For hackers in 2024, digital assets likely look like a gold mine. 

Looking back at 2023, many people in the industry celebrated that there were only $1.5 billion of funds stolen due to hacks and security breaches over the course of the year (a smaller number when contrasted with 2022’s jaw-dropping $3.8 billion). However, if you consider the frequency of 2023’s hacks, there was on average at least 1 hack per week of $1 million or greater – clearly, hackers are still having an enormous impact in the digital asset space. 

So far, the digital asset threat landscape for 2024 has been similar to 2023, with cyber attackers focusing on crypto exchanges, Web3 apps, blockchain bridges, and smart contracts; widespread phishing attacks and fake airdrops have continued throughout the year. Looking at the broader digital asset ecosystem, security is still one of the top issues holding the digital asset and Web3 ecosystem back from mass adoption. 

How can we continue to combat hacking as an industry? At a high level, security should be a key consideration from the very beginning for any organization involved in digital assets – not something that is addressed or revisited after an MVP is launched. Hackers move with speed, and scaling happens rapidly in this space, so the time cushion that teams may assume they have to find and patch coding or operational vulnerabilities might not exist.

When thinking of security of digital assets, many focus on the type of encryption protocol, whereas in fact, there are quite a few vulnerable fronts that are often overlooked. 

We have identified four fundamental security pillars that any digital asset-based business should consider adopting to build an effective security posture from day 0:

1. Building your team with trust

Digital asset companies can be compromised in 2 ways. The first is well-known – through hacking code. The second is different but just as dangerous: hacking people. There have been a few high profile examples in the industry such as CoinsPaid. 

Today’s hackers will look to socially engineer people within your team with a wide range of technologies, such as deep fakes, in order to gain access to your systems. They may even socially engineer hiring processes to insert malicious developers onto teams, allowing them to access production systems from the inside. 

To combat this, any digital asset team or project should examine their people – truly validating references, work experience, and backgrounds. Projects should look to “limit the blast radius” by establishing basic, role-based permissions that manage access controls for financial and operational tasks, smart contract deployments, and other key systems. For example, your Head of Business Development does not need access to be able to deploy code to your production system.

For anything not on-chain, we recommend only using multi-factor authentication or hybrid security keys. In addition, we recommend establishing or hiring a main security point of contact for your organization. While security is a team sport that requires everyone at the company or project to do their part and remain vigilant, it’s a best practice to have at least one person in the organization constantly monitoring the threat landscape. 

2. System Design: map and monitor all external infrastructure dependencies

External infrastructure is everything that has not been built internally for a project or organization, such as aspects of your tech stack that are developed by an actor outside the core team. 

From a security perspective, key management is among the most important systems you will have to implement. We recommend working with a vendor that has in-depth expertise, has been audited, and is battle-tested. In general, there are too many threat vectors in this area – and too much niche expertise needed – to work with a less proven vendor, or to build these capabilities internally.

With the other external infrastructure systems your team will utilize, like smart contracts, oracles or even external vendors, it’s important to keep close track of what your dependencies and vulnerabilities are, both on- and off-chain. Supply chain attacks are quite common in traditional cybersecurity but are also prevalent in the digital asset space.

3. Continuous Improvement: build with security in-mind 

There are 2 phases to most digital asset companies and projects – MVP and production. Both of these phases can be and are vulnerable to attack. 

When launching an MVP, it’s best to start with testing your team and your code; there are many good solutions on the market today that can help with this. Next, you should define your key invariants for modules and methods, and document them. In the future, this will also make working with auditors more efficient and effective. 

Once your offering is in production, security must remain top of mind. First, we recommend developing a bug bounty program or partnering with someone that can offer you that – working with whitehats to find vulnerabilities in your code tends to be highly valuable. Second, ensure you have good operational security for CI/CD when patch-gapping for open-source software – fix issues on your side first before pushing anything new on-chain. Lastly, test and document your invariants for every code commit and release to ensure you are not breaking your key assumptions. 

4. Red Teaming and Incident Preparedness

Even if you are have executed pillars 1 through 3 flawlessly, at some point, your business or project will be tested or even breached and you need to be able to respond accordingly. In order to react quickly and efficiently, it’s important to develop an incident response plan. 

To build an effective incident response plan, you’ll want to try to think like a hacker and test your systems from the ground up – identifying gaps and ways your system can be hacked, documenting them, and then creating an appropriate plan to deal with these issues, should they arise.

There should also be someone on your team whose main role is to think about and monitor security trends in the industry, continuously testing your systems and looking to implement changes as soon as vulnerabilities are found.

Next steps?

Building an effective security posture takes time, effort and practice. Threat actors move very quickly in this industry, and the Web2 mindset of “Move fast, break things, and fix it” does not apply from a security perspective. 

Each pillar highlighted above is meant to help protect your business, investors, and customers from both internal and external threats. Adhering to these pillars is a large step towards being prepared in the event your business or project is tested – and you likely will be tested. 

If you’d like to learn more about how your team can maximize security, we recommend: