Bridging the Cybersecurity Gap Between Web2 and Web3 -- An Incident-Based Analysis of Organizational and Application-Level Security Failures
Pith reviewed 2026-05-20 09:27 UTC · model grok-4.3
The pith
Web3 security incidents reveal gaps in generic Web2 control catalogues for key management and governance.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The analysis of the Bybit exchange incident in 2025, the Ronin Network bridge compromise in 2022, and the DMM Bitcoin exchange breach in 2024 shows that dominant failure patterns in Web3 environments are insufficiently addressed by generic security control catalogues. The patterns center on cryptographic key management, transaction approval governance, signer and validator infrastructure, third-party tooling dependencies, and human-in-the-loop processes. The paper argues for the adoption of established information security management systems (ISMS) in Web3 organizations and derives a structured set of blockchain-specific cybersecurity control categories to operationalize existing ISMS frameworks for blockchain-based systems.
What carries the argument
Systematic mapping of incident root causes to OWASP-based vulnerability categories and organizational security control domains to derive new blockchain-specific control categories.
If this is right
- Web3 organizations should add dedicated controls for cryptographic key management to their security programs.
- Transaction approval governance structures tailored to blockchain operations become necessary.
- Signer and validator infrastructure requires specific security oversight beyond generic catalogues.
- Third-party tooling dependencies in Web3 need targeted risk management practices.
- Human-in-the-loop processes should be formalized within information security management systems.
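The two control categories the list treats as most Web3-specific, transaction approval governance and human-in-the-loop signing, are easiest to reason about as a policy check that runs before any signature is broadcast. The following Python block is an added illustration written for this page; it is not code from the paper, and the paper prescribes no particular policy engine. It assumes a hypothetical m-of-n signer set, a per-tier amount ceiling, and an independent verification channel on which each human reviewer confirms a digest of the transaction they are approving; signer names, device identifiers and the transaction itself are constructed sample data. The check rejects an approval when the digest the signing device actually signed differs from the digest the reviewer confirmed (the blind-signing failure mode where a compromised front end substitutes calldata), and rejects a quorum that was assembled entirely on a single workstation.

```python
import hashlib
import json
from dataclasses import dataclass


def payload_digest(tx: dict) -> str:
    """Canonical SHA-256 over the transaction fields a human reviewer is shown."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


@dataclass(frozen=True)
class Approval:
    signer_id: str        # person in the human-in-the-loop process (hypothetical identifiers)
    device_id: str        # signing device or workstation that produced the signature
    reviewed_digest: str  # digest the reviewer confirmed on an independent channel
    signed_digest: str    # digest the signing device actually signed


@dataclass(frozen=True)
class ApprovalPolicy:
    threshold: int                   # m of n authorized signers required
    authorized_signers: frozenset    # the n signer identities
    max_amount: int                  # per-transaction ceiling for this policy tier
    min_distinct_devices: int = 2    # one compromised host must not be able to reach the threshold


def evaluate(policy: ApprovalPolicy, tx: dict, approvals: list) -> tuple:
    """Return (approved, findings); an empty findings list means the policy is satisfied."""
    findings = []
    expected = payload_digest(tx)
    if tx["amount"] > policy.max_amount:
        findings.append(f"amount {tx['amount']} exceeds policy ceiling {policy.max_amount}")
    valid = []
    seen = set()
    for a in approvals:
        if a.signer_id not in policy.authorized_signers:
            findings.append(f"{a.signer_id}: not an authorized signer")
            continue
        if a.signer_id in seen:
            findings.append(f"{a.signer_id}: duplicate approval")
            continue
        seen.add(a.signer_id)
        if a.reviewed_digest != expected:
            findings.append(f"{a.signer_id}: reviewed payload does not match the proposed transaction")
            continue
        if a.signed_digest != expected:
            # The reviewer confirmed the right transaction but the device signed something else:
            # the what-you-see-is-not-what-you-sign case (front-end substitution).
            findings.append(f"{a.signer_id}: signed digest differs from reviewed digest (possible front-end substitution)")
            continue
        valid.append(a)
    if len(valid) < policy.threshold:
        findings.append(f"{len(valid)} valid approvals, {policy.threshold} required")
    devices = {a.device_id for a in valid}
    if len(devices) < policy.min_distinct_devices:
        findings.append(f"approvals come from {len(devices)} device(s); {policy.min_distinct_devices} required")
    return (not findings, findings)


# Constructed sample policy and transaction (hypothetical values, not from any incident).
POLICY = ApprovalPolicy(
    threshold=3,
    authorized_signers=frozenset({"alice", "bob", "carol", "dave", "erin"}),
    max_amount=1_000_000,
)
TX = {"to": "0xconstructed-recipient", "amount": 250_000, "asset": "ETH", "nonce": 42}
GOOD = payload_digest(TX)
TAMPERED = hashlib.sha256(b"constructed: attacker-substituted calldata").hexdigest()


def scenario_clean():
    """Three distinct signers on three devices, all signing what they reviewed."""
    approvals = [
        Approval("alice", "hw-1", GOOD, GOOD),
        Approval("bob", "hw-2", GOOD, GOOD),
        Approval("carol", "hw-3", GOOD, GOOD),
    ]
    return evaluate(POLICY, TX, approvals)


def scenario_substituted_payload():
    """Bob's device signed a different digest than the one he confirmed out of band."""
    approvals = [
        Approval("alice", "hw-1", GOOD, GOOD),
        Approval("bob", "hw-2", GOOD, TAMPERED),
        Approval("carol", "hw-3", GOOD, GOOD),
    ]
    return evaluate(POLICY, TX, approvals)


def scenario_single_host():
    """A full quorum assembled on one shared workstation."""
    approvals = [Approval(s, "ws-shared", GOOD, GOOD) for s in ("alice", "bob", "carol")]
    return evaluate(POLICY, TX, approvals)


if __name__ == "__main__":
    for name, fn in (("clean", scenario_clean),
                     ("substituted payload", scenario_substituted_payload),
                     ("single host", scenario_single_host)):
        approved, findings = fn()
        print(f"{name}: {'APPROVED' if approved else 'REJECTED'} {findings}")
```

The design choice worth noting is that the check compares three things, not two: the proposed transaction, what each reviewer confirmed, and what each device signed. Comparing only the last two would let a front end that lies consistently to both the display and the signer pass; comparing only the first and last would not surface which reviewer's device diverged.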
Where Pith is reading between the lines
- The proposed control categories could be applied to other Web3 domains such as decentralized finance protocols to test their broader utility.
- Standardizing incident reports around these categories might enable better cross-organization learning over time.
- Early adoption of these controls in new Web3 projects could reduce the frequency of high-impact breaches driven by operational issues.
Load-bearing premise
The three selected high-impact incidents are representative enough of broader Web3 organizational and application-level failures to support general recommendations for new control categories.
What would settle it
A review of additional Web3 incidents that shows all major organizational and application-level failures are already covered by existing Web2 control catalogues would undermine the need for new categories.
Original abstract
The rapid adoption of Web3 infrastructures has led to a growing number of security incidents affecting cryptocurrency exchanges, custody services and blockchain-based platforms. While existing research predominantly focuses on vulnerabilities in smart contracts and blockchain protocols, a substantial portion of real-world losses originates from off-chain systems, organizational processes and human-centered operational workflows. This paper presents a qualitative, incident-based analysis of publicly documented, high-impact security breaches in the Web3 ecosystem, including the Bybit exchange incident (2025), the Ronin Network bridge compromise (2022), and the DMM Bitcoin exchange breach (2024). The selected cases are systematically analysed and mapped to established Web2 security reference frameworks, including OWASP-based vulnerability categories and organizational security control domains. The results indicate that dominant failure patterns in Web3 environments are insufficiently addressed by generic security control catalogues, particularly with respect to cryptographic key management, transaction approval governance, signer and validator infrastructure, third-party tooling dependencies, and human-in-the-loop processes. Based on these findings, this paper argues for the adoption of established information security management systems (ISMS) in Web3 organizations and derives a structured set of blockchain-specific cybersecurity control categories to operationalize existing ISMS frameworks for blockchain-based systems. The proposed categories aim to bridge the gap between generic security governance frameworks and domain-specific risks inherent to Web3 infrastructures.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript presents a qualitative, incident-based analysis of three high-impact public security breaches in the Web3 ecosystem—the Bybit exchange incident (2025), the Ronin Network bridge compromise (2022), and the DMM Bitcoin exchange breach (2024). These cases are systematically mapped to established Web2 reference frameworks including OWASP vulnerability categories and organizational security control domains from information security management systems (ISMS). The analysis identifies gaps in generic controls for cryptographic key management, transaction approval governance, signer/validator infrastructure, third-party tooling dependencies, and human-in-the-loop processes. The paper concludes that dominant Web3 failure patterns are insufficiently addressed by existing catalogues and proposes a structured set of blockchain-specific cybersecurity control categories to operationalize ISMS frameworks for blockchain-based systems.
Significance. If the incident mappings prove robust and the proposed control categories are validated, the work could usefully highlight domain-specific risks in Web3 organizational and application security that generic Web2 frameworks overlook. This has potential to inform the development of tailored ISMS extensions for cryptocurrency exchanges, custody services, and blockchain platforms, contributing to reduced losses from off-chain and human-centered failures. The explicit mapping of real incidents to standard frameworks is a constructive step toward bridging the two domains.
major comments (2)
- [Abstract and §3, Case Selection] The central claim that the three selected incidents demonstrate 'dominant failure patterns' in Web3 rests on an unstated assumption of representativeness. No sampling frame, inclusion/exclusion criteria, or justification for choosing only high-impact public cases (Bybit 2025, Ronin 2022, DMM Bitcoin 2024) is provided; this leaves the inference vulnerable to selection bias toward large-scale key exfiltration and bridge compromises while under-sampling mitigated or lower-visibility failures where existing controls may already suffice.
- [Abstract and §4, Mapping Methodology] The abstract states the cases were 'systematically analysed and mapped' to OWASP and ISMS domains, yet no details are given on inter-rater reliability, validation procedures for the mappings, or how disagreements in categorization were resolved. Without these, the identification of specific gaps in key management, transaction governance, and signer infrastructure cannot be assessed for reproducibility or robustness.
minor comments (2)
- [Discussion] The paper would benefit from an explicit limitations section discussing the scope of the three-case sample and the qualitative nature of the analysis.
- [Results] Figure or table summarizing the mappings of each incident to specific OWASP/ISMS categories would improve clarity and allow readers to trace the gap claims directly.
Simulated Author's Rebuttal
We thank the referee for the thoughtful and constructive comments on our manuscript. We address each of the major comments below, indicating the revisions we plan to make to strengthen the paper.
Point-by-point responses
- Referee: [Abstract and §3] The central claim that the three selected incidents demonstrate 'dominant failure patterns' in Web3 rests on an unstated assumption of representativeness. No sampling frame, inclusion/exclusion criteria, or justification for choosing only high-impact public cases (Bybit 2025, Ronin 2022, DMM Bitcoin 2024) is provided; this leaves the inference vulnerable to selection bias toward large-scale key exfiltration and bridge compromises while under-sampling mitigated or lower-visibility failures where existing controls may already suffice.
  Authors: We agree that the manuscript would benefit from explicit discussion of the case selection process. The three incidents were chosen purposively as high-impact, publicly documented cases that exemplify key organizational and application-level security failures in Web3. We will revise the manuscript to include a new subsection in §3 detailing the selection rationale, inclusion criteria (e.g., incidents involving off-chain or human factors leading to significant losses), and limitations on generalizability to avoid implying statistical representativeness. This clarifies that the analysis aims to identify patterns for framework extension rather than claim dominance across all Web3 incidents. Revision: yes.
- Referee: [Abstract and §4] The abstract states the cases were 'systematically analysed and mapped' to OWASP and ISMS domains, yet no details are given on inter-rater reliability, validation procedures for the mappings, or how disagreements in categorization were resolved. Without these, the identification of specific gaps in key management, transaction governance, and signer infrastructure cannot be assessed for reproducibility or robustness.
  Authors: We appreciate this observation regarding methodological transparency. The analysis involved collaborative review by the authors to map incidents to OWASP vulnerabilities and ISMS domains, with mappings refined through discussion to reach consensus. We will add a paragraph in §4 outlining the mapping methodology, including the use of established category definitions, iterative application to each case, and resolution of any categorization differences via author consensus. While formal inter-rater reliability statistics are not applicable given the qualitative, small-scale nature of the study, this addition will improve reproducibility and allow assessment of the gap identifications. Revision: yes.
Circularity Check
No significant circularity; claims rest on external incident mapping
Full rationale
The paper performs a qualitative mapping of three external public incidents (Bybit 2025, Ronin 2022, DMM Bitcoin 2024) onto OWASP categories and ISMS domains, then identifies gaps in key management, governance, and related areas to motivate blockchain-specific control categories. No equations, fitted parameters, self-definitional loops, or load-bearing self-citations appear in the derivation. The central claim of insufficient coverage by generic catalogues follows directly from the described external mappings rather than reducing to the paper's own inputs by construction. The analysis is therefore self-contained against external benchmarks.
Axiom & Free-Parameter Ledger
axioms (2)
- Domain assumption: publicly documented incidents are sufficient to identify dominant failure patterns across the Web3 ecosystem.
- Domain assumption: OWASP vulnerability categories and organizational security control domains provide an appropriate mapping target for Web3 off-chain failures.
Lean theorems connected to this paper
- IndisputableMonolith/Foundation/RealityFromDistinction.lean, theorem reality_from_one_distinction (tag: unclear)
  Unclear: relation between the paper passage and the cited Recognition theorem.
  Passage: "The results indicate that dominant failure patterns in Web3 environments are insufficiently addressed by generic security control catalogues, particularly with respect to cryptographic key management, transaction approval governance, signer and validator infrastructure..."
- IndisputableMonolith/Cost/FunctionalEquation.lean, theorem washburn_uniqueness_aczel (tag: unclear)
  Unclear: relation between the paper passage and the cited Recognition theorem.
  Passage: "derives a structured set of blockchain-specific cybersecurity control categories"
What do these tags mean?
- matches: The paper's claim is directly supported by a theorem in the formal canon.
- supports: The theorem supports part of the paper's argument, but the paper may add assumptions or extra steps.
- extends: The paper goes beyond the formal theorem; the theorem is a base layer rather than the whole result.
- uses: The paper appears to rely on the theorem as machinery.
- contradicts: The paper's claim conflicts with a theorem or certificate in the canon.
- unclear: Pith found a possible connection, but the passage is too broad, indirect, or ambiguous to say the theorem truly supports the claim.
Reference graph
Works this paper leans on
[1] OWASP Foundation. OWASP Top 10:2021 — the ten most critical web application security risks. https://owasp.org/Top10/2021/, 2021. Accessed: 12 Feb 2026.
[2] International Organization for Standardization (ISO). ISO/IEC 27001:2022 — information security, cybersecurity and privacy protection — requirements. https://www.iso.org/standard/27001, 2022. Accessed: 12 Feb 2026.
[3] National Institute of Standards and Technology (NIST). The NIST cybersecurity framework (CSF) 2.0. Technical Report NIST CSWP 29, 2024. Accessed: 13 Feb 2026.
[4] S. Werner, D. Perez, L. Gudgeon, A. Klages-Mundt, D. Harz, and W. Knottenbelt. SoK: Decentralized finance (DeFi). In Proceedings of the 4th ACM Conference on Advances in Financial Technologies (AFT '22), 2022. doi: 10.1145/3558535.3559780. Accessed: 12 Feb 2026.
[5] N. Li, M. Qi, Z. Xu, X. Zhu, W. Zhou, S. Wen, and Y. Xiang. Blockchain cross-chain bridge security: Challenges, solutions, and future outlook. Distributed Ledger Technologies: Research and Practice, 4(1), 2025. doi: 10.1145/3696429. Accessed: 12 Feb 2026.
[6] N. Belenkov, V. Callens, A. Murashkin, K. Bak, M. Derka, J. Gorzny, and S.-S. Lee. SoK: A review of cross-chain bridge hacks in 2023. arXiv preprint arXiv:2501.03423. https://arxiv.org/abs/2501.03423, 2025. Accessed: 12 Feb 2026.
[7] S. Hägele. Centralized exchanges vs. decentralized exchanges in cryptocurrency markets: A systematic literature review. Electronic Markets, 34(33), 2024. doi: 10.1007/s12525-024-00714-2. Accessed: 13 Feb 2026.
[8] O.S. Meenakshi and S.P. Meenakshi. Cybersecurity crimes in cryptocurrency exchanges (2009–2024) and emerging quantum threats: the largest unified dataset of CEX and DEX incidents. Frontiers in Blockchain, 2025. doi: 10.3389/fbloc.2025.1713637. Accessed: 13 Feb 2026.
[9] M. Froehlich, P. Hulm, and F. Alt. Under pressure: A user-centered threat model for cryptocurrency owners. In Proceedings of the 4th International Conference on Blockchain Technology and Applications (ICBTA 2021), pages 39–50. ACM, 2021. doi: 10.1145/3510487.3510494. Accessed: 13 Feb 2026.
[10] M. Ghosh, R. Halder, and J. Chandra. A systematic review on Ethereum phishing scam detection: Challenges, empirical insights, and future directions. Blockchain: Research and Applications. doi: 10.1016/j.bcra.2025.100424. In press (journal pre-proof). Accessed: 13 Feb 2026.
[11] Federal Bureau of Investigation (FBI) — IC3. Public service announcement: North Korea responsible for $1.5 billion Bybit hack. Alert Number: I-022625-PSA. https://www.ic3.gov/psa/2025/psa250226, February 26 2025. Accessed: 13 Feb 2026.
[12] Chainalysis. 2025 crypto crime mid-year update: Stolen funds surge as DPRK sets new records. Report. https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/, 2025. Accessed: 13 Feb 2026.
[13] Ronin Network (Sky Mavis). Back to building: Ronin security breach postmortem. https://roninchain.com/blog/posts/back-to-building-ronin-security-breach-6513cc78a5edc1001b03c364, 2022. Accessed: 13 Feb 2026.
[14] Federal Bureau of Investigation (FBI). FBI, DC3, and NPA identification of North Korean cyber actors, tracked as TraderTraitor, responsible for theft of $308 million USD from Bitcoin.DMM.com. https://www.fbi.gov/news/press-releases/fbi-dc3-and-npa-identification-of-north-korean-cyber-actors-tracked-as-tradertraitor-responsible-for-theft-of-308-million-...
[15] Bybit. Incident update: Unauthorized activity involving ETH cold wallet. https://announcements.bybit.com/en/article/incident-update-unauthorized-activity-involving-eth-cold-wallet-bltb9baa0c12e06cf5b/, 2025. Accessed: 13 Feb 2026.
[16] U.S. Department of the Treasury. U.S. Treasury issues first-ever sanctions on a virtual currency mixer. https://home.treasury.gov/news/press-releases/jy0768, 2022. Accessed: 13 Feb 2026.
[17] Elliptic. North Korea's Lazarus Group identified as exploiters behind $540 million Ronin bridge theft. https://www.elliptic.co/blog/analysis/north-korea-s-lazarus-group-identified-as-exploiters-behind-540-million-ronin-bridge-theft, 2022. Accessed: 13 Feb 2026.
[18] Wired. After a violent kidnapping, crypto elites hire bodyguards. https://www.wired.com/story/after-a-violent-kidnapping-crypto-elites-hire-bodyguards/, 2025. Accessed: 13 Feb 2026.
[19] Associated Press. Father of cryptocurrency entrepreneur rescued after being kidnapped for ransom in France. NBC News. https://www.nbcnews.com/world/world/father-cryptocurrency-entrepreneur-kidnapped-rcna204718, 2025. Accessed: 13 Feb 2026.
[20] CNN. A crypto investor is charged with kidnapping and torturing a man in an NYC apartment for weeks. https://www.cnn.com/2025/05/25/us/new-york-crypto-investor-kidnapping-charges, 2025. Accessed: 13 Feb 2026.
[21] Chain Horizon GmbH. Blockchain cybersecurity controls. https://chain-horizon.com/de/Produkte/Blockchain-Cybersecurity-Controls/. Accessed: 16 Feb 2026.