Throughout most of the year 2024, it seemed as though I was residing in the future. Notably, Google introduced a quantum computing chip capable of executing computations that would take a conventional computer more time than the universe has been in existence. Additionally, Waymo’s self-driving vehicles transported around 150,000 individuals on a weekly basis. Moreover, AI models such as AlphaFold were making significant strides in solving intricate biological puzzles with remarkable accuracy.
In contrast to the rapid advancements in various other fields, certain areas within our own industry seem to have stagnated, particularly when it comes to security matters. Even as cutting-edge technology revolutionizes numerous industries, the security aspect of web3 continues to be plagued with persistent issues.
As a researcher delving into the world of web3, I’ve observed that the transition from the centralized structure of Web2 to the decentralized architecture of Web3 has significantly broadened the scope for potential attacks. While decentralization is indeed the cornerstone of Web3’s innovation, it paradoxically introduces a security challenge: the very openness and distribution that empowers users also expands a constantly vulnerable attack surface. Given the enormous volume of transactions, amounting to hundreds of billions annually, the importance of securing this system has never been more critical.
Despite a rapid expansion in potential vulnerabilities and massive funds transiting through these systems, our sector persists in relying on traditional, manual security assessments as its bedrock. This method, once considered the pinnacle of web3 security, has been found woefully inadequate and outmoded. The facts bear this out; an overwhelming 90% of exploited contracts have already undergone audits.
In the same way that web2 software development progressed from relying solely on manual testing to incorporating numerous tools such as continuous integration, automated testing, and runtime monitoring, the evolution of web3 necessitates a comparable shift in our approach to development, aiming for deployment to a wide audience.
Web3’s unique challenges
The current state of smart contract security measures raises significant concern, considering the potential severity of a web3 security incident. Here are three primary factors contributing to this:
1. Lack of standardization and best practices in the development and deployment of smart contracts.
2. Insufficient testing and auditing of smart contracts before they are launched on the blockchain.
3. The complexity of smart contract code, which makes it challenging to identify vulnerabilities and fix them promptly.
- Immutability: When you deploy a smart contract, its code becomes permanent—immutability is a core feature, not a bug. This means that, unlike web2 applications, where developers can quickly patch vulnerabilities, fixing smart contract flaws requires complex coordination across the entire protocol.
- Visibility: Compounding this challenge is the public nature of blockchain code, where potential attackers have visibility into the source code. If vulnerabilities exist, bad actors can (and will) find them.
- Direct control over assets: Most critically, web3 vulnerabilities put actual assets at immediate risk. While web2 attacks typically target data, smart contract exploits result in direct, often irreversible, financial losses.
The unique qualities that make web3 revolutionary – its permanence, openness, and user control over assets – also necessitate a fundamental shift in our approach to security.
Why audits alone fall short
To make things crystal clear: I’m not disputing the importance of audits, as they are crucial for ensuring secure smart contracts. However, relying solely on audits isn’t the best approach. When audits are our only safeguard, user assets remain vulnerable. The Euler Finance hack in 2023 serves as a stark reminder; despite ten separate audits, the losses amounted to over $200 million.
One significant challenge with depending on human audits is that even the most skilled auditors can miss certain issues; humans are prone to errors. As smart contracts grow in complexity, each added feature creates more potential vulnerabilities, making it extremely difficult for any manual inspection to locate every possible weakness. The fact that a project might undergo ten separate audits and still get hacked demonstrates this issue – it’s not a matter of the auditors’ abilities but rather the intrinsic limitations of manual evaluation.
The case for proactive security
Essentially, our field’s overreliance on audits has fostered an unaccountable standard for web3 security, where actively securing smart contracts is rare rather than commonplace. The understanding that web3 progressed while security was neglected is what sparked the inception of Olympix, a developer-focused web3 security platform, in 2022, designed to help coders secure their work as they create it.
Our objective is to automate a significant portion of the audit procedure, identifying 20-50% of potential vulnerabilities ahead of the initial audit. This approach enables security specialists to concentrate on uncovering critical and innovative vulnerabilities rather than addressing routine issues. The system is proving effective; an assessment within our organization revealed that in Q3 ’24, approximately $60M worth of contracts that had previously been audited would have been safeguarded from exploitation if the teams had employed our tools. This figure encompasses high-profile hacks such as Pendle ($6.5M) and LIFI ($600K). Nevertheless, it’s important to note that advanced tools like Olympix are not a comprehensive solution. The complexities of Web3 necessitate a sophisticated, multi-layered approach that integrates proactive, developer-focused tools with traditional audits, bug bounty programs, and on-chain monitoring to establish multiple layers of protection.
The path forward: From reactive to proactive
Consider your current security strategies. Are they primarily based on occasional assessments? Do your security measures align with the intricacy and risk associated with the projects you’ve implemented? It seems likely that many organizations still have a significant discrepancy between their security practices and the required level of protection.
In 2025, we possess all the necessary technology to revolutionize web3 security. The means for securely implementing smart contracts are available now, and solutions like Olympix are among those tools at our disposal.
I strongly feel that the future of our field will be shaped by trust, particularly in safeguarding the assets that others rely on us to hold. Web3 indeed brings transformation, but it’s also demanding. Given the significant value at play, the resilience and durability of web3 rest on our shoulders. Let’s take action to ensure a secure future for ourselves.
Channi Greenwall, the visionary behind Olympix, heads a dynamic organization specializing in advanced security solutions for web3 development. To date, Olympix has safeguarded over $10 billion worth of assets across various protocols, a testament to its effectiveness. In just a few short years, the platform is trusted by more than 30% of Solidity developers for smart contract security. Before her tenure at Olympix, she honed her skills in creating essential security frameworks at JP Morgan Chase. Her subsequent role was as a product manager at Security Scorecard. She boasts a BS in Computer Science and an MS in Security Engineering from NYU.
Read More
- 15 Charged for converting Drug Cartels’ Cash into Cryptocurrency in U.S.
- XRP Price Eyes $2 Support Level Amidst Market Correction
- OREO Unveils Six New Products for 2025
- PYTH PREDICTION. PYTH cryptocurrency
- ‘Fast and Furious’ Star Paul Walker Remembered 11 Years After His Death
- Apple Lands Anya Taylor-Joy Led Drama ‘Lucky,’ Based on Bestseller
- Google’s Willow Quantum Chip Sparks Bitcoin Security Debate
- TROTOAR Gallery Bridges Local and Global Art with ‘That’s What’s Up!’
- Russell T Davies Says He “Kind Of Hopes” The Streaming Bubble Will “Pop”
- India signals no fixed timeline for crypto rules, calls for global alliance
2025-01-08 16:34