More than $2 billion lost in half a year: capital is snapping up the blockchain security track
Chain Catcher
Guest columnist
2022-08-24 02:51
Judging from the current situation of the security "guardians", what dilemma does blockchain security as a whole face?

Original Author: Flowie, Chain Catcher

Acala was attacked by hackers and more than 1.2 billion of its stablecoin aUSD were minted, and wallets across the Solana ecosystem were drained on a large scale... It is no exaggeration to say that half of the blockchain headlines in the first half of 2022 were contributed by security incidents.

According to a security report released by Certik, in the first six months of 2022 alone blockchain and Web3 projects lost more than $2 billion to hacks and exploits, already exceeding the total for the whole of 2021.

While these incidents were breaking out, many project teams had to arrange security audits for their smart contracts, yet might wait half a year for one. And even once the audit is complete, as the incidents above show, a project still faces the risk of being attacked.

There is no doubt that blockchain security is a hard requirement, but the reality is that neither project teams nor ordinary users seem able to feel safe.

Against this background, we have observed new security service vendors stepping forward one after another. So far in 2022, security companies at home and abroad such as Carret, BlockSec, Secure3, Halborn and Redefine have each closed relatively large financing rounds. Certik alone has raised four rounds in roughly one year, which shows how enthusiastic the market is.


In this article we look at the current situation of these security "guardians" to ask: what dilemma does blockchain security as a whole face, and how is the industry structure evolving?

Blockchain security services are still in a "pioneering" stage

With the "barbaric" growth of blockchain, demand for security has surged at the same time, but security services have not kept up.

Zhou Yajin, co-founder of BlockSec, mentioned: "Queues for smart contract security audits have been normal over the past two years, and the audits for many projects have been queued for as long as half a year." According to data from Chengdu Lianan, in the second quarter of 2022 a considerable number of the attacked projects had not passed a security audit.

Although security service providers keep entering one after another, in the view of YM Capital investor Thomas, "there are not enough service providers with real delivery capacity and a certain brand influence; there are only ten or twenty in the world." Zhou Yajin believes that although there are some well-known companies in security auditing, such as ConsenSys Diligence, Trail of Bits, ChainSecurity and Certik, which entered the market earlier, they do not actually hold a large market share, and the whole market remains fragmented.

Moreover, within specific segments, the players who have entered the field do not fully cover the different needs; most of them are still crowded into security auditing, which has a clear revenue model and good cash flow.

In fact, similar to traditional Internet security, blockchain security services are roughly divided into a B side (for projects) and a C side (for users). On the B side, the security of a blockchain project is divided into before and after going on-chain. Before going on-chain, the main service is the security audit of the smart contract code; after going on-chain, there is real-time monitoring such as attack tracing and threat intelligence. On the C side, it mainly concerns the security of user assets such as wallets and NFTs.

Zhou Yajin believes that across the whole security service market there is still a largely blank space for important services such as the security of DApp developers operating on the B side, and wallet and NFT security for C-side users. "Blockchain security services are still almost in a pioneering state."

Why has the imbalance between supply and demand become the norm?

The reasons behind the imbalance between supply and demand are not hard to understand. First, the open-source nature of the blockchain industry and its current stage of development have made demand for blockchain security services "grow wildly".

One of the basic judgments behind YM Capital investor Thomas's bet on the blockchain security track is that "compared with traditional Internet security, blockchain security is a more rigid need."

On the one hand, because the blockchain industry attaches great importance to open source, the source code of most projects is open to everyone, which naturally makes it easier for hackers and other technicians to discover vulnerabilities. On the other hand, the threshold for launching a blockchain project is very low and supervision is lacking, and the quality of project teams is uneven, so both project teams and users need security audits and other measures to provide a security endorsement for themselves.

In addition, compared with Web2 security services, Web3 security has a major pain point: attackers can profit directly by exploiting a vulnerability. In the Web2 world, attackers can shut down major services, steal data or sell malware to make money, but the gains are still limited. In the Web3 world, because blockchain code is tied into complex economic and financial scenarios and is directly linked to users' crypto assets, a single vulnerability can easily bring an attacker millions or even trillions of dollars in income. "Under the supervision and co-creation of the community, every change to a blockchain security product requires a complicated explanation process. Compared with the traditional Internet, it is difficult to iterate products quickly, so the security of a product needs to be considered even more carefully before it goes live."

In a situation where security is such a rigid need, the demand for security and the willingness to pay among blockchain products are extremely high. Judging from the data disclosed in Certik's B3 financing round, in 2021 Certik's revenue grew 12-fold and its profit grew 3,000-fold.

While the demand side grows brutally, the supply side itself shows a great deal of "powerlessness".

It resembles the "crude method" of early traditional Internet security, which required manually matching attack patterns against local libraries. Looking at security auditing alone, most service providers find it hard to achieve standardized automation, which means supply capacity is severely limited by manpower.

Even if it can be pushed forward by manpower, where to find so many qualified security auditors is a huge question mark. Contract auditing must be done in combination with the specific business scenario; different chains and different scenarios require different audit capabilities, and qualified audit talent is very scarce. Many technicians with auditing skills may prefer to be independent hackers or white hats: whether by attacking smart contracts or by submitting smart contract vulnerabilities for bounties, they can earn considerably more. Since the beginning of this year there have been many bug bounties in the blockchain industry exceeding one million dollars.

Beyond the sheer order-of-magnitude imbalance between supply and demand, in the view of Go+ Security founder Mike there is a more fundamental problem: a structural mismatch between the supply and demand of security resources, which results in low matching efficiency.

When we talk about security issues, we seem to put the whole burden of security on the audit. However, if there were suitable tools or services for self-testing, optimizing contract design, improving code quality and scanning for vulnerabilities continuously throughout the development process, the audit workload could actually be greatly reduced. "The current situation in the industry is that many professional security auditors spend a lot of energy reviewing very low-level errors at the code layer."

"Standardization" is the core competitiveness

In a market with so much room for imagination and so many blue oceans, we observe that players new and old, besides iterating on security technology itself, are basically looking for bigger opportunities around two pain points: first, launching more standardized and automated products to reduce marginal cost and break through the growth bottleneck; second, covering more segmented scenarios or specific links in the chain to capture more of the security budget.

Take Certik, which has the strongest financing momentum: in addition to pre-deployment security audits, Certik has launched Skynet, an automated monitoring SaaS platform that runs 24/7 after deployment to defend against security threats. OpenZeppelin uses gamification to identify security vulnerabilities in smart contracts, provides services such as "Defender", and helps projects automate smart contract management, create automated scripts and more.

BlockSec, which recently completed a new financing round, provides not only pre-launch security audits but also real-time security monitoring products for blockchain projects after launch.

"Currently, blockchain security audit projects are still financed in the form of equity. If SaaS-based, standardized, automated products cannot be launched, it is basically impossible to complete a listing successfully." Mirana Ventures investor Kenneth believes this is also one of the motivating factors driving SaaS-based products. "However, the blockchain currently iterates too fast, there are many segmented scenarios, and attack incidents are complex. Security services delivered through software such as SaaS have not yet been accepted by the market; most are still handled case by case, which also gives new players plenty of opportunities to overtake on the bend."

Besides applying for manual audits, more and more project teams are also seeking automated audits.

To pursue more automation, formal verification is commonly used in the industry at present. This method defines security rules in advance and then proves that the customer's code complies with those rules, thereby ruling out vulnerabilities that would violate them.

However, Zhou Yajin, the founder of BlockSec, believes that many security vulnerabilities are tied to the specific business scenario of the smart contract: ensuring the correctness of the code alone cannot guarantee the security of the whole contract. In addition, the formal verification rules themselves need to be customized for each project. So in practice, BlockSec audits code from an "attacker's" perspective; the specific techniques include extracting and analysing the attack surface, combined with automated fuzzing and other techniques in an overall solution.

Mike, the founder of Go+ Security, holds the same view. The current perception in the industry at home and abroad is that formal verification has not yet found a clear way to improve technical efficiency, and it is still difficult for it to replace manual audits; its share of the overall audit process remains relatively low.
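To make the argument of the last three paragraphs concrete, here is an added example written for this page; it is not code from BlockSec, Go+ or any project named in the article. A constructed toy vault is checked two ways: a bounded exhaustive rule check stands in for formal verification, and a random walk over the externally callable functions stands in for attack-surface fuzzing. A generic rule holds everywhere, while the business-scenario rule is only caught once someone writes it; the contract, its amounts, its flaw and all names are assumptions.

```python
import itertools
import random

BONUS = 2  # constructed parameter: bonus paid out per claim

class Vault:
    """Constructed toy vault model; not code from any project named in the article."""
    def __init__(self):
        self.balances = {}   # withdrawable balance per user
        self.principal = {}  # what each user actually deposited
        self.reserve = 10    # bonus pool funded at deployment
    def deposit(self, user, amt):
        self.balances[user] = self.balances.get(user, 0) + amt
        self.principal[user] = self.principal.get(user, 0) + amt
    def withdraw(self, user, amt):
        if self.balances.get(user, 0) < amt:
            return  # revert: state untouched
        self.balances[user] -= amt
    def claim_bonus(self, user):
        # Business intent: one bonus per depositor. Constructed flaw: the claim is never recorded.
        if self.principal.get(user, 0) == 0 or self.reserve < BONUS:
            return  # revert
        self.reserve -= BONUS
        self.balances[user] += BONUS

# A generic rule a verifier can ship with: no balance and no reserve ever goes negative.
def non_negative(v): return v.reserve >= 0 and all(b >= 0 for b in v.balances.values())
# The project-specific rule that only someone who knows the business scenario would write.
def one_bonus_only(v): return all(v.balances[u] <= v.principal[u] + BONUS for u in v.balances)

# Attack surface: every externally callable function with small concrete arguments.
ACTIONS = [("deposit", "A", 1), ("deposit", "B", 3), ("withdraw", "A", 1),
           ("withdraw", "B", 3), ("claim_bonus", "A"), ("claim_bonus", "B")]

def check_rules(rules, trace):
    """Replay a call trace on a fresh vault; return the first violated rule's name or None."""
    v = Vault()
    for name, *args in trace:
        getattr(v, name)(*args)
        for rule in rules:
            if not rule(v):
                return rule.__name__
    return None

def bounded_verify(rules, depth):
    """Replay every call sequence up to `depth` (bounded model checking in miniature)."""
    for n in range(1, depth + 1):
        for trace in itertools.product(ACTIONS, repeat=n):
            if check_rules(rules, trace):
                return list(trace)  # counterexample the rule author can inspect
    return None

def fuzz(rules, runs, length, seed=0):
    """Random walks over the attack surface, checking the same rules after every call."""
    rng = random.Random(seed)
    for _ in range(runs):
        trace = [rng.choice(ACTIONS) for _ in range(length)]
        if check_rules(rules, trace):
            return trace
    return None
```

With only `non_negative` both methods report nothing, which is exactly the "code is correct, contract is not" situation described above; adding `one_bonus_only` turns the same machinery into a finder of the repeated-claim sequence.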

In the absence of a good automation solution, for traditional security audit companies the design of the audit process is actually the core competitiveness. "It is about spending enough manpower and conducting sufficiently thorough audits to ensure good security results, and then endorsing ourselves through service cases."

For B-to-B blockchain security service providers, beyond technical capability, brand capability is also a core competitiveness. How to operate a community and use strategic partnerships to bring their own security capabilities to the market is particularly important.

Contrary to traditional Internet security, which started from the C side, blockchain security is still concentrated mainly on the project side, while C-side security services are relatively deserted.

But a small number of entrepreneurs do choose C-side business, and Mike, founder of Go+ Security, is one of them. Go+ Security provides a dynamic risk detection platform that Web3 applications access through data APIs. It covers user risk scenarios and identifies in real time the asset and behavioural risks users may encounter, such as token, NFT and authorization detection based on contract analysis, and protection against phishing websites, phishing emails and community scams in user scenarios. While protecting users, this also removes user-side risks that Web3 applications previously found hard to handle.

Mike believes that although traditional Internet experience shows only a small number of users will pay for security, Web3 users have a clearer return model for purchasing security services. It is a bit like buying insurance with a car, and security services may become a necessary service for all Web3 users in the future. The core of the C side is actually security traffic and data; its business logic differs from the B-side logic of charging service fees per project, and expanding the data scale is the key. "The whole technical architecture on the C side needs to be fast. New attack methods appear every day, and to identify and locate them the security engine has hundreds of strategies. This may be the key to C-side security." Besides doing a good job on products and services, expanding the data scale depends on the development and aggregation of the ecosystem.

Whether C side or B side, and whether standardization can be achieved, in the opinion of Mirana Ventures investor Kenneth the key is people; SaaS software also requires R&D manpower, so a project's current ability to expand its headcount is also very critical. "The founding teams of BlockSec and Secure3, which we invested in, all have academic and university backgrounds, can train high-end talent for blockchain security, and also have advantages in labour cost."

At present, besides efforts in standardized automation and business depth, market players also have some "small and beautiful" styles of play.

For example, some new audit firms in North America position themselves on refined auditing and mainly serve innovative businesses such as StepN and BanklessDAO. This market segment is difficult or not cost-effective for traditional audit firms, because many complicated adaptations are required to match innovative businesses.

In addition, some entrepreneurs enter security services through very specific pain points such as anti-cheating. Many GameFi projects need to spend 50% of their R&D resources on the anti-cheating layer, but this layer may in future turn into a data service layer, similar to an API that can be plugged in, allowing professional third-party anti-cheating services to help projects deal with it more efficiently.

Two grey areas: fees and responsibility

Besides product standardization, the payment and responsibility-allocation models are also not yet clear enough.

Although blockchain projects are highly willing to pay for security services, that does not mean they are willing or able to spend a large security budget. Even if catching a vulnerability does protect a large amount of platform users' assets, how much the security service provider can be paid, and how to charge for it, remains a question.

There are basically three common charging models for traditional projects. The first is to charge service fees per project or on a SaaS model; the second is to charge a percentage commission on the project's protected assets; the third is to provide a security API charged by the number of calls. A token project may also use its built-in token model for payment, but this practice is not yet mature.

Zhou Yajin said that code audits are usually charged per project according to project size. After the smart contract goes on-chain, the data monitoring part adopts a subscription model, such as an annual fee. For damage recovery services, besides a subscription, a fee is charged as a percentage of the amount recovered.

However, in the view of Mirana Ventures investor Kenneth, "there is actually no clear charging standard in the industry. Although everyone is emphasizing the launch of SaaS, charging is still case by case. The final payment for similar projects may differ greatly, which is not conducive to market expansion."

Besides the non-standard charging model, who bears responsibility when a project that has been audited or protected is ultimately attacked? At present most attacked projects had completed security audits, many of them by well-known security firms, yet still did not escape the fate of being attacked.


Ecosystem-building and segmentation will be the general trend

"From the perspective of market share, the final pattern of blockchain security services will be similar to traditional Internet security, with a few leading vendors leading the whole market." According to the judgment of BlockSec founder Zhou Yajin, blockchain security will first settle down to a few top players in the code audit track.

Even if there are top players, they will most likely be regional top players. According to Mirana Ventures investor Kenneth, judging from the recent anti-money-laundering sanction against Tornado Cash, as security services expand from code auditing to services such as privacy data, they will be heavily restricted by local policies, and many data-related businesses cannot cross borders.

While the market structure becomes stable and mature, YM Capital investor Thomas said that, judging from the development of Web2, the security business itself has many merger opportunities, both horizontal and vertical, and security companies may in future break through the boundaries of security and expand into other, non-security data services.

Judging from the status quo, many so-called Web3 security companies still have a very Web2 mentality; in essence they merely switch their customers from Web2 to Web3. YM Capital investor Thomas is looking forward to seeing whether a company or organization will emerge in a more decentralized Web3 form, or a channel that can build a decentralized security network.

Mike, founder of Go+ Security, also believes there will be leading companies in different security segments, but compared with traditional Internet security services the structure will be more ecosystem-like rather than relying on one leading company to monopolize the whole market.

The blockchain security track is a very large market, but to solve the problem fundamentally it is not enough to rely on audit firms to clear out as many vulnerabilities as possible before a project goes live. It also needs independent researchers such as white hats to keep discovering vulnerabilities after launch under a bounty model, and more effort in regulatory mechanisms and user education, so as to form an all-round, full-lifecycle security guarantee mechanism for blockchain projects.
