
From Hackathon to Hacked: Web3's Security Journey

Conference: Black Hat USA 2022

2022-08-11

Summary

The emerging technology of blockchain and cryptocurrency presents unique security challenges due to inexperienced developers creating financial products on emerging platforms with high public exposure and unexplored attack surfaces.
  • Emerging technology involves a combination of traditional technology experience and something new, leading to a trade-off of known issues for unknown issues and complexities.
  • The blockchain and cryptocurrency space has seen billions of dollars in illicit transactions and theft, leading to increased regulation.
  • Inexperienced developers are creating financial products on emerging platforms with high public exposure and unexplored attack surfaces, which combines a high cost of failure with low exploitation effort and time.
  • Everyone in the space is acting as their own bank, including projects, which leads to high impact when things get hacked.
  • Recommendations include getting security professionals more involved, implementing threat modeling and static analysis, practicing defensive coding, and building a monitoring strategy.
The speaker notes that the community is upset about a cryptocurrency mixer being sanctioned by the US government, since anonymity is important in the space. The problem arises, however, when someone like 'Three Watermelons Guy' takes money during an exploit, because that creates a need for regulation. The speaker also points out that those who collect cryptocurrency and NFTs are making themselves targets, which leads to more attacks.

Abstract

If there's one prediction you can make with certainty, it's that security in the Web3/blockchain space will get a whole lot worse before it gets better. We have the perfect cocktail of inexperience mixed with emerging technology playing out in full public view with large sums at stake and the permanence of immutable transactions. The result is predictable. An environment free from constraints can seem like an innovation paradise, but when the stakes are so high, you have to get everything right the first time because there may not be a next time. We tend to forget that what we see from this space are experiments playing out in production, and the time between exploitation and losing millions of dollars worth of value can be measured in seconds. So, how did we get here? Is it all doom and gloom? What can be done? This talk is a grounded look at the factors contributing to the security failures we've witnessed, free from the hype and hatred associated with the space. We look at the similarities and differences between the development of this new technology and more traditional applications and how some of the attacks manifested. Better testing and tools aren't enough to solve the problem. We discuss actionable steps projects and chains can use today to address these issues and make the ecosystem safer for projects and users.
