
What Is Application Security (AppSec)?

Category: Cybersecurity


POSTED BY: Rob Behnke

02.10.2025

Application security (AppSec) is the practice of managing an application’s exposure to potential cyber threats. The goal is to reduce the risk that vulnerabilities or other security flaws in the application could be exploited by an attacker to steal money, leak sensitive data, or do something else that harms the business. A strong AppSec program is an essential component of an organization’s cybersecurity strategy. Without one, every new piece of code can introduce additional security risks into an organization’s environment. However, many organizations struggle with AppSec, as demonstrated by the 40K new vulnerabilities discovered in 2024 alone. This problem is even worse in the Web3 space, where unfamiliar and evolving infrastructure and a “test in prod” mentality render it less of a priority than it should be.

How Web3 and Web2 AppSec Differ

One of the most significant challenges that Web3 AppSec programs face is the fact that they have a wider and more complex digital attack surface to secure and defend. Many Web3 projects have traditional Web2 applications, such as web frontends, that can contain vulnerabilities that expose them to attack.

One example of this is the BadgerDAO hack, where an attacker inserted malicious scripts into the project’s Web2 frontend that added malicious DeFi approvals to user transactions. With these approvals, the attacker was able to drain $120 million in tokens from users’ wallets.

In addition to these classic security risks — which the Web2 space still struggles with — Web3 projects also have to cope with smart contract security challenges. Vulnerabilities like reentrancy — which have been a known risk for years — still crop up in modern smart contracts.

The introduction of new smart contract platforms and programming languages and updates to existing ones also exacerbate this issue. For example, the Vyper incident in 2023 involved vulnerabilities in the Vyper compiler that undermined reentrancy protections.

Web2 and Web3 AppSec also differ in the potential penalties for a hack. In many cases, Web2 projects can take steps to undo or mitigate the effects of a security incident. However, the immutability of the blockchain ledger means that funds stolen from a hacked smart contract can only be recovered if the attacker elects to accept a bug bounty, or if the attacker is hacked back and the private keys of the wallets holding the stolen crypto are retrieved.

Core Principles of AppSec

AppSec in Web2 and Web3 differs significantly in the details. However, many of the core principles and best practices remain the same regardless of the platform where an application is launched.

Vulnerability Management

Vulnerability management is essential to any AppSec program. Vulnerabilities in a smart contract or Web2 frontend can have devastating effects on a Web3 project.

To implement effective vulnerability management, a project should take a “defense in depth” approach. This includes:

  • Automated Scanning: Automated tools exist for many smart contract platforms that are designed to identify a wide range of potential vulnerabilities. These tools can be run manually or integrated into automated DevOps pipelines to detect potential issues as quickly as possible.

  • Smart Contract Audits: A smart contract audit should involve a human auditor reviewing an application’s code to identify potential issues. This helps to detect business logic errors and other problems that automated tools are unable to find.

Automated scanning and human-led audits should be performed on all application code before deploying it on-chain. This is because any change to an application could introduce new issues, and not all of these are detectable by automated tools. For example, a smart contract vulnerability scanner is designed to identify flaws like reentrancy, not where a developer made an error and implemented functionality in a way that differs from the documentation.

It’s also important that smart contract audits cover all aspects of a Web3 project’s ecosystem. For example, GemPad is a project that allows users to quickly and easily deploy tokens using pre-audited smart contracts. However, it suffered a $1.9 million hack in December 2024 because its underlying smart contracts contained a reentrancy vulnerability that allowed the attacker to steal the tokens that it was supposed to keep safe.

DevSecOps: Securing the Software Development Lifecycle (SDLC)

Performing a smart contract audit right before release is a great idea, but it can be an expensive way to manage security. If an application contains fundamental issues, auditing only when development is complete could require a complete code rewrite.

A better approach is to integrate security into the development lifecycle, a practice called DevSecOps. For example, a project could explicitly define security requirements during the design phase, implement unit tests, and automatically perform vulnerability scans upon every code commit.

This approach enables the team to identify and fix potential bugs earlier in the process, reducing the amount of code that needs to be rewritten and the potential impacts on deadlines. Additionally, performing many scans and tests reduces the risk that something could slip through the cracks.

Incident Management and Response

Despite a team’s best efforts, it’s possible that a vulnerability will make it to deployment and be discovered by an attacker. Minimizing the potential impacts of this requires a robust incident response strategy with the following elements:

  • Continuous Security Monitoring: Blockchains are global systems, and hacks can happen at any time. Implementing continuous monitoring of a project’s smart contracts enables swift incident identification and damage control.

  • Defined Response Plans: Having a defined incident response plan in place may enable a project to decrease the damage done by an incident. If an attack takes multiple stages to complete, a team that knows exactly what to do may be able to reduce or eliminate losses if they move quickly enough.

  • Fallbacks and Killswitches: Smart contracts and the rest of a project’s infrastructure should have controls in place to help manage the impact of an incident. For example, a smart contract may be designed to halt trading or loans if these capabilities are being exploited during a security incident.
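The killswitch pattern above, as an added example that is not code from the post or from any real protocol: a minimal ETH lending pool with a guardian-triggered pause and an automatic circuit breaker that halts borrowing when outflow within a time window exceeds a cap. The window length, cap, and contract and role names are assumptions.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration, not the post's code: an ETH lending pool with a guardian
// pause plus an automatic breaker that halts borrowing when outflow spikes.
contract CircuitBreakerPool {
    address public immutable owner;    // in practice a multisig or timelock
    address public immutable guardian; // may pause quickly; may not unpause
    bool public paused;
    uint256 public constant WINDOW = 1 hours;        // assumed tuning values
    uint256 public constant OUTFLOW_CAP = 100 ether;
    uint256 public windowStart;
    uint256 public windowOutflow;
    mapping(address => uint256) public debt;
    event Paused(address indexed by, string reason);
    constructor(address _guardian) payable { // deployer seeds liquidity
        owner = msg.sender;
        guardian = _guardian;
        windowStart = block.timestamp;
    }
    // Manual killswitch: guardian or owner can halt, but only owner can resume,
    // so a leaked guardian key cannot re-enable borrowing mid-incident.
    function pause(string calldata reason) external {
        require(msg.sender == guardian || msg.sender == owner, "not authorized");
        paused = true;
        emit Paused(msg.sender, reason);
    }
    function unpause() external {
        require(msg.sender == owner, "not owner");
        paused = false;
    }
    // Automatic breaker: a borrow that would push the window's outflow past the
    // cap trips the pause and returns (no revert), so the flag persists on-chain.
    function borrow(uint256 amount) external {
        require(!paused, "pool paused");
        if (block.timestamp >= windowStart + WINDOW) {
            windowStart = block.timestamp;
            windowOutflow = 0;
        }
        if (windowOutflow + amount > OUTFLOW_CAP) {
            paused = true;
            emit Paused(address(this), "outflow cap exceeded");
            return;
        }
        windowOutflow += amount;
        debt[msg.sender] += amount; // effects before the external interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "transfer failed");
    }
}
```

Note the trade-off: any caller can trip the automatic breaker by requesting an oversized borrow, so this layer trades availability for bounded loss and relies on the owner's unpause path and the Paused event feeding the monitoring described above.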

Enhancing Your Web3 AppSec with Halborn

The ability to identify and remediate potential vulnerabilities is a critical part of any AppSec program. In the Web3 space, the best way to accomplish this is a comprehensive audit of code pre-launch that can identify both common vulnerabilities and business logic errors. For help enhancing the security of your code, contact Halborn.

© Halborn 2024. All rights reserved.