Security Considerations in web3
Ian Wallis
01 Cyber Kill Chain
02 Stages of the web3 Cyber security chain
03 Establishing a web3 Immune System
04 Ways to get involved
Taking web3 security seriously
"It takes 20 years to build a reputation and a few minutes of cyber-incident to ruin it."
Stephane Nappo, Global Head Information Security for Société Générale International Banking
Background on the Cyber Kill Chain
The framework was introduced by Lockheed Martin in 2011
A model for identifying and preventing cyber intrusion activity
The seven steps of the Cyber Kill Chain enhance visibility into an attack and enrich the understanding of an adversary’s tactics, techniques and procedures
Challenges
What are the web3 stages of a cyber security chain?
Reconnaissance
Weaponization
Delivery
Exploitation
Acquisition
Command and Control
Actions on Objectives
Let’s take a look at each step of the web3 cyber security chain
Reconnaissance
Overview: This is where privacy matters. Attackers target known wallets or smart contracts that hold specific funds or assets. Because on-chain data is public, an attacker can always see the contents of a wallet address, but it is safer if they cannot link that address to you as an individual.
Recommendations:
Block analytics scripts: to prevent analytics providers from linking wallet addresses to real-world identities, we recommend browser extensions like Privacy Badger or browsers like Brave Browser
Don't connect your wallet unless you have to: treat your wallet address like credit card or bank account information, i.e. only reveal it selectively and when necessary. Use hot wallets or disposable wallets for degen stuff
Weaponization
Overview: The attacker develops a malicious smart contract or phishing website. While we cannot stop malicious actors from developing smart contracts to steal funds and assets, there are education steps we can take to reduce user exposure.
Recommendations:
Check out the MetaMask Learn site on Security in Web3
Check out the MetaMask Support site on Staying Safe in Web3
Consider using a hardware wallet to protect your keys, see Ledger or Trezor
Never share your SRP: your Secret Recovery Phrase (SRP) should only ever be in your hands, and yours alone
Weaponization - what are we doing to help?
MetaMask Learn
MetaMask Support
MetaMask Settings
Weaponization - what are we doing to help?
Linea - our approach is to drive by example to establish a security culture in the Linea ecosystem
Auditing - we audit every line of code that Linea deploys. We have partnered with almost all auditors, from top-tier firms that audit the Linea contracts (OpenZeppelin (OZ) and Diligence), to partners that work in the ecosystem such as Hexens and Zokyo, to mid- and lower-tier firms such as CertiK, Zellic, Scalebit, Secure3 and many more
Bug bounty program - we are working with Immunefi to incentivise the reporting of vulnerabilities in the Linea smart contracts
Delivery
Overview: The attacker now takes the first steps to deploy the attack. This is where the attacker exposes what they are doing, by deploying a malicious smart contract on-chain, a malicious dApp URL and website, a phishing site, or a phishing message / social post.
Recommendations:
Watch out for phishing emails and social engineering messages: if it is too good to be true, it's a red flag. Beware of:
New users should only download MetaMask from a trusted app store. See https://metamask.io/download/
If you have to connect your wallet, use a hot wallet: keep your valuable tokens and assets in a cold wallet, and use a hot wallet for day-to-day activity
Delivery - what are we doing to help?
MetaMask Security
Phishing Detection - we are working with WalletGuard, ChainPatrol and PhishFort to keep our phishing detection list as up to date as possible
For Phishing Detection see more here: https://support.metamask.io/hc/en-us/articles/4428045875483--Deceptive-site-ahead-when-trying-to-connect-to-a-site
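To make the detection step concrete, here is an added example (not MetaMask's code, and not the curated lists the providers above supply) of the decision a wallet makes before showing a "deceptive site ahead" warning: an allowlist that wins outright, an explicit blocklist, a blanket flag on punycode labels, and a fuzzy look-alike check of the second-level label against allowlisted brands. The domains in the lists, the tolerance of 2 edits, and the single-label public-suffix assumption are all constructed for the demo.

```javascript
// Added example: minimal phishing-domain check in the style of a wallet's
// "deceptive site ahead" warning. Not MetaMask's own implementation.
// The lists below are constructed for the demonstration; a real wallet
// consumes curated, frequently updated lists.
const ALLOWLIST = ['metamask.io', 'linea.build', 'uniswap.org'];
const BLOCKLIST = ['metamask-wallet-sync.com'];
const FUZZY_TOLERANCE = 2; // assumption: edit distance at which a look-alike label is blocked

// Classic Levenshtein edit distance, O(|a|*|b|) time, O(|b|) memory.
function levenshtein(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Lowercase and drop a trailing dot so "METAMASK.IO." compares equal to "metamask.io".
function normalizeHost(host) {
  return host.toLowerCase().replace(/\.$/, '');
}

// Registrable domain under the simplifying assumption that the public suffix
// is a single label (true for .io/.com, wrong for .co.uk; use the PSL in practice).
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// Exact match or subdomain of any list entry; returns the matching entry.
function matchesList(host, list) {
  return list.find((d) => host === d || host.endsWith('.' + d));
}

function checkHost(rawHost) {
  const host = normalizeHost(rawHost);
  // 1. Allowlist wins, so the fuzzy check never flags the real site or its subdomains.
  const allowed = matchesList(host, ALLOWLIST);
  if (allowed) return { verdict: 'allow', reason: 'allowlist', match: allowed };
  // 2. Explicit blocklist.
  const blocked = matchesList(host, BLOCKLIST);
  if (blocked) return { verdict: 'block', reason: 'blocklist', match: blocked };
  // 3. Punycode labels: no allowlisted brand uses them, so treat as homoglyph risk.
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    return { verdict: 'block', reason: 'idn', match: host };
  }
  // 4. Fuzzy: second-level label within FUZZY_TOLERANCE edits of an allowlisted brand.
  const sld = registrableDomain(host).split('.')[0];
  for (const d of ALLOWLIST) {
    if (levenshtein(sld, d.split('.')[0]) <= FUZZY_TOLERANCE) {
      return { verdict: 'block', reason: 'fuzzy', match: d };
    }
  }
  return { verdict: 'allow', reason: 'none', match: null };
}

// Convenience wrapper for a full URL; URL.hostname already yields punycode for IDNs.
function checkUrl(url) {
  return checkHost(new URL(url).hostname);
}

console.log(checkUrl('https://metamsk.io/connect')); // { verdict: 'block', reason: 'fuzzy', match: 'metamask.io' }
```

Two things a practitioner should take from this: the allowlist must be checked first, otherwise the fuzzy rule blocks the genuine site, and the tolerance has to be tuned per brand, since a five-letter brand like "linea" sits within two edits of many legitimate names.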
Delivery - what are we doing to help?
MetaMask Security
Malicious dApp Detection - we have engaged with Blockaid on their proactive Internet wide dApp Scanning capability
The solution scans millions of new websites a day determining if they are web3 enabled (is dApp), and only then initiating a full dApp Simulation and finally determining if it is malicious (is Malicious) or not
Exploitation
Overview: The attacker now sends you a convincing message to get you to sign a transaction or share your SRP, or gains control of your device via malware. The attacker could also be targeting a protocol or bridge by sending malicious transactions.
Recommendations:
Install Transaction Insight Snaps: MetaMask offers a number of Transaction Insight Snaps that preview the transaction and provide alerts
If you use other wallets, install transaction simulation extensions: for wallets that do not provide transaction simulation there are simulation extensions, such as Blockfence or Hexagate, that can protect your assets
Make sure the protocol can be trusted: for important transactions, make sure the protocol has been audited and is being monitored, to avoid losing value locked in the protocol
Exploitation - what are we doing to help?
MetaMask Snaps
These Transaction Insight Snaps tend to combine multiple features: simulating the transaction, outlining what will happen before it is sent to the blockchain network, and raising specific alerts for things the user wants to be informed about
Note that these Snaps share the transaction with third-party APIs, so there are privacy considerations to take into account
Exploitation - what are we doing to help?
Linea - our approach is to drive by example to establish a security culture in the Linea ecosystem
Event engines - we are researching platforms that provide agents to monitor on-chain and off-chain activity and trigger events and notifications
Bridge Monitoring - we are working with Hexagate to make sure the Linea bridge is not under attack, to assure users that the TVL in the Linea bridge is safe
Ecosystem monitoring - we are in the process of engaging Cyvers, Hexagate and Hypernative to provide broader monitoring of smart contract security risks on Linea, and we will have an economic risk dashboard powered by Gauntlet
Acquisition
Overview: At this stage the attacker is either compromising your machine with malware or convincing you to sign over spending approval for your assets.
Recommendations:
Opt in to MetaMask Security Alerts: toggle them on under "Settings" in the "Experimental" tab to validate your transactions before confirming them
Acquisition - what are we doing to help?
MetaMask Confirmations
Privacy preserving Security Alerts via a client side module provided by Blockaid
Blockaid’s Privacy Preserving Offline Module is a fully sandboxed module that requires no communication with any backend
PPOM is a highly compressed version of Blockaid’s transaction security engine that resides within the MetaMask wallet without ever sending pre-signed transaction data to anyone ever
Command and Control
Overview: The attacker now has spending authority over your address, either by holding your private key or via an on-chain spending allowance granted through an Approval or Permit. Alternatively, your computer is now set up for malware to receive instructions and exfiltrate data.
Recommendations:
Familiarise yourself with how to use a revocation engine: practice revoking a token approval in MetaMask. Try out:
Use a revocation engine periodically - limit your approvals when you are not actively using a dApp, especially for NFT marketplaces. This reduces the risk of losing your funds to hacks, exploits and phishing scams
Use a revocation engine after getting scammed - sort your approvals by most recent to quickly find which approvals you need to revoke to prevent further damage
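The two recommendations above describe what a revocation engine does; the added example below (not MetaMask's code and not any named revocation tool's) shows the core of one for ERC-20 allowances. It replays Approval events in chain order to find the allowances still in force for an owner, orders them most recent first as the "after getting scammed" step suggests, flags unlimited ones, and builds the `approve(spender, 0)` calldata that revokes each. The event topic, the `approve` selector and the calldata layout are the real ERC-20 values; the addresses, amounts and log entries are constructed to mimic `eth_getLogs` output.

```javascript
// Added example: the core of an ERC-20 "revocation engine". Not MetaMask's or
// any existing tool's code. Logs below are constructed to look like eth_getLogs
// results for topics [APPROVAL_TOPIC, pad(owner)]. ERC-721/1155 ApprovalForAll
// and EIP-2612 Permit are out of scope here.
const APPROVAL_TOPIC = '0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925'; // keccak256("Approval(address,address,uint256)")
const APPROVE_SELECTOR = '0x095ea7b3'; // first 4 bytes of keccak256("approve(address,uint256)")
const MAX_UINT256 = (1n << 256n) - 1n;

// Constructed addresses for the demo.
const OWNER = '0x1111111111111111111111111111111111111111';
const OTHER = '0x9999999999999999999999999999999999999999';
const TOKEN_A = '0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa';
const TOKEN_B = '0xbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb';
const MARKET = '0x2222222222222222222222222222222222222222';
const SCAM = '0x3333333333333333333333333333333333333333';

// ABI helpers: 32-byte left-padded words, indexed addresses as topics.
const pad32 = (hexNoPrefix) => hexNoPrefix.toLowerCase().padStart(64, '0');
const addrTopic = (addr) => '0x' + pad32(addr.slice(2));
const topicToAddr = (topic) => '0x' + topic.slice(-40).toLowerCase();
const word = (n) => '0x' + pad32(n.toString(16));

// Build one log entry in eth_getLogs shape.
function approvalLog(token, owner, spender, value, blockNumber, logIndex) {
  return {
    address: token,
    topics: [APPROVAL_TOPIC, addrTopic(owner), addrTopic(spender)],
    data: word(value),
    blockNumber: '0x' + blockNumber.toString(16),
    logIndex: '0x' + logIndex.toString(16),
  };
}

// Constructed history, deliberately out of order to show that sorting matters.
const SAMPLE_LOGS = [
  approvalLog(TOKEN_A, OWNER, MARKET, 1000n, 0x10, 0),
  approvalLog(TOKEN_A, OWNER, SCAM, 500n, 0x15, 1),
  approvalLog(TOKEN_B, OWNER, SCAM, MAX_UINT256, 0x15, 0), // unlimited approval
  approvalLog(TOKEN_A, OWNER, MARKET, 0n, 0x12, 0),        // user already revoked MARKET
  approvalLog(TOKEN_A, OTHER, SCAM, 7n, 0x16, 0),          // someone else's approval: ignored
];

// Replay Approval events in chain order; the last value per (token, spender)
// is the live allowance. Returns non-zero allowances, most recent first.
function liveAllowances(logs, owner) {
  const ownerTopic = addrTopic(owner);
  const ordered = logs
    .filter((l) => l.topics[0] === APPROVAL_TOPIC && l.topics[1] === ownerTopic)
    .map((l) => ({
      token: l.address.toLowerCase(),
      spender: topicToAddr(l.topics[2]),
      value: BigInt(l.data),
      blockNumber: parseInt(l.blockNumber, 16),
      logIndex: parseInt(l.logIndex, 16),
    }))
    .sort((a, b) => a.blockNumber - b.blockNumber || a.logIndex - b.logIndex);
  const latest = new Map();
  for (const e of ordered) latest.set(`${e.token}|${e.spender}`, e);
  return [...latest.values()]
    .filter((e) => e.value > 0n)
    .map((e) => ({ ...e, unlimited: e.value === MAX_UINT256 }))
    .sort((a, b) => b.blockNumber - a.blockNumber || b.logIndex - a.logIndex);
}

// approve(spender, 0): selector ++ abi.encode(address spender, uint256 0).
// Setting to zero works on every ERC-20, including tokens that reject
// non-zero -> non-zero changes.
function buildRevokeTx(owner, allowance) {
  return {
    from: owner,
    to: allowance.token,
    value: '0x0',
    data: APPROVE_SELECTOR + pad32(allowance.spender.slice(2)) + pad32('0'),
  };
}

// Everything the user would be asked to sign, in the order to review it.
function revocationPlan(logs, owner) {
  return liveAllowances(logs, owner).map((a) => ({ allowance: a, tx: buildRevokeTx(owner, a) }));
}

console.log(revocationPlan(SAMPLE_LOGS, OWNER));
```

The replay step is the part people get wrong: reading only the latest Approval per token misses the case where a second spender was approved later, and skipping the zero-value events resurrects allowances the user already revoked. A production tool would also cross-check each live entry with an `allowance(owner, spender)` call, since some tokens emit Approval on `transferFrom` with the decremented value.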
Command and Control - what are we doing to help?
MetaMask Support - guide to revoking approvals
See our MetaMask Support page
Check out our blog on Approvals and Permissions: https://consensys.io/blog/the-seal-of-approval-know-what-youre-consenting-to-with-permissions-and-approvals-in-metamask
Actions on Objectives
Overview: This is the final stage, where the attacker takes the on-chain actions that directly transfer assets out of your possession.
Recommendations:
Know who to contact if you do fall victim to a scam or attack: https://support.metamask.io/
Research malicious-transaction front-running services, but only sign up if you fully understand what is being offered and how it works, e.g. Saferoot, Webacy
Don't get
Summary
Block analytics scripts and don’t connect your wallet unless you have to
Check out the MetaMask Learn site on Security in Web3
Check out the MetaMask Support site on Staying Safe in Web3
Consider using a Hardware wallet to protect your keys, see Ledger or Trezor
Watch out for phishing emails and social engineering messages and never share your SRP
Only download MetaMask from a trusted App Store. See https://metamask.io/download/
If you have to connect your wallet use a hot wallet
Install Transaction Insight Snaps
Opt in to MetaMask Security Alerts under Settings > Experimental
Familiarise yourself with how to use a Revocation engine and use it periodically
Know who to contact if you do fall victim to a scam or attack: https://support.metamask.io/
This is not the first time we have seen these types of problems affecting an entire industry
Email in the early 2000's: Email Phishing, Email Viruses
...but we should be mindful of what could come next
Email in the early 2000's | web3 next
Email Spam | Spam across web3 Messaging, Social and Snaps
Legal Interception | Government demands for web3 Legal Interception
Establishing a web3 Immune System
Shielding from contamination
Fighting off this cold
I’m battling the flu
Protect yourself from infection
What is the Immune System?
Human Immune system
Think about the parallels with web3 ecosystems
The immune system defends the body from infection, whilst protecting the body's own cells. It is made up of a complex network of cells, proteins, tissues and organs.
The immune system keeps a record of every germ (microbe) it has ever defeated so it can recognise and help the body fight the microbe or similar microbes quickly if they enter the body again. These can be bacteria, viruses and fungi as well as abnormal cells.
How are a natural system and a web3 system similar?
| Natural systems | Web3 systems |
| --- | --- |
| Natural systems evolve and change | Web3 systems evolve and change, e.g. EIPs, L2s, account types, dApps |
| Natural systems have complex networks of biomes, species, populations, organisms, organs, tissues, lymph nodes, proteins and cells | Web3 systems have complex networks of blockchains, tokens, dApps, nodes, clients, smart contracts, wallets, users and addresses |
| Infections evolve and mutate | Scams and malicious smart contracts evolve and adapt |
| Cells get infected by germs | Addresses get tainted, smart contracts get deployed by malicious devs, protocols and networks get exploited |
| Blood tests and other tests provide visibility | Indexers and nodes provide visibility |
| There are many companies doing R&D and offering different vaccines and medication | There are many companies doing R&D and offering different security services |
User Privacy
User Security
Decentralisation
Ways to get involved
Establishing a web3 immune system
Defining a web3 Immune System
A good start will be defining the layers in a web3 Immune System (note that not all are desirable or needed):
Off-chain -> Wallet / client -> On-ramp -> Firewall -> Node -> On-chain
Everyone can help
Security Grants
Security Start-up engagement
Security Research
Marketing Security
L2 Ecosystem Security
Secure RPC nodes
Wallet and Tx Security Snaps
Security Working Group
Security Service Aggregation
Wallet Support Services
Security Provider Investments
Decentralised Security Protocols
Security Events
Security Attestations
Security Education
Thank you