
Interview with a Web3 Leading Security Service Provider: The "Battle of Attack and Defense" in Cloud Security
TechFlow Selected TechFlow Selected

Interview with a Web3 Leading Security Service Provider: The "Battle of Attack and Defense" in Cloud Security
Approaching the end of 2023, bull market signals are gradually becoming clear, and the number of Web3 projects deploying on cloud servers will rapidly increase, with cloud infrastructure playing an increasingly critical role at the foundational layer.
By CrossSpace
The Web3 ecosystem, built on blockchain's underlying technology (distributed ledger), is rapidly evolving. Technological innovations in Layer 1 and Layer 2 public blockchains are making them viable candidates for the next-generation foundational computing network. Infrastructure components are continuously maturing like "Lego" building blocks, enabling Web3 BUIDLers to develop rich dApps across diverse application sectors.

Cloud services, as a critical foundational infrastructure for Web3, are indispensable to the entire ecosystem, with tens of thousands of applications running on cloud servers annually. According to public report data from security firm Immunefi, “In 2022 security incidents, 46.5% of financial losses stemmed from underlying infrastructure vulnerabilities, among which private key management, operational practices, and emergency response planning were most critical.” Web3 cloud security continues to face challenges, including private key leaks, unauthorized access, smart contract analysis and auditing, DDoS attacks, insider threats, compliance, and stability issues—persistent concerns for Web3 BUIDLers and ongoing challenges for cloud and security service providers alike.
As the pioneer in launching cloud services, Amazon Web Services (AWS) has long led the cloud industry. Today, AWS is actively embracing the Web3 ecosystem by partnering with leading Web3 community brand CrossSpace to launch the “Web3 Security” series of online and offline workshops. These events dive deep into cloud service security, listening to real-world security challenges from exchanges, public chains, infrastructure providers, and dApp developers, and exploring practical solutions.
As part of this series, we are honored to present exclusive interviews with four outstanding Web3 security service providers—Beosin, CertiK, MetaTrust, and SlowMist—and AWS cloud security experts, discussing current cloud security challenges and solution strategies.
Why Is Web3 Cloud Security So Important?
Security is paramount for any enterprise. Cloud services and Web3 are mutually reinforcing. Since Bitcoin’s mainnet launched in 2009 and Ethereum’s in 2015, security incidents and asset losses have increased year after year, underscoring the need to treat security as a cornerstone of the Web3 world. Whether centralized exchanges or decentralized applications such as DeFi, GameFi, NFTs, DAOs, Social, and Bridges—all involve token-based use cases. Ensuring the security of the entire token handling process is a critical consideration for Web3 BUIDLers. As a cloud security expert and provider serving numerous Web3 projects, AWS closely monitors blockchain and Web3 security developments, actively engages with project teams, and conducts various forms of Web3 security sharing and training.
Approaching the end of 2023, bullish signals are becoming clearer, and the number of Web3 projects deploying on cloud servers will grow rapidly. The cloud’s role as a foundational layer is increasingly vital, making cloud security an essential concern for every developer and BUIDLer.
What Are the Major Challenges Facing Cloud Security Today?
During this interview, security firm Beosin stated, “Attacks targeting cloud service data providers are one of the primary recent attack vectors, leveraging DDoS attacks, account hijacking, and malicious implants to compromise the computing and storage services offered by cloud providers, resulting in sensitive data leaks and service disruptions.” The team shared: “Recently, Mixin Network and Fortress IO suffered losses of $200 million and $15 million respectively due to attacks on their cloud providers.”
The leakage of sensitive data, especially private keys, was repeatedly cited by security experts in this interview as a root cause of security incidents. CertiK’s Q3 security report also noted, “Private key leaks were among the reasons for significant losses this quarter. Fourteen private key theft incidents caused a total loss of $204 million.”
Beyond data leaks, the SlowMist team outlined several other major categories of cloud security threats:
-
Account breaches and unauthorized access: Hackers can obtain user accounts and credentials through password cracking, social engineering, or weak password attacks, gaining unauthorized access.
-
DDoS attacks: Distributed Denial-of-Service (DDoS) attacks can render cloud services unavailable by consuming resources or overwhelming network traffic, causing business disruption.
-
Malicious insider threats: Internal users or employees may abuse their privileges to steal data, destroy information, or conduct other malicious activities.
-
Compliance and data management: Project teams fail to effectively use available tools to protect data when processing it on cloud service platforms, leading to data confusion or loss.
Faced with multi-dimensional hacker attacks and potential internal security risks, Web3 security experts urge awareness that cloud security requires comprehensive strategies and cannot rely on single-dimensional, simplistic defenses.
The Battle of Cloud Security Defense: How Can We Break Through?
Amid ongoing cloud security challenges, how can we strengthen defense to safeguard user privacy and funds? Experts and teams from various security organizations share their insights.
Beosin Team:
“Given the frequent occurrence of sensitive data leaks, we recommend encrypting data during storage and transmission to prevent unauthorized third-party access. For highly sensitive data such as private keys, we suggest using privacy-preserving computation and homomorphic encryption technologies to avoid key exposure.
Additionally, project teams should ensure clients access cloud services only via secure APIs, preventing injection attacks, cross-site scripting, and other malicious activities. Using APIs allows for client authentication and data validation before accessing cloud services, ensuring both access and data security. Given the weak security posture of personal computers as clients, we do not recommend direct API calls from personal devices for system data access or operations. Instead, use cloud-based virtual desktops or secure jump hosts for such tasks.”
Professor Kang Li, Chief Security Officer at CertiK:
“We primarily observe two common risks when using cloud platforms: misconfiguration of cloud data by users, and risks arising from embedding cloud backend services within dApps. While cloud platforms offer robust resource protection and data controls, improper configuration often allows external parties to access user backends. The second risk stems from developers embedding cloud backend services directly into dApps—some developers, for convenience, design interfaces they believe are internal-only, allowing mobile dApps to access backend systems without public exposure. Although cloud APIs are tightly controlled, this still results in extensive interaction between dApps and backends.
To address these risks, CertiK offers security services for cloud platforms and cloud-hosted dApps, including code audits, risk assessments, team identity verification, and background checks. Professor Li added, ‘If you cannot guarantee your development team is absolutely trustworthy, having audit experts conduct a thorough review of your dApp remains essential.’”
Professor Yang Liu, Co-founder of MetaTrust:
“As a foundational layer, cloud security must ensure data security and user privacy. End-to-end full-stack protection is crucial, with particular emphasis on data protection. Implement appropriate access permissions for different data types to prevent unauthorized access. Cloud mechanisms are complex, requiring independent access controls for each data category.
Moreover, data compliance must be prioritized. Many data sets coexist in the same cloud environment but may be subject to regional access restrictions. Lack of awareness can easily lead to compliance issues from cross-border data leaks. Therefore, access control and identity verification are equally important. We need to establish strict, fine-grained access control and identity verification mechanisms to prevent unauthorized access.”
SlowMist Team:
“Cloud security requires a comprehensive strategy encompassing proper access control, encryption, continuous monitoring, professional security audits, training, and education to ensure the security and stability of the cloud environment. For example, implement end-to-end encryption for critical data. If encryption is used, secure management of encryption keys is paramount—maintain key backups, preferably not stored in the cloud. Preventing basic vulnerabilities like configuration errors can significantly reduce cloud security risks. Finally, whether individual users, SMEs, or enterprise cloud users, ensuring network and device security is critically important.”
AWS: Security Is an Onion-Like Multi-Layered Defense
Whether in Web2 or Web3, AWS actively provides computing and security services to diverse projects. As a leader and active participant in cloud computing, AWS Web3 technical experts emphasize that security is not an egg-like single-layer model but an onion-like multi-layered structure—layered, progressive, and comprehensive. Specifically, the first layer is threat detection and incident response, the second is identity and access management, the third is network and infrastructure security, the fourth is data protection and privacy, and the fifth is risk management and compliance. AWS offers complete solutions for each layer, helping Web3 projects securely manage their entire application systems.
Conclusion: Winning the Battle of Web3 Cloud Security Requires Collective Effort
The security of the Web3 ecosystem depends fundamentally on the security of its cloud infrastructure. All stakeholders—including project teams, cloud service providers, and security service providers—must establish comprehensive security strategies, conduct regular audits, and perform self-security checks to maximize overall security.
For Web3 developers, beyond enhancing ethical standards, continuously improving security skills is essential. Developers are encouraged to participate in AWS-led developer initiatives and training programs such as Web3 Ethical Hacking and Security Best Practices to identify common contract risks.
Our shared goal is to build a secure Web3 ecosystem and achieve sustainable industry growth. We hope this interview provides valuable insights you can actively apply in your daily practice.
For Web3 project teams seeking guidance on building secure cloud applications, please click here to learn more.
Join TechFlow official community to stay tuned
Telegram:https://t.me/TechFlowDaily
X (Twitter):https://x.com/TechFlowPost
X (Twitter) EN:https://x.com/BlockFlow_News











