Source: news.google.com
To build secure and resilient Web3 systems, transparency alone is not enough. By placing greater emphasis on simplicity, we can make code peer review more effective and minimize security gaps in the Web3 space.
The rise and fall of security through obscurity
We are used to the intuitive idea that security is somehow intertwined with secrecy. We keep our passwords secret and our valuables hidden. For decades, software engineers followed a similar approach to cybersecurity: the source code of commercial software was kept private, and when a vulnerability was found, a security patch was released. This was, and still is, one vision of security, often labelled "security through obscurity". It asks us to trust that the patches pushed to our computers and phones, without our knowledge or consent, do what they are supposed to do.
Advocates of open source software took a radically different view. They argued that making the code transparent and publicly available would mean that any developer could review and improve it, and would have the incentive to do so. Under those conditions, security issues could be identified, fixed, and the fixes themselves peer reviewed.
The staggering growth of open source systems
Since then, open source software has gained wide market penetration. Although only a small percentage of users run Linux distributions on their PCs or laptops, in the background it quietly powers much of the Internet. An estimated 96% of the world's largest 1 million web servers run on Linux, which also powers 90% of all cloud computing infrastructure. Add Android, which is built on a modified Linux kernel and runs on more than 70% of smartphones, tablets, and other mobile devices around the world, and it is clear that the modern Internet as we know it is hugely shaped by open source systems.
Of course, the ubiquitous presence of open source code also extends to Web3. Public blockchain networks, including Bitcoin and Ethereum, often cite their open source roots.
For Web3 security, transparency alone is not enough
The problem is that greater transparency does not necessarily guarantee greater security. Sure, the popularity of Linux has done wonders for open source code and has certainly improved its security. But are there really many eyes on the blockchain code?
In many respects, scrutiny of open source code is what economists call a public good. Like clean air or public infrastructure, everyone benefits from it and nobody can be excluded from it, so individual users are tempted to consume it without contributing to the cost of maintaining it. In this analogy, "free riding" means using an existing codebase while assuming someone else will invest the effort and time to check it for vulnerabilities.
Last year became known as the year of the cross-chain bridge hacks. Those attacks were clear warning signs that the extensive and loosely coordinated development of a supposedly transparent Web3 is still on a knife-edge.
The advantage of the Web3 development community is its enthusiasm to share, adopt, and build. The downside is the potential for huge damage from the free rider problem. When others' solutions are assumed to be trustworthy and mixed and matched freely, attack surfaces and smart contract dependencies become too difficult to trace. A reasonable skeptic or late adopter might conclude that this open source movement is not like the one before it: very few people are dedicated to making rigorous and diligent contributions, while the rewards go to those who make the boldest and most impressive claims, whether or not the work can withstand scrutiny.
The complexity trap
Complexity bias is a cognitive bias in which people overestimate the usefulness of complex concepts or solutions over simpler alternatives. It is easy to be so dazzled by the apparent technical sophistication of a solution that we never stop to ask whether there might be a simpler way.
Because blockchains are hard to understand, it is easy to get excited about an idea such as a cross-chain bridge and to treat its difficulty as a virtue; let's call that "complicated."
Most blockchain projects, however, are not merely complicated. They are complex, and the distinction matters.
According to the Harvard Business Review, complicated systems have "many moving parts, but they work in a patterned way." A region's power grid, for example, is clearly very complicated and encompasses many constituent parts. Yet those parts tend to act in predictable ways: when you flip the light switch in your living room, you can expect the light to come on the vast majority of the time. If properly maintained, complicated systems can be highly reliable.
By contrast, complex systems are characterized by features that “may operate in a patterned manner but whose interactions are continually changing.” This interactivity makes complex systems more unpredictable. The degree of complexity of a system is determined by three key characteristics: the multiplicity or number of interacting elements, how interdependent the elements are, and the degree of diversity or heterogeneity among them.
In case it needs to be said, almost all bridges and cross-chain solutions are examples of highly complex systems. The losses in the 2022 Wormhole and BSC bridge hacks, $325 million and $568 million respectively, illustrate how much larger the payoff for exploiting a vulnerability can be than any reward for finding and fixing it first.
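The dependency-tracing problem raised above, and the three characteristics of complexity (multiplicity, interdependence, diversity), as an added example that is not part of the original article or of any project it names: a small Python script that resolves a contract's transitive Solidity imports, detects import cycles, and reports a rough number for each characteristic. The file paths and contents are constructed for this example, and the scores are one heuristic reading of the qualitative definitions, not a standard metric.

```python
import posixpath
import re
from collections import deque

# Constructed sample sources (paths and contents invented for this example,
# not taken from any real project). Bridge pulls in a local vault and
# verifier plus two third-party packages; Vault and MessageVerifier import
# each other, which is the kind of interdependence that is hard to see
# when contracts are mixed and matched.
SOURCES = {
    "contracts/Bridge.sol": """
        pragma solidity ^0.8.0;
        import "./Vault.sol";
        import {MessageVerifier} from "./verify/MessageVerifier.sol";
        import "@openzeppelin/contracts/access/Ownable.sol";
        contract Bridge is Ownable {}
    """,
    "contracts/Vault.sol": """
        import "@openzeppelin/contracts/token/ERC20/IERC20.sol";
        import * as Verifier from "./verify/MessageVerifier.sol";
        contract Vault {}
    """,
    "contracts/verify/MessageVerifier.sol": """
        import "../Vault.sol" as V;  // cycle: Vault <-> MessageVerifier
        import "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol";
        library MessageVerifier {}
    """,
    "@openzeppelin/contracts/access/Ownable.sol":
        'import "../utils/Context.sol"; abstract contract Ownable is Context {}',
    "@openzeppelin/contracts/utils/Context.sol": "abstract contract Context {}",
    "@openzeppelin/contracts/token/ERC20/IERC20.sol": "interface IERC20 {}",
    "@chainlink/contracts/src/v0.8/interfaces/AggregatorV3Interface.sol":
        "interface AggregatorV3Interface {}",
}

# The four Solidity import forms: import "p"; import "p" as X;
# import {A, B} from "p"; import * as X from "p";
IMPORT_RE = re.compile(
    r'^\s*import\s+(?:(?:\{[^}]*\}|\*\s+as\s+\w+)\s+from\s+)?'
    r'["\']([^"\']+)["\'](?:\s+as\s+\w+)?\s*;',
    re.MULTILINE,
)


def resolve(importer, target):
    """Relative imports resolve against the importer's directory;
    package imports (e.g. @openzeppelin/...) are used as-is."""
    if target.startswith("."):
        return posixpath.normpath(posixpath.join(posixpath.dirname(importer), target))
    return target


def build_graph(sources):
    """Map each file path to the resolved paths it imports."""
    return {path: [resolve(path, t) for t in IMPORT_RE.findall(text)]
            for path, text in sources.items()}


def transitive_deps(graph, root):
    """Every file reachable from root's imports (breadth-first)."""
    seen, queue = set(), deque(graph.get(root, []))
    while queue:
        node = queue.popleft()
        if node not in seen:
            seen.add(node)
            queue.extend(graph.get(node, []))
    return seen


def find_cycles(graph):
    """Import cycles via DFS colouring; each back edge yields one cycle."""
    WHITE, GREY, BLACK = 0, 1, 2
    colour = dict.fromkeys(graph, WHITE)
    cycles = []

    def visit(node, stack):
        colour[node] = GREY
        stack.append(node)
        for nxt in graph.get(node, []):
            state = colour.get(nxt, BLACK)  # files we have no source for have no edges
            if state == GREY:
                cycles.append(stack[stack.index(nxt):] + [nxt])
            elif state == WHITE:
                visit(nxt, stack)
        stack.pop()
        colour[node] = BLACK

    for node in list(graph):
        if colour[node] == WHITE:
            visit(node, [])
    return cycles


def origin_of(path):
    """Package scope for third-party code, 'local' for the project's own files."""
    return "/".join(path.split("/")[:2]) if path.startswith("@") else "local"


def complexity_report(sources, root):
    graph = build_graph(sources)
    nodes = transitive_deps(graph, root) | {root}
    sub = {n: graph.get(n, []) for n in nodes}
    edges = sum(len(v) for v in sub.values())
    origins = {origin_of(n) for n in nodes}
    return {
        "multiplicity": len(nodes),                       # interacting elements
        "interdependence": round(edges / len(nodes), 2),  # mean imports per file
        "cycles": len(find_cycles(sub)),                  # mutual dependence
        "diversity": len(origins),                        # distinct code origins
        "origins": sorted(origins),
        "missing": sorted({d for v in sub.values() for d in v if d not in sources}),
    }


if __name__ == "__main__":
    for key, value in complexity_report(SOURCES, "contracts/Bridge.sol").items():
        print(f"{key:16} {value}")
```

On the constructed sample, one bridge contract drags in seven files from three origins with an import cycle between the vault and the verifier, even though nothing in Bridge.sol itself mentions Chainlink or the cycle. Run against a real repository, the "missing" list is the first thing to look at: any import that does not resolve to a file you have reviewed is code you are trusting without having seen it.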
Keep it simple
It feels like Web3 should be complex. It is impossible to estimate the true scale and scope of the new economic activity to come. The Web3 values of individualism and economic inclusion suggest permutations and combinations that will grow with every new participant. Who knows what's ahead? Shouldn't we embrace complexity?
Well yes and no.
The Web3 infrastructure does not have to be unpredictable. In fact, just like the electrical grid, it would be better if it weren’t.
For blockchain architecture to become more secure and genuinely transparent, we must overcome some of the biases we have absorbed. Before chasing the next trend, perhaps we should examine the existing technical debt and aim for simplicity or, at most, a complicated but predictable design, rather than complexity. It takes discipline to build for the ages, in this case, for Web3 and beyond.
Stephanie So is the CEO and Co-Founder of Geeq, a Layer 0, multi-chain, smart contract-less platform. She is a microeconomist and policy analyst.
This article was published via the Cointelegraph Innovation Circle, a vetted organization of top executives and industry experts in blockchain technology who are building the future through the power of connections, collaboration, and thought leadership. Opinions expressed do not necessarily reflect those of Cointelegraph.