Web3 Security: Securing the Path to Crypto Adoption

Isaiah Washington
Published in The CoinFund Blog
Feb 6, 2023

$3B+ lost to smart-contract exploits in 2022 (Chainalysis) exposes the immaturity of the security landscape and the underuse of security practices in web3. Fundamental differences between web2 and web3 technologies create novel opportunities to both attack and secure the data and assets of users leveraging blockchain. Today, the global cybersecurity market is estimated at about $167B (McKinsey). As web3 moves further along the S-curve of adoption and comes to hold both financial and non-financial data, we expect a web3 security market of at least similar size.

Web3 security is not broken, but underdeveloped. The current ecosystem of semi-mature web3 security companies is nascent compared to the breadth of security solution types in web2. Of all the web3 security companies that have raised a Series A or are above $3M in annual revenue, most are services-based with smart contract audits as the main value proposition. Auditing is a manual process that scrutinizes a project’s code and highlights security vulnerabilities. While auditing is an important pillar of web3 security, there were 167 major hacks in 2022, and half of them were of audited smart-contracts (Beosin Web3 Security Report), demonstrating the need for more security infrastructure and automation.

The Current Web3 Security Landscape

The developing landscape of web3 security companies can be separated into three main categories: auditing, tools, and communities. Within tooling and communities, some of the areas where we see a lot of early activity are secure code development, continuous or runtime monitoring, security bug bounties and competition communities, and transaction security.

Secure Code Development: Security products need to be integrated into the developer flow. Solutions that help developers build with a “security-first” mindset and prevent the deployment of bad code can help make audit-level security more scalable in web3. A great example of a company championing this thesis is CoinFund’s portfolio company Certora, which provides tools for securing smart-contracts with a formal verification strategy designed to minimize smart-contract vulnerabilities before deployment and pre-audit. Other examples of companies pushing the boundaries of innovation here include continuous security dev tools like Enigma Labs, which is developing Dev0x, a developer tool for security product orchestration. There are also transaction and ecosystem testing and simulation tools like Tenderly, Chaos Labs, and Gauntlet. These projects contribute to the developer security toolset by allowing developers to manage and predict smart contract output prior to deployment.

Continuous/Runtime Monitoring: Companies like Chainalysis and TRM Labs have raised a combined $686.5M for post-mortem AML detection, investigation and data analysis. However, there is a gap in the market for runtime monitoring solutions that proactively prevent security exploits. By taking real-time monitoring and adding predictive capabilities for exploit detection and prevention, companies like Forta and Cyvers are building to fill this gap. Forta is a distributed network for continuous runtime monitoring, and Cyvers is a solution that leverages machine learning to continuously monitor multiple networks and automatically detect attacks on behalf of exchanges, custodians, and DeFi protocols. (See also CoinFund’s thesis on AI for more on the intersection of AI and crypto.) After detection, techniques like transaction front-running and automated circuit breakers can be deployed to mitigate asset loss.

Security Networks/Communities: Web3 is driven by community engagement. There are developer communities (e.g. Developer DAO), investor communities (e.g. FlamingoDAO) and infrastructure for financial communities (e.g. SyndicateDAO, Juicebox). There will be winning security solutions and platforms that best aggregate and mobilize security-focused professionals to engage in securing web3. For example, Immunefi, which recently raised $24M for its Series A, has demonstrated the power of leveraging community to secure code for web3 by creating and incentivizing a network of white-hat hackers to identify vulnerabilities and bugs in smart-contracts. To date, Immunefi has facilitated over $65M in bug bounties paid out to ethical hackers. Other early examples like it include Code4rena, Secure3, and PwnedNoMore. Forta’s distributed network incentivizes a network of security professionals and hobbyists to build and deploy detection bots, smart-contracts that detect and respond to malicious smart-contracts by alerting the contract’s users or creators. Forta is leveraging its network to create machine learning-based solutions to detect malicious smart contracts.
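To make the runtime-monitoring and detection-bot ideas above concrete, here is an added illustration (not code from this post, from Forta or from Cyvers) of a minimal rolling-window outflow rule paired with a circuit-breaker action; the vault address, thresholds and transfer events are all constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    """One token transfer event, as a monitor would receive it from a node."""
    block: int
    token: str
    sender: str
    receiver: str
    amount: int  # token base units

VAULT = "0xVAULT"  # hypothetical monitored protocol vault address


class OutflowMonitor:
    """Flags abnormal net outflow from VAULT within a rolling block window."""

    def __init__(self, tvl, window_blocks=5, max_fraction=0.10):
        self.window = window_blocks
        self.max_out = int(tvl * max_fraction)  # outflow allowed per window
        self.recent = deque()  # (block, signed amount) still inside the window
        self.paused = False

    def handle(self, t):
        """Feed one transfer; returns an alert dict if the rule fires, else None."""
        if t.sender == VAULT:
            self.recent.append((t.block, t.amount))
        elif t.receiver == VAULT:
            self.recent.append((t.block, -t.amount))
        else:
            return None  # transfer does not touch the vault
        while self.recent and self.recent[0][0] <= t.block - self.window:
            self.recent.popleft()  # drop events that fell out of the window
        net_out = sum(a for _, a in self.recent)
        if net_out > self.max_out and not self.paused:
            self.paused = True  # circuit breaker: stand-in for calling pause() on the contract
            return {"block": t.block, "net_out": net_out, "action": "pause"}
        return None


def run(transfers, tvl):
    """Replay a transfer stream and collect every alert the monitor raised."""
    mon = OutflowMonitor(tvl)
    return [a for a in (mon.handle(t) for t in transfers) if a]

# Constructed sample: routine withdrawals, then a drain spread over two blocks
SAMPLE = [
    Transfer(100, "USDC", VAULT, "0xA", 50_000),
    Transfer(101, "USDC", "0xB", VAULT, 20_000),
    Transfer(103, "USDC", VAULT, "0xC", 40_000),
    Transfer(110, "USDC", VAULT, "0xDRAIN", 600_000),
    Transfer(111, "USDC", VAULT, "0xDRAIN", 700_000),
]
```

With a TVL of 10,000,000 the 10% window limit is 1,000,000, so the two drain transfers together trip the breaker at block 111 while the earlier withdrawals do not.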

Consumer and Institutional Transaction Security Solutions: User-facing transaction and wallet security products that are purchased by the user of a dApp/protocol will play an important role in web3 asset security for both individuals and institutions. Solutions can also be sold to wallets themselves as a way to make the overall experience of using the wallet safer. While wallets can also build security functionality into their products themselves, security-focused solutions that build a technological moat by using proprietary algorithms to detect risk and make integration as easy as possible will stand out above the rest and make a strong case for buying rather than building. One great example of a company building in this direction is Redefine, which provides real-time transaction risk assessments and alerts that are informed by a combination of real-time transaction simulation and monitoring mechanisms and are delivered directly to the entity most incentivized to protect funds, the user. Some other “firewall” type solutions protecting the transactor specifically include Shield, Hexagate and Web3Builders’ TrustCheck.

Going Beyond Auditing: Oftentimes major auditing firms recognize the need for productization to expand their offerings and make their companies more scalable. Halborn, though focusing mainly on manual audits today, is building with the intention of bringing process automation tools for auditing and devops to the market. Companies like Quantstamp and Sherlock, a CoinFund portfolio company, are taking another approach by exploring the intersection of security auditing and asset insurance.

What is important in web3 security?

At a high level, there are a few key thesis points that drive my thinking toward web3 security development:

  • Identification of key security stakeholders: Web3 introduces a fundamental shift in how we think about the target market of security products and services. Developers and projects, motivated by web3 product adoption, and users, motivated to protect their assets, are the most important security solution customers. This is different from web2 where businesses were legally and economically liable for the protection of user data. In a world where users own their own data, they also inherit the challenge of protecting it and will use the most secure protocols and new products that allow users to secure their own assets directly.
  • Prevention, mitigation, and response: Security is a layered approach (IBM) and there is a need for continuous and proactive security strategy that is not accomplished by today’s (almost exclusive) focus on pre-launch auditing in web3. Code can never be completely vulnerability-free, which makes real-time exploit mitigation and response necessary in web3 as it is in web2.
  • A combination of traditional security and web3 expertise: Security is historically a very challenging and crowded market where the talent and strategy of hackers is constantly evolving. Despite the many thousands of security startups in the market, only a handful have reached break-out potential. Malleable and fast-iterating founders who intimately know both traditional security and the developing web3 security landscape are most attractive. Though web3 is novel, fundamental security problems and solutions are well-understood. Therefore, security researchers who have spent years understanding vulnerabilities in technology will lead the way to securing web3.

What We Look For in an Investable Security Opportunity

At CoinFund, we invest in companies that are making blockchains easier to build on, use, and access safely. Scalable solutions, products, and networks that push web3 security forward are important pieces of that vision. The teams that are most attractive from an investment perspective are those with (1) deep web2 security expertise as well as a cryptonative view, (2) an ability to identify “who cares” most about the security they provide and to effectively sell to those stakeholders, be they protocol developers or institutional and individual users, and (3) a product or network that can scale in line with the underlying technology’s ability to serve clients.

In the web3 security market, as was the case in web2 security, thousands of solutions will be created. However, comparatively few will scale to be billion-dollar businesses, and CoinFund aims to partner with founders whose eyes are set on becoming industry-leading standards as the security market for web3 technology develops. We want to invest in teams that are expanding the web3 security stack. If you are building a developer tool to help devs build with a security-first mindset, a solution that helps expand the security focus from prevention into mitigation and response, or a tool to help everyday blockchain users protect their assets, we are looking for you.

There are many areas of web3 security that we left out of this post. Secure key management, secure custody, and privacy are deep in and of themselves. What is most important in web3 security to you? I’d love to hear it in the comments or in my DMs. Also, if you are building a solution in the web3 security space, I’d love to chat. Cheers!

TG: @isaiahwash

Email: isaiah@coinfund.io

[Thank you to the CoinFund team as well as Mooley Sagiv (Certora), Jesse Tasman (Redefine), Don Ho (Quantstamp), Catrina Wang (Protocol Labs), and others for helping me refine my thoughts]

The views expressed here are those of the individual CoinFund Management LLC (“CoinFund”) personnel quoted and are not the views of CoinFund or its affiliates. Certain information contained herein has been obtained from third-party sources, including from portfolio companies of funds managed by CoinFund. While taken from sources believed to be reliable, CoinFund has not independently verified such information and makes no representations about the enduring accuracy of the information or its appropriateness for a given situation. In addition, this content may include third-party advertisements; CoinFund has not reviewed such advertisements and does not endorse any advertising content contained therein.

This content is provided for informational purposes only, and should not be relied upon as legal, business, investment, or tax advice. You should consult your own advisers as to those matters. References to any securities or digital assets are for illustrative purposes only, and do not constitute an investment recommendation or offer to provide investment advisory services. Furthermore, this content is not directed at nor intended for use by any investors or prospective investors, and may not under any circumstances be relied upon when making a decision to invest in any fund managed by CoinFund. (An offering to invest in a CoinFund fund will be made only by the private placement memorandum, subscription agreement, and other relevant documentation of any such fund and should be read in their entirety.) Any investments or portfolio companies mentioned, referred to, or described are not representative of all investments in vehicles managed by CoinFund, and there can be no assurance that the investments will be profitable or that other investments made in the future will have similar characteristics or results. A list of investments made by funds managed by CoinFund (excluding investments for which the issuer has not provided permission for CoinFund to disclose publicly as well as unannounced investments in publicly traded digital assets) is available at https://www.coinfund.io/portfolio.

Charts and graphs provided within are for informational purposes solely and should not be relied upon when making any investment decision. Past performance is not indicative of future results. The content speaks only as of the date indicated. Any projections, estimates, forecasts, targets, prospects, and/or opinions expressed in these materials are subject to change without notice and may differ or be contrary to opinions expressed by others.


Isaiah Washington is a self-proclaimed dEconomist who works as an Investment Analyst on the Investment Team of CoinFund.