Introduction

While web3 continues to push technological boundaries with decentralized finance, NFTs, DAOs, and on-chain governance, many projects overlook a critical threat vector: web2 vulnerabilities embedded in off-chain components. From API endpoints and backend services to relayer infrastructure and signers, the web2 layer in many web3 systems often becomes the weakest link.

A stark reminder came just weeks ago when time.fun, a web3 entertainment platform, was ethically hacked via its web2 components. The incident, though non-malicious, exposed the glaring oversight and helped bring much-needed attention to the risks posed by traditional web application security flaws in web3 contexts.

This article delves into the emerging trend of web2 vulnerabilities haunting web3 systems, highlights two critical issues (Insecure Direct Object References and Server-Side Request Forgery), and explores how these bugs—commonly seen in web2—can cause significant damage in decentralized environments. To make this research actionable, two accompanying labs demonstrate how these vulnerabilities manifest and provide remediation strategies for prevention.

Current Trends: Ignoring the Web2 Foundations of Web3

Blockchain advocates often promote the idea that decentralization equals security. While it's true that blockchain consensus mechanisms offer strong resistance to tampering, this assurance does not extend to the off-chain infrastructure required to support many decentralized applications.

Key components like:

...are often developed using standard web2 stacks such as Node.js, Python, or Go, and are vulnerable to age-old bugs.

Recent incidents highlighting these weaknesses include:

These examples underscore a vital truth: web3 is only as secure as its web2 dependencies.