Over $2 billion lost in half a year: capital is rushing into the blockchain security sector
From the perspective of the security “guards”, what kind of dilemma does blockchain security face? And how is the industry landscape changing?
Author: Flowie, ChainCatcher
Acala issued over $1.2 billion of AUSD after being attacked, and Solana saw wallets drained on a massive scale… It is no exaggeration to say that more than half of the blockchain industry's headline events are security incidents.
According to Certik's security report, in the first six months of 2022 alone, over $2 billion was lost to hacks, more than the total loss for the whole of 2021.
With so many security incidents, many project teams feel the need to arrange a security audit, which can mean waiting more than half a year. Yet even after the audit is completed, the project still faces the risk of being attacked, as the recent cases show.
Blockchain security is without doubt a rigid demand. The reality, however, is that project teams and ordinary users alike have lost their sense of security.
Against this backdrop, we have observed security service providers swarming into the field. To date, companies including Carret, BlockSec, Secure3, Halborn, and Redefine have raised relatively large amounts of funding, and Certik has raised four rounds in just one year, giving a glimpse of how popular this market is.
In this article, we take the perspective of the “guards” to analyze the plight of the blockchain security industry.
The blockchain security service is still “uncultivated”
Blockchain's wild growth creates huge demand for security, but supply is lagging behind.
The co-founder of BlockSec says, “in the past two years, a smart contract security audit has normally required a wait of 2–3 months, and the security audits of many projects have been scheduled for half a year later.” According to statistics from Chengdu LianAn Technology, in the second quarter of 2022, close to half of the attacked projects had not passed a security audit.
Though security service providers are swarming into the field, in the opinion of Thomas, an investor at YM Capital, “there are not enough service providers with sufficient supply capability and brand influence, with only one or two dozen globally.” According to Zhou Yajin, even though some well-known companies such as Consensys Diligence, Trail of Bits, ChainSecurity, and Certik entered the market early, they do not actually hold a large market share, and the whole market is still very fragmented.
In addition, within each specific sector and direction, current players fail to fully cover the different needs; most are still crowded into the race for security audits, which already have a clear revenue model and good cash flow.
In fact, much like traditional internet security, blockchain security services are broadly divided into to-B and to-C. On the to-B side, a blockchain project's security is split into pre-launch and post-launch: before going on-chain, the work is mainly security auditing of the smart contract code; after going on-chain, it includes real-time monitoring such as attack tracing and threat monitoring. The to-C side mainly involves the security of user assets such as wallets and NFTs.
Zhou Yajin believes that within the entire security service market, important services such as to-B operational security for DApp developers, user wallet security, and NFT security are still largely blank. “Blockchain security services are still almost uncultivated.”
Why has this imbalance between supply and demand become the norm?
It is not hard to understand. First, the open-source nature of the blockchain industry and its current stage of development have driven wild growth in demand.
YM Capital investor Thomas has bet on the blockchain security sector, which he believes “is in greater need compared with traditional internet security.”
For one thing, in such an open-source field most projects' code is open to everyone, which makes it easier for hackers and other technically skilled people to dig out a project's bugs. Also, the low bar for launching a project, the lack of regulation, and uneven project quality all make security audits a pressing need for project teams and users who want to back up their security.
Another pain point of Web3 security compared with Web2 is that attackers can profit directly from exploiting bugs. In the Web2 world, an attacker could profit by shutting down major services, stealing data, or selling malware, but the gains were limited. In Web3, blockchain code connects all kinds of economic and financial scenarios and is directly linked to users' cryptocurrency assets, so a single breach could easily yield millions, if not trillions, of dollars or more for an attacker.
With security becoming a rigid demand, willingness to pay for products is higher. According to data disclosed in Certik's Series B3 funding round, Certik's revenue grew 12-fold and its profit 3,000-fold in 2021.
While the demand side is growing wildly, the supply side struggles to keep up.
The blockchain field is still using methods much like those of the early days of traditional internet security, which required manually matching attacks against local libraries. Even for security audits alone, most service providers can hardly achieve standardization and automation, which leaves supply capacity severely choked by manpower.
Even if we try to solve this by adding manpower, the question remains where to find qualified security audit talent. Contract audits depend on specific business scenarios, so different chains and scenarios demand different auditing skills, which leads to a scarcity of qualified auditors. Many technically capable auditors may prefer to be independent hackers or white-hat hackers, since either smart contract attacks or smart contract bug reporting can yield considerable profits. This year alone, the blockchain industry has already seen multiple bug bounties of more than a million dollars.
Beyond the basic quantitative imbalance between supply and demand, there is a more prominent problem: a structural mismatch between the supply and demand of security resources, leading to low matching efficiency.
When we talk about security, we tend to put most of the weight on the security audit. But many measures such as self-testing, better contract design, code quality improvement, updated bug scanning, and appropriate tools or services can all greatly reduce the auditing workload.
“The status quo of the industry is that many professional security auditors have wasted much energy on fundamental code errors.”
Standardization is the key competence
Against the backdrop of such a blue-ocean market with ample room for imagination and opportunity, we have observed that old and new players alike, beyond basic product iteration, are trying to address two big pain points: one is to promote more standardized and automated products to lower marginal cost and break the development bottleneck; the other is to cover more specific scenarios or specific links in the chain to obtain security funding.
Certik is the most aggressive player in this field. Besides pre-launch security auditing, it has also launched a 24/7 automated monitoring SaaS platform to defend against security threats. OpenZeppelin uses gaming techniques to identify security bugs in smart contracts and provides services such as “Defender” to help projects automate smart contract management and automatic script creation.
BlockSec has just closed a new funding round. Besides pre-launch security audit services, it also provides real-time security monitoring products for projects already launched on-chain.
“Currently, blockchain security audit projects still follow the listing pattern of equity raising. Without a standardized, automated SaaS product, it is almost impossible to go public,” says Mirana Ventures investor Kenneth, who also thinks this is what drives products toward the SaaS model. “The blockchain iterates really fast today, covering many specific scenarios, with many complicated attack events emerging. Some security services provided through SaaS-like software have not been accepted by the market, with most work still done case by case. So this situation provides a great chance for new players to catch up.”
Besides manual auditing, more and more projects are also seeking automated auditing.
For better automation, formal verification is commonly used in the industry. The method defines security rules in advance and then proves that the client's code complies with those rules, preventing security bugs caused by rule violations.
But BlockSec founder Zhou Yajin believes that many security bugs are tied to the specific business scenarios of a smart contract. Simply making the code correct cannot guarantee the contract's security, and formal verification rules have to be formulated for a specific project. So in practice, BlockSec audits code from the perspective of “attacks”, with specific techniques including extraction, analysis, fuzzing, and other integrated approaches.
Go+ Security founder Mike also holds the view that formal verification has not yet clearly figured out how to improve efficiency, making it hard to replace manual auditing. Formal verification accounts for only a relatively small part of the overall auditing process, which is common knowledge in the industry.
Until a sound automation solution emerges, the key competence of traditional auditing companies is their auditing process design. “For example, Quantstamp is doing parallel auditing. Their key to business is to devote enough manpower to full auditing to ensure good security results, and they use service cases to prove their security.”
For to-B security service providers, besides technical capability, branding is also a key competence, including community operation and strategic cooperation; it is important for them to promote their security capability.
Blockchain has taken a totally different path from traditional internet security, which started from to-C security. Blockchain security is still focused on project teams, with less attention paid to to-C services.
However, a few entrepreneurs have chosen the to-C business, and Mike, the founder of Go+ Security, is one of them. Go+ Security covers user risk scenarios through a dynamic risk detection platform that connects to Web3 applications via data APIs and identifies asset or behavior risks in real time, including token checks based on contract inspection, NFT checks, and authorization checks; its services also cover user scenarios such as phishing sites, phishing emails, and community fraud. This provides users with security protection and relieves Web3 of the thorny problem of user-side risk.
Mike thinks that, judging from the experience of traditional internet companies, only a small share of users will pay for security. But Web3 users are more aware of the returns from purchasing security services, much like buying insurance for a car, so security services may become a necessity for Web3 users in the future. The key to Web3 security is security data and traffic, whose business logic differs from the to-B project-based fee pattern: the key is expanding the data scale. The whole technical architecture has to be fast, considering that new attack methods pop up every day. Pinpointing a bug often requires hundreds of strategies in the security engines, so how to identify it accurately within 2 seconds while running ten types of checks is a key question for to-C security. Expanding the data scale relies not only on the product and service but also on the integrated development of the ecosystem.
Whether for to-B or to-C products, standardized or not, Mirana Ventures investor Kenneth believes the key in both cases is talent.
SaaS software also needs talent to develop further, so a project's current ability to develop talent is also very critical. “The founding teams of BlockSec and Secure3 have academic and university backgrounds, are able to train high-end talent for blockchain security, and also have advantages in terms of talent cost.”
Beyond automating, standardizing, and deepening their business, current market players have also adopted some innovative strategies.
Some new auditing companies in North America target segmented auditing, mainly serving innovative businesses such as StepN and BanklessDAO. This niche is a hard nut to crack and a bad deal for traditional auditing companies, requiring a lot of extra work to match such innovative businesses.
Besides, some entrepreneurs focus on specific points such as anti-cheating to provide security services. Many GameFi projects need 50% of their development resources for the anti-cheating layer. This layer may turn into a data service layer that can be integrated through APIs, with a specialized anti-cheating third party helping the project deal with cheating effectively.
Two vague areas: fees and accountability
Besides the problems with product standardization, the fee and accountability distribution patterns are also unclear.
Blockchain projects' high willingness to pay for security services does not mean they are willing or able to pay large sums for it. Even if fixing a bug may protect a great deal of user assets, it is still unclear how much the security service provider can gain from it and how to charge for it.
There are normally three fee patterns for traditional projects. One is project-based or SaaS-based. One is to charge a share of the protected assets. One is to provide security APIs and charge based on the number of API calls. For token-related projects, a built-in token payment pattern may be needed, but there is no mature practice for it yet.
Zhou says code auditing normally charges based on the project's scale and the number of audits. Once a smart contract is launched on-chain, data monitoring takes a subscription model, for example charging by the year. For loss recovery services, besides the subscription pattern, fees are collected as a percentage of however much can be traced back.
But Mirana Ventures investor Kenneth believes that “a clear fee standard is missing in the industry. Though people promote SaaS patterns, fees are still charged case by case. This leads to very imbalanced fee charging, which hinders market expansion.”
Besides the nonstandard fee pattern, if a project that has been audited or protected is still attacked, who is responsible? Currently, most of the attacked projects once had their security audited and updated by well-known security companies, yet they still failed to escape the fate of being attacked.
Kenneth mentions that for traditional auditing services from traditional accounting firms, once a problem arises there is a third party that formulates a set of rules from top to bottom to clarify the responsibilities of the project and the service provider, which does not exist in the blockchain field. “Even if it exists in the future, the imperfection of laws and regulations and the differing rules of different regions will bring tough issues for responsibility auditing and accountability.”
Eco-system building and segmentation would be the great trend
“In terms of market share, blockchain security services and traditional internet security will ultimately have a similar pattern, where a few top vendors lead the entire market.” According to BlockSec founder Zhou Yajin, in the blockchain security field, several top players in auditing will grow up first.
Even if there is a head player, it is likely to be a regional one. In Mirana Ventures investor Kenneth's view, judging from the recent anti-money-laundering sanctions against Tornado Cash, security services will expand from code auditing to other services such as private data, which will be heavily restricted by local policies, making it hard for projects to cross national borders.
As the market landscape matures and stabilizes, YM Capital investor Thomas says that, judging from Web2's development, there will be a large number of merger opportunities in the security business, both horizontal and vertical. In the future, security companies may also break through security boundaries and expand into non-security data businesses.
The status quo reflects the Web2 mentality of many so-called Web3 security companies, which simply carry their Web2 customer targeting over to Web3. YM Capital investor Thomas would expect more Web3-style decentralized companies or organizations, or a decentralized security network across channels.
Go+ Security founder Mike also believes that although there will be several top players in different specific security areas, the whole landscape will look more like an ecosystem than a market monopolized by one top company.
The blockchain security sector is an enormous market. To solve the problem at its root, security auditing companies need to fix bugs before a project launches, and independent researchers such as white-hat hackers should keep digging out bugs under the bounty model after launch. More importantly, we need the synergy of regulatory mechanisms and user education to build a full-cycle, all-round security insurance mechanism for blockchain projects.