Is Crypto (In)Secure?

Crypto promised to be secure and immutable, so why Is hacking commonplace?

As most know by now, crypto is short for cryptography, so it must already be secure, right?

But the fact is that thefts are a routine occurrence as a result of hacks and attacks. Cyberattackers made off with $2 billion worth of crypto in 2023, and not mincing any words, “Why is Web3 Such a Cybersecurity Disaster?” was a discussion topic at the TechCrunch Disrupt event in September.

Yet crypto’s proponents still point to the fact that platforms like Bitcoin and Ethereum are secure against attackers and use phrases like “not your keys, not your crypto” to espouse the view that self-custody is the best protection against theft or censorship.

While the numbers tell a clear story, crypto’s supporters aren’t simply being disingenuous when they talk about the security of blockchain. The networks that operate Bitcoin and Ethereum have always proven to be resilient against attacks. But due to the immaturity of the industry and a lack of rigor in cybersecurity operations, the applications built on and for these networks frequently prove to be far more vulnerable than the underlying infrastructure. In the absence of universal standards or regulations, the industry needs to find the will to raise the bar.

The Changing Landscape of Blockchain Attacks

In a blockchain network, the first security defense is its encryption. Transactions are encrypted, decentralized, and stored in blocks that are linked cryptographically, creating an immutable chain. So far, no one has managed to interrupt the biggest chains by inserting fake transactions.

Users can only authorize a transaction by entering their unique private key. However, since users are fallible humans, for many years, the first line of attack for hackers was discovering private keys through methods such as phishing and malware. Cyberattackers always target the biggest rewards for the least risk or effort, and so key-holding employees at centralized exchanges became the earliest targets.

From 2017 onwards, Ethereum became a hub of activity for smart contracts and decentralized applications, allowing anyone to create code that governs cryptocurrency or programmable money. The explosion of innovation created many use cases for cryptocurrencies that the world began to see in 2021 in what became known as ‘DeFi’ applications. This on-chain liquidity created a new bull run and began to flow through DeFi protocols and bridges that connect otherwise unconnected blockchain ecosystems.

Unfortunately, since every one of these protocols is based on code, which is also written by fallible humans, this innovation opened up a whole new set of attack vectors for hackers. According to Chainalysis data, the percentage of all cryptocurrency stolen using DeFi protocols rose from 30% in 2020 to 97% in the first quarter of 2022.

By the second quarter of the same year, Chainalysis announced that cross-chain bridges had become the biggest security risk facing the industry. The amounts involved in bridge and DeFi exploits can be eye-wateringly high – $600 million stolen in the 2022 DPRK hack of the Ronin bridge. Even in the down markets of 2023, a single attack can result in losses of up to $200 million, as users of Mixin Network found out.

So who’s to blame?

What makes this segment such a honeypot for hackers? While the risk-reward ratio is similar to centralized exchanges, DeFi also offers the allure of pseudonymity and permissionless access, with proceeds available immediately for a liquid exit.

Furthermore, the decentralized environment means that users are often flying blind, navigating a poor user experience where glitches are commonplace and there is no recourse for clicking the wrong button in error.

However, a far more significant problem is the relative lack of maturity in the sector when it comes to cybersecurity. When coding Turing-complete languages such as Solidity, it’s still very easy to program in bugs, or it may be possible that the code allows for unanticipated outcomes that can be exploited by attackers.

Although things have improved somewhat over recent years, there are still no best practices when it comes to protocol security and audits to identify and eliminate these issues. Many DeFi projects now engage third-party code auditors in an attempt to root out bugs and security issues, and some also operate bug bounties to encourage indie developers and white-hat hackers to support their efforts to maintain clean code.

The lack of uniform standards and the complexity of technology means the average person can't be sure how effective a security audit really is. Plus, not all audits are equally reliable. The best auditors often have long waitlists, leading to newer auditors filling in the gap. This can be risky because protocols might end up with a low-quality audit and not realize it until a hacker finds a weakness. For those handling large amounts of user funds, getting a top-notch audit is crucial but often not feasible due to these challenges.

Raising the Bar

While industry-wide teething problems explain the issues to a certain extent, it’s impossible to ignore the elephant in the room – an overall lack of rigor that’s applied to Web3 protocols compared to their Web2 counterparts. Robust cybersecurity operations almost always incorporate an element of monitoring, where suspicious activity can be flagged, investigated, and, in many cases, averted via automated incident response before a hack occurs. Projects like Forta, Tenderly, and Hypernative have all sprung up to fill this gap in the market. However, the tools that have been developed for centralized systems are generally unfit for purpose in a decentralized environment. After all, intrusion detection has little use where access is permissionless by design.

But things are changing. The publicly available nature of blockchain data combined with the power of machine learning means that it is possible to monitor and detect threats on blockchain-based protocols in real time. By harnessing a decentralized network of bots, each dedicated to monitoring either generic threats or protocol-specific activity, it’s possible to garner a tremendous amount of threat intelligence data, which can then be consumed by users or developers. In most cases, it would be possible to shut down operations and stave off a threat before it becomes an incident.

The availability of Web3 monitoring tools and their efficacy in detecting attacks in advance before any funds get stolen are now sufficiently developed such that they can and should become an industry standard. Furthermore, this should be prioritized as one of the most significant leaps forward in cybersecurity that the industry can make in the coming years. Although hackers will invariably find the next vulnerability, cutting the current lines of attack off from the source will make DeFi a significantly safer place for its beleaguered users.