Web3 adoption seem inevitable, but so does the increase in security issues and hacks. What are the main factors causing this? The high rate of innovation in the crypto world and the frequent software upgrades of the multi-chain world look like they will inevitably introduce more vulnerabilities. We need to have real-time monitoring infrastructure in place to prevent and quickly react to exploits.
“Effective monitoring infrastructure in the hands of the community acts as a powerful deterrent to bad actors,” Nikos Andrikogiannopoulos, CEO of Metrika, told The Armchair Trader recently. “Similar to fire and weather alerts, which get communities mobilized, evacuate threatened areas, and activate volunteer rescue teams, blockchain communities need processes and tools to deal with emergency situations.”
Disruptive technologies are volatile and, with that, bring significant risk and great rewards. Most of the developers in the blockchain space are learning on the fly, as they come from conventional technology stacks and are retrofitting their skills. Education will become a driving force for better and more secure programming.
DeFi needs good stewardship
“We all must remember that technology is not born but instead, developed,” explained Daniel Keller, Co-Founder of Flux. “As adoption grows, you will see a robust push from leadership driven by the institutional demands for their client base. Defi needs to feel like legacy finance but function like a decentralized network, and for this to happen, we need to be good stewards of speed and security best practices.”
Andrew Morfill, Chief Information Security Officer at Komainu, thinks that as the industry matures, we will continue to see hacks.
“Early indications with Nomad was that it was driven by opportunistic “looters” but cross-chain bridges have been targeted by nation-state threat actors in the past with meticulous planning and precise execution,” he says. “The drivers are different, but the outcomes, inevitably, are the same…loss of assets.”
The Nomad hack is yet another crosschain vulnerability. We’ve seen quite few this past year. But investors will want to know what causes these, and why do they happen? This is also a concern for regulators and institutional investors as they contemplate greater participation by institutional players in the cryptocurrency space.
Cross-chain bridges are complicated. Frequent software upgrades of the supported protocols and the bridge protocol itself can introduce bugs and enable exploits. In the case of Nomad, a bug in the software update allowed a type of transaction that normally should be allowed to only the owners of the funds. This bug allowed anyone who wanted to copy-paste the type of transaction, to change the recipient’s address, and drain the funds.
Blockchain was created to do one thing, allow movement without a trusted third party. Most of the current decentralized fiance (Defi) models use a hybrid of centralized and decentralized technology, so there is an increased risk of exploits and malicious third-party actors.
“Interchain operability will continue to grow at profound levels with a focus on security and decentralization; however, attention needs to be given to security and not only speed of development as we push Defi products to the masses.” said Keller at Flux.
Put simply, having reviewed the smart contract, it appears that deficiencies resulted in any transaction received being processed.
How can the industry be better prepared?
Most decentralized finance makeup is refugees from conventional finance, focusing on building a legacy-based system on Defi. When these leaders, developers, and teams focus on iteration, they look at the mechanics and development for speed and quick access; security tends to be an afterthought.
“Perhaps not a popular opinion, developers need to get away from programming frameworks like Solidity and more toward secure ones like PACT on the Kadena network,” said Keller. “The issues around Ethereum and these breaches should showcase the need for deeper development into the security of smart contracts with safer deployments on products like Flux and Zelcore.”
This is not a new phenomenon, security issues relating to cross-chain bridges have been responsible for some of the biggest dollar value hacks in crypto this year. In terms of prevention, an industry set of standard smart contract templates that are known to be secure, smart contract auditing and secure software development lifecycles would be steps in the right direction.
“We need real-time analytics and monitoring along with more rigorous testing and higher software quality standards at the source, as per the shift-left principles,” said Andrikogiannopoulos. “A lot of the analytics we see in exploits today are forensics and fraud detection after the exploit happens. We need analytics and real-time monitoring for anomalies before anomalies happen. A lot of these exploits start with small experiments, often in TestNet, and later get fully deployed on MainNet. Real-time detection can raise alerts on suspicious activity before these exploits get “into production””.
For example, in the case of Nomad, imagine seeing a transaction with a zero hash being executed after the software upgrade which had never been seen before. This would raise an alert. In addition, after an exploit goes live, alerting the entire community in real-time and quickly notifying all members would allow for a quick community response, i.e., freezing of the exploited funds, coordinating with validators to pause network activity while a release of a software patch is being prepared.
This type of operational governance as a response to emergency crises is more ad hoc today and relies on the goodwill of the community and heroic actions of the protocol team and individuals who step up. There needs to be more tooling and infrastructure in this direction to empower the entire community with a standardized response to emergency situations.
Is the end-user or the protocol ultimately responsible?
The protocol is responsible for identifying exploits and doing the necessary audits, procedures, stopgaps, and code protection. Time and time again, we have seen that multiple audits are still not enough to promise hacking-proof protocols, mostly because more of this code is iterative and being developed for the first time.
Retail investors are responsible for taking these risks in consideration before using any conventional or Defi-based product. It is still the wild west out there – high yields do not come without the associated risk involved, and you are the only one who can personally understand your risk assessment. Although sad, hearing stories about people losing their life savings should just not happen, and a deeper level of education is needed to allow Defi to truly flourish.
Ultimately the protocols that are proven to be secure will have credibility over those that suffer these types of incidents but retail investors need to do their research and understand the risks, promises of high %APY yields or unusual airdrops are not uncommon but the wrong picks may result in investors losing their investments (if it seems too good to be true, it probably is).
The protocol teams are ultimately responsible for the security associated with the software releases of their protocol. Protocol teams often hire several external software security auditing firms and also put bounties in place to ensure that any vulnerabilities get discovered before the release.
Cryptocurrency markets are not regulated like futures markets
Despite best practices in software development and release cycles, it’s unclear where the financial responsibility around exploits lies. Unlike banks where deposits are secured up to $250K by the Federal Deposit Insurance, crypto is not regulated at the same depth; regulation in those areas is actively developed by CFTC and SEC.
Until the crypto space reaches this maturity level, the ultimate financial responsibility lies with consumers who have chosen to make early investments in the nascent crypto world. More awareness around the crypto-related risks would be of great benefit to the crypto investment community.
“Also, interchain operability is the holy grail of blockchain technology, not only for DeFi but other conventional tech sectors such as EMR, supply chain, physical assets, and more,” said Keller. “Understanding we are very early in the adoption cycle allows us to be innovators and disrupters, but with innovation comes inherent risks. The pain points now will yield a more robust infrastructure for the delivery framework of blockchain to many users.”
Adds Komainu’s Morfill: “As the market matures, securely developed and updated protocols with real utility will provide the credibility and security assurance investors are looking for.”
