In the midst of the bear market and regular hacks, it seems like barely a week goes by without a headline declaring ‘crypto chaos’ and the end of web3.
In the context of this market, it is more important than ever that the web3 security industry continues to hone the technologies and practices that contribute to a strong security posture.
This means seeking out methods beyond the existing tools of smart contract audits and blockchain analytics, to deploy testing that further mirrors the attack vectors projects face in the wild.
Audits will always be necessary to mitigate as a means of mitigating the majority of vulnerabilities through rigorous reviews and finding reports. However, there’s no escaping the fact that hackers are often one step ahead when it comes to primal knowledge of what's possible in terms of exploits after a project has launched.
This is partly a problem of success. As a radically new industry with a growing multitude of technologies and functionalities, web3 is expanding the ways individuals can interact, communicate and share value online. Yet this expansion inevitably brings with it novel vulnerabilities and attack vectors that hackers will seek to exploit. We see this most clearly in the development of recent technologies such as cross-chain bridges, and of course, the infamous flash loans– all new and innovative and complex technologies that have led to large losses.
Because of this, anyone claiming that their service provides the “be-all-and-end-all” of web3 security is at best naive, and at worst, has a severely limited view of the potential of web3 technology, and the possible ‘zero day’ vulnerabilities on the road to mass exploit.
In short, web3 is not singular, and neither should web3 security. Instead, the methods we use to detect and prevent attacks need to be as sophisticated as the hackers, end-to-end, and as varied as the ecosystem we strive to protect.
The advent of blockchain technology presented a radically new challenge for computer scientists and developers interested in cybersecurity. Just as consensus and the decentralization principles of blockchains offered an innovative resolution to many of the longstanding security concerns associated with Web2, it also brought with it an array of new vulnerabilities and attack vectors that had to be addressed if blockchains were to achieve their potential.
In today's web3 world of fast-paced, continuous integration and development, the principle and tools around end-to-end security are becoming more important. Security tools such as smart contract code audits, KYC verification of project owners and founders, and on-chain monitoring of threats - post-project launch - are now table stakes.
Yet, as hacks continue to proliferate, web3 projects must continue to seek out new and unconventional ways to protect against attack.
One of these methods is bug bounties, the process by which web3 projects offer rewards for so-called "ethical or white hat hackers" to find potential exploits before a malicious hacker does. This approach turns a security defense strategy on its head - fight fire with fire, man against man, not just man against machine (web3 security software).
Bug bounties are increasingly being used by web3 projects as a part of their security posture, a way of crowdsourcing the collective knowledge of the web3 community to secure its ecosystem. By enlisting a collective of diverse and separate individuals, it is a process that is especially suited for a technology that places such a large store in using wide networks and decentralization as a form of protection
This offers an advantage on two key fronts:
Firstly, it offers the best way to simulate an attack. When launching a project and opening it up to public scrutiny, it is suddenly under the glare of potentially millions of eyes, many of whom are now incentivized (through a bounty reward) to find a way to exploit it.
While end-to-end web3 security services are essential to detecting and preventing attacks, the sheer number of hackers working to find new vulnerabilities and ways to exploit them is hard to match.
By opening up a project to a wide network of ethical hackers and incentivizing them to seek out attack vectors, bug bounties provide a test environment that’s as close as possible to real life.
In this way, they function as a kind of vaccination for web3 projects. Just as vaccines work by simulating illnesses in the body, bug bounties work by inviting ethical hackers to try and break through a project's defenses in a controlled way, and consequently teach projects how to defend themselves in the future.
Secondly, in addition to aiding in simulating an attack, bug bounties also crowdsource one of the most vital factors at work in both the attack and defense of web3: human ingenuity.
The fact is, no matter how much technology or AI you throw at web3 security, the human element in both defense and attack is indispensable.
Those of us in web3 security understand that, while a useful tool, the technologies built to secure web3 are only as good as the imagination and creativity of the humans who design and apply them.
At the other end, of course, are the hackers themselves, who are able to imagine and adapt their attacks in ways that AI, or an inexperienced set of security professionals are not able to.
While bug bounties make a lot of sense as part of continuous security assessment, they have yet to be formalized as a tool within web3 security. Ultimately it is up to security vendors who offer this as part of their end-to-end security portfolio and the web3 security industry to take point on this and find the most effective way to deploy bug bounties as part of their offer. As the funds lost to exploits continue to mount, novel attack detection systems such as this cannot come soon enough.