In 2023, Web3 infrastructure faced numerous security incidents. According to CertiK, more than 750 attacks were recorded during the year, with total losses exceeding $1.84 billion.
The main attack vectors were private key compromises and phishing, which accounted for a significant portion of the losses. These figures highlight a fundamental vulnerability of Web3: users are forced to trust software systems they cannot independently verify.
Maxim Andreev is a blockchain expert, a mentor and judge at prominent hackathons, and a Technical Product Manager and Software Engineer at Unique Network, a leading infrastructure project building the next generation of NFTs.
He is also the creator of an open-source library that enables end-to-end testing of Web3 wallet behaviour, addressing critical blind spots in infrastructure QA for blockchain applications.
Based on years of hands-on experience, Andreev argues that in Web3, open-source code is no longer an optional luxury; it is a critical component of security. Without it, transparency, trust, and safety in decentralized systems are simply not possible.
HACKREAD: What is the significance of open-source code for the Web3 industry? How does the approach in Web3 differ from, say, AI, where it is actively supported by corporations?
Maxim Andreev: In Web3, transparency isn’t a philosophical ideal; it’s a design requirement. Trust must be established through code, not only reputation. If a protocol handles wallets, identity, or assets, and its core logic is closed, then neither users nor developers can evaluate whether it’s safe, performant, or even aligned with its stated goals.
This contrasts with sectors like AI, where corporations such as Meta, Google, and Microsoft generate value by controlling access to proprietary models and datasets. In Web3, that approach collapses under the weight of its own contradiction: centralizing control over decentralized infrastructure defeats the purpose of building it in the first place.
Meta’s experience with Libra (later Diem) illustrates the point. Despite developing its own smart contract language (Move), the project failed to launch under regulatory pressure. Since then, most tech giants have pivoted to offering peripheral services (cloud hosting, identity management, and analytics) instead of building core protocols.
HACKREAD: How does open-source code contribute to the development of Web3 standards? Can we find examples of “grassroots” Web3 standards that originated from open-source projects?
Maxim Andreev: Most of the key technological standards in the crypto industry began not in boardrooms, but on GitHub. Ethereum’s ERC-20 token standard and Bitcoin’s BIP-32 wallet format weren’t issued top-down. They were developed, discussed, and iterated in the open, proposed by individuals, reviewed by the community, and refined through real-world use.
In some cases, de facto standards emerge through adoption rather than process. Uniswap’s automated market maker (AMM) design, first launched in 2018, became the blueprint for an entire category of decentralized exchanges. Even though it wasn’t ratified through a formal EIP, dozens of major projects, including SushiSwap and PancakeSwap, began as Uniswap forks.
Aave adopted the Business Source License 1.1 for its codebase in April 2024, following a community governance vote in which 55% supported protecting the protocol’s intellectual property from unauthorized forks. According to the license terms, Aave’s code will automatically transition to an MIT license by March 2027 or earlier, depending on community decisions.
This staged approach balances early IP protection with long-term openness once the protocol’s innovations are battle-tested. Not every project can open-source everything immediately, but if it becomes critical infrastructure, its integrity must be verifiable by anyone.
HACKREAD: What’s the difference between commercial, open-source, and community-driven initiatives?
Maxim Andreev: Commercial Web3 teams don’t publish source code out of idealism alone. In many cases, openness is strategic.
First, transparency is essential to gaining user trust, especially for protocols handling money. You can’t expect people to risk their assets on a smart contract they can’t audit. Verification is part of the product.
Second, open-source code accelerates ecosystem growth. Developers can build on top of existing logic, fix issues, or create extensions, reducing redundancy and attracting broader adoption. In early-stage markets, network effects matter more than exclusivity, and openness becomes a force multiplier.
Third, open code is often required for funding. In ecosystems like Polkadot, grants from OpenGov are conditional on publishing work under open licenses. Transparency is not just encouraged, it’s institutionalized.
Finally, many infrastructure-focused teams, particularly those developing tools and libraries, initially lack clear monetization strategies. For these projects, open-sourcing internally maintained code creates mutual value, supports the developer ecosystem and leverages community contributions to enhance the product’s robustness.
HACKREAD: What motivated you to create your own library, and what practical value does it bring to the Web3 community?
Maxim Andreev: Security in Web3 isn’t just about publishing open-source code; it also depends on how well that code is tested in realistic, production-like scenarios. One of the most overlooked risks in the space is the lack of infrastructure for proper end-to-end testing.
I saw teams deploying code to mainnet without actually checking how wallet connections, transaction confirmations, or cross-chain interactions worked. Not because they didn’t care, but because the necessary tools just weren’t available.
Traditional web testing tools weren’t built to handle browser extensions or mobile wallets, which are essential to the crypto user experience. Without native support for wallet interactions, multi-chain setups, and Web3-specific user flows, projects often go live without thoroughly testing the systems that manage real user funds. This creates serious risks in production.
After facing this issue firsthand, I built my own framework to test crypto-specific flows and later open-sourced it.
If we want Web3 security to become standard practice, not just a buzzword, someone has to start building the right tools.
HACKREAD: What is the open-source culture in Web3 still lacking today?
Maxim Andreev: Despite high-profile hacks, security is still treated as an afterthought in many Web3 projects.
One of the core reasons is cultural. The Web3 space inherited Silicon Valley’s “move fast and break things” mindset, and applied it to financial infrastructure. But unlike social media, failure here results in real financial losses, often with no way to recover. Traditional finance has guardrails: regulators, insurance, fraud protection. Web3 has none of that.
Investor pressure to ship quickly and launch tokens often conflicts with what true security demands: time, audits, and peer review. I’ve seen billion-dollar systems essentially run like hackathon prototypes.
What we need is a cultural shift. Security must be integrated before launch. Open-source libraries should go through rigorous peer review. We need proper tools for reproducible testing. And ultimately, we need to value not just speed, but resilience.
HACKREAD: What “grey areas” currently exist in Web3 security? How do UX features in Web3 affect user safety?
Maxim Andreev: The weakest point in most cryptosystems today isn’t the protocol; it’s the user interface. Key management, in particular, remains a serious vulnerability. According to Chainalysis, in 2023 the compromise of private keys accounted for 47.8% of all DeFi losses.
Seed phrases are marketed as “empowering,” but in reality, they place nearly impossible demands on everyday users: secure enough not to lose, and yet accessible enough to recover. Even IT professionals struggle with this. This isn’t just a UX issue, it’s a fundamental flaw in system design.
The solution isn’t more user education; it’s better abstractions. Smart contract wallets that support social recovery, hardware authentication, and spending limits offer a more realistic security model. These innovations, made possible through account abstraction, bring Web3 closer to traditional fintech usability without sacrificing user control.
Another major blind spot is transaction signing. Most users have no idea what they’re actually approving; they see a hash and simply click “approve.” This opens the door to phishing attacks, front-end exploits, and malicious contracts. Interfaces need to evolve: human-readable previews, clear metadata, and permission scopes can help close the gap between user intent and action.
In Web3, open source isn’t just a gesture of goodwill; it’s a security primitive. In a trustless system, visibility is everything.
But visibility alone isn’t enough. To earn trust at scale, protocols need rigorous testing, secure-by-default tools, and user experiences designed to prevent human error. Trust isn’t something you ask for; it’s something you prove, in code, with systems that are clearly built to protect the people who use them.
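The signing blind spot Andreev describes above (users approving a raw hash with no idea what it does) is concrete enough to show in code. The JavaScript below is an added example written for this page; it is not code from the interview, from Unique Network, or from Andreev's testing library. It decodes the calldata of the standard ERC-20/ERC-721 calls (`approve`, `transfer`, `transferFrom`, `setApprovalForAll`, identified by their well-known 4-byte selectors) into a human-readable preview, flags the two permission scopes that matter most (an unlimited token allowance and operator approval over a whole NFT collection), and refuses to pretty-print calldata it cannot decode canonically rather than guessing. The token and spender addresses and the transactions are constructed sample data, not captured from any chain.

```javascript
// Added example: human-readable signing preview for common EVM token calls.
// Not the wallet code of any real project. Only static ABI types are handled.
const MAX_UINT256 = (1n << 256n) - 1n;

// First 4 bytes of keccak256(signature) for the standard ERC-20 / ERC-721 functions.
const KNOWN_SELECTORS = {
  '095ea7b3': { name: 'approve',           params: ['address', 'uint256'] },
  'a9059cbb': { name: 'transfer',          params: ['address', 'uint256'] },
  '23b872dd': { name: 'transferFrom',      params: ['address', 'address', 'uint256'] },
  'a22cb465': { name: 'setApprovalForAll', params: ['address', 'bool'] },
};

// Decode one 32-byte ABI word (64 hex chars). Non-canonical padding is rejected
// rather than truncated, so the preview can never show a different address than
// the one the contract will actually read.
function decodeWord(word, type) {
  switch (type) {
    case 'address':
      if (!/^0{24}/.test(word)) throw new Error('dirty address padding');
      return '0x' + word.slice(24);
    case 'uint256':
      return BigInt('0x' + word);
    case 'bool': {
      const v = BigInt('0x' + word);
      if (v > 1n) throw new Error('non-canonical bool');
      return v === 1n;
    }
    default:
      throw new Error('unsupported type ' + type);
  }
}

// Returns { name, selector, args } for a known call, or name 'unknown'
// (with malformed: true when the bytes do not match the expected layout).
function decodeCalldata(data) {
  const hex = String(data).toLowerCase().replace(/^0x/, '');
  const unknown = (extra) => ({ name: 'unknown', selector: hex.slice(0, 8), args: [], ...extra });
  if (!/^[0-9a-f]*$/.test(hex) || hex.length < 8) return unknown({ malformed: true });
  const abi = KNOWN_SELECTORS[hex.slice(0, 8)];
  if (!abi) return unknown({});
  const body = hex.slice(8);
  // Static types only: the body must be exactly one 32-byte word per parameter.
  if (body.length !== abi.params.length * 64) return unknown({ malformed: true });
  try {
    const args = abi.params.map((t, i) => decodeWord(body.slice(i * 64, i * 64 + 64), t));
    return { name: abi.name, selector: hex.slice(0, 8), args };
  } catch {
    return unknown({ malformed: true });
  }
}

// Turn a transaction { to, data } into the text a wallet should show instead of a hash,
// plus warnings for permission scopes the user should not grant casually.
function preview(tx) {
  const call = decodeCalldata(tx.data);
  const warnings = [];
  let text;
  switch (call.name) {
    case 'approve': {
      const [spender, amount] = call.args;
      text = `Allow ${spender} to spend up to ${amount} units of token ${tx.to}`;
      if (amount === MAX_UINT256) warnings.push('UNLIMITED allowance: the spender can move your entire balance of this token at any time');
      break;
    }
    case 'setApprovalForAll': {
      const [operator, approved] = call.args;
      text = approved
        ? `Allow ${operator} to transfer EVERY NFT you hold in collection ${tx.to}`
        : `Revoke ${operator}'s operator rights over collection ${tx.to}`;
      if (approved) warnings.push('Operator approval covers the whole collection, not a single token');
      break;
    }
    case 'transfer': {
      const [to, amount] = call.args;
      text = `Send ${amount} units of token ${tx.to} to ${to}`;
      break;
    }
    case 'transferFrom': {
      const [from, to, amountOrId] = call.args;
      text = `Move ${amountOrId} (amount or token ID) of ${tx.to} from ${from} to ${to}`;
      break;
    }
    default:
      text = `Call ${call.malformed ? 'malformed' : 'unrecognised'} function 0x${call.selector} on ${tx.to}`;
      warnings.push('Intent cannot be shown; sign only if you independently trust this contract');
  }
  return { call, text, warnings };
}

// Constructed sample transactions (not captured from any real chain).
const pad = (hex) => hex.replace(/^0x/, '').padStart(64, '0');
const SAMPLE_TOKEN = '0x' + '11'.repeat(20);
const SAMPLE_SPENDER = '0x' + '22'.repeat(20);
const SAMPLES = [
  { to: SAMPLE_TOKEN, data: '0x095ea7b3' + pad(SAMPLE_SPENDER) + pad(MAX_UINT256.toString(16)) }, // unlimited approve
  { to: SAMPLE_TOKEN, data: '0xa22cb465' + pad(SAMPLE_SPENDER) + pad('1') },                      // operator approval
  { to: SAMPLE_TOKEN, data: '0x095ea7b3' + pad(SAMPLE_SPENDER) },                                 // truncated calldata
  { to: SAMPLE_TOKEN, data: '0xdeadbeef' + pad('0') },                                            // unknown selector
];

for (const tx of SAMPLES) {
  const { text, warnings } = preview(tx);
  console.log(text);
  for (const w of warnings) console.log('  WARNING: ' + w);
}
```

Two design choices carry the security point. First, the decoder fails closed: truncated calldata, an address word with non-zero padding, or a selector it does not know all fall through to an explicit "cannot show intent" warning instead of a best-effort rendering, because a preview that is confidently wrong is worse than none. Second, the preview names the scope of what is being granted (the whole balance, the whole collection) rather than just the function name, which is the difference between "approve" and understanding what "approve" lets the counterparty do. A production wallet would additionally need dynamic ABI types, EIP-712 typed-data rendering, and a source of contract and token metadata, none of which this example covers.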
(Image by Gerd Altmann from Pixabay)