Experts from leading institutions discuss Web3 security practices: a review of AWS Web3 Developer Camp 2023
On December 7th, the Web3 Developer Camp, led by Amazon Web Services (AWS) and exclusively supported by the CrossSpace community, was successfully held at the AWS Causeway Bay event venue. As the in-person session of the "Web3 Security" seminar series, the event brought together experts and executives from Web3 security firms, wallets, L1/L2 public chains, cloud services, exchanges and investment institutions to share on stage, making for a Web3 security conference full of substantive content and lively discussion.
As a leader in the global cloud services market, AWS has been paying attention to and actively exploring security practices in the Web3 industry. By taking the lead in organizing a series of security activities, AWS hopes to help improve the awareness of industry practitioners on security, build a sustainable Web3 ecosystem, and lay the foundation for the healthy development of various tracks in 2024. The conference was attended by experts and panelists from a number of industry leaders, including (in no particular order): Beosin, Conflux, Hashkey Exchange, OKX Wallet, Polkadot, Scroll, SlowMist, SNZ Capital, and Taiko.
At the beginning of the article, let’s review the hot topics of the roundtable at this event. In this session, we invited executives and experts from leading Web3 institutions Taiko, Hashkey Exchange, Beosin, and SNZ Capital to talk about how their projects are implementing the Web3 security mission, and we were also fortunate to hear Conflux and Scroll, the popular L1/L2 public chains, share their technology and ecological development roadmap for 2024 offline for the first time.
From left: Leon, CEO of CrossSpace (moderator); Michael, Investment Manager at SNZ Capital; Terence, Chief Strategy Officer of Taiko; Ming Wu, CTO of Conflux; Marcus Liu, Head of Growth for Asia Pacific at Scroll; Vincent Wong, Director of Exchange Product at Hashkey Exchange; and Eaton, Security Researcher at Beosin.
Roundtable Hot Talk: What security matters should Web3 projects pay attention to?
In the course of development, Web3 projects are prone to blindly pursuing market expansion while ignoring basic security, and a number of large-scale on-chain fund theft incidents this year have sounded the alarm for Web3 practitioners. Eaton, a security researcher at Beosin who has been deeply involved in the security field, gave these suggestions to project teams: "The project team needs to learn to use AI and audit tools to speed up the review process and detect contract vulnerabilities at the beginning of operation, so as to save audit time and solve complex business logic problems. During the project development phase, the team needs to ensure the accuracy of the business logic, focusing on testing and using a test-driven development approach. At the same time, it is important to be cautious about integrating third-party applications to prevent the introduction of unknown security vulnerabilities. After the completion of the project, it is highly recommended that the project team hire a professional audit team to conduct an audit to help identify and resolve potential vulnerabilities to ensure the security of the project."
SNZ Capital has extensive experience in investing in Web3 infrastructure and application projects. Michael, Investment Manager, also expressed the importance SNZ attaches to the safety of its portfolio companies: "Security is of paramount importance to SNZ and is an important consideration in our investment strategy. To this end, we have established partnerships with security companies to provide a full range of security services to the development teams of our portfolio projects. In addition to security management in the infrastructure and middleware space, we also provide post-management services for these companies, ensuring that they receive the services of security vendors we are familiar with. We require our portfolio companies to prioritize security in their business strategies and understand the importance of security audits, including real-time fraud, vulnerability monitoring, and compatibility assessments, to ensure security by design."
Roundtable Hot Talk: How does a well-run Web3 project carry out security practices?
As a fast-growing open-source ZK-rollup in the ETH ecosystem, Taiko ensures its security through its fully decentralized architecture and multi-validator participation in verification. Terence, co-creator and chief strategy officer of Taiko, said in the roundtable: "Taiko is a Rollup layer 2 network equivalent to ETH, with a fully decentralized architecture. Its strengths include open source, community building, and security, and it is committed to ensuring the quality and security of the code through the participation of global contributors. Taiko is currently on a testnet with more than 10,000 proposal and validator nodes, and this number is expected to continue to grow. This means that users don't need to trust Taiko, and we don't have a centralized sequencer, which is an important feature that differentiates us from other layer 2 networks."
As a licensed virtual asset exchange in Hong Kong that deals directly with investment users, Hashkey has been expanding its product range recently, and maintaining the confidence and trust of customers is one of its top priorities. "Hashkey Exchange is committed to strictly adhering to the custody policy set by the SFC. 98% of assets are safely stored in cold wallets, while only 2% are stored in hot wallets to ensure a high level of security of assets. In order to further protect the rights and interests of investors, we have established partnerships with insurance companies such as AON and OneDegree to provide users with additional insurance protection." Vincent Wong, Director of Product at Hashkey Exchange, further shared, "Hashkey Exchange starts with KYC verification to ensure that our customers are legitimate and authentic. At the same time, we provide a password reminder function and require users to change their passwords regularly to enhance the security of their accounts. In addition to this, we will also provide educational materials to our customers, inviting them to learn, research and understand blockchain knowledge and related facilities. In these ways, we hope to be able to build long-term trust and relationships with our customers, ensuring that they feel safe and protected when trading with our platform."
Roundtable Hot Talk: Technology development and ecosystem support at leading Layer 1/2 public chains
As a leading Layer 1 public chain, Conflux recently announced its developer roadmap for 2024. CTO Ming Wu shared several directions in which Conflux plans to improve the developer experience: actively looking for programmable data availability solutions that let smart contracts interact with independent DA layers for efficient storage and retrieval of large-scale state; integrating an AI platform into Conflux and positioning the chain as its incentive layer; exploring heterogeneous virtual machine architectures to improve scalability and expand the ecosystem; and researching the integration of multi-party computation (MPC) to enhance privacy protection and anti-MEV capabilities. "We look forward to making our technology more mature and practical in the next few years by improving the performance of the system to adapt to more application scenarios," said Ming Wu.
Scroll, another Layer 2 public chain that recently launched on mainnet, also shared its recent ecosystem security practices. Marcus Liu, Head of Growth at Scroll Asia Pacific, said: "In terms of security, the main source of security for Scroll comes from our ZKP, which uses ZK's mathematical principles to ensure that ZKEVM is a safe and trustworthy operation result, and will be uploaded to ETH as a first-layer chain for ZK Proof verification. In addition to strict audits of all contracts and circuits, Scroll has also opened up the Bug Bounty program to work with community members to strengthen security in the spirit of open source. The next steps in the Roadmap for Decentralized Prover and Decentralized Sequencer can also enhance the decentralization and security of Scroll."
In addition to the roundtable session, AWS's "Web3 Ethical Hacking and Best Security Practices" training and the substantive talks from security firm SlowMist, next-generation public chain Polkadot, and Web3 application OKX Wallet are also worth revisiting. Next, let's get closer to the front line of security through the session notes, covering security risk categories, practical security strategies, application-side security, and ecosystem development security.
Smart contract vulnerabilities remain among the top three hacker attack categories of 2023
Smart contract vulnerabilities continue to be one of the most common types of hacking in 2023. According to security firm Beosin's security report for the third quarter of this year, contract exploits are the third most common attack category after private key leaks and database attacks. The 22 contract exploits resulted in a total loss of approximately $93.27 million. Broken down by vulnerability type, re-entrancy vulnerabilities caused the most losses: about 82.8% of the losses in contract vulnerability events came from re-entrancy vulnerabilities.
AWS Web3 Solution Architects David Sung and Gong Tao shared three types of hacking incidents that are commonly seen in smart contracts, including re-entrancy exploits. In this attack category, an attacker exploits a vulnerability in the contract to re-enter the same function before the first invocation has finished updating the contract's state, resulting in multiple transfers or consumption of the contract's funds. This attack is usually due to a flaw in the design of the contract or a lack of adequate defensive measures. Since re-entrancy attacks pose a serious threat to the security and stability of smart contracts, defending against them should be treated as a critical task when developing smart contracts.
The other two common types of attack are delegatecall attacks and integer overflow/underflow attacks. Delegatecall is designed to facilitate code reuse: the EVM provides an opcode, DELEGATECALL, that executes the bytecode of a target (callee) contract within the storage context of the calling contract. Therefore, a malicious target contract can directly modify (or manipulate) the state variables of the caller contract. Integer overflow and underflow attacks occur when the result of an arithmetic operation falls outside the range of a Solidity data type, resulting in unauthorized manipulation of its state variables.
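As an added illustration of the three contract-level attack categories described above (this is example code written for this page, not code from the event, from AWS, or from Beosin), the following Solidity 0.8 source shows a minimal Ether vault twice: first with the re-entrancy defect (the external call happens before the balance update), then hardened with the checks-effects-interactions order and a mutex. A second contract shows delegatecall restricted to an audited library fixed at deployment time, and the comments note how Solidity 0.8's checked arithmetic covers the overflow/underflow category. Contract and function names are my own.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// VULNERABLE PATTERN (kept deliberately): the external call runs before the
// balance is zeroed, so a contract that receives the Ether can call
// withdraw() again while the stale balance still passes the check.
contract VulnerableVault {
    mapping(address => uint256) public balances;

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw() external {
        uint256 amount = balances[msg.sender];
        require(amount > 0, "nothing to withdraw");
        // Interaction first: control passes to msg.sender's receive/fallback.
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
        // Effect last: by now the caller may already have re-entered.
        balances[msg.sender] = 0;
    }
}

// HARDENED PATTERN: checks-effects-interactions order plus a mutex. Either
// defence alone blocks the re-entry; using both is the conservative choice.
contract HardenedVault {
    mapping(address => uint256) public balances;
    bool private locked;

    // Simple mutex: a nested call into any nonReentrant function reverts.
    modifier nonReentrant() {
        require(!locked, "re-entrant call");
        locked = true;
        _;
        locked = false;
    }

    function deposit() external payable {
        balances[msg.sender] += msg.value;
    }

    function withdraw(uint256 amount) external nonReentrant {
        require(amount > 0, "nothing to withdraw");            // check
        // Overflow/underflow category: under Solidity 0.8 this subtraction
        // reverts if amount > balance instead of wrapping to a huge value.
        // Wrapping only returns inside an `unchecked { }` block, so balance
        // and allowance arithmetic must never be placed in one.
        balances[msg.sender] -= amount;                        // effect
        (bool ok, ) = msg.sender.call{value: amount}("");      // interaction
        require(ok, "transfer failed");
    }
}

// DELEGATECALL category: the target's bytecode runs in THIS contract's
// storage, so a user-supplied target could overwrite `owner`. The target is
// therefore fixed at deployment and never taken from calldata.
contract DelegateSink {
    address public owner;
    address public immutable trustedLib; // audited library, set once

    constructor(address lib) {
        owner = msg.sender;
        trustedLib = lib;
    }

    function run(bytes calldata data) external returns (bytes memory) {
        require(msg.sender == owner, "not owner");
        (bool ok, bytes memory out) = trustedLib.delegatecall(data);
        require(ok, "delegatecall failed");
        return out;
    }
}
```

Reading the two vaults side by side shows why the ordering matters more than the mutex: in `HardenedVault.withdraw` the balance is already reduced when control leaves the contract, so a second entry finds nothing to take even if the lock were removed. The `unchecked` comment is the practical takeaway for the overflow category under 0.8.x, and `DelegateSink` shows the one defensible shape for delegatecall: a target chosen by the deployer, not by the caller.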
If you want to learn how to deal with hacking attacks, you can refer to the AWS Web3 Ethical Hacking and Best Security Practices Security Hands-on Course and visit the relevant dedicated page.
Security policies before, during, and after the Web3 project runs
Web3 projects need to be aware of potential security risks from the very beginning of their operation, and security incidents often occur in smart contracts, blockchain wallets, and exchanges. Tony, Head of SlowMist Hong Kong Community, said: "In the face of blockchain security incidents, SlowMist will provide solutions from three stages: before, during, and after the incident. The project team can assess the potential risks in terms of safety according to its own stage of development.
Before a security incident occurs, the project team can conduct a comprehensive test of potential security risks. At this stage, SlowMist's Red Teaming test can help the project team evaluate potential attacks through real vulnerabilities in areas such as enterprise personnel, enterprise business systems, enterprise supply chains, enterprise office systems, and enterprise physical security, and provide customized security defense solutions to prioritize the protection of vulnerable nodes and increase the cost to attackers.
In the event of a security incident, the project team should strengthen the real-time monitoring of on-chain and off-chain security, and cooperate with security companies to discover and respond to potential security threats in a timely manner. After a security incident occurs, defensive actions should be taken immediately, such as using SlowMist's emergency response support services and on-chain and off-chain tracking and investigation services to defend against attacks in a timely manner and find out the root cause of the incident."
Considering that many Web3 project teams need to design for security at the code design stage, rather than relying only on short-term guidance from security companies, SlowMist has open-sourced its Web3 project security practice requirements on GitHub, listing in detail the security risks that need attention in the development environment. This effectively encourages project teams to build and improve their own security systems based on these requirements, and to retain their own security capabilities after the security audit is over.
Actively embrace cutting-edge technology to create secure Web3 applications
With the maturing of the underlying blockchain technology, more and more Web3 front-end applications have emerged, and OKX Wallet is undoubtedly a product with an excellent user experience. As an application that faces end users directly, how does it improve the user experience while ensuring the security of user funds and data? Darrel Wang, Product Manager of OKX Wallet, shared their approach from three angles: security hardening at the system level, full-stack security capabilities, and active adoption of cutting-edge security technology. Here is what he shared:
First of all, OKX Wallet has been hardened at the system level to ensure that products related to users' assets have financial-institution-grade security. By strengthening the security of the application, we strive to prevent hacking and ensure that users transact in a secure environment.
Second, OKX Wallet focuses on full-stack security capabilities. From node services and block explorers to user terminals, complete upstream and downstream service capabilities ensure product compliance and strong end-to-end security. For example, the proactive risk warning function in the product warns users about phishing websites, further protecting users' assets.
Thirdly, OKX Wallet emphasizes innovation and actively embraces cutting-edge technology. This year, it launched a smart contract account based on the Account Abstraction Protocol (EIP-4337), which greatly improves the wallet's security management capabilities. Its MPC keyless wallet uses multi-party secure computation technology to remove the single point of failure of a lone private key, so users need not fear losing a private key.
OKX Wallet positions itself as a technology company, not a financial company. Their goal is to solve problems from the perspective of the core principles and technologies of the product, and to bring users a safe and convenient digital transaction experience.
Substrate Framework Helps Developers Build More Secure Blockchains
Many developers are familiar with Substrate, an open-source, modular, and extensible framework for building blockchains. The Polkadot Relay Chain itself is built with Substrate. So, how does Substrate provide security for developers in this ecosystem? Jimmy, a core developer in the Polkadot ecosystem, pointed out at the event that under the Substrate framework developers can use pre-built components (pallets) provided by Parity's professional engineers, that runtimes can be upgraded on the fly without a chain fork, and that a variety of consensus mechanisms are available, achieving interoperability and security between different chains.
Jimmy further noted that Polkadot's core goal is to enable cross-chain interoperability and scalability of the blockchain. Polkadot connects different blockchains so that they can communicate with each other and work in harmony. This architecture allows for data exchange and value transfer between different blockchains, improving the efficiency and scalability of the entire network. Its architecture consists of a relay chain and parachains, where the relay chain is responsible for verification and security, and the parachains provide specific functions. In addition, Polkadot focuses on the trade-off between the three key attributes of scalability, security, and decentralization, and adopts a unique architectural approach and bridging technology to achieve the safe and efficient transfer of assets.
Web3 project teams need to make good use of cloud infrastructure, focusing on service range, security and flexibility
Cloud services are a particularly important piece of underlying infrastructure for Web3: exchanges, public chains and front-end applications are all inseparable from cloud services. For Web3 projects, the service range, security and flexibility of the cloud platform are particularly important. AWS is a "household name" cloud service provider in Web3, and David David, AWS Solution Architect, addressed these three aspects at the event.
In terms of service categories, AWS is the world’s most widely adopted cloud platform, offering more than 200 feature-rich services, including globally distributed data centers, to meet the unique infrastructure needs of various Web3 companies. AWS serves many Web3 projects, and the seven most widely used AWS services include: EC2 (Nitro Enclaves), KMS/CloudHSM, API Gateway, S3, Elastic Block Store, Shield Advanced, and WAF.
In terms of security, AWS has been committed to providing security, compliance, and governance services for project parties. With the AWS Nitro System, security is built into the chip level, continuously monitoring, protecting, and validating instance hardware, minimizing the potential attack surface. AWS also supports more security standards and certifications than any other cloud provider. Among them, Nitro Enclaves combined with KMS/CloudHSM provides Web3 BUIDLers with the best cloud-based private key security management solution and is widely adopted in the industry, while Shield Advanced and WAF provide security protection for dApps, Node, and various Web3 infrastructure layers.
In terms of flexibility, AWS provides project owners with a variety of service categories and pricing options for different products to help them optimize costs. David adds, "We offer a wide selection of analytics and machine learning services to meet virtually all of your project's data analysis needs. From data movement, data storage, big data analytics, log analytics, streaming analytics, business intelligence, and machine learning (ML), we give you the flexibility to choose services to reduce costs."
AWS provides further material on how to build secure cloud applications on AWS and on the support it offers the Web3 ecosystem.
The above is the essence of this event, and we hope it inspires Web3 BUIDLers and developers. We sincerely hope that the Web3 ecosystem can usher in the next stage of rapid growth with a continuously strengthening security consensus across the industry, and CrossSpace will continue to work with AWS, high-quality security companies in the industry, and Web3 ecosystem participants to bring more sharing activities to everyone.