The following is a guest post from Michael Egorov, Founder of Curve Finance.
The recent Bybit hack saw a grand total of $1.5 billion lost in crypto assets and has become the biggest hack in the entire history of this industry. The thing that makes this breach particularly concerning is that hackers targeted Bybit’s cold storage — typically the most secure part of an exchange’s infrastructure.
While Bybit moved quickly to replenish its reserves with the help of partners, the whole event still left many people shaken up. This situation once again raises security concerns. How vulnerable are crypto exchanges and what lessons should the industry take from this breach?
The Growing Risk to CEX Platforms
The way I see it, this incident is more than just another attack — it’s a wake-up call exposing the systemic security flaws of centralized exchanges. Despite implementing strict security measures, CEX platforms remain prime targets for hackers. Why? Precisely because of their centralized nature.
Unlike in DeFi, where user funds are distributed across self-custodial wallets, centralized platforms store assets in a controlled infrastructure. This creates a possibility of a single point of failure, where breaching a single layer of security can give attackers easy access to vast amounts of funds. After that, it’s pretty much over. Any recovery of funds has to rely on centralized oversight, assistance of external agents and sheer luck.
Chainalysis report clearly shows that in 2024, centralized services were the most targeted, marking a notable shift from DeFi hacks to CeFi. This is further confirmed by Hacken’s data that CeFi breaches more than doubled in the previous year, leading to the loss of almost $700 million. Access control vulnerabilities were highlighted among the primary causes of breaches.
This confirms that exchanges need to rethink their approach to security.
DeFi’s Alternative Take on Asset Safety
The good thing about DeFi platforms is that their very nature minimizes the risks we covered above. Instead of relying on a centralized infrastructure, DeFi protocols leverage smart contracts and cryptographic security mechanisms to protect assets. This eliminates the possibility of centralized points of failure — there’s no single entity that can be exploited to drain user funds.
However, it should be noted that DeFi isn’t without risks of its own. Since it operates in a permissionless environment, hackers are always present. And since transactions are irreversible, the only true protection is flawless code. Poorly written code can lead to vulnerabilities, but if there are no errors, then hackers can’t take advantage of them to break in.
Hacken’s 2024 security report indicates that smart contract exploits accounted for just 14% of crypto losses in 2024. This is why I believe that smart contract audits are essential to ensure the highest possible security standards.
AI in Cybersecurity: A Double-Edged Sword
Since artificial intelligence is becoming a more heated topic every day, there are many in the crypto market who wonder what role it will play in security. So I’m going to offer my two cents on the subject.
First of all, AI tools have not yet been developed to the point where they would be effective in such tasks. But when they come around to that level, it is very likely that they will be effective.
Properly developed AI tools can potentially be highly useful when it comes to simulating and analyzing the execution of smart contracts. In other words, they can help detect vulnerabilities in smart contracts, allowing developers to patch security holes well before hackers come knocking.
Automated testing and AI-assisted audits can also significantly enhance security standards, making both DeFi and CeFi systems more robust. But it would be wise not to rely completely on artificial intelligence in such matters – even this tech can miss things.
At the same time, AI tools can also be weaponized by hackers to scan systems and identify flaws to exploit faster than ever before. This will inevitably mean an arms race between security teams and hackers where platforms will have to constantly stay one step ahead.
And the one thing I would absolutely advise against is using AI to write the actual smart contracts. Given the current level of development of this technology, AI-written code cannot yet match human developers in quality or security.
What Should Crypto Exchanges Do Next?
By now, all centralized exchanges implement industry best practices, such as multisignature wallets and other security protocols. However, as the Bybit hack has shown, these measures don’t seem to be enough on their own.
CEXs inherently create centralized points of failure. While they should be highly secured, they remain single points of attack, making them attractive targets for hackers. One potential solution to this problem could be introducing user-controlled wallets with extra layers of oversight managed by the exchanges. However, it is also well-known that self-custody and key management is extremely inconvenient for most users. So that’s not a particularly safe approach.
In that case, what can exchanges do differently on their side of things?
First of all, we need to recognize that many security mechanisms used by these platforms today, including multisignature wallets, rely on Web 2.0 technologies. This means that their security depends on not just how robust the smart contracts are, but also on the safety of web-based frontends. The UIs that users interact with and through which those smart contracts are accessed.
Issues in frontend security can undermine the entire system, if hackers find a way to compromise it. But ensuring security here is a challenge and a half. Web applications often rely on thousands of dependencies (Uniswap’s UI, for example, has over 4,500), all of which represent a potential attack vector. If even one of these dependencies gets compromised, hackers could inject malicious code into the interface without ever needing to attack the core system.
As such, developers must ensure that not only their own code is safe but also every piece of software their platform depends on.
A good solution would be for large exchanges to use self-hosted Web UIs. They do exist, including for the Safe wallet, in particular. An even better option would be to use specially designed software that bypasses traditional web technologies altogether when interacting with smart contracts. For example, there is an official CLI tool for Safe wallets, which significantly reduces the number of dependencies (by a factor of about 100), bringing down the risk of supply chain attacks.
Additionally, all signing for high-value transactions should be conducted on isolated machines used exclusively for this purpose and nothing else. Doing so minimizes the risk of the human factor playing a role in compromising the signing infrastructure with malware. Another approach could be leveraging containerized operating systems like QubesOS — they are quite exotic at the moment, but do offer enhanced security as part of their design philosophy.
And, of course, while hardware wallets are the standard practice that everyone uses, when high-value transactions are involved, it is critical that exchanges implement mechanisms to verify what, exactly, these wallets are signing. Currently, hardware wallets do not make this task easy, but there are tools available in the market that can assist in verifying transaction data before execution.
All in all, implementing any of these measures is no simple feat — this is a truth that has to be acknowledged. Perhaps the industry as a whole needs to establish formalized security recommendations or even develop specialized operating systems tailored for safe interaction with crypto out of the box.
But it is also true that without significant upgrades to security infrastructure, the risks posed to CEXs will only continue to grow.
Mentioned in this article
Source link
