
Adopting Web3 Standards

By BNB Chain DappBay on Jun 7, 2023

Since the accelerated development of the web3 industry in 2017, a staggering $10 billion has been stolen, with $7.1 billion of it occurring in 2021 and 2022 combined [1]. Centralized exchanges, smart contracts, decentralized exchanges, bridges, hot wallets, hardware wallets, and layer 2 solutions: every building block of the web3 ecosystem has suffered at least one hacking incident since the industry's inception. The "Crypto Asset Catalog of Attack" report [2] gives readers valuable insight into the architectural design of the ecosystem's various components and how they interact with one another, and it highlights notable hacks targeting each component. In short, every element of the web3 ecosystem is exposed to risk, with significant implications for both users and projects. In this article, we discuss the significance of standards and the best practices that both users and projects can adopt to keep their funds secure.

Figure 1 - Vulnerable components in Web3 Architecture Diagram [1]

 

[1] Chainalysis - 2022 Crypto Crime Report - https://go.chainalysis.com/2022-Crypto-Crime-Report.html
[2] Campus Cyber - Catalogue of Attacks on Crypto Assets (online, English) - https://campuscyber.fr/resources/catalogue-dattaques-sur-les-crypto-actifs/

 

The industry has been working diligently to address and mitigate security risks across the vulnerable components of the ecosystem. To ensure the robustness of smart contracts, projects can use risk assessment APIs based on technical and on-chain analysis; decentralized applications can rely on monitoring and alerting tools to detect malicious transactions, and on automated incident response frameworks to handle incidents efficiently and promptly. To address the risks associated with wallets, various wallet types have been developed to remove the single point of failure inherent in a private key.
 

Monitoring and alerting tools play an essential role in helping users and projects detect hacks as early as possible. For example, within the BNB Chain ecosystem, early detection of a hack can lead to confirmation of the malicious activity and the subsequent blacklisting of the hacker's address. The stolen funds then remain locked permanently, which discourages hackers from targeting the ecosystem.
 

However, is that sufficient? How can best practices and standards contribute to enhancing the situation?

Considering the growth and evolution of the industry, it is evident that we are moving in a positive direction. The accelerated expansion between 2020 and 2021, continuing into 2022, demonstrates progress. However, the $3.8 billion in losses shows that security challenges remain, some of which could have been prevented had projects followed best practices and standards.

 

As in the traditional IT industry, standards have been developed to create a consistent framework of best practices and guidelines, with the goal of improving efficiency and interoperability while also ensuring that certain solutions are implemented securely.

 

From a security perspective, standards serve to:

1. Ensure safety and reliability: By providing consistent guidelines, standards help ensure the safety of products, services, and processes, reducing potential risks and failures.

2. Enhance consumer satisfaction and protection: Standards set benchmarks for quality and performance, ensuring that customers receive reliable products and services. This increases customer confidence and ultimately helps protect the consumer.
 

The ecosystem has been focusing on developing and implementing rigorously tested and proven solutions. Initiatives like Ethereum Request for Comments (ERC) and Binance Improvement Propositions (BIP) help create standardized approaches to common challenges. They reflect the commitment of industry professionals who have meticulously designed and established comprehensive solutions for foundational patterns and use cases, such as the utility token standard (ERC20) and Non-Fungible Tokens (ERC721). Beyond security, these solutions also guarantee that your application is compatible with others that use the same patterns.
 

Innovation is indeed essential for the industry's growth and development, but it's crucial to understand the risks associated with introducing new solutions. It is advisable to use existing secure, audited, and battle-tested standards whenever possible.
 

Risk associated with innovation
Despite the well-established ERC20 standard, the BEC token project in 2018 opted to add a new feature to its token: the "BatchTransfer" function. This feature allowed users to send tokens to multiple recipients at once, potentially reducing transaction fees. However, the implementation contained a critical flaw, an integer overflow, that enabled the attacker to exploit the token contract and mint 10^58 tokens (1 followed by 58 zeros), then dump them on the market, which severely affected the token's price and put the project at risk.
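To make the flaw concrete, here is an added example (written for this article, not code from the BEC project) that models the batch-transfer pattern in Python. Python integers never overflow, so a small `u256` helper emulates the EVM's 256-bit wraparound that pre-0.8 Solidity had by default; the function names, balances and amounts are constructed for illustration, and the hardened variant shows the overflow check that a SafeMath-style multiply (or Solidity 0.8's built-in checked arithmetic) performs.

```python
# Added example (not part of the original article): a Python model of the
# BEC-style batchTransfer overflow. Python ints are unbounded, so `u256`
# emulates the EVM's 256-bit wraparound that pre-0.8 Solidity had by default.
# Function names, balances and amounts below are all constructed.

UINT256_MAX = 2**256 - 1
MODULUS = 2**256


def u256(x):
    """Emulate uint256 wraparound: results outside [0, 2**256) wrap modulo 2**256."""
    return x % MODULUS


def batch_transfer_unchecked(balances, sender, receivers, value):
    """The flawed pattern.

    `amount = cnt * value` is computed with wrapping arithmetic, so a large
    `value` can make `amount` wrap to a tiny number that passes the sender's
    balance check, while every receiver is still credited the full `value`.
    Returns True when the transfer is accepted.
    """
    cnt = len(receivers)
    amount = u256(cnt * value)                      # wraps silently
    if not (0 < cnt <= 20):
        return False
    if not (value > 0 and balances.get(sender, 0) >= amount):
        return False
    balances[sender] = u256(balances.get(sender, 0) - amount)
    for r in receivers:
        balances[r] = u256(balances.get(r, 0) + value)
    return True


def batch_transfer_checked(balances, sender, receivers, value):
    """Hardened form: refuse any multiplication that would exceed uint256.

    This is what a SafeMath-style `mul` did, and what Solidity >= 0.8 does by
    reverting on overflow.
    """
    cnt = len(receivers)
    if not (0 < cnt <= 20) or value <= 0:
        return False
    if value > UINT256_MAX // cnt:                  # cnt * value would overflow
        return False
    amount = cnt * value
    if balances.get(sender, 0) < amount:
        return False
    balances[sender] = balances.get(sender, 0) - amount
    for r in receivers:
        balances[r] = balances.get(r, 0) + value
    return True


def run_scenario(transfer_fn, value):
    """Run one batch transfer from a sender with zero balance to two receivers.

    Returns (accepted, total_tokens_created) so a test or audit script can
    compare the two implementations on the same input.
    """
    balances = {"sender": 0}
    accepted = transfer_fn(balances, "sender", ["recv_a", "recv_b"], value)
    created = sum(balances.values())
    return accepted, created


if __name__ == "__main__":
    overflow_value = 2**255                          # 2 * 2**255 == 2**256 wraps to 0
    print("unchecked:", run_scenario(batch_transfer_unchecked, overflow_value))
    print("checked:  ", run_scenario(batch_transfer_checked, overflow_value))
```

The point for an auditor is that the balance check itself is correct; it is the unchecked multiplication feeding it that is wrong. A test suite that exercises boundary values such as `2**255` against every arithmetic path (or simply compiling with checked arithmetic) catches this class of bug before release.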
 

In conclusion, while innovation is essential, developers must thoughtfully assess the risks and balance the advantages of incorporating new features against employing proven, tested industry standards.
 

Best Practices and Standards

In this section, we will explore some of the best practices recommended for end users to protect themselves, as well as standards being proposed in the BNB Chain ecosystem for web3 projects to secure both their project and user funds.
 

Best Practices for Users 

Users are targeted by a multitude of threats: phishing attacks, social engineering attacks, malicious websites, and scam projects. Therefore, it's crucial for users entering the web3 space to understand the basics of security to protect themselves.

Figure 2 - Crypto User

 

1. Safely store your seed phrases or keys

To securely store your seed phrases, you can either use a reliable hardware wallet or, if you are more technically inclined, encrypt the seed phrase with a strong password and save it on a USB drive or hard drive dedicated to this purpose.


2. Utilize Multiple Wallets

It's essential to create and use multiple wallets – one for holding your investments and another for daily activities. You can top up the latter as needed for interacting with projects, decentralized applications, and more. In case of any mishaps, this approach ensures you don't lose all your funds.


3. Prefer Smart Contract or MPC Wallets.

If you are aware that a decentralized application has safely integrated Smart Contract Wallets, prioritize using this type of wallet, as it offers enhanced security.


4. Check for scams before using a decentralized application for the first time

When using a Decentralized Application for the first time, be cautious of scams. Verify the website address with crypto scam databases like Cryptoscamdb and look for key performance indicators that suggest a supportive community is behind the project.


5. Ice-Phishing 

Always review the transaction details before signing. Refrain from signing transactions whose contents your wallet cannot display accurately.


6. Revoke your approvals regularly

When granting approvals to decentralized applications for managing specific tokens, remember to revoke their access afterward. If a smart contract with approval gets compromised, attackers could manage your tokens without further consent. Utilize tools like BSC Allowance Checker or Etherscan Revoke to manage these permissions.
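To show what an allowance checker actually computes, here is an added example (not code from the tools named above) that replays a constructed set of ERC20 `Approval(owner, spender, value)` events and reports the allowances worth revoking. All addresses and block numbers are constructed placeholders; the `UNLIMITED` constant is the 2^256-1 value that "infinite approval" prompts request.

```python
# Added example (not part of the original article): a small allowance
# auditor. It replays ERC20 Approval(owner, spender, value) events, keeps the
# latest value per (token, spender) pair, and flags the ones worth revoking.
# The event records and all addresses below are constructed placeholders.

UNLIMITED = 2**256 - 1          # the "infinite approval" value many dApps request

SAMPLE_EVENTS = [  # constructed Approval events, not real chain data
    {"block": 100, "token": "0xtokenA", "owner": "0xuser",  "spender": "0xrouter",    "value": UNLIMITED},
    {"block": 120, "token": "0xtokenB", "owner": "0xuser",  "spender": "0xfarm",      "value": 500 * 10**18},
    {"block": 130, "token": "0xtokenB", "owner": "0xuser",  "spender": "0xfarm",      "value": 0},   # revoked
    {"block": 140, "token": "0xtokenA", "owner": "0xuser",  "spender": "0xnftmarket", "value": 10 * 10**18},
    {"block": 150, "token": "0xtokenC", "owner": "0xother", "spender": "0xrouter",    "value": UNLIMITED},
]


def outstanding_allowances(events, owner):
    """Latest non-zero allowance per (token, spender) for `owner`.

    Approval events overwrite rather than accumulate, so only the most recent
    event for a pair matters; a value of 0 means the allowance was revoked.
    """
    latest = {}
    for ev in sorted(events, key=lambda e: e["block"]):
        if ev["owner"].lower() != owner.lower():
            continue
        latest[(ev["token"].lower(), ev["spender"].lower())] = ev
    return {pair: ev for pair, ev in latest.items() if ev["value"] > 0}


def revoke_candidates(events, owner, current_block, max_age_blocks, trusted_spenders=()):
    """Return findings for allowances that should be reviewed.

    Flags: unlimited approvals, and approvals older than `max_age_blocks`
    (a stale approval to a contract you no longer use is pure downside).
    Spenders in `trusted_spenders` are exempt from the "unlimited" flag.
    """
    trusted = {s.lower() for s in trusted_spenders}
    findings = []
    for (token, spender), ev in outstanding_allowances(events, owner).items():
        reasons = []
        if ev["value"] == UNLIMITED and spender not in trusted:
            reasons.append("unlimited")
        if current_block - ev["block"] > max_age_blocks:
            reasons.append("stale")
        if reasons:
            findings.append({"token": token, "spender": spender, "reasons": reasons})
    return sorted(findings, key=lambda f: (f["token"], f["spender"]))


if __name__ == "__main__":
    for finding in revoke_candidates(SAMPLE_EVENTS, "0xuser", current_block=1000, max_age_blocks=500):
        print(finding)
```

On a real chain the events come from the token contracts' `Approval` logs filtered by your address as `owner`; the replay logic is the same. Revoking means sending a new `approve(spender, 0)` for each flagged pair.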


7. Verify copied addresses before sending funds

Always verify addresses before sending a transaction, as malware that alters copied values has been widely used to target crypto users. This type of attack replaces the intended recipient's address with one controlled by the attacker.
 

In another scenario, you might be targeted by address poisoning, where a malicious actor sends a 0 BNB transaction to add a deceptive address to your transaction history.
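The two attacks just described share one defensive check: confirm the destination before signing. Here is an added example (not from the original article) of what such a pre-send check can look like in Python. The wallet address, the address book and the transaction history are all constructed; the look-alike address shares the first and last four hex digits with a real contact, which is exactly what a wallet UI that abbreviates addresses would show.

```python
# Added example (not part of the original article): pre-send address checks
# against clipboard substitution and address poisoning. The addresses, the
# address book and the history below are constructed for illustration.

MY_ADDRESS = "0x" + "a" * 40                              # constructed
LEGIT      = "0x1234abcd" + "0" * 24 + "ef567890"          # constructed: a contact I pay often
POISONED   = "0x1234abcd" + "f" * 24 + "ef567890"          # constructed: same head and tail, different middle
OTHER      = "0x" + "9" * 40                               # constructed

ADDRESS_BOOK = {"exchange-deposit": LEGIT}                 # constructed

HISTORY = [  # constructed transaction history of MY_ADDRESS, oldest first
    {"from": MY_ADDRESS, "to": LEGIT,      "value": 1.5},  # my real withdrawal
    {"from": POISONED,   "to": MY_ADDRESS, "value": 0.0},  # 0 BNB transfer from a look-alike
    {"from": OTHER,      "to": MY_ADDRESS, "value": 2.0},  # ordinary incoming payment
]

HEX_DIGITS = set("0123456789abcdef")


def is_hex_address(addr):
    """Basic shape check: 0x followed by 40 hex digits (no EIP-55 checksum here)."""
    return len(addr) == 42 and addr[:2] == "0x" and set(addr[2:].lower()) <= HEX_DIGITS


def lookalikes(candidate, address_book, head=4, tail=4):
    """Labels of known addresses that share the first `head` and last `tail`
    hex digits with `candidate` but are not the same address."""
    c = candidate.lower()
    hits = []
    for label, known in address_book.items():
        k = known.lower()
        if k != c and k[2:2 + head] == c[2:2 + head] and k[-tail:] == c[-tail:]:
            hits.append(label)
    return hits


def zero_value_only_senders(history, my_address):
    """Addresses that appear in my history solely as senders of zero-value
    transfers to me: the fingerprint of address poisoning."""
    me = my_address.lower()
    zero_only = {}
    for tx in history:
        frm, to = tx["from"].lower(), tx["to"].lower()
        if to == me and tx["value"] == 0:
            zero_only.setdefault(frm, True)      # keep False if seen in a real tx before
        else:
            for a in (frm, to):
                if a != me:
                    zero_only[a] = False
    return {a for a, flag in zero_only.items() if flag}


def check_before_send(candidate, address_book, history, my_address):
    """Return a list of warnings; an empty list means no red flag was found."""
    if not is_hex_address(candidate):
        return ["not a well-formed 0x address"]
    warnings = []
    c = candidate.lower()
    known = {a.lower() for a in address_book.values()}
    if c not in known:
        warnings.append("address is not in your address book")
    for label in lookalikes(candidate, address_book):
        warnings.append(f"looks like saved contact '{label}' but differs in the middle")
    if c in zero_value_only_senders(history, my_address):
        warnings.append("only known from a zero-value incoming transfer (possible poisoning)")
    return warnings


if __name__ == "__main__":
    print(check_before_send(LEGIT, ADDRESS_BOOK, HISTORY, MY_ADDRESS))
    print(check_before_send(POISONED, ADDRESS_BOOK, HISTORY, MY_ADDRESS))
```

The practical lesson is that copying a recipient out of your own transaction history is not a verification step; only an address book you populated deliberately (or a fresh address obtained from the recipient over a trusted channel) is.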

 

Standards for Projects

Projects must prioritize implementing best practices for both user safety and their own success. In the following, we will outline some of the top practices and standards currently promoted within the BNB Chain Ecosystem.


Figure 3 - Web3 Project Teams
 

Audits and Bounty Programs

Projects are advised to undergo three separate audits from different companies prior to significant releases. Auditing firms have the expertise to identify complex vulnerabilities, including sophisticated business flows or systemic risks affected by market conditions, which can be difficult for developers to test or conventional scanning and fuzzing tools to detect. Additionally, projects should participate in bug bounty programs, such as Immunefi.
 

Security by design

Projects should emphasize proactively identifying vulnerabilities by moving security to early stages in the project. Utilize vulnerability scanning tools and develop an extensive collection of test cases to detect issues as early as possible. Encourage peer reviews and continuous training on recent vulnerabilities to improve security measures.
 

Smart Contract Access Control 

For smart contracts, it is crucial to properly manage privileged roles such as owner, operator, and governor. These roles often have access to sensitive functionality, including pausing the contract, retrieving tokens, and upgrading the contract. Typically, these roles must be assigned to an address; in that case it is recommended to use a smart contract wallet to avoid a single point of failure, so that the compromise of one private key does not give an attacker access to the privileged functions. This significantly reduces the risk, as illustrated by the Ankr hack.

 

Oracle in DeFi

For DeFi projects, ensure the use of a secure oracle for asset price calculation, or a secure mechanism for calculating the asset price such as a Time-Weighted Average Price (TWAP).
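The following is an added example (not code from the original article or from any particular oracle) that computes a cumulative-price TWAP in the style of a Uniswap V2 pair over a constructed price series, to show why a spot price that is pushed for a single block barely moves a TWAP taken over a long window. The block time, the base price and the one-block spike are constructed parameters.

```python
# Added example (not part of the original article): a cumulative-price TWAP
# over a constructed spot-price series. Block time, prices and the spike are
# constructed values chosen for illustration.

from fractions import Fraction


def build_observations(block_time=3, n_blocks=200, base=100, spike_at=300, spike=1000):
    """Constructed spot prices, one per block: `base` everywhere except the
    block starting at `spike_at` seconds, where the spot price is `spike`."""
    return [(t, spike if t == spike_at else base)
            for t in range(0, block_time * n_blocks + 1, block_time)]


def price_cumulative(observations):
    """priceCumulative as a V2-style pair tracks it: at each timestamp, the
    sum of (spot price * seconds that price was in force) so far."""
    total = Fraction(0)
    cum = {observations[0][0]: total}
    for (t0, p0), (t1, _) in zip(observations, observations[1:]):
        total += Fraction(p0) * (t1 - t0)
        cum[t1] = total
    return cum


def spot_price(observations, t):
    """Spot price in force at timestamp `t` (must be an observation time)."""
    return dict(observations)[t]


def twap(observations, t_start, t_end):
    """Time-weighted average price over [t_start, t_end):
    (cumulative(t_end) - cumulative(t_start)) / (t_end - t_start)."""
    cum = price_cumulative(observations)
    return (cum[t_end] - cum[t_start]) / (t_end - t_start)


if __name__ == "__main__":
    obs = build_observations()
    print("spot during the manipulated block:", spot_price(obs, 300))
    print("TWAP over the 6 s around it      :", float(twap(obs, 297, 303)))
    print("TWAP over the full 10 min window :", float(twap(obs, 0, 600)))
```

With these constructed numbers the spot price reads 1000 during the manipulated block, a TWAP over only the six seconds around it reads 550, and the TWAP over the full ten-minute window reads 104.5. The window length is therefore a security parameter: too short and the TWAP inherits the spot price's manipulability, too long and it lags real price moves, so pick it against the cost of sustaining a manipulated price for that many blocks.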
 

Tokenomics and Business

To limit business impact from market risks, it is essential to maintain a token with strong liquidity and transaction volume, which safeguards against price manipulation, as seen in incidents like Mango Markets.
 

Web3 Security Framework Collaboration

Together with security service providers, AvengerDAO has compiled comprehensive checklists of Web3 security practices tailored to web3 projects. Please refer to the AvengerDAO Web3 Security Framework at the link below for more information:

https://github.com/bnb-chain/avengerdao/tree/main/Web3%20Security%20Frameworks 

If you would like to collaborate on this initiative, you are welcome to contribute.

 

Authored by AvengerDAO.
