Certik’s Director of Security Operations, Hugh Brooks, has highlighted the importance of security testing in Web3. Brooks described security as a core primitive of the Web3 space and explained why protocols should treat it as a priority.
According to Brooks, Certik, a security audit firm, tracked 31 significant incidents in August, the most significant and most interesting being the $190 million Nomad exploit. The bridge lost its funds not to a single hacker, as is usually the case, but to many different people who piled onto the same vulnerability once it became public.
Brooks also highlighted how much Web3 still depends on Web2, citing the Solana wallet hack. That incident leaked wallet seed phrases, which gave the attacker full control of the affected wallets. In Brooks’ words:
“Everyone needs to realize that true decentralization in 2022 is a dream and will continue to be one until Web3 no longer relies on Web2 infrastructure. Your dApp likely utilizes files that are stored on various servers. It’s a bit of Web3 and a whole lot of Web2.”
Brooks further emphasized that security testing is a continuous process, not a one-off exercise. While the Slope team had carried out security testing and audits of their app, they had not repeated them for every release, and the hack stemmed from a vulnerability that consequently went undetected.
Per Brooks, hacks happen to improperly audited projects. Companies must therefore run exhaustive checks when bringing in external vendors, or risk paying for someone else’s mistakes.
“There was no flaw in Solana itself. Initially, everybody thought there was some mistake in Solana. It was difficult at first to tease out what was going on there. And it wasn’t until the community got together… (that) they were able to start narrowing it down.
“But it is the kind of thing that regular mobile application security testing would have caught.”
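The article does not say how the seed phrases left the wallet app, so the following is an added illustration, not Slope’s, Solana’s or Certik’s code and not a description of the actual bug. It shows the kind of per-release check Brooks is describing: a telemetry serializer built on an explicit field allowlist, shown beside the “dump the whole object” anti-pattern that ships a seed phrase with a crash report, and a scanner that fails the build if anything shaped like a BIP-39 mnemonic appears in captured log or telemetry output. The wordlist is a constructed subset of the BIP-39 English list (a real gate loads all 2048 words), the sample log lines are constructed, and the mnemonics are the public BIP-39 test vectors, not real wallets.

```python
"""
Release-gate check for seed-phrase leakage in app logs and telemetry.
Added example for illustration only; not Slope's, Solana's or Certik's code.
"""
import json
import re
from dataclasses import dataclass

# Constructed subset of the BIP-39 English wordlist so the demo runs offline.
# A real gate loads all 2048 words from the BIP-39 reference list.
BIP39_SUBSET = frozenset("""
abandon about ability able above absent legal winner thank year wave
sausage worth useful yellow zoo art army garden jelly
""".split())

# Public BIP-39 test vectors (from the reference implementation's test set),
# not real wallets.
TEST_MNEMONIC_A = "abandon " * 11 + "about"
TEST_MNEMONIC_B = ("legal winner thank year wave sausage worth useful "
                   "legal winner thank yellow")


@dataclass
class Wallet:
    pubkey: str     # safe to report
    label: str      # safe to report
    mnemonic: str   # must never leave the device


def telemetry_payload_leaky(wallet: Wallet) -> str:
    """The anti-pattern: serialise every attribute, secrets included."""
    return json.dumps(vars(wallet))


# Allowlist of reportable fields; the mnemonic is deliberately absent, and
# adding a field here is an explicit, reviewable change.
TELEMETRY_FIELDS = ("pubkey", "label")


def telemetry_payload_safe(wallet: Wallet) -> str:
    """Serialise only allowlisted fields."""
    return json.dumps({f: getattr(wallet, f) for f in TELEMETRY_FIELDS})


def find_seed_phrase_leaks(lines, wordlist=BIP39_SUBSET, min_words=12):
    """Return (line_number, run_length) for every run of at least min_words
    consecutive wordlist words. Valid mnemonics are 12/15/18/21/24 words;
    flagging any run of 12 or more is deliberately conservative, so a real
    gate would confirm hits by verifying the BIP-39 checksum."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        tokens = re.findall(r"[a-z]+", line.lower())
        run = 0
        for tok in tokens + [None]:          # sentinel flushes the final run
            if tok is not None and tok in wordlist:
                run += 1
                continue
            if run >= min_words:
                hits.append((lineno, run))
            run = 0
    return hits


def release_gate(captured_output) -> bool:
    """True when the captured output is clean; run this in CI on every release."""
    return not find_seed_phrase_leaks(captured_output)


# Constructed sample of captured app output for the demo.
SAMPLE_LOG = [
    "INFO app start, build 1.2.3",
    "DEBUG wallet restored: " + TEST_MNEMONIC_B,   # the leak a tester should catch
    "INFO sync complete, 3 accounts",
]

if __name__ == "__main__":
    w = Wallet(pubkey="DemoPubKey1111111111111111111111111111111",
               label="main", mnemonic=TEST_MNEMONIC_A)
    print("leaky payload flagged:", find_seed_phrase_leaks([telemetry_payload_leaky(w)]))
    print("safe payload flagged: ", find_seed_phrase_leaks([telemetry_payload_safe(w)]))
    print("sample log clean?", release_gate(SAMPLE_LOG))
```

The point of the scanner is not that it is clever but that it runs on every build: wiring `release_gate` into the release pipeline, fed with the app’s captured logs and outbound telemetry from an instrumented test run, turns “we audited it once” into the per-release testing Brooks says Web2 mobile teams already do.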
Web3 Can Borrow a Leaf from Web2
Traditional companies, especially those in cybersecurity, treat their internal security processes as a priority. Web3 companies should do the same with theirs.
Brooks faults Web3 companies in this regard.
“There’s been this big move and shift… where people are looking at security from the lifecycle of when they start coding that mobile app to when we put it out there. And then every release, it goes through essentially that same kind of testing.
“You don’t see that yet in many of the Web3 worlds. Web3 people with great ideas also do a mobile app or a web app. They’re not bringing on the kind of security, and few people are experts to do the security testing they need.”
Given the volume of funds flowing into Web3, security is paramount, and even minor negligence can lead to losses on a large scale. In traditional finance, banking applications are tested at every stage and on every release; DeFi protocols still fall short of that standard.
Blockchain Bridges: A Case for Security
Blockchain bridges are no exception. They let users move tokens between chains, but that very position between networks has made them a recurring weak point. The remedy, according to Brooks, is testing, and then more testing, by multiple independent parties.
“You can guarantee the hackers are looking at it. Then you need to be red teaming and have blue teams on your team that can manage when things go bad. Security is always cat and mouse, and you must be doing that life all the time.”
Over $1.4 billion has been lost to hackers through blockchain bridges since the start of the year, a sign that Web3 security has been below par. Treating security as a continuous process, with testing repeated on every release rather than performed once, would go a long way toward limiting these exploits.