Time To Address Security Issues After a Year’s Worth of Web3 Hacks?
The Solana, Harmony Bridge, Nomad Bridge, and Wormhole hacks have given rise to security questions and discussions as to how these issues should be addressed.
Who bears responsibility?
The Web3 community has recently been the victim of multiple exploits that, in the aggregate, have cost users and protocols hundreds of millions of dollars. In the last year, the hacks of Solana, Harmony Bridge, Nomad Bridge, and Wormhole have prompted serious discussions on how to address and prevent such events.
There is certainly no shortage of finger pointing, but it remains difficult to ascertain exactly who is to blame and whether any material liability can be assigned as a result. Protocols tend to assign blame to users, asserting that a lack of user education and user error leave the door open to exploits. To them, these user losses are simply the result of the cryptographic “invisible hand” of digital economics. Users of course deny this, and instead direct blame towards the protocols, alleging that the teams deploying the protocols owe users a sort of unspoken fiduciary duty that necessitates deeper and more frequent code audits, as well as greater exploration of edge cases to identify potential weaknesses in the blockchain.
The Recent Solana Hack
Solana made headlines after nearly $8 million worth of $SOL and other assets were drained from Phantom Wallets and Slope Wallets, two software wallets built on Solana’s protocol. Solana has reassured users that neither the Solana Protocol nor its cryptography was compromised, instead blaming Slope Finance and its mobile wallet application. According to Slope’s most recent official statement, the direct cause of this hack is still under investigation. Nonetheless, it adds to the ongoing discussion of how to address Web3 security issues.
The Cross-Chain Bridge Protocol Hacks
In order to understand the recent exploits of bridge protocols, we first have to understand the function of these digital bridges. Bridge protocols allow for interoperability, meaning the ability of two separate blockchains to interact and conduct transactions with one another. Bridges enable this interaction by locking an asset in a smart contract designed to “bridge” to a different blockchain, where an equivalent value of the asset is minted as a wrapped token on the destination chain. For example, a user can bridge to the Ethereum blockchain by wrapping BTC in exchange for WBTC. These bridge protocols are therefore a central location where large sums of crypto assets are held, and such vast asset stockpiles entice criminals to exploit them.
The Nomad Bridge is an example of this: hackers stole roughly $190 million. Yet it is not the only bridge protocol that was compromised; Harmony Bridge and Wormhole lost a total of $425 million worth of crypto assets to hacks. All of these exploits were enabled by bugs in the protocols’ code, leaving the Web3 community questioning the security of bridge protocols. Ethereum founder Vitalik Buterin expressed his concerns surrounding cross-chain applications:
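To make the lock-and-mint mechanism concrete, the following is an added, constructed model (not code from any of the bridges named in this article): a single HMAC key stands in for the guardian signature set that authorizes minting, and the `Bridge` class tracks the one invariant a bridge must never break, namely that wrapped supply never exceeds locked collateral. A bug in the verification step below is exactly the kind of flaw that lets an attacker mint against collateral they never locked and drain the pool.

```python
import hmac
import hashlib
from dataclasses import dataclass, field

# Constructed stand-in for a guardian/validator signing key (hypothetical).
GUARDIAN_KEY = b"constructed-guardian-key-not-real"


def lock_message(user: str, amount: int, nonce: int) -> bytes:
    """Canonical encoding of a source-chain lock event (constructed format)."""
    return f"lock:{user}:{amount}:{nonce}".encode()


def attest(msg: bytes) -> bytes:
    """Guardian attestation; HMAC-SHA256 stands in for a real signature scheme."""
    return hmac.new(GUARDIAN_KEY, msg, hashlib.sha256).digest()


@dataclass
class Bridge:
    locked: int = 0                       # collateral held by the source-chain contract
    minted: int = 0                       # wrapped tokens outstanding on the destination chain
    seen_nonces: set = field(default_factory=set)

    def lock(self, user: str, amount: int, nonce: int):
        """Source chain: take custody of the asset and emit an attested lock message."""
        self.locked += amount
        msg = lock_message(user, amount, nonce)
        return msg, attest(msg)

    def mint(self, msg: bytes, sig: bytes) -> bool:
        """Destination chain: mint wrapped tokens only for a verified, unreplayed message."""
        # Constant-time comparison of the presented attestation against a recomputed one.
        if not hmac.compare_digest(attest(msg), sig):
            return False                  # forged or tampered message: nothing is minted
        _, _user, amount, nonce = msg.decode().split(":")
        if int(nonce) in self.seen_nonces:
            return False                  # replay of an already-redeemed lock
        self.seen_nonces.add(int(nonce))
        self.minted += int(amount)
        return True

    def solvent(self) -> bool:
        """Invariant: wrapped supply must never exceed the collateral actually locked."""
        return self.minted <= self.locked
```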
“The fundamental security limits of bridges are actually a key reason why while I am optimistic about a multi-chain blockchain ecosystem (there really are a few separate communities with different values and it's better for them to live separately than all fight over influence on the same thing), I am pessimistic about cross-chain applications.”
What Steps Should Be Taken?
The development and use of blockchain technology is inherently complex and has created a significant barrier to entry for many. Requiring casual consumers and contributors to understand the mechanisms of this technology in depth in order to evaluate the risks of certain applications is not only unreasonable but also deleterious to the adoption of web3. Therefore, the burden of assuring security and gaining users’ trust likely falls on the developers. This required assurance of security will most likely come from a combination of community initiative and regulation.
The Responsible Financial Innovation Act, sponsored by Senator Lummis and Senator Gillibrand, has attempted to address security concerns surrounding web3. The bill requires the CFTC and SEC, in consultation with the Secretary of the Treasury and the Director of the National Institute of Standards and Technology, to develop guidance to assure security, including risk identification and mitigation policies to be implemented by the entity providing digital asset services, as well as independent audits.
The Digital Commodities Consumer Protection Act of 2022 (DCCPA) proposed by Senators Booker, Boozman, Stabenow, and Thune requires “digital commodity platforms,” as defined below, to register with the Commodity Futures Trading Commission.
Section 2 of the DCCPA defines “digital commodity platforms” to encompass new categories for registration with the CFTC including “digital commodity broker,” “digital commodity custodian,” “digital commodity dealer,” and “digital commodity trading facility.”
The CFTC imposes consumer protection provisions requiring “digital commodity platforms” to disclose conflicts of interest and material risks of trading digital commodities. Furthermore, this bill would allow the CFTC to inspect and monitor digital commodity platforms, on an ongoing basis, for the purpose of ensuring compliance.
Closing Thoughts
While the proposed legislation aims to establish more trust among users of web3 platforms, it may raise concerns from blockchain maximalists, especially those who believe in the establishment of a “trustless” economy. Regulation that requires independent audits of web3 platforms and allows the CFTC to continuously monitor such platforms infringes on the principle of autonomy and limits the ability of the space to govern itself. Also, imposing compliance requirements will inevitably make it harder for developers with limited resources to build on such platforms, diminishing the decentralization of the protocols. Perhaps the only thing that remains clear is this: regulation is coming. However, it is important not to lose sight of the core blockchain principles because of these recent exploits. A semblance of balance between consumer safety and innovative liberty is necessary for web3 to develop naturally and safely.