When we think of Web3, we think of decentralization, trustless systems, and immutable code. At first glance this might seem like a system immune to traditional cyberattacks; after all, smart contracts are deployed on a decentralised blockchain, not hosted on a single centralized server.
But here’s the reality: most Web3 projects are built on a hybrid architecture in which a large portion of the system still depends on traditional Web2 components. Overlooking this is a critical mistake: your system isn’t immune to Web2 attacks.
Many projects in the space invest heavily in Web3 security and smart contract audits, which is great and a necessary practice. However, the Web2 attack surface is often neglected, even though it may be the most vulnerable part of the system. Off-chain components like oracles, relayers, and backend services receive much less attention. In 2023 it was reported that approximately 35% of crypto hacks involved off-chain vulnerabilities rather than smart contract exploits.
APIs, cloud-hosted databases, admin dashboards, and off-chain services all create entry points that attackers can exploit without ever touching the blockchain itself. This overlap between decentralised logic and centralized infrastructure has already led to some of the industry’s most damaging hacks.
Common Web2 vulnerabilities in Web3 systems and their risks
Even if your Web3 components are secure, integrating Web2 elements introduces traditional vulnerabilities. Having a perfectly audited smart contract doesn’t make you immune to these attack vectors, though an audit is still a vital step against blockchain-specific threats that we highly advise.
Some recurring examples include:
Cross-Site Scripting (XSS) in Web Dashboards:
This happens when a dApp dashboard allows malicious JavaScript to be injected and executed in a user’s browser. In a Web3 context, this could trick victims into signing unauthorized blockchain transactions.
Cross-Site Request Forgery (CSRF):
A token staking site could be tricked into executing unwanted transactions for authenticated users if CSRF protections are missing.
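The check that is missing in the staking scenario above, as an added example that is not code from the original post: a synchronizer-style CSRF token bound to the user's session with an HMAC, verified before a hypothetical stake handler touches the chain. The server secret, session ids and the `handle_stake_request` handler are all constructed for this illustration.

```python
import hmac
import hashlib
import secrets

# Constructed server-side secret; a real deployment loads it from a secrets manager.
SERVER_SECRET = b"constructed-server-secret-not-for-production"


def issue_csrf_token(session_id: str) -> str:
    """Issue a token of the form <nonce>.<hmac(secret, session_id:nonce)>.

    The nonce makes every token distinct; the MAC ties it to one session, so a
    token stolen or guessed for another session (or forged by a third-party
    page that can only trigger the browser to send cookies) will not verify.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    try:
        nonce, mac = token.split(".", 1)
    except ValueError:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def handle_stake_request(session_id: str, form: dict) -> str:
    """Hypothetical POST /stake handler: the CSRF check runs before any
    staking transaction is built or submitted on the user's behalf."""
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "rejected: missing or invalid CSRF token"
    return f"accepted: stake {form['amount']} for session {session_id}"
```

The token is a second factor alongside the session cookie: a cross-origin form can make the browser send the cookie, but it cannot read or forge a token issued for that session.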
Insecure File Uploads on GameFi or DAO Platforms:
This occurs when applications allow unrestricted file uploads without proper validation. Attackers could upload malicious files, gain server access, and potentially alter blockchain-related data or steal sensitive keys.
SQL Injection (SQLi) in Backend API:
This occurs when backend APIs fail to properly validate and sanitize user input in database queries. In Web3 systems, an attacker could extract user data, wallet addresses, or API keys from NFT marketplaces, token platforms, or DAO tools.
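The backend API case above, as an added example (not code from the original post): a wallet lookup against a constructed in-memory user table, once with the address interpolated into the SQL string and once with the address validated as an EVM-style hex address and bound as a query parameter. The table, its rows and the API keys in it are all made up for the illustration.

```python
import re
import sqlite3

# Constructed in-memory table standing in for an NFT marketplace's user store.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (wallet TEXT, email TEXT, api_key TEXT)")
conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
    ("0x" + "a" * 40, "alice@example.test", "key-alice"),
    ("0x" + "b" * 40, "bob@example.test", "key-bob"),
])


def lookup_vulnerable(wallet: str) -> list:
    """Vulnerable form: the caller-supplied wallet lands inside the SQL text.

    A value containing a quote and an OR clause collapses the WHERE condition,
    so the query returns every row, API keys included.
    """
    sql = f"SELECT wallet, email, api_key FROM users WHERE wallet = '{wallet}'"
    return conn.execute(sql).fetchall()


# 0x followed by exactly 40 hex digits; anything else is not a usable address.
EVM_ADDRESS = re.compile(r"0x[0-9a-fA-F]{40}")


def lookup_hardened(wallet: str) -> list:
    """Hardened form: validate the address shape, then bind it as a parameter.

    The secret column is also left out of the SELECT, so even a logic bug
    elsewhere cannot turn this endpoint into an API-key oracle.
    """
    if not EVM_ADDRESS.fullmatch(wallet):
        raise ValueError("not a well-formed EVM address")
    sql = "SELECT wallet, email FROM users WHERE wallet = ?"
    return conn.execute(sql, (wallet,)).fetchall()
```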
Web3 hacks caused by Web2 vulnerabilities
In 2024 there were multiple crypto platform breaches caused by Web2 vulnerabilities and off-chain failures, including multisig flaws, private key leaks, and backend misconfigurations. These affected big platforms like WazirX, DMM Bitcoin, and Compound Finance.
BadgerDAO Cloudflare API key leak (2021):
Attackers injected malicious scripts into the frontend using stolen Cloudflare credentials. Users thought they were interacting with BadgerDAO, but were tricked into signing transactions that drained $120M in assets.
DNS Hijacking in Ambient Finance (2024):
Attackers compromised Ambient Finance’s DNS records, redirecting users to a malicious replica of the site embedded with Inferno Drainer malware. Victims, believing they were on the legitimate platform, connected their wallets and unknowingly authorized transactions that drained their funds.
The importance of integrating web2 security
No matter how decentralised your protocol is, your Web3 application still relies on Web2 components. These elements often become the weakest link if they’re not held to the same security standards as your on-chain code.
A stronger approach to Web3 security includes:
- Hybrid security audits that assess both smart contracts and supporting Web2 infrastructure.
- OWASP Top 10 testing for backend APIs, dashboards, and administrative interfaces.
- Security integration in CI/CD pipelines to identify vulnerabilities before they reach production.
- Comprehensive threat modeling that considers attack vectors across both on-chain and off-chain systems.
Web2 security in more depth
Web2 security in a Web3 context requires adopting established penetration testing practices while tailoring them to blockchain-integrated systems.
API Security Testing:
Validate input/output, enforce authentication, and check for injection flaws in blockchain API gateways.
Web Application Testing:
Identify XSS, CSRF, authentication bypass, and session mismanagement in dApp dashboards.
Cloud Infrastructure Security:
Secure keys, limit IAM permissions, and monitor for unusual activity in cloud environments hosting Web3 services.
Bug Bounty Programs:
We already have bug bounty programs for the smart contracts, so why not do another one for the web2 side? Invite ethical hackers to test both the smart contract and Web2 layers.
Bridging the gap: what web3 auditors can learn from web2 pentesters
Many Web3 auditors excel in Web3 security but have limited exposure to Web2 security. Drawing on Web2 pentesting practices can close this skills gap and strengthen overall security.
If you’re hiring a team of auditors, make sure it includes someone capable of testing your Web2 attack surface, not only the smart contracts. And if you’re a Web3 auditor looking to expand your expertise, you can start by learning reconnaissance and OSINT techniques to uncover exposed subdomains, leaked confidential data, unprotected APIs, or forgotten staging environments that could be used as an entry point into your system.
Make sure as well that everyone in your environment uses multi-factor authentication and token rotation, as these make critical admin panels and APIs far harder to abuse. And don’t overlook the human element: phishing attacks remain a critical threat. In the first half of 2025 alone, losses due to phishing attacks totalled approximately $410.75 million across 132 reported incidents, making phishing the most costly attack vector in Q2 2025. Security awareness training and phishing simulations can drastically reduce this risk.
Conclusion
Web3’s decentralised foundation hasn’t eliminated the need for centralized infrastructure, and with that infrastructure come the vulnerabilities, and the risk, that it carries.
The future of Web3 security lies in treating the ecosystem as a whole, applying both blockchain-native audits and Web2 testing methodologies.
A trustless blockchain doesn’t mean much if the systems that connect to it cannot be trusted.
Ready to Strengthen Your Stack?
Explore our courses and workshops on smart contract security and secure Web2 engineering.