Overcoming the security flaws in Web3: How Web3 will be robust!

Table of Contents

Abstract – What is Web3? Introduction

Problems

  1. Authenticity and Privacy of Data:

  2. Ice-Phishing and wallet theft:

  3. API query security risks:

  4. Smart contract hacks:

  5. Network failure and data loss:

Solutions

  1. Decentralized Identifier protocol

  2. Hardware wallets and Multi-factor Authentication

  3. Parameterized Queries

  4. Code Audit

  5. Redundant network Structure

Conclusion

Abstract – What is Web3?

Web1 – The inception of the Internet on January 1, 1983, introduced a new model of communication called Internetwork Protocol (IP). IP brought websites and web pages, and the development of web pages was of key importance. This version of the web could only ‘represent’ information to the user, i.e. only the site administrator could feed and modify it. This version of the web was static and had limited expandability and usability.

Web2 – In early 1999, the next version of the Web emerged as more ‘dynamic’, introducing interactivity. Users could now interact with the information, add to it, and create content of their own. This brought sites like Facebook in 2004 and YouTube in 2005. Web2 is the current version of the web; one can observe that everything they do on the internet consists of three core improvements: absorbing, interacting with, or creating information.

Web3 – The next generation of the web introduces a huge leap in improvement with decentralization, tokenomics, blockchains, smart contracts, etc. It aims to deliver a core new improvement of enhanced ‘Security’ and seeks to achieve this through a change in the ‘infrastructure’ of the internet with decentralization, aka distributed ledgers. It incorporates the concept of “Owning” the Web as well. With previous iterations, users were limited to absorbing, interacting with, or creating information. Tokenomics lets users own data (i.e. the data that makes up the Web).

Introduction

Web2 introduced the idea of Centralized Security to the Internet with the launch of sites such as Amazon in 1994, Google in 1998, Facebook in 2004, and Twitter in 2006.

These and similar internet companies offered to store and optimize users’ data for security, improved user experience, and usability.

Users still store their data with such centralized hosts and sites. But with an increase in users and data, this model is increasingly vulnerable, i.e. data, users’ identity, privacy, etc. are being routinely compromised. Web3 poses a solution for this.

Lost security, privacy, and users’ control over data are some of the several Web2 drawbacks Web3 aims to solve. To date, it has seen prolific improvements and support from Internet, cryptocurrency, and blockchain enthusiasts.

But every iteration has some drawbacks and flaws in the beginning, and so does Web3. Unlike Web2’s, Web3’s flaws are much more alarming and, being based on new infrastructure, need to be addressed as soon as possible.

In this article, the objective is to bring Web3’s security flaws into focus, understand their impact on users, and aim for the best possible solutions.

Problems

Web3 contains a mix of security risks. They range from some Web2 risks, such as data privacy and phishing, to direct monetary risks and hacks specific to decentralized infrastructure. Risks and security flaws have always been part of the Internet, and the better we understand and fix them, the better we can scale. Starting with…

  1. Authenticity and Privacy of Data:

    The change from centralized storage of data to decentralized and distributed storage makes data prone to risks such as duplication, doubts about originality, and malware. The lack of anonymity of data on a public ledger brings a lack of privacy as well.

  2. Ice-Phishing and wallet theft:

    Users connect to the internet in Web3 with digital wallets. These wallets typically store cryptocurrencies, tokens, and other digital assets such as NFTs. Digital wallets (on-device wallets) are highly vulnerable to hacks and theft. A hacker can duplicate a wallet by getting hold of the “seed phrase”, a key phrase that gives the holder complete power over the various assets and the user's identity and is ‘often stored on the devices themselves.’ A hacker can also gain access to a user’s data through ice-phishing, in which the hacker makes a user sign a transaction that contains malware.

  3. API query security risks:

    APIs play a key role in Web3, enabling interoperability and system expansion. API queries let a user retrieve desired information from an API or make it perform an action. API queries can be exploited to gain access to sensitive information or to get control of the entire API of a software system. Web3 doesn’t have security protocols to keep exploiters from doing so. This makes the various software systems in Web3 possible victims; these systems range from DeFi protocols and users’ wallets to NFT marketplaces and bridges between cryptocurrencies.

  4. Smart contract hacks:

    A smart contract is a piece of code that performs an action when a condition is fulfilled. The code in a smart contract can be exploited to execute activities that can include the transfer of crucial information or digital funds. Hackers have gained access to numerous smart contracts in the past, one example being Axie Infinity’s $625 Million hack.

  5. Network failure and data loss:

    Nodes on the blockchain run the network. If several nodes fail, the network will be impacted (it might even collapse), causing data loss. As all data and resources in Web3 live on networks, a network failure can cause the Web to lose its data, which is as alarming as it can be.

Solutions

1. Decentralized Identifier protocol - (Authenticity and Privacy of Data)

The decentralized identifier protocol enables a user to create a verifiable identity. This verifiable identity, a Decentralized Identifier (DID), can store data and documents (such as an ID) required by the user to prove certain conditions or ownership without revealing the actual data, keeping privacy and authenticity intact.

A DID works through 3 components:

  • Method name: Name of the method used to create a DID.

  • DID Method-specific Identifier: An Identifier unique to the method used in the first place.

  • DID Document: It contains information related to the DID and the entity that created it i.e. storing the proof for verification.

Example: For a user to prove they are 18 or above without revealing their exact age, they can create a DID and store a document claiming the proof.

Whenever required, the user can allow the site or 3rd party access to that DID, which the site would verify using the machine-readable DID document.

Setting up and using a Decentralised Identifier (DID) consists of 6 steps:

  • Creating a DID: DIDs are created on specific blockchain networks. It requires a “Method” that consists of rules and requirements for it.

    The method used for creation is crucial, as the DID resolver later used to authenticate depends upon it.

    A DID created with a certain method can only be verified with the same type of DID resolver.

  • Generating DID documents: Once a DID is created, the next step is to generate a DID document.

    A DID document stores the information or data required to authenticate the identity. It can store links, music, video, image, text, metadata, etc.

  • Storing the DID document: A DID document is stored on a blockchain network using a decentralized storage mechanism such as the InterPlanetary File System (IPFS).

    The document is uploaded on the blockchain using such a system and a Content Identifier (CID) is created which is used to retrieve the document from IPFS.

  • Authentication: To authenticate, the user must prove that they hold control of, or know, the specific attributes of the DID, i.e. prove ownership of the DID and DID document.

    Example: Proving control of Private keys for the Public keys stored in a DID document.

  • Accessing Identity Information: A user can now access the Identity information of the DID. This information shall be used to verify their identity while logging into a site or accessing sensitive information.

  • DID Resolution: At resolution, a DID resolver takes a DID as input and resolves it to a DID document, identifying and sending the requested information to the requesting party, e.g. a site.
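
The three components and the method-bound resolution step described above can be sketched as follows. This is an added example, not code from the original article: the `ResolverRegistry` class, the `resolve_example` resolver and the in-memory document are hypothetical, the `did:example` identifier and key value are constructed, and the syntax check follows the W3C DID Core grammar.

```python
import re

# DID syntax per W3C DID Core: did:<method-name>:<method-specific-id>
_IDCHAR = r"(?:[A-Za-z0-9._-]|%[0-9A-Fa-f]{2})"
DID_RE = re.compile(
    rf"did:(?P<method>[a-z0-9]+):(?P<msid>(?:{_IDCHAR}*:)*{_IDCHAR}+)"
)

def parse_did(did: str):
    """Split a DID into (method name, method-specific identifier)."""
    m = DID_RE.fullmatch(did)
    if m is None:
        raise ValueError(f"not a valid DID: {did!r}")
    return m.group("method"), m.group("msid")

class ResolverRegistry:
    """Routes each DID to the resolver registered for its method."""
    def __init__(self):
        self._resolvers = {}

    def register(self, method, resolver):
        self._resolvers[method] = resolver

    def resolve(self, did: str) -> dict:
        method, msid = parse_did(did)
        if method not in self._resolvers:
            # A DID can only be resolved by a resolver for its own method.
            raise LookupError(f"no resolver for DID method {method!r}")
        doc = self._resolvers[method](msid)
        if doc.get("id") != did:
            raise ValueError("DID document 'id' does not match the DID")
        return doc

# Constructed document standing in for a ledger/IPFS lookup of a real method.
DEMO_DID = "did:example:123456789abcdefghi"
_DOCS = {"123456789abcdefghi": {
    "id": DEMO_DID,
    "verificationMethod": [{
        "id": DEMO_DID + "#key-1",
        "type": "Ed25519VerificationKey2020",
        "controller": DEMO_DID,
        "publicKeyMultibase": "z-CONSTRUCTED-PLACEHOLDER",
    }],
}}

def resolve_example(msid: str) -> dict:
    """Hypothetical resolver for the `example` method."""
    if msid not in _DOCS:
        raise LookupError(f"unknown identifier {msid!r}")
    return _DOCS[msid]

registry = ResolverRegistry()
registry.register("example", resolve_example)
```
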

2. Hardware wallets and Multi-factor Authentication - (Ice-Phishing and wallet theft)

Hardware wallet: Enables users to store cryptocurrencies, tokens, NFTs, and other digital assets off-network (unlike digital wallets that store them on-network), eliminating the risk of wallet or asset theft.

Example: If a hardware wallet gets stolen, it is equally challenging to access its data or funds, as most hardware wallets are equipped with a secure PIN that acts as a gatekeeper. In such cases, a user can also duplicate the hardware wallet onto a new wallet with the help of the “Key-phrase”.

Multi-factor authentication (MFA): Refers to increasing the number of authentication gateways before accessing the funds or data.

Sites and digital wallets shall make MFA mandatory at user sign-up. It will provide users with 2 things:

  • First-hand experience with the interface of MFA, how to use it, and its ease of setting up.

  • More layers of security that require different authentication modes, making it hard for a hacker to access the funds on a digital wallet.

Example: Google Authenticator is easy to use and free for users. While signing up, a user would install the app on their Android/iOS mobile phone and set it up using a QR code shown by the site or business.

The app then repeatedly generates one-time passcodes (OTPs), each valid for 30 seconds or more. When a user signs in, the passcode currently shown in the app is the valid one.
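
The server side of the passcode check described above, as an added example that is not part of the original article: it implements the time-based OTP algorithm (RFC 6238 over RFC 4226) that authenticator apps use, with a drift window and replay rejection. The `window` and `last_used` parameters are assumptions of this sketch, and the secret is the published RFC test key.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed steps."""
    return hotp(key, int(at) // step, digits)

def verify_totp(key, submitted, at, step=30, digits=6, window=1, last_used=-1):
    """Server-side check. Returns the matched counter, or None on failure.

    window    - steps of clock drift tolerated on either side (assumed: 1)
    last_used - counter of the last accepted code; anything at or below it
                is rejected so a code seen once cannot be replayed
    """
    current = int(at) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_used:
            continue
        expected = hotp(key, counter, digits).encode()
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(expected, submitted.encode()):
            return counter
    return None

def key_from_base32(secret: str) -> bytes:
    """Authenticator apps receive the shared secret Base32-encoded."""
    return base64.b32decode(secret.upper())

# Constructed secret: the published RFC 6238 test key, never a real one.
DEMO_KEY = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")

if __name__ == "__main__":
    now = time.time()
    code = totp(DEMO_KEY, now)
    print("current code:", code, "accepted:", verify_totp(DEMO_KEY, code, now))
```

A caller stores the returned counter per user and passes it back as `last_used` on the next sign-in.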

3. Parameterized Queries - (Lack of security on API queries)

A primary way to hack an API and access sensitive data is SQL injection, where a hacker injects malicious SQL code into an API query, gaining control over the API or access to data.

Parameterized queries prevent this by creating a query with ‘placeholders’ for user input. The values supplied for the placeholders are treated as ‘data’ by the API, and not as executable code.

Example: An SQL parameterized query with placeholders can look like this:

    SELECT * FROM users WHERE username = :username AND password = :password

The placeholders “:username” and “:password” are bound to the user’s input when the query runs, creating a parameterized API query ready to operate.
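
The difference between building the query by string concatenation and binding the same input to the placeholders, as an added example that is not part of the original article. It uses Python's built-in sqlite3 module, whose named placeholders match the `:username` style above; the table, account and crafted input are constructed.

```python
import sqlite3

def make_db():
    """Constructed in-memory table mirroring the article's `users` query."""
    db = sqlite3.connect(":memory:")
    # Plaintext password column only to match the article's query;
    # a real system stores a salted password hash instead.
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", "correct-horse"))
    return db

def login_concatenated(db, username, password):
    """Weak form: user input is pasted into the SQL text itself."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    """Hardened form: the SQL text is fixed, input is bound as values."""
    sql = ("SELECT username FROM users "
           "WHERE username = :username AND password = :password")
    params = {"username": username, "password": password}
    return db.execute(sql, params).fetchone() is not None

# Constructed input: the quote ends the string literal in the concatenated
# query, so the remainder is parsed as SQL instead of as a password.
CRAFTED_PASSWORD = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for fn in (login_concatenated, login_parameterized):
        print(fn.__name__,
              "valid:", fn(db, "alice", "correct-horse"),
              "crafted:", fn(db, "alice", CRAFTED_PASSWORD))
```
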

4. Code Audit - (Smart contract hacks)

Smart contracts can contain code with vulnerabilities, creating potential security risks and openings for an exploiter.

‘Code Auditing’ becomes essential to prevent possible hacks or breaches. The smart contract ecosystem is new and still growing, leaving gaps for security flaws.

Code auditing helps find and prevent drawbacks such as:

  • Indirect execution of unknown code.

  • Incorrect calculation of output token.

  • Missing return value for ERC20 token, etc.

A code audit takes place in 4 stages:

  1. Code Audit: A security auditor tests and goes through the code of a smart contract, identifying points of risks and loopholes.

  2. Audit report: Based on the audit, a report is prepared stating severe risks and their fixes. A programmer then implements these fixes in the code.

  3. Review: After the fixes, the auditor re-checks the code one last time to confirm whether the fixes are correctly placed.

  4. Approval: If everything is correctly placed, the auditor approves the code and the smart contract.

Auditing helps identify potential risks of attacks in smart contracts such as the “Fake deposit attack”, where an attacker takes advantage of flaws in a smart contract’s code to trick the system with a fake deposit from the source chain.

5. Redundant network Structure - (Network failure and data loss)

A redundant network structure is a network configuration that adds additional units of components with the same functionality, such as hardware, software, or other network-related components.

Therefore, when a few components break down, the additional units step in and restore the network, preventing failure and data loss.

In Web3, a redundant network structure is to be created by increasing the number of nodes and validators.

Example: For a Proof-of-Stake (PoS) network, increasing the number of validators will create a redundant network structure. This can be achieved by decreasing the token amount required for staking to attract more people.

Thereafter, when two or more validators fail, the additional ones take over and prevent the network from failing.

Increasing the number of validators boosts security for the network as well, as an attacker would need to tamper with more validators in order to have >51% control.

Conclusion

The new infrastructure of Web3 brings some flaws and drawbacks related to its security. But, with new infrastructure comes newer solutions to such newer problems.

In this Whitepaper, we covered 5 of the most concerning and sensitive problems (and their solutions) in Web3 security:

  • Authenticity and Privacy of Data

  • Ice-phishing and wallet theft

  • API query security risks

  • Smart Contract hacks 

  • Network failure and data loss

These problems impact users, data, systems, tokens, and networks. Their impacts can range from loss of sensitive information to Millions of dollars in tokens and cryptocurrencies.

The solutions are a combination of user awareness, system changes, and network-wide changes:

  • Decentralized Identifier protocol

  • Hardware wallets and Multi-factor Authentication

  • Parameterized Queries

  • Code Audit

  • Redundant Network structure

These changes aim to make the decentralized structure of Web3 robust.

Thanks for Reading!

Follow me on Twitter. I’d love to hear your valuable opinions!

Subscribe to Mani Mrityunjay