Web3 Is Supposed to Be Secure. What About All These Hacks?
Web3 promised us a new era of privacy and security, but a series of recent major hacks make all that look like a lie.
Hacks remain common in DeFi.
The promise of Web3 is that we'll get all the stuff we like about the internet, but with more privacy and a blockchain-based architecture to keep our data more secure than before.
Well, that's the theory. In reality, Web3 is becoming a security nightmare as a slew of recent hacks has left some wondering if they should just turn their money and data over to Mark Zuckerberg and call it a day.
The latest security disaster involves the play-to-earn game Axie Infinity, which is supposed to be the poster child for what Web3 can be. If you missed it, hackers broke into the Ronin "bridge" between Axie and the Ethereum blockchain and robbed it to the tune of $552 million at the time (now worth $630 million, since ETH is up)—a staggering amount even in this crypto gilded age.
Even more shocking is how the attack took place. As Web3 engineer Molly White explains, the crew behind Axie set up the bridge in such a way that it required only nine trusted validators—meaning that a hacker only needed to compromise five accounts to get the keys to the kingdom. And that's what happened. Even worse, it took six days for the Axie team to notice that $630 million worth of Ethereum had been looted and to tell users, whose money is now gone.
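The point about the bridge's validator set is worth making concrete: in a k-of-n signing scheme, the threshold k is exactly the number of validator keys an attacker has to hold, and the bridge itself has no way to tell a legitimate quorum from a compromised one. The following is an added illustration, not code from the column or from the Axie/Ronin project: a toy k-of-n bridge in which HMAC stands in for the real signature scheme (the threshold logic is the same), plus a simple withdrawal monitor of the kind that would have flagged an outsized drain long before six days had passed. All names, amounts and limits are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Withdrawal:
    """One withdrawal request across the bridge (constructed fields)."""
    recipient: str
    amount: int  # base units, constructed values
    nonce: int

    def message(self) -> bytes:
        # The bytes every validator signs; the nonce prevents replay.
        return f"{self.recipient}:{self.amount}:{self.nonce}".encode()


class ThresholdBridge:
    """Toy k-of-n validator bridge. Real bridges use ECDSA/EdDSA signatures;
    here each validator holds a secret and 'signs' with an HMAC-SHA256."""

    def __init__(self, validator_keys: dict[str, bytes], threshold: int):
        if not 1 <= threshold <= len(validator_keys):
            raise ValueError("threshold must be between 1 and the validator count")
        self.keys = validator_keys
        self.threshold = threshold

    def sign(self, validator: str, w: Withdrawal) -> bytes:
        return hmac.new(self.keys[validator], w.message(), hashlib.sha256).digest()

    def verify(self, validator: str, w: Withdrawal, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(validator, w), sig)

    def approve(self, w: Withdrawal, signatures: dict[str, bytes]) -> bool:
        # Only valid signatures from distinct, known validators count toward k.
        valid = {v for v, s in signatures.items() if v in self.keys and self.verify(v, w, s)}
        return len(valid) >= self.threshold


def simulate_approval(bridge: ThresholdBridge, w: Withdrawal, signers: list[str]) -> bool:
    """Would a withdrawal pass if exactly these validators' keys produced signatures?
    The answer depends only on whether len(signers) reaches the threshold, which is
    why the threshold equals the number of keys whose compromise drains the bridge."""
    sigs = {v: bridge.sign(v, w) for v in signers}
    return bridge.approve(w, sigs)


def flag_withdrawals(withdrawals: list[Withdrawal], per_tx_limit: int, rolling_limit: int) -> list[int]:
    """Detection side: return nonces of withdrawals that exceed the per-transaction cap
    or push the running total past rolling_limit. Alerting on this is independent of
    the signature check, so it still fires when a valid-looking quorum is compromised."""
    flagged, running = [], 0
    for w in withdrawals:
        running += w.amount
        if w.amount > per_tx_limit or running > rolling_limit:
            flagged.append(w.nonce)
    return flagged


# Constructed 5-of-9 validator set, mirroring the threshold shape described above.
VALIDATOR_KEYS = {f"validator-{i}": f"constructed-secret-{i}".encode() for i in range(9)}
BRIDGE = ThresholdBridge(VALIDATOR_KEYS, threshold=5)


if __name__ == "__main__":
    w = Withdrawal("0xRECIPIENT_PLACEHOLDER", 1_000_000, nonce=1)
    print("4 keys approve:", simulate_approval(BRIDGE, w, [f"validator-{i}" for i in range(4)]))
    print("5 keys approve:", simulate_approval(BRIDGE, w, [f"validator-{i}" for i in range(5)]))
    print("flagged:", flag_withdrawals([w], per_tx_limit=100_000, rolling_limit=500_000))
```

Raising the threshold is the single most important knob in this model: with the same nine validators, a 7-of-9 or 9-of-9 rule forces an attacker to hold correspondingly more independent keys, at the cost of liveness if validators go offline. The monitor is the other half: signature validity says nothing about whether a withdrawal is expected, so limits and alerting have to live outside the signing path.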
If a security team at a bank or a Web2 company behaved this way, they would be fired and face charges of civil or even criminal negligence. But since it's Web3, Axie leadership has offered only vague mumbles to the effect of what a shame this is. (Axie founder Jeff Zirlin tweeted on Tuesday, "It's a hard day," and two hours later, "This is when we show what we're made of.") As Bloomberg's Matt Levine archly observed, "Nobody cares less about information security than the builders of cryptocurrency projects."
The Axie debacle is hardly a one-off. Two months ago, hackers robbed Wormhole, a popular bridge to the Solana blockchain, to the tune of $320 million. Fortunately for users, the venture capitalists behind Wormhole, recognizing the terrible optics, decided to backstop the losses even as the engineers responsible all but shrugged their shoulders. Last week, $28 million was drained from Solana stablecoin protocol Cashio. Last August, Poly Network was hacked for over $600 million.
There are numerous other examples of Web3 users being robbed because the platforms they use are full of gaping security holes.
Meanwhile, more than two dozen Web3 companies, including Circle and BlockFi, revealed last month that they had been hit by a Web2-style attack. In that case, hackers compromised one of their marketing vendors and made off with a trove of customer data that is already being used to conduct phishing campaigns and other scams.
At this rate, Web3 risks inheriting the worst security failures of the previous internet but none of the accountability. At least big banks have insurance to make customers whole when they're robbed, while Big Tech firms deploy sophisticated security teams to guard their data. Many leading names in Web3, by contrast, appear focused on getting filthy rich by dumping tokens while not giving a fig about users left to navigate a predatory landscape on their own.
The token gold rush has led many to forget the values that gave rise to crypto in the first place. Those include building secure architecture and remembering Ethereum founder Vitalik Buterin's "blockchain trilemma," the notion that it's easy to achieve two of three goals when it comes to decentralization, scale, and security, but very difficult to achieve all three. By the way, Vitalik spoke up about bridges in January, warning they are simply not as secure as Layer 1 projects like Ethereum or Bitcoin.
And speaking of Bitcoin, I think this is one occasion where the broader Web3 world should consider learning from Bitcoin maximalists. Obnoxious though they may be, the maxis are right that there is nothing more battle-tested and secure than the Bitcoin blockchain—one of the big reasons Satoshi's creation remains the world's most valuable crypto. Web3 founders should take more time to build their projects in a similar fashion rather than hitting the gas in hopes of a quick token payoff. If they don't, Web3 risks losing the little credibility it's built.
This is Roberts on Crypto, a weekend column from Decrypt Editor-in-Chief Daniel Roberts and Decrypt Executive Editor Jeff John Roberts. Sign up for the Decrypt Debrief email newsletter to get it in your inbox every Saturday. And read last weekend's column: Vitalik Is the Crypto Hero We Don't Deserve.