Source: news.google.com
While the third quarter of 2022 saw losses fall by almost a third compared to the previous quarter, more than $500 million was still lost from Web3 protocols over the course of the last three months. Exit scams and flash loan attacks are two of the most common yet preventable types of exploits we see. Unfortunately, there has not been a reduction in the frequency of these incidents in recent months.
But let’s step back for a second. At this point, it has become a cliché to say that the Internet has revolutionized almost every facet of our lives. Since the launch of the World Wide Web to the general public in the 1990s, the way we work, learn, communicate, buy, sell, and entertain ourselves has permanently changed. Such rapid and radical change has not been without its teething pains as we learn to live with and improve the technology we have created.
Enter Web3
Web3 is the latest version of this profoundly revolutionary technology. It promises to rectify many of the problems that have arisen from the corporatization of the Internet over the past two decades.
Blockchain technology has the potential to give power back to users in a number of important ways. Users can protect their data with nearly impossible-to-crack cryptography, choosing to whom and when they give their information. Arbitrary discrimination will be much more difficult, since all users are equal before the immutable and deterministic law of smart contracts. And residents of underserved communities will gain access to financial products and services that the developed world takes for granted.
But until Web3 manages to solve its serious security problem, this promise will remain unfulfilled.
This is cause for concern, not despair. Addressing the security issues that plague the world of Web3 is the way to go, the way to bring its liberating power to as many people as possible. Harnessing the full potential of Web3 requires everyone in the industry, both users and developers, to take security seriously.
That starts with understanding the magnitude of the problem.
2022 is on track to be the worst year on record for Web3 security. In 2022, more than $2.5 billion of value was drained from blockchain protocols. This is more than double the amount lost in 2021, which was nearly triple the amount lost the year before.
Bridges are still the weakest link
Interchain bridges continue to be one of the biggest sources of losses. The $1.42 billion lost in 2022 in eight separate bridge attacks represents 56% of the losses for the year. And the average loss of $178 million per bridge incident dwarfs the average of $5.83 million lost in non-bridge incidents.
This reflects two fundamental truths. First, there is clearly a huge demand for cross-chain infrastructure. Users want to be able to seamlessly transact across multiple blockchains, taking advantage of the unique value propositions each chain offers. However, it is apparent that many current implementations are not up to the required security standard in the adversarial blockchain space. And since bridges attract such high demand from users, they are also prime targets for attackers looking to maximize their profits from successful exploitation.
The state of cross-chain bridges reflects the state of the industry as a whole. There are a number of innovative technological concepts in production, such as advanced zero-knowledge proofs or sharding, that are not quite ready to go yet. These are new technologies that take time to perfect. Bridges are currently stuck in an awkward middle ground: mature enough to go beyond a simple idea, but not quite ready to secure the large sums they attract.
Lessons (not) learned
In crypto, lessons tend to be learned the hard way. It took just four days from the public disclosure of a vulnerability in a third-party wallet generator tool for it to be exploited to the tune of $160 million. As the saying goes, the worst mistake is the one from which you don’t learn.
These incidents provide valuable lessons for the entire industry, which is why transparency is so important. Fortunately, transparency is one of the founding tenets of Web3, and it’s heartening to see the community come together after an incident to diagnose the vulnerability, rectify it, and make sure it doesn’t happen again.
Still, security is a major bottleneck for the industry and is holding back Web3 adoption. Right now, the repeat losses we see due to insufficiently secure protocols primarily hurt retail users and cryptocurrency businesses.
But the implications are broader. In order for this technology to help as many people as possible, it will need to abstract away the current complexity of navigating the world of cryptocurrencies. This is likely to be done by a new wave of service providers, as well as entrenched organizations that understand the benefits of Web3 and recognize the threat it poses to slow-response incumbents. However, it is difficult to promote the benefits of Web3 for these organizations when there is a non-negligible risk of losing all their money or all their customers’ money.
Again, this should not be seen as a reason to give up; it should be seen as a rallying cry for the entire industry.
The bottom line: ensuring security evolves with technology
Web3 already provides tangible benefits to millions of investors, artists, creators, and economically downtrodden communities. And the future is even brighter: we have barely scratched the surface of what is possible with this new way of organizing productive energies around the world.
Any discussion of security would be incomplete without mentioning projects that take security seriously, protect their users’ funds, and provide real value. These include the blue chip protocols that secure billions of dollars of value and have done so for years without issue.
Even during this market downturn, decentralized exchanges still allow roughly a billion dollars worth of trades every day. And Aave, one of DeFi’s original projects, secures $8 billion worth of value across nearly a dozen blockchains, giving users the power to borrow, lend, and use their capital more efficiently, without having to give their confidential information to an unsafe credit bureau or trusting a potentially discriminatory decision by a mortgage loan officer.
The current prevalence of security incidents is challenging for the industry, but it is more than surmountable. A real and meaningful commitment to security by all involved will ensure that we come out of this battle tougher and better prepared to show the world what a difference this technology can make. It’s a cutthroat, high-stakes environment, but that just means only the strong will survive. And the ones that do are the projects that can deliver real value to real people, even under constant external pressure.
That’s the promise of Web3: user-driven decentralized services that won’t go offline when you need them most. To deliver on that promise, we must continue to raise the bar for security across the industry, to protect today’s users and attract future beneficiaries of this technological revolution.
Ronghui Gu is CEO and Co-Founder of CertiK.