It is not unusual to enjoy a game with overpowered weapons or armor. Now imagine that the armor actually cost its digital weight in gold, or to be more precise, was one of those NFTs that could sell for thousands of dollars.
No player would want to lose that, and no game would want the reputational damage of insecure NFT ownership. It is precisely the NFT technology which is the foundation of Web3, allowing secure ownership with no centralized control.
Web3 and Blockchain Security
Web3 poses a special challenge in that its adoption is speeding up among regular Web2 users. Unlike the spread of blockchain technology, which was slow and organic, Web3 is being actively marketed. Users expect experiences similar to Web2, and may not even suspect some of the security issues.
The most common type of risk is for users to expose their wallets to malicious links, thus losing all their NFTs. Being able to control the items and not have them extracted is one of the primary challenges for new projects that wish to retain their reputation.
Industry Consolidation and Standards for Higher Security
One of the main tools for Web3 security is smart contract audits. Faulty smart contracts may lead to losses and reputational damage. CertiK and other startups remain a staple for new Web3 projects, and some are consolidating to create audit standards.
The other approach is to retain tokens within the game, and work on a secure smart contract for withdrawals and trading. Marketplaces are also risky in terms of verification, faked collections or the resale of stolen tokens.
A rough estimate puts losses at around $100M from stolen or lost NFTs and other scams. Gaming projects are responding to this risk to make sure their items remain secure.
New Standardized Web3 Packs Boost Safety
In 2023, a trend to offer high-profile SDKs and smart contracts is forming in the Web3 space. Before, projects took months to build their features, leading to errors and losses. The bridge smart contracts were especially vulnerable.
Now, projects are looking for an optimal number of operations on the blockchain, with off-chain computing widely used.
Instead of in-house builds, the new trend is toward established SDK and smart contract packages, which can speed up the process of launching a Web3 app.
Projects like Express Protocol and other big SDK producers help to batch the auditing of pre-made tools, avoiding errors and hacks. With millions missing from smart contracts, the next step was for startups to address the issue, with more focus on audits and reliable solutions.
Web3 Security: Focusing on Identity
Part of the security of ownership lies in the issue of user identity. For games, this may mean the effort to tie one user account to a wallet, avoiding the problem of whales, bots, exploits through scale and fake users.
The solution of a Web3 identity is also consolidating, with projects trying to offer universal solutions. With one Web3 identity, end users may also contact multiple Web3 projects without the need to build a new wallet for each game or collection.
For now, universal logins and identities rely on Web2 profiles, often using social media in addition to wallets. But with a single identity, a more secure wallet and NFT storage may be possible. Currently, wallets allow NFT theft through smart contracts and there is no verification of identity-based ownership. This helps NFTs remain anonymous, but also allows for malicious links to drain wallets.
Oasis Protocol, with its recently introduced private layer, is also offering tools to build a decentralized identity.
Coinbase is also introducing its in-house Web3 security stack, as the loss of NFT ownership would deal additional reputational damage.
There may be additional exploits and risks, but in 2023, the most vulnerable spots have been covered. Protocols exist to monitor off-chain and on-chain transfers, bridge security gets improvements, and developers are gaining special support for more streamlined apps.
Projects are already aware of multiple threats, including those specific to DeFi – usually a flash loan attack. Phishing and user-side security are also a focus of improvement, as more projects try to either offer more secure wallets and off-chain ownership or educate their potential users.