Following the loss of almost $200 million in a security exploit on crypto protocol Nomad, security experts insisted that more education and security protocols are necessary for protecting web3 communities from hackers.
“The crypto ecosystem is currently in a nascent stage of adoption,” Nick Percoco, chief security officer at Kraken, said to TechCrunch. “Despite the surge of interest over recent years, there is an educational divide that still needs to be bridged for crypto adoption to be truly successful.”
Nomad, a crypto bridging protocol that allows users to trade tokens between a number of blockchains, lost approximately $190.7 million in crypto in a hack on Monday, leaving the protocol with about $15,000 total value locked (TVL, or total user funds in a DeFi protocol), according to data on decentralized finance tracking platform DefiLlama.
Like other cross-chain bridges, Nomad allows its users to transfer assets from one blockchain to another through wrapped tokens, Victor Young, founder and chief architect at interoperability network Analog, said to TechCrunch.
The motivation for malicious actors in the crypto bridge space is substantial because a minor vulnerability can yield millions of dollars, Percoco noted.
“We will continue to see more hacks,” Young said. “This is because the sheer number of blockchains on the market keeps growing, with more being created each day. The broader implication of this growth is that blockchain ecosystems have become ‘walled gardens’ of sorts.”
But there are a number of bug bounties in DeFi. “This means that if a white-hat hacker identifies an exploit, they can now receive massive payouts,” Percoco said. “This incentivizes legal routes of exploiting vulnerabilities and should reduce the overall number of hacks across the ecosystem over time.”
Cointelegraph reported that Nomad said some of the people who took funds were white-hat hackers protecting funds from further losses. The exact amount they saved is unclear, but Nomad thanked the actors from its official Twitter account on Tuesday.
“Thank you to our many white hat friends who acted proactively and are safeguarding funds,” Nomad wrote. “Please continue to hold them until we provide further instructions on this thread.”
As the crypto ecosystem becomes larger over time, interchain operability will continue to grow, too, “at profound levels with a focus on security and decentralization,” Daniel Keller, co-founder at Flux, said to TechCrunch. “However, attention needs to be given to security and not only speed of development as we push DeFi products to the masses.”
Nikos Andrikogiannopoulos, founder and CEO of Metrika, shared similar sentiments, saying that that the high rate of innovation in the crypto world — combined with frequent software upgrades — will inevitably introduce more vulnerabilities. “We need to have real-time monitoring infrastructure in place to prevent and quickly react to exploits.”
There have only been four bridge hacks to date, but three of them occurred this year. The Nomad hack is the third-largest bridge exploit behind Wormhole’s $326 million loss and Axie Infinity’s Ronin Bridge loss at $615.5 million, at current values, according to DeFiYield’s REKT database.
“One of the big issues with bridges is that they store significant dollar amounts of funds in what effectively constitutes a hot wallet,” Percoco said. “Therefore, if a minor mistake is made when creating the smart contract, conducting its maintenance or scheduling its upgrades — as was the case with the Nomad bridge upgrade — then the funds in the bridge can be stolen.”
Disruptive technologies are volatile and can bring significant risk and great rewards, Keller said. “Most of the developers in the blockchain space are learning on the fly, as they come from conventional technology stacks and are retrofitting their skills. Education will become a driving force for better and more secure programming.
“We all must remember that technology is not born but instead, developed,” Keller added.
Similar to fire and weather alerts, which mobilize communities, evacuate threatened areas and activate volunteer rescue teams, blockchain communities need processes and tools to deal with emergency situations, Andrikogiannopoulos said. “More awareness around the crypto-related risks would be of great benefit to the crypto investment community.”
Crypto exploits aren’t a new trend — and they’ve increased year over year as the industry grows in value, even though the crypto market faltered over the past few months. The second quarter of 2022 had $670,698,280 worth of losses, up 52% from $440,021,559 in the same period for 2021, according to Immunefi’s Crypto Losses in Q2 2022 report.
“Ultimately, bridge developers and operators need to invest heavily in security,” Percoco said. “Every upgrade and each configuration change that happens on-chain needs to be audited, preferably by multiple independent parties. This may come at a significant cost, but otherwise incidents like this will continue to occur.”