Open source software is needed to prevent future crypto hacks, Polygon CISO says

The pace of crypto hacks hasn’t slowed in the dog days of summer, with tens of millions of dollars stolen in August alone. As the crypto community carries on in the wake of the expensive exploits, many web3 users are biting their tongue waiting for the next big one to strike.

On August 1, Nomad, a crypto bridging protocol, was hacked for about $190 million. (Crypto bridges allow users to transfer one token on one chain into another on a different blockchain.) In a separate incident, just a day later, over 8,000 Solana-focused crypto wallets were drained of their funds. Earlier this week, Curve.Finance, a decentralized finance protocol, was hacked for about $570,000 — nominal compared to the Nomad exploit but noteworthy nonetheless.

“We want people to look at our code base and inspect it and find bugs in it so it can be improved. We want everyone to collaborate together.” Polygon's Mudit Gupta

As 2022 continues to rack up expensive exploits, many people in the crypto space are wondering what can be done to prevent these hacks in the future. Sure, they can emphasize the importance of education and protecting your own digital assets — but what else?

The answer might be through projects employing open source software, Mudit Gupta, chief information security officer at layer-2 blockchain Polygon, told TechCrunch.

The Solana wallet incident happened because of a silly mistake, Gupta noted. “Anyone can do it; we’re just humans. But if it was built on open source software it would have been caught almost immediately and the product would have been much safer.”

Polygon is one of the most well-known blockchains building on Ethereum, with a cumulative 37,000 decentralized applications (dApps) launched on its chain. Polygon's proof-of-stake (PoS) chain is home to some of the biggest web3 projects, including Aave, Uniswap V3 and OpenSea.

The number of monthly active teams, which Polygon sees as the most direct measure of developer activity on the PoS chain, came in at about 11,800 at the end of July, up 47.5% from over 8,000 in March, the company said in a blog post.

“We’re leveraging open source software to leverage all the expertise in the space,” Gupta added. “We want people to look at our code base and inspect it and find bugs in it so it can be improved. We want everyone to collaborate together.”

Today, some crypto projects are hesitant to open source their software because it makes them more vulnerable and gives competitors access to their code (which they could then copy). But if a company is confident in what it is doing, it shouldn’t matter, Gupta said.

“We are seeing so many hacks with crypto companies and products. But if you stay with the high-quality products and good companies, you’re in a much better shape,” Gupta said. “This space isn’t bad; there’s just a bunch of bad actors.”

Ethereum is probably the best-known open source project and allows developers to scale and build on top of it with open source technology. Indeed, Polygon builds on top of open source Ethereum projects. Separately, Ethereum-based layer-2 networks like Arbitrum and Optimism semi-leverage open source software through releasing a product and then open sourcing it, Gupta said.

“If bad people want to exploit it, they will — they don’t differentiate between the two. You can argue exploiting a closed-source product is a little bit harder, but security by obscurity isn’t really security,” Gupta said. “By being open sourced, it invites not only bad actors but also hundreds of good actors to find bugs, too, before the bad actors. But if you close your code, the bad actors will still look at it, but the good actors won’t be able to.”

The stakes are high in crypto, but in the traditional space, if your money is stolen from a bank account, you can still trace and follow the money and (usually) get it back. As for looted funds on the blockchain? You can’t really do anything, Gupta said. “Obviously security is arguably more important for crypto and blockchain products. We need to focus on everything that focuses on security, like open sourcing versus caring about brand advantage and so on.”

The more a product, protocol or project is tested, the safer it gets, Gupta said. But until the emphasis on security is set in stone across the crypto industry, hacks will continue to happen, he noted.

“Eventually the number of hacks will reduce, but I do expect them to happen for a few months,” Gupta said. “The focus on security hasn’t happened. People don’t respect security as much as they should, and we’re pushing companies in the space to start caring about blockchain security.”

In the future, Gupta said he sees crypto security being a “superset” of Web 2.0 traditional security. Right now, people mainly care about the blockchain side of security and have completely ignored the traditional side of security, he noted. But in the future, all crypto companies will “have to do everything that a traditional Fortune 500 company does and other things to keep their blockchain secure and safe.”

“All of these things will take time. It won’t happen overnight, but I’m very positive that the whole space, not just Polygon, will be much safer for everyone.”