Security in Web3

Blockchains are very secure – but there are weaknesses that have been exploited.

Validator nodes

What are validator nodes?

Any blockchain requires a consensus mechanism. This is a system for validating the encrypted data in each block in the chain. There are various systems for doing this, as discussed elsewhere in this pathway.

But what do we mean when we say ‘validation’ of blocks in a chain? How can people validate all that data?

Well, the only way is to download it all as a spreadsheet, and visually check every single row of course! Just kidding.

Validating the data in a block is in fact an entirely automated process, with no human involvement at all. For this to happen, the person participating in the consensus mechanism needs to be running a special software that can validate the block for them. Devices that run this software are known as ‘validator nodes’, and they are essential to the operation of the blockchain.

Challenges of blockchain validation

However, validator nodes pose a problem to most regular users. Most people don’t want to set up a dedicated computer to run a complex software that may or may not remunerate them with a digital currency.

That means that, in reality, most people won’t be participating in validating the blockchain. They will effectively be relying on other people to do that for them. This could lead to very large conglomerates running the majority of validation nodes, and dominating the supposedly decentralized playing field.

Moreover, this isn’t just an issue of access. One of the lessons learned from the transition from Web1 to Web2 is that people didn’t want to run their own servers – they’d rather have the economies of scale and quality assurances associated with centralized servers. Of course, centralization is exactly what Web3 is attempting to avoid, so mechanisms and incentives are critical to ensure centralization doesn’t replicate the problems of Web2 in the Web3 world.

Governance attacks

The nature of the Blockchain is that when developers provide updates, these have to be agreed to by the majority of users. This means that the majority of users, rather than a centralized body, governs functions on the Blockchain.

However, this means that if a criminal can get access to the majority of blocks on a given chain, they are able to change the rules of that chain. Maybe they’ll change the rules so only they can mine new coins. Or maybe they’ll change the rules that means every transaction gives them a cut.

Obviously, governance attacks are not a threat on huge blockchains like Bitcoin or Ethereum because they have so many different users. However, on smaller blockchains, it is easier for criminals to take control. This may also happen through them loaning out different coins so they temporarily own a majority. In fact, on the Beanstalk blockchain, over $77 million was lost through a governance attack re-regulating liquidity pools.

Of course, if the community involved in running a protocol sees an attack like this take place, they can always ‘fork’ or copy the code into a new entity, exclude the attackers and continue as normal. In any case, governance attacks are an important threat to consider when managing a blockchain protocol.

Decentralized code updates

Another quirk of the decentralized blockchain is that it can be difficult to patch bugs in the code. The vast majority of ways hackers can get into a system is through exploiting bugs, or undesired vulnerabilities in the code. In Web2, developers will patch these bugs and force all users to get the update – this is something that already happens with apps, web services and operating systems.

In Web3, a decentralized protocol run by a number of developers across the world would require a majority of users to approve any changes. For a number of reasons, this process may take longer than if a centralized entity like Apple decided to update one of its software products. Many users might be suspicious of a new update. As a result, patching holes in Web3 can be much slower than in Web2. This means that users could be exposed unnecessarily to security vulnerabilities for longer.

Identity in Web3

Currently, to get into different online services, you need to uniquely identify yourself for each one. Everyone has a username and password for different services like Facebook, Google and Amazon. This means you share your personal data many times over with many different companies.

In Web3, there isn’t yet a clear standard for identity management. The W3 Consortium – the people who made the HTTP standard for the World Wide Web – have created a decentralized identity standard called DIDs. This makes it possible to ‘bundle’ a group of wallets under a single identity – effectively allowing you to have a unique, unfalsifiable online identity card.

Other standards are being created by other institutions to create a Self Sovereign Identity (SSI). To get one, you will need to apply to an issuer, who will ordinarily be a government body. They will then add the SSI to an online international registry.

SSIs could be a powerful tool for online identity management. For example, to enter Facebook, you need to be over the age of 18. Currently this is verified by Facebook when you enter your date of birth. However, with Self Sovereign Identities, Facebook would be able to ask a trusted registry whether you are over the age of 18. This is both a more reliable system and a more secure one – it means you don’t have to share your date of birth with Facebook, who currently use that data for profit.

Smart contract audits

Another aspect of good web security in Web3 is through the auditing of smart contracts. As we already know, Smart Contracts are contracts between two parties, enforced by the blockchain. Like a regular contract, they make it possible to trust in a deal reliably without necessitating simultaneous exchange. However, since smart contracts are written in computer code, they’re not comprehensible to anyone without a strong knowledge of computer science.

Therefore, just as people would engage a lawyer to audit an ordinary contract, you can engage a programmer to do a Smart Contract Audit. This prevents you from agreeing to a Smart Contract where the person you are engaging with has put in a hidden clause that is harmful to you. Smart Contract Audits are a great way of ensuring that your interests are protected. Such smart contract audits can be costly however.

Where’s the deterrent?

Another security concern in Web3 is the lack of a credible deterrent. One of the primary things deterring a scammer in the Web2 universe is the threat of consequences if they are caught. Law enforcement will identify them and the scammer may face criminal charges.

However, this is significantly harder to do in Web3. Because users don’t have to give their personal information to a centralized database, there is a greater level of anonymity. This means that law enforcement bodies can’t identify scammers as easily and bring them to justice. As a result, many scammers will perceive there to be no downside to engaging in internet criminality.

In spite of this, as Web3 matures, the onus will be on developers and regulators to find innovative new ways of ensuring that there is the right balance between protecting user identifies and ensuring digital accountability. Only time will tell whether they’ll be able to find the right equilibrium.

The liberty security equilibrium

In Web2, the internet started out as a place of interaction entirely with good intentions. However, as it developed, malicious actors began to use it for scams, and spreading misinformation. Web3 is likely to follow a similar pattern of development – there have already been plenty of bad actors in the space.

What’s the solution to this? On the one hand, some government regulation and enforcement is required to ensure that Web3 doesn’t become overridden by criminal activity. However, overregulation can restrict innovation which goes against the very essence of Web3.

As a result, in creating frameworks for the governance of Web3, developers and governments are going to have to think about how to balance liberty and security.

You will forget 90% of this article in 7 days.

Download Kinnu to have fun learning, broaden your horizons, and remember what you read. Forever.

You might also like

Redefining Communities;

How DAOs may radically reshape all forms of human organization.

Introduction to Web3;

An introduction to the wild world of Web3

What is Web3?;

A fad or the next technological revolution?

What’s a blockchain?;

An overview of the technology that makes everything in Web3 possible.

How does Decentralized Finance Work?;

How descentralized finance (DeFi) is shaking up financial services.


Crypto doesn’t have to be cryptic. An explanation of how cryptocurrencies work, starting with the first principles of economics

Leave a Reply

Your email address will not be published. Required fields are marked *