Why web3 companies get hacked so often, according to crypto VC Grace Isford

On the Chain Reaction podcast this week, Lux Capital’s newest investor, Grace Isford, joined us to talk about the opaque but crucial world of web3 infrastructure. At Lux, Isford invests in the companies working behind the scenes to make sure crypto exchanges are secure and reliable enough to avoid being hacked.

Before joining Lux this February, Isford was an investor at Canvas Ventures focused on enterprise software and fintech. A data infrastructure investment she worked on at Canvas revealed to her the opportunity in the web3 space for companies to “share data immutably at scale,” motivating her pivot to crypto, she said.

“That led me down the rabbit hole, and then I ended up investing myself personally,” Isford said. “I got into yield farming, which coincided with my move to New York, where many of my friends are also in the crypto and VC ecosystem.”

Isford says her investing approach in web3 is rooted in what she calls her “circle of competence,” or the area where she can be competitive compared to others in the space.

“NFT investing is quite different than DeFi investing, which is quite different than crypto data infrastructure investing, and I would argue that any person who says they invest in web three shouldn’t invest in all of that — they should probably choose their sweet spot in their core competency,” Isford said.

Isford’s own “circle of competence,” based on her prior experience, is in enterprise and fintech infrastructure, so we asked her what she thinks some of the biggest challenges are for web3 infrastructure providers.

Compared to Web 2.0, Isford said, web3 lacks enterprise-level security solutions. Alchemy and Infura are the only two major node service providers in the industry, meaning that most of crypto is reliant on two infrastructure providers to manage their data.

“There seems to be a new security hack reported every week [in web3],” Isford said, citing the recent Metamask and Ethereum dApp outage that originated from Infura and February’s Wormhole bridge hack.

While a number of startups are working on developing security solutions, Isford said, the tech is “still quite nascent” when it comes to developer tools, data infrastructure monitoring and storage.

Another major challenge is managing fraud and downside risk, Isford added.

“I think [that issue] is really keeping a lot of folks out of the crypto world right now [because they’re] afraid of losing all their money if they venture too deeply into crypto,” Isford said.

Isford is optimistic that through the massive inflows of investment into web3 startups in the past year, companies will be able to build more reliable solutions.

“I think TRM Labs, Chainalysis and several other companies in this space have 10x potential in terms of compliance and monitoring because you just do not have that yet at scale in the same way that we’ve kind of created these sophisticated AML systems on the financial infrastructure side in the web2 world,” Isford said, referring to traditional financial institutions’ anti-money laundering technology.

Better fraud and risk management systems are a precursor to more institutional money flowing into crypto, Isford said. As companies like Fidelity, Goldman Sachs and JP Morgan continue to make strides into crypto, the market will mature she added.

“I think one of the biggest opportunities in crypto right now is still security, if you can build more reliable smart contracts at scale … but you can’t have a reliable system if it’s not secure, right? And you can’t run a system securely if you don’t know who’s within that system, so I think security is probably one of the most important pieces from a prioritization standpoint,” Isford said.