Mitigating Cyber Threats in Crypto
By Aleksey Babukh , Head of Division, Devexperts
Indian crypto exchange WazirX lost $230 million last week after a cybersecurity incident. The loss was caused by a hacker attack on one of the exchange's multisig wallets, which was operated using Liminal's digital custody and wallet infrastructure.
Considering that both the WazirX and Liminal teams are experienced in the business, it is highly likely they had successfully prevented threats before this one occurred. I hope the measures they take to eliminate the consequences of the breach will help. Meanwhile, this incident serves as a critical reminder for market participants to revisit their security measures. In this short article, I'd like to reflect on approaches that can reduce the risk of cybersecurity issues.
1. Understand Your Environment
The environment you work within defines the risks you will face. The potential rewards in crypto also bring a lot of potential issues. The most significant is that you can't change what has been written on the blockchain: you can't revert a transaction or stop smart contract execution once it is in flight, so your awareness level should always be high. At the same time, blockchain being public makes it accessible to everyone, including hackers. Incorporating risk management into your daily routine will prepare you to react with fast and adequate responses when faced with attacks.
2. Secure by Design
Many issues can be avoided simply by considering risks during the design stage. For example, if you develop a non-custodial crypto wallet, sending the user's private key to a server is not a good idea, as the key could be intercepted outside the user's device. Instead, the user's key must be stored only on the user's device, and only signed transactions should leave it. Secure design may cost some end-user convenience, but since that cost is minor and it improves overall solution security, it's worth it.
3. Follow Secure Development Guidelines
In addition to your domain-specific best practices, you can employ industry standards for secure development. Start with the OWASP Top 10 Security Risks and enhance them with what your team considers good practices to avoid issues.
4. Monitor CVEs
You can find the list of common vulnerabilities and exposures (CVEs) for almost every mature product on the market. The development team must regularly monitor CVEs of the products your solution is integrated with. This allows you to react promptly to new risks, often with minimal effort: a new CVE is usually published together with a new version of the app or library you need to update to, or with a temporary workaround while the version carrying the security fix is still under development.
5. Audit the Entire System
In system theory, the term "emergence" refers to properties of a system that do not exist in its parts on their own. These properties emerge only in the system as a whole. For example, if you develop a crypto solution that consists of infrastructure, on-chain, and off-chain code, the system will likely have some emergent properties or behaviors. This is why auditing only the smart contracts may not reveal all the risks the system carries. If a security audit is part of your roadmap, consider auditing the entire system and not just a part of it.
6. Insurance
Even if you've taken all the necessary measures, there is always the risk of a successful malicious attack on your system. Everything created by humans is potentially vulnerable to other humans' actions. While there is no solution to this on the code level, you can always consider insurance that will cover your losses in this case. It comes at a cost, of course, but ask yourself: is it that expensive in comparison to the damage your business could suffer if a hacker steals all your funds in the blink of an eye?
We have implemented most of these approaches as part of the development of a non-custodial wallet for a large investment firm client. The firm realized that a wallet operating within the same ecosystem as their trading platform was an opportunity to maximize user retention. The client understood the risks associated with integrating a cryptocurrency solution into their product suite, and wanted to make sure that all measures were taken in the development phase to mitigate these threats. We explore how we approached this, along with the outcomes in a dedicated case study.
Our team is always on hand to discuss how firms can bolster the security of their infrastructure, or use out-of-the-box solutions backed by two decades of experience. Reach out to us here.