DeFi Hacks Usually Come Down to Poor Security: Halborn COO

The tech industry has had its eyes fixed on artificial intelligence, and cybersecurity professionals are lining up to find vulnerabilities and patch security holes in AI platforms like OpenAI’s ChatGPT. But blockchain cybersecurity firm Halborn has kept its eyes on the ball, continuing to look for ways to support and secure Web3 projects.

“I think as the ecosystem starts to mature, we’ll start to see a slowdown of some of the dumb mistakes that a lot of projects are making, a lot of organizations are making,” Halborn COO David Schwed told Decrypt at Messari Mainnet. “This is a controversial statement, but many hacks are preventable.”

Schwed pointed to a report by the blockchain security firm that said over $5 billion had been lost in DeFi hacks between 2016 and 2022.

“A number of the hacks were not necessarily on-chain vulnerabilities,” Schwed said. “They were standard Web2 security that was just compromised or breached due to poor security practices.”

While Schwed pointed to a lack of cybersecurity deficiencies in some projects, he also recognized that certain breaches, like zero-day attacks stemming from vulnerable technology, are inevitable. However, he emphasized the need for companies to be prepared.

In cyber security, a zero-day (vulnerability, exploit, or attack) refers to a software vulnerability unknown to those responsible for patching or fixing the software. The zero refers to the amount of time developers had to address to address and patch the vulnerability.

“If you’re relying on a piece of technology, and there’s a vulnerability in that technology that’s a zero-day, I would not fault that organization,” Schwed said. “What I would fault them for potentially is looking for detective-type controls.” Detective controls are designed to find errors or problems after the transaction has occurred.

“So if you start to see anomalies in a smart contract, or anomalies behavior on-chain, that’s when you should have a strong incident response program, or have the ability to issue circuit breakers within a contract or being able to sweep the funds into a potentially non-effected wallet.”

Zero-day attacks are only one of the potential threats DeFi projects face. Last week, the decentralized cryptocurrency exchange Balancer was hit by a denial-of-service (DNS) attack that led to the theft of over $250,000 in funds.

Since their inception, blockchains have been lauded for their decentralization, with many proponents saying hacking blockchains like Bitcoin and Ethereum is impossible because these chains are decentralized. But while blockchain tech may be decentralized, Schwed said the dapps built on top of them are not.

“From the time it’s built to the time it’s deployed, there are still engineers that work at all of these organizations that will update the smart contracts,” he said, adding there is still somewhat of a centralization in deploying smart contracts, their security, and monitoring.

Schwed pointed to the reliance on platforms like Amazon Web Services (AWS), Azure, and Google Cloud for Web3 projects, underscoring that “true 100% decentralization” remains elusive. “There are always centralization choke points in the ecosystem, and a certain level of centralization might actually benefit everyone,” he said.

Schwed suggests Web3 companies look at their projects as a threat actor, and see where potential vulnerabilities lie. Another option he suggests is seeking out professionals or so-called red teams to address security concerns. For companies that lack the funds to hire these professionals, Schwed suggests offering equity in the organization.

Despite the risk posed by cybercriminals and hacks, Schwed is optimistic about the future of blockchain technology.

“I believe that this [technology] has the ability to disrupt and really innovate and provide such value to us as a society, and everybody in this space does and will be more than willing to help,” he concluded.


This website uses cookies. By continuing to use this site, you accept our use of cookies.