Security Research
A Case for On-Chain Zero Trust
December 20, 2022
Zero Trust, in the sense of a positive reputation system, has the potential to change the world of on-chain security. Today's security systems aim to identify malicious activity. That approach works well when the malicious activity can be identified before the actions that incur damage (e.g. stealing digital assets). A zero trust system implemented inside protocols would instead render many of the attacks currently plaguing the ecosystem ineffective.
In Web3, attacks usually follow four stages: Funding, Preparation, Exploitation, and Money Laundering. Identifying an attack in the preparation stage (e.g. by analyzing the attacker's smart contract) can be an effective way to detect and mitigate it. This approach works well when attack behavior stays consistent and patterns have emerged that can be detected reliably (see the Threat Detection Kits deployed on Forta).
However, the approach starts breaking down once attack behavior changes. Web3 attacks are nascent and attackers are evolving, constantly creating new ways of attacking protocols. The approach also fails when the identified attack indicators (e.g. addresses) are cheap for attackers to change. In the case of Ice Phishing, for example, several Forta detection bots identify addresses involved in the attack, but an attacker can aggressively rotate those addresses to evade detection.
Zero Trust can augment the traditional approach of identifying malicious behavior and attacks by instead identifying specified "good" behavior. This approach is more restrictive in that it assumes all behavior is bad unless there are indicators that it is good. For instance, a DEX could accept transactions only from users that have been active on-chain for 90 days and have engaged successfully with at least 10 other protocols.
Challenges
The Zero Trust approach is not without challenges. Some of the most pressing ones are outlined below:
First, how is a positive reputation established? How are new accounts brought into the fold without introducing friction? Reputation is a property that could propagate on a graph of involved entities. For example, a new account could initially inherit the reputation of its funding address (another EOA or an exchange).
When the reputation system is part of an open system, attackers could analyze the zero trust system and build a positive reputation in order to execute a multi-million dollar attack. While such a heuristic would likely increase the cost on the attacker side (researching how the reputation system works, plus the transaction costs incurred by building that reputation), it is certainly not un-gamable. More durable, expensive, and difficult-to-obtain positive reputation indicators that draw on a plethora of signals, like POAPs, proof-of-humanity, and account-value-dependent reputation (e.g. an account with 100 ETH can perform transactions involving up to 10 ETH, while an account with 10 ETH can perform transactions involving up to 1 ETH), could raise the cost of manipulating the system.
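The DEX rule, the funding-graph inheritance and the value-dependent cap sketched above, as an added simulation that is not Forta code and not a real protocol integration; the account fields, the hop limit on inheritance and the sample addresses are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Hypothetical account record for the simulation (assumed fields, not Forta's data model).
@dataclass
class Account:
    first_seen_day: int            # day of the account's first on-chain activity
    protocols_used: Set[int]       # ids of protocols it has interacted with successfully
    balance_eth: float
    funder: Optional[str] = None   # address that funded it (another EOA or an exchange)
MIN_AGE_DAYS = 90     # "active on-chain for 90 days"
MIN_PROTOCOLS = 10    # "engaged with at least 10 other protocols"
VALUE_RATIO = 10      # 100 ETH account -> up to 10 ETH per transaction
MAX_FUNDING_HOPS = 3  # assumption: bound how far reputation propagates on the funding graph

def has_own_reputation(acct: Account, today: int) -> bool:
    """The account qualifies on its own history."""
    return (today - acct.first_seen_day >= MIN_AGE_DAYS
            and len(acct.protocols_used) >= MIN_PROTOCOLS)

def is_reputable(address: str, accounts: dict, today: int,
                 hops: int = MAX_FUNDING_HOPS, _seen=None) -> bool:
    """Qualify directly or inherit from the funder; unknown addresses and funding cycles are denied."""
    _seen = set() if _seen is None else _seen
    if address in _seen or address not in accounts:
        return False
    _seen.add(address)
    acct = accounts[address]
    if has_own_reputation(acct, today):
        return True
    if hops > 0 and acct.funder is not None:
        return is_reputable(acct.funder, accounts, today, hops - 1, _seen)
    return False

def allowed_value_eth(address: str, accounts: dict, today: int) -> float:
    """Value-dependent cap: reputable accounts may move up to balance / VALUE_RATIO."""
    if not is_reputable(address, accounts, today):
        return 0.0
    return accounts[address].balance_eth / VALUE_RATIO

def should_accept(address: str, value_eth: float, accounts: dict, today: int) -> bool:
    """Gate a DEX interaction: reject anything not explicitly allowed (default deny)."""
    return 0 < value_eth <= allowed_value_eth(address, accounts, today)
TODAY = 400  # constructed "current day" for the sample
ACCOUNTS = {  # constructed sample addresses, not real ones
    "0xEXCHANGE": Account(0, set(range(20)), 1000.0),
    "0xVETERAN": Account(10, set(range(12)), 100.0, funder="0xEXCHANGE"),
    "0xFRESH": Account(395, {1}, 10.0, funder="0xVETERAN"),     # inherits from its funder
    "0xATTACKER": Account(398, set(), 50.0),                     # no history, no funder
}
```

With these constants the fresh account funded by the veteran is admitted but capped at 1 ETH, while the unfunded two-day-old account is rejected outright regardless of its balance.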
Once positive reputation systems exist, attackers are likely to focus on hijacking the reputation of legitimate users. The threat landscape is already filled with phishing attacks that attempt to steal users' private keys. So far, the value of those users is tied to the digital assets they hold, but in a zero-trust world, their reputation could be of much greater value, as the account could provide a stepping stone for a multi-million dollar attack. If such a system is implemented, it is important to start thinking about how these accounts can be better secured against attacks.
Once a robust positive reputation system exists, it needs to be made available to protocols in an efficient manner. One approach could be to encode the positive reputation in a Verkle Tree that is exposed through a positive reputation contract. Protocol integration potentially increases transaction cost and the complexity of the system; the latter could itself become an attack vector that warrants strong security measures.
What’s Next?
While these challenges are substantial, they are not insurmountable. The Forta community is looking forward to the space tackling some of the challenges listed above. Ideally, a positive reputation system would be encapsulated in a standard that anybody could implement. Please join Forta’s positive reputation Discord channel to get involved.