From the moment Satoshi released the Bitcoin white paper, the world experienced a paradigm shift.
A revolution was born, and cryptocurrency was its weapon. It worked: five years later crypto had become the cool thing, and by 2024 countries were adopting it and non-state actors were investing massively in it.
As adoption increased and investments surged, many experienced a harsh reality when their finances swiftly disappeared. This wasn't due to personal errors but rather because the projects they invested in were flawed, leaving them vulnerable to bugs and malicious hackers who siphoned their funds.
Many early adopters soon got burned and walked away. Still, while we piece all the parts together and figure out why bugs in Web3 are not easy to fix, as the system is trustless and deterministic, we will also find out how best security researchers are working to make Web3 more secure.
Web3 Hacks
Web3 has seen some of the most devastating hacks in recent years, with attackers exploiting vulnerabilities in smart contracts to siphon off millions, sometimes billions, of dollars. These incidents have caused financial losses and shaken the confidence of users, developers, and investors in the Web3 space. Below are some of the most notable hacks and their implications.
The DAO Hack (2016)
The DAO (Decentralized Autonomous Organization) was one of the earliest and most ambitious Web3 projects. It was designed to operate as a venture capital fund governed by smart contracts. However, a reentrancy vulnerability in its code allowed an attacker to drain $60 million worth of Ether.
The DAO hack was a wake-up call for the Web3 community, exposing the fragility of smart contracts and the potential for catastrophic failures.
Another hack, the Poly Network hack, led many projects to invest in security and code auditing.
Poly Network Hack (2021)
It is regarded as one of the largest DeFi hacks. An attacker exploited a vulnerability in Poly Network's cross-chain bridge, stealing over $600 million in assets. Interestingly, the hacker returned most of the funds, claiming they did it "for fun."
While the funds were returned, the incident raised questions about the security of cross-chain bridges, which are critical to the Web3 ecosystem, and whether this network audits its codes before deployment.
Ronin Network Hack (2022)
The Ronin Network, a sidechain for the popular game Axie Infinity, was hacked for $625 million due to compromised validator keys. Attackers gained control over five out of nine validator nodes, allowing them to approve fraudulent transactions.
The hack damaged the reputation of Axie Infinity and its parent company, Sky Mavis, and underscored the importance of securing validator nodes and private keys.
Wormhole Bridge Hack (2022)
The Wormhole Bridge, a well-known cross-chain bridge, suffered a $320 million exploit resulting from a flaw in its smart contract code. The attacker created 120,000 wrapped ETH without any collateral backing.
The hack highlighted the vulnerabilities of using bridges to transfer assets across blockchains and underscored the necessity for improved security measures. It further diminished trust in cross-chain bridges, which is critical for realizing Web3's interoperability goals.
These hacks, and the sums involved, raise questions about whether Web3 projects are safe and, if so, what tools are available to implement security.
Security Tools for Web3 Security
Many tools are available for securing smart contracts and projects before deployment, including Slither, Aderyn, OpenZeppelin Defender, Mythril, and my current favourite, Drosera.
In the following section, we will examine the pros and cons of using these tools to test a smart contract and then compare them to see which is best suited for beginners and which has a better workflow.
Get started
Before moving forward, you need a foundational understanding of smart contracts and their creation.
You can get a copy of the smart contract, which we will review here. Clone the contract to your local machine.
Slither
Slither is a powerful static analysis tool for Solidity smart contracts in the Web3 ecosystem. It analyses contract code without executing it to detect vulnerabilities such as reentrancy, integer overflows, and access control issues.
Spin up your terminal and run `forge build` to compile your smart contract. Notice we have a few warnings, but we can skip them for now.
Next, run `slither .` to analyze your contract.
Slither analysis comes in three colours: red is the most severe, yellow is medium, and green is low but worth investigating.
While this gives you a good starting point, it is essential not to rely solely on Slither. You must also test and audit your code before deploying it.
Aderyn
Aderyn is a dynamic analysis tool tailored for Web3 security, focusing on the runtime behaviour of decentralized applications (dApps).
Unlike static analysis, Aderyn identifies vulnerabilities during execution, uncovering issues that traditional tools might miss. Simulating real-world interactions provides deeper insights into potential exploits, making it a critical resource for developers aiming to enhance the security and reliability of their smart contracts and dApps.
To get started, run `aderyn .`
This will automatically create a Markdown file called `report.md`, which contains the entire report.
You can preview the report in VS Code with Shift+Cmd+V (Markdown: Open Preview). This gives you a well-formatted report.
Note: While this provides a quick review of the codebase, it does not spot all the bugs. To avoid missing bugs, an external audit and testing are needed.
Drosera
Drosera is an automation tool that makes building and monitoring systems for decentralized apps easy. It helps developers automatically detect and respond to events on the Ethereum network, making apps more secure and reliable.
To get started, configure your environment.
curl -L https://foundry.paradigm.xyz | bash
foundryup
# The trap-foundry-template utilizes node modules for dependency management
# install Bun (optional)
curl -fsSL https://bun.sh/install | bash
# install node modules
bun install
# install vscode (optional)
# - add solidity extension JuanBlanco.solidity
# install drosera-cli
curl -L https://app.drosera.io/install | bash
droseraup
You can spin up a template by running `npx @drosera/create-drosera-app`.
Update your dependencies and configure the `.toml` file.
The `drosera.toml` file is set up to deploy a basic "Hello, World!" trap. Ensure the `drosera.toml` file includes a private key and the correct `ethereum_rpc`.
Fund your Holesky wallet address. To do this, use MetaMask or any wallet and add a custom testnet with the following settings:
Network name - Holesky
Default RPC URL - https://ethereum-holesky-rpc.publicnode.com
Chain ID - 17000
Currency Symbol - ETH
Once the network is saved and the testnet account created, fund the account from a Holesky testnet faucet.
Copy the account's private key and store it in `drosera.toml`, or include it directly in the command.
response_contract = "0xdA890040Af0533D98B9F5f8FE3537720ABf83B0C"
response_function = "helloworld(string)"
To deploy the trap, run the following commands:
# Compile the Trap
forge build
# Deploy the Trap
DROSERA_PRIVATE_KEY=<private_key> drosera apply
After successfully deploying the trap, the CLI will add an `address` field to the `drosera.toml` file.
Congratulations! You have successfully deployed your first trap!
Response Trap
You can then update the trap by changing its logic and recompiling it, or by changing the `path` field in the `drosera.toml` file to point to the Response Trap.
The Response Trap is designed to trigger a response at a specific block number. To test the Response Trap, pick a future block number and update the Response Trap.
Specify a response contract address and function signature in the `drosera.toml` file as follows:
response_contract = "0xdA890040Af0533D98B9F5f8FE3537720ABf83B0C"
response_function = "responseCallback(uint256)"
Finally, deploy the Response Trap by running the following commands:
# Compile the Trap
forge build
# Deploy the Trap
DROSERA_PRIVATE_KEY=0x.. drosera apply
Note: The `DROSERA_PRIVATE_KEY` environment variable can be used to deploy traps. You can also set it in the drosera.toml file as `private_key = "0x.."`.
Testing
Example tests are included in the `tests` directory. They simulate how Drosera Operators execute traps and determine if a response should be triggered. To run the tests, execute the following command:
forge test
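As an added example covering both the Response Trap described above and the operator-style tests run by `forge test` (this is not code from the trap-foundry-template or from Drosera), here is a trap that fires once the chain reaches a target block, together with a Foundry test that rolls the chain and asks the trap whether to respond. The `ITrap` interface shape (collect()/shouldRespond()) and the assumption that `data[0]` is the newest sample are mine; check them against the drosera-contracts version your template pins.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;
import {Test} from "forge-std/Test.sol";

// Assumed ITrap shape; verify against the drosera-contracts version you installed.
interface ITrap {
    function collect() external view returns (bytes memory);
    function shouldRespond(bytes[] calldata data) external pure returns (bool, bytes memory);
}

// Fires once the observed block reaches TARGET_BLOCK and hands that block
// number to responseCallback(uint256) on the configured response contract.
contract BlockResponseTrap is ITrap {
    uint256 public constant TARGET_BLOCK = 3_000_000; // constructed value; pick a future block

    function collect() external view override returns (bytes memory) {
        return abi.encode(block.number);
    }

    // data[0] is assumed to be the newest sample an operator collected.
    function shouldRespond(bytes[] calldata data) external pure override returns (bool, bytes memory) {
        if (data.length == 0) return (false, "");
        uint256 observed = abi.decode(data[0], (uint256));
        if (observed < TARGET_BLOCK) return (false, "");
        return (true, abi.encode(observed));
    }
}

// Mirrors what an operator does: advance the chain, collect, then ask the trap.
contract BlockResponseTrapTest is Test {
    BlockResponseTrap trap;
    function setUp() public { trap = new BlockResponseTrap(); }

    function _ask(uint256 blockNumber) internal returns (bool, bytes memory) {
        vm.roll(blockNumber);
        bytes[] memory samples = new bytes[](1);
        samples[0] = trap.collect();
        return trap.shouldRespond(samples);
    }

    function testSilentBeforeTarget() public {
        (bool fire,) = _ask(trap.TARGET_BLOCK() - 1);
        assertFalse(fire);
    }

    function testFiresAtTarget() public {
        (bool fire, bytes memory payload) = _ask(trap.TARGET_BLOCK());
        assertTrue(fire);
        assertEq(abi.decode(payload, (uint256)), trap.TARGET_BLOCK());
    }
}
```

Place the trap under `src/` and the test under `test/` (or the template's `tests` directory) in a Foundry project that includes forge-std, then run `forge test`.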
Conclusion
Tools like Slither, Aderyn, and Drosera offer robust solutions for securing Web3 projects. However, these are just a few of the options available to developers. Each tool has its strengths, and experimenting with them can help build a more secure and resilient ecosystem.
By leveraging these tools and conducting thorough audits, developers can significantly reduce vulnerabilities and restore confidence in the safety of decentralized applications. The key is to stay proactive, test rigorously, and continuously improve security practices.