Multidimensional Thinking on Web3 Security Issues

In the current development of the Web3 industry, security issues are undoubtedly one of the most important topics for the next decade. This issue presents contradictions and challenges in both decentralized and centralized directions. Let us explore this issue in depth from the following perspectives:

Asset Sovereignty

Decentralized systems clearly outperform centralized systems in terms of asset autonomy, allowing users to have complete control over their assets. This was a mainstream narrative during the rise of DeFi and triggered large-scale withdrawals.

However, with frequent incidents such as attacks on smart contracts and authorization theft, we find that an increase in asset autonomy does not necessarily equate to an improvement in security. Ordinary users often lack the ability to identify risks, and managing assets securely on the blockchain requires a significant amount of learning and experience. This leads to a constantly increasing threshold for self-managing assets.

As a result, many new users entering the market still prefer to entrust their assets to exchanges or institutions, hoping to leave professional matters to professionals. Although this means giving up autonomy over their assets, it comes in exchange for custodial services provided by centralized entities.

Currently, exchanges and on-chain systems basically serve different user groups, each with different forms of risk. On-chain self-management of assets grants users 100% ownership of their assets, but requires sufficient experience and risk management skills. While delegating management to exchanges is simple, it may face centralization risks. There is no perfect solution; the key lies in understanding where the risks are and remaining vigilant at all times.

Smart Contract Security

"Risks always lurk in the unknown."

From the perspective of DeFi projects, non-upgradable and permissionless smart contracts are considered decentralized and immutable. However, this does not mean absolute security. Due to the inherent risks in smart contract code that are difficult to fully predict and simulate, if a critical contract has a fatal flaw and centralized intervention is not possible, the consequences could be dire. There have been several similar incidents in the early days of DeFi.

What is the future development trend of smart contract security? According to the original intention of decentralization, simple smart contracts will first achieve "solidification" after being tested by time and the market, meaning they will be completely decentralized and immutable. Subsequently, the complexity of contracts will gradually increase. In this process, some complex projects inevitably need to set up emergency mechanisms at critical points to prevent losses caused by major events. (Of course, various permission constraints are usually employed in this process to control risks and prevent potential dangers brought by excessive centralization.)

Therefore, the security of smart contracts must undergo the test of time and verification. Currently, the doubts regarding the security of DeFi are essentially questions about the future of the entire industry. The security issues faced by smart contracts will be challenges that all on-chain projects in the future, whether GameFi or SocialFi, will encounter. DeFi is simply ahead of the curve, paving the way for others. Only by establishing a sufficiently solid foundation in the early stages can future development proceed more smoothly.

Resistance to censorship

Resistance to censorship is an aspect that many people easily overlook, as most believe they are simply engaging in straightforward cryptocurrency transactions that have nothing to do with censorship resistance. However, once you experience it, you will deeply realize the importance of censorship resistance. It directly makes you feel that without decentralization, your assets cannot truly be called 100% yours. This topic need not be elaborated further, but it can be said that the ability to resist censorship is arguably the most important aspect of the vision for decentralization.

At this point, censorship resistance and asset autonomy complement each other, and decentralized management is indeed superior to centralized management.

Wallet Security

When saving assets on the blockchain, we often encounter cold wallets, hot wallets, and hardware wallets.

Cold Wallet: In simple terms, it means that the private key is kept offline throughout the creation and management process. Users can create their own cold wallets, for example, by using an old iPhone, with many related tutorials available online. From a personal management perspective, this method has a very high security factor, with the only thing to pay attention to being the safe storage of the paper where the mnemonic phrase is recorded.

Hardware Wallet: It is not the same as a cold wallet. Hardware wallets involve various hardware technologies, and the generation of private keys is usually offline, but the controversy lies in the fact that the vendors providing the hardware are centralized institutions, which theoretically may pose centralized risks. On the other hand, hardware wallets typically require additional verification steps before executing transactions, similar to the protective measures of a USB security token or security card.

Hot Wallet: This is the type of wallet we use most frequently in our daily activities, making it more flexible and convenient. Frequent on-chain interactions will increase the number of authorizations and signatures for the wallet, especially if an upgradeable contract has been authorized. Although there may be no issues currently, the upgraded contract may introduce new risks, posing potential hazards for the future.

The use of wallets is usually configured based on individual circumstances. The security of a wallet is essentially the security of the private key and permissions.