In the rapidly evolving landscape of Web3, security has become a paramount concern. The recent report by Chainalysis, which highlights the loss of over $3 billion to smart-contract exploits in 2022, underscores the immaturity of the security ecosystem and the underutilization of security practices in this new era. This article, presented by 1 Dot Media, delves deep into the world of Web3 security, elucidating the fundamental differences between Web2 and Web3 technologies, and how they create both opportunities and challenges in safeguarding user data and assets on the blockchain.
The global cybersecurity market is currently estimated at approximately $167 billion, as reported by McKinsey. As Web3 continues its ascent along the adoption curve, it will encompass not only financial data but also non-financial data. Consequently, a similarly substantial market for Web3 security is expected to emerge.
Web3 security is not inherently broken, but rather, it is in a state of continuous development. Presently, the ecosystem consists mainly of semi-mature Web3 security companies, with a significant focus on smart contract audits as their primary value proposition. Auditing, while indispensable, is a manual process that scrutinizes a project's code to identify security vulnerabilities. However, it's crucial to note that even audited smart contracts fell victim to hacks, with 167 major breaches occurring in 2022, as revealed by the Beosin Web3 Security Report. This alarming statistic underscores the urgent need for the expansion of security infrastructure and automation in the Web3 space.
To understand the evolving landscape of Web3 security, we can categorize it into three main segments: auditing, tools, and communities.
Auditing
Auditing is a cornerstone of Web3 security, and several companies are dedicated to this crucial task. Auditing involves a meticulous examination of a project's code to identify vulnerabilities and potential security threats. While it plays a pivotal role, the fact that even audited contracts have been compromised highlights the necessity for additional security measures.
Tools
In the realm of tools, numerous innovations are contributing to the security of Web3 applications. These tools aim to integrate security into the development process itself, fostering a "security-first" mindset among developers. For instance, Certora, a company in CoinFund's portfolio, offers tools for securing smart contracts through formal verification strategies, with the goal of minimizing vulnerabilities before deployment. Other pioneering projects, such as Enigma Labs with its Dev0x tool for orchestrating security products, are pushing the boundaries of innovation in this space. Moreover, transaction and ecosystem testing and simulation tools like Tenderly, Chaos Labs, and Gauntlet are enabling developers to manage and predict smart contract behavior before deployment, further bolstering security.
Continuous/Runtime Monitoring
Monitoring plays a vital role in Web3 security, with companies like Chainalysis and TRM Labs leading the way in post-mortem AML detection and investigation. However, there is a notable gap in the market for runtime monitoring solutions designed for proactive security exploit prevention. Companies such as Forta and CyVers are bridging this gap by offering real-time monitoring with predictive capabilities for detecting and preventing exploits. Forta, for example, operates as a distributed network for continuous runtime monitoring, while CyVers leverages machine learning to automatically detect attacks on behalf of exchanges, custodians, and DeFi protocols. These solutions represent a significant step forward in securing Web3 assets.
Security Networks/Communities
Web3 thrives on community engagement, and the security sector is no exception. Various types of communities, including developer communities (e.g., Developer DAO), investor communities (e.g., FlamingoDAO), and financial infrastructure communities (e.g., SyndicateDAO and Juicebox), are forming to strengthen Web3 security. One noteworthy example is Immunefi, which has raised $24 million for its Series A. Immunefi harnesses the power of the community by incentivizing a network of white-hat hackers to identify vulnerabilities in smart contracts. Other initiatives, such as Code4rena, Secure3, and PwnedNoMore, are following a similar path, illustrating the potential of community-driven security solutions.
Consumer and Institutional Transaction Security Solutions
User-facing transaction and wallet security products are crucial components of Web3 security. These solutions are purchased by dApp and protocol users, as well as wallets themselves, to enhance security. While wallets can incorporate security features into their products, specialized security solutions with proprietary algorithms for risk detection stand out. For instance, Redefine provides real-time transaction risk assessments and alerts, combining real-time transaction simulation and monitoring to deliver security alerts directly to users. Other solutions like Shield, Hexagate, and Web3Builders' TrustCheck focus on protecting transactors, ensuring that Web3 assets remain secure.
Going Beyond Auditing
While auditing remains a vital aspect of Web3 security, it is clear that additional layers of security are necessary. Some auditing firms are recognizing the need to expand their offerings by incorporating process automation tools for auditing and DevOps. Companies like Quantstamp and Sherlock are exploring the intersection of security auditing and asset insurance, showcasing the industry's commitment to comprehensive security solutions.
To guide the development of Web3 security, several key thesis points have emerged:
Identification of Key Security Stakeholders
In the Web3 landscape, developers, projects, and users are the most critical stakeholders for security solutions. Unlike Web2, where businesses were primarily responsible for user data protection, Web3 empowers users to secure their assets directly. Therefore, solutions must cater to the unique needs and motivations of these stakeholders.
Prevention, Mitigation, and Response
Security in Web3 necessitates a multifaceted approach that goes beyond pre-launch auditing. Given that code can never be completely free of vulnerabilities, real-time exploit mitigation and response mechanisms are essential. These proactive measures are as crucial in Web3 as they are in Web2.
Combining Traditional Security and Web3 Expertise
The security market is highly competitive and constantly evolving. To succeed, security companies require founders who possess deep expertise in both traditional security and the emerging Web3 security landscape. This blend of knowledge enables them to address novel challenges effectively.
At 1 Dot Media, we are committed to investing in companies that advance Web3 security. We look for teams with deep expertise in Web2 security, coupled with a profound understanding of the crypto-native perspective. Moreover, we seek products and networks that can scale in tandem with the evolving technology. In a market where thousands of solutions will be created, we aim to partner with founders who aspire to set the industry standard as Web3 security matures.
Web3 security is a dynamic and evolving field, driven by innovation and community collaboration. As the adoption of Web3 technologies continues to grow, the importance of robust security measures cannot be overstated. The Web3 security landscape encompasses auditing, innovative tools, proactive monitoring, and thriving communities, all working together to safeguard user data and assets. At 1 Dot Media, we are dedicated to supporting and investing in the growth of Web3 security, and we welcome innovative teams to join us in this endeavor.
In the ever-changing landscape of Web3, staying ahead of security threats is paramount. As we move forward, we anticipate exciting developments that will further fortify the foundations of Web3 security.
*Disclaimer: The views expressed in this article are those of the individual 1 Dot Media personnel quoted and do not necessarily reflect the views of 1 Dot Media or its affiliates. This content is provided for informational purposes only and should not be construed as legal, business, investment, or tax advice. Readers are advised to consult their own advisors for specific matters. References to securities or digital assets are for illustrative purposes only and do not constitute investment recommendations or offers to provide investment advisory services.*