Why Is Web3 Security Such a Garbage Fire? Let Us Count the Ways

LAS VEGAS—So-called Web3 ventures have suffered enough meltdowns to keep an entire site (“Web3 is going just great(Opens in a new window)“) busy chronicling them in multiple posts per day. But what has made this category of sites providing cryptocurrency and other services based on blockchain technology seem so snakebit?

A briefing at the Black Hat information-security conference here outlined common aspects to recent high-profile Web3 hacks that have resulted in the theft of hundreds of millions of dollars’ worth of cryptocurrencies. The single biggest factor: how quickly an attacker can turn a vulnerability into money.

“Simple mistakes can have immediate and devastating consequences,” said Nathan Hamiel, senior director of research at Kudelski Security(Opens in a new window). “Gone In 60 Seconds isn’t just a terrible Nicolas Cage movie, it’s also what happens to all your money.”

It doesn’t help, Hamiel continued, that so many Web3 developers lack experience and are building on new platforms in public view. And Web3 apps that bridge different blockchains and such competing cryptocurrencies as Ethereum and Solana or integrate self-executing “smart contract” blockchain apps get especially complex. 

“Each of these components expands your attack surface,” he said. 

And while it might be tempting to point and laugh, Hamiel urged security professionals to pay attention because of the possible collateral damage, the high bug bounties now offered (in May, blockchain bridge service Wormhole paid $10 million for a vulnerability disclosure(Opens in a new window)), and the risk of nation-state attackers using these ill-gotten gains to underwrite hostile real-world activities.

Hamiel then walked the audience through four recent Web3 hacks.

• A developer for Nomad Bridge, another cross-chain service, mistakenly had a value initialized to zero, which resulted in the bypass of message authorization and the loss of some $190 million in tokens(Opens in a new window). Meaning: “All you had to do was capture a successful transaction, replace the wallet address, and broadcast it on the network.”

• Cryptocurrency wallet service Slope Wallet enabled verbose logging in a mobile application, which resulted in the private keys and mnemonics of wallet holders being synced to a cloud service, after which thieves made off with about $4.5 million(Opens in a new window) in Solana tokens. And, Hamiel noted, the developers hadn’t used the verbose logs for debugging or analysis: “They were collecting all of this verbose information and they didn’t even look at it.” 

• Ronin Network, an Ethereum “sidechain” for the Axie Infinity play-to-earn game, had a developer fall prey to an involved spear-phishing attack in which he was sent a fake offer letter as an attached file. That allowed the attackers–apparently the North Korean-linked Lazarus hacking group–to take over a majority of Ronin’s nine “validator” nodes and steal about $622 million in Ethereum and USD Coin, the largest cryptocurrency heist to date. Ronin noticed this six days later.

• An Ethereum-based protocol called Beanstalk got taken over when an attacker took out a flash loan to buy a controlling stake in this “distributed autonomous organization” and vote to send themself $182 million(Opens in a new window). Hamiel noted that the attacker’s use of an emergency protocol required him to wait for 24 hours to get the proceeds, but still nobody noticed. 

An immature approach to security runs through so many of these stories, Hamiel said. Web3 operations don’t hire security experts, they try to build trust by making their code immutable as an entry in a blockchain and therefore unpatchable. They don’t engage in basic risk mitigation like placing limits on funds transfers, or they think a one-time security audit will square things away.

In fewer words, it’s a lack of imagination, a fundamental part of proper threat modeling. Said Hamiel: “These projects aren’t doing the most basic things like asking what happens when something goes wrong.”