Until recently, legendary robberies rarely resulted in personal losses.
As uninvolved and unaffected bystanders, consumers could find some true-crime thrill in theorizing how a team of unknown thieves stole 13 priceless masterpieces from the Isabella Stewart Gardner Museum in 1990, or in retelling how Saddam Hussein's son and one of his personal advisers walked $1 billion in cash out the front door of Iraq's central bank in 2003.
These stories are staggering in scale yet utterly inconsequential to the average person; spared any personal expense, we could enjoy them as a form of entertainment.
However, modern legends are less easily swallowed.
In 2022, two huge crypto hacks, the Binance Smart Chain hack ($566 million) and the Ronin bridge exploit ($522 million), together eclipsed the value of the most expensive painting in history, the Mona Lisa ($850 million). In fact, $3.8 billion was stolen from DeFi protocols and exchanges in this landmark year, far exceeding the combined value ($2.8 billion) of the Central Bank of Iraq robbery and the Isabella Stewart Gardner Museum theft.
And unlike their predecessors, these robberies did not take money from a government agency or a museum, but from ordinary people.
In the case of the Ronin bridge hack, more than 75% ($400 million) of the stolen funds belonged to users of Axie Infinity, a popular play-to-earn game developed by Sky Mavis. The theft occurred after the attackers gained control of enough validator keys to approve their fraudulent withdrawals. The exploit took advantage of human error: the attackers were able to gain what amounted to backdoor access because Axie DAO had granted Sky Mavis a temporary permission to sign transactions on its behalf and had never revoked it, leaving a standing weakness in the validator set.
Sky Mavis, to its credit, has taken responsibility for the breach and losses suffered by its users. Shortly after the exploit, the developer announced that it would reimburse players for losses even if it was unable to recover the stolen funds. Efforts are already being made to this end; in April, Sky Mavis raised $150 million for this in partnership with Binance and other crypto investors.
The developer's good intentions should be acknowledged. However, compensation cannot repair the damage that such exploits do to consumer confidence. Users may find promises like Sky Mavis's reassuring in hindsight, but crypto theft is an emotionally charged, even traumatic, experience for its victims.
Some might take their losses as a sign to abandon Web3 altogether, and news of the hack could deter prospective adopters from ever trying the technology.
It's a matter of trust: if current and future Web3 users don't feel safe navigating Web3, they will step aside until the landscape feels safer. This lack of confidence is already evident. According to a recent report from the Web3 development platform Alchemy, assets held on centralized exchanges fell 45% by the end of Q4 2022, a clear sign of waning consumer confidence in crypto custodians. The same report, however, showed that developer sentiment remains upbeat and enthusiastic.
The question remains: how can proponents bridge the gap between increasingly fearful users and blockchain's undeniable potential? The only possible answer is to equip protocols, developers and users to protect themselves as they venture into the future of Web3.
Security: an unavoidable priority
Web3’s current security vulnerabilities are, in a way, unavoidable.
The decentralized and sometimes anonymous nature of cryptocurrencies provides fertile ground for cybercriminals, who can hide their identities and exploit both technological and human weaknesses. This is compounded by the high value of crypto assets, which makes them, and the companies that trade them, prime targets. For example, Binance handles a daily trading volume in the billions of dollars, so a single vulnerability in an exchange's own codebase could result in millions being stolen.
In addition, the rapid evolution of blockchain technology keeps opening security gaps that hackers can exploit. Because many protocols prioritize functionality and product development over security, they become more susceptible to attack. Human errors, such as choosing weak passwords, sharing private keys or failing to update relevant software, create further vulnerabilities for attackers to exploit.
Given the above, it is crucial for Web3 innovators to understand that there is no easy or quick solution to the problem.
Restoring consumer confidence and achieving a "secure" status quo will require informed and targeted action from every participant in Web3, from individual users and developers to large-scale decentralized finance (DeFi) protocols.
Build a fortress
Individual users can and should take steps to protect themselves; however, the biggest responsibility for securing crypto assets will naturally fall to DeFi protocols.
Innovators need to recognize their limitations: "trustless" technology is not the same as perfect or inviolable technology. Cybersecurity is a $153 billion industry for a reason; beyond a certain level of risk, even prudent and well-meaning organizations can no longer protect themselves against bad actors without specialized support.
For a protocol, this means external code audits and continuous monitoring by specialist blockchain security firms. With their deep knowledge of the ecosystem and purpose-built tooling, these firms can detect threats, anomalies and vulnerabilities in DeFi protocols, making them less susceptible to breaches. Regular, in-depth audits of the codebase surface exploitable flaws before an attacker finds them, reducing the opportunities available to hackers.
At the institutional level, robust security measures, such as transaction monitoring and emergency response procedures, must be embedded in existing systems.
Transaction monitoring can detect suspicious activity early, allowing for rapid action. Automated emergency measures such as circuit breakers are another valuable safeguard: they can delay suspicious transactions or halt protocol operations entirely when anomalous activity is detected.
In addition, newer technologies such as automated threat detection systems can play an important role in preventing attacks.
These systems, often powered by machine learning, can detect and neutralize suspicious activity before it does significant damage. By responding to threats in real time, they provide an essential layer of security and make DeFi protocols more resilient to sophisticated attacks.
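To make the transaction-monitoring and circuit-breaker ideas above concrete, here is an added example in Python. It is not code from this article, from Forta or from any real protocol: the bridge, its withdrawal event schema, the thresholds and the sample transactions are all constructed for illustration. It implements a plain threshold rule set (a per-transaction cap plus a sliding-window volume cap), not the machine-learning detection mentioned above, and shows the two patterns a monitor must catch: one outsized withdrawal, and a "slow drain" of many withdrawals that are individually unremarkable.

```python
# Added example (not from the original article or from Forta): a minimal
# withdrawal monitor with a circuit breaker for a hypothetical bridge.
# Event schema, thresholds and sample transactions are constructed.
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Withdrawal:
    """One bridge withdrawal event (constructed schema, not a real ABI)."""
    block: int
    tx_hash: str
    recipient: str
    amount_eth: float


@dataclass
class CircuitBreaker:
    """Per-transaction cap plus a sliding-window volume cap.

    Decisions: 'allow' (normal), 'alert' (page an operator, let it through),
    'halt' (breaker trips; this and every later withdrawal is blocked until
    an operator resets it after investigation).
    """
    window_blocks: int          # sliding window length in blocks
    window_cap_eth: float       # max ETH out per window before halting
    single_tx_cap_eth: float    # any single withdrawal above this halts
    alert_ratio: float = 0.5    # alert once the window reaches this share of the cap
    tripped: bool = False
    trip_reason: str = ""
    _recent: deque = field(default_factory=deque, repr=False)  # (block, amount)

    def _prune(self, current_block: int) -> None:
        # Drop events older than the window ending at current_block.
        while self._recent and self._recent[0][0] <= current_block - self.window_blocks:
            self._recent.popleft()

    def window_total(self) -> float:
        return sum(amount for _, amount in self._recent)

    def _trip(self, reason: str) -> None:
        self.tripped = True
        self.trip_reason = reason

    def evaluate(self, w: Withdrawal) -> str:
        if self.tripped:
            return "halt"
        if w.amount_eth > self.single_tx_cap_eth:
            self._trip(f"{w.tx_hash}: single withdrawal of {w.amount_eth:g} ETH "
                       f"exceeds cap {self.single_tx_cap_eth:g}")
            return "halt"
        self._prune(w.block)
        self._recent.append((w.block, w.amount_eth))
        total = self.window_total()
        if total > self.window_cap_eth:
            self._trip(f"{w.tx_hash}: {total:g} ETH withdrawn within "
                       f"{self.window_blocks} blocks exceeds cap {self.window_cap_eth:g}")
            return "halt"
        if total >= self.alert_ratio * self.window_cap_eth:
            return "alert"
        return "allow"

    def reset(self) -> None:
        """Operator action after investigation; never reachable from the hot path."""
        self.tripped = False
        self.trip_reason = ""
        self._recent.clear()


def run_monitor(events, breaker):
    """Feed withdrawals in block order; return [(tx_hash, decision), ...]."""
    return [(w.tx_hash, breaker.evaluate(w)) for w in events]


# Constructed sample streams (illustrative values, not real transactions).
ROUTINE = [Withdrawal(100 + i, f"0xroutine{i:02d}", "0xuser", 25.0) for i in range(6)]

# Scenario A: one outsized withdrawal, the signature of a key-compromise drain.
DRAIN = ROUTINE + [Withdrawal(107, "0xdrain", "0xattacker", 120_000.0),
                   Withdrawal(108, "0xafter", "0xuser", 10.0)]

# Scenario B: each withdrawal is under the single-tx cap, but they add up
# quickly; only the sliding-window total catches this pattern.
SLOW_DRAIN = ROUTINE + [Withdrawal(107 + i, f"0xslow{i:02d}", "0xattacker", 900.0)
                        for i in range(6)]


def demo():
    params = dict(window_blocks=50, window_cap_eth=5_000, single_tx_cap_eth=1_000)
    return (run_monitor(DRAIN, CircuitBreaker(**params)),
            run_monitor(SLOW_DRAIN, CircuitBreaker(**params)))


if __name__ == "__main__":
    for name, decisions in zip(("drain", "slow_drain"), demo()):
        print(name, decisions)
```

Two practitioner notes. First, the "halt" decision only helps if it is wired to a pause mechanism whose control is independent of the keys an attacker may already hold; a breaker that the same compromised validator set can disable adds nothing. Second, large legitimate withdrawals will happen, which is why the alert tier exists and why a reset is an operator action after investigation rather than something the monitor does on its own.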
Commitment to ongoing user education is also a must.
Educating users about safe practices and current threats can significantly reduce the risk of successful phishing and other user-targeted attacks, and because informed users are less likely to fall for scams, it raises the security of the ecosystem as a whole. For individual users, following current best practice in digital security is absolutely non-negotiable: strong, unique passwords, multifactor authentication and software that is kept up to date.
Of course, such safeguards cannot be introduced overnight. Developing a robust security strategy requires careful planning, consideration, and financial investment.
Some in the industry may wonder whether the returns are worth the effort; for me, the only possible answer is a resounding yes.
It’s up to today’s innovators to reassure and protect aspiring Web3 users – and to make sure crypto’s legendary heists don’t become cautionary tales.
Christian Seifert is the researcher-in-residence at Forta. Before joining Forta, Christian spent 14 years at Microsoft where he led security research and applied research teams that supported Microsoft Defender’s security offerings. Christian also led The Honeynet Project, a global non-profit security research organization that brings together passionate security researchers to work on the development of open-source honeypot tools and threat intelligence.