Below is a guest post from Michael Egolov. Founder of Curve Finance.
Recent Bibit hack A total of $1.5 billion was lost in Crypto Assets, making it the biggest hack in the entire industry history. What is particularly concerning about this violation is that hackers have targeted Bybit’s cold storage. This is usually the safest part of the exchange infrastructure.
Bibiting It moved The entire event still rocked many people, in order to quickly restock its preparations with the help of our partners. This situation again raises security concerns. How vulnerable is crypto exchange and what lessons should the industry take away from this violation?
Increased risk to CEX platforms
As I see, this incident is more than just another attack. This is a wake-up call that exposes the systematic security flaws of centralized exchanges. Despite implementing strict security measures, the CEX platform remains a major target for hackers. why? To be precise, it is due to its centralized nature.
Unlike Defi, where user funds are distributed to independent wallets, the centralized platform stores assets in a controlled infrastructure. This creates the possibility of a single point of failure. Violating a single security will allow attackers to easily access huge amounts of funds. After that, it’s almost over. Fund recovery should depend on centralized monitoring, support from external agents, and luck in luck.
Chain Analysis Report It clearly shows that centralized services were the most targeted in 2024, indicating a significant shift from Defi Hacks to CEFI. This is further confirmed by Hacken’s data That CEFI more than doubled the previous year, resulting in a loss of nearly $700 million. Access control vulnerabilities were highlighted among the main causes of violations.
This confirms that the exchange needs to rethink its approach to security.
Alternatives for the safety of Defi assets
The good thing about the Defi platform is that its nature minimizes the above mentioned risks. Instead of relying on a central infrastructure, the Defi protocol leverages smart contracts and cryptographic security mechanisms to protect assets. This eliminates the possibility of a focused obstacle. There is no single entity that can be exploited to emit user funds.
However, it should be noted that Defi is not without its own risk. Hackers are always there because they operate in unauthorized environments. Also, transactions are irreversible, so the only true protection is perfect code. Unwritten code can lead to vulnerabilities, but if there are no errors, hackers cannot use them to infiltrate them.
Hacken’s 2024 Security Report This shows that smart contract exploits accounted for just 14% of crypto losses in 2024. This is why we believe smart contract auditing is essential to ensure the highest possible security standards.
Cybersecurity AI: Double-edged sword
With artificial intelligence becoming a more intense topic every day, there are many people in the crypto market wondering what role it plays in security. So I’m going to offer my 2 cents on this subject.
First of all, AI tools have not yet been developed until they are effective in such tasks. But once they get closer to that level, there’s a very good chance they’ll be effective.
A well-developed AI tool is potentially very useful when it comes to simulating and analyzing the execution of smart contracts. In other words, they help detect vulnerabilities in smart contracts, allowing developers to patch security holes before hackers can knock.
Automated testing and AI-assisted auditing significantly enhances security standards and makes both DEFI and CEFI systems more robust. However, it would be wise not to rely entirely on artificial intelligence on such issues. Even this technology can miss things.
At the same time, you can weaponize AI tools with hackers to scan your system and identify flaws to utilize them faster than ever before. This inevitably means an arms race between security teams and hackers where platforms need to always stay one step ahead.
And one of the things I absolutely recommend is to write real smart contracts using AI. Given the current level of development for this technology, AI-written code cannot yet match human developers in quality or security.
What should crypto exchanges be done next?
To date, all centralized exchanges have implemented industry best practices, such as multi-signature wallets and other security protocols. However, as Bybit Hack shows, these measurements do not seem to be sufficient on their own.
CEXS essentially creates centralized points of failure. They should be highly safe, but they remain a single point of attack, making them an attractive target for hackers. One potential solution to this problem is to introduce a user-controlled wallet with an additional monitoring layer managed by the exchange. However, it is also well known that self-supporting and key management is extremely inconvenient for most users. That’s not a particularly safe approach.
In that case, what can be different about exchanges on the side of things?
First, we need to recognize that many of the security mechanisms used by these platforms, including multi-signature wallets, rely on Web 2.0 technology. This means that security relies not only on the robustness of smart contracts, but also on the safety of web-based front-ends. A UI where users interact and access those smart contracts.
Front-end security issues can damage the entire system if hackers find a way to compromise on it. But ensuring security here is a challenge. In many cases, web applications rely on thousands of dependencies (UNISWAP’s UI is over 4,500, for example). All of these represent potential attack vectors. If any of these dependencies are compromised, the hacker can inject malicious code into the interface without having to attack the core system.
So developers need to make sure that not only their own code, but also their platform-dependent software.
A good solution is to use a self-hosted web UI for large exchanges. They exist, especially those that are safe. An even better option is to use specially designed software that completely bypasses traditional web technology when interacting with smart contracts. For example, there is an official CLI tool for secure wallets that significantly reduce the number of dependencies (approximately 100 times) and reduce the risk of supply chain attacks.
Additionally, all signatures for high-value transactions must be carried out on an isolated machine that is used solely for this purpose. Doing so minimizes the risk of human factors that play a role in malware damaging the signature infrastructure. Another approach is to leverage containerized operating systems like Qubesos. It is very exotic at the moment, but has been enhanced as part of its design philosophy.
And, of course, hardware wallets are a standard practice that everyone uses, but when high value transactions are involved, it is important to implement a mechanism that allows exchanges to accurately verify that these wallets are signed. Currently, hardware wallets don’t make this task easier, but there are tools in the market that can help you validate transaction data before it runs.
Overall, implementing any of these measures is not a simple feat. This is a truth that must be acknowledged. Perhaps the industry as a whole needs to establish formal security recommendations or even develop professional operating systems tailored to secure interactions with Crypto.
However, it is also true that without a major upgrade to your security infrastructure, the risks pose to CEXS will only continue to grow.
It is mentioned in this article
