Cybersecurity is taking center stage as the Web3 ecosystem extends its tentacles and decentralized applications (dApps), blockchain, and smart contracts become mainstream. Widely touted the future of the internet, Web3 is often described as a series of open-source and interconnected decentralized applications powered by blockchain computing architecture.
Blockchain, cryptocurrency, and NFTs (all key Web3 components) will help plug some of today's internet's security, scalability, and privacy gaps. The decentralized and trustlessness nature of Web3 will partly facilitate this, offering users greater transparency and control.
Until then, Web3 players must grapple with new and unique security challenges. If vulnerabilities in decentralized finance (DeFi) platforms, NFT marketplaces, and blockchain-based systems are discounted, they could lead to substantial financial losses and sustained brand damage. According to a blockchain monitoring firm, over US $1.1B of cryptocurrency was lost from Web3 cybersecurity incidents in the first half of 2024 alone.
Unlike large enterprises with significant cybersecurity budgets, most Web3 startups and projects must deploy security controls on their infrastructure with extreme frugality. But not all hope is lost. In the following section, I provide five low-cost cybersecurity strategies that Web3 companies can implement to enhance their cyber resilience while keeping expenses in check.
1. Strong Identity and Access Management
Blockchain, the bedrock of Web3 and its decentralized ecosystem, relies on managing dispersed identities and controlling access to sensitive data and resources. Whether securing private keys, user wallets, or admin interfaces, poorly thought-through identity and access management (IAM) can open doorways for threat actors to exploit and gain unauthorized access to sensitive data and valuable financial assets. Here are three low-budget solutions to nail down your IAM:
- Self-Sovereign Identity (SSI): Implement decentralized IAM solutions, such as ION (Identity Overlay Network), which empower users to control their identities and credentials without relying on centralized authorities. Because users have complete control over whom they choose to share their data, SSIs doubly address security and privacy concerns.
- Multi-Factor Authentication (MFA): Enforce MFA for users and administrators using low-cost or free solutions such as Google Authenticator, Authy, and LastPass. For higher-risk Web3 applications, consider hardware keys like YubiKey, Google Titan security key, and OnlyKey. By generating one-time passwords on a hardware device logically isolated from the internet, hardware tokens are much harder to compromise than soft tokens. According to Microsoft, MFA reduces the risk of unauthorized access by more than 99%.
- Least Privilege Policies: Reduce the attack surface by granting users the minimum access required to conduct their jobs. Additionally, restrict access to superuser accounts, as they can give the attacker deeper access to Web3 applications when compromised.
These simple yet effective solutions fortify the first line of defense, ensuring only authorized users can interact with the system. Each solution can also be accessed cheaply or for free, reducing the cost of cyber security.
2. Smart Contract Auditing and Crowdsource Security Testing
Smart contracts, blockchain-based self-executing programs, are the heartbeat of many Web-3 applications. However, these programs are also susceptible to exploitable flaws, such as well-documented reentrancy attacks and integer overflows. Once threat actors exploit these common vulnerabilities, they can drain funds or debilitate essential services. A case in point is the audacious attack on Beanstalk Farms, where threat actors pocketed a staggering $182 million in one fell swoop. The fast-paced nature that characterizes the Web-3 ecosystem can entice some companies to adopt the deploy-now, patch-later attitude, but the risks far outweigh the benefits. Here are three simple but cost-effective measures to mitigate this risk:
- Automated Smart Contract Auditing Tools: Deploy automated tools like Consensys Diligence Fuzzing, Mythril, Slither, and Echidna to scan smart contracts for vulnerabilities, augmenting manual audits. Any high and critical flaws identified during the audit must be patched before systems are deployed into the production environments, which is classic security by design principle.
- Open-Source Audits and Community Reviews: Leverage the power of open-source communities to review your smart contracts cost-effectively. Platforms like GitHub enable peer reviews and bug reporting. Open-source communities bring a depth and breadth of expertise beyond what Web3 companies could ever build internally, thus increasing the probability of identifying serious flaws before the bad guys do.
Since Web3 is based on decentralized principles, applying the same approach to security makes logical sense. Crowdsourcing security efforts spreads the cost of security audits and bug bounties across a broader network, lowering the cost of security while boosting the quality of your cyber assurance work. Several platforms support this approach, but here are two common ones: Immunifi and Code4rena, which facilitate cost-effective, decentralized smart contract auditing and independent code verification reviews.
- Penetration Testing: Conduct basic penetration testing using open-source frameworks like OWASP ZAP at least every six months to simulate actual attacks, identify weaknesses, and mitigate them.
3. Secure Wallets and Key Management
Wallets are at the core of Web3 architecture, whether for holding user funds, interacting with smart contracts, or handling governance tokens. Cryptography and private keys are also fundamental components of digital wallets. Insecure key management practices can lead to losing control over assets, as private keys are the proverbial keys to the kingdom within the Web3 ecosystem. Hardware wallets and multi-signature solutions are relatively low-cost compared to potential losses from compromised keys. The options below are good starting points to consider.
- Hardware Wallets: Hardware wallets provide secure offline storage for private keys. Users and developers should use hardware wallets such as Ledger or Trezor to manage high-value assets and administrative keys.
- Multi-signature Wallets: Tools like Gnosis Safe and Argent require multiple approvals for any transaction, reducing the risk of a single compromised key resulting in asset loss.
- Threshold Cryptography: Tools like Shamir’s Secret Sharing use cryptographic techniques to split keys among multiple parties, preventing single entities from completely controlling private keys.
4. Blockchain Analytics and Monitoring Tools
Real-time monitoring and analytics can help Web3 companies detect suspicious activities and minimize downstream impacts to their systems and customers. For Web3 applications, monitoring on-chain transactions and wallet activity is crucial for identifying abnormal patterns that might indicate a breach or exploit. There are two ways to achieve this:
- Transaction Monitoring: Set up automated alerts to report critical transactions, large withdrawals, or unusual activity to detect and prevent fraud. Automated reporting, augmented by human monitoring, can also help Web3 companies comply with the punitive anti-money laundering (AML) and counter-terrorism financing (CTF) requirements.
- Open-Source Monitoring: Leverage open-source blockchain monitoring tools to track decentralized finance (DeFi) activity and alert project owners about potential attacks.
Improve Cyber Resilience Without Breaking the Bank
By adopting these four low-cost strategies—strong identity and access management, smart contract auditing, secure key management, and blockchain analytics — Web3 companies can significantly improve their cyber resilience without breaking the bank. After all, cyber risk management is about striking the right balance between business opportunities and risk.
