Web 3.0 & Decentralized Security

By: Nolan Marolf

Introduction:

Bitcoin, Ethereum, dApps, DeFi and DAOs are just a few of the newest technologies being created that are pushing the abilities the internet to a new generation. What are these new technologies? Are they secure? These are some general questions about the new emerging technology known as blockchain. In this blog post I will be going through what these technologies are and the security risks posed from them. This new generation of the web is being titled “Web 3.0”, but what was web 2.0 and 1.0?

Web 1.0:

Web 1.0 was born in 1900s when a man named Berners-Lee wrote the three fundamental technologies the web today. These technologies were HTML, URLs, and HTTP. These technologies, a coding language that could be interpreted to display information, the unique address specifications of these servers, and a protocol that is used to transport this information between two computers. Web 1.0 was the era of the Netscape browser and static webpages that were retrieved from servers.

Web 2.0:

Web 2.0 was the era of dynamic webpages, user-generated content, and social connectivity. Companies like Google, Apple, and Firefox created new browsers that were used to serve dynamic content to the user that allowed users to click buttons, sign in, and view these websites from the convenience of their “smart” devices no bigger than your hand. This allowed for anybody with a connection to the internet to view these websites and further connect society. These new websites built for Web 2.0 were hosted on big, centralized servers owned by one organization or the other. These servers can display webpages to millions of users simultaneously. One of the biggest developments for security during this time was TLS and HTTPS which helps secure user’s information is not free for everyone to view. This is due to the crime that runs rampant on the internet. Although Web 2.0 gave everybody who had access more freedom, it quickly became a lawless land that mostly self-educated computer specialists could steal your money, information, and identity. However, people soon found out that although new layers of security could be added, their information was always at risk and wanted to protect their freedom and Web 3.0 was born.

Web 3.0:

Web 3.0 is built on the idea of decentralization, by giving power to the users rather than to the corporations that run it. The first step of the decentralization of the internet was the idea of a decentralized finance system (DeFi) which didn’t rely on a central organization to ensure the validity of a currency but rather relies on the properties of mathematics.

Bitcoin and the Blockchain:

The first successful electronic currency created was Bitcoin. Bitcoin was created in 2009 by  the anonymous group or user named “Satoshi Nakamoto”. Bitcoin is a block-chain that contains the ledger of all transactions ever made with the currency. Each block is a hash of a group of transaction, usually over 500 transactions are inside a block. To hash a block, requires a node, or user running the blockchain, to complete a difficult math problem involving find the nonce value in an Elliptic Curve hash. If the value discovered is correct, the node broadcasts the new block-chain to all the other nodes on the chain and the cycle continues. Another benefit of Bitcoin is the privacy of identities. Bitcoin transactions are not done with names or account numbers like typical banks. They only show the public digital signature of the user that created the “wallet” that holds the blocks of bitcoin. Bitcoin incentivizes nodes to hash groups of transactions by rewarding the first node to broadcast the correct hash of the next block. The Bitcoin currency was the first technology to be a currency that is fully decentralized and has no central authority. The benefits of Bitcoin are it allows its users to complete fully anonymous transactions without trusting the other party. After many years, the Bitcoin has become a popular technology used by millions of people, only strengthening the Bitcoin network. After the success of Bitcoin, other blockchains were created. The next most popular blockchain is known as Ethereum.

Ethereum & Smart Contracts:

Ethereum was released in 2015 and was meant to be another decentralized blockchain but to have a different purpose from Bitcoin. Ethereum used the idea of a blockchain but intended for Ethereum to be used to build decentralized applications, which would be secure and efficient. This is done by creating an abstract foundational layer where anybody can create their own version of a Namecoin and related protocols easily. Another feature that sets Ethereum aside from Bitcoin is the ability for smart contracts to be programmed. Smart contracts are “contracts” that are executed when certain conditions are meant and are used to build on top of the Ethereum platform. These contracts are coded in high-level programming languages like Solidity or Viper. These are compiled, just like any other language and are then deployed to the blockchain. Like Bitcoin, changes to Ethereum blockchain require gas fees. A smart contract is also a change to the blockchain. Once you deploy a smart contract to the blockchain you cannot change it, it is immutable(kind of, I’ll get into it later). These gas fees are due to the fact that to validate changes to the blockchain, nodes must use computational power which comes with costs some money. To incentivize nodes to stay on the network and validate changes to the chain, nodes are rewarded with the gas fee for each block that is validated.

Note: This is because both Ethereum and Bitcoin are both proof-of-work blockchains. There are other blockchain technologies that use proof-of-stake to validate transactions to the blockchain. It has been speculated for a few years that Ethereum is going to switch to a proof-of-stake method and that is rumored to occur sometime in the Summer of 2022. This would no longer require nodes to complete difficult math problems to validate changes on the chain rather it would require nodes to “stake” Ethereum on the blockchain to be considered trustworthy enough to validate blocks. Because you have to “stake” Ethereum to be a validator, it doesn’t make sense to attack the Ethereum blockchain because you would only be devaluing your own currency that is stacked on the blockchain.

Deploying a Centralized Application:

Compared to deploying a centralized application, deploying a decentralized applications(dApp) get complicated quickly. First, I will go over deploying a centralized web application and what’s different when deploying a decentralized application When deploying a web application on the current web, all you need is a frontend(Javascript, HTML, and CSS page), a backend(Node.js, Java, or Python application), and a database(MySQL or others) to store persistent data between sessions. To create a Web 2.0 application, it would look like this.

Example Logon to a Centralized Application:

For a user to login for example. They would click on the text box and type in their username and password on the front-end page. Then, they would hit the submit button which would send the username and password to the back-end. The back-end would then query the database to see if your username exists, and if it does exist, is your password correct. The database would return query of your username and password. If the back-end decided the username and passwords match, you could log on. The database would then send more information about your account specifically back to the back-end. The back-end would then communicate to the front-end to serve a new page to the user. This page would be full of information retrieved from the database send through the back-end to be displayed on the front-end. This information might include, number of messages, number of notifications, balances, or other information.

Deploying a Decentralized Application:

Now you can see what a current web application is made of, lets talk about what is the same, and what’s different within a Web 3.0 application. First, front-end stays the same, kind of, I will revisit this. To host an application, you will always need there to be a front facing server that displays the different pages of your application. However, now, you no longer have a centralized back-end server that can be targeted and exploited. Now, the front-end makes calls to smart contracts that are stored on the blockchain. These calls are executed as broadcast requests from nodes for transactions to be executed on the Ethereum Virtual Machine(EVM). The Ethereum Virtual Machine defines the rules for computing a new valid block on the blockchain. Many people choose to not run their own nodes as it gets complicated when expanding their dApp infrastructure. This is done by using providers such as QuickNode, Infura, or alchemy to run their nodes for you. These providers allow you to read states on the blockchain and sign transactions to change the state of the chain. Some dApps allow users to sign transactions through their application. These applications require users to sign transactions using their private key. This is done through third part signers such as the most popular one Metamask. Metamask allows users to sign transactions from the ease of their browsers and is bringing Web 3.0 to users. Now, if you want decentralized applications to have the usability of Web 2.0 applications, they need to have some sort of database that allows users to sign into websites and persistently stores information that is commonly changed as users sign in and use your decentralized application. However, any sort of database commonly used is stored on a central server. There are two known solutions for this currently known as IPFS and SWARM. IPFS stands for Interplanetary File System. This file system would be a distributed file system that would works by breaking apart data across many different peers that are a part of the network. It allows peers to basically “rent out” their hard drive space for a small amount of Ethereum so that decentralized applications can have databases that easily accessible and still decentralized. When decentralized applications use it, their data is hashed and give a content identifier(CID) that is used to then retrieve the content. Nodes that commonly use information can pin content, but the content is still stored other places within the IPFS network. SWARM is another distributed storage platform and content distribution service that runs on the Ethereum stack. Content on the IPFS and SWARM cannot be edited by peers on the network because the hash of the content will no longer match. Now coming back to your front-end, it currently is being hosted by a centralized server. But if you want a truly decentralized application your front-end also much be decentralized. IPFS can host your front-end as well. The latest version of IPFS allows users to use IPNS which is a decentralized naming system that allows people to be able to visit the front-end of your website by using a human-readable DNS name. Finally, there is one last part of decentralized applications to note which is how will your front-end know when events occur on the blockchain? There are technologies such as the Web3.js library that allows your front-end to listen for smart contract events to occur. There is another technology that front-ends can use to query for events occurring on the blockchain which is known as the Graph. It indexes your smart contracts on the blockchain allowing for quick querying for events occurring rather than listening for the contract to execute using Web3.js. With this all considered, this is what your decentralized application would look like.

Decentralized Autonomous Organizations:

A decentralized autonomous organization or DAO would be a virtual entity that would require a set percentage of members to have the right to spend the entity’s funds or modify the DAO’s code. Normally, smart contracts are considered immutable after being deployed to the blockchain. However, if you separate chunks of code into separate smart contracts and have the address of which contracts that are called be in a mutable storage area, a DAO contract could be modified if the set percentage of members agree to change the contract. These types of contracts are considered upgradable smart contracts and allow for the smart contracts to be upgraded in the future. However, they can be dangerous as I will discuss later.

Security:

Although the new era of web comes with some security benefits, it also comes with new attack surfaces and attack vectors. One of these new attacks is called a rug pull. This attack relies on crypto developers and influencers hyping up a blockchain project to encourage investment. When the project has enough money, the developers and influencers will sell all their currency at a higher price and essentially steal all the investors’ money. Another attack vector based of the idea of phishing is called ‘ice phishing’. This is when an attacker convinces a user to sign a transaction that delegates approval of the user’s tokens within a transaction. Some of the new Web 3.0 exploits are smart contract logical exploits. These are exploits that rely on poor logic encoded either within the blockchain or within the smart contracts that operate it.

NFT Stealing:

One of these crypto-swap currencies was recently scammed due to the release of ApeCoin. A popular Non-Fungible Token (NFT) that is a part of the Bored Ape Yacht Club (BAYC) was scammed using a fake NFT on a crypto-swap dApp. This victim swapped their BAYC ‘bubble gum ape’ for fake matching mutants that would be the same value. However, the attacker took advantage of the way the dApp showed validated NFTs and counterfeited a verification check onto the image of a Bored Ape.

Bored ApeCoin Scam:

Another crypto-loan scam dealing with the Bored Ape NFT occurred on March 17th. The creators of the Bored Ape NFT dropped ApeCoin to the Bored Ape NFT owners. The scam involved a flash loan service. A flash loan is a way to borrow a large sum of cryptocurrency at a low-interest rate, but the loan must be repaid before the block is solidified. Because the attacker new the creators of the Bored Ape NFT were dropping ApeCoin the attacker flash loaned 5 Bored Ape NFTs putting his own Bored Ape NFT up for collateral. However, when the attacker had the 5 NFTs, he claimed the ApeCoin that was being dropped by Yuga Labs. This caused the attacker to retrieve the 60,000 ApeCoin that was meant to the user who loaned out their NFT. The 60,000 ApeCoins were solve for 399 ETH or around 1.1 million USD.

Wormhole Exploit:

            These aren’t the only exploits that have existed due to poor logic within blockchains. There was an attack on a cross-chain protocol known as Wormhole which had a vulnerability within its smart contracts which allowed the attacker to mint 120 million WeETH (wormhole Ethereum) and transfer it into Solana which is what wormhole was commonly used for. However, this minting of new wormhole ETH is more dangerous than someone might think. This attack is not only the attacker stealing money, but it also put the value of all the other blockchains WeETH is connected to at risk. Because this WeETH can be transacted into any other blockchain supported by WeETH. Blockchains connected by these cross-chain protocols, are only as secure as their weakest link, the cross-chain protocol in this case.

Security Provided by Web 3.0:

Although there have been many attacks on blockchains, it is difficult for attackers to derive value out of these attacks. There are applications such as Chainalysis Reactor who track the movement of large amounts of crypto. They have the wallet address of which the attacker has the cryptocurrency located. It will be very difficult for the attacker to transfer their successful attack into any physical monetary value without being caught. This is because if this wallet is used at any crypto-exchange, their information will be available for the government to discover who the attacker is. Because of this, attacks in the future will most likely not be meant for direct monetary value out of attacks against cryptocurrencies. An example exploit would be using compromised computers to mine/validate cryptocurrency and send the profits to the attacker.

The best way to protect yourself from these attacks is to be knowledgeable about the new technologies you are investing within. If you are planning on investing into this new age of Web 3.0 technologies understand the services, you are uses and understand what they protect you from and what they cannot. Attacks targeted at users such as rug pulls, and phishing attacks can be easily avoided with some simple knowledge of the attacks and the signs to look for. In this post I covered a lot of what the new Web 3.0 technologies were. Now that you have an idea of what the new Web is made of it, you can now start to take advantage of these technologies and start investing in our future.

Resources:

https://www.preethikasireddy.com/post/the-architecture-of-a-web-3-0-application

https://bitcoin.org/bitcoin.pdf

https://ethereum.org/en/whitepaper/

https://ipfs.io/

https://blog.chainalysis.com/reports/wormhole-hack-february-2022/

https://www.techtarget.com/searchsecurity/tip/Top-3-Web3-security-and-business-risks

Advertisement

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s