Commentary by Leticia Martignon — a crypto learner
Even the most prominent blockchain projects can be brought to their knees by hackers and coordinated financial attacks. One more reason to take your dough and run for your life? Here’s why crypto is hacked frequently — and why that might be a good thing.
We’ve spoken about the most common scams you might encounter on your crypto journey. You have a certain control over whether you fall for them or not (hopefully no longer after having read our article). But you might end up as collateral damage when the project itself falls victim to an attack. Throw up your hands and give up on the entire Web3 space? Not so fast.
You’ve heard the news: Solana holders who engaged with the Slope wallet or extension had their seed phrases served on a golden platter to the hackers, who made away with an estimated US$8 million, draining more than 8,000 compromised wallets.
This heist came just a day after the US$200 million hack of the Nomad bridge and had the crypto community on edge. So whenever a big project gets hacked, I invariably get the same question from my mother (I haven’t figured out where she gets her intel from): did I lose any money this time? “Thankfully not, mom.”
But I will. It’s just a matter of time before some of my money is lost. It’s placed with sufficient diversification. And I don’t hold it in a single hot wallet interacting with all sorts of infrastructure and websites. I only buy with money I can lose. So she won’t hear me crying about having lost all of my pension money on a single token. But some loss is still bound to happen. And that’s a good thing.
Fail early, fail fast, fail often
I believe in blockchain technology wholeheartedly. I believe Web3 will transform our lives. And I believe in the people that run (most) projects behind this transformation. But they work on very new tech, and a lot of the things that gain fast fame and big adoption are done for the very first time.
In the late 2000s I launched a Web2 startup and failed. I spoke with a lot of experienced investors and developers during that time. And I learned something that I use every day, even in the very traditional consulting business: fail early and fail often. Anyone looking at your project from a buyer’s or investor’s perspective should ask if you’ve failed and how you managed the situation. It’s an excellent way to judge a team and a product for resilience, transparency and crisis management.
In Web3, with its strong community focus, these crises are discussed intensely. Project teams tend to communicate live and massively, very unlike stock market companies, which might put out a couple of press releases and respond with “No comment.” That has made the fail-and-recover approach fairly visible in crypto, as opposed to most other tech industries.
Is blockchain even secure?
We might be led to think that this space is particularly unsafe and vulnerable to hacks. The truth, however, is that blockchains themselves, the underlying technology of Web3, are rarely hacked and extremely secure. So where do all those spectacular hacks enter the system?
Decentralisation vs. Centralisation
We won’t discuss decentralisation in detail here. But it’s key to understanding the dynamics that lead to a lot of attacks. While the entire premise of the blockchain is the decentralisation of power — computation and information away from one centralised entry point — many services built on top of blockchains are centralised and less robust. This is what allegedly got crypto users who interacted with the Slope wallet services into trouble during the August “Solana” hack. In fact, the Solana blockchain itself wasn’t attacked. But the centralised wallet and related services offered by Slope opened the door. The clients’ seed phrases were stored without encryption on a centralised server: an open invitation for theft, and negligence even under Web1 conditions.
Centralisation isn’t the only factor that leads to vulnerabilities, and some decentralised systems such as DAOs are also targeted frequently. But it is key to understand that the blockchain technology itself is not the magnet for hackers. It’s what happens around it, if you will.
Innovation & finance = sweet temptation
Products in crypto are often launched without the possibility of performing all stress tests, simply because not all scenarios have played out yet, as the technologies are very new. Add to that the storybook plays of people making crypto millions with a few hundred bucks. They’ve attracted high-risk players willing to invest in projects that haven’t proven themselves. That’s how an immature but very exciting industry was catapulted to the investment skies.
Add to that the juicy catch for a hacker who manages a successful attack. Hacking a bank, for instance, is extremely cumbersome: the tech has been used and proven and tested and tested again before it ever goes live in a banking environment. And while it could be very profitable to hold an S&P100 company ransom after hacking its information system, it involves negotiations with humans, which is another complication. In crypto, however, once the hacker gets to their destination, it’s quick cash.
Buy the blood
So, there seem to be many reasons to cringe. But there is a silver lining. Hacks are also (and forgive the coldhearted trader’s view) an excellent way to catch good projects at a discount. This, as usual, is not financial advice; I’m just sharing some of the things I’ve learned. But whenever a project I like gets hacked (and at least three have), I observe the price drop and the leadership actions; and if it checks out, I make a move.
Don’t worry about what you cannot control
While scams largely target the individual, giving us the possibility to prepare and protect ourselves, hacks are out of our control. We cannot research a future hack. We mostly have neither the knowledge of nor the access to the information that could help us judge the security of a system (especially if it is centralised and the code is not visible on the blockchain). And most of all, we don’t have the time to perform the detailed research needed to discover a vulnerability in the code.
So what’s the solution?
You can, however, check if the project was audited by a reputable entity (projects often list their audits and the recommendations for improvements on their websites). You can get to know the team and judge their experience and resilience. You can also research professionals on Twitter who do cybersecurity research in the crypto field and communicate about potential weaknesses of major projects. You can find and make friends who have the knowledge and capacity to analyse the available documentation of projects, and hang on their every word.
But in the end, the only reliable and easy measures to keep a good night’s sleep while participating in the adventure that is crypto stay the same: Do not place money you need. Do your own research. Diversify. Protect your data.
Disclaimer: This is not financial advice, but the opinion of our commentator. Crypto is a risky and volatile asset. Kryptview cannot be held responsible for any investment decisions you make. Do your own research.