Skip to main content

A crypto New Year’s resolution: Modernize security infrastructure

In 2021 and in the years to come, the digital-asset space must take steps to identify and implement solutions for its security.

It’s safe to say that 2020 has been a banner year for the digital-asset space. Bitcoin (BTC) soared past its previous high, and many other prominent cryptocurrencies reached their highest levels since the heyday of 2017 and early 2018. Across the financial services industry, institutional voices are expressing reinvigorated interest in digital assets. The growth and maturation of this space has been impossible to ignore, engendering plenty of optimism among those who build the platforms and systems on which it runs.

Unfortunately, not all the headlines from the past year have been positive. Several well-known crypto exchanges and other organizations were hacked, which led to significant losses. Events like these are not only damaging to a firm’s reputation and potentially devastating for investors, they also erode hard-won trust in the digital-asset space among institutional investors and the public.

Many of these hacks could have been avoided if the companies in question had taken proactive steps to modernize their technology infrastructure. As we close this whirlwind year for digital assets, one of the industry’s top resolutions for 2021 should be to reexamine its approach to infrastructure and make changes to ensure that investors of all stripes can trade and transact with security, efficiency and peace of mind.

Let’s review three of the most consequential hacking events of 2020 and examine how a more intelligent approach to infrastructure could have led to a different outcome.

KuCoin hack: $275 million in customer funds stolen

On Sept. 25, crypto exchange KuCoin was on the receiving end of a major hack that affected its Bitcoin, Ether (ETH) and ERC-20 hot wallets. While initial analysis suggested the hackers stole around $150 million, estimates began to increase in the ensuing days, ultimately making it one of the largest hacking events in the history of digital assets.

Related: KuCoin hack unpacked: More crypto possibly stolen than first feared

As it turns out, the hack was the result of private keys being stolen. While still prevalent in the digital-asset space, private keys mean there will always be a single point of failure through which bad actors can claim unfettered access to hot wallets. Put simply, they are a business risk.

A better approach would have been to leverage multiparty computation protocols, which eliminate the need for private keys and sign every transaction in a secure, distributed way, coupled with an enforced governance-and-control mechanism.

In the KuCoin case, even if the exchange was successfully breached, the hacker would not be able to execute any transaction not authorized by the institution’s infrastructure-provided policy engine.

OKEx withdrawal freezing

For five weeks in October and November, investors were unable to make withdrawals from cryptocurrency exchange OKEx. In a letter to customers, OKEx revealed that one of its private-key holders was cooperating with a police investigation, which kept them out of touch with the company and prevented its multisignature authorization process from being fulfilled.

For a platform that users leverage to carry out important investment decisions, the idea that a single person becoming compromised could result in a critical functionality being disabled for over a month is clearly untenable.

There is a lesson here: When firms use blockchain features designed for security to implement a policy, the result is overwhelming inflexibility. This is one of the paradoxes of the digital-asset space — blockchain transactions are secure and irreversible, but without the right approach, that same rigidity can spell disaster if things go awry.

To prevent this, firms must ensure their infrastructure includes a policy engine that, while not compromising on security, enables a more flexible policy control for multiple approvers, including the separation of signing on and approval of transactions. With this kind of solution in place, OKEx’s ability to fully operate would not have hinged on the availability of any key person.

Nexus Mutual breach: $8 million stolen

These hacking events were not limited to exchanges, as evidenced by the December breach of Nexus Mutual, a decentralized finance platform that serves as an alternative to insurance. The hacker managed to access the personal device of CEO Hugh Karp and install a compromised version of MetaMask, which led to Karp inadvertently signing a transaction that sent 370,000 NXM, worth $8.2 million, to an attacker-controlled address.

The issue here has to do with locally run wallets. These local wallets are unable to provide an out-of-band policy engine, so there is no way to verify that a contract and counterparty address are whitelisted, that the amount and issuer comply with company policy, or that there are additional approvers for certain transaction parameters.

Enlisting a third party with a more flexible, secure approach to infrastructure is the way to address these risks. This is especially important to reduce counterparty address manipulation, which is a risk in many scenarios. Even in the unlikely event that a provider like this is breached, there are safeguards in place to verify counterparty addresses, giving firms multiple lines of defense.

Conclusion

While digital assets have gained a remarkable amount of momentum in the past several months, many organizations still need to improve their security infrastructure before true adoption of digital assets can start.

This is not meant to chastise these firms, which continue to do important work to serve the industry, but to identify where their focus should be to achieve future growth and bring digital assets to the mainstream.

For all these issues — private-key security, authorization structure, local wallets and more — there are approaches that can lead to more efficient, stress-free transacting and fewer headlines that set off alarm bells for the traditional investors we all want to reach.

The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of Cointelegraph.

Itay Malinger is co-founder and CEO of Curv, a digital-asset security infrastructure firm. He draws on more than 15 years of cybersecurity experience in both the public and private sectors. Formerly, Itay was the director of enterprise security products at Akamai Technologies.


from https://ift.tt/2MczogX
https://ift.tt/3rLTC1E
Labels:

Comments

Post a Comment

Any questions, Please.

Popular posts from this blog

ENS DAO delegates offer perspective on DAO governance and decentralized identity

AlphaWallet CEO and Spruce co-founder talk about their roles as contributors to the Ethereum Name Service following the project's recent airdrop. Earlier this month, the Ethereum Name Service, or ENS, formed a decentralized autonomous organization, or DAO, for the ENS community.  Cointelegraph spoke to two ENS DAO delegates who applied for the opportunity to represent the community and stay involved in the decision making process: Victor Zhang, CEO of AlphaWallet, an open source Ethereum wallet, and Gregory Rocco, co-founder of Spruce, a decentralized ID and data toolkit for developers. Zhang spoke about his experience as an external contributor to ENS and an early supporter since 2018. Zhang initially sought to help ENS by offering Alpha Wallet as a user-friendly tool for  resolving .eth names and cryptocurrency wallet addresses. Essentially, if a user inputs an .eth name in the AlphaWallet, it will show the wallet address, and vice versa using reverse resolution. Alpha...
Post a Comment
Read more

How Social Platform Chingari is Using Web 3.0 to Transform the Traditional Way We Use Social Media

The world is changing. This isn’t news to anyone, but sometimes it is nice to realize that—contrary to news headlines—not all the change is bad.  In fact, the last decade has seen so much innovation and so many improvements to technology that even 2015 seems like a different world.  Internet speeds, connecting with anyone globally (for free), and our ability to reach large groups of people without a middleman is nothing short of revolutionary. When it comes to technology evolution, this often happens with different iterations.  Once a system is mature, there’s a better idea of what we would like to change and improve.  We go back to the drawing board, target our creative minds at the issues, and create a new version that has evolved to better meet our needs.  The Internet has followed this model since its inception, evolving through three distinct stages.  We are only at the cusp of the third stage, called Web 3.0, with technologies such as blockchain and ...
Post a Comment
Read more

INX submits bid for Voyager Digital's assets

FTX US won a $1.4-billion bid to purchase Voyager’s assets in September, but with the firm filing for bankruptcy, the funds were once again up for grabs. Trading platform INX has submitted a bid for an undisclosed amount to purchase the assets of crypto brokerage firm Voyager Digital. In a Nov. 30 announcement, INX said it had sent a non-binding letter of intent for Voyager’s assets following the platform filing for bankruptcy in July. According to INX CEO Shy Datika, the bid was aimed at providing “credibility, technology, and unique regulatory positioning” for Voyager users seeking stability in a volatile market. Voyager’s original bankruptcy filing from the Southern District Court of New York suggested the firm could owe between $1 billion to $10 billion to more than 100,000 creditors amid a bear market and exposure to Three Arrows Capital. In September, FTX US won a $1.4-billion bid to purchase Voyager’s assets, but with FTX Group itself filing for bankruptcy in November, th...
Post a Comment
Read more