Hack3d Unpacked: Current Trends and What They Mean for the Future of Web3

Written by ronghuigu | Published 2022/07/26
Tech Story Tags: web3 | security | crypto | celsius-network | nft | security-audit | flash-loan | rugpulls


CertiK released its Q2 report on the 7th of July, after what by all accounts has been a devastating quarter for the web3 ecosystem. With the persistent bear market, the Luna/Terra collapse, and the failures of Three Arrows Capital and Celsius, Q2 of 2022 will certainly be remembered as a pivotal moment for web3. 
In understanding the state of the web3 space, our Q2 report provides a useful lens through which we can see some of the underlying trends in web3 security. Time and again, our data shows how web3 security breaches and vulnerabilities are often the level at which the wider trends in crypto reveal themselves, and because of this, it provides vital insight into where the space is headed, and the problems it will have to resolve for it to progress.
To that end, this article will spotlight three of the key takeaways from our quarterly report, and unpack their implications for the future of web3. 

Social Media is Becoming The “Achilles Heel” of Web3

For all the negative press around the security vulnerabilities of web3, the growing trend of phishing attacks shows how, often, it is web3’s reliance on web2 technologies that is to blame rather than an inherent flaw in web3 itself. 
The fact is, one of the primary weaknesses of web3 technology is its overreliance on web2 infrastructures. This includes NFT marketplaces, wallets, and yes, social media platforms, all of which provide hackable points of entry into otherwise secure web3 technologies. 
Frustratingly, this trend is getting worse. Our data recorded 290 phishing attacks in Q2, an increase of over 170% when compared with the 106 recorded in Q1 of 2022.
That so many of these attacks targeted projects' Discord servers highlights both the dependence of NFT projects on the platform for marketing and connecting with their audiences, and the huge security risks that this dependence entails. 
What is frustrating about these hacks from a web3 security perspective is that the attackers are deploying the tried and tested tricks of web2, exploiting centralization and human error as a starting point, and then using that foothold to make lateral moves into web3 in turn. 
This trend sheds light on the two conflicting narratives in web3. One in which blockchains are lauded as the most secure way to store and share data; and another that describes the so-called “wild west” of crypto, with vast amounts of money and assets being lost to theft or fraud every year. The data reconciles these two narratives by showing how, often, it is web3’s reliance on the increasingly outmoded web2 infrastructure that is responsible for web3’s bad reputation. 
In this we see how the future of a secure and stable web3 relies on projects repairing their fraught relationships with many of the outmoded and vulnerable infrastructures of web2. This does not necessarily mean leaving the technologies behind altogether, but instead finding a way to continue to interact with them without the vulnerabilities that they currently come with.  
This is important not only for the security of individual projects, but also for the wider adoption of web3 technologies as a whole. Indeed, the prevalence of phishing attacks suggests that much of web3’s negative reputation as a digital ‘wild west’ arises from the points where it relies on web2. This drives home how web3 security depends on it moving further away from, rather than returning to, the centralized practices of its predecessors. 

Uptick in Attacks Shows How Flashloans Continue to be a Sticking Point

Of course, phishing attacks are not the only thing to blame for the concerns around web3 security. Our data also shows an increase in an attack vector that is native to web3: flashloan attacks. 
With a total of $308,579,156 lost as a result of flashloan attacks, Q2 saw the highest amount lost to flashloan attacks ever recorded.
To put this number in perspective, this marks an over 2000% increase from the previous quarter.
It is important to note that these numbers have been significantly skewed by the biggest flashloan attack on record, in which Beanstalk Farms lost $182 Million in an attack that accounts for 59% of the total amount lost across the whole quarter. However, even without the Beanstalk Farms hack, Q2 has still been a far more devastating quarter than Q1 for flashloan attacks. Indeed, taken together, these numbers show not only that flashloan attacks are becoming more common, but that they are also potentially becoming more lucrative. 
Using Q1 and Q2 as baselines, we can forecast nearly $656M in losses to flashloan attacks, which is a 78% increase in loss over the previous year. 
Preventing this will require projects across the web3 ecosystem to take a more proactive approach to their security. In practice, this means deploying the full stack of web3 security tools available, from regular and thorough smart contract audits, to blockchain analytics tools that help projects stay on top of suspicious activity. 
Alongside this, there is also a pressing need for the web3 security industry to continue to hone and develop tools that help prevent flashloan attacks, and equip projects with the detection tools they need to stay secure. Flashloan attacks are a broad and growing category in which we see hackers continually finding new ways of leveraging flashloans to exploit vulnerabilities. Because of this, web3 security companies need to be even more adaptable than the hackers in imagining new attack vectors and detecting vulnerabilities, so that they can remedy them before they are exploited. 

The Numbers Don’t Lie: 2022 is Already The Most Expensive Year for Web3 Ever

Our data shows how over $2 Billion has been lost in Q1 and Q2 alone, meaning that 2022 has already lost more to hacks and exploits than the entirety of 2021. 
This staggering figure means that 2022 is already the most expensive year for web3 by far. If these numbers continue, this year is set to see a 223% increase in the funds lost to attacks when compared with 2021. 
These are dire figures, yet they should serve as a rallying cry for everyone serious about the future of blockchain technology to press harder in creating a secure web3 ecosystem. 
On top of the vital tools of smart contract audits and blockchain analytics tools that have already been mentioned, the future of web3 security lies in the better implementation of decentralized practices both at the technological level, and at the level of team organization. 
Rugpulls and phishing attacks in particular often occur as a result of centralization and single points of failure that allow both hackers and bad-faith founders to quickly make off with a project’s funds. Whilst some centralization may inevitably be required of some web3 projects, the risks can be curbed by fostering practices of decentralization around these centralized points. In practice, this includes measures such as introducing multi-sig authentication around any account with access to privileged controls, and revoking access to these accounts after each use. 
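To make the two recommendations above concrete (multi-sig gating of privileged controls, and revoking access after each use), here is an added illustration in Solidity. It is not code from the CertiK report or from any project it mentions, and the contract names, the `multisig` address (assumed to be an existing M-of-N multisig wallet contract deployed by the team) and the single-use "operator ticket" scheme are all assumptions made for this example. The first contract shows the weak setting, a single key with permanent control; the second shows the hardened setting.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Weak setting (hypothetical): one externally owned account holds permanent,
// unrestricted control. A single phished key, or a bad-faith founder, can
// drain the treasury in one transaction.
contract SingleOwnerVault {
    address public owner;

    constructor() { owner = msg.sender; }

    function sweepTreasury(address payable to) external {
        require(msg.sender == owner, "not owner");
        to.transfer(address(this).balance);
    }

    receive() external payable {}
}

// Hardened setting (hypothetical): privileged controls sit behind a multisig
// address. The multisig never runs day-to-day operations itself; it grants a
// bounded number of uses to an operator key, and that access is revoked
// automatically once the uses are consumed.
contract MultisigGatedVault {
    address public immutable multisig; // assumed M-of-N multisig wallet contract

    // operator => number of privileged calls still permitted (0 = no access)
    mapping(address => uint256) public remainingUses;

    event OperatorGranted(address indexed operator, uint256 uses);
    event OperatorRevoked(address indexed operator);
    event TreasurySwept(address indexed operator, address indexed to, uint256 amount);

    modifier onlyMultisig() {
        require(msg.sender == multisig, "caller is not the multisig");
        _;
    }

    // Consumes one use per call and revokes the operator when none remain.
    modifier onlyOperator() {
        require(remainingUses[msg.sender] > 0, "no operator access");
        remainingUses[msg.sender] -= 1;
        if (remainingUses[msg.sender] == 0) {
            emit OperatorRevoked(msg.sender);
        }
        _;
    }

    constructor(address multisig_) {
        require(multisig_ != address(0), "zero multisig");
        multisig = multisig_;
    }

    // Only the multisig (i.e. M-of-N signers) can hand out a bounded number of uses.
    function grantOperator(address operator, uint256 uses) external onlyMultisig {
        require(operator != address(0), "zero operator");
        require(uses > 0, "uses must be positive");
        remainingUses[operator] = uses;
        emit OperatorGranted(operator, uses);
    }

    // The multisig can also revoke early if an operator key is suspected compromised.
    function revokeOperator(address operator) external onlyMultisig {
        remainingUses[operator] = 0;
        emit OperatorRevoked(operator);
    }

    // Privileged action. Granted with uses == 1 this is a single-use ticket, so an
    // operator key stolen after the ticket is spent gives an attacker nothing.
    function sweepTreasury(address payable to, uint256 amount) external onlyOperator {
        require(to != address(0), "zero recipient");
        require(amount <= address(this).balance, "insufficient balance");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "transfer failed");
        emit TreasurySwept(msg.sender, to, amount);
    }

    receive() external payable {}
}
```

In the hardened version the sensitive decision (who may act, and how many times) always requires the multisig quorum, while the hot operator key that actually signs the routine transaction carries only the access it needs for that one action. The emitted events give a monitoring or blockchain-analytics tool a clean signal for every grant, revoke and sweep, which is the kind of suspicious-activity tracking the report recommends.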
Furthermore, projects should foster cultures of transparency and accountability around their teams. Not only does this increase investor trust in the authenticity of a project, it also works to improve the perception of web3 as a whole. Indeed, rugpulls and exit scams are a large part of web3’s negative reputation and, whilst rugpulls are in fact down by 42% from last quarter (likely a result of the more ‘weathered’ investors braving the bear market), they still continue to be one of the most popular forms of attack. 

Saving The Web3 Ecosystem

Our report provides context for the storm that web3 is currently weathering. Yet, ultimately a security report can only diagnose a problem and provide advice on how to proceed; it is down to the individuals committed to the future of web3 to take the necessary steps to make the change. If there is one thing that recent events have shown, it is that the stability of individual web3 projects is inextricably linked to the stability of web3 as a whole. Because of this, securing the web3 ecosystem will always be a collective effort. No one can say for sure when the current bear market will end, but what is clear is that it will be the projects that treat their security as a priority now that put themselves in the best position to flourish when the market improves, and ensure they play an active role in achieving mass adoption. 

Written by ronghuigu | Professor Gu is the Tang Family Assistant Professor of Computer Science at Columbia University and Co-Founder of CertiK.
Published by HackerNoon on 2022/07/26