Developers must stop cryptohackers – or face regulation in 2023
Third-party data breaches have exploded. The problem? Businesses, including cryptocurrency exchanges, do not know how to protect themselves against them. When exchanges sign new vendors, most innately expect their vendors to apply the same level of scrutiny that they do. Others do not consider it at all. In today’s age, testing for vulnerabilities down the supply chain isn’t just good practice – it’s absolutely necessary.
Many exchanges are supported by international financiers and those new to fintech. Many are even completely new to technology, instead backed by venture capitalists looking to get a foothold in a burgeoning industry. In and of itself, it is not necessarily a problem. However, firms that have not grown up in the fintech arena often do not fully understand the extent of the security risks associated with being a custodian of hundreds of millions of dollars in digital assets.
We’ve seen what happens in the face of inadequate security, which goes beyond supplier management and extends into cross-chain bridges. In October alone, Binance faced a bridge hack worth nine figures. Then there’s also the Wormhole bridge hack, another nine-figure breach. The Ronin bridge hack resulted in the loss of well over half a billion dollars in assets.
In fact, a new report indicates that over a two-year period, more than $2.5 billion in assets were stolen thanks to cross-chain bridge hacks, dwarfing the losses associated with breaches related to decentralized finance lending and decentralized exchanges combined.
However, third-party breaches are not just a problem for the crypto industry, and they are certainly not limited to small players. Earlier this year, the New York City school system had a breach involving a third-party vendor that affected more than 800,000 people. Third-party breaches are the new frontier for bad actors.
This is especially true as nation states rely more and more on hackers as a matter of foreign policy. Groups from North Korea and Russia in particular are looking for honeypots from which to siphon assets. This makes the cryptocurrency industry a prime target.
The only way to stop these problems before they take down the industry is to adjust how it perceives third-party security initiatives. Third parties need full and thorough investigation before accessing institutional data of any kind. Once accessed, it is critical to limit access to only the data that is absolutely necessary and revoke those permissions when they are no longer required, which would have benefited those involved in the Ronin breach. Beyond that, it is important to review the privacy practices of each provider.
As with bridges, the risk from third-party providers lies in their connection to the institution’s systems. Most cross-chain bridges are broken after bugs are introduced into the code or when keys are leaked. These bridging attacks can be mitigated and in many cases prevented. Whether the breaches are due to fraudulent deposits or validation issues, human error is often the root cause. After the hacks made headlines, investigations showed that these errors in code could have been fixed with foresight.
In particular, what steps might have prevented the cross-chain bridge hacks, like Binance’s, that we’ve seen recently? Bridge code must be regularly reviewed and tested before and after release. One of the most effective ways to do this is to use bug bounties. Smart contract addresses need constant monitoring, as do fake deposits. There should be a security team in place, one that uses artificial intelligence to flag potential risks, to oversee these risk management efforts.
With more attention to security up front, there would be fewer bad headlines. It is far cheaper to hire white hat hackers to find a company’s weaknesses before bad actors do than it is to wait for the bad actors to find them.
Historically, the industry has had its fair share of bad headlines. It’s even had its fair share of nine-figure hacks. This year they seem to have become an almost accepted part of the digital asset industry. But as politics become increasingly intertwined with cryptocurrency regulation, never before have these hacks posed a greater threat to the industry. As nation-state-backed hackers take greater advantage of these third-party connections, those connections will come under greater scrutiny. There is no doubt about that. It’s just a matter of when.
That question will likely be answered as soon as the US Congress finalizes new legislation on the matter. It makes sense that regulation would be the logical next step – unless the industry acts with great haste.
Richard Gardner is CEO of Modulus, which builds technology for institutions including NASA, Nasdaq, Goldman Sachs, Merrill Lynch, JPMorgan Chase, Bank of America, Barclays, Siemens, Shell, Microsoft, Cornell University and the University of Chicago.
This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts and opinions expressed herein are those of the author alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.