Image: gorodenkoff/GettyImages
A core issue is that writing and publishing the smart contracts that many cryptocurrency or DeFi projects rely on is not the same as writing a web or mobile app. You can’t just put it out and bolt security onto it as you go, according to Dan Guido, the co-founder of Trail of Bits, a 10-year-old cybersecurity consulting firm that’s been dabbling in auditing smart contracts (vetting the code for flaws before it goes live, which is itself a burgeoning industry) for around five years, and has also published several open source tools to analyze and audit software used in the crypto world.

“A lot of these smart contracts are like trying to launch a rocket into space. And if you miscalculate it's gonna blow up. And there isn't really a recovery process. You can't snap your fingers and get another rocket on the launch pad to send up tomorrow,” Guido said in a phone call.

Smart contracts are highly complex pieces of self-executing code that live on the blockchain. They can't be deleted, and like with anything else on the blockchain, operations can't be reversed. Because smart contracts are public and, generally, hard to change, they are “high assurance” software, Guido added, which means they are “software that has catastrophic issues and fails, and that you can't easily fix when you find issues.”
That’s not the same as more traditional software, which the cybersecurity industry has become very good at squashing bugs in, and which developers have also learned to make more secure over the years.

“All software has flaws, and the web3 premise that ‘code is law’ raises the stakes by making these mistakes immutable. It’s all fun and games until you lose half a billion dollars due to a single software vulnerability,” Jennifer Fernick, the senior vice president and global head of research at cybersecurity firm NCC Group, told Motherboard in an email. “A dangerous belief among web3 evangelists seems to be that blockchain is intrinsically and universally secure. This is categorically false. Not only are there several types of blockchain-specific security vulnerabilities, but decentralized systems are also subject to most of the same security risks as other computer systems,” she said.

Tal Be’ery, a cybersecurity veteran who now works as the CTO of the crypto wallet app ZenGo, is one of a few cybersecurity people who are now focused on the crypto industry. As Be’ery put it, web3 security is in “dire straits.” One of the problems, Be’ery said in an online chat, is that while in theory it’s not harder to secure smart contracts compared to other kinds of code, “it's much easier to monetize smart contracts exploits as they deal with cash money.”
The crypto world’s cybersecurity problems, however, go beyond smart contracts. Hackers have also targeted and exploited the Discord channels that virtually all crypto organizations and companies use to interact with their user base. That’s usually done with good ol’ phishing. The websites connected to crypto projects are also useful targets, and they can be hacked by exploiting a third-party internet infrastructure company. NFTs have proven to be particularly vulnerable to old-school social engineering or phishing attacks, since all a hacker needs is someone's MetaMask wallet permissions to steal their tokens.
Kimber Dowsett, another cybersecurity expert who’s worked in the industry for a decade, has publicly criticized hackers and other colleagues in the industry who mock NFTs and people involved in that space.