Despite the increase in the number of attacks in the ecosystem, there are only 1,150 specialists worldwide capable of auditing crypto projects from a cybersecurity point of view, a KPMG study shows.
While the blockchain is built on a solid security foundation, “network 3 is not immune to attackers,” according to a study published this Wednesday by KPMG. While the attacks were initially directed at centralized crypto exchange (CeFi) platforms, they now seem to be concentrated in one sector: the decentralized finance sector.
As a reminder, decentralized finance (DeFi) is an open financial system available to any user that allows some traditional financial transactions, such as loans. Decentralized platforms (also called DEXs for “decentralized exchanges”) allow peer-to-peer crypto transactions without going through a trusted third party. We can, for example, specify Bitsquare, Uniswap or PancakeSwap. Conversely, centralized platforms (or CEXs for “centralized exchanges”) process transactions through their own servers and a centralized order book. We can, for example, mention Binance, Coinbase or Coinhouse.
Between 2012 and 2022, nearly $2.66 billion was stolen from centralized cryptocurrency exchanges. For example, in January, the centralized Crypto.com platform was hacked, which affected 483 users. Similarly, at the end of April, the Chinese exchange Hotbit became a victim of a hack, undertaking to monitor its wallets (electronic wallets).
In addition, according to the Immunefi platform, $1.2 billion worth of cryptocurrency was stolen from decentralized finance in the first quarter of this year alone. The indicator increased by 692% compared to the first quarter of 2021. Among the biggest hacks in the history of DeFi is the “Ronin network”, where $624 million was stolen from the Ethereum Ronin sidechain from Axie Infinity or Poly Network. a hack that resulted in $611 million being stolen from the platform.
DeFi has been gaining momentum for several months now: in the first quarter, the total amount of money locked in DeFi protocols accounted for 10.6% of the entire cryptocurrency market. Therefore, a real prey for hackers. Attackers target everything: smart contracts, user wallets, blockchain infrastructure. As soon as they notice the slightest flaw in the system, they decide to attack it.
However, despite the increasingly sophisticated attacks, KPMG has found that it still lacks the expertise to deal with them. Indeed, while automated tools (such as fuzzing) have been introduced to prevent certain attacks, human analysis remains important.
“We made a simple observation: more and more crypto projects are being hacked. Cryptocurrency companies can wait months before their smart contracts can be verified by crypto-audit firms,” Karolina Gorna, cybersecurity and blockchain engineer, explains to BFM crypto. at KPMG and co-author of the study.
“If we do not increase the number of experts, there will be more hackers”
If the first audit firm specializing in crypto security was created in 2012, and since 2017 this trend has been gaining momentum, then today there are only 1105 experts capable of conducting audits to verify crypto projects. The majority of experts are concentrated in the US (410) and India (170), with Europe (40) lagging far behind in this area.
“If we compare the number of auditors with the number of developers who write smart contracts, there are 5 to 8 auditors per 100 developers. There is an imbalance with the need for more people,” emphasizes Karolina Gorna.
There are currently 18,000 active developers monthly working on so-called open source projects such as the Bitcoin and Ethereum blockchains. In this context, KPMG believes that “there are not enough specialists capable of auditing crypto projects. This explains the large number of hacks that have taken place at the moment. If we do not increase the number of experts, the number of hacks will increase.” “
The study looks at many of the classic attacks in the ecosystem, such as so-called “quick loan” attacks (Editor’s note: an unsecured loan that must be repaid before the transaction is completed), where “attackers use these loans to obtain funds. it is necessary to exploit a smart contract vulnerability, or even a 51% attack, which occurs when a single attacker takes control of more than half of the blockchain’s verification capabilities and can impose their own version of the blockchain. after that, the attacker will be able to cancel the recent transaction.”
Moreover, while more and more large companies (luxury goods, sports, etc.) are moving into cryptocurrencies, they are not yet mastering cybersecurity topics, according to KPMG. According to the authors of the study, information systems security managers (RSSI) play a real role in these companies.
“If we touch the crypto sector, we will have new risks, the director of information security will have to determine new scenarios for protecting companies. carries a technical risk, and we think that a person will solve all these issues, ”the expert concludes.