Intro to Web3 security
Web3 is the decentralized Web. But while this is the ethos behind Web3, “decentralization” is still a bit abstract. For all intents and purposes, today’s decentralization means that sites and apps live on blockchain networks instead of centralized servers (as they do in Web 2.0). While Web3 is not necessarily reliant on crypto and blockchain networks, today the concept is almost indistinguishable from the tech that powers it.
Web3 is an innovation built on new technologies that bring both unique benefits and risks. Web3 is intended to be transparent, resistant to censorship and, most importantly, decentralized. It’s this decentralization that presents an important tradeoff: there’s more personal risk and responsibility for users.
In its ideal form, Web3 wouldn’t rely on any central authorities or servers, and users wouldn’t have to trust as many third parties. But Web3 as it exists today doesn’t eliminate trust or reliance on central authorities altogether. These days, just going online requires some element of trust: that sites and apps and hardware do what they say they’ll do, that they’ll safeguard our data, our money, our identities. This was true in Web 2.0, and it’s true in Web3. So maybe it’s better to define Web3 by saying it attempts to introduce a new trust model: one where trust is minimized, and placed more in business processes (often called protocols).
Web3 users must trust the code that makes up blockchain networks, crypto wallets, governance processes, and the smart contracts that decentralized apps (DApps) are built on. Web3 isn’t completely decentralized or “trustless,” then. But those are core end goals of Web3 proponents. And it’s improving by the day.
In this short article, we’ll discuss the security risks that remain. And how to protect yourself in Web3.
Systematic risks in Web3
Systematic risk refers to broad, ecosystem-wide risk that’s mostly out of a user’s control. Some examples of systematic risks in Web3 include:
- Widespread economic downturn or crypto market volatility (which can affect the blockchains that power most of today’s Web3 DApps)
- Legislation that’s unfavorable to Web3 or the crypto market (which, again, will have a trickle-down effect on most Web3 DApps)
- Traffic blocking, takedowns, or other censoring from some still-centralized Web3 services (e.g. node providers)
- Technical failures with blockchain networks (e.g. node operators are untrustworthy, or a network is attacked by malicious actors)
While market volatility is common, most major blockchain networks (like Bitcoin and Ethereum) have been battle tested for years against serious technical failures. In any case, these risks are endemic to the blockchain and crypto industry and, by default, to Web3. There are, however, some risks you can control (or at least reduce).
Addressable security risks in Web3
The more tangible risks that Web3 users should be aware of include:
- Loss of private keys
- Phishing, scams, and hacks that target a user’s crypto wallet or private keys (for all intents and purposes, today’s Web3 treats a crypto wallet like a unique digital passport to entry)
- Smart contract failure and exploits
- Corporate failure with particular blockchain or crypto companies or exchanges that don’t have the same level of government oversight (or protection, as with the United States FDIC) as traditional services
Thankfully, there are steps you can take to protect yourself against each of these risks.
Safeguard your private keys
If you store your assets in a self-custody wallet (as opposed to a centralized exchange), you’ll have sole control over your private keys, and therefore your assets. Most commonly, private keys are backed up with a recovery phrase, a unique set of 12 or 24 words in a particular order that grants access to a crypto wallet address. It’s like a human-readable version of your private keys—and it functions like your bank password. Recovery phrases, just like private keys, grant complete control over the assets in a wallet and must be carefully safeguarded.
Many people store their recovery phrases in a fireproof safe, and record it on something more resilient to damage than a piece of paper (like engraving it on a piece of steel). It may also be wise to store multiple copies of your recovery phrase in different locations, such as a bank safety deposit box or home safe—but each copy must be stored securely, as each physical instance of the phrase increases the chances of theft or compromise.
Protect yourself against phishing attempts, scams, and hacks
It’s also important to protect your private keys and recovery phrases from digital theft—the vast majority of hacks, scams, and phishing attempts in crypto will target your private keys or recovery phrases. If a hacker gains control of either one, they gain control of your assets.
Phishing attempts are the most common way someone will try to gain access to your wallet. You may receive emails or messages from people pretending to be someone else (like a support team member) asking for your private key or recovery phrase. If you’re ever uncertain if a message is legitimate, reach out to the company directly—via Twitter, Discord, or another customer support method—before clicking a link. Scammers may also contact you to say you’ve won a prize (like free crypto), and request your sensitive wallet info. As a rule, you should never share your private keys and recovery phrases with anyone.
One great strategy for keeping your private keys safe from automated attacks and malware is to keep them offline with a self-custody hardware wallet—a method known as “cold storage.” Devices like Ledger and Trezor offer physical, offline storage for your private keys. These devices will securely “sign” (or approve) transactions with your private keys offline. Then you’ll connect the cold wallet to the Internet to broadcast the signed transaction. This way, your private keys are never revealed while you’re online. Hardware wallets are the gold standard for safe, offline crypto storage, but you’ll need to be sure to keep them safe just like a recovery phrase.
Note: Brave will never ask you for your Brave Wallet recovery phrase. Never share this information with Brave or anyone else.
Be cautious of smart contract failure and exploits
The decentralized Web is full of sites and DApps that live on blockchain networks. These networks are built entirely on (or at least have some core logic running on) smart contracts. Smart contracts—blockchain-based programs that execute automatically—are foundational to Web3. They’re also quite new, and can be prone to errors in their code (which, given they execute automatically, can be disastrous). Hackers often look for errors in smart contract code, which they can exploit to steal funds from DApps or their users. Malicious actors might even intentionally develop smart contracts that are designed to drain assets from crypto wallets.
Thankfully, many Web3 developers are highly aware of the importance of airtight code. As with any open-source project, it’s crucial for developers to keep code simple, perform rigorous and regular security audits, and seek formal verification before releasing products to the public—especially when user funds are involved. But of course, most people don’t have the technical expertise to evaluate code to determine if a service or DApp is safe. It’s easy to be caught by attackers trying to steal funds.
So what can you do? A few things:
- Try to stick with well known DApps with a track record of safety
- Try to avoid newer DApps or services that might present more risks
- Double check the URLs for services you use (which can be done during the transaction signing process in Brave Wallet), and consider bookmarking them to avoid being redirected to an imitation site
Watch out for corporate failure
As mentioned in the intro to this article, today’s Web3 exists in an in-between state: Often decentralized, but not always. One way this in-between state presents risk is with centralized Web3 corporations like centralized crypto exchanges (CEXs). When a single entity like this fails, it can bring far-reaching volatility to the crypto market, and directly affect its users (think of major examples like Three Arrows Capital, Terraform Labs, and—most recently—FTX). These three examples represent a spectrum of crypto companies (an investment group, a blockchain development team, and a CEX, respectively) with a common thread: they were centralized companies playing in the decentralized, Web3 space. And they all collapsed, leaving investors and users to deal with the fallout.
As with any other corner of the Internet, there are bad actors in Web3. Where possible, you should try to stick with large, reputable Web3 companies. Of course, even some of the biggest names in crypto have fallen, and there’s no guarantee that a service is safe just because it’s popular.
If you want to avoid this type of risk altogether, consider self custody. Again, Web3 doesn’t eliminate risk altogether. But it does give you a choice to decide who you want to trust.
General Web3 security tips
In general, many security best practices from Web 2.0 translate to Web3:
- Use two-factor authentication (2FA)
- Create strong (i.e. longer) passwords
- Don’t reuse passwords between services
- Be wary of scams and phishing attempts, and check the source before you download
Another wise strategy is diversification. By diversifying your crypto assets between self-custody wallets, CEXs, and offline hardware wallets, you reduce the likelihood that a crash in one will harm your holdings in another. Similarly, when using DApps, you can diversify which smart contracts and platforms you use, not depositing all your funds into any one protocol.
Web3 gives you a real chance to be your own custodian and take control of your assets. But that means being aware and cautious, too. Everything we do online involves some element of trust, of not knowing. While Web3—like Web 2.0—isn’t there yet, the core ethos of Web3 is to minimize this element of unknowing, and to make everything more open and verifiable.
For those interested in trying self-custody for the first time, or those looking for Brave-level protection in their wallet, try Brave Wallet. It’s a browser-native wallet that raises the bar for privacy and security in crypto self-custody.
Ready to Brave the new internet?
Brave is built by a team of privacy focused, performance oriented pioneers of the web. Help us fix browsing together.Download Brave