Charting The Web3 Security Landscape
In web3, no issue gets as much attention as security—across blog posts, Twitter threads, and podcasts, everyone has different opinions on how to make web3 safe. But many conversations miss an important point: web3 security is mostly immature, not inherently broken.
Perhaps the numbers tell a different story (over $12 billion lost to crypto theft), but this is inevitable where high-value applications use open-source codebases and operate on public blockchains. Not only do attackers have enough time to inspect contract code for vulnerabilities, but the irreversibility and pseudonymity of transactions stunt traditional incident response mechanisms.
This doesn’t mean the problem of web3 security is intractable, though. In fact, we have witnessed the influx of new, cutting-edge solutions designed to safeguard the web3 ecosystem against different security threats. These include tooling for detecting and mitigating code vulnerabilities, proactively monitoring and responding to attacks, increasing transaction security, and many more.
In this post, we discuss various components of the emerging web3 security stack for the benefit of readers. Are you a web3 developer, investor, C-suite executive, or an end-user? Reading this article can inform your decision to invest in web3 security solutions that provide additional safety from malicious actors.
Defining the web3 security stack
The web3 security stack refers to various services and tools that protect crypto applications and organizations (and their users/customers) against malicious attacks. As highlighted in The State of Crypto Security, such attacks exploit defects in smart contract programming languages, business logic errors, and compromised infrastructure (among others).
At a high level, the web3 security landscape is (currently) made up of the following verticals:
- Smart contract audit services
- Formal verification
- Crowdsourced security (bug bounties and audit contests)
- Threat monitoring and incident response
- Blockchain forensics (KYC + AML)
- Protocol risk management
- User security
In subsequent sections, we’ll briefly describe each category and highlight how services and tools in those categories contribute to the objective of improving web3 security.
Note that the Diligence Security Tooling Guide covers the topic to an extent, but our analysis here is more comprehensive and covers new categories.
Smart contract audit services
Audits are independent assessments of a project’s smart contract systems to help improve overall security. Smart contract companies, like ConsenSys Diligence, often combine manual code reviews and automated vulnerability scanning to analyze contract code for potential attack vectors.
Audits typically conclude with clients receiving a report containing auditors’ observations about the system’s security. In many cases, an audit report will highlight security issues found while inspecting the project’s codebase and make recommendations for fixing such issues before launching an application for public use.
While manual inspection of contract code by expert auditors is beneficial, it can be difficult to scale—forcing projects to endure long delays before deploying to mainnet. However, more audit companies are now applying their expertise to developing proprietary and open-source software designed for automatic vulnerability detection. Such tools can be used by development teams to aid testing and ensure auditors are free to focus on errors missed during automated testing.
For example, Diligence offers a suite of automated testing tools including symbolic execution (Mythril), static analysis (Surya) and greybox fuzzing (Diligence Fuzzing). Similarly, Trail of Bits offers Echidna (property-based fuzzing), Slither (static analysis), and Manticore (symbolic execution). Pwned No More (a team of web3 security auditors) is also working on an automated fuzzing engine that uses artificial intelligence to optimize code analysis.
Formal verification
Audits can discover errors in a smart contract that may cause incorrect behavior at runtime, but they cannot prove a smart contract will always execute correctly. However, formal verification can prove a smart contract adheres to the specifications provided and provides stronger guarantees of a protocol’s security and reliability.
Formal verification requires translating a smart contract’s code into an abstract mathematical representation (called a formal model) and creating a formal specification that describes the contract’s desired behaviors. Using techniques like automated theorem proving and model checking, formal verification engineers can check if the formal model of a contract matches the specification (deriving mathematical proof of a contract’s correctness).
Companies that offer formal verification services for smart contracts include Runtime Verification, ConsenSys Diligence, and Veridise. Adoption of automated verification tools is also growing. For example, Certora allows developers to create contract-related assertions using the Certora Verification Language (CVL) and formally prove those assertions using Certora’s proprietary formal verification tool. (Scribble—another offering from Diligence—provides similar functionality.)
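The workflow described above (a formal model, a specification, and a model checker comparing the two), as an added example that is not taken from any tool or company named in this post. The two-account token model and the names `transfer_ok`, `transfer_buggy`, `supply_conserved` and `check` are constructed for illustration; the checker is a plain explicit-state search, not a production verifier.

```python
from collections import deque
from itertools import product

ACCOUNTS = ("alice", "bob")  # constructed toy model, not a real contract
MAX_AMOUNT = 3               # bound on the transfer amounts explored
SUPPLY = 3

def transfer_ok(bal, src, dst, amt):
    """Formal model of a correct transfer; None models a revert."""
    if bal[src] < amt:
        return None
    new = dict(bal)
    new[src] -= amt
    new[dst] += amt
    return new

def transfer_buggy(bal, src, dst, amt):
    """Model with a defect: both writes use the pre-transfer balances."""
    if bal[src] < amt:
        return None
    new = dict(bal)
    new[src] = bal[src] - amt
    new[dst] = bal[dst] + amt  # if src == dst this overwrites the debit
    return new

def supply_conserved(bal):
    """Specification: the sum of balances always equals the total supply."""
    return sum(bal.values()) == SUPPLY

def check(transfer, initial, invariant):
    """Explore every reachable state breadth-first. Returns None if the
    invariant holds in all of them, else the shortest violating call trace."""
    seen = {tuple(sorted(initial.items()))}
    queue = deque([(initial, [])])
    while queue:
        bal, trace = queue.popleft()
        if not invariant(bal):
            return trace
        calls = product(ACCOUNTS, ACCOUNTS, range(1, MAX_AMOUNT + 1))
        for src, dst, amt in calls:
            nxt = transfer(bal, src, dst, amt)
            key = None if nxt is None else tuple(sorted(nxt.items()))
            if nxt is not None and key not in seen:
                seen.add(key)
                queue.append((nxt, trace + [(src, dst, amt)]))
    return None

INITIAL = {"alice": SUPPLY, "bob": 0}
```

For the correct model the search visits all four reachable states and returns `None`; for the buggy model it returns the shortest counterexample, a single self-transfer that mints tokens.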
Crowdsourced security (bug bounties and audit contests)
Crowdsourced security can refer to many things—for example, it could mean inviting a large group of people (i.e., a “crowd”) to test mission-critical systems for hidden vulnerabilities. It can also refer to incentivizing third parties to responsibly disclose security issues discovered in an application to developers.
Crowdsourced security in web3 takes the form of bug bounty programs and audit contests. While each type of program has some distinctions, they usually revolve around the same goal of harnessing communities to collectively secure applications. For example, bug bounties reward security researchers (monetarily) for finding bugs in smart contracts—with rewards increasing according to the severity of disclosed vulnerabilities.
Immunefi is perhaps the most dominant player in the space and has recently raised funding to expand its service offerings (beyond the usual: hosting bug bounties and providing triaging/consultation services). Hackenproof, HackerOne, and Bugcrowd are other bug bounty platforms incentivizing whitehat hackers to assist project teams in detecting vulnerabilities and averting costly exploits.
Code4rena and Secure3 offer an alternative to traditional audits by coordinating audit contests. Although highly experimental, audit contests provide some benefits like lower wait times and access to a diverse network of security experts. Other platforms like Sherlock are combining decentralized auditing and insurance coverage to create a more compelling business proposition for clients.
Threat monitoring and incident response
Due to the nature of public blockchains (censorship-resistant and decentralized), web3 applications cannot rely on traditional methods of detecting and preventing attacks. For instance, developers cannot restrict individuals (even high-risk types) from interacting with on-chain applications, freeze/reverse malicious user operations, or take servers offline.
The only alternative is to invest in solutions for gathering information about attacks before they happen, and quickly respond to mitigate losses for users. Proactive threat prevention in web3 deserves a post of its own, but it suffices to say threat detection and emergency response services are highly valuable for developers building with a security-first mindset.
Forta incentivizes bot operators to monitor on-chain activity for high-risk transactions that can negatively impact protocols’ security. Tenderly Alerts is another monitoring service that alerts users to suspicious operations involving certain smart contracts and wallet addresses.
The OpenZeppelin Defender suite also provides incident response tooling for web3 project teams. This includes integrations with multisig wallet infrastructure and a private relayer service to streamline approval and execution of emergency actions (e.g., pausing a protocol).
Interestingly, some companies are integrating artificial intelligence and machine learning (AI/ML) to provide advanced smart contract monitoring services. Forta, which we described earlier, is one startup pursuing this route—the same as Cyvers and Hypernative. In these cases, trained AI models can analyze data from a variety of on- and off-chain sources to detect anomalies in real time and assist teams in reacting to attacks and preventing exploits before they happen.
Interlude: On the limitations of proactive threat monitoring
Although proactive threat monitoring is useful, it may not always be enough to prevent or mitigate attacks for different reasons. For example, deploying an upgrade or pausing your protocol may require extensive deliberation and approval by a DAO. This would inevitably slow your team’s response times, more so if executing defensive actions involves coordinating team members located in different timezones.
Additionally, past efforts to prevent hacks often benefit from public visibility into Ethereum’s mempool (which allows teams to frontrun exploit transactions). However, growing adoption of transaction privacy mechanisms (e.g., Flashbots) will likely reduce the effectiveness of this tactic in the future.
Blockchain forensics (KYC + AML)
Blockchain forensics companies provide resources for analyzing blockchain data and detecting financial crime involving cryptocurrencies. Common use cases include tracing the flow of funds after crypto hacks and scams or de-anonymizing criminal actors (by linking addresses to real-world identities). Blockchain forensics companies also assist DeFi protocols in recovering stolen funds before they’re laundered through exchanges and mixers.
Elliptic, Chainalysis, and CipherTrace (owned by payments giant MasterCard) are the best-known examples of blockchain analytics firms. Merkle Science, which raised seed funding earlier this year, and TRM Labs are also other players in the industry.
Blockchain forensics also plays a key role in reducing entry barriers for traditional finance (TradFi) institutions who have historically avoided DeFi due to compliance issues. With deep insights into cryptocurrency transactions and user profiles—provided by blockchain analytics tools—businesses can easily monitor and restrict activities that run afoul of anti-money laundering (AML) regulations. Some examples:
- “Know Your Token” (KYT): Solidus Labs provides compliance services for crypto companies and recently acquired TokenSniffer as part of a recent expansion. The firm now enables centralized exchanges and TradFi institutions to detect scam contracts and prevent interactions with blacklisted tokens using its proprietary technology.
- “Know Your Wallet” (KYW): Blockchain analytics firms like Coinfirm, TRM Labs, and AnChain help companies inspect and block transactions from addresses linked to bad actors. These products also use AI to build predictive engines capable of identifying unknown addresses and transactions that may be suspicious.
Protocol risk management
With audits and bug bounties becoming a standard in web3, the rate of exploits caused by code vulnerabilities is expected to decrease. However, attackers are now resorting to hacks that exploit economic mechanisms (cf. Mango Finance exploit and Euler Finance hack).
As such, teams must start adopting solutions that improve cryptoeconomic security guarantees for users. These tools are often grouped under protocol risk management as they enable protocol developers to optimize for efficiency and incentives while safeguarding against attacks linked to adversarial or volatile market conditions.
Gauntlet Networks and Chaos Labs (both of whom count DeFi blue chips like Aave, Maker, and Compound as clients) are driving the adoption of risk management in DeFi projects. Apostro is another risk management platform for DeFi protocols that helps with monitoring market conditions, detecting price oracle deviations, and enforcing strict conditions on liquidity.
User security
While web3 empowers individuals to own their data, it places a greater responsibility on end-users to secure assets. Still, even advanced crypto users find OpSec (operational security) difficult—especially as scammers and fraudsters refine old tactics and evolve new ones. This is why consumer security solutions that help users, investors, and institutions safeguard digital assets have a compelling value proposition.
For the sake of clarity, we define user security as a collection of tools that monitor and safeguard user interactions with web3 applications. We see fraud prevention, transaction safety, and private key management as the most dominant verticals in this category.
- Transaction safety: These applications provide real-time risk assessment of transactions and flag/block risky operations that could result in loss of funds. Examples include CoinCover, Redefine, Blowfish, and Harpie.
Transaction explainability is a closely related idea and another important area of user security. A minimum requirement for safety is that users should know what is going in and out of a wallet before approving transactions. This is where integrating tools like WalletGuard—capable of providing human-readable insights into transactions—becomes necessary.
Asking users to sign random blobs [of data] is unacceptable, and I often find myself unable to interpret data provided by my Ledger wallet (it doesn’t even show which wallet is signing a transaction 😱). There is a lot of work still to be done here. — Joran Honig, security auditor at ConsenSys Diligence
- Fraud prevention: Tools for detecting malicious contracts and tokens, social media scams, phishing websites, social engineering schemes, and more. Yakoa, ScamSniffer, MobyMask, ChainPatrol, and Shield are some notable initiatives in this category.
- Secure key management: Private keys and seed phrases are notoriously difficult to secure and create a single point of failure for wallet owners. Multisignature wallet technology and multiparty-computation (MPC) eliminate the safety risk associated with centralized storage of private keys and seed phrases. Popular multisig wallet providers include Safe and BitGo, while Qredo, GK8, Fordefi, and Fireblocks are examples of MPC wallet-as-a-service providers.
The road ahead for web3 security
Web3 security is still growing, as seen in projects’ focus on pre-launch audits and low adoption of DevSecOps best practices. Still, we expect that adoption of the tooling discussed in this article will grow as product teams in web3 start building with a security-first approach.
Certain layers of the web3 security stack are still underutilized—a trend which will likely change as the industry matures. In particular, DeFi projects may start to broaden the scope of security activities to include proactive threat monitoring and response and automated risk management (instead of merely focusing on vulnerability assessments).
We also expect to see more audit companies build products that help developer teams to automate and scale security testing. ConsenSys Diligence is already blazing this path with the release of Diligence Fuzzing—a cutting-edge tool for detecting smart contract vulnerabilities that uses advanced property-based analysis.
Finally, on-chain user security will become increasingly important as web3 adoption grows. This presents a valuable opportunity for services that keep web3 users (and their assets) safe to scale and build sustainable economic models over time.