Web3 security projects highlight the need for more security proactivity in DeFi
July 14, 2022
More proactivity is needed when it comes to security in the DeFi space to protect users and projects alike. This was one of the main messages voiced by all the web3 cybersecurity projects featured in this AMA. As usual, we know there are busy people out there who don't have time to listen to AMAs, so here you'll find a round-up of the important things that were discussed.
Guardians of the Blockchain: On scam tokens and contracts
Guardians of the Blockchain are building an AI-based tool to make research on projects more flexible, so that threats are easier to spot. “Think of the classic [scams] out there or the classic threats or fake, scam tokens or contracts,” Will said. The tool would flag badly coded contracts to the user.
“What we came up with was an idea that you could [...] help someone do their own research. It's powered by artificial intelligence and it aggregates all the latest data with machine learning” and helps protect users as a “pre-Do-Your-Own Research (DYOR),” Will said.
Interlock: Protecting DeFi users from major threat vectors – phishing and social engineering
Turning to Interlock ($ILOCK), Andrew explained that they are trying to “eliminate one of the major threat vectors”, which is “the human element of clicking on bad links and malicious pages”, he said. “So [we are] protecting users from some of the most common scams which have plagued the Web2 space and that are [...] one of the biggest challenges in Web3,” Andrew remarked. This would be done with Interlock’s Visual AI and enterprise-grade technology, while protecting users’ anonymity and sovereignty over their own data.
Rick concurred, adding that Interlock’s goal is to first tackle the most basic attacks in cybersecurity, which, “what I learned over the course of 15 years [working in cybersecurity], are still the most successful” ways of stealing funds. He also noted that the project not only protects individuals but also has a B2B side as a form of threat intelligence. “Every piece of threat data that's created [... is] information that's usable, private and anonymous and is then delivered to [...] enterprises that need that data to keep themselves more secure,” he said.
The KYC Alliance: Honeypot scams investigations
For his part, Chris from The KYC Alliance said that he investigates how these phishing scams work. He keeps a couple of honeypot accounts on social media and messaging apps to bait scammers into contacting him. “Whenever I get those cold DMs that either say that I've won money at their exchange or somebody just saying hi and initiating a conversation, I will roll along with it, talk to them, and kind of present myself as the perfect mark that they're looking for so that I can see what these conversations [lead to… and] document them,” he said.
He revealed that scammers sometimes use a slow build-up in order to “build a rapport with you”. It starts off with “chit-chat” and a “general innocent-seeming conversation” until they slowly introduce their scams, such as fake DAOs intended to steal your funds. In the bear market, he noted a shift: instead of promising wild 100x gains, the pitch has moved to “zero investment” schemes, where the target is led to believe they have won money at a certain exchange.
Functionland: Cloud-data security and autonomy
Switching to Functionland, Ehsan noted that their main priority is keeping people’s data secure and preventing it from being exploited by big tech companies, “including those which are sometimes considered to be the face of Web3,” he said.
“What we are solving at Functionland is the monopoly of data by, essentially, the big tech corporations. What we'll be going after is providing the ability to the consumers to start owning their own data and by owning we don't mean only tokenized owning, we also mean the physical owning,” Keyvan said. This will be done by creating storage pools with “whatever hardware device you have”: if you have spare storage, you can contribute it to the pool for cloud storage “in a P2P” manner. “We need to guarantee that data is always encrypted; no one can access it,” Ehsan remarked.
Hacken: Measuring project security
Vulnerabilities in the projects themselves are what Hacken looks at, “in different application levels like smart contracts, web applications, the apps, protocols [themselves],” Yev remarked. One of their main security assurances is to “measure different projects in terms of security, which helps newcomers or other investors to check the security part of every project and what their attitude towards security is.”
She also noted that in research they conducted, they found that a whopping 30% of the audits crypto projects claim to have had are “not relevant” and pose a security risk for the user as well as the project. This leaves users believing they invested in a safe project because the project claims to have been audited, when the audit itself did not meet high standards.
Code4rena: Community-driven prevention
Vee from Code4rena said that they are promoting a community-driven approach to Web3 security. “Usually, we think of code as a logical and mechanical thing, but there are actually many emotions involved with it […] the possibility of a hack in that regard is everyone's worst nightmare.”
“Developers fear that they will be publicly embarrassed by a hack, and auditors are stressed out that they are missing something. So, in Code4rena we are changing this by creating a really open community where everyone can learn and share their burden. At the same time, ensuring that great results are being made and altogether we aim to make Web3 a safer place for all,” she remarked.
Lossless: Help for stolen funds
Lossless is aiming to offer a solution to stolen funds and hacks with their protocol. “We work with token owners as the primary contact. [...] Project founders and such [...] integrate our piece of code into their smart contracts, which then gives us the power to see their transaction fees. By us, I don’t mean Lossless team [... or] our developers, but actually the community. Since the protocol is driven by a network of basically security experts, developers, and by whitehat hackers and such people who are able to read the transactions and to see the signals”. When a possible hack happens, these watchers can notice that something does not look right.
Lossless provides the opportunity to stop these kinds of malicious transactions, which result in losses not only for the project itself and its funds but for the holders as well. “So what happens is, a person who sees that the transaction is actually a malicious one, [that it] is a result of a hack, that person is able to stake Lossless tokens and in this way stop the transaction,” Monica said.
A change of mentality is needed: Proactivity is required
In this part of the session, the speakers highlighted a number of things that need to be addressed in terms of security:
Audits need to be taken seriously
Problems highlighted in audits need to be addressed
Less focus on marketing audits, but rather on solving issues
More proactivity to prevent hacks
Awareness that hacks often cost more than taking security measures
Chris from The KYC Alliance noted that the general mentality is that “investors and senior leadership alike are more than willing to do anything they can to prevent something bad from happening again. But that willingness isn't there to prevent something bad from happening the first time.”
“They think that it won't happen to them and that what they have in place is adequate; that they're too smart and they're too clever. It's just it's not an issue that's on their mind until they get hit. And then that's when they want to dump time, money, and resources into preventing it from happening again,” he remarked. This is the biggest mental block to get over when it comes to security, he said.
Andrew agreed with this point, remarking that from a psychological perspective, “marketing cybersecurity products is like insurance”, where people are more inclined to buy “the reactive solution” than the proactive one. “It's not on their radar until it happens to them,” he said.
Yev noted that protocols usually request security work for one of three reasons: most often because they were hacked; second, because “they were forced to do so” by regulators; and third, “in really rare cases”, because they are aware that security is important. She said that projects must keep in mind that “if we are talking about audits or bug bounties, the cost of that is way way less than the potential damage.”
Monica also pointed out that during the bull market, multiple projects were being released at very high speed. Security “[... was] nowhere near the pace at which projects [were] being brought to life”, which rendered projects prone to attacks.
Projects currently “do not have the luxury [...] to pick somebody from the industry that will help them to cover security in one or another angle, be it an audit, be it an integration of a protocol, be it a proper development of a smart contract, etcetera. So it's more about still establishing what the proper process is of creating a project in the first place and placing security among one of the to-dos and that it's not a ‘nice to have bullet point’, but it's an ‘actual must’,” she said.
Will also remarked that the demand from the everyday retail user to have a project audited is growing. “If you look at some of the telegram groups, often one of the first questions that the team has been asked in these communities was ‘who have you been audited by?’ So I think the users have become more aware now [...] I think the everyday crypto users are going to be demanding and want to see that there has been an audit [... and that] it was on the to-do list from the start and it’s not reactive.”
Audits also need to be taken more seriously, Chris suggested. Audits have become “kind of a badge of honor for the projects to have had them done. [...] I think there needs to be much better comms around what their audit contained.” He mused that this could be packaged as communication and marketing material “so that the retail investors can better understand what [the audit] actually means” and what its results actually say.
Yev said that although auditors provide a score for retail investors, after the audit “a lot of projects just don’t fix issues”, as the audit “stamp” is what they care about most.
If you would like to listen to the full conversation, you can find it here:
Here’s a little information about our wonderful guests in today's Tapx Talks: Securing Web3 👇 https://t.co/IImsysDpLo