Council Post: Web3 And The Risks To Be Aware Of (2024)

Alexei Dulub is the founder and CEO of PixelPlex, an R&D company powering meaningful digital transformation across industries.

As the Web3 landscape evolves, so does the frequency and variety of Web3 risks.

Having delivered blockchain solutions for 16 years, my team and I have observed numerous cases where both newcomers and seasoned experts have fallen victim to scammers' tactics.

I firmly believe that every Web3 enthusiast should prioritize self-education about the potential risks and embrace strong security practices. This is vital to avoid being tricked by fraudsters and to protect your assets effectively.

As an active member of the Web3 community and someone deeply involved in developing Web3 security tools, I've identified three dangers that I encounter most frequently: phishing, asset risks and smart contract vulnerabilities.

By recognizing these dangers and understanding ways to mitigate them, businesses can empower themselves to navigate the Web3 space with greater confidence and security.

Phishing

Phishing is a type of cyberattack in which fraudsters aim to trick victims into revealing sensitive information. To do this, scammers create clones of reputable websites, launch fake airdrops or pretend to be influential figures in Web3 on social media platforms and forums.

Binance users recently fell victim to this fraud, losing over $450,000 worth of tokens after clicking on a malicious link. All affected individuals were misled by messages they thought were from a Binance representative.

To prevent such incidents, you may want to consider the following security measures:

• Ensure you're visiting the official website and not a look-alike domain. For example, there is a tiny difference between openseea.io and opensea.io, but the consequences for your wallet may be gigantic.

• Opt for a hardware wallet, since it stores private keys offline, providing an added layer of security.

• Be cautious of messages that come out of the blue, especially if they ask you to do something right away.

• Before accepting any airdrop or other offering, make sure to verify its authenticity by checking official channels or reaching out to the platform's official support.

• Enable multifactor authentication, so that even if attackers have your password, it will be difficult for them to log in to your wallet.
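The look-alike domain check from the first item above can be automated. The following is an added example, not part of the original article: it compares a hostname from a link against an allowlist and flags near-miss spellings, trusted names used as subdomains of another domain, and internationalized labels. The allowlist contents, function names and sample hostnames are assumptions made for illustration.

```python
# Added example: flag hostnames that imitate a trusted domain.
TRUSTED = {"opensea.io", "binance.com"}  # assumed allowlist, for illustration


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels only; production code should use the Public Suffix List."""
    return ".".join(host.split(".")[-2:])


def classify(host: str, max_distance: int = 2):
    """Return (verdict, imitated_domain_or_None) for a hostname taken from a link."""
    host = host.strip().lower().rstrip(".")
    domain = registrable(host)
    if domain in TRUSTED:
        return ("trusted", domain)
    # Non-ASCII or punycode labels can hide homoglyphs; send them to manual review.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return ("idn-review", None)
    # A trusted name used as a subdomain of someone else's domain.
    for good in sorted(TRUSTED):
        if good in host:
            return ("lookalike", good)
    # A near-miss spelling of a trusted domain.
    nearest = min(sorted(TRUSTED), key=lambda good: edit_distance(domain, good))
    if edit_distance(domain, nearest) <= max_distance:
        return ("lookalike", nearest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample hostnames.
    for h in ["opensea.io", "www.opensea.io", "openseea.io",
              "opensea.io.claim.example.net", "example.org"]:
        print(h, classify(h))
```

A verdict of "unknown" only means the name does not resemble an allowlisted domain; it is not a statement that the site is safe.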

NFT Risks

Managing Web3 tokens often involves some hidden reefs. In my view, the most common threats include:

Fake Assets

This category encompasses copycat NFTs and fake tokens that exploit the names, logos, visuals and other attributes of the originals. Such assets have no real value and almost no chance of being resold.

The key safety practices allowing you to avoid these scam assets are:

• Investigating the token’s origin to make sure it comes from a reliable project.

• Checking the token’s history and past owners to exclude any suspicious activity.

• Verifying the token’s metadata (the origin details, the creation data and the features) and ensuring that it corresponds with the claimed attributes of the NFT.

Risky Token Approvals

When interacting with Web3 platforms, you are often requested to grant them approvals to some portion of your assets so that they can manage them on your behalf. However, if you give this approval to a fraudulent platform, you could lose all your assets. Additionally, even trustworthy projects can get hacked, putting your digital assets at risk of being stolen by bad actors.

To minimize token approval risks, you may want to consider the following safety practices:

• Avoid granting a site unlimited access; approve only the amount necessary for the transaction.

• Regularly check your token approvals, revoking any that you don't need anymore.

• Avoid granting token approvals to platforms that you do not trust 100%.
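The approval checks listed above can be applied to a pending transaction before it is signed. The following is an added example, not part of the original article: it decodes the calldata of the standard ERC-20 `approve(address,uint256)` and ERC-721/1155 `setApprovalForAll(address,bool)` calls and reports unlimited or excessive allowances and unknown spenders. The function names, the spender address and the sample calldata are constructed for illustration.

```python
# Added example: inspect approval calldata before signing.
MAX_UINT256 = 2**256 - 1
APPROVE = "095ea7b3"               # approve(address,uint256), ERC-20
SET_APPROVAL_FOR_ALL = "a22cb465"  # setApprovalForAll(address,bool), ERC-721/1155


def decode_approval(calldata_hex: str):
    """Decode the two approval calls; return None for any other calldata."""
    data = calldata_hex.lower()
    data = data[2:] if data.startswith("0x") else data
    if len(data) != 8 + 2 * 64:          # selector + two 32-byte words
        return None
    selector, word1, word2 = data[:8], data[8:72], data[72:]
    spender = "0x" + word1[24:]          # address is the low 20 bytes
    if selector == APPROVE:
        return {"kind": "approve", "spender": spender, "amount": int(word2, 16)}
    if selector == SET_APPROVAL_FOR_ALL:
        return {"kind": "approval_for_all", "spender": spender,
                "approved": int(word2, 16) != 0}
    return None


def review(calldata_hex: str, needed: int, trusted_spenders: set) -> list:
    """Return findings for one pending transaction."""
    call = decode_approval(calldata_hex)
    if call is None:
        return []
    findings = []
    if call["spender"] not in trusted_spenders:
        findings.append("spender not on allowlist")
    if call["kind"] == "approve":
        if call["amount"] == MAX_UINT256:
            findings.append("unlimited allowance")
        elif call["amount"] > needed:
            findings.append("allowance exceeds amount needed")
    elif call["approved"]:
        findings.append("operator gains control of every token in the collection")
    return findings


# Constructed sample data: placeholder spender address and calldata.
SPENDER = "0x" + "11" * 20
UNLIMITED = "0x" + APPROVE + "00" * 12 + "11" * 20 + "ff" * 32
EXACT = "0x" + APPROVE + "00" * 12 + "11" * 20 + format(500, "064x")
```

An `approve` call with an amount of 0 is how an existing ERC-20 allowance is revoked, so it produces no findings for an allowlisted spender.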

Smart Contract Vulnerabilities

Since most Web3 operations rely on smart contracts, any flaws in their code can cause major disruptions for both users and Web3 projects.

From my experience working alongside smart contract developers, I've identified two main sources of vulnerabilities in smart contracts.

The first is human error. Even a minor oversight can result in the loss of funds, data breaches or manipulation of the contract's intended behavior. Due to the immutable nature of blockchain, once a smart contract is deployed with such errors, rectifying them can be challenging, if not impossible.

Next in line are logic vulnerabilities. They present a significant threat to the integrity of blockchain systems and their applications, leading to various potential breaches, such as:

Reentrancy Attacks: An attacker can exploit a contract by making repeated calls to its function and withdrawing funds multiple times before the first transaction is recorded as completed.

Integer Overflow And Underflow Attacks: A hacker can manipulate the arithmetic operations of a smart contract in a way that causes unintended behavior, potentially stealing funds or disrupting contract functionality.

Unauthorized Actions: Flaws in access control logic can allow unauthorized actors to perform restricted actions on the contract, like withdrawing funds or changing ownership.
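The reentrancy item above comes down to the order of two steps inside a withdrawal. The following is an added example, not part of the original article and not contract code: a Python model of a vault in which the external call is a callback, showing the vulnerable ordering (pay, then update the balance) beside the hardened one (update the balance, then pay). The class, account names and amounts are constructed for illustration.

```python
# Added example: a Python model of withdrawal ordering, not real contract code.
class Vault:
    """Toy vault; `receiver` stands in for the external call that pays out."""

    def __init__(self, safe: bool):
        self.safe = safe
        self.balances = {}
        self.funds = 0

    def deposit(self, who: str, amount: int) -> None:
        self.balances[who] = self.balances.get(who, 0) + amount
        self.funds += amount

    def withdraw(self, who: str, receiver) -> None:
        amount = self.balances.get(who, 0)
        if amount == 0 or self.funds < amount:
            return
        if self.safe:
            # Hardened order: record the withdrawal, then make the external call.
            self.balances[who] = 0
            self.funds -= amount
            receiver(amount)
        else:
            # Vulnerable order: the external call runs while the balance is stale.
            self.funds -= amount
            receiver(amount)
            self.balances[who] = 0


def run(safe: bool):
    """Return (total paid to the caller, funds left in the vault)."""
    vault = Vault(safe)
    vault.deposit("alice", 90)    # constructed: another depositor's funds
    vault.deposit("caller", 10)   # constructed: the account that withdraws
    paid = []

    def receiver(amount: int) -> None:
        paid.append(amount)
        vault.withdraw("caller", receiver)  # calls back in before withdraw returns

    vault.withdraw("caller", receiver)
    return sum(paid), vault.funds


if __name__ == "__main__":
    print("vulnerable:", run(safe=False))
    print("hardened:  ", run(safe=True))
```

A unit test that asserts the vault's funds always equal the sum of recorded balances catches the vulnerable ordering, which is the kind of invariant the testing advice below calls for.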

To avoid these vulnerabilities, adhering to strict security measures in the design and testing of smart contracts is essential. The most vital ones are:

• Always perform comprehensive smart contract testing to eliminate bugs and unforeseen behavior. Incorporate unit tests, integration tests and stress tests to verify that every component of the contract functions correctly across different scenarios.

