Pioneering the Path to Web3: Part 2 — Security
The full article was originally published by Nakama Labs on Medium. Read the full article here.
Pioneering the Path to Web3: Part 2 — Security
In recent years, the advent of Web3 has revolutionized the way we interact with the digital world. Web3 represents a paradigm shift from the traditional Web2 environment, where centralized entities held control over our data and online experiences. Unlike Web2, Web3 enables users to act as their own custodians, granting them greater autonomy and ownership over their digital lives. This shift has far-reaching implications for security, as it introduces a new set of challenges and opportunities.
While some well-known security threats from Web2 persist in the realm of Web3, the transition to decentralization introduces unique risks that require careful consideration. In this article, we will explore the most common security issues faced in the Web3 landscape. Furthermore, we will examine the effective strategies and best practices employed by Nakama to mitigate these risks, thereby ensuring a secure and trustworthy environment for all our users.
Threat models are systematic approaches used to identify, evaluate, and understand potential risks, vulnerabilities, and motivations of attackers in order to develop effective security measures.
In comparing threat models between Web2 and Web3, there are several notable differences due to the contrasting nature of the two environments.
In Web2, the primary threat models revolve around centralized systems and the vulnerabilities associated with them. Common threats include data breaches, where centralized entities become targets for hackers seeking to gain unauthorized access to user data. Other threats include identity theft, phishing attacks, fraud (such as FTX and Celsius), human error and social engineering, which exploit the centralized nature of user authentication and communication channels.
While many threats from Web2 still persist in Web3, such as data breaches and social engineering (most commonly in the form of phishing and impersonation targeting users rather than centralized entities), additional risks emerge due to the unique characteristics of decentralization, which we discuss below:
Smart contract security
Smart contracts eliminate the need for centralized control. They enable automated, self-executing agreements on blockchain networks, reducing reliance on intermediaries. This decentralized approach ensures transparency, immutability, and trust, transforming traditional processes and centralized control into tamper-resistant, programmable actions governed by predefined conditions.
However, with great power comes great responsibility, as smart contracts can be susceptible to vulnerabilities and exploits that can lead to significant financial losses and compromise the integrity of the entire system.
The risks associated with smart contract security include coding errors, design flaws, and malicious attacks. Even a single line of flawed code can result in catastrophic consequences, such as funds being locked or stolen.
To make well-informed investment choices, it’s wise to avoid committing significant funds to platforms with unaudited or inadequately reviewed smart contracts. This precautionary approach minimizes the potential risks tied to vulnerabilities and contributes to establishing a more secure investment landscape.
At Nakama, we ensure robust security measures, including:
- Rigorous code audits
- Comprehensive testing
- Ongoing vulnerability assessments to all of our dApps
- Forked battle-tested code
We partnered with the leading security audit firm HashEx to ensure the safety and security for Deepr Finance and look forward to announcing another crucial security-related partnership soon for Virtue is a Liquity fork which has been audited by Trail of Bits, Coinspect and been battle-tested for over 2 years which at its peak held over $4.5 billion in assets.This commitment to rigorous security practices underscores our dedication to providing a trustworthy and secure environment for our users and stakeholders in the Web3 ecosystem.
Flash loan attacks
Flash loan attacks have emerged as a notable concern within the Web3 ecosystem, particularly in the realm of DeFi. They involve exploiting the ability to borrow and repay cryptocurrency within a single transaction. Malicious actors use this to manipulate decentralized financial systems and temporarily acquire funds they wouldn’t otherwise have, often causing disruptions.
To mitigate these threats, it is imperative for users to exercise vigilance when engaging with unfamiliar smart contracts. Additionally, platforms operating within the Web3 space should proactively establish and enforce robust security measures. At Nakama we’re implementing mechanisms that restrict the potential impact of flash loan attacks, such as
- Using Oracles from Pyth to aggregate prices over a range of sources both on- and off-chain
- Ensuring the use of collateral which is highly liquid with low volatility
- Implementing limits to lending markets where appropriate using risk modeling
- Relying upon forked code which is audited and battle-tested over three years
DeFi platforms depend on oracles to fetch information and aggregate pricing data from both on- and off-chain, which is essential for pricing collateral and debt within lending markets correctly. If these oracles are tampered with, it can result in the distorting of asset prices, putting DeFi platforms at risk of manipulation and other malicious activities.
At Nakama, we’re implementing Oracle services from Pyth which have a proven track record. We’ll ensure we support a pricing data stream together with the IF to ensure risk of downtime is minimal and once available will look to implement a second oracle service provider as a backup.
Bad debt risk
A significant concern emerges when the collateral used to secure a DeFi loan falls short of adequately covering the loan amount, leading to potential bad debt exposure for the protocol. This risk could impact the protocol and lending market participants which may lead to measures such as depleting insurance reserves or introducing new tokens to mitigate losses.
To mitigate this risk at Nakama, we employ vigilant collateral monitoring mechanisms, prioritize assets with high liquidity and stability, provide liquidation services in partnerships with leading Dexes and demonstrate the involvement of proficient teams, thereby fortifying the system against the potential fallout of bad debt scenarios.
It is worth noting that during the crypto price crash which followed Luna/Alameda/3AC black swan events, the DeFi lending market was extremely resilient with very little bad debt incurred. In comparison, Web2 centralized services, such as FTX and Celsius which were not transparent and acted fraudulently, failed.
Bridge malfunction and hack risks
The possibility of bridge malfunctions, causing temporary fund unavailability due to issues within Routers or MPC Networks, raises concerns over seamless cross-chain transactions. Additionally, the potential for bridge hacks, leading to fund losses from attacks on involved chain contracts or the messaging/relayer layer, highlights the security vulnerabilities of interconnected systems.
To navigate these risks, a proactive approach involves thorough reviews of the teams and audit reports associated with bridges.
Furthermore, opting for assets natively minted on their respective blockchains, when possible, rather than relying on wrapped tokens from a bridge, can significantly bolster the overall security and reliability of cross-chain operations.
One of the main reasons why Nakama is building on top of Shimmer is that the network’s goal is to eliminate the need for costly and insecure bridges, enabling unhindered cross-chain interoperability through bridgeless asset transfers. Check this article for more information on the bridgeless asset transfers on Shimmer.
Hacking and security breaches
In Web3, users take on the role of custodians for their own assets, necessitating diligent measures to ensure the security of their wallets and personal information. Failing to do so exposes them to the risk of malicious hackers gaining unauthorized access to their valuable assets.
To safeguard against this, employing hardware wallets or other secure wallet solutions to safeguard private keys becomes paramount. Additionally, maintaining a vigilant watch over account activities for any signs of suspicious behavior and implementing two-factor authentication (2FA) whenever feasible serve as vital precautions in fortifying the protection of user assets and data.
In our commitment to maintaining a secure environment, we at Nakama prioritize robust security standards for our team, thus ensuring that all team member’s accounts are kept as safe as possible.
Phishing and social engineering attacks
Phishing and social engineering attacks in Web3 present unique challenges compared to Web2. While traditional Web2 platforms have seen various forms of phishing attacks through email or fake websites, Web3 introduces additional risks due to the interaction with decentralized applications and the handling of valuable assets.
In Web3, attackers can target users through malicious smart contracts, fake token sales, or impersonation of dApps. To mitigate these risks, users should exercise caution when interacting with unfamiliar dApps, double-check contract addresses and URLs, and use wallet software with robust security features.
Additionally, adopting multi-factor authentication, staying informed about the latest security practices, and promoting user education on recognizing and reporting phishing attempts are crucial steps to enhance security in the Web3 ecosystem.
Users must also exercise caution in deciding whom to trust and should prioritize reaching out to the official Discord servers or X (Twitter) accounts to avoid falling prey to impersonators.
Exit scams and rug pulls
DeFi comes with a potential risk where projects may initially attract investments, only to abruptly shut down or engage in fraudulent activities, jeopardizing users’ funds.
To safeguard against such scenarios, a cautious approach is advised. Prior to investing, thorough research into the project’s team and their reputation is essential. Additional research into the smart contracts deployed can identify whether the team has the ability to remove funds from users, such as removal of liquidity or minting more tokens and dumping. Moreover, exercising restraint by refraining from committing significant sums to newly launched projects lacking an established track record can serve as a prudent mitigation strategy, helping to mitigate potential losses and ensure a more secure investment journey.
The Nakama team boasts a well-known presence and a substantial history within the IOTA and Shimmer communities, ensuring that the project is devoid of the risks associated with anonymity. The team also focuses on auditing its code with trusted third parties who would identify any risks within the smart contracts.
The future of Web3 security
As the Web3 landscape continues to evolve, security measures will become more sophisticated to address the unique challenges posed by decentralized technologies. One key aspect of the future of Web3 security is the development of enhanced consensus mechanisms and cryptographic protocols that ensure the integrity and privacy of transactions and data. Innovations such as zero-knowledge proofs, secure multi-party computation, and privacy-preserving smart contracts will play a crucial role in strengthening security in Web3.
Moreover, decentralized identity and authentication systems will gain prominence, allowing individuals to maintain control over their personal data and ensuring secure and seamless interactions within the decentralized ecosystem. The integration of decentralized identifiers (DIDs) and verifiable credentials will enable users to establish trust and authenticate their digital identities without relying on centralized authorities.
The advancement of automated risk monitoring in Web3 not only enables real-time surveillance of decentralized networks and transactions but also guarantees a safer environment by proactively identifying and mitigating potential threats, thereby enhancing the overall security and trustworthiness of the decentralized web.
As Nakama looks towards the future of Web3 security, our commitment remains steadfast in integrating the latest security practices, conducting thorough audits, and fostering community-driven governance. By embracing these principles, we strive to create a secure and trusted environment that empowers our users to fully embrace the potential of Web3 while safeguarding their assets and data from emerging security threats.