By Trevor Traina, Founder and CEO of Kresus
You are reading these words because our planet is orbiting the sun at just the right distance to neither fry nor freeze us. Our planet is perfectly balanced for life to thrive. And within that world, numerous other forces exist in a state of optimal balance: light and dark, tropical and polar, terrestrial and aquatic.
So it is when it comes to designing blockchain systems. Their most powerful forces must be balanced in such a way that one cannot usurp another. Security should be as high as possible, but this must be balanced with the need to maintain sufficient decentralization. Network fees should be low but not so low as to induce spam attacks.
Finding that Goldilocks zone, the place where conditions are just right, is as much an ideological challenge as it is a technological one. After all, blockchain systems are ultimately designed and used by people who are only as strong as their weakest link. Web3 systems must walk the line between being optimized for security and for decentralization. It’s a delicate balancing act that goes to the very heart of what makes blockchain valuable.
Too Much Decentralization Can Kill You
There’s such a thing as too much freedom, which is why societies have laws and moral codes to regulate the worst excesses of human behavior. When it comes to Web3, it’s similarly possible to have too much freedom (i.e., decentralization) in the form of systems that have no recourse for worst-case scenarios:
- A team member loses their multisig key
- A user loses access to their wallet
- Tokens are sent to the wrong address
- A coding error leaves funds locked into a smart contract
- Assets are stolen using an exploit
All of these are “bad things” by Web3 standards, yet they occur every single day. As new users enter the space, the number of victims of phishing attacks, front-end injection, wallet poisoning, and other exploits will continue to rise. Attackers are getting more sophisticated, while each wave of Web3 users remains as vulnerable as the last.
Only recently, scammers used wallet drainers on Google and X ads to steal digital assets worth close to $60 million. Back in July, meanwhile, it was reported that four separate wallet drainers had stolen close to $65M since the start of 2023.
Give a society too much freedom, and a few of its members will rob, assault, and injure, drive at high speeds, and engage in other risky behaviors. Give Web3 users too much decentralization, and a portion will hack, be hacked, lose access to their wallets, and generally screw up.
Real-world freedom is dampened through security: police forces and CCTV. And blockchain freedom (decentralization) is also mitigated through security, which must be set at the right level to protect users from the most common mistakes while retaining the features that make blockchain so powerful:
- Strong transaction finality
- Lack of centralized control
- Support for financial self-sovereignty
Some crypto users want full control over their assets while also maintaining an undo button if they screw up. Others shudder at the thought of non-custodial wallets being “weakened” through provisions such as social login, seedless design, and key shares held by the developer.
Too Much Centralization Can Kill You
Do you know that saying about pleasing some people some of the time but not all of the people all of the time? That. When it comes to securing decentralized systems, it’s hard to create a single product that satisfies every user type. Put in too many safeguards, and hardcore users will abandon you; force new users to record a lose-it-at-your-peril seed phrase, and sooner or later, they’ll come unstuck.
Add too many centralized levers into a supposedly decentralized protocol, and you risk weakening the very foundations that gave it strength. Consider an ERC20 token contract that is upgradable by its creator. On the one hand, this allows the token’s parameters to be updated to reflect a shift in direction. On the other hand, it allows unscrupulous token creators to rug their operators.
As a result of this dichotomy, DeFi developers must strike a delicate balance between providing users with autonomy over their digital assets and making sure they aren’t taken advantage of by scammers seeking their next mark. Crypto wallets need to be more secure, but developers fear overstepping the boundaries of the decentralized wallet they’ve created.
Go for the Low-Hanging Fruit
So what’s the solution? Well, for one thing, developers need to implement security features that can solve real threats – not theoretical ones. Less “military-grade encryption,” in other words, and more practical measures to warn users when they’re connecting to a spoofed site or about to send funds to a known phisher.
A lot of this comes down to better UX and more common sense on behalf of developers. For instance, it would be easy to filter all address poisoning attacks in which a user receives a dust transaction from a “lookalike” wallet they’ve recently interacted with. So why’s no one doing it?
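The filter described above, sketched as an added example (not code from the author or from Kresus): it flags an incoming dust transfer whose sender shares the leading and trailing characters of an address the user recently transacted with. The dust ceiling, the four-character match width, the transaction field names and all sample addresses are assumptions constructed for illustration.

```javascript
// Added example: wallet-side check for address-poisoning dust transfers.
const DUST_WEI = 10n ** 13n; // assumed dust ceiling (0.00001 ETH)
const MATCH_CHARS = 4;       // assumed head/tail characters shown by a truncating UI

// Lower-case and validate a 20-byte hex address; returns it without "0x".
function normalize(addr) {
  const a = String(addr).trim().toLowerCase();
  if (!/^0x[0-9a-f]{40}$/.test(a)) throw new Error(`not a 20-byte hex address: ${addr}`);
  return a.slice(2);
}

// True when two different addresses show the same head and tail.
function looksAlike(a, b, n = MATCH_CHARS) {
  return a !== b && a.slice(0, n) === b.slice(0, n) && a.slice(-n) === b.slice(-n);
}

// Returns the incoming transfers that should be hidden or labelled in history.
function findPoisoning(incoming, recentCounterparties, dustWei = DUST_WEI) {
  const known = [...new Set(recentCounterparties.map(normalize))];
  const flagged = [];
  for (const tx of incoming) {
    const from = normalize(tx.from);
    if (known.includes(from)) continue;          // the genuine counterparty
    if (BigInt(tx.valueWei) > dustWei) continue; // a real payment, not dust
    const imitated = known.find((k) => looksAlike(from, k));
    if (imitated) {
      flagged.push({ hash: tx.hash, from: "0x" + from, imitates: "0x" + imitated });
    }
  }
  return flagged;
}

// Constructed sample data (not real addresses or transactions).
const pad = (head, fill, tail) => "0x" + head + fill.repeat(32) + tail;
const RECENT = [pad("Ab12", "0", "9Ee7")]; // mixed case on purpose
const INCOMING = [
  { hash: "tx-1", from: pad("ab12", "f", "9ee7"), valueWei: "0" },                   // lookalike, dust
  { hash: "tx-2", from: pad("ab12", "0", "9ee7"), valueWei: "0" },                   // genuine sender
  { hash: "tx-3", from: pad("ab12", "e", "9ee7"), valueWei: "5000000000000000000" }, // lookalike, not dust
  { hash: "tx-4", from: "0x" + "1".repeat(40), valueWei: "1" },                      // dust, no resemblance
];

console.log(findPoisoning(INCOMING, RECENT));
```

Only `tx-1` is flagged; a wallet would hide it from the history view or warn before its sender can be copied as a recipient.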
Let’s focus on thwarting the most common hacks and scams before we move on to tackling threats from quantum computing and theoretical MITM attacks. Hackers don’t go for the toughest possible exploit conceivable; they go for the low-hanging fruit, chalking up easy wins where possible. DeFi developers need to follow suit, focusing on fixing the most common ways in which users get rekt.
Security and autonomy don’t have to operate in conflict with one another: with a little thought, it’s possible to have the best of both worlds, combining the power of non-custodial ownership with a web2-level UI that demystifies everything from transaction signing to wallet backup.
Our planet may be perfectly balanced for life to thrive, but the on-chain environment still has some way to go. Still, it took the earth millions of years to create a climate that was hospitable for intelligent life. At just 15 years of age, blockchain has time on its side.
Author bio
Trevor Traina is the Founder and CEO of Kresus, the go-to Web3 SuperApp that combines a crypto wallet and an NFT platform. He is an investor and seasoned entrepreneur who co-founded five companies that were acquired by the likes of Microsoft, MasterCard, and Intuit and served on multiple non-profit boards such as the Fine Arts Museum of San Francisco and the Venetian Heritage, among others. Trevor served as the U.S. Ambassador to Austria from 2018 to 2021.
This article first appeared at CryptoPotato