How can crypto stop getting hacked?

After the $615 million heist from Axie Infinity's Ronin bridge, crypto was once again under the spotlight as an unsafe, hackable industry. There is no doubt that the emerging DeFi industry should, like any other industry, focus on security.

However, it is important to put things into perspective. Hacks and heists are not unique to crypto. They are incredibly common across plenty of other industries.

DeFi, which started in earnest around three years ago, is in its infancy compared to the banking industry. However, the “mature” banking industry was and is still susceptible to large heists and breaches.

More than a few come to mind. Between 2015 and 2017 a series of attacks abused banks' SWIFT connections; in each case the attackers compromised a member bank's own systems and operator credentials rather than the SWIFT network itself. Among them were the Bangladesh Central Bank heist, in which close to $1 billion in fraudulent transfers was attempted, the attempted theft of $170 million from the Union Bank of India and an attempt on Bancomext Mexico for $110 million. Most of the attempted transfers were blocked or the funds recovered in these high-profile cases, each of which received extensive global media coverage.

Aside from these heists, data breaches still occur regularly even at big banks and corporations where strong cybersecurity processes should be in place. An example is JP Morgan, a bank that spent $250 million on cybersecurity in 2014 and suffered a breach of 83 million accounts' contact data that same year; the stolen data was later used in a pump-and-dump stock-manipulation scheme.

At the end of March, the FBI released its 2021 Internet Crime Report, which stated that American victims reported $6.9 billion in losses due to cybercrime and internet fraud to the FBI last year. Of the 847,376 complaints received, less than 4% (32,400) were related to cryptocurrencies (a share of complaints, not of dollar losses, where crypto weighs more heavily). Yet the predominant narrative surrounding cryptocurrencies is that they are an anomaly when it comes to security.

But these examples should not be excuses for the crypto industry to rest on its laurels. There are things that we can do to at least decrease security risks.

It is important to understand that most crypto hacks are not hacks of Layer-1 blockchains but of the protocols built on top of them: DeFi applications, bridges and sidechains, which this article groups under Layer-2. Translated to Web2, these are not hacks of the internet's infrastructure but of a website that exists on the internet, such as Facebook. These hacks come down to two types of failure: a weakness in the code, as in the $600 million Poly Network hack, where a flaw in the cross-chain contract logic let the attacker take control of the contract that authorizes transfers; or a compromise of the people and keys that control the system, as with Sky Mavis, where a social-engineering attack gave the attacker enough validator keys to sign withdrawals from the Ronin bridge.

There are a number of ways in which the crypto industry can better safeguard these assets. Crypto protocols have some of the fastest go-to-market cycles of any product: in some cases it can take as little as three months to go from an idea to an operating product. The speed of this innovation is impressive, but it clearly carries high risks, especially when young startups with no operational or risk-monitoring structures hold hundreds of millions of dollars of users' funds. It is, therefore, critical for the industry to arm itself with the correct weapons.

There are ample solutions that the industry can utilize to prevent these hacks from occurring.

Similar to what we see within more mature industries, part of a crypto company's budget needs to go to security from day one. According to NTSEC, in non-crypto industries, 6% to 14% of the overall IT budget is currently spent on cybersecurity. Given the nature of crypto and the size of client funds held, we would expect the appropriate share to be larger.

Many in the crypto industry are not blind to these risks. The rise of hacks has led to the emergence of decentralized insurance protocols that use risk-sharing pools or structures similar to credit default swaps to insure against risks — from wallet and smart contract breaches, to hacks of centralized exchanges. Individuals, institutions and the protocols themselves should start looking at either using or collaborating with such protocols.

More specifically, to avoid code flaws, protocols should test, test and test again. Code should be audited by at least two independent auditors, and re-audited after significant changes rather than only once before launch. Companies can also leverage their communities by running bug bounty programs, in which highly skilled community members or hackers are asked to find security vulnerabilities and are rewarded in proportion to severity. Alternatively, protocols could work with bug bounty platforms such as Immunefi.

Unlike more traditional industries, protocols can and should have a real-time picture of their risk. This means instrumenting their controls so that a much wider share of their systems and processes is monitored continuously: every event an on-chain contract emits is public, so unusual withdrawals, signer behaviour or balance changes can be watched as they happen. This is a level above most industries, where controls are mostly assessed at a point in time (an audit, a penetration test) rather than continuously. It should be the norm for any protocol that holds hundreds of millions of dollars of users' funds.
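Continuous monitoring of the kind described above is more concrete than it sounds; the Ronin breach cited earlier went unnoticed for six days until a user reported being unable to withdraw. The following is an added example, not code from this article or from any protocol it names: a small Python monitor that watches withdrawals from a hypothetical bridge or treasury contract and raises alerts on three conditions a point-in-time audit cannot catch: a withdrawal carrying fewer validator signatures than the configured quorum, a single withdrawal above a fixed share of total value locked (TVL), and hourly outflow far above the trailing 24-hour baseline. The TVL, quorum, thresholds and the traffic feed are all constructed assumptions.

```python
"""Rolling-baseline outflow monitor for a hypothetical bridge contract.

Added example: the contract, TVL, quorum, thresholds and the sample
feed below are constructed assumptions, not data from a real protocol.
"""
from collections import deque
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Withdrawal:
    ts: int          # unix time, seconds (block timestamp)
    amount: float    # units of the bridged asset leaving the contract
    signatures: int  # validator signatures attached to the withdrawal


@dataclass(frozen=True)
class Alert:
    ts: int
    rule: str
    detail: str


class OutflowMonitor:
    """Flags withdrawals that break quorum, size or velocity expectations."""

    def __init__(self, tvl, quorum, window_s=3600, history=24,
                 spike_factor=5.0, single_cap_share=0.05):
        self.tvl = tvl
        self.quorum = quorum
        self.window_s = window_s
        self.spike_factor = spike_factor
        self.single_cap = single_cap_share * tvl
        self.history = deque(maxlen=history)  # totals of completed windows
        self.window_start = None
        self.window_total = 0.0

    def _roll(self, ts):
        """Close any finished windows so the baseline holds only past traffic."""
        start = ts - ts % self.window_s
        if self.window_start is None:
            self.window_start = start
        gap = (start - self.window_start) // self.window_s
        # After the first push the running total is 0, so a quiet gap
        # pushes zeros and lowers the baseline (activity after silence is odd).
        for _ in range(min(gap, self.history.maxlen)):
            self.history.append(self.window_total)
            self.window_total = 0.0
        self.window_start = start

    def observe(self, w):
        """Feed one withdrawal; return the alerts it triggers (possibly none)."""
        self._roll(w.ts)
        alerts = []
        if w.signatures < self.quorum:
            alerts.append(Alert(w.ts, "quorum",
                                f"{w.signatures} signatures, quorum is {self.quorum}"))
        if w.amount > self.single_cap:
            alerts.append(Alert(w.ts, "single_cap",
                                f"{w.amount:.0f} exceeds cap {self.single_cap:.0f}"))
        self.window_total += w.amount
        if len(self.history) >= 6:  # need some baseline before velocity fires
            baseline = max(mean(self.history), 1e-9)
            if self.window_total > self.spike_factor * baseline:
                alerts.append(Alert(w.ts, "velocity",
                                    f"window outflow {self.window_total:.0f} vs "
                                    f"baseline {baseline:.0f}"))
        return alerts


def constructed_feed():
    """Constructed sample traffic: a day of routine withdrawals, then two
    anomalous ones (an oversized transfer, then one below quorum)."""
    t0 = 1_700_000_000 - 1_700_000_000 % 3600  # align to an hour boundary
    feed = [Withdrawal(t0 + h * 3600 + k * 1200, 3_000.0, 5)
            for h in range(24) for k in range(3)]
    t_attack = t0 + 24 * 3600
    feed.append(Withdrawal(t_attack + 60, 200_000.0, 5))
    feed.append(Withdrawal(t_attack + 120, 2_000.0, 4))
    return feed


def run(feed, monitor):
    """Replay a feed through the monitor and collect every alert."""
    alerts = []
    for w in feed:
        alerts.extend(monitor.observe(w))
    return alerts


if __name__ == "__main__":
    for a in run(constructed_feed(), OutflowMonitor(tvl=1_000_000, quorum=5)):
        print(a.ts, a.rule, a.detail)
```

In production the feed would come from a node's event log or an indexer, and alerts would page an on-call engineer and, ideally, trigger an automatic pause of the bridge until a human clears it. The thresholds are deliberately coarse: the point is that they are evaluated on every block, not once a quarter.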

When it comes to protection against social engineering and phishing, training and promoting employee awareness is crucial. Basic cybersecurity training should become mandatory in the crypto industry. This should include learning about data protection and the various forms of social engineering through recurring online modules and reminders. Remember: a frequently cited industry statistic attributes roughly 95% of breaches to human error.

With the large amount of funds invested in cryptocurrencies, protocols need to realize that they are targets. There is a common saying on Crypto Twitter: "It is not IF, it is WHEN a protocol will be hacked." Founders must therefore not only prevent through planning, but assume that some attacks will succeed. Consequently, they must also plan the recovery side: who can pause contracts and how quickly, how compromised keys are rotated, and how users are informed.

Crypto may be young, but it is growing at an unprecedented pace, with total funds invested in DeFi surging over 1,200% in 2021 and surpassing $240 billion. We cannot remain lax in matters of security. It is now essential for protocols to include security in their budget and in their roadmap. Otherwise, the whole industry will face dire reputational, financial and regulatory damage that can hamper, if not annihilate, its growth.

Dr. Amber Ghaddar is the founder and CIO at AllianceBlock.


This article was published through Cointelegraph Innovation Circle, a vetted organization of senior executives and experts in the blockchain technology industry who are building the future through the power of connections, collaboration and thought leadership. Opinions expressed do not necessarily reflect those of Cointelegraph.
