If it feels like every other day there’s some hacker who steals millions of dollars in cryptocurrency, it’s because, well, that's pretty much what's happening.
In the last few months alone, hackers have stolen $600 million from Poly Network, $320 million from cross-chain bridge Wormhole, $30 million from popular exchange Crypto.com, around $4 million from users of Multichain, $140 million from a crypto gaming company, almost $120 million from visitors to the website of a DAO, and $150 million from a crypto exchange that bills itself as the “most trusted” out there.
That’s $1.3 billion (with a “b”) right there.
That’s not an exhaustive list, only the incidents Motherboard has covered. According to blockchain analysis firm Elliptic, DeFi protocols have lost $12 billion to date. And that’s not counting the slow but constant drip of regular users getting their six-figure ape JPEGs stolen. The variety of hacks is stunning, from smart contract exploits executed by hackers with monkish commitment to simple web attacks and phishing.
In other words, the crypto world—or “web3” if you like that nebulous and buzzy term—has a cybersecurity problem, and it’s going to be a challenge to fix it. According to cybersecurity professionals, there’s one thing that web3 can really use right now: more friendly hackers and people who truly understand how to secure software.
That may be a hard fix. There are a lot of cybersecurity professionals who are resistant to joining an industry that they see as generally immoral, or even worthy of ridicule. And transitioning from securing traditional software to securing blockchain or cryptocurrency software is far from seamless.
A pseudonymous researcher who goes by "Jazzy," and is the co-founder of Zellic, a cybersecurity firm that focuses on cryptocurrency and blockchain, said that “there's an insane shortage of crypto auditors” and that people who get into the business need to understand how it’s different from traditional cybersecurity.
“The stakes are a lot higher, because if you make a mistake in a traditional pentest,” Jazzy said in an online chat, referring to penetration testing, an industry term for testing the security of a system, “it probably won't cost the project all its money.”
A core issue is that writing and deploying the smart contracts that many cryptocurrency and DeFi projects rely on is not like shipping a web or mobile app: you can’t just put it out and bolt security onto it as you go, according to Dan Guido, the co-founder of Trail of Bits, a 10-year-old cybersecurity consulting firm that has been dabbling in auditing smart contracts (vetting the code for flaws before it goes live, which is itself a burgeoning industry) for around five years, and has also published several open source tools to analyze and audit software used in the crypto world.
“A lot of these smart contracts are like trying to launch a rocket into space. And if you miscalculate it's gonna blow up. And there isn't really a recovery process. You can't snap your fingers and get another rocket on the launch pad to send up tomorrow,” Guido said in a phone call.
Smart contracts are highly complex pieces of self-executing code that live on the blockchain. Once deployed, their code generally can't be changed, and, as with anything else on the blockchain, transactions can't be reversed. Because smart contracts are public and, generally, hard to change, they are “high assurance” software, Guido added, which means they are “software that has catastrophic issues and fails, and that you can't easily fix when you find issues.”
That’s not the same as more traditional software, where the cybersecurity industry has become very good at finding and squashing bugs, and where developers have also learned over the years to build in more security.
“All software has flaws, and the web3 premise that ‘code is law’ raises the stakes by making these mistakes immutable. It’s all fun and games until you lose half a billion dollars due to a single software vulnerability,” Jennifer Fernick, the senior vice president and global head of research at cybersecurity firm NCC Group, told Motherboard in an email.
“A dangerous belief among web3 evangelists seems to be that blockchain is intrinsically and universally secure. This is categorically false. Not only are there several types of blockchain-specific security vulnerabilities, but decentralized systems are also subject to most of the same security risks as other computer systems," she said.
Tal Be’ery, a cybersecurity veteran who now works as the CTO of the crypto wallet app ZenGo, is one of a few cybersecurity people who are now focused on the crypto industry. As Be’ery put it, web3 security is in “dire straits.” One of the problems, Be’ery said in an online chat, is that while in theory it’s not harder to secure smart contracts compared to other kinds of code, “it's much easier to monetize smart contracts exploits as they deal with cash money.”
The other challenge, Jazzy said, is that “a lot of bugs in smart contracts come from external interactions with other contracts, so even if the code for your application is secure, if anything you interact with is vulnerable/broken, it can lead to catastrophic losses.”
With the increasing popularity of cryptocurrency and DeFi, some established cybersecurity companies have pivoted to securing the newly popular industry, and new companies have been founded to focus exclusively on blockchain security. There's Zellic and Trail of Bits, of course, but that's not all. NCC Group, a consulting firm founded in 1999, now offers blockchain and smart contract reviews. Paradigm, an investment firm focused on crypto and web3, has an internal security research team, and they are hiring. There’s also Dedaub, the company that found a serious flaw in a crypto protocol that led to hackers stealing a few million dollars from users. Other companies in this space are Peckshield, Slowmist, Consensys Diligence, Immunefi, Paladin Blockchain Security, Certik, and Sigma Prime.
“For the short term we will see more web3 hacks,” Be’ery said. “However, there's a lot of VC money looking for web3 security solutions and talented teams starting to work on such.”
The crypto world’s cybersecurity problems, however, go beyond smart contracts. Hackers have also targeted and exploited the Discord channels that virtually all crypto organizations and companies use to interact with their user base. That’s usually done with good ol’ phishing. The websites connected to crypto projects are also useful targets, and they can be hacked by compromising a third-party internet infrastructure company. NFTs have proven to be particularly vulnerable to old-school social engineering or phishing attacks, since all a hacker needs is to get the owner to sign, in MetaMask or another wallet, a transaction that approves the attacker's address to move their tokens.
Marcus Carey, a veteran cybersecurity expert, has recently launched a consulting firm specifically for individuals in the crypto space such as artists, creators, and investors, called Metaversable. His goal is to help people who “don't understand basic cybersecurity hygiene” and may be targeted by hackers. His other goal is to encourage more people in cybersecurity to stop being skeptical and come to help.
“There are so many applications of the technology that could be good. And that's why we need people to understand it and be able to secure it as soon as possible,” Carey told Motherboard in a phone call. “This is the way it's going. This is the future.”
Carey argued that cybersecurity people are skeptics by nature, and “resistant to change.” But cryptocurrencies, smart contracts, and DeFi aren't going away, and they will eventually intersect with more traditional companies. So even cybersecurity experts who don’t want to get into NFTs or crypto will have to understand it and help their companies get into this space securely.
Kimber Dowsett, another cybersecurity expert who’s worked in the industry for a decade, has publicly criticized hackers and other colleagues in the industry who mock NFTs and people involved in that space.
“A lot of infosec people are just shitting on it and it feels gatekeepy and elitist,” she tweeted recently.
The right attitude, she told Motherboard in an online chat, would be to use empathy and education instead.
“I'm as guilty as the next person of making an NFT joke here and there, but I started sitting in on twitter spaces with musicians and artists and other types of creators and it was tough to hear that security people just shut them down and make fun of them when they try to ask questions,” she said. “I just don’t want to make people feel like shit for trying to learn about blockchain and figuring out how to make NFTs. I’d rather spend my energy trying to teach them how to avoid scams, be safe, and protect their crypto wallets. I stopped treating users like idiots a long time ago and found ways to support their curiosity while educating them about the risks. I mean, it is part of the job, right?”
Another problem at this point is that there are people building projects and protocols as fast as possible to secure investment and be the first to market, which leads to poor cybersecurity practices. That’s why the crypto world doesn’t just need cybersecurity people; it needs more security built in from the beginning, Carey said.
For now, however, it’s the “Wild Wild West,” he said.