Anna Collard, SVP Content Strategy and Evangelist, KnowBe4 Africa
In its simplest form, Web3 stands for a new and more egalitarian version of the internet – one that is built on blockchain-based infrastructure and where cryptocurrencies, tokens and NFTs are built into the platforms maintained by the nodes of a peer-to-peer network. A more complicated way to think about Web3 is an internet that is decentralised and owned by the users, instead of controlled by a few companies. Critics say this is technically not possible to achieve and also not necessarily in the interest of the mainstream users. Centralisation happens organically in all eco-systems and for good reasons: to simplify, to improve efficiency, to bring down costs, to connect or to provide a level of control. And let’s face it, not every person will be keen on writing their own code, distributed apps (dApps) or hosting their own nodes.
A key component in the growth of Web3 has been DeFi or decentralised finance, which is Web3’s version of a more transparent financial system. It provides financial instruments such as decentralised exchanges, payments, investing, lending, borrowing and staking solutions.
The innovation in Web3 and Defi offer great opportunities to both new and traditional financial institutions alike, however, they also bring with it a number of cyber risks and scams.
For consumers, there is the risk of falling for typical social engineering attacks such as phishing and fake investment scams. There is also specific malware that is written to target people who play in this space. For example, the Clipper malware targets cryptocurrency wallet addresses during a transaction. A wallet address is like the cryptocurrency version of a bank account number. And when the affected user applies copy paste, Clipper replaces this address with the address of the attacker.
Another major risk to consider is that distributed apps and smart contracts are code that is written by people and people make mistakes, resulting in software vulnerabilities.
According to a report from Immunefi, in the first quarter of this year alone, the total loss due to DeFi hacks has come to $1.2 billion. The attack against the Axie Infinity Ronin bridge, which resulted in a loss of $600 million, made up a big chunk of that.
One major problem with DeFi is that many of the new protocols being launched have code vulnerabilities that hackers are able to exploit. According to Chainalysis’, twenty-one percent of all hacks in 2021 took advantage of these code exploits. And according to Global Financial Stability Report by the IMF, in most cases, more than 30 percent of the deposit of the platform was lost or withdrawn after a cyber attack. Cyber attacks not only steal assets but also undermine the reputation of a platform, often triggering withdrawals by investors, as they fear not being able to redeem their deposits.
There are also business logic loopholes such as in the case with the $182 million flash loan attack against Beanstalk, which is a credit-based stable coin protocol project based on Ethereum in April this year.
Flash loans work through liquidity protocols, which allow users to borrow and settle large amounts of virtual funds instantaneously in a single transaction without providing any collateral. Smart contracts enforce the terms of these loans, and the entire process of borrowing and repaying the loan happens almost instantly.
The attacker took out a flash loan from a liquidity protocol and then used these funds to obtain voting rights in the Beanstalk DAO – voting powers were based on the amount of tokens held – change one of the emergency governance mechanisms and through that was able to siphon funds into this his or her wallet. After that, the attacker repaid the flash loan and kept the rest of the stolen funds.
The opportunities for fraud, direct access to money and non-retaliation makes this space so attractive to cybercriminals. This explains why syndicates such as the notorious Conti ransomware-as-a-service group want in on the action. Evidence from the ContiLeaks earlier this year showed that “Stern”, one of the alleged leaders of the Conti gang requested his team to research different crypto schemes. He went as far as sponsoring $100,000 for a writing competition in the crypto space to identify local talent.
Organisations that are interested in getting involved need to assess what could be at stake, where vulnerabilities are, make sure that developers are adequately trained as well as smart contracts audited in depth before going live with any projects.
The rapid changing pace of the ecosystem makes it also challenging from a regulative point of view. More cooperation between stakeholders from the protocols, security practitioners and regulators is needed to solve these challenges, legitimise Web3 and DeFi and to help make it a safer space for both platforms, individual and institutional investors as well as consumers alike.