
How we can make blockchain more secure

However you read the facts and motivations behind the Poly Network hack, it was still possible to remove over $600 million in cryptos without anyone being able to stop it. 

In both cases - Poly Network’s $600 million and Kucoin’s $285 million losses - all or nearly all of the missing money returned to where it came from. But that’s hardly the point. In just the third quarter of 2021 alone, $1 billion was hacked, with the Ethereum ecosystem subjected to 19 other known hacks besides the Poly Network episode, according to a report compiled by Atlas VPN using information supplied by Slowmist Hacked. 

And that’s just cryptocurrencies. Another $120 million was hacked in DeFi in 2020.

Looking at numbers like these, anyone considering putting more money in crypto must be thinking twice. It seems like a good time to look at what protections currently exist for them and what new moves are needed to make blockchain investment more secure.

Looking for protection?

Insurance is one obvious form of protection but insurers have been slow to enter the crypto world. Despite being a growing, multi-trillion dollar industry, crypto remains 96% uninsured. Only 2% of the coins on North America’s largest cryptocurrency exchange, Coinbase, are insured.

Nevertheless, there are some schemes out there to provide the assurance of insurance. As early as 2014, Great American Insurance Group was the first to provide cover for the owners of crypto assets in the form of crime and custody policies covering bitcoin holders for forgery and computer fraud amongst other things. Other players entering the market since then include Nexus Mutual, a decentralized insurance fund operating on Ethereum. Insurers can also provide coverage for crypto businesses, such as exchanges. Evertas, for example, describes itself as “the world’s first cryptoasset insurance company”. 

But, as the paltry figure of 4% coverage demonstrates, this is an area of the insurance market still in its infancy. What’s missing in the insurance industry’s opinion is legal and regulatory clarity. As that emerges, insurance for crypto assets is likely to become easier, resulting in the opportunity to create a major market, according to a recent Bloomberg report.

There are also stability initiatives. Binance, which admits to suffering several dozen hack attempts every day, has created a fund as part of its SAFU customer protection scheme. SAFU collects a fraction of each transaction fee to cover a black swan event. And this seems to be working. In December 2020 Binance announced it would use the fund to compensate $10 million in losses suffered by its customers in the COVER hack.

But, at the end of the day, the most frequent source of hacks and scams is people themselves. It’s an old story you’ve heard before: not having good security hygiene, listening to strangers online or on the phone and, all too frequently, losing their own private keys. At the start of 2021, the New York Times reported that about 20% of the 18.5 million Bitcoins then in existence — currently worth around $215 billion — were lost or otherwise stranded.  

What needs to be done to ensure better security in blockchain technology?

If that’s the current state of play, there are three things that would have a major impact on crypto asset security.

The first is - as the insurance industry and others are calling for - better regulation. Entities, after reaching a certain size, should be more closely monitored by the regulators. And generally speaking we shouldn’t put too much trust in one entity. As the big exchanges and custodians are incentivized to become bigger - and pose an even higher risk to the ecosystem - some kind of regulation is needed. There is a clear irony in the fact that the bigger the centralized exchanges become, the more vulnerable decentralized finance is: on-chain things are mostly safe (I’ve described the exceptions above), but huge, centralized entities like Coinbase are a growing risk.

A good alternative to self-regulation and government regulation would be more widespread and generally-accepted certification, which would provide the level of reassurance insurers are seeking. The easy way to do this would be to certify only a few custody providers and then insure just them, but then we run into the centralization issue again. A better solution would be widespread certification that individual companies and smaller custody providers can acquire.

The second change I want to see is greater caution by developers. The community should be more critical of smart-contract-based applications and provide the necessary checks that are missing due to the decentralized nature of those platforms, the lack of regulation, and current immaturity of the industry. This could be handled by smart contract audits by specialist companies, such as Hosho, as a necessary prerequisite for any project. Ultimately, investors have to enforce this by not putting their money into Dapps without audits. Anyone can make a smart contract and anyone can send money to it, so at the moment there is no real protection mechanism.

And the third is self-protection. Users must become more self-reliant and take control of their keys - or at least a fraction of the keys - in non-custodial wallets such as Metamask or Argent so that they can be certain that, without them giving up their data themselves, no one can access their funds.

The crypto industry is still in its infancy. In some areas we have gone far beyond what seemed possible ten or even five years ago. But in other areas - including dreams of complete security - we have had our eyes opened. It’s down to all of us in the community to take a clear look and fix the issue. 

