Tl;dr
The immutable nature of the blockchain and culture of open-source development provide an opportunity for web3 security to be proactive and prevention-focused.
We are seeing novel security solutions for web3 infrastructure, smart contract code, protocol logic, and ecosystems to prevent and mitigate security threats.
Investing in these solutions and the teams building them will help to ensure the security and integrity of web3 while supporting its continued growth.
By Jonathan King, Steven Willinger
The web3 application ecosystem is made up of interoperable protocols, powered by smart contracts, that rely on the underlying infrastructure of the host blockchain and the internet. As the web3 ecosystem continues to grow, security solutions need to keep up with the pace of innovation. Those needs include security solutions that can protect against infrastructure attacks, smart contract code vulnerabilities, and protocol logic errors. Additionally, there is a need for solutions that can help to mitigate the impact of ecosystem attacks, such as real-time threat detection and incident response systems.
With that, let’s explore the growing web3 security stack and core security considerations at each stage of the web3 development lifecycle.
Security in web3
Cybersecurity involves a range of technologies, processes, and policies that are used to protect data, systems, devices, and networks from attack, damage or unauthorized access. In web3, data is stored on the blockchain's immutable ledger, so if an attack is recorded on the blockchain, it usually cannot be reversed. Also, many web3 applications are open-source, which creates an opportunity for malicious actors to analyze the code for vulnerabilities and plan exploits well in advance. Given that context, we can categorize the most common web3 security attack surfaces into four layers: infrastructure, smart contract language, protocol logic, and ecosystem.
Source: Kofi Kufuor, The State of Crypto Security (Oct 2022)
With this framing in mind, let’s take a (non-exhaustive) look at the evolving web3 security stack layer by layer (* denotes Coinbase Ventures portfolio company).
Infrastructure
At the very beginning of the web3 developer lifecycle (i.e., system design), it’s important for developers to identify and prioritize potential security threats. Once developers decide which blockchain protocol to build on, the next step is to decide how their application will securely interact with the underlying blockchain. This is where infrastructure primitives come into play.
Wallet & Private Key Management: Recently, there’s been increasing adoption of cryptographic wallet security solutions like multi-party computation (MPC). MPC wallets help eliminate the risk of storing private keys in one single place. Rather, the private key is broken up into shards, encrypted, and divided among multiple parties. Each party independently computes on the shard it holds, and together the parties produce a signature for authenticating transactions without revealing their shards to the other parties. Companies like Coinbase, Fireblocks and Fordefi offer MPC wallet infrastructure that allows consumers and institutions to transact in DeFi across multiple chains while keeping their assets secure.
Access Management: Access management is a security process that enables developers to regulate which users or wallet accounts can sign and execute transactions. Companies like web3auth* and Moralis* provide developer tooling for authenticating and verifying the identity of a user. Companies like District Labs help developers automate permissions and control who has access to a wallet or smart contract capabilities.
Consumer Security: Consumer security is an emerging primitive consisting of solutions that scan, simulate, analyze, and protect user interactions with web3 applications. Companies like Harpie*, ChainPatrol*, and Blowfish integrate with blockchain wallets to provide “firewall-like” capabilities to detect fraudulent transactions and prevent hacks, scams and theft.
Monitoring & Observability: Monitoring and observability is another emerging primitive consisting of platforms that continuously analyze the health, reliability, and uptime of the underlying infrastructure services powering their web3 applications. Companies like Tenderly*, Metrika*, and Scale3 offer a variety of tools for monitoring the performance of blockchain networks, analyzing user interactions with smart contracts or identifying bad method calls to RPC node infrastructure.
Smart Contract and Protocol Logic
During the development, testing, and deployment phase, developers should make use of existing smart contract standards and evaluate the security assumptions of protocol integrations. It’s also important to create comprehensive documentation of the code and set up test environments with easy-to-run test suites to simulate production behavior. Finally, developers should dedicate time to discovering bugs in their code through internal and external code reviews and consider creating programs that incentivize their user community to improve security on open source codebases. The following primitives help to facilitate these processes and mitigate potential vulnerabilities within the smart contract code or protocol logic.
Security Testing Tools: Security testing tools consist of frameworks and solutions designed to help developers perform blockchain security testing more effectively. For example, Mythril and Slither are static analysis frameworks that detect vulnerabilities in smart contracts written in the Solidity coding language. OpenZeppelin provides reusable, battle-tested smart contract templates so developers don’t have to build security mechanisms from scratch. Companies like Pwned Nomore provide automated bug-hunting engines that automatically search for potential vulnerabilities in a developer’s codebase.
Formal Verification: Formal verification involves a range of technologies and processes that use algorithmic logic to check smart contract properties against specific inputs for the purpose of exploring all possible behaviors of the code. This is an emerging primitive, in which companies like Certora* and Runtime Verification offer services and tooling to developers for proving the security and correctness of smart contracts prior to deploying to production.
Audit Service Providers: Audits are external security assessments of a project codebase, typically requested and paid for by the project team. Audits detect and describe (in a report) security issues with underlying vulnerabilities, potential exploit scenarios, and recommended fixes. Companies like ChainSecurity, Halborn, and Trail of Bits routinely perform audits of smart contracts and protocol upgrades across various blockchain ecosystems. As testing frameworks and security tools mature, we expect audit service providers, like Certik*, to begin externalizing their in-house tools as SaaS applications for self-service consumption.
Bug Bounty Platforms: Bug bounty programs incentivize security researchers to discover and responsibly disclose vulnerabilities in open-source smart contracts and web3 applications. Security researchers typically receive a reward from project teams based on the severity of the vulnerability. Companies like Immunefi and Code4rena provide bug bounty hosting, consultation and program management services to web3 project teams.
Ecosystem
Finally, once a smart contract or protocol is deployed to production (i.e., mainnet), it’s important for developers to implement systems that can monitor those smart contracts and critical operational components for suspicious activity based on known threat models. In the event of any security issues, developers should make use of solutions and processes that enable an immediate response. The following primitives help to facilitate real-time security monitoring, incident forensics and emergency response.
Protocol Risk Management: Protocol risk management solutions offer tooling for automating risk management, optimizing capital efficiency and simulating protocol performance against extreme market conditions. Companies like Chaos Labs* and Gauntlet Network* offer platforms that leverage simulation tools to optimize a protocol’s key parameters to improve capital efficiency while minimizing risk.
Threat Intelligence: Threat intelligence is data that is collected, processed, and analyzed to understand a cybercriminal’s motives, targets, and attack behaviors. For example, Forta Network* and Apostro* aggregate and monitor events and activities happening on smart contracts or blockchain protocols that may indicate potential security threats or vulnerabilities. They then generate alerts based on triaged incidents and potential attack patterns to help developers prevent or minimize loss of funds.
Blockchain Forensics: Blockchain forensics involves processes and technologies for detecting, investigating, containing and remediating cyber security threats impacting blockchain networks or web3 applications. Chainalysis and TRM Labs offer blockchain intelligence and risk management solutions for monitoring, detecting, and investigating cryptocurrency fraud and financial-related crime.
The future of Web3 Security
The infrastructure, smart contract, protocol logic and ecosystem solutions mentioned above make up the growing web3 security stack. Although the framework and layers we highlighted will likely remain unchanged, we continue to see new security primitives emerge and expect the entire stack to evolve in the coming years.
It’s critical for developers and protocol teams to choose solutions and implement robust security measures that best prevent and mitigate security threats. While there’s no silver bullet to eliminating all potential threats in web3, we expect the industry’s security posture to drastically improve over time as these solutions mature, new standards emerge and gain adoption, and project teams increasingly shift towards a security-first culture.
Coinbase Ventures will continue to invest in exceptional founders who share Coinbase’s mission of creating more economic freedom in the world. In the web3 security stack, we want to invest in teams with deep web2 or cryptonative security expertise who are building scalable solutions that ensure the security and integrity of the web3 ecosystem. Specifically, if you’re building developer tools that automate security testing and audit processes, monitoring platforms that enable proactive threat detection and prevention, or tools that enhance identity management and access control mechanisms, we would love to hear from you - JK’s DMs are open!
Disclosures and footnotes
*The following Coinbase Ventures portfolio companies appear in the above landscape: Apostro, Cashmere Finance, Certik, Certora, ChainPatrol, Chaos Labs, Dynamic, Gauntlet, Forta, Gnosis Safe, Harpie, Metrika, MinervaAI, Momentum Safe, Moralis, Tenderly