Traditional Security - the next frontier for Web3 Security

1. Smart Contract Security peakage

As we speed run through the 2024 state of Web3 security, we can say with confidence that smart contract security is at its peak. Woot woot! Remember those old days when unaudited code would reach +$100M in TVL only to get exploited and subsequently immortalized on an ever evolving Rekt leaderboard? That won't happen again!

We've had for a few years now, thanks to Immunefi and some strong DeFi protocols, bug bounties of over $1M in maximum rewards for critical vulnerabilities found in the wild. LayerZero has famously launched a staggering record-breaking $15M bug bounty, showing their great commitment to security and putting their money where their mouth is.

But bug bounties are for live production code with real economic value at risk. Now we're starting to see more and more money being allocated preemptively, before a protocol goes live. We've now had many +$1M audit contests, and the limit is continuously being pushed.

Furthermore, anyone who studies a historical repertoire of vulnerabilities found in smart contract audits (Solodit is a phenomenal one) can see with clarity how much vulnerabilities have matured in complexity. Where you used to see classic price manipulations or reentrancy bugs, you now see highly complex business logic bugs which often intertwine various vulnerabilities to eventually achieve the most impactful attack vector possible. Big difference!

2. What's still missing in Web3 Security?

Though smart contract security has reached a state where you don't face palm when you read through the latest critical vulnerability found in a protocol (on the account of it being highly complex, instead of ridiculously obvious), we still can say that we have a little bit of a problem with hacks. How come? Well, according to the Q2 Crypto Losses report by Immunefi, there's been a 112% increase in total losses on Q2 2024 compared to Q2 2023, reaching the modest quantity of $572,688,861. Impressively, only 1.5% of that is caused by fraud, the remaining being hacks.

So yeah, there's something weird going on, it seems.

When we go deeper into the report, we understand that actually 70% of hacked funds in Q2 2024 came from successful exploits targeting CeFi. If you just look at DeFi, you actually see a 25% decrease compared to Q2 2023.

I often here about this weird ongoing trend of Web3 in general desperately needing Web2 people. "We need to hire Web2 UX designers" they say, or "We need to find Web2 security talent". I don't fully subscribe to this trend, but I do subscribe to a more fundamental underlying truth that the Web3 space does need more experienced people. And in the context of cyber security, there's something still desperately needed in the Web3 security space which is known by most Web2 security researchers: infrastructure and organization-level security. I'll call it traditional security.

It's not just CeFi who needs it. The second largest DeFi hack of Q2 2024 was due to a malicious takeover of a dormant privileged account. Here's what Mitchell Amador had to say about this quarter's losses report:

"This quarter highlights how infrastructure compromises can be the most devastating hacks in crypto, as a single compromise can lead to millions in damages. This was evident during this quarter, where losses surged primarily due to hacks targeting CeFi infrastructure, surpassing DeFi, despite a smaller number of hacks in that sector. Robust measures to safeguard the entirety of the ecosystem are crucial."

The criticality of infrastructure in the Web3 space is not something new. We've known that at least since the infamous Ronin bridge hack of ~$624M due to a multisig compromise. But we can say there's good evidence that we haven't gone a long way in terms of infrastructure and organizational security. There's immense pressure for a protocol to have their smart contracts audited and provably secure. But close to zero pressure for a protocol to provide evidence on their infrastructure security posture, or any security compliance at the organizational level.

So while a smart contract audit is an incredibly powerful assurance and security effort, it's not the whole picture on the huge majority of cases. Sure, there's a handful of immutable and infrastructure-independent protocols. But the remaining ones offload security concerns to administrative privileges, multisigs, and infrastructure whose liveliness is critical. That's not to say they suck for being like this, rather the point here is that there are a lot of potential security holes beyond the smart contract layer.

3. What do?

At least right now, I'm not going to provide a list of chat-GPT tips on how to strengthen one's security posture at the organizational and infrastructure levels. You can find that... well... by asking chat-GPT, really. I will do instead something much easier for myself and much more difficult for the readers - a call to action.

The next level of security standards that the Web3 industry should adopt is infrastructure level security accountability. This is provably crucial to building secure protocols with hundreds of millions in funds. But also, it's a sort of accountability that protocol users should start demanding for. If it becomes a differentiating factor when it comes to user adoption, it most certainly will start to gain traction much like smart contract security did.

What do we want to see now? Protocols advancing to deeper levels of security reporting. Perhaps some form of infrastructure security review report, maybe beyond traditional security compliance. Maybe new compliance frameworks. The world is Web3 security's oyster. I guess we'll know we're maturing when we start seeing "DM for infrastructure audits" bios. What a world that would be.