The crypto winter of 2023 has been a challenge for many, not least the thieves targeting crypto wallets, platforms and token protocols. So far this year, they’ve managed to steal just $1 billion in crypto assets – a steep drop from 2022’s record of $3.8 billion.
Unfortunately, the decline appears to have more to do with a reduction in available capital than stronger defense mechanisms. And although the scale of the attacks has decreased, their frequency has actually increased sharply: from 60 hacks in 2022 to 75 by the end of October. And the year is not over yet.
If decentralized finance is ever to be widely accepted by private and institutional investors, it must achieve its goal of democratizing global finance.
We must collectively do better to close the loopholes that malicious actors continually try to slip through.
The key to locking the door against bad actors? We need to vastly improve security audits, which at the moment are inconsistent at best and a rubber-stamp exercise at worst.
Specifically, our industry as a whole must adopt a consistent audit methodology for decentralized technology that is rigorous, standardized and repeatable – as robust as the methodologies that protect traditional finance.
Such an audit standard, coupled with a public commitment by accounting firms to the principle of responsible disclosure – the willingness to highlight projects that refuse to listen to or act on recommendations – will encourage projects themselves to raise their security standards.
Atomic Wallet’s refusal to act on a February 2022 public disclosure of serious security vulnerabilities by auditor Least Authority resulted in the loss of more than $100 million to hackers by June 2023.
At its best, a third-party security audit is a thorough investigation by a skilled team that analyzes every aspect of a system’s design and implementation, identifying weaknesses and flaws that could impact operations or users – or give bad actors access to sensitive data or assets.
A good audit also carefully assesses whether developers and designers have adhered to best practices when creating and deploying a system.
Vulnerabilities come in many forms: incorrect or insufficiently secured cryptography, leaks of sensitive information, unprotected system components, and inconsistencies between system design documentation and the code used in the implementation.
Weaknesses like these can have a range of consequences, from exposing sensitive and secret user data to the loss of user and system resources.
That audits are as detailed – and consistent – as possible is therefore essential for both a project and the safety of its users.
There are dozens of companies offering audit services, but without an industry standard, quality can and does vary drastically. Even within reputable companies, there is no consensus on what should be examined, nor a consistent set of metrics.
Of course, there is no guarantee that even the most experienced auditors will find every weakness in a system or protect every user from loss. But when done thoroughly and regularly, security audits have been proven to greatly reduce the risk of a serious vulnerability going undetected.
However, audits can’t stop social engineering attacks — attacks that manipulate people — like when the North Korean group Lazarus convinced engineers at an unknown crypto exchange to download malware disguised as an arbitrage bot earlier this year. Preventing these types of attacks only comes from vigilance and team training.
It is true that every audit will be different, just as every project is different.
But my long experience in security auditing has taught me that there are specific steps an auditor must take to maximize the effectiveness of the security audit for the benefit of customers, users and the ecosystem.
What are these requirements? An audit standard that aims to make decentralized systems more resilient and protect their users from potential losses should include an exhaustive assessment of the following:
- The project’s threat model
- Security by design
- The security of the implementation
- The use of dependencies
- Testing
- Project documentation
- The scope of the audit and whether or not it is sufficient
To ensure that any improvement in standards benefits the blockchain as a whole, we also advocate sharing knowledge and creating public goods such as research, tooling and training.
By working together to improve the standards of the security audit industry as a whole – and therefore the decentralized technology sphere – we can take a big step forward in preventing blockchain black hat hackers from breaking the 2022 record for stolen crypto assets.
And that’s a record we don’t want to see broken again.
Hind Kurhan is co-founder of Thesis Defense, a decentralized technology security audit firm with a mission to facilitate the widespread adoption of decentralized technology by improving security and audit consistency across the blockchain space.