The Ethereum Foundation has announced a trillion dollar security initiative to build trust to the level where 1 billion users feel safe holding $1,000 each on Ethereum. The initiative follows a three-phase roadmap (mapping, executing, communicating) for analyzing and addressing security vulnerabilities across the ecosystem.
This initiative comprehensively addresses user security threats, which have been the biggest obstacle to mass adoption of Web3, and its effects will extend beyond Ethereum to the entire Web3 ecosystem.
This article details the initiative and provides additional recommendations for achieving true user security.
Source: Ethereum Foundation
On May 14, the Ethereum Foundation announced an initiative called "$1 Trillion Security." This plan aims to re-examine and improve the entire Ethereum ecosystem with the goal of building a level of security and trust where 1 billion users can feel completely safe holding $1,000 each on-chain, and feel confident that there would be no risk even if all these funds were deposited into a single smart contract.
Security issues have continuously troubled Ethereum throughout its growth. Starting with The DAO hack in 2016, Ethereum and the EVM ecosystem have been at the center of security threats, occupying almost the entire Web3 ecosystem security incident leaderboard. In particular, hacking groups with state support, such as North Korea's Lazarus Group, have emerged as serious threats to the Ethereum ecosystem.
These threats are not limited to direct fund theft through smart contract hacking but extend to all Web2 components used for user-level interactions. Initially, attackers stole user funds through simple methods like wallet drainers or fake NFT minting, but nowadays, attacks have evolved into more complex forms that are difficult for users to detect, such as attacking third-party infrastructure services through social engineering as in the Bybit incident, or maliciously altering service frontends by attacking internet service providers through DNS hijacking.
Source: Flicker
Ethereum has long claimed the potential of ETH as a decentralized currency, but questions have persisted about whether Ethereum can replace the role of banks in an environment with high security risks to user funds. The phrase "Ethereum is a Dark Forest" emerged long ago, but we still bear the burden of having to fully embrace security concerns as individuals. Are we really at a stage where we can confidently tell an elderly neighbor to move $1,000 to Ethereum and try DeFi farming? I believe absolutely not.
Through this trillion dollar security initiative, Ethereum aims to achieve a level of security complete enough to make scenarios like the one above possible, and to use this to establish Ethereum's strong position by promoting its robust security attributes externally. The roadmap disclosed by the Ethereum Foundation to achieve this initiative consists of three phases:
Phase 1 - Identify Ecosystem Security Threats and Create Reports: Systematically analyze all security vulnerabilities within the Ethereum ecosystem and create a comprehensive report.
Phase 2 - Solve Urgent Problems: Resolve the most urgent security issues identified in the report according to priority.
Phase 3 - Make Security Understandable: Communicate Ethereum's enhanced security attributes effectively, so that anyone can compare how secure Ethereum is relative to other chains and legacy systems.
I believe Phase 1 is particularly noteworthy, as the Ethereum Foundation appears to be genuinely cataloguing the security threats that can arise in almost every component of a Web3 project. The Ethereum Foundation's blog post on the initiative lists the following attack surfaces:
User experience components related to frontend security and signatures
Firmware and library supply chain security for hardware wallets
Security re-examination of development tools and standard libraries
Infrastructure-level security including cloud and development dependencies
Consensus and protocol-level security including DoS (Denial of Service) risk and staking share centralization
Security of internet infrastructure such as DNS
I believe that general users would agree that frontend vulnerabilities, lack of visibility during signing, or hacking in cloud environments can cause damage. However, libraries or internet infrastructure might not be perceived as major threats by general users, so I'll explain why these lead to security threats through actual incidents in the Web3 ecosystem.
Source: Metamask
First, a real case of a hardware wallet's library supply chain being compromised exists in the not-too-distant past. The attack on Ledger wallets in December 2023 is such a case, where a wallet drainer was inserted into a library called Connect Kit, which connects Ledger to websites. This attack affected numerous users across the ecosystem, including PancakeSwap, SushiSwap, Mantle, and others, causing a total of $600,000 in damages. From a user perspective, there is no way to defend against this type of attack, and secure development operations (DevOps) need to be verified in real time throughout the development process. Through this initiative, it is expected that the development process security of commonly used hardware wallets will be comprehensively re-examined.
Source: dYdX
There are also numerous examples of security attacks on internet infrastructure. Attacks commonly referred to as DNS attacks target the DNS service providers that map domain addresses in the format "www.xxx.com" entered by users to servers with the correct IP addresses. DNS attacks connect users to servers maliciously altered by attackers instead of the servers users want to access, and in most cases connect users to wallet drainer websites disguised with identical screens. These attacks occurred intensively in late 2023 and Q3 2024, with affected projects including well-known ones such as dYdX, Ethena Labs, Ether.Fi, Compound, Aerodrome, Velodrome, and Balancer. Attacks through internet infrastructure are very difficult for users to notice, since the string entered as the address, i.e., the domain address, is identical, unless one analyzes the website's source code each time. Tracking this also requires a real-time security check process set up by the project, which is expected to involve the Ethereum Foundation directly monitoring, or supporting the development of, the websites of well-known projects.
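As an added example, not code from the article or from any project it names, here is the kind of baseline check the paragraph calls for on the project side: it flags resolved DNS answers outside an allowlist, and script origins or inline scripts that were not in a reviewed snapshot of the frontend. All domain names, IPs and HTML are constructed.

```python
# Added example, not the article's or the Ethereum Foundation's code: a frontend integrity
# monitor comparing a live snapshot against a reviewed baseline. All names/IPs/HTML are constructed.
import hashlib
import re
from html.parser import HTMLParser

class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and SHA-256 hashes of inline scripts."""
    def __init__(self):
        super().__init__()
        self.external, self.inline_sha256 = [], []
        self._buf = None  # list while inside an inline <script>, otherwise None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline_sha256.append(hashlib.sha256("".join(self._buf).encode()).hexdigest())
            self._buf = None

def script_origin(src):
    m = re.match(r"^(https?://[^/]+)", src, re.IGNORECASE)
    return m.group(1).lower() if m else "self"  # relative paths count as 'self'

def build_baseline(trusted_a_records, trusted_html):
    # Baseline from a reviewed snapshot: allowed IPs, script origins, inline hashes.
    p = ScriptCollector()
    p.feed(trusted_html)
    return {"a_records": set(trusted_a_records),
            "script_origins": {script_origin(s) for s in p.external},
            "inline_sha256": set(p.inline_sha256)}

def check_frontend(observed_a_records, served_html, baseline):
    """Findings for a live snapshot; an empty list means it matches the baseline."""
    findings = [f"dns: unexpected A record {ip}"
                for ip in sorted(set(observed_a_records) - baseline["a_records"])]
    p = ScriptCollector()
    p.feed(served_html)
    findings += [f"script: unexpected origin {script_origin(s)}" for s in p.external
                 if script_origin(s) not in baseline["script_origins"]]
    findings += [f"inline: unknown inline script {h[:12]}" for h in p.inline_sha256
                 if h not in baseline["inline_sha256"]]
    return findings

# Constructed snapshots: the reviewed site, and a hijacked copy that injects a drainer script.
GOOD_HTML = '<html><script src="/static/app.js"></script><script>init()</script></html>'
BAD_HTML = ('<html><script src="/static/app.js"></script>'
            '<script src="https://cdn.attacker-example.test/d.js"></script>'
            '<script>init();drain()</script></html>')
BASELINE = build_baseline(["203.0.113.10"], GOOD_HTML)
```

Bodies of external scripts are not hashed here; a production check should also fetch and hash them (or ship Subresource Integrity attributes), since a hijacked host can serve a tampered bundle under the expected path.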
Source: Anchain.AI
While security for Web3 projects is often thought to be limited to smart contracts, Web3 projects include almost identical components to Web2 projects beyond interactions with blockchains. This means that comprehensive security for Web2 components must be achieved for complete Web3 security, beyond the blockchain environment where user funds are deposited, and the Ethereum Foundation is trying to make this a reality through a strong foundation-level initiative.
Realizing this initiative requires cooperation and research across the security industry, and the Ethereum Foundation has introduced the most influential figures in the security industry as advisors.
First to join as an advisor is Samczsun, former security advisor at Paradigm, who is well-known to the public. Sam is expected to lead cooperation among top-tier security researchers as the founder of SEAL Alliance, a key player group in the security industry, during the expansion of this initiative.
Next mentioned was Zach Obront, who has built a distinguished track record as an independent auditor and is expected to create synergy with Ethereum developers and researchers as co-founder of Etherealize.
Finally, Mehdi Zerouali, co-founder of top-tier security company Sigma Prime, was mentioned as an advisor. Sigma Prime operated as a top-tier team in the Ethereum initial security audit scene and is now focusing on product development. Their notable contribution to the Ethereum ecosystem includes the open-source release of Lighthouse, one of the most used Rust-based Ethereum consensus clients.
These individuals have significant influence in the security and development industries, making them suitable members to lead ecosystem cooperation for rapid innovation.
This initiative by the Ethereum Foundation is a vast plan to dramatically enhance security not only for the Ethereum ecosystem but for the entire Web3 ecosystem, and I could not help but welcome this announcement as I believe passive security systems are the most important element for the mass adoption of Web3. Just looking at the members, I believe the Ethereum Foundation is sincerely pushing this initiative forward, not just in words, as such a case of gathering key ecosystem members to present a security narrative at this level has never been seen in blockchain history.
However, conversely, we need to critically consider why such an initiative was necessary, and my conclusions are as follows:
I believe that the form of security threat making it difficult for Web2 capital to transition to Web3 is closer to new forms of vulnerabilities at the contract and chain levels, rather than attacks like website tampering that can occur in existing Web2 services. Also, since the environment where user capital is deposited and managed is ultimately the blockchain, I believe designing a safe form of blockchain is more important than anything else.
However, Ethereum and its development environment have incurred too high a security cost. Currently, incidents caused by contract vulnerabilities occur almost exclusively in the EVM environment, especially in contracts written in Solidity. Contract security incidents are very rarely found in non-EVM chain environments, with only about 1-2 cases per year in Solana, Aptos, etc.
Is it because Lazarus doesn't know how to read languages other than Solidity that they don't attack non-EVM chains? I don't think so. Solidity, with its high degree of language freedom, inevitably has lower security compared to modern languages like Rust, which are designed with security as a top priority. But there has to be some trade-off between development difficulty and usability on one side and security on the other, and I also think the former played a big role in why Ethereum was naturally selected among second-generation blockchains.
However, it's unacceptable that tens to hundreds of millions of dollars in hacking still occur due to very basic types of vulnerabilities. Over the past 10 years, there have been efforts in the Ethereum ecosystem to automate the detection of vulnerabilities in contracts, such as Slither, but no tool has shown clear effectiveness yet. Currently, companies like Cyvers.AI and Anchain.ai are emerging to provide security audit services based on artificial intelligence, but projects that are attacked due to basic vulnerabilities cannot afford security audit costs. Ultimately, I believe that to make almost all contracts that users might interact with safe, powerful vulnerability detection tools must be operated in an open-source form with foundation sponsorship, and this is an aspect I hope will be considered in this security initiative.
Source: SEAL Alliance
I find it extremely encouraging that Sam from SEAL Alliance (hereafter SEAL) is included as an advisor for this initiative, because SEAL's goal is the "standardization of security." Before the emergence of SEAL, the process during a hack was not standardized at all. In reality, when a hacking incident occurs, there is a surge in simultaneous tasks that the project side must handle, such as resolving legal issues, tracking hacked funds, analyzing the cause of the incident, writing a postmortem, identifying responsibility elements, and collaborating with exchanges, which is why responses to incidents often didn't occur in the right place at the right time. In response, key players in the security industry such as samczsun and pcaversaccio established a Telegram channel as a hotline that projects could contact in case of an incident, which became SEAL 911, the origin of what is now the SEAL Alliance, a security cooperation body. Currently, SEAL Alliance includes key ecosystem personnel ranging from whitehat validators like 0xc0ffeebabe.eth to key players in the security industry, and ecosystem key personnel like Alex from the Sui Foundation.
Currently, SEAL Alliance goes beyond simply deploying a certain number of personnel to respond to incidents, to standardizing the incident response process and distributing it as open source, and providing training programs that recreate incident situations for large projects that require stress testing. In addition, SEAL is trying to resolve legal difficulties arising from hacking incidents through the Safe Harbor program. To move funds through white hat hacking, either when vulnerabilities are pre-discovered in a project or for post-incident response, a legal agreement called Safe Harbor is required, which was very difficult for small projects without proper institutional support to perform. SEAL operates the program in a way that either pre-establishes Safe Harbor agreements or immediately connects with projects when incidents occur to initiate agreements. Thus, SEAL is making efforts in almost every aspect for quick and appropriate responses to incidents and standardization of processes.
However, despite SEAL's substantial contribution to the ecosystem, awareness of and support for it have so far been far too low. Through this initiative, SEAL should grow into a body that every project recognizes as responsible for the security of at least the Ethereum ecosystem.
Even if many threatening factors that have acted as anxieties are resolved through this initiative, I believe that insurance for on-chain assets must be activated for users or institutions to truly feel at ease depositing capital.
Insurance products have been difficult to apply due to the difficulty of their design and judgment for compensation. The most significant on-chain insurance product so far has been Nexus Mutual, a fully on-chain insurance protocol that compensates for a portion of the fund losses caused by hacking or slashing for protocols and validators. Since its launch in 2019, Nexus Mutual has achieved meaningful results, providing $5.78 billion in coverage and paying $18 million in compensation.
However, Nexus Mutual's products were aimed at projects rather than retail, so they had limitations in providing the complete security stability for individuals that this initiative proposes. Current projects providing on-chain insurance include Pocket Universe and Fairside, and I believe that such insurance for on-chain users should be widely applied. The biggest issue with existing on-chain insurance products was the difficulty of loss assessment for incidents, but projects like Fairside are resolving this by collaborating with investigative agencies like Chainalysis. The biggest problem is user resistance to insurance premiums, which I believe requires various ecosystem support to resolve.
The security initiative announced by Ethereum is very encouraging as it appears to be a genuine attempt to face and resolve the security issues that have been raised over time. The main reason why Ethereum, or more precisely the EVM, is exposed to security threats is because its underlying technology is based on a relatively older structure. Some argue that Ethereum should have chosen a more advanced technology than EVM from the beginning. However, this view ignores the flow and context of technological development. Alternative technologies like Solana's Rust or Sui's MoveVM all emerged after Ethereum, designed as results of analyzing EVM's limitations and complementing them. In other words, without Ethereum, the direction of technological development in the subsequent blockchain ecosystem might have been different.
As for the argument that Ethereum should transition to such technologies even now, we must consider that Ethereum's systemic scale and complexity have grown exponentially with time. Attempting a complete technological transition at this point is realistically a very challenging task. This situation is like the fate experienced by all systems with deep history that have survived for a long time. They must bear "The weight of the crown."
Nevertheless, Ethereum's recent actions, including the announcement of this initiative, give the impression that rather than being crushed by that weight, Ethereum is continuing its efforts to overcome it. For example, the organizational restructuring through the appointment of Co-Executive Directors of the Ethereum Foundation, Vitalik Buterin's return as a researcher, and efforts to expand points of contact with the community while expounding the Ethereum Foundation's direction and roadmap are good examples showing Ethereum's self-purification efforts in various ways.
Ethereum has faced various challenges, such as the emergence of L1 blockchains that excel in performance and security, the fragmentation problem of rollups presented in the roadmap, and criticism about the intrinsic value of $ETH. In such situations, the most fatal attitude is to recognize problems but not acknowledge them. In that sense, it is significant that Ethereum at least does not avoid problems but shows willingness to acknowledge and solve them. Of course, a true evaluation will only be possible when the presented direction and initiatives lead to concrete results. But looking at the flow so far, Ethereum gives the impression that it is making a genuine attempt for structural improvement, not just a show-off response.
Going forward, watching the Ethereum Foundation pass through the long tunnel of self-reflection and fire the signal flare of revival again will have great significance for the crypto and blockchain industry, and the Web3 ecosystem as a whole. Can Ethereum continue to prove the saying "the one who survives is the strong one"?