Security is of utmost importance when it comes to developing Web3 decentralized applications (dApps). These dApps, which operate as code snippets on blockchains, pose distinct security challenges that developers and users need to tackle.
Key security risks and considerations include phishing attacks, vulnerabilities in smart contracts, and frontend and API vulnerabilities, among others.
Speaking at Breakpoint 2023, the event organized by Solana, Piotr Cielas, Director of Security at Halborn, spoke on how developers can build dApps that are efficient and avoid security breaches.
Halborn is a blockchain security firm that provides full-stack security solutions for Web3 and blockchain projects. The company, which has partnered with Chainalysis, offers a range of services, including smart contract audits, penetration testing, code reviews, and incident response.
Halborn’s expertise in security architecture and research-backed insights provide proactive and adaptive security frameworks for Web3 projects.
The company’s preventative solution includes initial risk assessments, architecture security reviews, cloud configuration, DevOps, logical network segmentation, smart contract and infrastructure audits, and pen testing.
Piotr highlighted the significance of data in bug forecasting and drew parallels to Bayesian probability in mathematics. By analyzing historical data, security experts can detect patterns and predict the likelihood of future bugs in projects.
He emphasized that traditional scoring systems used by security providers may have limitations in terms of effectiveness. This underscores the need for a more nuanced and sophisticated approach to enhance security measures.
Redesigning the System: Blockchain Vulnerability Scoring System
Recognizing the limitations of existing systems like the Common Vulnerability Scoring System (CVSS), the director introduced a new approach: the Blockchain Vulnerability Scoring System.
The Common Vulnerability Scoring System (CVSS) is an industry-standard method for assessing the severity of computer system security vulnerabilities, providing a numerical score and qualitative representation to help organizations prioritize and manage their vulnerability remediation processes.
The Blockchain Vulnerability Scoring System combines the structure of CVSS with blockchain-specific metrics to provide a more tailored and accurate assessment of vulnerabilities. The key metrics include exploitability, impact on deposit and yield, reversibility, and scope.
He also noted that vulnerabilities have varying impacts on deposit and yield, with 80% of projects remaining unaffected. However, when vulnerabilities do influence yield, the repercussions can be substantial, significantly impacting project treasuries.
This analysis offers developers valuable insights, allowing them to prioritize and address potential vulnerabilities based on their severity and impact.
Piotr mentioned common business logic-related vulnerabilities, providing bug and fix examples. He covered issues such as account owner check missing, arbitrary program invocation, PDA signature hijacking, account type confusion, remaining accounts, and account info in contexts.
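As an added illustration of the first class in that list (it is not code from the talk or from Halborn): a minimal Rust model of a Solana-style account in which the vulnerable path trusts whatever account data the caller passes in, while the fixed path first verifies that the account is owned by the program. Pubkey, AccountInfo, Vault, ProgramError and PROGRAM_ID are hypothetical stand-ins for the solana_program types, and the 40-byte vault layout is constructed for the example.

```rust
// Added example (not from the talk): a minimal model of the "account owner
// check missing" bug class. Pubkey, AccountInfo, Vault and PROGRAM_ID are
// hypothetical stand-ins for the solana_program types.
#[derive(Debug, Clone, PartialEq)]
pub struct Pubkey(pub [u8; 32]);

/// Simplified account view: the program that owns it and its raw data.
#[derive(Debug, Clone)]
pub struct AccountInfo { pub key: Pubkey, pub owner: Pubkey, pub data: Vec<u8> }

/// Hypothetical vault state: 32-byte authority, then a little-endian u64 balance.
#[derive(Debug, PartialEq)]
pub struct Vault { pub authority: Pubkey, pub balance: u64 }

pub const PROGRAM_ID: Pubkey = Pubkey([7u8; 32]);

#[derive(Debug, PartialEq)]
pub enum ProgramError { IncorrectProgramId, InvalidAccountData, Unauthorized }

impl Vault {
    /// Parse the constructed 40-byte layout; reject any other length.
    pub fn unpack(data: &[u8]) -> Result<Vault, ProgramError> {
        if data.len() != 40 { return Err(ProgramError::InvalidAccountData); }
        let (mut authority, mut balance) = ([0u8; 32], [0u8; 8]);
        authority.copy_from_slice(&data[..32]);
        balance.copy_from_slice(&data[32..]);
        Ok(Vault { authority: Pubkey(authority), balance: u64::from_le_bytes(balance) })
    }
}

/// BUG: interprets any account the caller passes as a Vault. An account the
/// caller owns can carry a forged authority and balance, so the authority
/// check below is satisfied by caller-supplied bytes.
pub fn withdraw_unchecked(vault: &AccountInfo, signer: &Pubkey, amount: u64) -> Result<u64, ProgramError> {
    let state = Vault::unpack(&vault.data)?;
    if state.authority != *signer { return Err(ProgramError::Unauthorized); }
    state.balance.checked_sub(amount).ok_or(ProgramError::InvalidAccountData)
}

/// FIX: only an account owned by this program can hold Vault data that the
/// program itself wrote, so verify the owner before trusting the bytes.
pub fn withdraw_checked(vault: &AccountInfo, signer: &Pubkey, amount: u64) -> Result<u64, ProgramError> {
    if vault.owner != PROGRAM_ID { return Err(ProgramError::IncorrectProgramId); }
    withdraw_unchecked(vault, signer, amount)
}
```

Running both paths against a constructed account that is owned by the signer rather than by the program shows the unchecked path honoring the forged balance while the checked path returns IncorrectProgramId.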