Disclosure: The views and opinions expressed here are solely those of the author and do not necessarily represent the views and opinions of crypto.news editorial.
For most of 2024, I felt like I was living in the future. Google introduced a quantum computing chip that can easily perform calculations that would take a traditional computer longer than the universe has existed. Waymo's autonomous vehicles were transporting more than 150,000 people per week. AI models like AlphaFold continued to solve complex biological challenges with precision.
Despite tremendous technological advances elsewhere, parts of our own industry felt as if they were stagnant, especially when it came to security. While advanced technologies have transformed nearly every industry, web3 security remains frustratingly broken.
The move from the centralized model of web2 to the decentralized architecture of web3 has significantly expanded the attack surface. Decentralization is the backbone of web3's innovation, but it created a security paradox: the same open, distributed structure that gives users freedom also creates a vast, permanently exposed attack surface. With hundreds of billions of transactions per year, the stakes of getting security right have never been higher.
Despite seismic growth in the attack surface and billions of dollars flowing through protocols, our industry still relies on reactive, manual controls as the foundation of security. Once considered the gold standard of web3 security, this approach has proven to be grossly inadequate and outdated. The data confirms this: 90% of contracts that were exploited had passed audits.
Just as web2 software development has evolved to include a range of tools and techniques far beyond manual testing (continuous integration, automated testing, runtime monitoring, etc.), web3 requires a similar transformation in how we approach development and ultimately ship to users.
Web3’s unique challenges
The state of smart contract security is particularly concerning given the level of breach risk in web3. There are three main reasons for this:
Immutability: When you deploy a smart contract, its code becomes permanent. Immutability is a fundamental property, not a bug. Unlike web2 applications, where developers can quickly patch vulnerabilities, fixing a smart contract flaw requires complex coordination across the entire protocol.
Visibility: Compounding this challenge is the public nature of blockchain code: potential attackers can read the source. If vulnerabilities exist, bad actors can (and will) find them.
Direct control over assets: Most importantly, web3 vulnerabilities immediately put real assets at risk. While web2 attacks generally target data, smart contract exploits cause direct and often irreversible financial losses.
What makes Web3 revolutionary—its immutability, transparency, and direct control of assets—is exactly what requires us to completely rethink security.
Why audits alone are insufficient
Let me be clear: I do not oppose audits. They play an important role in shipping secure smart contracts, but they should not be our first and only line of defense. When audits are all we have, users' assets are exposed. Take the Euler Finance hack in 2023 as an example: although the protocol had passed ten different audits, losses exceeded $200 million.
The main problem with relying on manual audits is that even the most advanced auditors cannot catch everything; people make mistakes. Smart contracts are becoming increasingly complex, and each new feature multiplies the potential attack vectors, making it nearly impossible for manual review to identify every weakness. The fact that a project can go through ten different audits and still be hacked proves this point. It is not about the skills of individual auditors, but about the inherent limitations of manual review.
The state of proactive security
In short, our industry's dependence on audits has created what I believe is an irresponsible situation for web3 security: one where proactively securing smart contracts is the exception rather than the rule. Realizing that web3 was innovating while security was being left behind is what led me to launch Olympix in 2022, the first developer-first web3 security platform, which empowers developers to secure code as they write it.
Our goal is to automate as much of the audit process as possible; today we catch 20-50% of vulnerabilities before a project even reaches its first audit. This lets security professionals focus their time on finding the highest-impact and novel vulnerabilities rather than routine problems. And it works: an internal analysis showed that in Q3 2024 alone, $60 million in losses from contracts that had already been audited would have been blocked had the teams used our tools. This includes high-profile hacks like Pendle ($6.5 million) and LIFI ($600,000). But, like audits, advanced tools like Olympix are not a complete solution. Web3's unique challenges require a multi-layered approach that combines proactive, developer-first tools with traditional audits, bug bounty programs, and on-chain monitoring to create multiple layers of protection.
The way forward: From reactive to proactive
Take a look at your approach to security today. Is it based on one-time audits? Does the rigor of your security practices match the complexity and risk level of the project you are deploying? I would guess that for the vast majority, the gap is dangerously wide.
The truth is, we have everything we need to transform web3 security in 2025. The technology is here and the tools to ship smart contracts securely are available; Olympix is one of them.
I firmly believe that the future of our industry will be determined by trust, starting with our ability to protect the assets our peers entrust to us. Yes, web3 is transformative, but it is also unforgiving. With billions of dollars at stake, the stability and longevity of web3 rests on our shoulders. Let’s proactively secure our future.
Channi Greenwall
Channi Greenwall is the founder of Olympix, a proactive security tools company for web3 development that has secured over $10 billion in total value locked across protocols. The platform, which has only been around for a few years, is used by more than 30% of Solidity developers for smart contract security. Prior to Olympix, he engineered mission-critical security infrastructure at JP Morgan Chase and then served as product lead at Security Scorecard. He holds a bachelor’s degree in Computer Science and a master’s degree in Security Engineering from NYU.