Cracking the Code: Hexagate's Insights on Web3 Cybersecurity
In this article we draw comparison to Web2 security frameworks, discuss the unique technological features that require a nuanced approach to cybersecurity in Web3, assess the current state of Web3 cybersecurity, and share our thoughts on the future.
“Blockchain”, “cryptocurrency” and “Web3” are often used interchangeably, and news cycles tend to focus on the actions of bad actors, financial losses and the volatility of cryptocurrency. This obscures blockchain’s broader potential as a technology that enhances the security and privacy of digital transactions irrespective of the area of application. The features of the technology, namely disintermediation, accessibility, immutability and control, provide transformational benefits to the governments, financial institutions and supply chains adopting blockchain technology at a rapid pace. While these defining characteristics are the reason blockchain technology is considered so revolutionary, paradoxically, the same traits introduce unique complexities for cybersecurity experts to tackle.
This is especially important in Web3. Web3 is a catch-all term for the vision of a decentralized and open web. At its core, Web3 uses blockchains, digital assets (tokens, cryptocurrencies, NFTs) and smart contracts to give power back to its users. Today, Web3 applications include capital markets, real estate, social media, gaming, art and more.
The emergence of new technologies has always required an evolution in cybersecurity approaches. From the first computer to the internet, digitalised databases and credit cards, cybersecurity experts have found ways to defend against viruses and malicious actors seeking data, influence and financial assets, and have established best practices, frameworks, regulation and legislation.
What does this look like in Web3? The sections that follow take up that question.
Hexagate was established with the purpose of giving Web3 organizations the power to protect their users from cybersecurity threats. Since its inception in 2022, Hexagate has successfully shielded chains, protocols and bridges against financial, governance and malicious threats, and currently protects over $15 billion in digital assets. Hexagate offers a Web3 Security and Analytics API and security advisory services alongside its core product, the Hexagate Security Platform. Today, the Hexagate Security Platform provides coverage akin to ‘run-time’ security for Web2 applications, specifically for smart contracts and digital assets.
Established Cybersecurity Framework
Firstly, let’s look at what constitutes a security stack. The NIST Cybersecurity Framework illustrates how layers of security solutions should work together to minimize the risk of cyber threats. It is a straightforward and easy-to-understand model that can be used by any organization in any sector, and it focuses on five core functions: identify, protect, detect, respond and recover.
Identify entails determining what the critical functions are and what cybersecurity risks could disrupt them. Understanding what you are protecting is the first step!
Protect supports the ability to limit or contain the impact of a potential cybersecurity event. An example is auditing, which is where most security budgets are focused today.
Detect includes having the relevant measures in place to quickly uncover threats and other risks. This includes continuous monitoring and threat hunting to identify unusual activity and potential attacks.
Respond focuses on implementing relevant measures to take action against threats that have made it past preventive tools. This includes response planning, threat analysis and mitigation.
Recover includes having the tools and strategic plan in place to restore any capabilities or services after a cybersecurity incident. This includes forensics, asset recovery and security improvements.
Unique Features of Web3 and Blockchain Technology
Here we explore the defining characteristics of Web3 and blockchain technology:
Blockchain Transactions are Immutable
In Web2, security models primarily focus on response and recovery, but blockchain transactions are irreversible, and the pseudonymity of transactions stunts traditional incident response mechanisms. Blockchain security architecture therefore needs to emphasize protection, catching incidents before they happen.
Web3 is Open
Centralized Web2 services do not run on publicly visible code, whereas in Web3 high-value applications use open-source codebases and operate on public blockchains. This means the code is publicly available and is continually vetted by a community of developers who review it for bugs, vulnerabilities and other issues. At the same time, hackers and malicious entities can continuously examine the same code and find vulnerabilities to exploit. Priority must therefore be given to code security and to detecting emerging threats as they happen.
Blockchains are Composable
The composability of blockchains and smart contracts introduces complexities that make securing them a challenge. Composability allows different applications and protocols to connect seamlessly and create powerful applications, but this extends the attack surface and can create vulnerabilities. The idiom applies that ‘a chain is no stronger than its weakest link’, so Web3 organizations must prioritize identifying all on- and off-chain dependencies and have relevant measures in place to quickly detect third-party threats.
Web3 Applications are Censorship-resistant
Due to the nature of public blockchains (censorship-resistant and decentralized), Web3 applications cannot rely on traditional methods of detecting and preventing attacks. For instance, developers cannot restrict individuals from interacting with on-chain applications or freeze/reverse malicious user operations. It’s therefore imperative that Web3 organizations continuously monitor for potentially malicious behavior and detect bad actors to protect their protocols from attack.
Web3 is Decentralized
A unique risk to blockchain organizations exists within decentralized governance structures that give decision-making power to token holders. Attackers are able to manipulate any blockchain project by gaining enough voting rights or influence to enact a malicious proposal. One of the most significant examples is the Ethereum-based stablecoin protocol Beanstalk, where an attacker recently stole $181 million by manipulating governance. Blockchain organizations need to identify this as a security risk and prioritize detecting potential threats and responding appropriately.
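To make the "detect bad actors as it happens" point of the last two sections concrete, here is an added example (editorial illustration, not Hexagate's code or product logic). It replays a constructed stream of on-chain events through two run-time checks: an accounting invariant (the vault's token balance must cover every user's recorded balance, which breaks the moment an unauthorized withdrawal drains funds) and a governance heuristic (a vote that alone reaches quorum using voting power acquired in the same block). The event model, the `QUORUM` value, the same-block heuristic and all event data are assumptions made for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    """One on-chain event (hypothetical model; a real monitor reads a node or indexer)."""
    block: int
    kind: str        # "deposit" | "withdraw" | "acquire_power" | "vote"
    actor: str
    amount: int = 0  # tokens moved, or voting power acquired
    proposal: str = ""


QUORUM = 1_000  # hypothetical: voting power needed to carry a proposal


def check_invariant(ledger, vault_balance):
    """Accounting invariant: tokens actually held must cover all recorded user balances."""
    return vault_balance >= sum(ledger.values())


def monitor(events):
    """Replay events in block order and return one alert per newly detected violation."""
    alerts = []
    ledger = defaultdict(int)   # user -> balance the protocol believes it owes
    vault_balance = 0           # tokens the contract actually holds
    power = defaultdict(int)    # user -> voting power
    acquired_in = {}            # user -> block in which power was last acquired
    invariant_ok = True         # so a persisting breach alerts once, not every block

    for block in sorted({e.block for e in events}):
        for e in (x for x in events if x.block == block):
            if e.kind == "deposit":
                ledger[e.actor] += e.amount
                vault_balance += e.amount
            elif e.kind == "withdraw":
                # Tokens leave the vault; the ledger is only debited for what the
                # actor actually had, so an unauthorized withdrawal leaves the
                # ledger claiming more than the vault holds.
                vault_balance -= e.amount
                ledger[e.actor] = max(0, ledger[e.actor] - e.amount)
            elif e.kind == "acquire_power":
                power[e.actor] += e.amount
                acquired_in[e.actor] = block
            elif e.kind == "vote":
                # Heuristic: a single voter who can carry the proposal alone, using
                # power obtained in this same block, is flagged for review.
                if power[e.actor] >= QUORUM and acquired_in.get(e.actor) == block:
                    alerts.append(
                        f"block {block}: proposal {e.proposal} can be carried by "
                        f"{e.actor} alone with power acquired in the same block"
                    )

        ok = check_invariant(ledger, vault_balance)
        if invariant_ok and not ok:
            alerts.append(
                f"block {block}: vault holds {vault_balance} but ledger records "
                f"{sum(ledger.values())}"
            )
        invariant_ok = ok
    return alerts


# Constructed sample stream: a normal vote, an unauthorized drain, then a
# same-block power grab followed immediately by a quorum-reaching vote.
SAMPLE_EVENTS = [
    Event(100, "deposit", "alice", 500),
    Event(100, "deposit", "bob", 300),
    Event(101, "acquire_power", "carol", 200),
    Event(102, "vote", "carol", proposal="P-1"),
    Event(103, "withdraw", "mallory", 400),
    Event(104, "acquire_power", "mallory", 1_500),
    Event(104, "vote", "mallory", proposal="P-2"),
]

if __name__ == "__main__":
    for alert in monitor(SAMPLE_EVENTS):
        print(alert)
```

Run as written, the monitor raises exactly two alerts: the invariant breach at block 103 and the governance flag at block 104. In a deployment the events would be streamed from a node or indexer rather than a list, and the alert at block 103 is the moment a response plan has to act, since the transaction itself cannot be reversed.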
State of Web3 Security
Cutting-edge solutions designed to safeguard the Web3 ecosystem against different security threats exist throughout the security stack. These security competencies have emerged over a short span of time and have protected billions in value, millions of users and thousands of blockchain organizations. There are many reputable auditors protecting code, security platforms like Hexagate’s that monitor, detect and mitigate threats, and forensic firms and the Web3 community recovering more losses than ever before.
However, across the Web3 space, we observe many incomplete security stacks. Currently, the focus is on patching vulnerabilities through smart contract audits and bug bounty programs, then investigating what went wrong after an incident. In Web3, where code is visible and transactions are irreversible, security architectures must emphasize prevention. We explore three reasons for incomplete security stacks below.
Firstly, we believe the absence of security standards tailored to the uniqueness of Web3 is the main barrier to security tool adoption. As explored above, Web3 organizations face a range of new security challenges compared with their Web2 counterparts. Whilst the NIST Cybersecurity Framework should still be followed, it needs more ‘meat on the bones’ to be actionable. With security standards, Web3 organizations can be secure by design from the conception stage, ensure appropriate budgets are available and allocated across the whole security stack, and facilitate knowledge sharing through a common understanding of concepts, terms and definitions.
Secondly, we believe that the culture of growth over security means security can be an afterthought. Chainalysis wrote that DeFi vulnerabilities stemmed from protocol operators focusing primarily on growth, and not enough on implementing and maintaining robust security systems. We observe that when protocols are in the maturation stage, security becomes a priority, and the full security stack is in place.
Lastly, inertia. Protocols invest considerable resources into security, but over-allocate to audits and bug bounties, which look for first-party vulnerabilities in static code. The slew of hacks on audited protocols shows that code errors can easily slip through the cracks. Sadly, many organizations only take action after a compromise. Insanity is doing the same thing over and over and expecting different results, so it’s unfortunate to see that this has not triggered a behavior change or budget revisions to cover other parts of the security stack. Protocols should sustain momentum after achieving a successful audit and continuously tune their security programs to meet the increasing threats to their organization.
Future of Web3 Security
The mounting pressure from institutions, legislators, and consumers will motivate blockchain organizations to elevate their security practices. Over the next few years, we are likely to see organizations evolve their approaches to gain a competitive advantage. DeFi protocols, bridges and Layer-2s are likely to be the first organizations to implement full security stacks to protect the increased volume of capital they’re expected to hold and process as the industry grows exponentially.
In the upcoming years, the Web3 community and organizations will collaborate to establish Web3 cybersecurity standards akin to those which exist in Web2. This will shift budget allocations towards detection and prevention, increase knowledge sharing, and cultivate a culture of security that will secure not just our digital assets but also create the trust and confidence essential for the success and growth of this revolutionary space.
As more apps launch and interoperate with on and off-chain partners, there is a risk that more vulnerabilities are introduced to the system. We therefore envisage that special attention will be given to ensuring interoperability and composability while maintaining security.
Our exploration into securing Web3 underscores the importance of adapting cybersecurity practices to the unique features of blockchain technologies. The future of blockchain security relies upon establishing security standards specific to Web3, fostering a cultural shift that prioritizes security alongside growth, and overcoming the inertia that often follows successful audits.
As the Web3 ecosystem continues to develop and mature, blockchain security companies will evolve in tandem. We will see auditors become more sophisticated, forensics firms recover more funds, and companies like Hexagate increase the coverage of their monitoring tools, enhance their detection abilities, and establish reliable threat mitigation approaches for emerging threats like atomic hacks. For a secure future, we must collectively address current challenges and prepare for what comes next through continuous product development, knowledge sharing, and a commitment to blockchain security as a shared responsibility.
The Hexagate Security Platform's core capabilities (the Invariant Monitoring Engine, Real-Time Threat Monitoring & Detection, and Threat Remediation & Incident Response) directly address the vulnerabilities of blockchain technology. It’s our mission to provide security solutions for blockchain organizations irrespective of their size or stage, so they can navigate the complexities of Web3 with confidence.
Get in touch to explore how Hexagate can support your Web3 cybersecurity needs.