A flurry of multi-million dollar hacks is creating booming business for blockchain security experts
Written by Tonya Riley
Even as cryptocurrency markets face economic turbulence, there is one segment of blockchain-based industries where business is booming: blockchain security.
A boutique industry of audit firms formed in recent years to handle the new technology now boasts wait times of up to a year to start working with clients and a growing list of vacancies they cannot fill quickly enough.
And investors are flocking to get a piece of the action, too, pumping millions of dollars into firms that promise to help protect an increasingly fragile cryptocurrency ecosystem.
From the outside, the race for security seems like an extended course correction for an industry now plagued by near-weekly multimillion-dollar hacks. However, security experts in the industry do not necessarily see the boom in business as an unmitigated victory for the industry, they tell CyberScoop. Instead, they say it points to a much deeper challenge for the industry: cultivating the kind of security talent needed to keep a growing financial industry under the constant threat of hacks safe.
“It’s not good that there is a reliance on terminal consultants for the core skills required to build blockchain software,” said Dan Guido, founder of security firm Trail of Bits.
Crypto companies hire Trail of Bits to independently audit their code for vulnerabilities, a process that Guido emphasizes provides some reassurance to the company, but does not amount to the same level of security as full or ongoing security reviews.
While experts like Guido certainly recommend that companies have other security processes baked into their development and review processes, external audits have become a crutch for an industry hobbled by a lack of blockchain security experts.
“It is not good that there is a reliance on terminal consultants for the core skills required to build blockchain software.”
Dan Guido, founder of Trail of Bits.
“You have a talent shortage in cybersecurity in general,” said David Schwed, CEO of blockchain security firm Halborn. “And a subsection of that is this new and emerging technology where it requires a different kind of thinking than traditional cybersecurity experts.”
Blockchain projects present different challenges for security professionals. First and foremost, many are written in newer and less common coding languages such as Solidity, which limits the pool of individuals who can revise the code. Unlike many other systems, which are designed to be closed in an attempt to prevent attacks, the blockchain is public, meaning hackers have an open book for vulnerabilities.
The bigger barrier to finding the right talent isn’t so much teaching people about blockchain as it is finding someone with the right mindset, says Schwed.
“I wouldn’t say it’s a different level of paranoia, but it’s really what’s required in this field,” Schwed said. “A transaction is immutable. It’s gone. That’s the important part they need to understand.” Given the nature of some attacks, security experts also need to understand how the technology works from the business side, he says.
Major cryptocurrency companies use a similar approach to finding talent. Nick Percoco, chief security officer at digital asset exchange Kraken, says he looks for candidates who have both a strong security background and a practical interest in blockchain.
Percoco notes that while Kraken uses external audits for legal reasons, having an internal security team allows it to continuously test Kraken’s products for potential vulnerabilities. It also helps develop a company-wide security culture, which is especially important as criminals and state hackers increasingly go after employees of digital currency firms.
“It’s more than the systems, it’s more than the policies, it’s more than the software — it’s essentially a mindset that everyone in the company is bought into,” Percoco said.
Both Schwed and Percoco pointed to bug bounty programs, where independent security researchers report vulnerabilities for a reward, as another key avenue for finding new talent. Large firms such as NFT platform OpenSea and Solana organize their own hack-a-thons as a supplement to traditional audits.
While the industry waits for universities and traditional training programs to catch up with the needs of the blockchain industry, some security experts have taken a hands-on approach to nurturing new talent.
“It’s the tragedy of the commons that happens with education and talent,” says Rajeev Gopalakrishna, a researcher who founded Secureum, an online learning community and boot camp for security professionals interested in blockchain security. “Everyone wants to hire talent. But who will train them or build the content?”
Since 2021, hundreds of individuals have used Secureum’s online training program. Gopalakrishna says he knows of about 20 students who have gone on to full-time work with auditing firms, although many have taken the skills to do more hobby work such as bug bounty programs. Trail of Bits also offers an apprenticeship program for security professionals interested in blockchain.
Human intervention is not the only answer. Experts also pointed to advances in automated tools that can help developers with more basic security features. But such tools will never be a complete substitute for human expertise, says Guido. His firm found in a study that automated tools only caught about 50 percent of vulnerabilities in blockchain projects.
Of course, addressing the blockchain security knowledge gap will only help the security of the industry to the extent that the growing number of crypto startups benefit from it. The rapid development cycle of blockchain projects and the boom and bust nature of the industry means that there will still be developers who fail to prioritize security from the start.
“The overall security position of the space increased and then that bull market happens and it really falls back to what it was four years ago,” said Mehdi Zerouali, co-founder of security firm Sigma Prime. “And I think it’s just a matter of having as many more people join this room, who potentially need to go through the same mistakes and realize the importance of safety.”
Those errors are increasing. By one estimate, blockchain projects have lost more than $600 million in cryptocurrency from hacks in the second quarter of 2022 alone. And some of the biggest losses in 2022, including the record $600 million hack of Axie Infinity, were the result of traditional cyberattacks, not the exploitation of web3 technology. More recently, sustained attacks by North Korean hackers against cryptocurrency firms have rattled the industry and raised the concerns of the US national security community.
– This has increased efforts. It has made the consequences of even minor mistakes much more serious,” said Guido. “And I just don’t think many companies are prepared to operate in such an environment where they have a dedicated focus group of attackers who will stop at nothing until they achieve success.”
These risks will continue to grow as blockchain technology evolves and becomes more complex.
“The average DeFi [decentralized finances] project we would look at two years ago has nothing to do with the average DeFi project that we would have now,” Zerouali said. “With innovation comes the question ‘How do you do it safely?’ It can be extremely difficult. So the further we go, the more complexity we will face, and the greater risk we will have to deal with.”
