“A compromised server may present the user with misleading information tricking him into executing transactions that will drain his wallet,” says Prisacaru. But putting enough time and effort into doing the implementation properly can protect against attacks, especially when it comes to using a decentralized platform.
“When implemented properly in a decentralized fashion, a compromised marketplace should not be able to steal or alter a user’s assets; however, some marketplaces cut corners and sacrifice security and decentralization for more control,” Prisacaru says.
Cryptocurrency scams are common, and they can often have a large number of victims. “Scammers regularly stay on top of highly anticipated NFT releases and usually have dozens of scam minting sites ready to promote in tandem with the official launch,” says Stein. The customers who fall victim to these scams are often some of the most loyal, and this bad experience could potentially affect how they perceive the brand. So, protecting them is crucial.
Often, users receive malicious emails claiming that suspicious behavior was noticed in one of their accounts and asking them to provide their credentials for “account verification” to resolve it. If the user falls for this, their credentials are compromised. “Any brand trying to get into the NFT space would benefit from allocating resources towards monitoring and mitigation from these types of phishing attacks,” Stein says.
5. Blockchain bridges are a rising threat
Different blockchains have different coins and are subject to different rules. For example, if someone has bitcoin but wants to spend Ethereum, they need a connection between the two blockchains that allows the transfer of assets.
A blockchain bridge, sometimes called cross-chain bridge, does just that. “Due to their nature, usually they are not implemented strictly using smart contracts and rely on off-chain components that initiate the transaction on the other chain when a user deposits assets on the original chain,” Prisacaru says.
Some of the biggest cryptocurrency hacks involve cross-chain bridges, including Ronin, Poly Network, and Wormhole. For example, in the hack against the gaming blockchain Ronin at the end of March 2022, attackers stole $625 million worth of Ethereum and USDC. During the Poly Network attack in August 2021, a hacker transferred more than $600 million in tokens to multiple cryptocurrency wallets. Luckily, in that case, the money was returned two weeks later.
6. Code should be thoroughly tested and audited
Having good code should be a priority from the beginning of any project. Prisacaru argues that developers should be skilled and willing to pay attention to detail. Otherwise, the risk of falling victim to a security incident increases. For instance, in the Poly Network attack, the attacker exploited a vulnerability between contract calls.
To prevent an incident, teams should conduct thorough testing. The organization should also contract a third party to perform a security audit, although this can be expensive and time-consuming. Audits offer a systematic code review that helps identify the most common known vulnerabilities.
Of course, checking the code is necessary but not sufficient, and the fact that a company did an audit doesn’t guarantee that they are out of trouble. “On a blockchain, smart contracts are usually highly composable, and oftentimes, your contracts will interact with other protocols,” Prisacaru says. “Businesses, however, only have control over their own code, and interacting with external protocols will increase the risks.”
Both individuals and businesses can explore another avenue for risk management: insurance, which helps companies reduce the cost of smart contract or custodian hacks.
7. Key management
“At its heart, crypto is just private key management,” says Schwenk. “That sounds simple to many firms, and CISOs may well be aware of the issues and best practices.”
There are several accessible solutions for key management. One is hardware wallets such as Trezor, Ledger, or Lattice1. These are USB devices that generate and store the cryptographic material on their secure elements, preventing attackers from extracting your private keys even if they have compromised your computer, for example with malware or a backdoor.
Another line of defense is multi-sigs, which can be used together with hardware wallets. “At its base, a multi-sig is a smart contract wallet that requires the transactions to be confirmed by a number of its owners,” says Prisacaru. “For example, you could have five owners and require a minimum of three people to sign the transaction before it can be sent. This way, an attacker would have to compromise more than one person in order to compromise the wallet.”
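The M-of-N confirmation rule Prisacaru describes, as an added example that is not from the article or any real wallet: a minimal Python model of a 3-of-5 multi-sig in which each owner's confirmation counts once, non-owners are rejected, and a transfer executes only once the threshold is met. Owner names and the destination address are constructed for illustration.

```python
# Added example, not from the article: a minimal model of the M-of-N multi-sig
# wallet Prisacaru describes (5 owners, threshold 3). Names are constructed.
from dataclasses import dataclass, field

@dataclass
class Proposal:
    to: str
    amount: int
    confirmations: set = field(default_factory=set)  # distinct owners only
    executed: bool = False

class MultiSigWallet:
    def __init__(self, owners, threshold, balance=0):
        if not 1 <= threshold <= len(set(owners)):
            raise ValueError("threshold must be between 1 and the owner count")
        self.owners = set(owners)
        self.threshold = threshold
        self.balance = balance
        self.proposals = []

    def propose(self, owner, to, amount):
        self._require_owner(owner)
        self.proposals.append(Proposal(to, amount))
        return len(self.proposals) - 1  # proposal id

    def confirm(self, owner, pid):
        # A set means re-signing by one (possibly compromised) owner adds no weight.
        self._require_owner(owner)
        p = self.proposals[pid]
        if p.executed:
            raise RuntimeError("proposal already executed")
        p.confirmations.add(owner)
        return len(p.confirmations)

    def execute(self, owner, pid):
        self._require_owner(owner)
        p = self.proposals[pid]
        if p.executed or len(p.confirmations) < self.threshold:
            return False  # fewer than M distinct owners have signed
        if p.amount > self.balance:
            raise RuntimeError("insufficient balance")
        p.executed = True
        self.balance -= p.amount
        return True

    def _require_owner(self, who):
        if who not in self.owners:
            raise PermissionError(f"{who} is not an owner")
```

Because confirmations are keyed by owner, an attacker who controls a single key cannot reach the threshold alone; they would need to compromise at least M distinct owners.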
8. Employee and user education
Organizations that would like to integrate Web3 technologies need to train their employees because new tools are needed to transact on the different blockchains. “Commerce for digital assets might seem familiar to traditional e-commerce, but the tools and browser plugins needed to be proficient in this new world are quite different than what finance teams are used to,” says Aaron Higbee, co-founder and CTO of Cofense.
While every business needs to worry about email-based phishing attacks, employees who handle digital assets can be targeted more often. The purpose of training is to make sure that everyone in the team follows the latest best practices and has a good understanding of security. Oded Vanunu, head of products vulnerability research at Check Point, says he noticed “a big gap” in knowledge when it comes to cryptocurrency, which can make things “a little bit chaotic” for certain companies. “Organizations that would like to integrate Web3 technologies need to understand that these projects must have deep security reviews and security understanding, meaning that they must understand the numbers and the implication that can happen,” he says.
Some organizations that don’t want to do private key management decide to use a centralized system, which makes them vulnerable to Web2 security issues. “I’m urging that if they are integrating Web3 technologies into their Web2, this must be a project that will have a deep security review and security best practices that need to be implemented,” Vanunu says.
9. The permanence of NFTs and Web3 decentralized apps
Many enterprises will sunset products that no longer serve their needs, but this is typically not an option for blockchain-backed assets if they are done right. “NFTs should not be treated as a one-time marketing effort,” Stein says. “If the NFT itself is not on chain, there’s now a burden on the company to keep it up in perpetuity. If the project becomes a wild success, then the company has taken on a major task of supporting the collectors of these NFTs with regards to mishaps, scams, etc.”
One viral project is the one launched by the Ukrainian government, which sold NFTs based on the timeline of the war. “The place to keep the memory of war. And the place to celebrate the Ukrainian identity and freedom,” according to a tweet by Mykhailo Fedorov, vice prime minister of Ukraine and minister of digital transformation. NFT enthusiasts reacted positively, saying they wanted to buy a piece of history and support Ukraine. Their expectation, though, is for the project to be kept up.
10. Blockchain is not always the right tool
New technologies are always exciting, but before making the leap, organizations should ask if they actually solve the problem, and if it’s the right time to adopt them. Blockchain-based projects have the potential to change companies for the better, but they might also drain resources, at least in the initial stage.
“Weighing the risk/reward will be an important part of the decision, and appropriately resourcing the security effort, both in adoption and ongoing, is critical,” Schwenk says. “Judgment of risk/reward for these new exposures may not (yet) be a core competency, and it’s easy to get caught up in the hype that is often associated with crypto.”