“Why do these things keep happening?” I asked myself, staring blankly at the news headline.
It was a hot sunny afternoon, and Cointelegraph had just reported the hacking of
Two days earlier, Curve’s liquidity pool platform, Conic Finance, was reportedly hacked for $3.2 million in ETH.
The recurring attacks on crypto exchanges and service providers are a major challenge for the crypto industry. However, cybersecurity experts understand why they occur and how they can be addressed.
First of all, thank you for taking the time to speak with me. I am a born and bred New Yorker who spent more than a decade working in traditional banking covering FX, eFX, and transactional banking for both individuals and institutional clients.
After noticing continuous inefficiencies in transactional processing and KYC, I immersed myself in better understanding the blockchain space to figure out a way to solve issues my clients frequently experienced.
In that research, I realized that there are a number of projects that would help with the inefficiencies I encountered in traditional banking, but the downside is that many of these projects were vulnerable to hacks, making them less appealing to potential clients.
I realized that focusing on cybersecurity would help these projects build trust with the public, and open the door for a wider variety of end users to take advantage of blockchain efficiencies.
I have always been a bit of a tech geek wanting to stay up to date with the newest gadgets and software. I dabbled a bit in cryptocurrencies out of curiosity and even created an NFT gallery in Decentraland. The more time I spent on these hobbies, the more opportunities I started to see what blockchain could accomplish.
Not only could blockchain solve some of the ongoing issues with transactional processing and KYC I saw daily in the corporate banking world, but there was a slew of other use cases for blockchain that spanned industries far beyond banking.
When I tried to explain these benefits to many of my colleagues, their responses were that it wasn’t secure enough to be a viable alternative, which got me looking more deeply into the cybersecurity side of the blockchain world.
It was clear to me that in order to unlock blockchain opportunities, there was a lot of work to be done to secure these projects and to influence public opinion, which led me to opportunities in the Web3 cybersecurity space.
There are so many contributing factors leading to these high dollar vulnerabilities. Some of it comes down to the fact that blockchain is still evolving.
As the space has built various chains and projects, we’re obviously thinking about functionality and safety, and as we’ve stress-tested those systems, some of their vulnerabilities have become more apparent.
Any time the space builds a new chain or functionality, we open the door to new hacking opportunities, so the proliferation of blockchains widens the vectors for attack, and that requires more attention paid to testing and auditing before going live. We’ll continue to see this as we incorporate other emerging technologies as well.
On the other hand, if you look at the Web2 space, it’s not as though that space is “hack free” either, although more time has been spent on identifying potential risks and solutions to mitigate them.
Many of the vulnerabilities we see on the Web2 side also carry over to Web3. We spend a lot of time on education because people are often the biggest opportunity for vulnerability.
Obviously, we hear a lot about bad actors in blockchain, but there are plenty of people in the space who are inadvertently jeopardizing projects by doing simple things like clicking a link in an unverified email or leaving their laptops unattended.
At the end of the day, we can’t be naive about all the ways our security can potentially fail, and we need to hold projects accountable for being more proactive about their security strategies.
As I spent time talking to a huge variety of project founders in the space, two things became clear to me.
The first is that security is not one size fits all and different projects had different needs when it came to cybersecurity.
The second was that we were on the precipice of a number of new technologies, such as AI, machine learning, and quantum computing, being leveraged in the space that would increase the sophistication of cybersecurity attacks.
For the industry to be prepared to meet these threats, we needed to be immersed in these technologies and we needed to have the flexibility to provide the right security mix to each client.
This realization led me to form a team of seven all-star engineers and executives to start Resonance Security, with a focus on delivering a true cybersecurity concierge experience that covers best-in-class engagements with a cybersecurity dashboard made up of dozens of curated products and services.
The landscape in the industry is constantly changing, and it’s hard, even for the most informed people in the space, to stay up to date on all the options available to secure a project.
We realized what was missing in the cybersecurity space was a digital shepherd, someone who has insider knowledge and can ensure projects are picking the best services and products for their specific needs, and even better, provide it all in one place.
Our key objective is to make it effortless for projects to implement the appropriate cybersecurity measures for their organization. We take a personalized, holistic look at a project’s needs, identify their cybersecurity priorities, and provide them with a security roadmap.
We have partnered with dozens of cybersecurity products spanning AI, forensics, social engineering, fuzzing tools, hardware, bug bounty programs, and more to ensure a strong security posture.
If we don’t offer the cybersecurity product you are looking for, we will act as a concierge and interview products to find the right match for you. We want to be a top-tier service provider but also the add-on to any audit no matter where you’re getting your audit or what stage you’re at.
There are many best practices, and it depends on the scope, audience, chain, and various other factors, but some tried and true things to consider as an individual are to do your own research first.
Understand the history of projects before you invest, always use 2FA, be aware of social engineering attacks, and generally just seek to know when it comes to cybersecurity and emerging tech.
For developers, ongoing awareness of the different types of security vulnerabilities in Web3 apps and how they tie into Web2 components, including web apps, cloud, and CI/CD, is very important.
The space is constantly changing, so this is a constant activity for our engineers, and if you’re developing in the space, you should make it your job to stay up to date. Following the best secure coding practices for the specific language you are working with, you should also have extensive knowledge of the blockchains you are deploying the system on.
There are so many more!! I can go on forever.
Keep in mind that while these are some best practices, we believe that cybersecurity needs to be customized based on a variety of factors. We always suggest conducting multiple audits with different security companies as well as implementing a suite of tools for ongoing security.
Organizations must educate their audiences regarding cybersecurity threats from all fronts; this not only includes auditing the technical stack, but also training staff members and users.
Security awareness and education should be a continuous narrative in every ecosystem, and even that is just a small piece of security that should resonate.
One of the biggest challenges I think we see in cybersecurity currently is not taking the topic of end-to-end cybersecurity seriously enough. There are a lot of check-box security reviews happening rather than truly taking an end-to-end look at how projects can be secure on all fronts.
Smart contract audits are great, and I’m going to be the first one to tell you that you need more than one, but there are other aspects to security like front-end, back-end, and employee attack vectors that can destroy an organization.
That’s why Resonance not only offers audits, pen tests, and education but our cybersecurity product dashboard as an add-on to any audit that can ensure you have the bespoke security you need.
The other looming challenge is the impact of emerging tech and how we’ll need to respond to meet the new threats that arise from those technologies.
My feeling is the best way to stay ahead of threats is to get immersed in the technologies. Understanding how they can be used and leveraging them to build our own tools is the best way for us to be prepared to meet this threat.
One of the things I love the most about my job is the ability to talk to a wide variety of cybersecurity projects and products spanning every use case you can possibly imagine. It’s incredible to see the innovation happening in the space and seeing how invested people are in creating novel solutions to problems that have long existed.
I’m always excited to get on a call with a new client and learn about what they’re doing.
I am also incredibly lucky to have an amazing team at Resonance. I’m impressed daily by our engineers; not only are they auditors, but they are researchers, teachers, and innovators.
Their insights help us to develop high-quality in-house tools, integrate emerging technologies into our audits and product offerings, and stay on top of trends in the space.
So many of a project’s cybersecurity needs will be unique to that individual project, so there is no one-size-fits-all answer to this question. That being said, there are a variety of ways to help secure your project.
Audits can be found at a variety of price points, and although all audits are not equal, having someone look at your code who was not part of its creation will help projects identify issues that may have been overlooked.
We’re also at a place now where there are so many high-quality tools and products in the market that can help identify threats outside of an audit. Some of the products we work with currently cost less than your monthly coffee habit, and others are free for the basic functionality.
Despite the fact that there are some lower-cost options in the space, I think it’s important for projects to start to understand what their specific security needs will be early on in their building process and make sure to budget accordingly for the security needed.
This is not the place to cheap out because if you run into a problem down the road, it will cost ten times more to fix, and the reputational damage may not be fixable.
We are at the stone age of the emerging technology era, and we've just discovered fire. It's important that we all be cognizant that everything will need to be tested, fine-tuned, and eventually converged to create a stronger whole.
The best way for the community to learn and adapt quickly is for us to foster collaboration throughout the industry so we stay ahead of future threats and optimize the innovation from these new technologies.