Alex Sharata, senior associate at New Enterprise Associates, examines the cybersecurity gaps that are contributing to the frequent hacks, governance issues, and billions in losses within the crypto and Web3 space. It is proving time-intensive and costly to address these vulnerabilities with legacy approaches, underscoring the need for cybersecurity innovation in this market, as well as the potential in Web3-native security tooling.


Why is Web3 cybersecurity such an important category moving forward?

  • The crypto ecosystem is lacking many security standards common within traditional tech, resulting in a massive attack surface. “The traditional cybersecurity infrastructure that exists in the Web2 world has not been ported over to Web3 yet,” says Sharata. The lack of cybersecurity tooling is resulting in software bugs and security gaps, and the resulting losses from attacks are growing exponentially each year, he adds. “These attacks are becoming more prevalent, resulting in end consumers losing hundreds of millions in value.”
  • In addition, crypto exhibits a combination of inherent vulnerabilities. According to Sharata, the most common are exchanges losing control of their private keys, bad code, and governance manipulation. The composable nature of smart contracts (their ability to call into, and be called by, other contracts and outside systems) also makes them inherently vulnerable, because a flaw in one contract is reachable through every contract that integrates with it. “These hacks pose a massive roadblock for widespread adoption of blockchain technology, both for consumers and enterprise,” he says.


What are the business models or applications that might be attached to this category?

  • Bug bounty platforms and chaos engineering solutions are seeing increased traction. Chaos engineering deliberately injects failures into distributed systems in order to find weak points before an adversary does. “Bug bounty platforms like HackerOne have seen a large uptick in smart contract- and crypto-related bounties, and crypto-specific bug bounty platforms like Immunefi have emerged,” says Sharata. Some companies, including Chaos Labs, have tried applying chaos engineering to identify security vulnerabilities.
  • The market is moving toward specialist audit firms, which are still figuring out how to scale. “The manual services market for smart contract-audits has seen the most growth and adoption,” he says. CertiK, OpenZeppelin, and Quantstamp are popular players in this space, although they have yet to figure out how to productize and scale their audits.

What are some of the potential roadblocks?

  • Current audit solutions are cost- and time-intensive. Each audit averages several weeks and costs up to $50K, despite some tech-enabled automation. “The audit firms are not product-first, which makes them incredibly manual and costly,” says Sharata. “Their initial go-to-market wedge has involved offering traditional audit and penetration-test services for crypto projects, which are analogous in approach to Web2 security. In addition to these limitations, audits only provide a point-in-time snapshot of your security posture, which becomes stale quickly and does not allow for continuous vulnerability monitoring.”
  • Standard security workflows are creating friction as they were not designed for modern Web3 environments. For example, “certain NIST standards for security are not directly applicable to blockchain development, resulting in inefficiencies and failures to plug security gaps at the source,” he says.

Hacks, theft, and other illegal activity are leading to a rise in the flow of illicit funds in blockchain markets.

Alex Sharata, via email correspondence:

Security must be the next domino to fall if crypto and blockchain are to become mainstays.

The first domino was compliance, solved with KYC and AML tools like Chainalysis and TRM Labs. Now, there is a new attack seemingly every week, often caused by smart-contract vulnerability, governance manipulation, or oracle failure.

The Axie Infinity breach highlighted the fact that sidechains — networks that connect blockchains — are known security weak points. The breach caused $650M in losses in Ether and stablecoins. The Wormhole DeFi platform was hacked for $325M after a crucial bug fix was uploaded on GitHub, but not deployed.

The crypto toolchain for building and shipping distributed apps is fluid and ever-evolving, which adds to the urgency.

Given that crypto adoption is still in its early innings, investing in crypto security now is also a long-term bet on overall growth of the underlying market. There are over 40 million developers globally, but only a small percentage of those are crypto-focused. You have to believe that this number will continue growing rapidly in the coming years, even with the issues crypto has seen along the way.

It’s true that crypto volatility has an impact here. Whenever we enter into a “crypto winter,” crypto appetite seems to wane. Regardless of market cycles, if you believe that crypto is here to stay, then security will be an important pillar, enabling the next one to two billion users to onboard into the crypto economy.



Watch for momentum to build on the necessity of Web3-native tooling as other approaches fall behind. “Some market participants are likely wondering if crypto-specific security tooling is necessary,” says Sharata. “The question is whether crypto-native security tooling will have sufficient differentiation versus what already exists in the market, and whether some Web2-focused tools will be applicable over time. But, from the looks of it, the existing static- and dynamic-analysis players are largely overlooking crypto because the vast majority of threats are novel. For example, Snyk hasn’t updated their vulnerability database for Solidity’s Integrated Development Environment (IDE) in a while.”

Adjacent markets like cyber insurance could see their revenue opportunities expand. “Crypto-specific breaches can add a new pocket of TAM for the already large cybersecurity insurance market,” he says.


CertiK, Chainalysis, Chaos Labs, HackerOne, OpenZeppelin, Quantstamp, Snyk, TRM Labs

The 2022 EVC List honors the top 50 rising stars in venture capital. Terra Nova’s Thesis Brief series showcases each investor’s insights and category expertise.
