In an era where a bug may cost millions of dollars, Web 3.0 also presents challenges for iterative development.
Security concepts evolved with application architecture in both Web 1.0 and Web 2.0 to help open up completely new economies. Web3 will go through the same evolution, but it has significant flaws.
This is the main cause of the more than 10-fold rise in investment in new web3 security businesses last year, which reached over $1 billion.
Like any system, this design has security trade-offs. Unlike in Web 2.0, it is more difficult to update a blockchain system to fix security issues.
The blockchain does not require actors to be trusted as in Web 2.0, but making updates to address security problems is harder. Users retain ownership of their identities, but in the event of attacks or key compromises, there are no intermediaries to provide a means of redress.
Because transactions cannot be modified after they have been made, Web3 must include mechanisms that confirm whether a transaction should take place in the first place. Alternatively, security must be extraordinarily adept at prevention.
Testing Blockchain Systems: Challenges
Blockchain is increasingly being used in different sectors. The issue is that non-cryptocurrency applications are frequently untested and highly experimental, making it possible for hackers to identify and exploit vulnerabilities.
It is crucial for testers to carefully evaluate the efficiency of the APIs that interface with the blockchain and to make sure that the necessary inputs and outputs are thoroughly tested in this area. As a result, testers must create data payloads that will cover all possible permutations for their smart contracts.
The Wormhole bridge, an interoperability protocol that enables users and decentralized applications to exchange assets between blockchains, was implicated in one recent incident. Using this bridge to the Solana blockchain, a malicious actor was able to generate 120,000 ETH. The vulnerability existed in the way a smart contract function was implemented. Any dApp project using such a paradigm must guarantee complete consistency between all of its ledgers.
DApps and smart contracts
The majority of dApps, including the most well-known ones, do not yet authenticate or sign their API responses. This means that there is a gap in confirming that the response is coming from the intended app and that the data hasn’t been manipulated in any way when a user’s wallet gets data from these apps. Users must assess an app’s security posture and trustworthiness in a world where apps do not follow fundamental security best practices.
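What closing that gap could look like, as an added example that is not code from any dApp or wallet: the app signs each response bound to the request nonce and a timestamp, and the wallet verifies it against a pinned public key. The function names, envelope fields, 30-second window and the choice of Ed25519 through Node's `crypto` module are assumptions made for illustration.

```javascript
// Added example: keys and payloads are constructed, not taken from a real dApp.
const crypto = require('node:crypto');

// Stand-in for the dApp's signing key; the wallet pins only the public half.
const { publicKey: PINNED_KEY, privateKey: APP_KEY } =
  crypto.generateKeyPairSync('ed25519');
const MAX_AGE_MS = 30000; // assumed freshness window

// Deterministic serialization (sorted keys) so both sides sign the same bytes.
function canonical(obj) {
  if (obj === null || typeof obj !== 'object') return JSON.stringify(obj);
  if (Array.isArray(obj)) return '[' + obj.map(canonical).join(',') + ']';
  return '{' + Object.keys(obj).sort()
    .map(k => JSON.stringify(k) + ':' + canonical(obj[k])).join(',') + '}';
}

// dApp side: bind the body to the request nonce and a timestamp, then sign.
function signResponse(body, nonce, now = Date.now()) {
  const envelope = { body, nonce, ts: now };
  const sig = crypto.sign(null, Buffer.from(canonical(envelope)), APP_KEY);
  return { ...envelope, sig: sig.toString('base64') };
}

// Wallet side: accept the body only if origin, integrity and freshness all hold.
function verifyResponse(resp, expectedNonce, now = Date.now()) {
  const { sig, ...envelope } = resp;
  if (typeof sig !== 'string') return { ok: false, reason: 'unsigned' };
  const valid = crypto.verify(null, Buffer.from(canonical(envelope)),
    PINNED_KEY, Buffer.from(sig, 'base64'));
  if (!valid) return { ok: false, reason: 'bad-signature' };
  if (envelope.nonce !== expectedNonce) return { ok: false, reason: 'nonce-mismatch' };
  if (Math.abs(now - envelope.ts) > MAX_AGE_MS) return { ok: false, reason: 'stale' };
  return { ok: true, body: envelope.body };
}

// Constructed sample: data a wallet would display before the user approves.
const nonce = crypto.randomBytes(16).toString('hex');
const signed = signResponse({ to: '0xSAMPLE_RECIPIENT', amountWei: '1000' }, nonce);
const tampered = { ...signed, body: { ...signed.body, to: '0xSAMPLE_OTHER' } };

console.log(verifyResponse(signed, nonce));
console.log(verifyResponse(tampered, nonce));
```

The nonce and timestamp checks matter as much as the signature: without them, a validly signed response captured earlier could be replayed to the wallet.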
In general, DApps and smart contracts need to be tested using the same techniques as other software products. The technologies are still in their infancy, and the quality of the engineers who created them determines how reliable they are. Thus, they require more frequent and exact tests.
Just a few of the difficulties involved are:
- Blockchain transactions are irreversible and unchangeable, so even a single mistake in the code means creating a new smart contract from scratch.
- A lack of the clear instructions, sequential procedures, and guidelines for DApp creation that exist for established technologies.
Vulnerabilities in Web3: DeFi
Hackers have stolen $1.3 billion in the first three months of this year from exchanges, platforms, and private companies, and DeFi victims have been hit disproportionately. DeFi protocols have been the source of nearly 97% of all cryptocurrency stolen in the first three months of 2022, up from just 30% in 2020 and 72% in 2021.
The majority of cryptocurrency hacks were the result of security breaches, like the one that Ronin Network witnessed in March 2022. However, the Chainalysis report claims that the biggest thefts are typically caused by faulty code. Sometimes, something as basic as a typo can be exploited by savvy hackers.
Testing is underrated. We learned from our experience insuring smart contracts that test suites are incredibly undervalued by developers. Quality testing decreases risk when introducing new features while saving you and your team time when maintaining code. Additionally, testing is a very marketable talent. Everyone benefits from creating high-quality tests.
The architecture of DeFi applications is very different from that of conventional websites: DeFi applications expose a lightweight front end that connects with a blockchain-based back end utilizing wallet software that runs in the user’s browser, as opposed to a complicated Web front end that talks with a database back end.
Some DeFi vulnerabilities are complex, but that is not always the case. In smart contracts, a minor code error can occasionally snowball into a big catastrophe that compromises assets worth millions of dollars.
Some common coding mistakes include:
- Function permission (modifier)
- Incorrect number of digits
- Missing/incorrect variable value assignment
These flaws can be easily fixed with comprehensive peer reviews, unit testing, and smart contract audits.
Proliferation of NFT blockchains presents QA problems
Over the past year, NFT markets have seen a number of high-profile (and high-value) asset transactions as well as a substantial increase in trade volume. Unfortunately, there has not been any security analysis of these marketplaces yet. Instead, the majority of academic research has focused on ways to attack decentralized finance (DeFi) protocols and on automated methods to find weak points in smart contracts.
The impact of the risks associated with smart contracts on NFT security is exemplified by one of the latest events, an attack on the well-known DeFi protocol Poly Network. By exploiting flaws in smart contract security, hackers were able to steal close to $600 million during the attack. Poly Network is not the only example demonstrating NFT weaknesses and security issues.
In 2017, the most well-known NFT project, CryptoPunks, had to deal with the effects of smart contract bugs. A glitch that year on CryptoPunks prevented the transfer of ETH into the seller’s wallet. Attackers could use the bug to buy CryptoPunks NFTs and take the money out of the contract. As a result, CryptoPunks had to start over with a totally new and updated smart contract.
Onboarding Harbor Team to Web3 projects
The team at Harbor has examined several security problems that have arisen in the past, whether they involved basic blockchains or smart contracts. Malicious smart contracts function exactly like legitimate smart contracts but act in unanticipated ways. The Harbor research team has done extensive research to identify the most prevalent security issues brought on by cryptocurrencies, blockchain technology, decentralized software, and decentralized file storage.