Developers need to stop crypto hackers — or face regulation in 2023

Published at: Nov. 3, 2022

Third-party data breaches have exploded. The problem? Companies, including cryptocurrency exchanges, don’t know how to protect against them. When exchanges sign new vendors, most just innately expect that their vendors employ the same level of scrutiny as they do. Others don’t consider it at all. In today’s age, it isn’t just a good practice to test for vulnerabilities down the supply chain — it is absolutely necessary.

Many exchanges are backed by international financiers and those new to financial technologies. Many are even new to technology altogether, instead backed by venture capitalists looking to get their feet wet in a burgeoning industry. In and of itself, that isn’t necessarily a problem. However, firms that haven’t grown up in the fintech arena often don’t fully grasp the extent of the security risks inherently involved in being a custodian of hundreds of millions of dollars in digital assets.

We’ve seen what happens in the face of inadequate security, which goes beyond vendor management and stretches into cross-chain bridges. Just in October, Binance faced a bridge hack worth nine figures. Then there’s also the Wormhole bridge hack, another nine-figure breach. The Ronin bridge hack resulted in the loss of well over a half billion dollars in assets.

In fact, a new report indicates that over a two-year period, more than $2.5 billion in assets was stolen thanks to cross-chain bridge hacks, dwarfing the losses associated with breaches related to decentralized finance lending and decentralized exchanges combined.

Third-party breaches aren’t just a problem for the crypto industry, though, and they certainly aren’t confined to small players. Earlier this year, the New York City school system had a breach involving a third-party vendor that affected more than 800,000 people. Third-party breaches are the new frontier for bad actors.

Related: Government crackdowns are coming unless crypto starts self-policing

This is especially true as nation-states rely more and more on hackers as a matter of foreign policy. In particular, groups out of North Korea and Russia are looking for honey pots from which they can siphon off assets. This makes the cryptocurrency industry a prime target.

The only way to stem these issues before they take down the industry is to realign how it perceives third-party security initiatives. Third parties need complete and thorough vetting before they’re allowed access to institutional data of any kind. Once they are allowed access, it is critical to limit their reach to only the data that is absolutely necessary and revoke those permissions when no longer required, as would have been beneficial to those involved in the Ronin breach. Beyond that, it is critical to review the privacy practices of each vendor.

Like with bridges, the risk of third-party vendors is in the connection with the institution’s system. Most cross-chain bridges are breached after bugs are introduced into the code or when keys are leaked. These bridge attacks can be mitigated and, in many cases, prevented. Whether the breaches result from false deposits or validator issues, human error is often a problem. After hacks make the headlines, investigations show that these errors in code could’ve been fixed with foresight.

In particular, which steps could have had an effect on the cross-bridge hacks, like Binance, that we’ve recently seen? Bridge code needs to be regularly audited and tested before and after its release. One of the most effective ways to do this is to employ bug bounties. Smart contract addresses need constant monitoring, as do false deposits. There should be a security team in place, one that utilizes artificial intelligence to flag potential risks, to oversee these risk management endeavors.

With more thought put into security on the front end, there would be fewer bad headlines. It is far less expensive to hire white hat hackers to find exploits before bad actors do than it is to wait for the bad actors to find them themselves.

Related: The feds are coming for the metaverse, from Axie Infinity to Bored Apes

Historically, the industry has had its fair share of bad headlines. It has even had its fair share of nine-figure hacks. This year, it seems they’ve become an almost accepted part of the digital assets industry. However, as politics become increasingly intertwined with cryptocurrency regulation, never before has there been a greater threat. As hackers with nation-state backing take greater advantage of these third-party connections, they will come under greater scrutiny. There is no doubt about that. It is only a question of when.

That question will likely be answered as soon as the United States Congress finalizes new legislation on the matter. It makes sense that regulation would be the logical next step — unless the industry acts with great haste.

Richard Gardner is the CEO of Modulus, which builds technology for institutions including NASA, Nasdaq, Goldman Sachs, Merrill Lynch, JPMorgan Chase, Bank of America, Barclays, Siemens, Shell, Microsoft, Cornell University and the University of Chicago.

This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Tags
Bitcoin Regulation
Cryptocurrencies
Defi
Law
Hacks
Hackers
Cybersecurity
Security
Usa
Related Posts
Poly Network hacker returns less than 1% of the $600M theft
These transfers have occurred across the three wallets associated with the Poly Network hacker across the Ethereum, Binance Smart Chain (BSC) and Polygon networks. Poly Network confirmed receipt of the returned funds via a tweet issued on Tuesday. Details from Etherscan show that $2 million worth of Shiba Inu (SHIB) and $616,000 in Fei USD (FEI) tokens are being returned. So far, we have received a total value of $4,772,297.675 assets returned by the hacker. ETH address: $2,654,946.051 BSC address: $1,107,870.815 Polygon address: $1,009,480.809 pic.twitter.com/bPFAQk4mvS — Poly Network (@PolyNetwork2) August 11, 2021 Data from BscScan also shows the hacker returning …
Ethereum / Aug. 11, 2021
DeFi hacks and exploits total $285M since 2019, Messari reports
Decentralized finan’s rising popularity since 2019 has seen the emerging market segment become a target for hackers and opportunistic profiteers. According to a report by crypto research company Messari, DeFi protocols have lost about $284.9 million to hacks and other exploit attacks since 2019. This figure is about 0.65% of the adjusted total value locked of the Ethereum-based DeFi market, according to data from DappRadar. In February Messari calculated that over $284 million in DeFi was lost to hacks since 2019 At this point in time, the decentralized insurance industry only covers a fraction of TVL in DeFi. The need …
Blockchain / April 29, 2021
Uranium Finance developer suspected of ‘leaking’ information leading to $50M exploit
The $50 million exploit of Uranium Finance, a decentralized finance protocol on Binance Smart Chain, may have been an inside job, according to a member of the project’s development team. The theory was put forward in Uranium Finance’s Telegram channel by a user named “Baymax,” who appears to be listed as an administrator. In a pinned post, Baymax explained that the security flaw leading to the exploit happened just two hours before version 2 of the protocol was launched. The suspicious timing of the exploit narrows down the list of potential perpetrators significantly. Baymax explained: “There are a total of …
Blockchain / April 28, 2021
DeFi attacks are on the rise — Will the industry be able to stem the tide?
The decentralized finance (DeFi) industry has lost over a billion dollars to hackers in the past couple of months, and the situation seems to be spiraling out of control. According to the latest statistics, approximately $1.6 billion in cryptocurrencies was stolen from DeFi platforms in the first quarter of 2022. Furthermore, over 90% of all pilfered crypto is from hacked DeFi protocols. These figures highlight a dire situation that is likely to persist over the long term if ignored. Why hackers prefer DeFi platforms In recent years, hackers have ramped up operations targeting DeFi systems. One primary reason as to …
Adoption / May 14, 2022
Crypto hacks are set to hit all-time highs in 2022, analyst explains
Reducing the amount of hacking by improving cybersecurity should be considered a top priority for the crypto industry, said Kim Grauer, director of research of blockchain intelligence firm Chainalysis. As pointed out by the firm, this year could outpace 2021 in terms of crypto stolen through hacks. The vast majority of these exploits have been targeting the field of decentralized finance. “This can't go on in the industry because people are going to lose faith in investing in DeFi platforms”, Grauer said in an interview with Cointelegraph. Unlike centralized exchanges, which have improved their resiliency to crypto hacks, decentralized protocols …
Blockchain / Oct. 19, 2022