Do End User Scams and Phishing Attacks in Web3 Get Enough Attention?
Christian Seifert, a cybersecurity specialist, claims that end users in the bitcoin industry are subject to various attacks that frequently go undetected. If widespread adoption is to take place, the security issues of Web3 technologies must be addressed and end users’ confidence in these systems must be strengthened.
Choose your poison from phishing, vulnerabilities, malware, and centralization.
According to Seifert, there are many attacks aimed at protocols in the Web3 domain, and often only the largest hacks—like the Ronin bridge attack in March of this year and Wintermute in September—are reported.
Cybercriminals frequently target Web3 businesses with the intention of stealing the private keys linked to their protocol addresses. These keys can be obtained through phishing scams or by taking advantage of flaws that give attackers access to the addresses. Updates to the protocols are typically used to address these vulnerabilities as the industry becomes aware of them.
Some protocols leave their contracts without updates, leaving them open to attack. In addition to these dangers, a variety of malware exists that can modify transaction addresses or steal private keys.
However, Seifert countered,
One thing to bear in mind is that protocols shouldn’t be set up so that they depend on the trust of one developer or address.
No single individual should have the authority to, for instance, alter a contract’s role. Instead, it ought to be managed by a mechanism like a multi-sig, where a decision is approved by a group of people or a community, because then, as Seifert put it, “even if I am infected with malware and my private key is compromised, I alone cannot do anything.”
Related to this is the question of whether a blockchain can be paused. For instance, according to its CEO, prominent cryptocurrency exchange Binance halted Bitcoin (BTC) withdrawals in June due to a backlog. And it’s not the only one; many decide to do this when they are attacked.
Seifert claimed that pausing at the blockchain’s base layer is problematic because it “illustrates the centralized nature of that specific blockchain.”
However, pausing on the application layer is a different matter and is required to safeguard user funds when under attack, according to him. For instance, a pause feature might only affect transactions above a given threshold rather than the protocol as a whole.
According to Seifert, “the purpose of these steps is to minimize the attack or slow it down while allowing legitimate users to continue using the protocol.”
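The two design points above, multi-sig control of privileged actions and a pause that is scoped to large transactions, can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from Seifert or from any real protocol; the `MultiSig`, `Vault`, signer names, balances and the 1,000-unit threshold are all constructed for the demonstration.

```python
class MultiSig:
    """M-of-N approval gate for privileged actions.

    Constructed illustration of the interview's point: one key, even a
    compromised one, cannot execute a privileged action on its own.
    """

    def __init__(self, signers, threshold):
        signers = set(signers)
        if not 1 <= threshold <= len(signers):
            raise ValueError("threshold must be between 1 and the signer count")
        self.signers = signers
        self.threshold = threshold
        self.approvals = {}  # action -> set of signers who approved it

    def approve(self, signer, action):
        """Record one signer's approval; returns the approval count so far."""
        if signer not in self.signers:
            raise PermissionError(f"{signer} is not a signer")
        self.approvals.setdefault(action, set()).add(signer)
        return len(self.approvals[action])

    def consume(self, action):
        """Succeed only if the threshold is met, then clear the approvals so
        the same action cannot be replayed without fresh sign-off."""
        if len(self.approvals.get(action, set())) < self.threshold:
            raise PermissionError(f"{action}: needs {self.threshold} approvals")
        del self.approvals[action]


class Vault:
    """Toy protocol: user balances, a guarded operator role, and a pause that
    only blocks withdrawals above `large_amount` (application-layer pause)."""

    def __init__(self, governance, large_amount):
        self.governance = governance
        self.large_amount = large_amount
        self.paused = False
        self.balances = {}
        self.operators = set()

    def deposit(self, user, amount):
        self.balances[user] = self.balances.get(user, 0) + amount

    def grant_operator(self, account):
        # A role change is privileged: gated by the multisig, never by one key.
        self.governance.consume(("grant_operator", account))
        self.operators.add(account)

    def set_paused(self, flag):
        # Pausing is privileged too, but scoped: see withdraw().
        self.governance.consume(("set_paused", flag))
        self.paused = flag

    def withdraw(self, user, amount):
        if self.balances.get(user, 0) < amount:
            raise ValueError("insufficient balance")
        if self.paused and amount > self.large_amount:
            raise RuntimeError("paused: withdrawals above the threshold are blocked")
        self.balances[user] -= amount
        return amount


def demo():
    """Walk through the scenario from the interview with constructed values."""
    gov = MultiSig(["alice", "bob", "carol"], threshold=2)
    vault = Vault(gov, large_amount=1_000)
    vault.deposit("user1", 50)
    vault.deposit("whale", 100_000)

    # One compromised signer key cannot grant a role by itself.
    gov.approve("alice", ("grant_operator", "0xattacker"))
    try:
        vault.grant_operator("0xattacker")
        single_key_granted = True
    except PermissionError:
        single_key_granted = False

    # Incident response: two signers approve the scoped pause.
    gov.approve("bob", ("set_paused", True))
    gov.approve("carol", ("set_paused", True))
    vault.set_paused(True)

    small_ok = vault.withdraw("user1", 50)  # ordinary users keep working
    try:
        vault.withdraw("whale", 100_000)    # large drain is held back
        large_ok = True
    except RuntimeError:
        large_ok = False
    return {"single_key_granted": single_key_granted, "paused": vault.paused,
            "small_ok": small_ok, "large_ok": large_ok}


if __name__ == "__main__":
    print(demo())
```

The approvals are keyed by the full action (what is being changed and to what), so signers approve a concrete change rather than a blanket "admin" capability, and `consume` clears them so a stale approval cannot be reused later.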
The expert also stressed the importance of transparency in security implementation, giving consumers access to all available data on security measures so they may determine whether or not to utilize the protocol. He contended,
“Security by obscurity is not the way to go.”
Crimes against end users that are frequent but underreported
Asked whether these disruptive attacks threaten the continued survival of Web3 or are simply a teething problem, Seifert said that “it’s a combination,” but that the effect is bad either way: adoption will surely suffer as a result.
For instance, a user who witnesses the theft of their cryptocurrency or non-fungible token (NFT) frequently “doesn’t grasp what occurred; they’re essentially presented with an empty wallet,” said Seifert, adding:
“I think that this does not increase the likelihood that those folks stay in Web3. And so I think victims in particular will probably turn away from Web3. Many of these stories are being shared online, and that does not instill a lot of confidence.”
Decentralized finance (DeFi) and noncustodial solutions are now more widely trusted, according to the expert, as a result of the recent wave of project failures and bankruptcies, particularly the collapse of the FTX exchange.
But dishonest people may be found anywhere there is money. Users are likely to adopt noncustodial characteristics and engage in DeFi in greater numbers because they have been withdrawing money from centralized exchanges; however:
“I am sure that attackers will try to take advantage of that. I think there’s going to be extensive push around phishing, rug pulls, all scams that are impacting end users.”
Therefore, there needs to be a stronger security layer that would alert a user about a potentially hazardous action, more user education, and usability improvements for end users, such as more user-friendly wallets, simpler products, and solutions that make it easier for end users to navigate Web3. According to Seifert, attackers are exploiting the complexity of these products and transactions, which is beyond the comprehension of the typical user.
“Even big wallet providers need to adopt extensive security features to protect end users.”
Seifert has observed over the past several years “a multitude” of security services that are emerging on the market to assist end users and protocols in protecting themselves, but at the same time, the business is still very young.
According to Seifert, a thorough security plan should include the following:
Auditing: audits are the most widely used method for securing a protocol; instead of trying to reinvent the wheel, use the template libraries that have already undergone audits to get rid of numerous known problems.
Bug bounties: the use of bounties is growing, with security researchers producing excellent work in an ethical manner; a protocol should encourage potential attackers to cooperate rather than to work against it.
Monitoring: once the protocol has been deployed, monitoring is crucial, since it gives time for action to be taken to mitigate an attack.
Incident response capabilities: essential for being able to act and safeguard the funds, whether automated or manual.
Pause functionality: as previously said, this helps prevent further draining of funds.
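The monitoring, incident response and pause items above fit together as a pipeline: watch withdrawals, notice when outflow over a short window is out of proportion to the value locked, and hand the responder the numbers needed to scope a pause. The following is an added example for this page, not code from Seifert or any real protocol; the events, the TVL of 1,000,000 units, the ten-minute window and the 10% trigger are all constructed, and a real deployment would read events from a chain node and page an on-call responder or call the pause instead of returning a list.

```python
from collections import deque

# Constructed sample: normal users withdraw 500 units every five minutes for an
# hour, then one address drains 40,000 units four times in thirty seconds.
NORMAL_EVENTS = [(t, f"0xuser{i}", 500) for i, t in enumerate(range(0, 3601, 300))]
DRAIN_EVENTS = [(4000 + 10 * k, "0xdrain", 40_000) for k in range(4)]
SAMPLE_EVENTS = NORMAL_EVENTS + DRAIN_EVENTS
TVL = 1_000_000  # constructed total value locked


def detect_drain(events, tvl, window_s=600, max_fraction=0.10):
    """Sliding-window outflow monitor.

    events: (timestamp_seconds, address, amount) tuples in any order.
    Returns one alert dict per episode in which the outflow during the last
    `window_s` seconds reached `max_fraction` of `tvl`.  Each alert carries
    the largest single withdrawal in the window, which is the natural starting
    point for a pause threshold: set it below that value and the drain is held
    while ordinary-sized withdrawals keep flowing.
    """
    window = deque()  # (timestamp, amount) still inside the window
    outflow = 0
    alerts = []
    alerted = False  # suppress repeat alerts within one episode
    for ts, _addr, amount in sorted(events):
        window.append((ts, amount))
        outflow += amount
        while window and window[0][0] < ts - window_s:
            _, old = window.popleft()
            outflow -= old
        fraction = outflow / tvl
        if fraction >= max_fraction:
            if not alerted:
                alerts.append({
                    "ts": ts,
                    "outflow": outflow,
                    "fraction": round(fraction, 4),
                    "largest": max(a for _, a in window),
                    "action": "pause withdrawals above largest normal size",
                })
                alerted = True
        else:
            alerted = False
    return alerts


if __name__ == "__main__":
    for alert in detect_drain(SAMPLE_EVENTS, TVL):
        print(alert)
```

On the constructed stream the normal traffic never comes close to the trigger, and the first alert fires on the third large withdrawal, when 120,500 units have left within ten minutes; the alert reports 40,000 as the largest single withdrawal, so a pause threshold of 1,000 would stop the drain without touching the 500-unit users.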
“Ideally, these should be integrated from day one. But a lot of the protocols are small teams, innovating rapidly, and they want to be quick to market. And security as a result in that environment is not a top priority.”
However, as they enter the market and, should they be successful, grow in both user numbers and total value locked (TVL), the protocol’s risk profile changes.
“Attackers see how many digital assets are in the protocol, and you will become a target. And you need to adopt a comprehensive security strategy once you become a risk.”
In the meantime, we’re observing a concentration of security services in managed service providers in the Web2 sector, where a small firm can ask such a provider to safeguard it. Seifert added, “And I anticipate there will be something comparable in the Web3 space. The industry will need to develop solutions to reduce the problem of centralization there.”
Attacks are a major issue for both users and protocols, and the market is starting to acknowledge this. As a result, there is “a flurry” of businesses, decentralized autonomous organizations (DAOs), and communities developing security services.
Seifert continued, “I therefore very much think that security will be more developed in the Web3 arena in five years, and we’re starting to see that.”