To build secure and resilient Web3 systems, transparency alone is not enough. By placing greater emphasis on simplicity, we can make the peer-review of code more effective and minimize security breaches in the Web3 space.
The rise and fall of security through obscurity
We are used to the intuitive idea that security is somehow intertwined with secrecy. We keep our passwords secret and our valuables hidden. For decades, software engineers followed a similar approach to cybersecurity. The source code of computer software was kept private. In the event of a vulnerability, a security patch would be released. This was and continues to be one view of security: “security through obscurity” and we have to trust the patches that are pushed — without our knowledge or consent — to our computers and phones will do what they are supposed to do.
Proponents of open-source software took a radically different view. They argued that making code transparent and publicly available would mean developers could review and improve the code, and would have the incentives to do so. Under those conditions, security issues could be identified, corrected and peer-reviewed.
The staggering growth of open-source data systems
Since then, open-source software has gained broad market penetration. Although only a small percentage of users run Linux distributions on their PCs or laptops, in the background, it is quietly powering much of the internet. An estimated 96% of the million largest web servers globally run on Linux, which also powers 90% of all cloud computing infrastructure. When you bring Android into the picture — the Linux fork running on over 70% of smartphones, tablets and other mobile devices globally — it’s clear that the modern internet as we know it is massively influenced by open-source systems.
For Web3 security, transparency alone is not enough
The problem is, more transparency does not necessarily ensure greater security. Sure, the popularity of Linux has done wonders for open-source code and has certainly improved its security. But are there really many eyes on blockchain code?
In many respects, the scrutiny of open-source code is akin to a public good in economics. Like any publicly accessible resource like clean air or public infrastructure, everyone benefits from it. However, individual users may be tempted to use the resource without contributing to its maintenance costs. In this analogy, “free riding” means using an existing codebase while assuming someone else will invest the effort and time to check it for vulnerabilities.
Last year became known as the year of the cross-chain bridge hacks. Those hacks were clear warning signs that the sprawling and loosely coordinated development of an allegedly transparent Web3 still rests on a knife’s edge.
The upside of the Web3 development community is their eagerness to share, adopt and build. The downside is the potential for enormous damage from the free rider problem. By assuming others’ solutions can be relied upon to mix and match, attack surfaces and smart contract dependencies become too difficult to track. A reasonable skeptic or late adopter might conclude this open source movement is not like the last: there are too few dedicated to making rigorous and diligent contributions while the rewards go to those who make the boldest and most impressive claims — whether the work can withstand scrutiny or not.
The complexity trap
Complexity bias is a term used to describe a logical fallacy whereby people overvalue the utility of complex concepts or solutions over simpler alternatives. At times, it is easy to be so dazzled by the apparent technical sophistication of a solution that we don’t stop to question if there might be an easier way.
Because blockchain is difficult to understand, it is easy to get excited about some idea, like a cross-chain bridge, and chalk up its difficulty to another level — let’s call it “complicated.”
However, most blockchain projects are not complicated — they are complex.
According to Harvard Business Review, complicated systems have “many moving parts, but they operate in patterned ways.” When you think about the electricity grid for a region, for instance, it is clearly very complicated and encompasses many constituent parts. Nevertheless, the parts of the system tend to act in predictable ways: When you flick on the light switch in your living room, you can expect to get light the vast majority of the time. If properly maintained, complicated systems can be highly reliable.
In contrast, complex systems are characterized by features that “may operate in patterned ways but whose interactions are continually changing.” This interactivity makes complex systems more unpredictable. The degree of complexity of a system is determined by three key characteristics: the multiplicityor number of elements that interact, how interdependentthe elements are and the degree of diversity orheterogeneityamong them.
In case it needs to be stated, nearly all bridges and cross-chain solutions are examples of highly complex systems. The losses in the 2022 Wormhole and BSC bridge hacks, $325 million and $568 million respectively, illustrate the relative rewards of taking advantage of an exploit instead of fixing it pre-emptively.
Keep it simple
It feels as though Web3 ought to be complex. It is impossible to estimate the true scale and scope of new economic activity to come. Web3 values of individualism and economic inclusion suggest permutations and combinations that will grow as each person is born. Who knows what’s ahead? Shouldn’t we embrace complexity?
Well, yes and no.
The infrastructure for Web3 need not be unpredictable. In fact, like the electric grid, it would be better if it weren’t.
For blockchain architecture to become more secure and genuinely transparent, we need to overcome some of the biases we have been led to believe. Before following the newest trend, perhaps we should examine the existing technical debt and aim for simplicity or, at most, complicated. It takes discipline to build for the ages — in this case, for Web3 and beyond.
Stephanie So is CEO and co-founder of Geeq, a no-smart contracts, multi-chain, Layer 0 platform. She is a microeconomist and policy analyst.
This article was published through Cointelegraph Innovation Circle, a vetted organization of senior executives and experts in the blockchain technology industry who are building the future through the power of connections, collaboration and thought leadership. Opinions expressed do not necessarily reflect those of Cointelegraph.