monitor: Developers evaluate and modify the system to ensure it performs its intended functions;

  • Incident Response: The acting stage involves monitoring and reacting to a bug report or an ongoing exploit.

Having these different stages allows you to approach the security of your smart contracts effectively while also focusing on other parts of the building process. From myself, I would add another stage:

  • A proper, fully automated bug-bounty: This part involves extensive work with the codebase, documentation, and community outreach.

Overall, Web3 represents a paradigm shift in the way we think about the internet. By prioritizing decentralization, trust, and user empowerment, it aims to create a more open, inclusive, and equitable digital ecosystem that aligns with the original vision of the internet. In my opinion, we must follow the same paradigm in our approach to Web3 security and Web3 Bug Bounty!

Remedy: the Ultimate Web3 Security Ecosystem

The next generation of Web3 security platforms will go beyond current limited solutions, applying advanced tools and technologies and providing superior usability to all industry players. My good friends are about to launch a promising web3 cybersecurity project, which in my opinion will be the ultimate game changer for the whole industry. They intend to revolutionize the project’s cybersecurity lifecycle and become a one-stop point for assets and data protection.

Uniting over 13 years of web2 and web3 expertise, the team is strategically positioned to address decentralized security issues. They seek to promote innovation and strengthen security practices through cutting-edge tools and training. They also take aim at the root issues undermining the industry by enhancing transparency, raising standards, and offering advice.

While details are not yet publicly disclosed, the vision seems impactful to me from insights shared so far. The team demonstrates a deep understanding of the most pressing pain points around security that developers and users face today. Their solutions could provide a welcome relief from those fronts — officercia.eth

This crucial effort adopts a broad perspective. Their objective is to build a thorough security ecosystem that will strengthen protection across web3 and increase its scaleability. It is clear that the team is passionate about meaningfully enhancing security and giving back to the community. It will be exciting to follow this project’s work transforming and elevating security practices across the evolving web3 landscape. Their ambition and expertise inspire optimism about progress.

So that, I’d like to invite you to monitor their Twitter, Telegram & Discord for updates as the project develops. A stronger, safer web3 that lives up to its full potential will rely on efforts like this one:

Thank you!

By the way, there are some vacant slots now so if your project needs an audit — feel free to write to us, visit our public reports page here!

Support is very important to me, with it I can do what I love — educating users!

If you want to support my work, you can send me a donation to the address:

Stay safe!

Subscribe to Officer's Blog
Receive the latest updates directly to your inbox.
Mint this entry as an NFT to add it to your collection.
This entry has been permanently stored onchain and signed by its creator.