The shift from Web 1.0 to Web 2.0 exposed businesses to a whole range of new security risks. The ability for any user to post content to the Internet meant untrusted and malicious inputs could more easily compromise websites, leak data, and infect databases.
As businesses begin exploring the new world of Web3, they will have to face another crop of security vulnerabilities — some of which they may not have encountered before. Businesses experimenting with Web3 will need new approaches to meet those challenges.
Web3 is a vision for a version of the Web that is decentralized and collectively owned. Web3 technology is built on decentralized databases that require majority consensus for any change or update.
To summarize how Web3 differs from previous Web technology:
Web 1.0 is read: Users can obtain data on the Web but cannot interact with it.
Web 2.0 is read-write: Users contribute data to the Web, for instance by uploading content.
Web3 is read-write-own: Users do not just contribute data; they own their data.
This read-write-own concept is made possible by a few basic principles:
For much of the Internet’s history, web applications have been controlled by centralized providers. These providers control the application's logic and data, and can edit and erase it however they want.
In Web3, web applications are distributed across a peer-to-peer (P2P) network of connected nodes. There is no central authority or controller, data is always visible to all nodes, and data cannot be erased or altered without consensus from the network.
Web3 requires a majority consensus from the network to validate new transactions or updates. Blockchains use proof-of-work (PoW) and proof-of-stake (PoS) validation mechanisms to achieve consensus.
Web3 relies on cryptography, especially hashing, to ensure data is never altered or removed without agreement from the supporting network.
For example, a given block on a blockchain cannot be changed on its own, because its hash is recorded on the following block. Changing a block will change the value of the subsequent block, which would invalidate the hash on the block following that, and so on. In other words, any change would require changing much of the rest of the blockchain. Such changes do occur, but they require broad consensus from the supporting network and are highly resource-intensive.
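The hash linking described above can be seen in a few lines. This is an added illustration, not code from any blockchain implementation; the block layout, payload strings and function names are assumptions made for the example.

```javascript
const { createHash } = require('node:crypto');

// A block's hash covers its own data AND the previous block's hash.
function blockHash(block) {
  return createHash('sha256')
    .update(JSON.stringify([block.index, block.prevHash, block.data]))
    .digest('hex');
}

// Build a chain from constructed sample payloads.
function buildChain(payloads) {
  const chain = [];
  let prevHash = '0'.repeat(64); // the first block has no predecessor
  payloads.forEach((data, index) => {
    const block = { index, prevHash, data };
    block.hash = blockHash(block);
    chain.push(block);
    prevHash = block.hash;
  });
  return chain;
}

// Index of the first block that fails verification, or -1 if all pass.
function firstInvalidBlock(chain) {
  for (let i = 0; i < chain.length; i++) {
    const b = chain[i];
    if (blockHash(b) !== b.hash) return i; // contents differ from recorded hash
    if (i > 0 && b.prevHash !== chain[i - 1].hash) return i; // link is broken
  }
  return -1;
}

// Walk through the three states the paragraph describes.
function demoHashChain() {
  const chain = buildChain(['tx: A->B 5', 'tx: B->C 2', 'tx: C->A 1', 'tx: A->C 3']);
  const intact = firstInvalidBlock(chain);
  chain[1].data = 'tx: B->C 200'; // edit one block in place
  const afterEdit = firstInvalidBlock(chain);
  chain[1].hash = blockHash(chain[1]); // recompute only that block's hash
  const afterRehashOne = firstInvalidBlock(chain);
  let recomputed = 1; // block 1 has already been rehashed
  for (let i = 2; i < chain.length; i++, recomputed++) {
    chain[i].prevHash = chain[i - 1].hash; // every later block must change too
    chain[i].hash = blockHash(chain[i]);
  }
  return { intact, afterEdit, afterRehashOne, recomputed, final: firstInvalidBlock(chain) };
}

console.log(demoHashChain());
```

Editing block 1 is detected at block 1; fixing only its hash moves the failure to block 2; the copy verifies again only after every block from the edit onward has been recomputed, and even then the rest of the network still holds the original chain.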
In many ways, this makes Web3 more secure than Web 2.0. Participating clients are certain of receiving the exact data they request, and the requested data cannot be altered — or replaced with something malicious. Clients do not have to trust a centralized provider; implicit trust is built into the blockchain.
There are several ways businesses are exploring the possibilities of Web3, ranging from decentralized application architectures to more resilient methods of file storage.
Blockchain is a method for recording transactions in chronological blocks of data across a distributed network. Data written to the blockchain cannot be changed.
One of the most widely known applications for blockchain is cryptocurrency, which is the crucial component of the decentralized finance (DeFi) services in use today. But developers can also write decentralized applications (DApps), including non-fungible tokens (NFTs), that use a blockchain to execute.
Smart contracts are the logic of DApps. A smart contract is code designed to carry out specific functions — like any other programmable function, smart contracts execute upon being called. Smart contracts are created and stored on blockchain networks.
From a development perspective, DApps offer businesses the advantage of not having to manage and maintain the full backend infrastructure necessary for supporting an application. Smart contracts are stored on the blockchain and operate autonomously. An organization deploying a DApp does usually need to deploy and maintain a user interface as well, using an intermediary service to make API queries to smart contracts on the backend.
DApps are reliable since they run on a vast peer-to-peer network, while centralized apps go down if their supporting infrastructure goes down.
Finance is one major use case for DApps — examples range from cryptocurrencies, to wallets, to decentralized exchanges. Additionally, developers have built DApp web browsers, games, social networks, and other services as well.
Decentralized finance (DeFi) is a collection of methods for obtaining financial services without relying on centralized authorities like banks. DeFi users can give or receive loans; buy, sell, and exchange cryptocurrencies; earn interest; and perform other tasks associated with the financial services sector, all using decentralized platforms. DeFi is built largely on smart contracts (supported by the Ethereum blockchain). Centralized exchanges (like Coinbase) support DeFi, but DeFi protocols are inherently decentralized.
Blockchain's decentralized storage of transactions makes it a core building block for Web3, but it is not the only type of architecture that businesses are experimenting with. The Interplanetary File System (IPFS) is another (non-blockchain) protocol for implementing Web3 principles. IPFS stores data in a distributed file system. The address of content provided via IPFS cannot be changed — updates result in a new, unique content address. And IPFS's distributed architecture makes it more resilient and reliable than more centralized storage methods.
Businesses can rely on IPFS for serving content to users in a trustworthy fashion. IPFS also enables users to easily publish their own content from their own environments.
While the underlying principles of Web3 make it more secure than Web 2.0 in some respects, like any technology it introduces its share of security risks. Some of the security gaps come from the way Web3 and Web 2.0 architectures interact; others are inherent to how protocols like blockchain and IPFS function. And Web3's reliance on network consensus can make patching these and other flaws a slow process.
Some of the main security risks include:
Most people know not to give personal information out to unverified requesters. And yet, Web3 applications are often reliant on API calls and responses that do not authenticate the ends of the connection.
In theory, Web3 is completely decentralized, and any connected node on the network can interface directly with stored data. In practice, Web3 application front-ends will still need to rely on Web 2.0 technologies that user endpoints can interact with easily. Most Web3 app front-ends use API queries to the Web3 back-end for business logic and data storage.
Currently, many Web3 API queries are not cryptographically signed. This leaves them vulnerable to on-path attacks, data interception, and other attacks — just as the use of unencrypted, unsigned HTTP in Web 2.0 apps leaves users vulnerable to data leakage and on-path attacks. In other words, there is often no guarantee that Web3 application data is from the correct source, despite the "implicit trust" concept described above.
Like any code, smart contracts can contain major security flaws that put user data or — as is often the case — funds at risk. A 2019 study identified poorly coded Ethereum smart contracts that put $4 million in Ether at risk. The problem has not improved with time; in December 2021, flawed smart contracts allowed attackers to steal approximately $31 million in digital currency. And in May 2022, a flawed algorithm caused the TerraUSD cryptocurrency to lose about $50 billion in value.
Data on a blockchain can be stored and accessed by any connected node — in contrast to a Web 2.0 model, in which access to databases can be highly restricted. This introduces multiple security and privacy concerns depending on what data is stored. Even if it is anonymized while at rest, research consistently shows that no data is truly anonymous.
The media is rife with stories of attacks on cryptocurrency or NFT wallets. Most often this occurs through attackers gaining access to users' private keys, or tricking users into handing them over through phishing. In fact, if these private keys are stored locally on a user's device, they are vulnerable to physical theft.
To this point, with cryptocurrency being the main use for DApps and Web3 in general, most attacks have targeted digital currency. But the implications for other applications of Web3 technology could be equally onerous.
Not all of Web3 is built directly on blockchain. Just as the Internet is composed of layers (7 according to the OSI Model) built on top of each other, blockchain has protocols built on top of it. One example is the widespread reliance on "bridges," which are protocols that enable transfers from one blockchain to another.
These protocols can be attacked as well. For example, thieves exploited the Wormhole bridge in February 2022 to steal approximately $320 million in cryptocurrency.
Web3 makes it difficult to issue fixes for security issues once they are identified. Because Web3 is built on decentralized network consensus, any changes have to be approved by the network at large.
This is perhaps the biggest security challenge for Web3. Building completely secure applications is not humanly possible, and the inability to fix flaws quickly increases their impact, since they remain active longer even after discovery.
From user credential theft to cross-site scripting, Web3 front-ends will still have many of the same vulnerabilities as Web 2.0 front-ends, despite the Web3 backend. Code injection, bots, API-based attacks, and other threat vectors can put applications and users at risk.
Widespread usage of Transport Layer Security (TLS) for HTTP requests and responses massively improved security for Web 2.0. Similarly, enforcing encryption and digital signing of API queries and responses for Web3 DApps will be crucial for protecting application data.
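A sketch of what signing API responses gives the front end, covering both the unsigned-query risk described earlier and the mitigation above. This is an added example, not Cloudflare's or any DApp's code: the JSON-RPC style message shape, the choice of Ed25519, the placeholder addresses and all function names are assumptions.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed key pair standing in for the provider's signing key (assumed pinned by the client).
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');

// Deterministic serialization so signer and verifier hash identical bytes.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map((k) => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}

// Backend/gateway side: bind the result to the query it answers, then sign.
function signResponse(req, result, key) {
  const body = { id: req.id, method: req.method, params: req.params, result };
  const sig = nodeCrypto.sign(null, Buffer.from(canonical(body)), key);
  return { body, signature: sig.toString('base64') };
}

// Front-end side: accept only a validly signed answer to *this* query.
function verifyResponse(req, res, key) {
  const sig = Buffer.from(res.signature, 'base64');
  if (!nodeCrypto.verify(null, Buffer.from(canonical(res.body)), key, sig)) {
    return 'bad-signature';
  }
  const { id, method, params } = res.body;
  const asked = { id: req.id, method: req.method, params: req.params };
  return canonical({ id, method, params }) === canonical(asked) ? 'ok' : 'request-mismatch';
}

function demoSignedApi() {
  // Constructed JSON-RPC style query; the address is a placeholder.
  const req = { id: 1, method: 'eth_getBalance', params: ['0x' + '00'.repeat(20), 'latest'] };
  const genuine = signResponse(req, '0xde0b6b3a7640000', privateKey);
  // Response altered in transit: the signature no longer matches the body.
  const altered = { body: { ...genuine.body, result: '0x0' }, signature: genuine.signature };
  // Validly signed answer to a different query, substituted for ours.
  const other = signResponse({ ...req, id: 2, params: ['0x' + '11'.repeat(20), 'latest'] }, '0x1', privateKey);
  return {
    genuine: verifyResponse(req, genuine, publicKey),
    altered: verifyResponse(req, altered, publicKey),
    substituted: verifyResponse(req, other, publicKey),
  };
}

console.log(demoSignedApi());
```

Checking the signature alone is not enough: the third case carries a valid signature and is rejected only because the signed body includes the query it answers.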
At this point, businesses have decades of experience countering Web 2.0 security vulnerabilities. While that does not reduce the seriousness of those vulnerabilities, it does mean that methods have long been available for protecting user accounts, preventing code injection, and stopping cross-site scripting, among other attacks. Web application firewalls (WAFs), bot management, and API security measures close off a wide array of attack vectors for application front-ends.
Code auditing was important in Web 2.0 as well, but many (if not most) organizations skip or rush through this step in the name of releasing and iterating quickly. After all, any security flaws in newly released features or products could be fixed in the next version.
But in Web3, it's not that simple. Updates and additions to decentralized apps take far longer than in Web 1.0 and Web 2.0, since they require consensus from the entire decentralized network. The right time to identify security vulnerabilities is in advance, not after the fact. Code auditing doubles in importance in such a scenario.
As businesses explore and start to interact with Web3, they must continue to keep security foremost in mind. Security holes can cripple a business or damage its reputation. And because Web3 applications rely on Web 2.0-style frontends, businesses will need to simultaneously secure against Web 2.0 and Web3 security risks.
Cloudflare helps combat security flaws for organizations in any situation, from on-premise network protection, to organizations migrating to the cloud, to organizations on the cutting edge of new models like Web3. For Web3, Cloudflare can help protect both frontend and backend, while also providing gateways that make it easy to interface with Web3.
Cloudflare manages and secures the connection to Web3 infrastructure so businesses can focus on what matters: building cutting-edge products and needed services for their users.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
To prepare for Web3, learn more about how the underlying technology works in the Ethereum Gateway white paper.