I recently spoke with Andrew Beal, the spokesperson of Forta, on Web3 security, the rise in DeFi hacks, and where blockchain protocols are going wrong.
Q: Welcome, Andrew. Before getting into specifics, can you give us an overview of the Web3 industry’s security infrastructure?
Hey, thanks for having me.
So in terms of security infrastructure, let’s partition this discussion. There’s smart contract security, and there’s traditional Web 2 security, and teams need to invest in both.
I break smart contract security up into two buckets - pre-deployment security and post-deployment security. Before you deploy your smart contracts, you should leverage templates to the extent possible, and get multiple, independent code audits.
After you deploy, it’s common practice to put a bug bounty program in place to encourage white hats to identify vulnerabilities. The other two pillars of post-deployment security are real-time monitoring and alerting, and incident response. The Forta Network, for example, monitors on-chain activity in real-time for threats and anomalies, but there is a close relationship between the alerts emitted by Forta and the incident response function. Alerts are only helpful if teams can respond to them in a timely manner.
You also can’t forget about the Web 2 components - every project has to secure its website, email accounts, private keys, physical infrastructure, etc. A lot of hacks are the result of poor security practices in these areas.
We see a lack of understanding and an underinvestment from teams across the board. If you look at the data from Chainalysis, hackers stole $14 billion in 2021. In absolute numbers, losses rose by 79% from 2020. Now we think most of these attacks were preventable.
Q: Why do you say these Web3 attacks and hacks are preventable? Can you explain why some Web3 protocols fail to prevent these attacks in some instances?
First, a lot of hacks occur because teams aren’t following best practice with respect to their “Web 2 components” - private key management, account security, access controls, etc. There’s nothing Web 3 about these, and simply following best practice would have prevented them.
Second, there’s a misconception that most smart contract exploits are atomic - meaning they occur in a single block. Over 50% of exploits actually occur over several blocks. We can dissect the anatomy of a Web3 attack into four phases, known as the “kill chain”.
In the first stage (Funding), attackers gather funds to pay transaction fees for high-volume trades and accumulate collateral for loans. In the second stage (Preparation), attackers often deploy special smart contracts used to carry out the attack. In the third stage (Exploitation), hackers execute the attack by draining funds from smart contracts or users’ wallets. And finally, in the fourth stage (Money Laundering), attackers launder stolen proceeds through privacy protocols like Tornado Cash.
If you identify an exploit attempt early enough in the kill chain, you have an opportunity to prevent it. Today, the only means of prevention are either pausing the protocol, or frontrunning the malicious transaction. In the future, we expect there to be more mechanisms for incident response, which may include things like transaction simulations, and user and contract reputation systems.
Q: What is the modus operandi of Forta? How does Forta prevent Web3 attacks?
Forta is a decentralized network for monitoring, detecting, and alerting users about potential threats and anomalies. Forta monitors and protects over $36 billion across Ethereum, Polygon, Binance Smart Chain, Arbitrum, Optimism, Avalanche, and Fantom. We have a vast network of 12,000+ Scan Nodes executing over 1,000+ Detection Bots to monitor, alert, and prevent Web3 attacks.
There are two primary components to the Forta Network - bots and scan nodes. Bots are pieces of code that act like little virtual security cameras, monitoring something specific on-chain. Scan nodes are like the alarm system behind the scenes that run the bots against each block of transactions. If a bot finds what it’s looking for in a block, the node running that bot emits a public alert.
Forta’s role in attack prevention is to detect threats and other malicious activity as early as possible. By alerting our users as early as possible, they have an opportunity to take preventative action.
Q: Can you elaborate on some of Forta's techniques for preventing Web3 attacks? How are Forta’s monitoring systems different from other monitoring protocols in the market?
The Forta developer community has built bots leveraging a variety of techniques to monitor and detect threats. One of these techniques is Attack Simulation. The bot simulates an attack, mimicking the exploit transaction locally before it happens on-chain.
Another strategy used is Time Series Analysis, where Bots map historical data variance within a fixed time frame. This helps create a ‘normal range’ and bandwidth within which the data can fluctuate without generating any alerts. However, when the value deviates from the expected range, the bot generates an alert. Time series analysis provides efficient threat detection, as it can ignore routine spikes and variabilities.
More and more bots are also using data science and machine learning techniques. For example, our Anomalous Token Transfers Detection Bot uses the Isolation Forest ML algorithm to identify abnormal transaction activity for ERC-20 token transfers. Similarly, bots use the StackingClassifier to create clusters and label wallet addresses based on transaction activity.
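The time series analysis technique described in this answer, as an added illustration that is not Forta's own bot code: a sliding window over the preceding blocks builds a "normal range" (median plus or minus k times the median absolute deviation), and a block whose value leaves that band raises an alert. The per-block ERC-20 transfer volumes are constructed sample data, and the window size and k are assumed tuning parameters.

```python
from statistics import median
from typing import Dict, List, Tuple

# Constructed sample: total ERC-20 transfer volume (in tokens) observed per block.
# Blocks 10 and 15 carry routine spikes that should NOT alert; block 20 carries
# an abnormal spike that should.
SAMPLE_VOLUMES = [
    1000, 1100, 950, 1050, 1200, 980, 1020, 1150, 990, 1080,
    1300, 1010, 1120, 970, 1040, 1250, 1000, 1090, 960, 1030,
    25000, 1060,
]


def normal_range(window: List[float], k: float = 6.0) -> Tuple[float, float]:
    """Robust normal range for a history window: median +/- k * MAD.

    Median and MAD are used instead of mean and standard deviation so that a
    single routine spike inside the window neither widens the band (masking the
    next real anomaly) nor pulls the centre of the band away from typical values.
    """
    med = median(window)
    mad = median(abs(v - med) for v in window)
    # A perfectly flat window would give MAD == 0 and a zero-width band; keep a
    # tiny floor so that exactly repeated values do not alert on rounding noise.
    spread = max(mad, 1e-9 * max(abs(med), 1.0))
    return med - k * spread, med + k * spread


def detect_anomalies(values: List[float], window_size: int = 10,
                     k: float = 6.0) -> List[Dict[str, float]]:
    """Slide a fixed-size window over the series and alert when the current
    block's value leaves the range computed from the preceding blocks only
    (the current value never contributes to its own baseline)."""
    alerts: List[Dict[str, float]] = []
    for i in range(window_size, len(values)):
        low, high = normal_range(values[i - window_size:i], k)
        v = values[i]
        if v < low or v > high:
            alerts.append({"block": i, "value": v, "low": low, "high": high})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_VOLUMES):
        print(f"block {alert['block']}: volume {alert['value']} outside "
              f"[{alert['low']:.0f}, {alert['high']:.0f}]")
```

Because the baseline is the median, the 25000 spike at block 20 does not distort the band used for block 21, so the series returns to normal without a second alert.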
Q: How do you envision the future of Web3 security? Will Web3 attacks cease to exist with the emergence of security and monitoring networks?
The answer to your second question is no; attacks won’t go away. In fact, they will evolve and get more sophisticated over time. Our detection and prevention techniques will also improve. This is the nature of any adversarial environment. To your first question around the future of Web 3 security, I think it requires a combination of upfront prevention and real-time detection.
There are things we can do up front to identify bad actors and malicious transactions, such as requiring transactions above a certain dollar amount to be simulated before they are broadcast and included in a block. At some point in the future, I expect we’ll have better on-chain reputation systems for both users and EOAs, which should make it easier to identify suspicious actors and contracts. In conjunction with upfront prevention, teams should also be investing in real-time detection capabilities, because no matter how hard you try, you won’t be able to prevent every single attack.