I've recently come across a new report from Forrester saying that "Web3 applications (including NFTs) aren't just vulnerable to attack, they often present a broader attack surface (due to the distributed nature of blockchains) than conventional applications do."
This finding sparked me to talk to a Web3 expert to dive deeper into the Web3 cybersecurity space and see what risks exist and can potentially plague the market that's worth almost $3 billion (as of 2021).
I've reached out to Hartej Sawhney, Founder and CEO of Zokyo, a venture studio that builds, secures, and funds crypto, DeFi, and NFT companies. As a Web3 industry pioneer, Hartej has played a key role in elevating standards in the digital asset ecosystem and introducing products and services that set the industry benchmark for security, transparency, and compliance.
In particular, we've talked about common cybersecurity vulnerabilities identified during smart contract audits, the role of social engineering in web3-related cyber fraud, what cybersecurity risks should be taken into account before investing in web3 application development, how to protect NFTs, and more.
Enjoy the conversation!
Hartej, could you tell me more about yourself and how you became a blockchain/web3 security expert?
Sure! I got into crypto seriously while living in Las Vegas in 2013. At that time, I was running a fintech startup called Zuldi – a mobile point-of-sale (PoS) solution that integrated with food and beverage legacy PoS systems.
In 2016, I co-founded Hosho alongside Yo Sub Kwon, a "crypto OG," with the vision of building a company that would sit at the intersection of blockchain and cybersecurity.
At the time, there was no company in the world that was sitting at this intersection. Of course, some companies did carve out a separate division within their larger entity to focus on smart contract auditing. Still, there wasn't a single company that would call itself "a crypto/Web3 cybersecurity company" and would cover more than just source code and smart contract auditing. That being said, there was no company specializing in things like infosec, operational security, penetration testing, and compliance in general.
We built up Hosho very fast. Based out of Las Vegas, USA, we quickly grew to a team of 37 people and generated about $4 million in revenue in just the first 12 months of the company's existence. We were not remote-first, and most of our employees were based in Las Vegas. We learned many lessons from having that approach.
We never launched our ICO because we could not come up with a reason why a smart contract auditor would need their own token. So, we never launched our own token and decided not to raise venture capital, especially at that time. This was mainly due to the fact that we didn't build our own products. At our core, we were still a services-oriented business which was not very attractive to Silicon Valley venture capitalists.
In 2018, the crypto market crashed, and all demands for smart contract auditing essentially vanished. We could not maintain an expensive team of famous and reputable white hat hackers working for us in our Las Vegas office. So, tragically, we had to let everybody go and lay off our team.
Shortly after that, I moved from Las Vegas to Kyiv, Ukraine. Within two months, I began setting up Zokyo and hiring Ukraine-based smart contract auditors. We put up a landing page for Zokyo and started auditing smart contracts. During the bear market, the work turned from auditing smart contracts for ICOs to auditing chunks of layer 1 blockchains.
Before we knew it, DeFi summer came around, and demands for smart contract audits returned. At the time, I traveled worldwide, speaking at major blockchain and crypto conferences and throwing private events where we curated the best blockchain builders in every major geography. Due to this fact and thanks to my track record at Hosho, it didn't take long for me to get contacted by companies seeking cybersecurity solutions, especially smart contract audits.
When you audit smart contracts, do you often find cybersecurity vulnerabilities in them? What are the most common types of cyber attacks on smart contracts? And what do you do if/when you find a loophole in a smart contract being audited?
When we audit smart contracts, we sometimes encounter vulnerabilities like reentrancy, malicious libraries, ERC20 API violations, implicit visibility levels, unsafe type inferences, DoS with block gas limit, and timestamp dependencies. Whenever we encounter potential vulnerabilities, we share our findings with the development team and provide them with an opportunity to fix them. Once the team has fixed all the identified vulnerabilities, we will audit the smart contract again.
Most often, seasoned developers learn lessons from the most common mistakes made over the years and try not to repeat them.
Nowadays, most of the critical vulnerabilities come from the underlying business logic of the contract and edge cases that developers have not considered when writing the code. This is why it is crucial to conduct line-by-line manual code reviews.
In general, what does it take for a smart contract to pass the Zokyo audit with flying colors?
Smart contracts that pass our audits implement best practices and do not have a contract owner with special powers. For example, robust design that might mitigate problems in case of a black swan event—decentralized in terms of ownership, not allowing any actor to have too much power or control over the implementation or logic.
It's important to conduct unit tests with 95% or even 100% coverage. The team will fix all the bugs based on our recommendations regardless of the severity level. We will also have open discussions about future development plans and how they could affect the actual product.
What cybersecurity risks should be taken into account before making an investment into building a web3 application, decentralized platform, or Token?
Before investing, it's important to engage in multiple concurrent audits with reputable team members. You must study the audit reports to understand the design or logic of the product from a high level. First of all, audit reports are created for the community, second for investors, and third for the development team.
Is it true that Web3 demands security to be more preventative rather than responsive as opposed to Web2? Why?
Web3 transactions are immutable. So, they cannot be reversed once they take place. This makes preventative security critical to web3 as the financial impact can be significant. As such, it's a departure from web2's reactive detection and response security model.
Blockchain networks are particularly attractive targets for cybercriminals due to digital and often tangible assets managed on them. Based on your firsthand experience at Zokyo, do you see an increased use of social engineering scams, such as ice phishing, in web3? And if yes – could you tell us more about their impact on web3 security and how they should be combatted?
Social engineering attacks continue to plague the industry. However, social engineering in web3 is a little different. Instead of sending a phishing email, threat actors may also compromise a popular Twitter account and promote crypto giveaway schemes and NFT projects to unsuspecting users.
Phishing is what recently led a hacker to gain access to Sky Mavis's four Ronin validators and a third-party validator run by Axie DAO.
Web3 companies cannot afford to implement a reactive and incident-driven security approach.
Companies, even the early-stage ones, need to hire a Chief Innovation Security Officer (CISO) that leverages the CISO Council's Handbook that lays out the best standards and approaches toward cyber regulations. The CISO Handbook covers one of the most important frameworks – NIST (National Institute of Standards and Technology) from the US Department of Commerce.
I saw Zokyo among Tier1 crypto funds investing in famous projects such as Layer Zero. How do you choose the companies you are investing in? And which web3 sector is the most booming right now?
Zokyo partners closely with many top-tier investment firms and has built up the internal expertise and resources to conduct projects' technical and security investment diligence. Companies that we invest in pass both qualitative and quantitative due diligence. We have supported an array of early-stage companies with tech architecture, engineering smart contracts, designing and reviewing token economics, and cybersecurity. Much of our investment focus has been on core crypto infrastructure.
Hartej, on LinkedIn, you call yourself an "NFTs hoarder." What cybersecurity risks do you personally care about the most when it comes to keeping NFTs collections? And how can they be protected against web3 fraud?
Sadly, in 2022, we have seen more than a 6x rise in losses from NFT crimes. Most of the NFT crimes I've seen are malicious signatures/errors that have nothing to do with storage or seed phrases.
The issue with NFTs is that they are meant to be interactive; you can't just vault them. People are often advised to use a hardware wallet. Still, a hardware wallet such as Ledger can't save you when you're signing malicious transactions.
To secure your NFT portfolio, you need to have a layered structure when using a hot wallet, a cold wallet, and a vault (a second hardware wallet). Use a hot wallet to mint NFTs and interact with contracts. You only want to have the necessary funds to mint/buy an NFT in specific periods of time. In a cold wallet, you will store the assets you list for sale. Third, you have a vault that conducts solely in/out transactions. Still, you never connect this wallet to any website or interact with any contracts.
When it comes to user-maintained spaces in web3, there's a statement that if users fail to implement proper cyber hygiene and protect their own data and privacy, there will likely be few other enforcement mechanisms in place. This represents an intrinsic risk to the security of the web3 infrastructure itself. Is it true?
As a user, you must be sure that you follow cybersecurity best practices, especially in this space. The whole point of web3 is to empower users and give them complete control. However, this is a double-edged sword because it makes users more responsible for their data. As such, in web3 (more than in web2), social engineering attacks like phishing, keyloggers, and malware can be far more destructive than in web2 because they can lead to significantly higher financial losses.