Recent crypto hacks provide lessons on the importance of constant security testing, the limitations of Web3 in today’s environment, and the need to withhold judgment until all the facts are in.
CertiK’s director of security operations, Hugh Brooks, said the blockchain security firm tracked 31 significant incidents in August. The most notable, the $190 million Nomad hack, led to what may be the first mob attack in crypto history. Because of a code vulnerability, thieves with little technical knowledge could easily exploit the flaw.
Brooks said that the Solana hack is an example of Web2’s impact on Web3. A third-party service installed by a vendor was not properly security tested. It sent secret recovery phrases in clear text back to the service provider, whose servers hackers had accessed. They went into wallets and transferred money out.
Why Web3 is limited in a Web2 world and the importance of security testing
“Everyone needs to realize that true decentralization in 2022 is a dream and will continue to be one until Web3 no longer relies on Web2 infrastructure. Your dApp likely utilizes files that are stored on various servers. It’s a bit of Web3 and a whole lot of Web2,” Brooks said.
Another lesson companies must learn is that security testing is a continuous process.
“These people had done security testing of the app and audits and all these other things as well, but they didn’t do it with every release,” Brooks said. “And sure enough, the latest release caused them to have some accidents.”
Brooks frequently sees hacks exploiting improperly audited projects. Companies must complete exhaustive checks when considering external vendors, or they risk damage from someone else’s mistake, as happened in the Solana case.
“There was no flaw in Solana itself,” Brooks stressed. “Initially, everybody thought there was some mistake in Solana. It was difficult at first to tease out what was going on there. And it wasn’t until the community got together… (that) they were able to start narrowing it down.
“But it is the kind of thing that regular mobile application security testing would have caught.”
Web3 can learn from those they want to displace
Web3 companies need to view their internal security processes like companies in traditional cybersecurity industries do.
“There’s been this big move and shift… where people are looking at security from the lifecycle of when they start coding that mobile app to when we put it out there,” Brooks said. “And then every release, it goes through essentially, that same kind of testing.
“You don’t see that yet in many of the Web3 worlds. Web3 people with great ideas also do a mobile app or a web app. They’re not bringing on the kind of security, and few people are experts to do the security testing they need.”
But the stakes are higher in Web3 because of the total value locked in. A slight mistake can quickly become expensive, and regular security testing is what prevents it.
That’s what TradFi accepts as part of doing business. Bank apps are tested at every step. Because of regulations, there are security protocols to be met.
“We’re just not seeing that in the crypto space,” Brooks said.
Why bridges bring risk
Bridges allow communication between separate blockchains that might not otherwise be interoperable. With cryptocurrencies, they hold one token as collateral and issue you another on the blockchain you want to participate in.
As bridges connect to more protocols and more types of collateral are accumulated, matters become more complex. One error can produce many vulnerabilities.
Brooks said that the solution is testing and then more testing by multiple sources.
“You can guarantee the hackers are looking at it. Then you need to be red teaming and have blue teams on your team that can manage when things go bad. Security is always cat and mouse, and you must be doing that life all the time.”
Tony is a long-time contributor in the fintech and alt-fi spaces. A two-time LendIt Journalist of the Year nominee and winner in 2018, Tony has written more than 2,000 original articles on the blockchain, peer-to-peer lending, crowdfunding, and emerging technologies over the past seven years. He has hosted panels at LendIt, the CfPA Summit, and DECENT's Unchained, a blockchain exposition in Hong Kong.