Forrester Report Warnings About Web3 Security

The next generation web — web3 — has been hailed as more secure than the current incarnation of cyberspace, but a report released Tuesday warns it may not be.

While Web3 may be difficult to undermine at the infrastructure level, according to the report from Forrester, a national technology research firm, Web3 applications, including NFTs, are not only vulnerable to attacks; they often present a broader attack surface than conventional applications because of the distributed nature of blockchains.

It further added that Web3 apps are desirable targets because tokens can be worth significant sums of money.

Web3’s openness, which should be one of its main advantages, can also be a disadvantage. “Code running on a public blockchain is easily accessible by anyone with the requisite technical skills, from anywhere in the world — no need to go through corporate defenses to get to it,” noted Forrester Vice President and Principal Analyst Martha Bennett, who is also a co-author of the report.

“Source code is also usually easily available, because running ‘smart contracts’ with closed sources is frowned upon. After all, the Web3 ethos is ‘open code’,” she told TechNews All.

Unwanted complexity

David Rickard, CTO for North America at Figure, a division of Prosegur, a multinational security company, explained that Web3 is based on the distributed control of data and identity by its users.

“That increases the attack surface for individuals who may be unwilling or simply unable to manage their own data and identity, bringing technical complexity to an arena that wants to be ‘easy to use’ above all else,” he told TechNews All.

“People who go beyond texting, email and scrolling through social media and shopping apps is a real challenge for them,” he added.

It’s unlikely that Web3’s idea of making code transparent and publicly available will really gain traction, he insisted. “There is too much money at stake between capital investors and users of blockchain financial systems and NFTs,” he said.

Making code transparent and public can also increase the attack surface in obvious ways, he continued. “Secure encryption practices that predict how someone could abuse a system for nefarious profits are not used very often,” he explained. “It is not easy to predict how people might use systems for purposes other than what they are intended for.”

“Most of the financial losses related to blockchain and NFT are not exploiting the immutable object itself, but manipulating them by exploiting the applications they can affect,” he said.

In addition, while legacy systems can be old, they can also be robust. “What’s new is usually the most insecure,” said Matt Chiodi, chief trust officer at Cerby, creator of a platform to manage shadow IT, in San Francisco.

“While time is not always a friend of security, an application can be put to the test,” he told TechNews All. “Web3 is no different. It is new and untested. Legacy applications have the advantage of time. Web3 does not.”

NFT becomes popular target

Regardless of whether code is visible and accessible, the report notes, attackers will find the weaknesses. It explained that while it is tempting to assume that attacks on smart contracts and cryptocurrency wallets are confined to the Wild West of decentralized finance, NFT projects have increasingly become a favorite target.

“Why go for a harder hack when there are easier ways to get what you want?” asked Bennett. “Like any other place where value is traded, [NFT] marketplaces and communication tools attract people who want to steal or otherwise undermine the rules.”

“In all things Web3, speed is of the essence, and many of those involved don’t have the expertise required to even assess what a potential security vulnerability could be,” she said. “Sometimes startups don’t even advertise a chief of security until something bad has happened.”

One of the largest breaches of an NFT marketplace occurred in June at OpenSea, exposing some 1.8 million email addresses. “In that particular case, there was an insider threat, but applications that process transactions can be quite vulnerable,” Rickard noted.

“There could be hundreds of thousands of ways these can be exploited and that coders have to try to explain, but a hacker only needs to discover one vector, once for a breach to occur,” he said.

Hangout for scammers

Forrester also reported that Discord, a social media network, has become a major weakness in NFT and other public blockchain projects. Successful phishing attacks on Discord are at the root of many, if not most, NFT thefts, it went on.

It explained that the attacks typically target community managers and administrators. Once an administrator account has been successfully taken over, attackers have the opportunity to steal at scale, as users tend to trust messages from community administrators.

Discord was designed primarily as a communication forum for gamers, not a place to hold and exchange value, Bennett noted, and it has mechanisms to mitigate risk. “But these mechanisms can only help if they are implemented, and it is clear that all too often they are not,” she said.

“Also,” she added, “as the preferred communication mechanism for token projects, Discord attracts a proportionate share of phishing attacks and scam messages.”

Rickard claimed that Discord communities are a rich source of information for scammers and investors. “Collecting participant contact information leads to phishing,” he said. “Hacks in digital wallets are not uncommon.”

“Discord bots have been hacked to allow threat actors to post fake coin offers, resulting in cryptocurrency theft,” he added.

Better security than legacy web?

In the fast-paced Web3 world, it’s tempting to ignore security in favor of rapid innovation, but public security issues can easily derail a big launch or slow down the product team by forcing them to analyze and mitigate critical security flaws, the Forrester report noted.

Companies can identify risks and protect both the decentralized and centralized components of their Web3 application by engaging their security teams — not just in the software development lifecycle — but throughout the product lifecycle, it added.

“Web3 needs to shift its focus to the left, which means getting security as close to developers as possible and making prevention the end goal,” Chiodi noted. “Without this focus, Web3 will end up no different than Web2. That would be a shame given the huge potential, especially around decentralized identity.”

“Web3’s distributed approach offers different kinds of security capabilities, but the fundamental issues remain the same,” added Mark Bower, vice president for product at Anjuna, a confidential computing company, in Palo Alto, California.

“If an attacker gains access to credentials, root-level privileges, or keys — especially private keys that run across the ecosystem,” he told TechNews All, “it’s game over, just as it would be on a centralized platform.”
