Top 3 Web3 security and business risks

The third iteration of the internet is quickly coming to fruition. With Web3 comes an evolution in business risks, however, as well as susceptibility to traditional risks.

The tech industry is buzzing about Web3, the internet movement to shift economic benefits back to participants by using distributed digital networks, such as blockchain and cryptocurrencies.

The Web3 movement has sparked passionate debates among proponents and critics alike, particularly when compared to the massive control, financial and information asymmetry of Web2's search, e-commerce and social media giants. These debates, however, often revolve around centralized control, the role of regulation and age-old tactics to make money, while glossing over practical business risks.

For all the activity, funding and hype, few have analyzed Web3 business risks. Here are three such risks.

1. Cybersecurity: Novel designs spell new tactics, confusion and tradeoffs

Web3 has ushered in a new class of cyberthreats. While decentralized data and services reduce single points of attack, they have the potential to expose data to a broader set of risks. These involve traditional threats, as well as tactics unique to blockchain networks and interfaces.

Some examples of novel threats are the following:

  • Smart contract logic hacks. This new threat targets the logic encoded in blockchain services. These hacks have been used to exploit a wide range of functions and services, such as interoperability, crypto-loan services, project governance and wallet functionality. Smart contract logic hacks also raise important legal questions, as smart contracts are often not protected by the law or are fragmented across jurisdictions.
  • Cryptojacking. Cryptojacking occurs when threat actors quietly install cryptomining software onto victims' computers and networks.
  • Rug pulls. These attacks involve insiders -- cryptodevelopers, criminal groups, paid influencers, etc. -- creating hype around a project, only to run off with the investors' funds.
  • Ice phishing. Ice phishing involves attackers maliciously convincing users to sign a transaction that delegates approval of the users' tokens to the attacker.

These novel methods exist alongside traditional threats, such as phishing attacks. Decentralization makes censorship more difficult, but it perpetuates questions of information quality and accuracy, which has already led to vast misinformation, disinformation and security issues. Consider the difficulty of policing cybercriminals across distributed and anonymous actors or within a metaverse. Other existing Web3 security issues include attacks on endpoints, traffic overloads and other service availability exploits -- only they will likely have less IT oversight. Distributed networks offer some security benefits, but they are far from immune to software exploits, bugs or human errors.
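The ice phishing entry above hinges on a single user action: signing an approval that hands a spender control of the user's tokens. The following Python check, added here as an illustration and not code from the original article, shows what a wallet or transaction-screening layer can do before that signature is produced. It strictly decodes the two approval calls defined by the token standards (ERC-20 `approve(address,uint256)`, selector `0x095ea7b3`, and ERC-721/1155 `setApprovalForAll(address,bool)`, selector `0xa22cb465`) and flags the combination that characterises ice phishing: a broad or unlimited grant to a spender that is not on the user's allow-list. The allow-list, the sample addresses and the risk thresholds are constructed assumptions for the example, not values from the article.

```python
"""Added example: pre-signature screening of token approvals (the action ice
phishing tricks a user into). Not code from the original article. The two
selectors are the standard ERC-20 / ERC-721 function IDs; the allow-list,
addresses and thresholds below are constructed for the example."""
from dataclasses import dataclass
from typing import Optional

APPROVE_SELECTOR = bytes.fromhex("095ea7b3")               # approve(address,uint256)
SET_APPROVAL_FOR_ALL_SELECTOR = bytes.fromhex("a22cb465")  # setApprovalForAll(address,bool)
UINT256_MAX = 2**256 - 1                                   # the "unlimited" allowance value

# Constructed sample addresses: a spender the user already trusts and one they do not.
SAMPLE_KNOWN_SPENDER = "0x1111111111111111111111111111111111111111"
SAMPLE_UNKNOWN_SPENDER = "0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee"


@dataclass
class ApprovalRequest:
    kind: str                 # "erc20" or "nft"
    spender: str              # 0x-prefixed, lowercase
    amount: Optional[int]     # ERC-20 allowance; None for NFT operator approvals
    approved: Optional[bool]  # NFT operator flag; None for ERC-20


def _word(data: bytes, i: int) -> bytes:
    """Return the i-th 32-byte ABI word after the 4-byte selector."""
    return data[4 + 32 * i: 36 + 32 * i]


def decode_approval(calldata_hex: str) -> Optional[ApprovalRequest]:
    """Strictly decode an approval call; anything else, or malformed data, yields None."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    # selector + exactly two words, and the address word must be zero-padded on the left
    if len(data) != 68 or _word(data, 0)[:12] != bytes(12):
        return None
    spender = "0x" + _word(data, 0)[12:].hex()
    value = int.from_bytes(_word(data, 1), "big")
    if data[:4] == APPROVE_SELECTOR:
        return ApprovalRequest("erc20", spender, value, None)
    if data[:4] == SET_APPROVAL_FOR_ALL_SELECTOR:
        return ApprovalRequest("nft", spender, None, value != 0)
    return None


def assess_approval(calldata_hex: str, known_spenders: set, balance: int) -> dict:
    """Classify an approval from the user's point of view.

    block = broad grant to a spender the user has no record of (the ice-phishing shape);
    warn  = a single risk factor on its own;
    ok    = bounded grant to a known spender, or a revocation (which never moves assets).
    """
    req = decode_approval(calldata_hex)
    if req is None:
        return {"verdict": "not_an_approval", "reasons": [], "request": None}
    revocation = (req.kind == "erc20" and req.amount == 0) or (req.kind == "nft" and not req.approved)
    if revocation:
        return {"verdict": "ok", "reasons": [], "request": req}
    reasons = []
    if req.spender not in {s.lower() for s in known_spenders}:
        reasons.append("spender is not on the allow-list")
    if req.kind == "erc20":
        if req.amount == UINT256_MAX:
            reasons.append("unlimited allowance requested")
        elif req.amount > balance:
            reasons.append("allowance exceeds current balance")
    else:
        reasons.append("operator approval covers the entire collection")
    verdict = "block" if len(reasons) >= 2 else ("warn" if reasons else "ok")
    return {"verdict": verdict, "reasons": reasons, "request": req}


def encode_approve(spender: str, amount: int) -> str:
    """Build approve() calldata; used here only to construct sample transactions."""
    return ("0x" + APPROVE_SELECTOR.hex()
            + spender.removeprefix("0x").lower().rjust(64, "0") + format(amount, "064x"))


def encode_set_approval_for_all(operator: str, approved: bool) -> str:
    """Build setApprovalForAll() calldata; used here only to construct samples."""
    return ("0x" + SET_APPROVAL_FOR_ALL_SELECTOR.hex()
            + operator.removeprefix("0x").lower().rjust(64, "0") + format(int(approved), "064x"))


if __name__ == "__main__":
    allow = {SAMPLE_KNOWN_SPENDER}
    samples = {
        "bounded, known spender": encode_approve(SAMPLE_KNOWN_SPENDER, 5 * 10**17),
        "unlimited, unknown spender": encode_approve(SAMPLE_UNKNOWN_SPENDER, UINT256_MAX),
        "collection, unknown operator": encode_set_approval_for_all(SAMPLE_UNKNOWN_SPENDER, True),
    }
    for label, tx in samples.items():
        result = assess_approval(tx, allow, balance=10**18)
        print(f"{label:>28}: {result['verdict']:<5} {'; '.join(result['reasons'])}")
```

The strict length and padding checks matter: a screening layer that tolerates trailing bytes or non-zero padding can be steered into decoding a different spender than the one the chain will use. Two independent risk factors together produce a block, one alone a warning, so a legitimate unlimited approval to a spender the user has already vetted is surfaced but not refused.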

Infographic: Web 1.0, 2.0 and 3.0 compared. Based on blockchain technology, Web3 aims to be different from its predecessors.

2. Identity: Greater control requires greater responsibility

Web3 capabilities, such as user-controlled wallets, ID portability and data minimization, mitigate some of Web2's privacy risks by offering individuals greater agency and control over their data. However, self-sovereign identity (SSI), pseudonymity and anonymity have downsides. The transparent nature of public blockchains -- which make transactions available to everyone -- builds trust without an intermediary, but it also comes with security and privacy tradeoffs.

A few examples of identity-related risks in Web3 are the following:

  • UX. Most SSI and cryptowallets require cumbersome onboarding processes, private key education and multiple versions with little interoperability.
  • Privacy. Web3 has created many questions surrounding privacy. What information is stored on-chain vs. off-chain? Who needs to know when and how to authenticate transactions? Who decides, based on what parameters?
  • Compliance. Web3 pseudonymity creates data gaps for regulators and opens doors for money laundering and terrorist financing. Decentralized IDs also complicate existing regulations, such as GDPR, making it difficult to distinguish controllers of personally identifiable information (PII) from PII data processors.
  • Anonymity. Secrecy can cause confusion and erosion of social norms, as Web2's bots have demonstrated. Anonymity creates questions surrounding accountability, liability, legal recourse and consumer protections.

As Web3 applications evolve in the coming decade, organizations must consider potential risks from adjacent technological, political and social forces:

  • How will the use of biometrics affect identity in Web3, whether for user or employee authentication, healthcare or otherwise?
  • How will IoT device identity features interact in Web3 environments when infrastructure such as cars or solar panels become economic actors?
  • How might institutional backlash, political abuse and nationally centralized blockchains shift implications around immutable identity data and ownership?

As with Web2, organizations have to consider questions surrounding design, policy, human rights and monetization in Web3.

3. Web3 economics: Social and financial incentives underlie Web3's future

Microeconomies, currencies and other financial assets are embedded into most Web3 applications and digital communities. Therefore, new incentives and disincentives will shift risk calculations.

Take cybersecurity as an example. Web3's embedded economic architectures create clearer incentives for hackers than traditional cloud or IT deployments do. In traditional environments, services and data are often exploited without clear or immediate monetary benefit. In blockchain applications, on the other hand, significant value is often encoded directly into the blockchain itself.

Businesses must also evaluate Web3 for consumer and related legal, environmental and societal risks. As notions of individual ownership, financialized participation and decentralized interoperability are embedded, several questions face business leaders:

  • How can businesses support accessibility, rather than exacerbating financial and digital disenfranchisement?
  • How can organizations support societal and environmental improvement when UX is hypercapitalized and interactions are driven by tokenization, artificial scarcity or other buyable reputation signals?
  • How will traditional businesses transact with Web3-native decentralized autonomous organizations, and what legal wrappers will protect entities?
  • Most importantly, how will organizations foster participant and business trust in Web3 environments?

These are just a few of the risk areas identified in Web3 research. The next generation of the web is not just about empowering people through distributed governance -- technical, social and economic -- but about better securing the ecosystem in the process.

Web3 builders, whether established corporations or nimble startups, play a crucial role in safeguarding against risks. Security by design is essential when developing Web3 systems, and these principles should encompass the entire infrastructure and incident response processes.

Despite the rapid pace of the market, teams should take time to design protections against insider attacks and have contracts and code independently analyzed and audited. Developers should be equipped to evaluate risk before, during and upon implementation and incorporate any related cryptoassets into their existing threat monitoring landscape.

Overall, organizations need to prepare for Web3 security risks by focusing on collaboration, cooperation and flexibility.

This was last published in March 2022