Web3 photo illustration

Web3 learning from Web2 mistakes

While Monier Jalal is only a few months into his role as vice president of marketing at blockchain security provider CertiK, he already sees parallels between the evolution of Web3 and its earlier iterations. 

CertiK uses AI to secure and monitor blockchain protocols and smart contracts through unique innovations from academia.

Monier Jalal.

Jalal has spent two decades in cybersecurity in a variety of roles. He said he has been watching blockchain technology’s evolution for the past five years, and while there was early growth, Web3 is what caused its adoption to explode.

Web3 is different than Web2 in some key aspects, he noted. Because Web2 is centralized when issues occur, a company can issue a patch or even a fix during run time. Once it’s out there with Web3, it’s out there.

One of the common threads in the evolution of both Web2 and Web3 is they both spawned furious levels of innovation and competition.

Creators wanted to get their solutions to market as quickly as possible, which could produce security vulnerabilities. As Web2 evolved, the enterprise eventually saw the need to ensure security from the onset, but it took time. Web3 collectively is still learning that lesson.

Verification with AI

Jalal said auditing generally involves analyzing code to determine if there is a bug. Suppose someone finds one they recommend fixing. It’s a process with human limitations at its core. 

CertiK’s formal verification process looks at technology mathematically by analyzing all of the permutations and combinations for a specification to see what could go wrong. Jalal said it is pretty different from a straight human inspection.

There are several common issues often identified by audits, according to CertiK’s State of DeFi Security 2021 Report. Believe it or not, centralization was a top problem. Of the 1,737 audits performed by CertiK in 2021, 286 identified discrete centralization risks.

The report cites the example of DeFi protocol bZx, which was hacked for more than $55 million last November because of private key mismanagement, which allowed the criminal to assume control of all contracts controlled by that key.

Missing event emissions were found 211 times. When certain functions are performed, they should emit events as notifications to users because key variables or processes are changed somehow.

Unlocked compiler versions identified 176 times can allow a user to compile a contract’s source code at or above a particular version, leading to code differences in the separate versions.

Validate those inputs

CertiK audits also found 104 examples where lines of code lacked proper input validation. Validating inputs limits the ability to create unknown and hazardous events on a smart contract, especially when users can interact with components throughout a smart contract.

Other issues include gas optimization challenges, where faulty code could produce higher gas fees on a blockchain.

Jalal said in a sense, the industry gets the issues, but it all comes down to writing single lines of code. It can be hard to see how that line relates to the larger whole at that granular level.

“But when you get down to the lines of code, it’s not ( easy to see), and you’re running so fast,” he explained. “It’s not so obvious that you’ve you’ve created yourself an issue.”

Another vulnerability to watch is the bridge being built between blockchains. Developers will seek to scale as the industry matures by creating links between successful blockchains. As with any technology, vulnerabilities can occur during the transfer between different units.

Jalal refers to these bridges between blockchains as connecting islands. A proper audit serves as similar to a structural inspection on an actual bridge.

A system is only as strong as its weakest link, with audits meant to identify those and, if the company chooses, to improve them.

Insurance will emerge

As DeFi, IoT, and the related dollar amounts invested in the sector grow, there will be a growing insurance presence. With that, providers will pressure governments and industry bodies to apply common minimum standards to receive coverage.

When applied to DeFi and smart contracts, Jalal finds it troubling. Given all the connections between different entities, what exactly are you protecting? Where does liability begin and end?

“When you’ve got a full breadth and length of interconnects with transactions, it feels dangerous to do that,” he said. “There’s still the issue that you can have a situation where you get vulnerable, or you have a vulnerability in an area that you didn’t own. 

“So what do you what are you insuring for? The idea of decentralization is that you don’t own everything. It is all fragmented. Go back to the web — you could ensure that because you have control points, it’s all centralized, you own it all. So you can step up and say you’ll set up insurance around this. 

“It’s totally the opposite way right for decentralization. It’s fragmented. It’s out there. I’m not sure how that would take off.”

Cautious approach

Jalal said CertiK is cautious about giving its seal of approval to any project for several reasons. An audit does not mean a company will never get hacked. It identifies areas where code can be improved and better secured. It’s impossible to guarantee nothing will go wrong. A firm paying for an audit may not even act on all recommendations.

“We’re trying to build trust here and make things secure… but at the end of the day, it is the people that contribute to making these applications, smart contracts, and blockchains. It’s up to them to adhere to the security principles.”

Jalal said that those who want the industry to maximize its potential and not just make a quick buck need to educate each other about the importance of a strong foundation and executing on necessary improvements. They did it in Web2, and they’ll be doing it here in Web3 for some pretty fundamental reasons.

“If you get it early, it’s going to be $1,000 to fix versus a billion dollars to fix whatever that is, right?” Jalal explained. “Because once it’s out, the ramifications are much higher.

“And if you think about it from beyond just the report, even if you can educate developers in the principles of secure coding, it’s going to help. I think there’s a crazy party going on at the moment. It’s just an explosion that’s happening, and people are trying to get out as fast as they can at an even more profound rate than Web2. I think we will get there eventually to the core — more secure coding principles.”

Marry security to product

What other lessons can we learn from the evolution of Web2? Jalal said the industry would look for ways to marry security to the development process seamlessly.

Early iterations of Web2 security were about stopping the bleeding by finding the issue, but eventually, the industry evolved to building solutions that seamlessly integrate into the development process.

Hopefully, soon, systems will automatically autocorrect faulty code as it is being created. Good things are happening, but the industry is not there quite yet.

Investors like what CertiK is doing. Last December, they completed an $80 million Series B2 round led by Sequoia and existing investors, including Tiger Global, Coatue Management, and GL Ventures. It brings CertiK’s valuation to nearly $1 billion and is the third round of capital raised by CertiK within four months, totaling north of $140 million.

“It’s multiple things, it’s volume, it’s acceleration of revenue that’s happening,” Jalal concluded. “It’s the team. It’s the founders that have really attracted some key investors. If you think about… the investment and how that happened in a short time…that really says a lot’s right for the company.”

  • Tony Zerucha

    Tony Zerucha is a long-time contributor in the fintech and alt-fi spaces. A two-time LendIt Journalist of the Year nominee and winner in 2018, Tony has written more than 2,000 original articles on the blockchain, peer-to-peer lending, crowdfunding, and emerging technologies over the past seven years. He has hosted panels at LendIt, the CfPA Summit, and DECENT's Unchained, a blockchain exposition in Hong Kong. Email Tony here.