Web3 Security — The Hidden Hundred Billion Dollar Market

Intermediate · Apr 23, 2024
This article delves into the security challenges faced by the current market, exploring the security risks accompanying the rapid growth of Web3 users. By analyzing security solutions proposed by companies like Goplus, we further understand how to support the widespread application of Web3 from aspects of compliance and security.

Author’s Note ✍🏻

Once, the Greeks built a wooden horse and offered it to the city of Troy. The people of the city saw it as a symbol of peace, unaware of the threat hidden within.

With the successful launch of Bitcoin ETF, more and more new users and funds are pouring back into Web3, and the heating market seems to indicate that the future of Web3 towards widespread application is one step closer. However, the lack of policies and security vulnerabilities remain the main obstacles to the widespread adoption of cryptocurrencies.

In the crypto world, hackers can profit directly from exploiting on-chain vulnerabilities, sometimes earning millions or even billions of dollars, and the anonymity of cryptocurrencies makes it easier for them to evade capture. By the end of 2023, the total value locked (TVL) across all decentralized finance (DeFi) protocols was about $4 billion (currently $10 billion), while in 2022 alone the value of tokens stolen from DeFi protocols reached $310 million, roughly 7% of that figure. This number illustrates the severity of security issues in the Web3 industry: a sword of Damocles hanging over our heads.

It’s not just the on-chain environment; security issues at the Web3 user end are also significant. According to data from Scam Sniffer, in 2023, 324,000 users had their assets stolen due to phishing attacks, with a total stolen amount of $295 million. Both in terms of scope and amount, the impact is severe. But from the perspective of users, security incidents themselves have a lag — users often find it difficult to fully realize the seriousness of potential risks before accidents occur. Therefore, people often fall into the “survivorship bias,” overlooking the importance of security.

This article delves into the pressing security challenges facing today’s market, particularly in light of the rapid growth of Web3 users. By dissecting the security solutions proposed by companies like Goplus, we gain a deeper understanding of how to bolster the widespread adoption of Web3 through compliance and enhanced security measures. We argue that Web3 security represents a vast, yet untapped market worth billions, and as the Web3 user base continues to expand, the demand for user-centric security services is poised for exponential growth.

Early Insights:

  1. Unveiling Threats in Web3 Security: Exploring a Lucrative Market
     1.1 Safeguarding Assets
     1.2 Ensuring Behavioral Security
     1.3 Enhancing Protocol Security
  2. Analyzing the Web3 Security Landscape
  3. Next-Gen Security Solutions: Safeguarding the Future of Web3
  4. Conclusion

At about 5,400 words, this article takes approximately 12 minutes to read.

Unveiling Threats in Web3 Security: Exploring a Lucrative Market

Presently, Web3 security products predominantly fall into three categories: ToB (business), ToC (consumer), and ToD (developer). ToB solutions primarily focus on product security audits, conducting penetration tests and providing audit reports to fortify product defenses. ToC solutions, on the other hand, aim to safeguard users' security environments by capturing and analyzing real-time threat intelligence and delivering detection services through APIs. ToD tools cater to Web3 developers, offering automated security audit tools and services.

Security auditing is a necessary static security measure. Almost every Web3 product undergoes security audits, and the audit reports are made public. Security audits not only allow the community to verify the security of protocols for a second time but also serve as one of the foundations for users to trust products.

However, security audits are not omnipotent. Given the market trends and the current narrative, we foresee that challenges to user security environments will continue to rise, mainly manifested in the following aspects:

Safeguarding Assets:

Each market cycle ushers in the issuance of new kinds of assets. With the rise of ERC-404 and other hybrid FT/NFT tokens, the way on-chain assets are issued continues to evolve, posing escalating challenges to asset security. The complexity introduced by mapping and integrating different asset types through smart contracts expands the attack surface. For instance, attackers can disrupt asset transfers by abusing a token's callback or tax mechanisms, potentially causing a denial of service for every holder. Traditional security audits struggle to keep up with these moving targets, which is why real-time monitoring, warnings, and dynamic interception are needed alongside them.

Ensuring Behavioral Security:

Statistics from CSIA reveal that 90% of network attacks originate from phishing attempts. This trend holds in the realm of Web3, where attackers target users’ private keys or on-chain funds through phishing links or scam messages on platforms like Discord, X, and Telegram.

On-chain interactions have a steep learning curve and are often counterintuitive. Even an off-chain signature, which costs no gas and moves nothing by itself, can result in losses of millions of dollars. Do we actually know what we are authorizing when we click "sign"? On January 22, 2024, a cryptocurrency user fell victim to a phishing attack by signing a Permit message with incorrect parameters. With that signature in hand, the hacker used the authorized wallet address to transfer $4.2 million worth of tokens from the user's account.
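The Permit incident above comes down to parameters the user never read. The following is an added example, not code from the article or from GoPlus: a wallet-side review of an EIP-2612 Permit typed-data request that inspects the fields that decide who can move the tokens (spender, value, deadline, owner, chain) before the signature is produced. Field names follow the EIP-712/EIP-2612 Permit layout; the addresses, the known-spender list and the timestamp are constructed placeholders.

```python
"""Pre-signing review of an EIP-2612 Permit request (added example, not the article's code)."""
import time
from typing import List, Optional, Set, Tuple

MAX_UINT256 = 2**256 - 1
ONE_YEAR = 365 * 24 * 3600

Finding = Tuple[str, str, str]  # (severity, code, detail)


def review_permit(typed_data: dict, connected_account: str, expected_chain_id: int,
                  known_spenders: Set[str], now: Optional[int] = None) -> List[Finding]:
    """Return findings for a Permit signing request; an empty list means nothing was flagged.

    'high' findings should stop one-click signing, 'medium' should show a warning,
    'info' is advisory only.
    """
    now = int(time.time()) if now is None else now
    findings: List[Finding] = []

    if typed_data.get("primaryType") != "Permit":
        return [("info", "not_permit", "not an EIP-2612 Permit; route to a generic typed-data review")]

    domain = typed_data.get("domain", {})
    msg = typed_data.get("message", {})

    # 1. The domain must name the chain the user believes they are on; a mismatch means
    #    the signature is meant for (and replayable on) a different network.
    chain_id = int(domain.get("chainId", -1))
    if chain_id != expected_chain_id:
        findings.append(("high", "chain_mismatch",
                         f"domain chainId {chain_id} differs from active chain {expected_chain_id}"))

    # 2. The owner must be the connected account, otherwise the request is not for this user at all.
    owner = str(msg.get("owner", "")).lower()
    if owner != connected_account.lower():
        findings.append(("high", "owner_mismatch", f"owner {owner} is not the connected account"))

    # 3. The spender is the address that will be able to move the tokens: it should be a
    #    contract the wallet (or the user) recognises, not an arbitrary address.
    spender = str(msg.get("spender", "")).lower()
    if spender not in {s.lower() for s in known_spenders}:
        findings.append(("high", "unknown_spender", f"spender {spender} is not a known contract"))

    # 4. An unlimited allowance hands over every token, now and in the future.
    value = int(msg.get("value", 0))
    if value == MAX_UINT256:
        findings.append(("high", "unlimited_value", "value is 2**256-1 (unlimited allowance)"))

    # 5. A far-future deadline lets the signature be redeemed whenever the holder chooses;
    #    an already-expired one cannot be used at all.
    deadline = int(msg.get("deadline", 0))
    if deadline == MAX_UINT256 or deadline - now > ONE_YEAR:
        findings.append(("medium", "long_deadline", f"deadline {deadline} is more than a year away"))
    elif deadline < now:
        findings.append(("info", "expired_deadline", f"deadline {deadline} has already passed"))

    return findings


def decide(findings: List[Finding]) -> str:
    """Collapse findings into the action a wallet UI would take."""
    severities = {f[0] for f in findings}
    if "high" in severities:
        return "block"
    if "medium" in severities:
        return "warn"
    return "allow"


# Constructed sample data (placeholder addresses, not real accounts).
USER = "0x1111111111111111111111111111111111111111"
KNOWN_ROUTER = "0x2222222222222222222222222222222222222222"
UNKNOWN = "0x3333333333333333333333333333333333333333"
TOKEN = "0x4444444444444444444444444444444444444444"
NOW = 1_705_881_600  # 2024-01-22T00:00:00Z, constructed reference time

# Shape of a phishing request: unlimited value, unrecognised spender, never-expiring deadline.
PHISHING_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "Example Token", "version": "1", "chainId": 1, "verifyingContract": TOKEN},
    "message": {"owner": USER, "spender": UNKNOWN, "value": MAX_UINT256,
                "nonce": 7, "deadline": MAX_UINT256},
}

# Shape of a legitimate request: bounded amount, known router, 30-minute deadline.
BENIGN_PERMIT = {
    "primaryType": "Permit",
    "domain": {"name": "Example Token", "version": "1", "chainId": 1, "verifyingContract": TOKEN},
    "message": {"owner": USER, "spender": KNOWN_ROUTER, "value": 1_000 * 10**18,
                "nonce": 7, "deadline": NOW + 1_800},
}

if __name__ == "__main__":
    for label, req in (("phishing", PHISHING_PERMIT), ("benign", BENIGN_PERMIT)):
        found = review_permit(req, USER, 1, {KNOWN_ROUTER}, now=NOW)
        print(label, decide(found), [code for _, code, _ in found])
```

The point of the check is that a signature request carries all of these values in plain structured form; the failure is that wallets show them as raw hex and users click through. A known-spender list is a policy decision (a wallet might populate it from a service such as the Approval Contract API discussed later in this article), so the function takes it as a parameter rather than hard-coding it.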

Weaknesses in the user-side security environment can also lead to asset loss. For example, when a user imports a private key into an Android-based wallet app, the key often remains in the phone's clipboard after being copied. Malicious software opened later can read the clipboard and use the key to transfer assets out of the wallet, either immediately or after a delay.

As more and more new users enter Web3, security issues in the user-side environment will become a significant concern.

Enhancing Protocol Security:

Reentrancy attacks remain one of the biggest challenges to protocol security. Despite the adoption of numerous risk control strategies, such attacks still occur frequently. For example, last July Curve suffered a severe reentrancy attack caused by a flaw in the compiler of its contract language, Vyper, resulting in losses of up to $60 million and raising widespread doubts about the security of DeFi.

Although there are many "white-box" solutions for checking contract source code logic, events like the Curve hack reveal a significant issue: even if the contract source code is flawless, compiler issues can make the deployed bytecode behave differently from the intended design. Taking a contract from source code to deployed runtime involves several steps, each of which can introduce unexpected problems, and the source code itself may not cover every possible scenario. Relying solely on the security of the source code and the compiler is therefore far from sufficient; vulnerabilities may still appear through the compiler.

Runtime protection will therefore become necessary. Unlike existing risk control measures, which focus on the protocol source code and take effect before deployment, runtime protection has protocol developers write rules and response actions that handle unforeseen situations while the protocol is executing. This allows the result of each execution to be assessed and acted on in real time.

According to the predictions of Bitwise, a cryptocurrency asset management company, the total value of cryptocurrency assets will reach $16 trillion by 2030. If we analyze this quantitatively as a security cost risk assessment: an on-chain security incident typically results in near-total loss of the affected assets, so the exposure factor (EF) can be set to 1, giving a single loss expectancy (SLE) of $16 trillion. With an annualized rate of occurrence (ARO) of 1%, the annualized loss expectancy (ALE) is $160 billion, which is the upper bound on the cost that can be justified for securing cryptocurrency assets.

Given the severity, frequency, and high-speed growth of the market scale of cryptocurrency security incidents, we can foresee that Web3 security will be a hundred billion dollar market, growing rapidly with the expansion of the Web3 market and user base. Furthermore, considering the massive growth of individual users and the increasing concern for asset security, we can anticipate a geometric growth in the demand for Web3 security services and products in the C-side market, representing a blue ocean market that is yet to be fully explored.

Analyzing the Web3 Security Landscape

With the continuous emergence of security issues in Web3, there’s a noticeable increase in demand for advanced tools that can protect digital assets, verify NFT authenticity, monitor decentralized applications, and ensure compliance with anti-money laundering regulations. Statistics indicate that the primary sources of security threats facing Web3 currently include:

  • Protocol-targeted hacker attacks
  • User-targeted scams, phishing, and private key theft
  • Security attacks targeting the blockchain itself

To address these risks, companies in the current market primarily focus on offering services and tools in two main tracks: ToB testing and auditing (Pre-Chain) and ToC monitoring (On-Chain). Compared to ToC, players in the ToB track have been in the market for longer and continue to see new entrants. However, as the Web3 market environment becomes more complex, ToB audits are gradually struggling to cope with various security threats, highlighting the increasing importance of ToC monitoring and thus driving its demand.

  • ToB:

Representative companies in the current market, such as Certik and Beosin, offer ToB testing and auditing services. These companies mostly provide services at the smart contract level, conducting security audits and formal verification of smart contracts. Through pre-chain methods, such as wallet visualization analysis, smart contract vulnerability analysis, and source code security audits, these companies can detect smart contract vulnerabilities to some extent and mitigate risks.

  • ToC:

ToC monitoring is executed on-chain, involving risk analysis of smart contract code, on-chain states, user transaction metadata, transaction simulation, and state monitoring. Compared to ToB, C-side security companies in the Web3 space were established relatively later, but they have witnessed remarkable growth. Services provided by Web3 security companies like GoPlus are gradually being applied across various ecosystems within Web3.

Since its establishment in May 2021, GoPlus has experienced rapid growth in API daily calls, from a few hundred queries per day initially to twenty million calls per day during market peaks. The following graph illustrates the change in Token Risk API calls from 2022 to 2024, showcasing the growth rate of GoPlus’s importance in the Web3 domain.

The user data module introduced by GoPlus has become an integral part of various Web3 applications, playing a crucial role in top market websites like CoinMarketCap (CMC), CoinGecko, Dexscreener, Dextools, leading decentralized exchanges like Sushiswap, Kyber Network, and wallets like Metamask Snap, Bitget Wallet, Safepal.

Moreover, this module has been adopted by user security service companies like Blowfish, Webacy, and Kekkai, indicating the crucial role of GoPlus’s user security data module in defining the security infrastructure of the Web3 ecosystem and its significant position in contemporary decentralized platforms.

GoPlus primarily offers the following API services, providing comprehensive insights into user security data through targeted data analysis of multiple key modules. This aims to preempt evolving security threats and address the multifaceted challenges of Web3 security.

  • Token Risk API: Evaluates risks associated with different cryptocurrencies.
  • NFT Risk API: Assesses risks associated with various NFTs.
  • Malicious Address API: Identifies and flags addresses associated with fraud, phishing, and other malicious activities.
  • dApp Security API: Provides real-time monitoring and threat detection for decentralized applications.
  • Approval Contract API: Manages and audits smart contract invocation permissions.
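Data from a token-risk lookup is only useful once it is turned into a decision a wallet or DEX front end can act on. The following is an added example and not GoPlus code: it scores a response shaped like the GoPlus Token Security API (`GET https://api.gopluslabs.io/api/v1/token_security/{chain_id}?contract_addresses=...`, as the author of this example understands the public API at the time of writing, with flag fields as the strings "0"/"1" and tax fields as decimal strings) into allow / warn / block. Treat the endpoint and field list as an assumption to be checked against the current GoPlus documentation; the responses and addresses below are constructed, not real lookups.

```python
"""Turn a token-security lookup into an allow / warn / block decision (added example, not GoPlus code)."""
from typing import Dict, List, Tuple

# Fields that make a token effectively unsellable or let a third party take the holder's
# balance. Any of these set to "1" is a hard stop. (Field names: assumption, see lead-in.)
HARD_STOP_FLAGS = ("is_honeypot", "cannot_sell_all", "owner_change_balance", "selfdestruct")
# Fields that are not fatal on their own but should be surfaced to the user.
WARNING_FLAGS = ("is_mintable", "hidden_owner", "transfer_pausable", "is_proxy",
                 "trading_cooldown", "is_blacklisted")
MAX_TAX = 0.10  # above 10 %, a "tax" is a way to trap funds rather than a fee


def _flag(data: Dict[str, str], name: str) -> bool:
    return data.get(name, "0") == "1"


def _tax(data: Dict[str, str], name: str) -> float:
    try:
        return float(data.get(name, "0") or "0")
    except ValueError:
        return 0.0


def assess_token(address: str, response: dict) -> Tuple[str, List[str]]:
    """Return ("allow" | "warn" | "block" | "unknown", reasons) for one token address."""
    result = response.get("result") or {}
    data = result.get(address.lower())
    if response.get("code") != 1 or data is None:
        # "No data" is treated as unknown, never as safe: unlisted tokens are often brand new.
        return "unknown", ["no security data for this address"]

    reasons: List[str] = []
    verdict = "allow"
    for name in HARD_STOP_FLAGS:
        if _flag(data, name):
            reasons.append(f"{name}=1")
            verdict = "block"
    sell_tax, buy_tax = _tax(data, "sell_tax"), _tax(data, "buy_tax")
    if sell_tax > MAX_TAX or buy_tax > MAX_TAX:
        reasons.append(f"tax buy={buy_tax:.0%} sell={sell_tax:.0%}")
        verdict = "block"
    if verdict != "block":
        for name in WARNING_FLAGS:
            if _flag(data, name):
                reasons.append(f"{name}=1")
                verdict = "warn"
        if data.get("is_open_source") == "0":
            reasons.append("source not verified")
            verdict = "warn"
    return verdict, reasons


# Constructed responses mimicking the API shape; addresses and values are placeholders.
HONEYPOT_ADDR = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
SUSPECT_ADDR = "0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
CLEAN_ADDR = "0xcccccccccccccccccccccccccccccccccccccccc"
UNLISTED_ADDR = "0xdddddddddddddddddddddddddddddddddddddddd"
SAMPLE_RESPONSE = {
    "code": 1, "message": "OK",
    "result": {
        HONEYPOT_ADDR: {"is_honeypot": "1", "cannot_sell_all": "1", "buy_tax": "0.02",
                        "sell_tax": "0.99", "is_open_source": "1", "is_mintable": "0"},
        SUSPECT_ADDR: {"is_honeypot": "0", "buy_tax": "0.05", "sell_tax": "0.05",
                       "is_open_source": "0", "is_mintable": "1", "hidden_owner": "1"},
        CLEAN_ADDR: {"is_honeypot": "0", "buy_tax": "0", "sell_tax": "0",
                     "is_open_source": "1", "is_mintable": "0", "is_proxy": "0"},
    },
}

if __name__ == "__main__":
    for addr in (HONEYPOT_ADDR, SUSPECT_ADDR, CLEAN_ADDR, UNLISTED_ADDR):
        print(addr[:10], assess_token(addr, SAMPLE_RESPONSE))
```

Two design choices worth copying: a missing record maps to "unknown" rather than "allow", because newly deployed scam tokens are exactly the ones a feed has not scored yet; and hard stops are evaluated before warnings so that a honeypot is never downgraded to a mere warning by a later rule.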

In the C-side track, we’ve also observed Harpie. Harpie focuses on protecting Ethereum wallets from theft and collaborates with companies like OpenSea and Coinbase. They’ve safeguarded thousands of users from scams, hacking attacks, and private key thefts. Their product approach encompasses both monitoring and recovery. They monitor wallets to identify vulnerabilities or threats, promptly notify users upon discovery, and assist in remediation. They respond promptly to users who have fallen victim to hacking attacks or scams, helping salvage their assets. Their efforts have been highly effective in enhancing Ethereum wallet security.

Additionally, ScamSniffer provides services in the form of a browser plugin. This product conducts real-time checks through a malicious website detection engine and multiple blacklisted data sources before users open links, safeguarding them from malicious website impacts. During online transactions, it detects scams like phishing to protect user asset security.

Next-Gen Security Solutions: Safeguarding the Future of Web3

To address asset security, behavioural security, protocol security, and on-chain compliance needs, we've looked at the solutions offered by GoPlus and Artela, to understand how they support large-scale Web3 applications by maintaining both the user security environment and the on-chain operating environment.

  1. User Security Environment Infrastructure

Blockchain transaction security forms the cornerstone of security for large-scale Web3 applications. With frequent on-chain hacker attacks, phishing attacks, and rug pulls, ensuring on-chain transaction traceability, identification of suspicious on-chain behavior, and security assurance of user profiles are crucial. Based on this, GoPlus has launched the SecWareX platform, the first comprehensive personal security detection platform for Web3.

SecWareX is a Web3 personal security product built on the SecWare user security protocol, providing a one-stop, comprehensive security solution that includes real-time identification of on-chain runtime attacks, early warnings, timely interception, and dispute resolution. It also supports customized security interception strategies for asset issuance contracts tailored to specific scenarios.

For user behavior security education, SecWareX introduces the Learn2Earn program, cleverly combining learning security knowledge with token incentives, allowing users to enhance their security awareness while earning tangible rewards.

  2. Funds Compliance Solutions

Anti-money laundering (AML) is one of the most pressing needs on public blockchains. On public chains, analyzing factors such as transaction sources, expected behavior, amounts, and frequencies can help identify suspicious or abnormal behavior promptly. This aids decentralized exchanges, wallets, and regulatory agencies in detecting potential illegal activities like money laundering, fraud, and gambling, and taking timely measures such as warnings, asset freezes, or reporting to law enforcement to strengthen DeFi compliance and large-scale application.

With the continuous enrichment of on-chain behaviors, Know Your Transaction (KYT) for decentralized applications will become an indispensable prerequisite for large-scale applications. GoPlus’s Malicious Address API is crucial for exchanges, wallets, and financial services operating in Web3 to comply with regulatory requirements and ensure their operations, highlighting the intrinsic connection between regulatory compliance and technological progress in the Web3 field. It underscores the importance of continuous monitoring and adaptation to safeguard ecosystem integrity and user security.
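The KYT factors listed above (transaction sources, amounts, frequencies) can be expressed as simple rules over a batch of transfers. The following is an added example, not GoPlus code: it runs three such rules over constructed transfer records, with a small flagged-address set standing in for a malicious-address feed such as the Malicious Address API mentioned above. The address labels ("scammer", "mule", ...) and the thresholds are constructed placeholders; in the rules, taint follows the direction of funds (from -> to). The example goes slightly beyond the text by following taint one hop past the flagged address.

```python
"""Know-Your-Transaction heuristics over a batch of transfers (added example, not GoPlus code)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Transfer = Tuple[int, str, str, float]  # (unix_time, from_addr, to_addr, amount)

REPORT_THRESHOLD = 10_000.0   # amount at or above which a single transfer would be reported
STRUCTURE_WINDOW = 24 * 3600  # look for many sub-threshold transfers inside one day
STRUCTURE_MIN_COUNT = 4
VELOCITY_WINDOW = 600         # 10 minutes
VELOCITY_MAX = 20             # more transfers than this inside the window is a burst


def taint_addresses(transfers: List[Transfer], flagged: Set[str], hops: int = 1) -> Dict[str, int]:
    """Return {address: distance} for addresses within `hops` transfers downstream of a flagged one.

    Distance 0 is the flagged address itself, 1 is an address that received funds from it, and so on."""
    dist = {a: 0 for a in flagged}
    frontier = set(flagged)
    for d in range(1, hops + 1):
        nxt = set()
        for _, src, dst, _ in transfers:
            if src in frontier and dst not in dist:
                dist[dst] = d
                nxt.add(dst)
        frontier = nxt
    return dist


def kyt_findings(transfers: List[Transfer], flagged: Set[str]) -> Dict[str, List[str]]:
    """Map each address to the rule codes it triggered (addresses with no findings are omitted)."""
    findings: Dict[str, List[str]] = defaultdict(list)
    dist = taint_addresses(transfers, flagged, hops=1)
    by_sender: Dict[str, List[Transfer]] = defaultdict(list)

    for t in sorted(transfers):
        _, src, dst, _ = t
        by_sender[src].append(t)
        # Rule 1: source/destination. Sending to a flagged address, receiving from one,
        # or moving funds that arrived directly from one.
        if dst in flagged:
            findings[src].append("sent_to_flagged")
        if src in flagged:
            findings[dst].append("received_from_flagged")
        elif dist.get(src) == 1:
            findings[src].append("funds_one_hop_from_flagged")

    for sender, txs in by_sender.items():
        # Rule 2: amounts. Structuring: several transfers each just under the reporting
        # threshold whose total crosses it inside the window.
        for i in range(len(txs)):
            window = [x for x in txs[i:] if x[0] - txs[i][0] <= STRUCTURE_WINDOW]
            small = [x for x in window if 0.5 * REPORT_THRESHOLD <= x[3] < REPORT_THRESHOLD]
            if len(small) >= STRUCTURE_MIN_COUNT and sum(x[3] for x in small) >= REPORT_THRESHOLD:
                findings[sender].append("structuring")
                break
        # Rule 3: frequency. An unusual burst of transfers in a short window.
        for i in range(len(txs)):
            if len([x for x in txs[i:] if x[0] - txs[i][0] <= VELOCITY_WINDOW]) > VELOCITY_MAX:
                findings[sender].append("high_velocity")
                break

    # De-duplicate codes while keeping order, and drop addresses with nothing to report.
    return {a: list(dict.fromkeys(codes)) for a, codes in findings.items() if codes}


# Constructed transfers; labels stand in for addresses and none of this is real chain data.
FLAGGED = {"scammer"}
SAMPLE_TRANSFERS: List[Transfer] = (
    [
        (1_000, "victim", "scammer", 500.0),        # victim pays a known scam address
        (2_000, "scammer", "mule", 400.0),          # proceeds move to a fresh address
        (3_000, "mule", "exchange", 300.0),         # and are cashed out one hop later
        (12_000, "honest", "exchange", 12_000.0),   # large but single and above threshold
        (15_000, "honest", "friend", 3_000.0),
    ]
    + [(10_000 + 3_600 * k, "smurf", "exchange", 9_500.0) for k in range(4)]  # 4 x just under 10k
    + [(50_000 + 10 * k, "bot", f"sink{k % 5}", 1.0) for k in range(25)]     # 25 transfers in 4 min
)

if __name__ == "__main__":
    for address, codes in kyt_findings(SAMPLE_TRANSFERS, FLAGGED).items():
        print(f"{address:10s} {codes}")
```

Each rule is deliberately cheap (a single pass per sender) so the same logic could run inline in a wallet or exchange deposit pipeline; the thresholds are the part a compliance team would tune per jurisdiction.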

  3. On-Chain Security Protocols

Artela is the first Layer 1 public chain with native support for runtime protection. Through its EVM++ design, Artela's dynamically integrated native extension module, Aspect, supports adding extension logic at various points in the transaction lifecycle and recording the execution state of each function call.

When a threatening reentrant call occurs while a callback function is executing, Aspect detects it and immediately aborts (reverts) the transaction, preventing attackers from exploiting reentrancy vulnerabilities. Taking protection against reentrancy attacks on Curve-style contracts as an example, Artela provides a chain-native, protocol-level security solution for a range of DeFi applications.

As protocol complexity and compiler diversity increase, the importance of on-chain runtime protection solutions, as opposed to static checks of contract code logic in “white-box” solutions, becomes more pronounced.
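To make concrete what a runtime-protection rule of the kind described in the Enhancing Protocol Security section and in the Artela passage above actually checks, the following is an added example, not Artela or Curve code: a guard that replays a transaction's call trace, keeps the stack of open frames, and aborts when a protected contract is entered again while one of its frames is still open. Trace events are (kind, contract, function) tuples with kind "CALL" or "RET"; the contract and function names are placeholders, and the traces are constructed. The example goes beyond the text in one respect: it applies the rule per contract rather than per function, so a getter re-entered mid-update (the read-only variant) is caught as well.

```python
"""Runtime re-entrancy guard over a transaction call trace (added example, not Artela or Curve code)."""
from typing import Iterable, List, Set, Tuple

Event = Tuple[str, str, str]  # ("CALL" | "RET", contract, function)


class ReentrancyViolation(Exception):
    pass


class RuntimeGuard:
    """Tracks open call frames for one transaction and enforces a no-reentry rule.

    `protected` is the set of contracts whose functions may not be re-entered while any
    frame of that contract is still open. Views are not exempt: a getter called mid-update
    can return stale state (read-only reentrancy), so the rule is per contract, not per function.
    """

    def __init__(self, protected: Set[str]):
        self.protected = protected
        self.stack: List[Tuple[str, str]] = []

    def on_call(self, contract: str, function: str) -> None:
        if contract in self.protected and any(c == contract for c, _ in self.stack):
            open_fn = next(f for c, f in self.stack if c == contract)
            raise ReentrancyViolation(
                f"reentrant call {contract}.{function} while {contract}.{open_fn} is open")
        self.stack.append((contract, function))

    def on_return(self, contract: str, function: str) -> None:
        if not self.stack or self.stack[-1] != (contract, function):
            raise ReentrancyViolation(
                f"malformed trace: RET {contract}.{function} does not match the open frame")
        self.stack.pop()


def check_trace(events: Iterable[Event], protected: Set[str]) -> Tuple[bool, str]:
    """Replay a trace through the guard; returns (allowed, reason). A real runtime hook would
    revert at the first violation instead of finishing the replay."""
    guard = RuntimeGuard(protected)
    try:
        for kind, contract, function in events:
            if kind == "CALL":
                guard.on_call(contract, function)
            elif kind == "RET":
                guard.on_return(contract, function)
            else:
                return False, f"unknown event kind {kind!r}"
    except ReentrancyViolation as exc:
        return False, str(exc)
    if guard.stack:
        return False, "unbalanced trace: frames still open at end of transaction"
    return True, "ok"


# Constructed traces (placeholder contract names).
# Classic drain: Bank.withdraw pays out before updating the balance, and the receiver's
# fallback re-enters withdraw while the first frame is still open.
REENTRANT_TRACE: List[Event] = [
    ("CALL", "Bank", "withdraw"),
    ("CALL", "Receiver", "fallback"),
    ("CALL", "Bank", "withdraw"),   # guard aborts here
    ("RET", "Bank", "withdraw"),
    ("RET", "Receiver", "fallback"),
    ("RET", "Bank", "withdraw"),
]
# Ordinary composition: nested calls into different contracts, each returning before any re-entry.
BENIGN_TRACE: List[Event] = [
    ("CALL", "Router", "swap"),
    ("CALL", "Pool", "swap"),
    ("CALL", "Token", "transfer"),
    ("RET", "Token", "transfer"),
    ("RET", "Pool", "swap"),
    ("RET", "Router", "swap"),
]
# Read-only variant: a price getter is queried while the pool is mid-way through remove_liquidity.
READ_ONLY_TRACE: List[Event] = [
    ("CALL", "Pool", "remove_liquidity"),
    ("CALL", "Receiver", "fallback"),
    ("CALL", "Pool", "get_virtual_price"),   # guard aborts here
    ("RET", "Pool", "get_virtual_price"),
    ("RET", "Receiver", "fallback"),
    ("RET", "Pool", "remove_liquidity"),
]

if __name__ == "__main__":
    print("drain     ", check_trace(REENTRANT_TRACE, {"Bank"}))
    print("benign    ", check_trace(BENIGN_TRACE, {"Router", "Pool", "Token"}))
    print("read-only ", check_trace(READ_ONLY_TRACE, {"Pool"}))
```

Because the check runs on the observed call sequence rather than on the source, it does not care whether the missing lock came from the developer or, as in the Curve case, from the compiler: either way the second entry into the same contract is visible at runtime and can be rejected there.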

Conclusion

On January 10, 2024, the SEC officially announced the approval of the listing and trading of a spot Bitcoin ETF, marking the most significant step toward the mainstream adoption of cryptocurrency assets. As policy environments mature and security measures strengthen, we will inevitably witness the arrival of large-scale Web3 applications. If large-scale Web3 applications are the turbulent waves, then Web3 security is the sturdy dam built to protect user assets, withstand external storms, and ensure everyone safely navigates through each wave.

Disclaimer:

  1. This article is reprinted from [BuidlerDAO]. All copyrights belong to the original author [BuidlerDAO]. If there are objections to this reprint, please contact the Gate Learn team, and they will handle it promptly.
  2. Liability Disclaimer: The views and opinions expressed in this article are solely those of the author and do not constitute any investment advice.
  3. Translations of the article into other languages are done by the Gate Learn team. Unless mentioned, copying, distributing, or plagiarizing the translated articles is prohibited.