Posted on

Web3 needs novel prevention tools for novel attack vectors: AI saves the day

In 2019, a multi-author report flagged over 34,000 poorly-coded smart contracts, which put over US$4 million at risk across protocols on Ethereum. Web3 stakeholders have thus put an almost obsessive focus on clean and bug-free code. They’ve invested massively in security audits, formal verifications, bug bounties, and other ‘hands-off’ methods. 

However, researchers and experts from the Forta Network community point out that robust code isn’t enough for optimal Web3 security. Most exploits have nothing to do with code. They’re market-driven and target components beyond the developer or project owner’s control: third-party oracles, APIs, frontends, private keys, etc. And a ‘hands off’ approach doesn’t work for this reason. 

There’s merit to this claim. It’s further evidenced by reports from firms like Immunefi and Blockchain Security Alliance which revealed that Web3 projects lost over US$3.5 billion to hacks, scams, and breaches in 2022 — a more than 50 per cent increase vis-à-vis 2021. And besides that, the Web3 ecosystem witnessed several high-profile crashes and insolvencies like Terra and FTX, jeopardising trust and confidence.

The Web3 community must thus rethink threat detection and prevention. It’s high time to build and adopt innovative, problem-specific solutions. Leveraging Artificial Intelligence (AI) and Machine Learning (ML) is crucial. But it also requires understanding Web3’s unique security concerns and where it currently stands concerning cybersecurity.

Panic mode and pause the protocol

Most Web3 projects enter into panic mode whenever they see any imminent threat. Their knee-jerk response in such scenarios is to ‘pause the protocol.’ Researchers at the Imperial College of London found that over 50 per cent of the 180+ smart contracts breached between 2018 and 2022 had useless pause functionalities.  

It currently takes around 24 hours to invoke a pause. That’s too slow, significantly, as hackers constantly improve their methods and processes. 

Also Read: How layer-2 rollups boost Ethereum’s scalability for broader Web3 adoption

Protocols usually have to pause everything since they lack targeted mechanisms. It’s a user experience nightmare that affects even legitimate participants for no reason. And this doesn’t help Web3’s goal of bolstering security for long-term, mass adoption.

The one-size-fits-all approach to Web3 threat prevention needs to be revised because each layer of the tech stack has different security requirements. Likewise, each alternative solution has its pros and cons. 

Projects thus need to choose solutions that best suit their risk appetite while prioritising user expectations. And in doing so, transparency is crucial since it enables users to make informed decisions. 

Projects must consider various factors while determining their threat prevention and mitigation strategies. For example, the adopted method should be feasible to increase the cost and friction for users. It’s essential to preserve composability, decentralisation, and robustness without introducing too much complexity or the scope for censorship. And above all, the solution should utilise the latest technologies for maximum potential.

Web3’s unique security concerns

Blockchain ledgers are often public, so anyone can know what each account holds. Vulnerabilities like smart contract bugs or compromised external dependencies can collapse entire financial systems due to knock-on effects. This underlines the unique nature of cybersecurity concerns in Web3. 

Though Web3 eliminates several attack surfaces common in Web2—like corruptible intermediaries, for example—it’s not 100 per cent attack-proof because there are blockchains underneath. On the contrary, Web3 introduces a range of new attack types, such as 51 per cent Attack, rug pull, reentrancy attack, etc. And the incentives to attack Web3 protocols are also more significant than in Web2.

In Web2, attacks like phishing happen via text messages or emails that trap users into sharing personal and identifiable information. In Web3, however, entering malicious sites or approving random EOAs can cause immediate and irreversible financial loss since hackers get access to users’ assets. The stakes are thus high both for attackers and their victims.

Another key challenge for Web3 security is the speed at which hackers invent unforeseen ways to exploit blockchain-based systems. For instance, while Web3 projects increasingly explored cross-chain bridges as a means to better interoperability, hackers managed to breach them and steal over US$1.4 billion. Rapid response and constant vigilance are mission-critical for robust Web3 security.

Threat prevention with AI and ML

AI is more than a cheeky technology coming to take away jobs and spread misinformation or fake news in the media. It’s Web3’s security lifeline, enabling tools to protect millions and billions of dollars worth of user funds. 

Coupled with ML, AI is a critical component of the efficient monitoring systems that leading audit firms like OpenZeppelin, ChainSecurity, MixBytes, etc., highly recommend. 

As Dr. Neha Narula from the MIT Media Lab says, “Machine learning can be used to predict and prevent future exploits. By analysing patterns and trends in data, it can identify potential vulnerabilities before they are exploited. This allows developers to take proactive measures to mitigate these vulnerabilities, making Web3 projects more secure for users.

Moreover, Web3 attacks aren’t usually atomic — they don’t happen in a single block. It’s thus essential to prioritise runtime monitoring, which can increase the chances of dodging attacks. This adds further weightage to the case for real-time security measures in Web3. 

Also Read: Creator economy: How Web3 is changing the game for content creators

Web3’s threat detection capability has improved significantly in recent years, thanks to various innovative projects like Forta, Halborn, and Cyware Labs. From advanced pen-testing and smart contract auditing to real-time ‘Attack Detector’ bots, these projects bolster security vigilance and due diligence in Web3.  However, stopping identified threats’s still a long way to go. 

Flashbots, Mem pools, and zKProofs

Frontrunning exploit transactions was a viable defence against Web3 attacks in the past. But the rise of private mem pools, Flashbots, high-rate L2s, and zkProofs has made this method increasingly challenging and effective. Coordinating block builders and relayers is another option, though temporary. 

That’s where AI-powered automated pausing mechanisms or ‘circuit breakers’ can come in handy, similar to legacy stock markets. They can trigger security responses based on data from monitoring systems, seamlessly connecting prevention and action. This was unthinkable in Web3 so far, but not anymore. 

Further, innovating ways to implement automated circuit breakers specifically, not globally, can finally resolve the utter helplessness with which Web3 projects face attackers today. 

It’s a long game. But with Web3 poised to become a US$6 trillion market by 2030, there’s a good reason to play it well. After all, securing the Internet’s next paradigm and global user community is a question. 

Editor’s note: e27 aims to foster thought leadership by publishing views from the community. Share your opinion by submitting an article, video, podcast, or infographic

Join our e27 Telegram groupFB community, or like the e27 Facebook page

Image credit: Canva Pro

The post Web3 needs novel prevention tools for novel attack vectors: AI saves the day appeared first on e27.