The Metaverse Has a Security Problem
In 2023 we stand at the cusp of the next epoch of the internet. The rise of blockchain technology and smart contracts have changed the way people engage with information as well as money. However, the benefits of this technology also come with some notable risks.
Networks dealing with user funds need to be absolutely secure – or else why should anyone trust them? Auditing the underlying code is an important start, but it isn’t enough.
The latest major iteration of Web3 technology is the metaverse, and significant mainstream attention and financial backing make it look very likely to eventually achieve mass adoption, particularly for gamers. However, given that more established and mature applications of blockchain technology still face security issues, the relatively new metaverse space needs to address the security risks posed by complex smart contract interactivity before it can be expected to sustainably scale.
The road to the metaverse
The internet has come a long way over the last three decades. It all began with what we now call Web1, the early days of basic text, images and links. By the early 2000s the internet began to shift into Web2, dominated by streaming entertainment and social media. Now, we’re at the dawn of Web3.
This new era of the internet is built on top of decentralized technology, allowing for the free movement of data and value across multiple interconnected networks.
One of the promises of an open and decentralized blockchain economy is that of empowerment for the individual, allowing each person to take control of their own finances and profile information.
The sum of these Web3 services, as well as the virtual worlds that are starting to be built on top of them, is collectively known as the metaverse. Right now we’re just at the cusp of this movement, but it holds potential for becoming the standard way that people engage with shopping, entertainment, and socializing online. The vision is inspiring, but in practical application, there are still unsolved issues to address regarding securing this brave new world.
Opportunity comes with responsibility
With this unprecedented level of control and flexibility comes new risks. While users should have unfalsifiable control over their own data and assets, there are still places where issues could arise in the underlying code, known as smart contracts.
The promise of smart contracts is true decentralization, allowing users to rely on logic rather than needing to put trust in a central authority. Because of the power invested in smart contracts, their logic needs to be flawless, lest exploitable glitches arise and put user funds at risk. This isn’t unprecedented, particularly for contracts holding a large balance, and recently a major hack occurred on the BNB Token Hub, a bridge between the BNB Beacon Chain and the Binance Smart Chain.
Approximately half of all DeFi hacks are from cross-chain bridges, as these tend to be complicated and have the additional requirement of maintaining a constant reserve of funds, making them prime targets for exploitation.
Additionally, any oversight in the smart contracts of a bridge puts assets on both connected networks at risk. Blockchains themselves are often nearly impossible to successfully attack, but services built on top of them, such as DeFi platforms and metaverse smart contracts, are only as secure as their code lets them be.
When this code has not undergone a thorough security audit, the possibility of an exploitable error is actually quite high. The fact is, if this space is going to expand to become a larger part of everyday life, developers and administrators need to level up their security.
How to truly secure Web3
The first line of defense for securing decentralized services is always going to be a thorough security audit of its smart contracts before it is deployed. Furthermore, before code updates are to be applied, additional audits should also be done.
By hiring third parties to review and re-review all code, the likelihood of a bug or exploit slipping through the net drops considerably. This can go a long way in protecting users and giving them peace of mind when using decentralized platforms that handle real money and highly sensitive information.
Audits can only go so far, however, and the possibility of something going wrong due to an oversight or unforeseen interaction between multiple contracts is still very real. The only solid way to protect users from these types of risks is real-time network monitoring paired with automated risk assessment and flagging of threats, anomalies and other unusual behavior.
Monitoring of this nature lets developers respond to security incidents as soon as they surface as potential threats. When developer teams take such proactive measures, they signal to users and the broader market that they have their best interest at heart, which would be a major advantage given the possibility of crypto regulation and the promotion of security badges and ratings.
The Poly Network’s exploit is just one example where real-time monitoring could have greatly stemmed what was, in this case, an eye-watering loss of $600 million. The exploit occurred over the course of several mined blocks, and so with advanced monitoring in place, functionality could have been halted after the first block, preventing any additional loss of funds.
Continual audit support for various metaverse system components is required. That includes monitoring native metaverse tokens, meta-transaction implementations and additional required dependencies. Because the pieces that make up a metaverse puzzle are intricate and extensive, there is a lot to keep an eye on.
Spotting fraud in real-time
Often, strange transaction activity can be the first sign that something malevolent is underway. For example, if suddenly many large transactions begin moving funds off of a platform, well above the average traffic seen, then at the very least it needs to be looked into more closely, and fast.
Such action can halt attacks before they begin when the warning signs are made apparent. Automated monitoring can send an alert to a team of security experts who can then immediately look closer at the activity and respond appropriately.
Without active observation, these types of events are often only noticed days or weeks later, well after the damage has been done and the attackers have had time to cover their tracks.
There’s far too little of this going on in current Web3 applications, but this needs to change. Users can’t be expected to participate in the metaverse without well-vetted security protocols in place. The practice of auditing has proven essential in deploying existing Web3 services, but when considering the added complexity of metaverse projects, such measures can’t account for all possible variables, especially once code has been deployed and is running in the wild.
That said, automated, 24/7 monitoring of blockchain transactions and smart contract activity can be a powerful tool in dealing with threats as they emerge. This is the model that will make Web3 practical, and safe enough for global adoption, as users will rightly turn their backs on anything less.
This article was written by Stephen Lloyd Webber, a software engineer and author with diverse experience in simplifying complex situations. He is fascinated by open source, decentralization and anything on the Ethereum blockchain. Stephen is currently working in developer relations at OpenZeppelin, a premier crypto cybersecurity technology and services company, and has an MFA in English writing from New Mexico State University.
This article is originally from MetaNews.