How to build a secure Web3?
Everything in Web3 is built on code, and one thing no Web3 developer can get around is code auditing. The same is true in Web2, but Web3 raises the stakes: a blockchain is a distributed ledger and therefore carries financial value by nature. If it's about money, it must be secure.
Web3 can be risky
According to reports from CertiK and SlowMist, crypto losses from attacks surged in 2022, reaching $2 billion in the first two quarters. In particular, flash loan attacks resulted in a $300 million asset loss in Q2. November became the worst month in DeFi history, as hackers stole $700 million in more than 12 attacks on DeFi protocols in just two weeks. In addition, according to tweets from on-chain data service provider OKLink, hackers stole approximately $31 million from multi-chain wallet provider BitKeep on Dec. 27.
Fear has spread through the crypto world after a string of attacks. Code auditing that lags behind development continues to plague Web3 developers, while users are stuck with technology that cannot keep pace with evolving attacks. Numerous hacks have already driven some people out of Web3 in frustration and fear; worse, such attacks could lead to economic collapse, leaving many more people without even the chance to become Web3 users. The crypto industry needs to prepare for cyber-security crises now more than ever, and fortunately that work is already under way.
MetaTrust breaks into Web3 security
MetaTrust provides automated code auditing services for Web3 builders, moving code auditing, which usually lags behind project development, forward to the earliest stages so that it covers the entire development lifecycle. Its "auditing as you develop" approach implements shift-left testing and security, helping builders identify vulnerable code at the earliest stages of the development lifecycle.
1. Builders do need code security tools. What is the specific size of your target audience?
According to Dr. Liu Yang, the co-founder of MetaTrust, the number of Web2 builders may reach 50 to 60 million. While Web3 is still in a very early stage, the number of Web3 builders is roughly 20k to 30k.
Many Web2 engineers are transitioning to Web3. In the next three years, the number of Web3 builders may grow to hundreds of thousands. MetaTrust hopes to work on code security at the earliest stage, so that we can build a proven and secure development methodology as Web3 continues to develop.
2. Each line of code is unique, and requirements in different development stages vary. How can automated scanning tools achieve a smooth user experience and accurate code audits?
Liu Yang: We provide corresponding support for each phase of the development cycle, including project plan security assessments in the pre-development phase, secure package management tools and our code scanning tool MetaScan in the development stage, project contract security audit services in the post-development phase, and security monitoring in the post-launch phase.
MetaTrust not only provides comprehensive automated scanning services but also provides a toolchain for the entire development pipeline. Our scanning tool MetaScan includes four primary engines that cover the full range of code security: fast static code scanning, precise formal scanning, development supply chain security scanning, and IP analysis scanning. In addition, MetaScan can continuously and automatically empower software development security by integrating with CI/CD: the corresponding scans are performed every time code is submitted, providing builders with security support across the complete development lifecycle.
For a better user experience, MetaScan can be used in just three steps: simply import, scan, and download, and a complete auditing report will be ready in a few minutes. The report automatically integrates the scanning results of the four major engines, so users can verify project security from multiple dimensions, saving them time and learning costs.
To ensure auditing quality, we have hired a large number of talented auditors and research and development engineers to improve the accuracy of our scanning tools. MetaTrust has built a complete Web3 vulnerability classification standard, including 12 main vulnerability categories and more than 150 subdivided vulnerability types, each with a detailed definition. Based on this standard, an automated scanning rule is implemented for each type of vulnerability. Moreover, after comparing the results of automated scanning and manual auditing on the top 50 projects, we found that automated scanning audit reports can detect 20% more vulnerabilities than manual auditing while keeping both the false alarm ratio and the false negative rate low (under 10%). Thus, we believe automated audits will definitely replace manual audits in the near future. This is the core competitiveness of MetaTrust.
3. How do you solve open-source security risks?
Liu Yang: Open source is the core spirit for many Web3 builders. Open-source components are widely used, and the proportion of open-source code in a project can reach 60% to 90%. When a large number of open-source components are used, there is a possibility of inheriting security issues or infringing on IP. To solve this problem, MetaTrust provides an automated open-source security scanning engine that identifies open-source components and their built-in security issues, together with code repair suggestions. In addition, MetaTrust created the concept of the secure package manager (MPM): we provide a secure package manager for open-source components, which must first have passed our audit and verification. MPM can solve open-source security risks in the pre-development phase. The product is scheduled to launch in Q1 of 2023.
4. Does the "full development life cycle" include the post-launch phase? What security services are provided for non-engineers? What are the billing standards?
Liu Yang: 24x7 dynamic monitoring is a key feature of MetaScout, another MetaTrust product. MetaScout is a dynamic, real-time smart contract security monitoring platform. It offers a complete solution by combining automatic scanning in the development stage with dynamic monitoring in the post-launch stage. In addition, MetaScout's real-time monitoring feature will focus on newly launched hot projects. Once potential vulnerabilities and security risks are identified, it will "broadcast" a warning to all Web3 participants at the earliest possible time.
MetaScan is a SaaS product. A 14-day free trial is available for the MetaScan community version. Developers can use the static engine and the development supply chain engine in MetaScan for project scanning. We hope MetaScan will be used by as many developers as possible, so that we can continuously optimize and upgrade our product and services based on feedback from developers and the market. A paid version of MetaScan is also available. Users can choose to subscribe on a monthly or yearly basis. The paid version includes the complete set of four primary engines and product features such as professional report generation and export. The paid version is mainly billed per month and depends on the amount of code. Currently, MetaScan offers three primary pricing tiers, $599 per month, $799 per month, and $999 per month, with a 10% discount for annual subscriptions. Bonus manual audit services are also provided for annual subscriptions: one manual audit service is included in the $599/month package, two manual audit services in the $799/month package, and three manual audit services in the $999/month package.
Each additional manual audit service is a standalone payment of $2499.
5. Can you tell us more about MetaTrust's team and fundraising plan? Any thoughts on an ICO?
Liu Yang: MetaTrust is a technology and research-based start-up company. Our co-founders and key team members are top cyber security professors. We are highly confident in our research and development competence.
We have completed a seed round of around ten million US dollars. Investors include M23, Redpoint Ventures, ABCDE Capital, Longhash, Hash Global, SNZ, Yunqi Capital, GGV, Fellows Fund, Aimtop Ventures, and many other well-known venture capital firms.
Four products are scheduled to launch in Q1 of 2023, and we will look for the next round of funding after reaching our revenue and profit goals. Our top priority at the current stage is to focus on building, to ensure that products are delivered in full and on time.
Building a security development community is one of our future plans. We wish to incentivize engineers to get more involved in open-source programs through our ecosystem and collaboration tokens. R&D contributions can be directly pegged to token rewards: the more you contribute, the higher the value of the token rewards you will receive. This mechanism will promote security development across the whole open-source world and achieve a closed loop of value generation and economic return.
Conclusion
Outstanding research and development capabilities are the DNA of MetaTrust. Blockchain security is an industry with high barriers to entry; we chose to break into the market with SaaS products that focus on high accuracy and ease of use and cover the entire life cycle of project development.
However, taking responsibility for code is far from enough for Web3 security. The most urgent problem in Web3 is to build new industry consensus standards and programming paradigms in a fast-growing industry. Providing security feedback can refine best practices for Web3 and improve the security of code development in the future. Whether this valuable security feedback data and these solutions will be fully open-sourced still depends on MetaTrust's future choices.
In addition, apart from individual developers, most of MetaTrust's clients are project stakeholders. Disclosure of a fatal vulnerability could mean the instant death of a thriving project. When dealing with clients who "refuse to disclose potential risks" and with the constraints of its service terms, can MetaTrust still keep its faith in defending the security of Web3? Time will tell.