Web3 Security Isn’t Just About Tech—The Bybit Attack Proves It’s Also About Process

The majority of people think Web3 security is about smart contracts, but this is just one side of the coin. As security matures in the smart contract space, attackers will switch to the "path of least resistance". This means that end-users and the technologies they use will be seen as easier targets.

The Bybit incident exemplifies a critical security mistake: regardless of the attack/exploit vectors used, transactions were signed without adequate verification. While increasing the number of signatories might seem like a solution, it does not address the core issue of process failure. In this case, a quorum of signers approved a transaction without any one of them thoroughly inspecting its contents. Security cannot rely solely on cryptographic controls; it must also incorporate rigorous verification processes to ensure that human oversight does not become a liability.

Breaking Down Crypto Attacks: A Proactive Approach for Organizations

Organizations must systematically analyze each attack in the crypto space to understand its various stages and components. This can be done by studying publicly available post-mortem reports and security analyses.

Once an attack is deconstructed, security teams should conduct a war game exercise tailored to the crypto industry, applying the same attack scenario to their own infrastructure by asking key questions:

  1. When and how would we detect this attack (if at all)?
  2. How can we identify and verify suspicious actions?
  3. What controls are in place to mitigate risks?
  4. Is there sufficient logging and accountability?
  5. How can we improve our security posture?
  6. Should this happen to us, how will we respond/act?

Effective Security Measures Have to Go Beyond Multi-Sig

Increasing the number of signatories is not a viable solution when the underlying risk is human error. The best mitigation strategy is to establish a robust process where every transaction is thoroughly reviewed and documented before signing.

  1. Security in the Signing Process: A security team member should be included in the signing quorum to mitigate the risk of collusion or oversight.
  2. Technical Review Accountability: Each vault should have at least two technical reviewers responsible for decoding and verifying transaction call data.
  3. Logging & Tagging Critical Addresses: Organizations should maintain a list of critical addresses (smart contracts, wallets, etc.) and implement automated alerts to detect unauthorized activity.
  4. Transaction Authorization Workflow: Every vault must define escalation paths and approval thresholds to ensure security oversight.
  5. Comprehensive Logging & Recording: Transaction details, signatory actions, and operational events must be recorded and stored securely for forensic analysis.
  6. On-Chain Monitoring & Alerting: Real-time monitoring tools should be implemented to detect suspicious treasury or contract management activities.
  7. Periodic Transaction Audits: A sample of transactions should be reviewed every 3-6 months to refine processes and strengthen security measures.
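The following is an added example of the technical review step (item 2) combined with the tagged critical-address list (item 3) and the approval thresholds (item 4); it is not GRVT's or Bybit's tooling. It assumes a multisig proposal shaped as `{to, data, operation}` where operation 0 is a plain call, and all addresses and the threshold are constructed values.

```python
# Pre-signing review helper: decode calldata, check the destination against a
# tagged critical-address register and apply an escalation threshold.
# Selectors are the first 4 bytes of keccak256(signature); these two are well known.
SELECTORS = {
    "a9059cbb": ("transfer", ("address", "uint256")),
    "095ea7b3": ("approve", ("address", "uint256")),
}
# Constructed register of tagged critical addresses (hypothetical values).
CRITICAL = {
    "0x1111111111111111111111111111111111111111": "treasury-cold",
    "0x2222222222222222222222222222222222222222": "ops-hot",
}
ESCALATION_THRESHOLD = 1_000_000 * 10**6  # constructed: 1M units of a 6-decimal token

def decode_calldata(data_hex: str):
    """Return (function, [args]) for a known selector, or None if it cannot be decoded."""
    raw = bytes.fromhex(data_hex.removeprefix("0x"))
    name_types = SELECTORS.get(raw[:4].hex())
    if name_types is None or len(raw) != 4 + 32 * len(name_types[1]):
        return None
    name, types = name_types
    args = []
    for i, typ in enumerate(types):
        word = raw[4 + 32 * i: 36 + 32 * i]
        if typ == "address":
            if any(word[:12]):  # upper 12 bytes of an address word must be zero padding
                return None
            args.append("0x" + word[12:].hex())
        else:
            args.append(int.from_bytes(word, "big"))
    return name, args

def review(tx: dict) -> list:
    """Return reviewer findings; an empty list means the proposal passes all checks."""
    findings = []
    if tx.get("operation", 0) != 0:
        findings.append("non-standard operation (not a plain call): escalate")
    decoded = decode_calldata(tx["data"])
    if decoded is None:
        findings.append("calldata not decodable by reviewer tooling: do not sign")
        return findings
    fn, (dest, amount) = decoded
    if dest.lower() not in CRITICAL:
        findings.append(f"{fn} to untagged address {dest}: verify out-of-band")
    if amount > ESCALATION_THRESHOLD:
        findings.append(f"amount {amount} exceeds threshold: second approver needed")
    if fn == "approve":
        findings.append(f"approve grants spending rights to {dest}: confirm intent")
    return findings
```

Each finding is meant to be written to the transaction log alongside the signer's decision, so the audit sample in item 7 can show who saw what before signing.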

GRVT's Hybrid Model: Security and Self-Custody Combined

GRVT’s hybrid approach merges centralized exchange (CEX) trading capabilities with an on-chain settlement layer, allowing users to maintain self-custody of their funds. Security is at the core of this model:

  • Users authenticate with Web2 multi-factor authentication but must register a wallet and sign privileged actions using their private key.
  • Web2 authentication and session security (e.g. MFA and session tokens) are applied to every user request before it is even passed on to the smart contract, providing a defence-in-depth approach.
  • GRVT’s smart contracts enforce treasury actions only with valid EIP-712 signatures.
  • GRVT has no access to users’ private keys, ensuring that funds remain under user control.
  • A system of smart contracts is deployed on GRVT’s private Layer 2 (L2) chain. Zero-knowledge proofs sent to Ethereum Layer 1 ensure that transactions are executed as specified in the smart contract while preserving privacy.

Continuous Security Audits: A Necessity, Not an Option

Activities such as penetration testing only provide a "point in time" view of the risk: new attack paths and exploits become available afterwards and may be missed until the next yearly audit, leaving the organisation vulnerable during that time.

Even with proactive security measures, periodic security audits are critical. Routine assessments—whether through risk analysis, penetration testing, or transaction audits—create a feedback loop that helps organizations continuously improve their security posture.

  • Early Involvement of Security Teams: Embedding security early in the development cycle reduces costs and improves resilience.
  • Third-Party Vendor Assessments: External vendors integrated into an organization's tech stack pose potential security risks. Due diligence, such as assessing the vendor's data and security posture and requiring established certifications such as SOC2, should be standard practice.
  • Smart Contract Reviews, Penetration Tests and Bug Bounties: Welcoming and rewarding leading industry researchers and professionals to help secure a Web3 project is key to staying protected against the most cutting-edge risks and attacks. 
  • Periodic Auditing: Perform regular activities such as reviewing logs/alerts, processes and other telemetry such as known risks/incidents. These activities should be reviewed for security risks or gaps in controls/processes; any such findings then provide a constant feedback mechanism for improvement.

The Evolution of Web3 Security Standards

While centralized exchanges (CEXs) generally maintain better security than DeFi protocols, most still follow traditional Web2 security frameworks. This leaves gaps in addressing Web3-specific attack vectors.

  • Regulatory Frameworks: Emerging regulations (such as the EU’s MiCA) provide a foundational security framework, but they only focus on specific areas and lack specificity for Web3 as a whole.
  • Knowledge Sharing and Collaboration: Security professionals must actively share insights and research to develop standardized security practices.
  • Proactive Defense Over Reactive Response: The Web3 space must move beyond a reactive "cat-and-mouse" security model. Organisations must assume they have been breached and proactively establish robust defense-in-depth controls.

Conclusion

The Bybit incident serves as a wake-up call for the Web3 industry. Security cannot be an afterthought—it must be embedded into every stage of an organization’s operational and technical processes, especially in the crypto industry where stakes are in the billions. By leveraging structured risk assessments, robust transaction verification workflows, and proactive security measures, organizations can fortify themselves against evolving threats. Collaboration within the industry is crucial to developing comprehensive Web3 security standards, ensuring the space matures with resilience against future attacks.