2022 has been the year of DeFi exploits, with losses running to hundreds of millions of dollars' worth of digital assets. In October alone, hackers got away with $718 million worth of digital assets across 11 different hacks. It is clear that DeFi protocols are increasingly becoming the go-to target for cybercriminals.
This is unsurprising given the nascency of the DeFi ecosystem, including the very technological infrastructure it is built on: the blockchain. While the digital asset industry is innovating at a pace unmatched by any other asset class, the ideation and experimentation that take place in the ecosystem are sometimes the perfect gateway to vulnerabilities.
This year's turn of events serves as a reminder for digital asset organizations, including DeFi protocols, to consistently place security at the forefront of their business operations. Integrating robust security systems and processes, whether from internal or external sources, is the only way for companies to protect themselves and their users.
How do cybersecurity teams help cultivate innovation while protecting valuable information?
Unlike other industries, which have been around for decades, the digital asset industry is still in its infancy, leaving it largely unregulated and without the controls and guidelines that would normally be in place for traditional organizations or governmental institutions. The blockchain space is one of the most innovative industries in the world, but that inevitably presents unique challenges for security professionals. How do they help cultivate innovation while protecting assets and information worth hundreds of millions of dollars?
Given the ever-changing nature of the digital asset ecosystem, security practices need to be viewed holistically, ensuring an organization's protection while also accounting for operational and regulatory requirements. Malicious actors have always been around, and digital assets are no exception. It is up to organizations to invest in the tools and people that bring accumulated experience in recognizing common patterns of cybercriminal behaviour.
The fundamentals of security postures and programs remain the same whether or not an organization is in the blockchain industry. All companies should have a common set of baseline controls covering asset inventory, access management, and more. The DeFi exploits seen so far resemble exploits in other industries, just with a change of target (e.g. from credit card details to private keys) and of underlying infrastructure (e.g. from centralized banks to the blockchain). What does change is the pace: technologies and processes that worked for industries that innovate much more slowly may not transfer directly to a blockchain world that operates on a different cadence of implementation and operation, and need to be adapted rather than copied.
While it presents new challenges, working with blockchain technology also provides opportunities for new security systems and practices. Security professionals must innovate, adapting to the unique and evolving nature of the technology. Digital asset companies are building new security technologies that make the secure way of doing things the easy way. Bullish referenced a recent initiative as an example, in which it eliminated passwords completely from new-user authentication on its platform. Solutions to long-standing problems such as passwords are testament to how blockchain security can be an innovative space in itself.
What are some key aspects of security breaches in the DeFi ecosystem?
Some patterns are emerging from the DeFi exploits that have occurred so far. It is commonly assumed that hacks come down to compromised private keys alone, but many DeFi exploits are in fact due to poor coding practices or infrastructure mistakes. Every party interacting with a protocol may have the most robust security practices, yet in most cases it is the smart contracts underlying the protocol itself that are exploited.
The industry recognizes the importance of private key security, but the expanding ecosystem of DeFi projects built on top of this infrastructure layer opens the door to a whole new set of concerns. According to Chainalysis, around 35% of funds exploited this year were lost through human error, meaning a large share of DeFi hacks required little sophistication. This points to a greater need for companies to check and recheck their code, and to keep protocol design simple enough that it does not leave loopholes for malicious actors to exploit.
This is why infrastructure providers like Hex Trust offer solutions such as digital asset cold storage. DeFi projects already have to manage their own project infrastructure and its security; doing the same for customer assets requires intensive investment and work. By using Hardware Security Modules (HSMs) and disciplined private key storage practices, Hex Trust protects customer assets to the highest security standards.
What are some processes that digital asset organizations can adopt to work towards preventing DeFi breaches?
Broadly speaking, the industry as a whole can collaborate better to bring new tools and ideas to the table. When industry leaders share the information they collect or produce, collective efforts can be made to recognize suspicious activity, strengthen due diligence processes, and cross-check the level of trust placed in particular entities. Doing so will also advance the much-needed standardization of security practices in the DeFi ecosystem. Crowdsourcing of security must also improve, and security practices themselves need to be decentralized, which aligns well with the goals of blockchain technology.
A specific method that organizations can start adopting is threat modeling. Organizations and their security professionals need to learn to think like an attacker and enumerate the hundreds, if not thousands, of ways a third party could break into their systems. This requires an in-depth understanding of the assumptions a system is built on, and of how each of those assumptions can fail. Critical evaluation, and being one's own devil's advocate, goes a long way in preparing for unexpected events.
No security system will ever be 100% secure. What security professionals can do instead is be patient, detect anomalies as quickly as possible, and work towards evicting attackers once they are found.
Overall, there must be a fundamental cultural shift in the DeFi ecosystem. Currently, complexity is treated as a criterion of credibility or legitimacy; it is mostly unnecessary, and it is usually what leaves the door open for cybercriminals. Complex designs also make procedures such as threat modeling harder, so that fewer of the ways a project can be exploited or misused are foreseen. It is also up to users to fully understand what they are interacting with or investing in, including its smart contracts, tokenomics, and other relevant mechanisms.
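The "detect anomalies as quickly as possible" point above is easiest to see in code. The following is an added example, not code from the original article or from any vendor's product: a small reserve-drain detector run over a constructed stream of pool events. It assumes a hypothetical feed in which every transaction reports the pool's reserve after it executed; the event shape, thresholds and numbers are all constructed for the demonstration.

```python
"""Reserve-drain detector run over a constructed stream of pool events.

This is an added example, not code from the original article or from any
vendor's product. It assumes a hypothetical event feed in which each
transaction reports the pool's reserve after it executed; the event shape,
thresholds and numbers are all constructed for the demonstration.
"""
from dataclasses import dataclass
from statistics import median


@dataclass(frozen=True)
class PoolEvent:
    block: int
    tx: str
    reserve_after: float  # pool reserve (token units) after this tx; assumed field


@dataclass(frozen=True)
class Alert:
    block: int
    tx: str
    reason: str
    outflow: float


def detect_drains(events, single_tx_ratio=0.10, window=10, baseline_multiple=10.0):
    """Flag transactions that remove an abnormal share of a pool's reserves.

    Each transaction is compared with the reserve *before* it:
      1. a single tx removing more than `single_tx_ratio` of the reserve;
      2. otherwise, an outflow larger than `baseline_multiple` times the median
         of the last `window` positive outflows (the median keeps one large
         event from dragging the baseline up, and the check only starts once
         `window` samples of normal traffic exist).
    Returns alerts in event order, at most one per transaction.
    """
    alerts = []
    history = []  # recent positive outflows, used as the baseline
    prev = None
    for ev in events:
        if prev is not None and prev > 0:
            outflow = prev - ev.reserve_after
            if outflow > prev * single_tx_ratio:
                alerts.append(Alert(ev.block, ev.tx,
                                    f"single tx removed >{single_tx_ratio:.0%} of reserve", outflow))
            elif len(history) >= window:
                base = median(history[-window:])
                if base > 0 and outflow > base * baseline_multiple:
                    alerts.append(Alert(ev.block, ev.tx,
                                        f"outflow >{baseline_multiple:.0f}x recent median", outflow))
            if outflow > 0:
                history.append(outflow)
        prev = ev.reserve_after
    return alerts


def sample_events():
    """Constructed feed: 30 routine swaps against a 1,000,000-unit reserve,
    then a 90,000 'sweep' (under 10% of the reserve, but far above baseline),
    then one tx that takes 60% of what is left, then a quiet aftermath."""
    events, reserve = [], 1_000_000.0
    for i in range(30):
        reserve += -8_000.0 if i % 2 == 0 else 7_500.0  # small alternating out/in
        events.append(PoolEvent(100 + i, f"0xnormal{i:02x}", reserve))
    reserve -= 90_000.0
    events.append(PoolEvent(130, "0xsweep", reserve))
    reserve *= 0.40
    events.append(PoolEvent(131, "0xdrain", reserve))
    events.append(PoolEvent(132, "0xafter", reserve - 1_000.0))
    return events


if __name__ == "__main__":
    for a in detect_drains(sample_events()):
        print(f"block {a.block} {a.tx}: {a.reason} (outflow {a.outflow:,.0f})")
```

Run against the constructed feed, the sweep is caught by the baseline check and the drain by the single-transaction ratio, while the 30 routine swaps and the post-drain transaction produce nothing. The two thresholds are deliberately independent: a ratio check alone misses a slow bleed that stays under the ratio, and a baseline check alone is blind until enough history exists and can be gamed by an attacker who first inflates normal volume.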
The debate between self-custody and utilizing third-party custodians
Whether one uses self-custody or a licensed third-party custodian depends on the use case. Everyone must conduct their own risk assessment, taking into account their risk appetite, the amount of digital assets they hold, what they wish to do with those assets, ease of access to platforms, and so on.
Institutional investors have many factors to consider. Their decision making and risk assessment should be dictated by regulations and rules, broader company policies, the organization's risk appetite, and its security capabilities. Maintaining such processes internally requires investment in technologists, security practitioners, developers and more; given that cost, leveraging a licensed third-party custodian for safekeeping may be the most suitable option. Custodians like Hex Trust can support institutional players in integrating digital assets into their business operations, without requiring them to take on all of the associated responsibilities.
Given current market conditions, some people may be skeptical of keeping their digital assets with another party. Licensed custodians, however, are required to fully segregate their own assets from their clients', meaning that in the rare scenario of bankruptcy or even government confiscation, client assets remain protected.
What are some key considerations when identifying DeFi exploits?
The biggest mistake most companies and their developers make is trusting third-party code, which boils down to the same supply chain problem that has existed for many years. Before copying and pasting someone else's code, re-evaluate whether integrating that third party puts your own ecosystem at risk of exploitation. Some questions to ask: where did the code come from? Who wrote it? Could it contain exploitable vulnerabilities?
Tasks that companies should treat as non-negotiable are to conduct their own research, perform security code reviews, and work only with reputable sources. The crypto world is still in the midst of setting things in place, and adopting new and improved processes that keep pace with the changing industry is the only way to really prevent future exploits. The role of security needs to be readjusted in the DeFi ecosystem moving forward, and there is plenty of room to innovate.
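The provenance questions above (where did the code come from, who wrote it, has it been reviewed) can be enforced mechanically before a dependency reaches a build. The following is an added example, not code from the original article or from Hex Trust; it assumes a constructed lockfile-style manifest (field names loosely modelled on npm's package-lock format) and a constructed allowlist of artifacts a reviewer has actually looked at. Every package name, URL and tarball below is made up.

```python
"""Gate for third-party code before it enters a build.

Added example, not from the original article. It assumes a constructed
lockfile-style manifest (field names loosely modelled on npm's package-lock
format) and a constructed allowlist of reviewed artifacts; every package name,
URL and tarball below is made up.
"""
import base64
import hashlib
import json
import re

EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")
ALLOWED_REGISTRY = "https://registry.example.test/"  # assumption: the org's own mirror


def sri_sha256(artifact: bytes) -> str:
    """Subresource-Integrity style digest: 'sha256-' + base64(SHA-256(bytes))."""
    return "sha256-" + base64.b64encode(hashlib.sha256(artifact).digest()).decode()


def review_dependencies(lock_json: str, allowlist: dict) -> list:
    """Return (package, problem) findings; an empty list means the manifest passes.

    For every package it answers the provenance questions from the text:
    is the version an exact pin, was it resolved from the approved registry,
    does it carry an integrity hash, and does that hash match the artifact
    someone on the team actually reviewed (the allowlist entry for name@version).
    """
    findings = []
    for name, meta in json.loads(lock_json).get("packages", {}).items():
        version = meta.get("version", "")
        if not EXACT_VERSION.match(version):
            findings.append((name, f"version '{version}' is not an exact pin"))
        resolved = meta.get("resolved", "")
        if not resolved.startswith(ALLOWED_REGISTRY):
            findings.append((name, f"resolved from unapproved source: {resolved or '<missing>'}"))
        integrity = meta.get("integrity")
        if not integrity:
            findings.append((name, "no integrity hash"))
            continue
        expected = allowlist.get(f"{name}@{version}")
        if expected is None:
            findings.append((name, f"{name}@{version} has not been reviewed"))
        elif expected != integrity:
            findings.append((name, "integrity hash differs from the reviewed artifact"))
    return findings


# Constructed artifacts standing in for downloaded tarballs.
SAFE_MATH_TARBALL = b"constructed tarball bytes for safe-math-lib 2.0.1"
ORACLE_TARBALL = b"constructed tarball bytes for price-oracle-adapter 0.4.3"


def sample_allowlist() -> dict:
    """Hashes recorded when the team reviewed each artifact."""
    return {
        "safe-math-lib@2.0.1": sri_sha256(SAFE_MATH_TARBALL),
        "price-oracle-adapter@0.4.3": sri_sha256(ORACLE_TARBALL),
    }


def sample_lockfile() -> str:
    """One clean entry, one whose tarball no longer matches the reviewed bytes,
    and one pulled straight from a git URL with a version range and no hash."""
    return json.dumps({"packages": {
        "safe-math-lib": {
            "version": "2.0.1",
            "resolved": ALLOWED_REGISTRY + "safe-math-lib/-/safe-math-lib-2.0.1.tgz",
            "integrity": sri_sha256(SAFE_MATH_TARBALL)},
        "price-oracle-adapter": {
            "version": "0.4.3",
            "resolved": ALLOWED_REGISTRY + "price-oracle-adapter/-/price-oracle-adapter-0.4.3.tgz",
            "integrity": sri_sha256(ORACLE_TARBALL + b" (modified)")},
        "flashloan-helper": {
            "version": "^1.2.0",
            "resolved": "git+https://git.example.test/someone/flashloan-helper.git",
            "integrity": ""},
    }})


if __name__ == "__main__":
    for pkg, problem in review_dependencies(sample_lockfile(), sample_allowlist()):
        print(f"{pkg}: {problem}")
```

The clean entry passes, the oracle adapter is rejected because the bytes now being pulled are not the bytes that were reviewed, and the git-sourced helper fails on all three provenance checks. A gate like this does not replace the security code review the text calls for; it only guarantees that the code which ships is the code that was reviewed.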