Despite the growing number of attacks in the ecosystem, only 1,150 specialists worldwide are able to audit crypto projects for cybersecurity, according to a study by KPMG.
Although the blockchain is built on a strong security foundation, “Web 3 is not safe from intruders,” according to a study published this Wednesday by KPMG. While attacks were initially carried out against centralized cryptocurrency exchange platforms (CeFi), they now seem to be concentrated in one sector: decentralized finance.
Recall that decentralized finance (DeFi) is an open financial system, available to any user, that allows certain traditional financial transactions such as loans. Decentralized platforms (also called DEXs, for “decentralized exchanges”) allow peer-to-peer crypto transactions without passing through a trusted third party; examples include Bitsquare, Uniswap and PancakeSwap. Conversely, centralized platforms (or CEXs, for “centralized exchanges”) carry out transactions through their own servers and a centralized order book; examples include Binance, Coinbase and Coinhouse.
Between 2012 and 2022, nearly $2.66 billion was stolen from centralized cryptocurrency exchanges. For example, in January the centralized platform Crypto.com was hacked, affecting 483 users. Similarly, in late April the Chinese exchange Hotbit also fell victim to hacking, with attackers beginning to monitor its wallets (e-wallets).
In addition, according to the Immunefi platform, cryptocurrencies worth $1.2 billion were stolen from decentralized finance in the first quarter of this year alone, an increase of 692% compared to the first quarter of 2021. Among the biggest hacks in the history of DeFi are the Ronin Network, where $624 million was stolen from Axie Infinity’s Ronin sidechain on Ethereum, and Poly Network, a hack in which $611 million was stolen from the platform.
DeFi has been gaining momentum for several months: in the first quarter, the total value locked in DeFi protocols was 10.6% of the total cryptocurrency market. It is therefore real prey for hackers. Attackers are targeting everything: smart contracts, user wallets, blockchain infrastructure. As soon as they notice the slightest flaw in a system, they attack it.
However, despite increasingly complex attacks, KPMG found that there is still a lack of competent experts to deal with them. Although automated tools (such as fuzzing) have been developed to prevent certain attacks, human analysis remains essential.
“We’ve made a simple observation: more and more crypto projects are breaking down. Crypto companies can wait months before they can audit their smart contracts with crypto security audit companies,” explains Carolina Horna, a cybersecurity and blockchain engineer at KPMG and co-author of the study.
“If we do not increase the number of experts, the hacks will increase”
Although the first audit firm specializing in crypto security was established in 2012, and the trend has accelerated since 2017, today there are only 1105 experts able to conduct audits of crypto projects. Most are concentrated in the United States (410) and India (170), while Europe (40) lags far behind.
“If you compare the number of auditors with the number of developers who code smart contracts, there are 5 to 8 auditors per 100 developers. There is an imbalance, with a need for more people,” said Karolina Horna.
Currently, 18,000 active developers work every month on open source projects such as the Bitcoin and Ethereum blockchains. In this context, KPMG believes that there is a lack of specialists able to audit crypto projects, which explains the large number of hacks that have taken place so far. If we do not increase the number of experts, the hacks will increase.
The study examines many classic ecosystem attacks, such as so-called “flash loan” attacks (Editor’s note: an unsecured loan that must be repaid before the transaction is completed), in which attackers use these loans to obtain the funds needed to exploit a vulnerability in a contract, or 51% attacks, which happen when an attacker takes control of more than half of the blockchain’s verification capacity and can impose their own version of the chain, allowing them to roll back a recent transaction.
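To make the “must be repaid before the transaction is completed” property concrete, here is a small Python simulation added to this article; it is not code from the KPMG study or from any DeFi project. It models a lending pool that hands out funds with no collateral, lets the borrower run arbitrary logic in a callback, and then checks that the pool balance is back (plus a fee); if the check fails, the whole transaction is rolled back. The account names, starting balances and the 0.09% fee are constructed values.

```python
# Added example (not from the KPMG study or this article): a minimal Python
# simulation of why a flash loan is "unsecured" yet safe for the lender.
# Names, balances and the 0.09% fee below are constructed for illustration.
import copy
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


class Revert(Exception):
    """Signals that the current transaction must be undone (like an EVM revert)."""


@dataclass
class Ledger:
    """Token balances of every account in the simulated chain state."""
    balances: Dict[str, int] = field(default_factory=dict)

    def transfer(self, src: str, dst: str, amount: int) -> None:
        if self.balances.get(src, 0) < amount:
            raise Revert(f"{src} cannot pay {amount}")
        self.balances[src] -= amount
        self.balances[dst] = self.balances.get(dst, 0) + amount


@dataclass
class FlashLender:
    """Lending pool: no collateral, but the pool balance must be restored
    (plus fee) by the time the borrower's callback returns."""
    pool: str = "pool"
    fee_bps: int = 9  # 0.09% fee, a constructed value

    def fee(self, amount: int) -> int:
        return amount * self.fee_bps // 10_000

    def flash_loan(self, ledger: Ledger, borrower: str, amount: int,
                   callback: Callable[[Ledger, int], None]) -> None:
        before = ledger.balances[self.pool]
        ledger.transfer(self.pool, borrower, amount)
        callback(ledger, amount)  # borrower runs its own logic with the funds
        owed = before + self.fee(amount)
        if ledger.balances[self.pool] < owed:
            raise Revert("flash loan not repaid within the transaction")


def run_transaction(ledger: Ledger, tx: Callable[[Ledger], None]) -> Tuple[bool, str]:
    """Execute tx atomically: on Revert, every balance change is discarded."""
    snapshot = copy.deepcopy(ledger.balances)
    try:
        tx(ledger)
    except Revert as exc:
        ledger.balances = snapshot
        return False, str(exc)
    return True, "ok"


def fresh_ledger() -> Ledger:
    # Constructed starting state: a pool holding 1,000,000 units, a borrower with 1,000.
    return Ledger({"pool": 1_000_000, "borrower": 1_000})


def honest_borrower_scenario() -> Tuple[bool, str, Dict[str, int]]:
    """Borrower repays principal plus fee before the callback returns."""
    ledger, lender = fresh_ledger(), FlashLender()

    def use_funds(l: Ledger, amount: int) -> None:
        # ... the borrower's own logic would run here ...
        l.transfer("borrower", "pool", amount + lender.fee(amount))

    ok, msg = run_transaction(
        ledger, lambda l: lender.flash_loan(l, "borrower", 1_000_000, use_funds))
    return ok, msg, dict(ledger.balances)


def defaulting_borrower_scenario() -> Tuple[bool, str, Dict[str, int]]:
    """Borrower keeps the funds: the lender's check fails and the state is restored."""
    ledger, lender = fresh_ledger(), FlashLender()

    def keep_funds(l: Ledger, amount: int) -> None:
        pass  # never repays

    ok, msg = run_transaction(
        ledger, lambda l: lender.flash_loan(l, "borrower", 1_000_000, keep_funds))
    return ok, msg, dict(ledger.balances)


if __name__ == "__main__":
    print(honest_borrower_scenario())
    print(defaulting_borrower_scenario())
```

The repayment check protects only the lender: in the defaulting case the revert wipes out every balance change, so the pool loses nothing. What it does not protect is any other contract the borrower touches inside the callback, which sees a caller holding pool-sized capital for the duration of one transaction. That is the audit question behind the article's point: whether a protocol's logic still holds when an account's balance within a single transaction bears no relation to what it actually owns.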
Moreover, while more and more large companies (luxury, sports, etc.) are moving into cryptocurrencies, they have not yet mastered the cybersecurity side of the topic, according to KPMG. According to the authors of the study, information systems security managers (RSSI, the French term for CISO) have a real role to play in these companies.
“If we affect the cryptocurrency sector, we will have new risks that will be created; CISOs will have to identify new protection scenarios in companies. In the long run, we think that CISOs will have to advise business teams, because cryptocurrency carries a technical risk, and we think that all these issues will be managed by people,” concludes the expert.