Higher Security Is A Necessity For The Growth Of Adoption

Published 20.2.2024

The conventional financial realm possesses a noteworthy edge over the blockchain sector, an aspect that often remains under-discussed: its superior resilience to cyber-attacks. Over time, IT experts and the legal system have learned to tackle hacks, scams, and fraudulent activities effectively. Such incidents are not absent, but they occur significantly less frequently than in the blockchain industry. For Decentralized Finance (DeFi) to reach its full potential, it must secure the trust of its users, and that trust can only be established by significantly reducing the number of security incidents. The 2023 security report released by CERTIK offers an in-depth analysis of the incidents that occurred and the corresponding losses, providing valuable insight into the state of security within the industry.

Security Report 2023 by CERTIK

The CERTIK report covers security incidents that occurred on 24 platforms (including some L2s such as Arbitrum or Polygon). Cardano is also on this list.

You can look at the security report from CERTIK yourself.

Let's look at the essential numbers.

A total of 1,840,879,064 USD was lost across 751 security incidents in 2023.

This represents a decline of 51% from 2022's total of 3.7B USD. However, the decline may simply be a result of the bear market. In the upcoming bull market, we can expect increased activity by fraudsters and hackers.

When a bull market attracts new users, it naturally also attracts attackers.

The report states that a moderate positive correlation can be observed between the number of hacks and TVL: if TVL increases, so does the number of incidents. It is also important to note that the total financial loss expressed in USD rises as the market value of native coins rises, since the same stolen tokens are then worth more in dollar terms.

Private key compromises were the most costly attack vector, with ~881M USD lost in just 47 incidents. This represents almost half of all financial losses, even though private key compromises accounted for just 6.3% of all security incidents.

BNB Chain experienced the highest number of security incidents, with a total of 387 hacks, scams, and exploits leading to 134M USD in losses.

Ethereum saw a total of 224 incidents but 686M USD in losses.

It can be observed that the highest frequency of incidents tends to occur in the most heavily utilized ecosystems. This is a logical trend from an attacker's perspective, as these ecosystems typically have the largest number of users and hold the most funds within their DeFi applications.

In the following figure, you can see the number of incidents per platform and the total financial loss.

Now look at the breakdown of security incidents by type.

There were only 47 private key compromise incidents, but the total loss they caused is the highest.

There were 306 exit scams, but their total loss was the lowest compared to the other incident types.

There were 197 code vulnerabilities, the second-highest number of incidents, and the total loss they caused is relatively high.

Let's look at one of the significant incidents associated with the compromise of private keys.

In July, Multichain suffered a significant breach resulting in a 125M USD loss. It was later discovered that the CEO alone controlled the supposedly decentralized platform’s servers and private keys. This issue surfaced when the CEO was arrested, rendering 1.5B USD inaccessible to users. The situation escalated as funds started transferring to unidentified wallets, highlighting the risks of centralized private key control: a single person holding the keys is a single point of failure, whether through compromise, coercion, or arrest.

In the security report, you will also find details about Ledger's library leak, which resulted in approximately 500K drained wallets. Unfortunately, in some cases even a hardware wallet may not be sufficient protection for users' assets.

Further in the report, you will find details about the KyberSwap hack, in which the attackers abused the infamous flash loan mechanism.

Institutional Adoption

It may be surprising that, despite the large number of security incidents, financial entities are pushing for adoption. In 2023, significant progress was made towards institutional adoption of blockchain technology, with key financial entities like Swift, the Hong Kong Monetary Authority (HKMA), and the Australia and New Zealand Banking Group (ANZ) leading the way.

We are slowly moving from proof-of-concept solutions to live production.

Swift focused on blockchain interoperability and tokenized asset settlement, demonstrating the ability to connect various private and public blockchains.

ANZ, with over 1T USD in assets under management, launched Australia’s first private stablecoin and traded tokenized carbon credits.

The HKMA issued 100M USD in tokenized green bonds, emphasizing the alignment of tokenized bonds with existing securities regulations.

These advancements suggest a growing acceptance of blockchain’s potential in traditional finance, paving the way for a significant influx of capital into the blockchain space, driven by tokenization.

It may seem like the financial world is finally moving to blockchain. However, it turns out that interoperability with conventional systems, such as existing custody and payment systems, is technologically complex, and the risks involved in this endeavor are great.

Overcoming these technological difficulties can lead to mass adoption of blockchains by traditional institutions and a huge influx not only of capital but, above all, of users.

Ultimately, it comes down to whether it is possible to write smart contracts that are as secure as possible, i.e. free of vulnerabilities. Although we can be pleased with what has been achieved so far, we must remain cautious. The number of security incidents is still very high on the two most used smart contract platforms, Ethereum and BNB Chain.

Bottom-up Adoption

The adoption of DeFi is not solely about institutions. It’s also about everyday people who can benefit from using stablecoins and decentralized financial applications. However, for this to be possible, the security of these platforms must be significantly enhanced, thereby reducing the number of security incidents.

In the traditional financial world, the infrastructure is closed-source and centralized, managed by IT and security experts. Most frauds are detected and resolved through the legal system. This structure has its advantages, such as a high degree of control and the ability to respond quickly to threats. However, it also has drawbacks, such as a lack of transparency and the potential for abuse of power.

Blockchain addresses the drawbacks of centralized financial infrastructure, but it must not introduce new ones. Decentralization loses its meaning for most users if the same quality of security cannot be achieved.

DeFi users should prefer open-source projects. The open-source nature allows for greater transparency and community involvement, which can lead to more robust and secure systems.

However, open source also presents unique security challenges. The code is publicly available for anyone to scrutinize, including potential attackers. Therefore, smart contracts must be thoroughly audited and battle-tested over time to establish their security.

As these applications stand the test of time and prove their security, people will start to use them more. This is a gradual process, as trust needs to be built over time. Users need to feel confident that their assets are safe and that the platform will function as expected.

The fewer incidents there are, the more trust users will have in the platform.

The adoption of DeFi is a multifaceted process that involves not just institutions, but also everyday users. It requires a delicate balance of openness and security. As DeFi continues to mature and evolve, we can expect to see a greater influx of users who see the benefits of decentralization and the potential of blockchain technology.

Cardano And Bottom-up Adoption

Where does Cardano fit into the equation? The CERTIK report does not explicitly mention it in the context of security incidents. This is largely due to its lower TVL compared to Ethereum and BNB Chain.

If the number of users and TVL grows, Cardano will gain the attention of attackers.

So far, Cardano has the status of a smart contract platform whose DeFi has never been hacked. That can change quickly. Exit scams and various other types of attacks cannot be prevented entirely. However, we all expect to see fewer vulnerabilities in the source code.

If you look at the platforms on which, according to the security report, several serious security incidents have occurred, you will find that their TVL is significantly smaller than, or similar to, that of Cardano.

For example, Base has a TVL of 400M USD, which is almost identical to Cardano's TVL. A total of 4 incidents occurred there.

Core, Fantom, Scroll, and zkSync have a significantly smaller TVL than Cardano, and attackers were successful on each of them in at least one case. From this, it can be concluded that Cardano is an attractive smart contract platform for attackers, yet they did not manage to carry out any significant attack (one that CERTIK would mention in the report).

For attackers, any platform on which tens of millions of USD are locked up is attractive. Hundreds of millions of USD are locked up on Cardano.

We can state that Cardano's record of 0 hacks is very likely also due to it being a secure platform whose third-party code does not contain critical vulnerabilities.

Conclusion

In the coming years, the number of security incidents will be one of the key drivers of adoption. DeFi services are often very similar from the users' point of view, but they can fundamentally differ in terms of security. If any SC platform, be it Cardano or any other, turns out to be significantly more secure than others, it has a chance to gain significant market share.

The reality is that once the TVL of an ecosystem exceeds 1B USD, there are at least 2 serious incidents every year. This is still a very poor result considering how huge TVL could become if mass adoption were to take off. The Tron, Avalanche, Solana, and Optimism projects are on the right track, because they have a TVL of around 1B USD or higher but a very low number of security incidents. Hopefully, Cardano will join them.
