- Hugh Brooks gave us a quick dive into web3 security.
- The CertiK director of security operations highlights the most vulnerable areas to attacks and how the industry can overcome the challenge.
- Brooks maintains an optimistic view of the web3 industry despite the challenges.
Web3 is described as a next-gen internet that prioritises user ownership, privacy and decentralised applications. The industry has emerged as one of the most exciting tech innovations of the past 15 years, starting with the invention of Bitcoin in the late 2000s.
However, just like any other web-based tech, the adoption of web3 has faced significant challenges related to security.
Last year, the world witnessed first-hand how breaches in top web3 companies can affect their ecosystems. Axie Infinity’s Ronin bridge breach in March was the biggest event of the year, with hackers stealing more than $600 million in ETH and USDC.
Crypto research firm Elliptic last August also revealed more than $100 million had been lost through NFT scams, while a lot more went down the drain through rug pulls.
Since then, web3 companies have tightened their security by introducing new tools to protect users from malicious actors. Last November, Yakoa, a web3 startup building NFT detection tool just raised $4.8 million from Collab+Currency, Volt Capital, Brevan Howard Digital and others to accelerate the development of its product.
In May 2022, NFT fraud prevention startup Tovera acquired the NFT fraud detection project SnifflesNFT for an undisclosed price. The acquisition will help Tovera combat forgery in the NFT space.
However, while companies may come up with the right technology to protect users from future crypto exploits, CertiK Director of Operations, High Brooks believes every stakeholder in the web3 ecosystem has a role to play. The users, web3 protocols and marketplaces, as well as, government agencies.
According to the CertiK website, the company has assessed more than $360 billion in market cap worth of companies, serving 3,881 clients in the process. During that time, it detected more than 60,000 vulnerabilities in the audited companies.
Some of the companies in CertiK’s client list include Fetch.ai, PancakeSwap, Polygon, Aave, Apecoin, Aptos, Crypto.com and The Sandbox, among others.
Here is what Brooks said in our latest Q&A.
Please tell us about your journey in cybersecurity and your role at CertiK.
I have worked in the security space for over 25 years, first as a U.S. Marine and then as an internationally recognized expert on cybersecurity, blockchain technology and security, and countering technology use by illicit actors. I have built and consulted on successful products in tech startups around the globe for over a decade, with multi-disciplinary experience in fields such as blockchain, social media, fintech, OSINT, big data, analytics, artificial and swarm intelligence, IoT, crypto, cybersecurity, and mobile security. I have co-authored the book Using Social Media for Global Security and various papers on technology, crime, terrorism, and extremism. I received my Master’s in Security Studies from Georgetown University and his BA from the University of Florida.
What are CertiK’s primary areas of assessment when performing an audit on a web3 product?
Our audits of Web3 projects differ depending on the needs of the client and the structure of the code and/or smart contracts to be audited. In general, however, they follow a similar process:
Environment Setup: CertiK sets up an environment tailored to the specific programming language and blockchain ecosystem in which the Web3 product operates. This ensures accurate and efficient code analysis.
Architecture Review: Auditors scrutinise the project’s architecture, including interactions between components, handling of external inputs, import of libraries, and adherence to coding standards. This understanding allows auditors to identify potential security vulnerabilities.
Threat Modelling: Based on the architecture review, a threat model is created to identify potential vulnerabilities and possible security threats. This provides a systematic approach for identifying and managing project-specific threats.
Static Analysis and Formal Verification: CertiK uses a suite of tools to perform static code analysis and formal verification. These tools can identify insecure code patterns and provide insight into the smart contracts.
Manual Review: While automated tools are powerful, they can’t catch everything. That’s why a critical part of CertiK’s audit process is a manual review, where experienced engineers scrutinise the code line by line.
Unit Testing: Where necessary, unit testing is incorporated to validate the proper execution of a project’s components in response to specific inputs, outputs, and edge cases.
Reporting and Remediation: After the audit, CertiK provides a detailed report of the findings and works with the client on remediation strategies to address identified vulnerabilities.
All these areas of assessment contribute to a comprehensive and thorough security audit, ensuring the highest level of scrutiny for each Web3 product audited by CertiK.
Is blockchain audit a preventive or corrective measure (or both), and how does it guarantee security to users?
Blockchain audits serve both as preventive and corrective measures. They are preventive in the sense that they help identify potential vulnerabilities or weaknesses in the project’s design, architecture, and source code before they can be exploited. This proactive approach can save projects from potential exploits, and by extension, save users from losing their assets or data.
As corrective measures, audits provide valuable insights into existing flaws and vulnerabilities that may have been overlooked during the development process. In response to an audit report, project developers can fix these issues, thereby improving the project’s security and reducing future risk.
However, while audits significantly enhance the security of a blockchain project, they cannot completely guarantee absolute security. As auditors, we cannot force clients to adopt the recommendations we make. This is why we make all audit reports publicly available, so users can see the details of vulnerabilities found and what mitigations have or have not been implemented. It’s also crucial for users to follow best security practices, such as keeping private keys secure and being aware of phishing scams, to protect their assets.
Would you say internet users are safer on web3 platforms than on web2? Please explain.
Web3 platforms offer some distinctive advantages when it comes to security and privacy. In the decentralized Web3 world, users typically have full control over their data, which contrasts sharply with the centralized Web2 model where large corporations control user data. Web3’s use of blockchain technology and cryptography allows for a higher degree of trustless security, where transactions can be verified without a centralized authority. This lessens the risk of a single point of failure, a characteristic flaw in many Web2 services.
However, with the increased control of data in Web3 comes an increased responsibility for users. In many Web3 platforms, if a user loses their private keys, they can lose access to their accounts or assets with no way to recover them, a riskless prevalent in Web2 environments.
Additionally, smart contract vulnerabilities have been exploited in Web3, leading to substantial losses. Because Web3 is still relatively new and rapidly evolving, there are still many unknowns, which in itself can be a risk.
Meanwhile, Web2 platforms have been around longer, are generally more user-friendly, and have well-established protocols for recovering lost data or accounts. However, they are susceptible to centralized data breaches, misuse of personal data, and censorship.
Therefore, the safety of users on Web3 versus Web2 depends largely on the context – whether control of data, susceptibility to centralized breaches, risk of smart contract exploits, or user error are being considered. And, as always, the user’s understanding of and ability to navigate these risks is crucial to their safety in either environment.
What segments of the web3 industry are more vulnerable to attacks and what can web3 companies do to reduce the threat?
In the Web3 industry, areas with complex and interdependent smart contract systems are often more susceptible to attacks. This complexity can inadvertently create security loopholes that may be exploited. Moreover, platforms that hold or transact large values, either in the form of crypto-assets or sensitive data, tend to be attractive targets for attackers.
To reduce the threat, Web3 companies should implement rigorous security practices. Regular, thorough audits are essential to identify and address vulnerabilities in smart contracts and other components. Additionally, these companies should foster a culture of security awareness, ensuring all team members understand the importance of security in their roles. Continuous monitoring, adoption of secure development practices, and proactive incident response are also critical in enhancing security and resilience against attacks.
Would you attribute much of the current crypto winter to crypto exploits or the collapse of major players like FTX? Please explain.
The factors contributing to a “crypto winter” can be multifaceted, and often it’s a combination of various elements, not solely tied to exploits or the collapse of major players.
Crypto exploits can have a significant impact on investor confidence and sentiment. High-profile exploits or hacks not only result in immediate financial loss but also foster scepticism about the security and reliability of blockchain technology, potentially cooling market sentiment.
However, market dynamics in the crypto space are also significantly influenced by macroeconomic factors, regulatory developments, and the broader technology market’s performance. The collapse or troubles faced by major players like FTX could indeed contribute to a market downturn if it leads to broader concerns about the stability and integrity of the market infrastructure.
While crypto exploits and issues with major players can contribute to a “crypto winter,” they are often part of a broader set of factors. It’s the combination of these elements, alongside the inherent volatility of the crypto market, that can lead to prolonged bearish periods.
Is the technology required to secure web3 already here or is there a need for more innovation in the sector?
The technology to secure Web3 is indeed here and has made significant strides over the past few years. We’ve seen the development of robust security practices, powerful auditing tools, and sophisticated mechanisms to protect against various types of attacks. However, the rapid pace of evolution in the Web3 space demands continuous innovation in security technology.
As new use cases, platforms, and technologies emerge within the Web3 ecosystem, so too do new security challenges. Moreover, threat actors are also evolving, using more sophisticated techniques to exploit vulnerabilities. To keep pace with these developments, we need ongoing research and innovation to anticipate potential threats and develop proactive measures to counteract them.
In addition, security is not just about technology, but also about awareness and education. The more users understand about Web3 security risks and best practices, the better equipped they will be to protect themselves.
What is your take on decentralised identities and their role in web3 security?
Decentralized identities (DIDs) are fundamental to the ethos of Web3 and have the potential to greatly enhance security and privacy for users. The central idea behind DIDs is that individuals should have control over their own identities rather than entrusting their personal information to centralized authorities, such as social media platforms, banks, or government institutions. This helps mitigate risks associated with data breaches, identity theft, and misuse of personal information.
However, with DIDs comes the challenge of managing and protecting these digital identities. In a decentralized system, individuals are responsible for securing their own private keys, which can be lost, stolen, or misused if not properly protected. This creates a new level of responsibility and potential vulnerability for users who might not be familiar with effective key management strategies.
How can government security agencies assist in protecting users from crypto exploits?
Self-regulation is the first step for the Web3 industry. This entails setting and adhering to high standards of security and ethical conduct, continuously improving security protocols, sharing information about threats, and fostering a culture of security. Blockchain companies should ensure they’re continually updating and improving their systems to stay ahead of potential threats. Regular audits, like those conducted by CertiK, can play a key role in this self-regulation process by identifying vulnerabilities before they can cause harm to users.
Nevertheless, self-regulation doesn’t mean working in isolation. It’s crucial that the industry also collaborates with government agencies where necessary. This collaboration can take many forms: working together to establish industry standards and best practices, coordinating responses to major security incidents, sharing threat intelligence, and providing input on relevant legislation and regulation.
Anything else related to recent events in web3 you would like to add?
One recent trend that is especially noteworthy is the rise of ‘rug pulls’ and exit scams in the DeFi and NFT spaces. These are malicious acts where project founders or developers abscond with users’ funds or assets, leaving them with worthless tokens. Such actions can damage the reputation of the wider blockchain and crypto community and make users more cautious about engaging with these technologies.
It’s crucial, therefore, that as an industry we strive to enhance transparency, accountability, and trust. This includes making concerted efforts to educate users about potential risks, implementing strong security measures, and conducting regular audits to uncover and address any potential vulnerabilities. At CertiK, we’re committed to doing our part by providing thorough, rigorous audits and helping to raise the standard of security across the industry.
Finally, I’d like to stress that while there may be challenges and setbacks along the way, the potential of web3 is tremendous. By working together to address these issues, I believe we can realize a future where digital assets and decentralized applications are as safe, secure, and trustworthy as they are innovative and transformative.
Stay up to date:
Subscribe to our newsletter using this link – we won’t spam!