LAS VEGAS—So-called Web3 ventures have suffered enough meltdowns to keep an entire site ("Web3 is going just great") busy chronicling them in multiple posts per day. But what has made this category of sites, which provide cryptocurrency and other services based on blockchain technology, seem so snakebit?
A briefing at the Black Hat information-security conference here outlined aspects common to recent high-profile Web3 hacks that have resulted in the theft of hundreds of millions of dollars' worth of cryptocurrencies. The single biggest factor: how quickly an attacker can turn a vulnerability into money.
"Simple mistakes can have immediate and devastating consequences," said Nathan Hamiel, senior director of research at Kudelski Security. "Gone In 60 Seconds isn't just a terrible Nicolas Cage movie, it's also what happens to all your money."
It doesn’t help, Hamiel continued, that so many Web3 developers lack experience and are building on new platforms in public view. And Web3 apps that bridge different blockchains and such competing cryptocurrencies as Ethereum and Solana or integrate self-executing “smart contract” blockchain apps get especially complex.
"Each of these components expands your attack surface," he said.
And while it might be tempting to point and laugh, Hamiel urged security professionals to pay attention because of the possible collateral damage, the high bug bounties now offered (in May, blockchain bridge service Wormhole paid $10 million for a vulnerability disclosure), and the risk of nation-state attackers using these ill-gotten gains to underwrite hostile real-world activities.
Hamiel then walked the audience through four recent Web3
Read more on pcmag.com