Third-party data breaches have exploded. The problem? Companies, including cryptocurrency exchanges, don't know how to protect against them. When exchanges sign new vendors, most simply assume that their vendors apply the same level of scrutiny as they do. Others don't consider it at all. Today, testing for vulnerabilities down the supply chain is not just good practice; it is absolutely necessary.
Many exchanges are backed by international financiers and those new to financial technologies. Many are even new to technology altogether, instead backed by venture capitalists looking to get their feet wet in a burgeoning industry. In and of itself, that isn’t necessarily a problem. However, firms that haven’t grown up in the fintech arena often don’t fully grasp the extent of the security risks inherently involved in being a custodian of hundreds of millions of dollars in digital assets.
We’ve seen what happens in the face of inadequate security, which goes beyond vendor management and stretches into cross-chain bridges. Just in October, Binance faced a bridge hack worth nine figures. Then there’s also the Wormhole bridge hack, another nine-figure breach. The Ronin bridge hack resulted in the loss of well over a half billion dollars in assets.
In fact, a new report indicates that over a two-year period, more than $2.5 billion in assets was stolen thanks to cross-chain bridge hacks, dwarfing the losses associated with breaches related to decentralized finance lending and decentralized exchanges combined.
Third-party breaches aren’t just a problem for the crypto industry, though, and they certainly aren’t confined to small players. Earlier this year, the New York City school system had a breach involving a third-party vendor that affected more than 800,000 people. Third-party breaches are the new frontier for bad actors.
This is especially true as nation-states rely more and more on hackers as an instrument of foreign policy. In particular, groups out of North Korea and Russia are looking for large, weakly guarded pools of assets from which they can siphon off funds. This makes the cryptocurrency industry a prime target.
The only way to stem these issues before they take down the industry is to realign how it perceives third-party security initiatives. Third parties need complete and thorough vetting before they're allowed access to institutional data of any kind. Once they are allowed access, it is critical to limit their reach to only the data that is absolutely necessary and to revoke those permissions when they are no longer required. The Ronin breach is the cautionary example: a temporary signing approval granted to a partner and never revoked gave the attackers the final validator signature they needed to drain the bridge. Beyond that, it is critical to review the privacy practices of each vendor.
As with bridges, the risk of third-party vendors lies in the connection to the institution's systems. Most cross-chain bridges are breached after bugs are introduced into the code or when signing keys are leaked. These bridge attacks can be mitigated and, in many cases, prevented. Whether the breaches result from false deposits (minting tokens on the destination chain that nothing on the source chain backs) or from compromised validators, human error is usually the root cause. After hacks make the headlines, investigations show that these errors in code could have been caught with foresight.
In particular, which steps could have had an effect on the cross-chain bridge hacks, like Binance's, that we've recently seen? Bridge code needs to be regularly audited and tested before and after its release. One of the most effective ways to do this is to employ bug bounties. Bridge contracts need continuous monitoring, with alerts on any mint or withdrawal that isn't backed by a matching deposit on the source chain and on any approval that comes from a validator whose authority should have lapsed. There should be a security team in place, one that utilizes artificial intelligence to flag potential risks, to oversee these risk management endeavors.
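To make the two controls above concrete (revoking stale signing approvals, and watching for mints that no deposit backs), here is a toy bridge-invariant monitor. It is an added example for this article, not code from Modulus or from any of the bridges mentioned; the event format, the validator allowlist with expiry, and the sample event stream are all constructed assumptions. The monitor enforces one invariant, locked collateral on the source chain must always cover minted supply on the destination chain, and rejects any mint or release that lacks a quorum of currently valid validators.

```python
"""Toy cross-chain bridge monitor (added example; not any real bridge's code).

Assumed model: users "lock" an asset on the source chain, validators approve a
"mint" of the wrapped asset on the destination chain, users "burn" wrapped
tokens, and validators approve the matching "release" of collateral.
Invariant checked: minted supply never exceeds locked collateral.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One bridge event (constructed format for this example)."""
    seq: int                        # global ordering of events
    kind: str                       # "lock" | "mint" | "burn" | "release"
    asset: str
    amount: int
    signers: Tuple[str, ...] = ()   # validators that approved a mint/release


@dataclass
class ValidatorSet:
    """Allowlist of validators; a temporary approval carries an expiry seq."""
    active: Dict[str, Optional[int]]   # id -> last seq the signature counts for
    threshold: int

    def quorum(self, signers: Tuple[str, ...], seq: int) -> Tuple[bool, List[str]]:
        # Count each validator once, and only while its approval is current.
        valid = sorted(
            s for s in set(signers)
            if s in self.active and (self.active[s] is None or seq <= self.active[s])
        )
        return len(valid) >= self.threshold, valid


class BridgeMonitor:
    """Tracks locked vs. minted balances per asset and records alerts."""

    def __init__(self, validators: ValidatorSet) -> None:
        self.validators = validators
        self.locked: Dict[str, int] = {}
        self.minted: Dict[str, int] = {}
        self.alerts: List[str] = []

    def _alert(self, ev: Event, msg: str) -> None:
        self.alerts.append(f"seq {ev.seq} {ev.kind} {ev.amount} {ev.asset}: {msg}")

    def process(self, ev: Event) -> bool:
        """Apply one event; return True if accepted, False (with alert) if not."""
        locked = self.locked.get(ev.asset, 0)
        minted = self.minted.get(ev.asset, 0)
        if ev.kind == "lock":
            self.locked[ev.asset] = locked + ev.amount
            return True
        if ev.kind == "burn":
            if ev.amount > minted:
                self._alert(ev, "burn exceeds minted supply")
                return False
            self.minted[ev.asset] = minted - ev.amount
            return True
        if ev.kind not in ("mint", "release"):
            self._alert(ev, "unknown event kind")
            return False
        # Mint and release both move value and therefore need a live quorum.
        ok, valid = self.validators.quorum(ev.signers, ev.seq)
        if not ok:
            self._alert(ev, f"no quorum: valid signers {valid}, need {self.validators.threshold}")
            return False
        if ev.kind == "mint":
            if minted + ev.amount > locked:
                self._alert(ev, f"false deposit: minted {minted + ev.amount} > locked {locked}")
                return False
            self.minted[ev.asset] = minted + ev.amount
            return True
        # release: collateral may leave only if what remains still covers minted supply
        if ev.amount > locked - minted:
            self._alert(ev, f"release leaves locked {locked - ev.amount} < minted {minted}")
            return False
        self.locked[ev.asset] = locked - ev.amount
        return True


def run_demo() -> BridgeMonitor:
    """Run a constructed event stream; two events should be rejected."""
    # v4 held a temporary approval that lapsed after seq 2 and was never renewed.
    validators = ValidatorSet(active={"v1": None, "v2": None, "v3": None, "v4": 2}, threshold=3)
    monitor = BridgeMonitor(validators)
    events = [
        Event(1, "lock", "ETH", 100),
        Event(2, "mint", "ETH", 100, ("v1", "v2", "v4")),    # ok: v4 still valid at seq 2
        Event(3, "mint", "ETH", 50, ("v1", "v2", "v3")),     # signed, but no collateral backs it
        Event(4, "mint", "ETH", 20, ("v1", "v2", "v4")),     # v4's approval has lapsed
        Event(5, "burn", "ETH", 30),
        Event(6, "release", "ETH", 30, ("v1", "v2", "v3")),  # ok: locked 70, minted 70
    ]
    for ev in events:
        monitor.process(ev)
    return monitor


if __name__ == "__main__":
    for line in run_demo().alerts:
        print(line)
```

Event 3 is the shape of the Wormhole and BNB Chain incidents: a mint that passes signature checks but that no deposit on the source chain backs. Event 4 is the shape of the Ronin incident: a signer whose authority should have been revoked is still counted unless the allowlist carries an expiry. A production monitor would read both chains' event logs rather than an in-memory list, but the invariant and the quorum check are the same.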
With more thought put into security on the front end, there would be fewer bad headlines. It is far less expensive to hire white hat hackers to find exploits before bad actors do than it is to wait for the bad actors to find them themselves.
Historically, the industry has had its fair share of bad headlines. It has even had its fair share of nine-figure hacks. This year, it seems they’ve become an almost accepted part of the digital assets industry. However, as politics become increasingly intertwined with cryptocurrency regulation, never before has there been a greater threat. As hackers with nation-state backing take greater advantage of these third-party connections, they will come under greater scrutiny. There is no doubt about that. It is only a question of when.
That question will likely be answered as soon as the United States Congress finalizes new legislation on the matter. It makes sense that regulation would be the logical next step — unless the industry acts with great haste.
Richard Gardner is the CEO of Modulus, which builds technology for institutions including NASA, Nasdaq, Goldman Sachs, Merrill Lynch, JPMorgan Chase, Bank of America, Barclays, Siemens, Shell, Microsoft, Cornell University and the University of Chicago.
This article is for general information purposes and is not intended to be and should not be taken as legal or investment advice. The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.