The first US Spot Bitcoin ETF has now been approved, and optimism for the industry has been at its highest levels since April 2022. We can, therefore, expect to see more liquidity enter the space, more building, and an increase in the number of emerging crypto startups.
However, as liquidity returns, token prices increase, and new projects come to fruition, so will interest from hackers. On the same day that Bitcoin reached its highest token price since April 2022, as if on a queue, Orbit Bridge got hacked for US$82 million. Therefore, as we move into 2024, it is fundamental that we learn the lessons from exploits in 2023 and highlight what we need to learn to prevent such exploits from happening again.
Equally, we must look at the technological developments we have made in the past year and plan ahead for the challenges that will arise out of these developments, namely the rise of zero-knowledge roll-ups. However, what is of paramount importance is that builders, in 2024, incorporate security by design and cease to deprioritise security.
Lessons from the HECO Bridge Hack and Curve Finance Hack
The HECO Bridge Hack of November 2023 was yet another reminder that protocols and organisations do not prioritise security. Cross-chain bridge protocols have proven lucrative targets for hackers, largely due to their experimental designs and the fact that they generally have large, centralised repositories of assets bridged by users to other blockchains.
The HECO Bridge Hack of November 2023 was likely due to an attacker gaining control of a private key, which should have been quite preventable. It highlighted a failure on HECO’s part to, above all adhere, to basic security practices such as adopting a multi-signature security wallet. It also showed that HECO Bridge had not been properly audited.
Also Read: Securing the future: Navigating the digital transformation in BFSI amid cybersecurity challenges
Reputable audit reports often explicitly identify which parts of protocols are controlled by external addresses and, therefore, vulnerable to private key theft. It is possible that the hack could have been prevented if more in-depth audits had been conducted.
Another example, the Curve Finance Hack in August 2023, illustrated that protocols need a “panic button” in place. Nothing in DeFi (Decentralised Finance) is completely safe from hackers and it is essential that, if in the event a protocol is hacked, there needs to be an emergency function. Immutability, a central concept of blockchains, is the idea that they remain unchanged to stop people from tampering with them.
However, it can leave people powerless when trying to fix a potential exploit. This became apparent during the Curve Finance exploit. Curve’s Liquidity Providers (LPs) had a timelock embedded in the smart contracts, making it technically impossible to fix a coding vulnerability within Vyper. By forfeiting the ability to edit the state of the smart contract, the protocol was unprotected against an exploiter who was able to drain US$62 million from Curve.
Although a comprehensive audit might have detected these exploitable functions, the nature of immutability would have made it impossible to fix. Therefore, it is imperative that protocols consider having some kind of emergency stop system that can prevent these types of attacks from occurring.
Examples of this would be the Pausable Contract from OpenZeppelin’s library or the Million Ether Homepage, where the Emergency Stop pattern is implemented inside the main contract and gives the owner of the contract the ability to stop the execution of several functions at any given time.
New challenges from technological developments
Blockchain technology is always developing. These developments can come with their own inherent risks. Ethereum is by far the most popular blockchain for user activity. However, it has considerable issues with scalability. That is to say, the network’s capacity, how many transactions it can process, and how quickly it can process them is low.
Therefore, Layer 2 blockchains were created as scaling solutions for Ethereum designed to speed up transaction speeds and lower costs, and they are seeing significant development. For example, the Total Value Locked of Ethereum layer 2s now amounts to US$14.46 billion, while Ethereum’s TVL stands at US$26 billion. In 2024, Zero-Knowledge rollups are Layer 2 blockchains that are showing promising development and the potential for many projects adopting these solutions.
With this explosive growth comes the need for significant security auditing. However, zkRollups are complex and difficult to navigate, and only limited experts are able to read and write in zk-specialised programming languages.
This introduces an entirely distinct realm of security whereby technological development outpaces the ability of security researchers to study them comprehensively. Understanding zk requires a mathematical background equivalent to that of a master’s or doctoral level.
Therefore, teaching this to current security researchers would be a formidable challenge. Instead, protocols should focus on recruiting security researchers with a strong mathematical background in large numbers as soon as possible to cater to this need.
Security by design is the way forward
Security may not always be seen as the first priority to look at for projects in the crypto industry. Companies prioritise rapid development and deployment of their products to stay ahead in the market, which can sometimes lead to overlooking certain security measures.
Also Read: The business edge: Why prioritising employee cybersecurity is a smart investment
As Web3 technology is relatively new and continuously evolving, developers face a lack of established best practices, standards, and tools for ensuring security. Certain crypto startups operate with limited resources, including funding, time, and skilled personnel. This can make it challenging to invest adequately in robust security practices and conduct thorough security audits.
All these contribute to products being built that do not have a robust foundation layer, which can be detrimental in the long run. However, building protocols with security woven into the fabric through collaborative code reviews and rigorous audits will significantly curb vulnerabilities before malicious actors exploit them.
In conclusion
In 2024, we are still seeing hacks occur despite being relatively easy to prevent, namely, private key hacks. With optimism high and liquidity returning, growth must be met with robust security or we will see past mistakes continue to repeat themselves which continues to hinder the industry’s progress and reputation.
The lessons learned from hacks like HECO Bridge and Curve Finance show that prioritising speed and neglecting basic security practices leave projects vulnerable. This is especially true as innovative technologies like zero-knowledge rollups emerge, demanding expertise that outpaces current security research capabilities.
Now is the time for protocols to be more responsible and ensure that they have taken all the necessary security measures. Audits should not be worn as badges of approval; they are a means of assessing where vulnerabilities lie, and it is essential that any weak spots are reinforced immediately, as one never knows when one could be the next victim of a hack.
Equally, startups built with security woven into their core, employing rigorous audits and collaborative code reviews, will stand strong against malicious actors. However, this ultimately requires a shift in mindset, where security ceases to be an afterthought and becomes a priority of every project.
—
Editor’s note: e27 aims to foster thought leadership by publishing views from the community. Share your opinion by submitting an article, video, podcast, or infographic
Join our e27 Telegram group, FB community, or like the e27 Facebook page
Image credit: Canva
The post Learning from history: Safeguarding crypto in 2024 and beyond appeared first on e27.