With crypto hacks becoming increasingly commonplace, the need for better security measures in the Web3 space has become more pressing than ever. The Ethlas team learned this lesson as their gaming platform gained traction and they heard about multiple instances of fraud in Web3. Given their strong security background, the team identified inherent risks that can be found even in audited platforms and formed Eleos Labs with the aim of giving users better tools to protect themselves.
KrASIA recently spoke with Gennady “Ari” Medvinsky (CTO), Aneirin Flynn (General Manager) and Elston Sam (Product Advisor) to learn more about the risks of navigating the current Web3 space, and how Eleos Labs’ anti-theft approach provides users with a safer experience.
The following interview has been edited and consolidated for brevity and clarity.
KrASIA (Kr): How does Eleos Labs’ multi-layered approach to security make it more effective in protecting users’ assets?
Gennady “Ari” Medvinsky (GM): We were inspired by the concept of defense-in-depth, which has been around since the late 80s and early 90s. The idea is to not put all your trust in one mechanism so that other layers can help to prevent or mitigate the impact of an attack.
Our team brought this multi-layered approach to Web3, as we found that the current security products tend to be very segmented. For example, hardware wallets protect a private key with an air gap, which is excellent at protecting against malware. However, people still get hacked using these devices because there is more than one kind of threat to a user’s funds. Even if your private key is on a hardware device, you could still be tricked into authorizing a smart contract that drains your funds, so it’s not a one-size-fits-all security solution.
This is why we developed FailSafe, a suite of security solutions that protects Web3 assets from a range of potential threats.
Kr: What do you believe is more important: user education or measures to protect users’ assets?
I believe that security should be the default setting for any system. There is a common notion that users need to be educated about security, which has been present not only in Web3 but also in security practices for decades.
However, it should not be the user’s responsibility to understand every intricate detail of the system’s underlying technology and the threat model to protect themselves. The assumption should be that the system is designed to make users secure by default.
Kr: Are you able to share any examples where Eleos has helped protect users’ assets?
GM: Right now, the company is in the pilot phase, and we are collaborating with a few partners. We are still testing our product against our own internal benchmarks, but we’re very close to launching the full-fledged system.
Aneirin Flynn (AF): To add on, we believe that it’s nearly impossible to expect users to always follow security best practices in Web3. Instead of focusing on selling to the end user, we are focusing on the broader picture and targeting the network level. We are proud to mention our partnership with Polygon, and we’re working closely with them to actively prevent theft on the network level.
Elston Sam (ES): We break down fraud into three phases: prevention, asset management, and asset recovery. FailSafe is a suite of tools, and we’re currently hyper-focused on a product called Interceptor. This product is designed to be activated when all else fails and a bad actor tries to move your funds. What we do is front-run the bad actor and divert your funds into a safe wallet for storage that can be accessed later on. A lot of our deep tech is focused on effectively and successfully moving funds, with specific examples on Polygon, where the window is only two seconds before a block gets minted.
We’re optimizing for performance in the milliseconds, and we’re starting on Polygon first because it has low gas fees with one of the fastest block limits. If we can solve this two-second window problem, we can solve five-second or even 15-second windows. Interceptor is the crux of our product focus, even for all the pilots we have done with Polygon, where they want us to protect funds on their bridge.
Kr: How do smart contract platforms like SushiSwap still get hacked despite being audited by Web3 security firms?
GM: Most of these third-party swap protocols like Uniswap and SushiSwap ask users for unlimited authorization to act on their behalf. These can be revoked by the user, but most people usually don’t perform this action.
ES: SushiSwap relies on users selecting a specific pairAddress to trade tokens. However, there is a security vulnerability where attackers can create a fraudulent smart contract that mimics the pairAddress and deceive the system. This allows them to steal tokens from users who have given approval for the trading process.
It’s difficult to have a 100% foolproof solution. Even for the Axie Infinity hack last year, it was due to a phishing attack on the developer. In security, it’s a cat-and-mouse game, as your defense may not be robust enough to tackle the threats of tomorrow.
That’s why we’re approaching blockchain security by intercepting right at the point when you’re getting attacked, instead of just blocking phishing sites. This is how FailSafe is different from most providers, and it has gained a lot of traction with the partners we’re working with.
Kr: In your opinion, what else needs to be done to improve security in Web3?
GM: Users often do not understand what they are clicking on when asked to sign something that looks like a bunch of code, and this is common even with basic experiences such as using MetaMask, a non-custodial wallet. The current language used on these interfaces is only understood by about the top 1% of the population, and this needs to change.
We need a combination of improved usability, a secure configuration by default, and a defense-in-depth approach that doesn’t put all our eggs in one basket. While contract audits can help catch some issues, we should not assume that a nice checkmark or logo automatically means that the smart contract is safe.