In this Q&A, we talk about why we need to understand the vulnerabilities of Web2 if we want to bring safety to Web3, and how blockchain developers can stay ahead of emerging threats.
Hexens is a cybersecurity provider focused on blockchain and on emerging technologies like ZK proofs and liquid staking, with particular attention to the backdoors that Web3 projects might overlook in their race to the future.
A Conversation with Sipan Vardanyan: How to Take the Lessons of Web2 into Web3
Q: Let’s start with the numerous high-profile hacks and losses we’ve seen in blockchain in recent years. What do you see as the key cybersecurity challenges facing the industry today?
A: I’ve noticed that a vast number of companies out there are completely ignoring traditional vectors of attack and aren’t doing much in terms of security other than a smart contract audit. As we’ve seen time and time again, there are malicious actors out there who are very adept at finding security vulnerabilities in blockchain code and exploiting them.
Unlike in Web2, one exploit is enough for them to drain a project of hundreds of millions of dollars worth of funds in a matter of seconds. Before Web3, hackers would have to do a lot to monetize a vulnerability.
I also think it’s important to remember that hackers are constantly evolving their techniques and looking for new ways to exploit code. While, over time, blockchain tech will get more secure, it is evident to me that malicious actors will use traditional vectors of attack more and more.
Blockchain, besides being an exciting technology, is also, in most cases, an example of a single point of failure: one single line of code containing a vulnerability can, and probably will, lead to a financial loss, sometimes on the order of hundreds of millions.
Projects should work with security partners to conduct reviews at regular intervals to ensure the highest possible level of security as they continue to develop their tech, as well as always explore new tools, techniques, and best practices to continue decreasing risks.
Q: What are some examples of the most common vulnerabilities or threats that blockchain projects face?
A: We consistently see smart contracts being exploited by hackers. The most common ones are re-entrancy attacks and improper input validation-related vectors. Bridges, wallets, and exchanges, which are places that tend to hold a large quantity of funds, are also attractive targets for cybercrime. Private key leaks are happening more often, too, again signaling that “traditional” (Web2) vectors of attack are gaining momentum.
Contrary to what most would think, the biggest hacks actually don’t share very many commonalities. Because each project’s code is specific to it, the vulnerabilities tend to be unique as well.
Q: What are the limitations of current Web3 cybersecurity firms?
A: Web3 cybersecurity firms tend to be limited by their team’s lack of prior cybersecurity experience in Web2. This, coupled with an incomplete knowledge of Web3 cybersecurity, a blanket approach to all clients, and a desire to scale too quickly, ultimately reduces the quality of their services.
Many providers focus on smart contract audits, which are of course very important to securing a blockchain project. That being said, there is more to most Web3 companies than their smart contract code.
They are also vulnerable to Web2 attack vectors. This is why it is so critical that providers tailor their approach to their clients and identify any possible surface area for a hack to occur in order to catch all vulnerabilities before a hacker does.
A lack of internal methodologies and necessary products and tools might be another reason the security field is facing trouble.
Q: Hexens has conducted security audits for projects like Polygon and Lido. Can you discuss the importance of independent audits in ensuring the security of blockchain projects?
A: We work with industry leaders who have a major impact on its future and who are innovating and pushing the boundaries of what decentralized tech is capable of. Not only do they hold a great amount of influence, but many other companies and users rely on them.
For instance, there are thousands of decentralized applications built on Polygon. An error in Polygon’s code would, therefore, put those thousands of projects, not to mention their users, at risk.
We are also supporting pioneering tech like ZK proofs and liquid staking, addressing security in both of these areas. For instance, we conducted a security review of Polygon zkEVM, enhancing the latter’s security and ensuring its code is of the highest quality.
Once again, it’s also important for companies to remember that a single review does not necessarily guarantee their safety forever and that a review can prove the existence of bugs — but not their absence. Hackers are constantly evolving their techniques to uncover and exploit new vulnerabilities. Therefore, regular reviews are critical to maintaining security long-term.
Q: Given that the blockchain industry is evolving rapidly, how can developers and users stay ahead of emerging threats and continually adapt to new security challenges?
A: Developers need to collaborate and share tips on how to ensure security within blockchain code. Whether this be a vulnerability they’ve uncovered, code that has proven to be secure in their experience, or directing each other to resources to help them code with security top of mind, this will help ensure a maximal level of security in their work.
The hope is that, over time, the industry will have more specialized tools and products that developers can leverage to maximize the security of their code and final products.
It is also helpful to read reports of security reviews published by cybersecurity firms to see what kinds of vulnerabilities they’ve found and avoid making those same mistakes.
Users can stay ahead by engaging with projects that have had their tech thoroughly reviewed by Web3 cybersecurity firms with a proven track record of success.
They should do their best to be on top of the latest cybersecurity news, too – hacks are constantly being reported, so keeping a pulse on which projects have suffered from them can help inform users as to which platforms are safe or unsafe.
Q: Understanding the vulnerabilities of Web2 is considered a crucial step in securing Web3. How does Hexens approach this?
A: Securing Web2 interfaces is an incredibly important – and often overlooked – step in safeguarding any blockchain company.
Virtually all Web3 companies utilize Web2 interfaces, such as websites and domain name services, which provide additional attack surfaces for hackers to exploit. It is only by securing all aspects of their tech that companies can ensure their security as a whole entity.
We’ve recruited auditors with years of experience in Web2. In other words, our team thinks like Web2 and Web3 hackers in order to find the bugs before ill-intentioned actors do.
In addition to personalizing each review, our “hack sense” philosophy consists of assigning several teams to each security review. To my knowledge, we are the only Web3 cybersecurity firm to do so. Each team has at least one lead engineer and senior engineer, in addition to other auditors of varying levels of experience. Two teams are assigned to each security review to ensure we do not fall prey to any biases or human error.
We pride ourselves on our ability to truly think like hackers to find security issues, and we intentionally keep our team and client portfolio small to ensure the highest level of attention and service – we’ve seen many security firms scale too fast, leading to a drastic reduction in the quality of their offerings.
Finally, we aren’t just thinking about bringing security to each client but to the industry as a whole. We’re working on solutions that will enable more companies to maintain a high level of security, protecting themselves and their ecosystems from hackers.
About Sipan Vardanyan
Sipan Vardanyan is the co-founder and CEO of Hexens.io, and has more than 11 years of experience in the cybersecurity arena. His focus is on running a prominent cybersecurity boutique that safeguards businesses from global cyber threats.
He is a dedicated Cyber Security Lecturer with an extensive background as a CISO in the banking sector.
In addition, he serves as an advisor to multiple startups, offering guidance and insights to help them thrive in their respective domains.
He is the winner of multiple cyber security competitions, including first place at PHDays VI (Antichat team) and the undefeated champion at Competitive Intelligence 2017, 2018, and 2019 (solo, nickname: Noyer).