It’s safe to say that 2020 was a banner year for the digital assets space. Bitcoin (BTC) has passed its previous highs, and many other well-known cryptocurrencies hit their highest levels since their heyday in 2017 and early 2018. Across the financial services industry, institutional voices are showing a revived interest in digital assets. The growth and maturation of this space could not be ignored, which inspires a lot of optimism from those who build the platforms and systems on which it runs.
Unfortunately, not all headlines from last year were positive. Several well-known crypto exchanges and other organizations were hacked, resulting in significant losses. Events like this not only damage a company’s reputation and potentially have devastating consequences for investors, but they also undermine the hard-won trust of institutional investors and the general public in the digital asset space.
Many of these hacks could have been avoided if the companies involved took proactive steps to modernize their technology infrastructure. As we close this whirlwind year for digital assets, one of the industry’s top resolutions for 2021 should be to review its approach to infrastructure and make changes to ensure that investors of all kinds can trade and conduct transactions with safety, efficiency and security.
Let’s look at three of the top hacking events of 2020 and examine how a smarter approach to infrastructure could have produced a different outcome.
KuCoin hack: $ 275 million in stolen customer funds
On September 25th, the KuCoin crypto exchange was at the end of a major hack that affected the Bitcoin, Ether (ETH) and ERC-20 hot wallets. While initial analyzes indicated that the hackers had stolen around $ 150 million, estimates increased in the days that followed, ultimately making it one of the biggest hacking events in digital asset history.
Connected: KuCoin hack unpacked: Possibly more crypto stolen than initially feared
As it turned out, the hack was the result of private keys being stolen. While private keys are still widespread in the digital asset space, they mean there is always a single point of failure through which bad actors can claim unrestricted access to hot wallets. Simply put, they are a business risk.
A better approach would have been to use multi-party computation protocols that eliminate the need for private keys and sign each transaction in a secure, distributed manner in conjunction with an enforced governance and control mechanism.
In the case of KuCoin, even if the exchange was successfully breached, the hacker would not be able to execute a transaction that was not authorized by the institution’s policy engine provided by the infrastructure.
Freeze OKEx payout
In October and November, investors were unable to make withdrawals from the OKEx cryptocurrency exchange for five weeks. In a letter to customers, OKEx announced that one of its private key holders was collaborating with a police investigation that blocked them from contact with the company and prevented the multi-signature authorization process from completing.
For a platform that users use to make important investment decisions, the notion that a single person could be compromised by having critical functionality disabled for more than a month is clearly untenable.
There is a lesson here: when companies use blockchain features designed for security in order to implement a policy, the result is overwhelming inflexibility. This is one of the paradoxes in the digital asset realm – blockchain transactions are safe and irreversible, but without the right approach, that same rigidity can mean disaster if something goes wrong.
To prevent this from happening, organizations must ensure that their infrastructure includes a policy engine that does not compromise on security, but allows more flexible policy control for multiple approvers, including the separation of registration and approval of transactions. With this type of solution, OKEx’s ability to operate fully could not have depended on the availability of a key person.
Nexus Mutual Infringement: $ 8 million stolen
These hacking events weren’t limited to sharing, as demonstrated by the December breach of Nexus Mutual, a decentralized financial platform that serves as an alternative to insurance. The hacker managed to access CEO Hugh Karp’s personal device and install a compromised version of MetaMask, which resulted in Karp inadvertently signing a transaction that dated $ 370,000 NXM worth $ 8.2 million Attacker controlled address sent.
The problem here has to do with locally operated wallets. These local wallets cannot provide an out of band policy engine. Therefore, it cannot be checked whether a contract and a counterparty address are on the whitelist, whether the amount and the issuer comply with company guidelines, or whether there are certainly additional approver transaction parameters.
By engaging a third party with a more flexible and secure infrastructure approach, these risks can be addressed. This is especially important in order to reduce the manipulation of counterparty addresses, which is a risk in many scenarios. Even in the unlikely event that a vendor like this is breached, safeguards are in place to verify counterparty addresses and provide companies with multiple lines of defense.
While digital assets have gained remarkable momentum in recent months, many companies still need to improve their security infrastructure before they can actually begin the actual adoption of digital assets.
This is not intended to chastise those companies that continue to do important work for the industry, but rather to figure out where their focus should be on achieving future growth and bringing digital assets into the mainstream.
For all of these topics – private key security, authorization structure, local wallets and more – there are approaches that can result in more efficient, hassle-free transactions and fewer headlines that set off alarm bells for the traditional investors we all want to reach.
The views, thoughts, and opinions expressed here are the sole rights of the author and do not necessarily reflect or represent the views and opinions of Cointelegraph.
Itay Malinger is co-founder and CEO of Curv, a digital asset security infrastructure company. He has over 15 years of cybersecurity experience in the public and private sectors. Itay was previously the director of enterprise security products at Akamai Technologies.