Behind the surge in Web3.0 security incidents, CertiK founder Gu Ronghui explains security trends and solutions
The Web3.0 security sector faced unprecedented challenges in 2024. Although the Web3.0 market has seen mainstream financial products such as Bitcoin and Ethereum ETFs gain recognition, the surge in hacker attacks and fraud incidents has made the industry's overall security situation increasingly severe.
To deeply analyze these challenges, the renowned blockchain media BeInCrypto exclusively interviewed Professor Gu Ronghui, co-founder of CertiK, to interpret the key findings of CertiK's 2024 Security Report. Professor Gu shared the key data and trends in the report, revealed the main security threats facing the industry, and proposed corresponding strategies.
The full text of the report is as follows:
What are the reasons behind the surge in Web3.0 security incidents in 2024? Exclusive interpretation by Professor Gu Ronghui, co-founder of CertiK
The Web3.0 sector in 2024 is progressing amid both development and crisis. Although the US has approved the launch of Bitcoin and Ethereum spot ETFs, marking an increase in mainstream acceptance, the industry remains shrouded by the surge in hacker attacks and fraud incidents, with billions of dollars in assets at risk.
To deeply analyze the scale of the security threats, we interviewed Professor Gu Ronghui, co-founder of CertiK. The company's latest Hack3d: 2024 Security Report shows that a total of 760 on-chain security incidents occurred throughout the year, resulting in $2.36 billion in losses, a 31.61% increase from the previous year. Phishing attacks alone accounted for nearly half of the losses, highlighting the urgent need to strengthen overall ecosystem security measures.
BeInCrypto: What are the main reasons why Ethereum has become a prime target for attacks?
Professor Gu: As the most popular EVM-based public chain, Ethereum's prosperity has also made it a prime target for attackers. Its large number of projects and user scale provide more opportunities for attackers.
Furthermore, Ethereum's open and composable ecosystem features, while promoting innovation by developers on existing protocols, may also introduce security vulnerabilities due to the interdependence between protocols. Emerging projects frequently deploy experimental code or protocols that have not been thoroughly tested, further amplifying these security risks.
BeInCrypto: How should the industry respond to the phishing attacks that caused nearly half of the losses in 2024?
Professor Gu: Building a three-pronged defense system of education, technology, and collaboration is the key to breaking the deadlock. First, we need to build a solid first line of defense through user education, teaching users to identify risk signals such as suspicious links, unfamiliar messages, and impersonated websites, which can effectively reduce the probability of being deceived. Providing clear security reminders can help users develop self-protection capabilities.
At the technical level, integrating advanced detection systems (such as AI-driven threat monitoring systems and real-time alert mechanisms) can help enterprises detect and prevent attacks in advance. Meanwhile, sharing threat intelligence and best security practices across the industry can further enhance overall defense capabilities.
BeInCrypto: Which DeFi protocols are most vulnerable to attacks, and what measures can be taken to strengthen security?
Professor Gu: In 2024, we observed an increase in private key leaks and phishing incidents, reflecting a shift in the focus of attacks from contract vulnerabilities to human security vulnerabilities - the weakest link in these systems.
To enhance security, protocol projects need to focus on strengthening two protective measures: establishing secure private key storage mechanisms and improving internal risk control systems to prevent targeted attacks on employees.
BeInCrypto: How effective has the current smart contract vulnerability management been?
Professor Gu: Since 2022, the losses caused by code vulnerabilities have been declining year-on-year, indicating that the security of smart contracts has indeed improved. However, the shift in attack trends towards private key attacks and phishing is due to the fact that ordinary users find it difficult to detect code vulnerabilities, unless they are high-level "bug hunters".
BeInCrypto: Will the approval of Bitcoin and Ethereum ETFs bring new security threats?
Professor Gu: These products, which connect the traditional financial and Web3.0 markets, may lead to regulatory arbitrage and insider trading issues, and will also attract the attention of criminals, increasing the risk of attacks on investors and related institutions.
One important vulnerability is the risk of cyber attacks on ETF asset custody services and infrastructure. To protect these assets, robust security protocols are needed, including the use of cold storage solutions and real-time security monitoring.
While the launch of Bitcoin and Ethereum ETFs represents an important step for the Web3.0 industry towards mainstream adoption, ensuring the security and credibility of these products is the cornerstone of their long-term development.
BeInCrypto: How can user education help prevent private key leaks?
Professor Gu: Most security incidents stem from users' lack of awareness of security practices, such as how to properly store private keys and identify social engineering attacks. We need to raise users' awareness of secure storage methods like hardware wallets and encrypted backups, which can effectively reduce risks.
Furthermore, cultivating users' awareness to identify phishing traps and refuse to provide sensitive information, as well as using multi-factor authentication (MFA), can further enhance overall security protection capabilities.
BeInCrypto: How should blockchain developers respond to the increasingly complex hacking methods?
Professor Gu: Many developers are adopting more advanced encryption technologies, improving consensus mechanisms, and conducting rigorous security audits. Formal verification techniques can help ensure smart contract code is vulnerability-free, while AI and machine learning tools can be used for real-time network monitoring to identify and prevent anomalous activities.
BeInCrypto: What insights have the major security incidents in 2024 brought to the Web3.0 industry?
Professor Gu: Overall, we expect stricter regulations: the improvement of regulatory frameworks like the EU's MiCA, the iterative upgrade of security measures, and the widespread adoption of user education will effectively reduce risks. However, we must be aware that as technology evolves, attack methods are also evolving in parallel.
The industry needs to build a collaborative defense ecosystem of developers, regulators, and security experts to maintain a leading position in addressing threats. Through continuous efforts, the losses in the Web3.0 sector can be gradually reduced, but maintaining a high level of vigilance remains an eternal task.
CertiK's Hack3d: 2024 Security Report provides an in-depth analysis of the industry's main risks and forward-looking security recommendations to help projects and users prevent emerging threats. To learn more about the attack trends, technical principles, and complete solutions, please click the link below to access the full report.
CertiK's Hack3d: 2024 Security Report