About the Author

Eyal Meron is the co-founder and CEO of Spherex Technologies, an embedded on-chain engine for crypto protocols that reverts suspicious transactions during runtime while maintaining business continuity and regulatory compliance.

The views expressed here are his own and do not necessarily represent those of Decrypt.

On June 2, Velocore’s protocol on Ethereum layer-2 network Linea was hacked, resulting in losses of $6.8 million worth of ETH. The attack, which leveraged a fee overflow bug, resulted in Linea halting operations for an hour in an attempt to mitigate the fallout, and prompted an extensive postmortem.

While the Velocore hack will go down as June’s first major on-chain exploit, it was by no means its last. Another six protocol hacks occurred in the month as recorded by DefiLlama, bringing June’s total losses to over $140 million, while July’s losses totaled $277 million. And May was even worse, with $373 million pocketed by attackers leveraging everything from flash loan exploits to compromised private keys.

The crypto industry has grown accustomed to hacks, which have exfiltrated $6 billion from DeFi protocols alone. This might be normal in crypto, but it isn’t in mainstream society. For as long as this problem remains unchecked, talk of Web3 mass adoption will remain a pipe dream.

While the specifics of each exploit vary, there is a common motif that runs through the major on-chain incidents: Most of these protocols were audited, and often by multiple third parties. Velocore was audited by Zokyo, Scalebit, and Hacken, for example, and was also being monitored at the time of the hack.

While audits and monitoring solutions have their place, they risk lulling users and projects into unrealistic expectations of security. If multiple audits and monitoring can’t stop sophisticated hackers from breaking in, then it’s clear that a rethink is required.

Hackers are always gonna hack. But this doesn’t mean that DeFi projects are powerless to stop them. What it does mean is that they need to arm themselves with better preventative tools, and implement strategies to mitigate the damage should a breach occur.

Learning from hackers

DeFi projects could learn a lot from hackers, not least in their willingness to think outside the box by adopting unorthodox problem-solving approaches.

The first step is to learn the attackers’ tactics. One of the problems with audits is that they tend to be inward-looking, focusing on fortifying internal code rather than assessing the enemy’s capabilities. To cite but one example, compromised private keys account for 20% of all attack vectors; in May, Alex Labs lost $29 million in this manner.

Despite a panoply of cybersecurity firms touting crypto monitoring tools, these are largely limited to alerting protocol operators of suspicious activity. If a protocol does get hacked, then the team will be alerted to the bad news and that’s it: no attempts at mitigation, attacker identification, or counter-offensive strategy. Monitoring companies notified Velocore immediately when it was hacked, but it took Linea pausing on-chain operations for the attack to be halted.

DeFi projects shouldn’t simply rely on third parties to resolve all their security challenges either. Rather, they should be proactively educating team members on common phishing methods and signs of suspicious activity. Technical members, meanwhile, should be schooled on the latest attack vectors, including access control exploits and proof verifier bugs.

Rather than expressing gratitude that the latest exploit befell a rival protocol, projects should closely study the inevitable postmortem and apply it to their own security regime. Stay humble and study hackers.

Rewriting the playbook

But there are also more practical measures protocols can take to ensure they’re not the latest casualty. Just as humans cannot control the weather, only their preparation for it, the same holds true of hacks.

Teams need better solutions for threat prevention and tighter control of their smart contracts. Effective security solutions recognize that it’s better to revert malicious transactions on-chain than to warn of an attack that is already occurring. Prevention means stopping the attack before its transactions are finalized on-chain, and those are the preventative measures we need in the ecosystem.

Despite ostensibly doing everything right from a security perspective, Linea had only one recourse when Velocore didn’t respond to alerts: to pause operations. Better tooling is needed to thwart hacks before they can escalate into multi-million-dollar exploits.

This much is clear: The current approach to crypto protocol security isn’t working, and a radical rethink is required. The market is in need of more security solutions that block malicious activity while maintaining business continuity, because it is time that protocols have better proactive capabilities, improved threat prevention, and a willingness to learn from the opposition.

As Sun Tzu put it, “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

Edited by Andrew Hayward
