Web 3.0 security: expectations and reality

Hacken Token
self.hacken · 1m ago
# Web 3.0 has become one of the most frequently used word combinations in 2021

Industry leaders and experts are actively discussing Web 3.0 at international conferences, meetups, round tables, etc. Web 3.0 is revolutionizing the Internet. It is a decentralized web with virtual assets at its core. Web 3.0 is likely to become the new reality even in the short term. Today we are living through the Web 3.0 transformation. The new technology brings numerous opportunities to both companies and users.

The key features of Web 3.0 are decentralization, permissionlessness, wide adoption of AI, virtual reality, transparency, and security. The last feature is crucial. There will be real mass adoption of Web 3.0 technologies only when they are secure for users. Let’s analyze the state of Web 3.0 security by comparing it with the ideal scenario.

## Web 3.0 cybersecurity: expectations

In Web 3.0, users will have full control over their identity and data. They will be able to use their tokens to influence the development of communities and companies. Web 3.0 is focused on ending the monopoly of tech giants over users’ data. In the Web 3.0 future, users will not share profits with any intermediaries. It will be a user-centered future, since smart contracts on the blockchain will eliminate the need for any central authority. Blockchain networks will prevent any possible manipulation of decision-making processes by corporate players. As a result, Web 3.0 will be a future free of corruption, with minimal negative human influence on ratings, fund management, and business development processes. In Web 3.0, there won’t be any need for privately owned data centers, since information will be spread among many devices.

In the ideal Web 3.0 environment, users will have access to all security information about industry players. Investing in Web 3.0 will not be like entering the dark forest and hoping for the best.
Users will have full control over the security policies implemented by their projects. Also, Web 3.0 projects will focus on educating users on cybersecurity. As a result, rug pulls and scams will become extremely rare or even disappear, since users will be able to detect scammers before investing any money. There will also be standards, both formal and informal, forcing projects to invest in cybersecurity. The recent moves by governments worldwide toward the legalization of virtual assets suggest that there will also be regulations governing what security testing every project needs to undergo, depending on its sphere of business.

Thus, Web 3.0 should be transparent, free of scams and fraud, and secure in order to win users’ trust and create the conditions for real mass adoption.

**Are we so far from this ideal future?**

## Web 3.0 cybersecurity: reality

Unfortunately, we are still far away from the ideal Web 3.0 cybersecurity future. According to the recent [cybersecurity report](https://www.idtheftcenter.org/post/identity-theft-resource-center-2021-annual-data-breach-report-sets-new-record-for-number-of-compromises/) by the Identity Theft Resource Center, the number of data compromises in 2021 was 68% higher than in 2020. In total, there were 1,862 data compromises, which is 23% more than the all-time high recorded in 2017 (1,506). The share of cases involving sensitive information is above 80%.

According to Chainalysis, in 2021, the volume of crypto crime reached [$14B](https://blog.chainalysis.com/reports/2022-crypto-crime-report-introduction/), of which $7.8B was lost as a result of scams. Cryptocurrency theft reached $3.2B in 2021, of which $2.3B was stolen from DeFi protocols. The key reason behind the majority of hacks was errors in smart contracts.
In Q1 2022, the volume of assets stolen from DeFi platforms was [$1.2B](https://finance.yahoo.com/news/1-2-billion-lost-hacks-133135580.html) (+692% compared to the same period in 2021). As DeFi gets bigger, the number of sophisticated hacks will likely increase.

Even the ecosystem of decentralized autonomous organizations is at risk. In March 2022, the Ronin blockchain, on which the Axie Infinity game runs, experienced a hack resulting in the loss of [$625M](https://www.theverge.com/2022/3/29/23001620/sky-mavis-axie-infinity-ronin-blockchain-validation-defi-hack-nft). The hack of a DAO is an alarming sign, since the DAO is a key component of Web 3.0 protocols and companies. Ronin is an example of a sidechain, the key advantages of which are lower costs and faster transactions. However, this is often achieved by sacrificing security.

Web 3.0 is still vulnerable to security issues. The rapidly increasing number of decentralized applications only expands the scope of the problem, since many projects fail to take adequate security measures before official release. Projects choose between entering the market before their competitors and investing time and money in cybersecurity. Some projects prioritize hype over security.

When speaking about user experience, one of the main concerns is privacy. Today’s blockchains are “pseudonymous”: users are identified by a public key, an alphanumeric string of characters. Associations between activity in a transaction and metadata may undermine privacy. Blockchain forensic firms such as CipherTrace and Elliptic use the digital ledgers to trace financial activity on the blockchain. Currently, privacy is not prioritized in Web 3.0, since it is difficult to guarantee. Making privacy tools scalable is hard work.
According to [the investigation](https://brave.com/research-paper-privacy-and-security-issues-in-web-3-0/) by Brave Research, several out of 78 analyzed DeFi sites rely on third parties and even occasionally leak users’ Ethereum addresses to these third parties, in most cases API and analytics providers. Also, many sites embed third-party scripts. There is a risk that these scripts may phish a user by initiating fraudulent wallet transactions. Among the 78 sites analyzed by Brave Research, 66% embed at least 1 third-party script from a total of 34 third parties. 41 DeFi sites embed at least one script provided by Google.

Although Web 3.0 is mostly about decentralization, projects heavily rely on centralized solutions such as Infura, the platform allowing DApps to quickly access Ethereum without running an Ethereum node locally. Infura is an infrastructure-as-a-service product. However, over the last few years, Infura has experienced several serious incidents. For example, in November 2020 it [went down](https://www.theblockcrypto.com/post/84232/ethereum-infrastructure-provider-infura-is-down) because it was not running the latest version of the Geth client. The over-dependence on Infura may affect the decentralized nature of Web 3.0.

In terms of authentication-over-wallet, most distributed applications nowadays delegate this task to MetaMask. This may be explained by the suggestion that technological systems have a built-in bias towards centralization.

*Thus, the modern state of Web 3.0 cybersecurity does not allow us to suggest that Web 3.0 is free of risks. However, every technology passes through a few stages of evolution, and the same applies to security. The higher the level of security in Web 3.0, the faster the rate of its adoption worldwide.*