Hacks by outside parties have increased dramatically in the crypto world. According to experts, the issue is that companies, including multiple cryptocurrency exchanges, are often not knowledgeable enough about how to defend against hacking.
Testing for vulnerabilities further along the supply chain is no longer just a good idea; it is now an absolute necessity. Most crypto exchanges assume that their new vendors will apply the same scrutiny and security measures used by the exchanges when they sign on with them. Some people don’t even think about security, or about the safety measures they rely on, say experts.
International investors and people who are new to financial technologies support numerous exchanges. Many are even entirely new to technology, backed instead by venture capitalists eager to get their feet wet in a developing sector. That isn’t necessarily a problem in and of itself.
On the other hand, the magnitude of the security risks associated with being a caretaker of hundreds of millions of dollars worth of digital assets is frequently not fully understood by companies that are still new to the fintech sector.
We have witnessed what occurs when insufficient security exists, and the problem extends beyond vendor management to include cross-chain bridges. Just this October, Binance had to deal with a bridge hack that cost nine figures. Another breach worth nine figures is the Wormhole bridge hack. Over $500 million in assets were lost due to the Ronin bridge hack.
In fact, according to a recent report, cross-chain bridge hacks were responsible for the theft of more than $2.5 billion in assets over two years, dwarfing the losses brought on by hacks into decentralized exchanges and decentralized lending combined.
The latest frontier for bad actors is third-party breaches. But third-party breaches aren’t just an issue for the cryptocurrency sector; they don’t just affect small players. More than 800,000 people were impacted by a breach involving a third-party vendor in the New York City school system earlier this year.
This is especially true now that nation-states’ use of hackers for foreign policy purposes is increasing. In particular, factions from North Korea and Russia are searching for honeypots that they can target for hacking and stealing assets. As a result, the cryptocurrency sector is a top target.
Reorienting how the industry views third-party security initiatives is the only way to stop these problems before they bring the industry to its knees. Before being granted access to any institutional data, third parties must undergo extensive screening. Once access is granted, it is crucial to restrict it to only the necessary information and to revoke those permissions when they are no longer needed, as would have been advantageous to those involved in the Ronin breach. Reviewing each vendor’s privacy policies is essential after that.
Similar to bridges, the connection between third-party vendors and the institution’s system poses a risk. Most cross-chain bridges are broken after bugs or critical leaks are introduced into the code. These bridge attacks can often be lessened and even avoided. Human error is frequently a problem, whether the breaches are caused by false deposits or validator problems. Investigations reveal that these coding errors could have been corrected before hacks made headlines.
Which actions, in particular, might have made a difference in the recent cross-chain bridge hacks, like Binance’s? Bridge code needs to undergo routine auditing and testing both before and after it is released. Using bug bounties is one of the best ways to accomplish this.
False deposits and smart contract addresses both require ongoing monitoring. To oversee these risk management initiatives, a security team should be in place that uses artificial intelligence to identify potential risks.
There would be fewer negative headlines if security were given more consideration in the beginning. Hiring white hat hackers to discover exploits before malicious actors do is far less expensive than waiting for attackers to find them on their own.
The industry has historically experienced its fair share of negative press. Even nine-figure hacks have occurred in the past. This year, they have almost achieved acceptance within the digital assets sector.
But the risk is now greater than ever as politics and cryptocurrency regulation become more intertwined. Such third-party links will be scrutinized as nation-state-backed hackers use them more often. There is no question in my mind. It only remains to be seen when.
When the US Congress completes new legislation on the subject, that question will probably have an answer. Regulation would make sense as the next step — unless the industry moves quickly.