Recently, we had the opportunity to catch up with David Schwed, the COO of Halborn, a blockchain cybersecurity firm. Halborn is a group of ethical hackers and blockchain specialists with a vision of ensuring top-notch security and safety.
In our conversation, David spoke about prevailing concerns with and the future of Web3 security, the evolution of tech-based security, advice for developers in Web3 and much more.
To start, can you please brief us about the current issues pertaining to Web3 security?
I would argue there is not enough substance to term it ‘Web3 security’ yet. However, security in Web3, like Web3 itself, is in its early days.
We are at a landmark phase where company-owned Web2 is being replaced by user-owned Web3. This ownership element is not only for the funds that a user owns. It is also for the responsibilities that come with ownership. Custody is the keyword. Every act of the user on a blockchain has a cost attached and as self-custodians, they are accountable for any outcome.
Another important thing to realize is that most security breaches happen on the application and communication layers of a blockchain. The core function of a blockchain, i.e. the distributed ledger, is very rarely the point of attack. Observe closely and you will see that it is mostly smart contracts that are exploited in these hacks.
Why?
Because the environment for writing smart contracts is immature. Programming languages and EVMs are still largely experimental. Programming vulnerabilities account for a majority of security concerns.
Lastly, dApp founders and teams think of Web3 security as an end-stage plug-in for their products. They rely on trust first and then tooling and solutions. However, recent hacks and thefts have shown why the element of trust needs to be eliminated and security needs to be a priority.
Self-custody for the layman. Raw tooling for developers. Trust-driven DeFi ecosystem.
All-in-all, Web3 security is undercooked and needs to be ramped up exponentially to meet today’s sophisticated attacks.
What are your views on the evolution of tech-based security in recent times? Also, as we move into Web3, what are the trade-offs we can expect for robust security?
Security technology has grown at a rapid pace in recent years. Security is more watertight than ever before. There are two tangents to this. The first is concrete centralization by parties to store, secure, and render data inaccessible to any third party. The second is making hacks and thefts a costly affair in terms of the resources needed.
These two tangents have been manifested at scale in many security solutions. Artificial intelligence and machine learning have taken security up a few notches. The duo has helped build automated and adaptive security networks. In the coming years, AI is set to improve further, and hopefully that translates into a more secure future for all of us.
Lately, blockchain-based cybersecurity has started to find its ground. With foolproof authentication and no-trust models, the blending of blockchain into security solutions has started and is bound to grow further.
Now, talking about the expected trade-offs for Web3 security: if we go by the theory of the blockchain trilemma, scalability suffers as security is prioritized, i.e. more nodes = more decentralization = more security.
Apart from that, I also believe true anonymity cannot be made possible while still upholding the best security ethos. There will be an element of traceability intact. However, I also think Web3 security will be privacy-centric. So, the bottom line is, users’ data, identity, and activity won’t be tracked but can be traced, if needed.
Can you share your thoughts on the adaptability of security solutions amidst the convergence of centralized Web2 and a fairly decentralized Web3?
First of all, I’d say that cultural integration between the security builders of Web2 and those of Web3 is the top priority. The ethos and the values are very different between these two sects.
A simple example of this is how the distribution of data storage is pursued by both these security groups. The Web2 sect views this as high-risk and conforms to their centralized ideals of a single database or server. However, in Web3, a distributed ledger is a means of security. The more the distribution, the more secure the network is.
The convergence of security solutions for Web2 and Web3 is a tough ask because security is approached in contrasting ways. In Web2, there is scope for patches and hotfixes to secure networks. However, in Web3, security needs to be woven into the architectural design.
Making Web2 security solutions adapt to Web3 is a long-term game. From matching encryption standards to building strategic threat prevention tools, convergence needs to be built from scratch.
There is room for establishing synergy between both security solutions. However, to ensure maximum security, natively developed solutions are needed. Web3-native knowledge and expertise are a different ball game and are a must while bootstrapping security for this dynamic space.
What is your advice to the builders and developers in the Web3, crypto, and DeFi space from a security perspective?
I have two pieces of advice for the builders and developers coming up in this space. It is a hard grind; however, neglecting security will only make it exponentially harder.
The first one is: build resilient products with great on-chain security.
What I mean by this is to build products and services that have a security-first approach. Resilience is a much-needed trait for any DeFi product or dApp out there. Prioritize security alongside performance and user experience. On-chain security is often overlooked and taken notice of only after it wreaks havoc.
From planning to post-deployment, smart contract audits, and cyber insurance, essentially what I’m trying to say is don’t leave any stone unturned when it comes to security and privacy.
Second: cultivate a culture of security and safety practices.
Security literacy amongst users is pretty low in this space. The best practices are often expensive (say, a robust cold wallet) or too complex for the layman. Hence, the products and services need to have in-built security. Incentivizing the good players is as important as keeping the bad players away.
Bug bounties are a great way to keep good players engaged in continuously improving security systems in Web3. Not only does this incentivize safeguarding activities, but it also establishes a culture of security and development in the team. And as this spreads, more security best practices become accessible to all and can be adopted at zero opportunity cost.
How do you foresee the future of security in Web3? What are the key developments in this area that you are keeping an eye on?
Blockchain pushes for true ownership of money and personal data. Cryptocurrencies and DeFi add to the functionalities of money. ZKPs guarantee privacy. NFTs enable tokenization and control of assets.
As you see, the potential is immense. However, for this potential to be realized, a safe, secure, and robust Web3 infrastructure is a must-have. There is no doubt that Web3 security has a huge room for improvement. Unlike other verticals, this needs to be prioritized and not chosen at convenience.
A security-first approach is necessary to bring about the mass adoption of Web3, including institutional participation. And coming to the key developments I’m keen on, the first would be MPC, i.e. multi-party computation. Roughly, it is where the custody of the private key is shared between the user and the service provider, with no one having the full key at any given time.
Also, I am a huge advocate of identity-first security. ZKPs are a great tool to enable this. Identity authentication and verification are a must to build security and privacy for the ecosystem. However, the catch is that the users need to be bestowed with control and consent over the data linked to their identity.
Another potential game-changer in the space of Web3 security would be enterprise-grade audits. There are barely any. The Web2 cybersecurity giants have little to zero relevance in the Web3 space. So, native Web3 audit firms with a proactive approach are a must for the industry to grow.
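To make the MPC custody model from the previous answer concrete, here is an added example written for this article (it is not Halborn's code and not any product's implementation). It implements Schnorr-style co-signing on secp256k1 with additive key shares: a constructed "user" party and a constructed "provider" party each generate a private key share locally, neither share ever leaves its owner, and no one ever assembles the full private key. Yet the two partial signatures add up to one signature that verifies under the joint public key. The curve parameters are the standard secp256k1 constants; the party names, message and the plain-Python affine curve arithmetic are illustrative choices made here.

```python
"""Added example: two-party co-signing with additive key shares (Schnorr-style).

Illustrative code written for this article, not Halborn's software or a
production MPC wallet. Shows the custody property: user and provider each
hold a share x_i of the private key, the full key x = x_user + x_provider
is never reconstructed anywhere, and the partial signatures combine into
one signature valid under the joint public key Y = x*G.

What a real protocol (MuSig2, FROST, GG20) adds and this toy omits:
a nonce pre-commitment round (prevents a party from choosing its nonce
after seeing the others'), a distributed key generation or key-aggregation
coefficient (prevents rogue-key attacks on Y), and constant-time arithmetic.
"""
import hashlib
import secrets

# secp256k1 domain parameters (standard constants)
CURVE_P = 2**256 - 2**32 - 977
CURVE_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (
    0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)


def is_on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 7) % CURVE_P == 0


def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % CURVE_P == 0:
        return None  # a == -b
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, CURVE_P) % CURVE_P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % CURVE_P, -1, CURVE_P) % CURVE_P
    x3 = (lam * lam - x1 - x2) % CURVE_P
    y3 = (lam * (x1 - x3) - y1) % CURVE_P
    return (x3, y3)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (readable, not constant-time)."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def challenge(R, Y, msg):
    """Fiat-Shamir challenge e = SHA256(R || Y || m) mod n."""
    data = b"".join(c.to_bytes(32, "big") for c in (*R, *Y)) + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CURVE_N


class Party:
    """One custodian (user or provider). Its key share x never leaves it."""

    def __init__(self, name):
        self.name = name
        self.x = secrets.randbelow(CURVE_N - 1) + 1  # private key share
        self.k = None  # per-signature nonce share

    def pub_share(self):
        return ec_mul(self.x, G)

    def nonce_commit(self):
        # Fresh nonce per signature: reusing k across messages leaks x.
        self.k = secrets.randbelow(CURVE_N - 1) + 1
        return ec_mul(self.k, G)

    def partial_sign(self, e):
        s_i = (self.k + e * self.x) % CURVE_N
        self.k = None  # burn the nonce so it cannot be reused
        return s_i


def joint_pubkey(parties):
    Y = None
    for p in parties:
        Y = ec_add(Y, p.pub_share())
    return Y


def cosign(parties, msg):
    """Signing round: sum nonce commitments, derive one challenge, sum the
    partial signatures. Only public points and the scalars s_i are exchanged."""
    R = None
    for p in parties:
        R = ec_add(R, p.nonce_commit())
    e = challenge(R, joint_pubkey(parties), msg)
    s = sum(p.partial_sign(e) for p in parties) % CURVE_N
    return (R, s)


def verify(Y, msg, sig):
    """Standard Schnorr check: s*G == R + e*Y."""
    R, s = sig
    return ec_mul(s, G) == ec_add(R, ec_mul(challenge(R, Y, msg), Y))


if __name__ == "__main__":
    user, provider = Party("user"), Party("provider")
    Y = joint_pubkey([user, provider])
    msg = b"constructed sample transaction payload"
    sig = cosign([user, provider], msg)
    print("joint signature verifies:", verify(Y, msg, sig))
    print("user alone verifies under joint key:", verify(Y, msg, cosign([user], msg)))
```

The verifier only ever sees one ordinary Schnorr signature and one public key, so the on-chain contract or wallet does not need to know that custody was split; that transparency is what makes MPC attractive for exchanges and institutional wallets. The same structure generalizes to n parties by adding more entries to the list, since both the nonce commitments and the partial signatures are simply summed.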