A HyFi Approach Should be the Answer to DeFi Security

I will be the first to admit to my prior skepticism with regards to cryptocurrencies and other sorts of decentralized finance (DeFi). Having spent most of my career immersed in securing centralized structures and in the world of traditional finance (TradFi) I was doubtful that decentralized models would be here for the long term.

 Yet, following a period where both the adoption and value of crypto have risen steeply, my doubts have waned and my interest has grown. As more value is pumped into the newly developed cryptocurrency system, I find myself increasingly focused on how this system can be better secured.

As this burgeoning community grows, there are almost daily stories about the theft and scams that are endemic across the ecosystem. If the community wants to build a secure, credible and sustainable alternative financial order, moving beyond the current ‘move fast, break things and correct it later’ mentality is a necessity. But this doesn’t mean they need to reinvent the security wheel, either.

Cryptocurrency Security: What’s the Problem?  

The cryptocurrency market’s value exceeded $3 trillion last year and the community is clearly booming and bullish about the year ahead. But, as is often the case when a new technology or trend gains momentum, interest from the criminal underworld also increases.

According to Chainalysis data, a record $14 billion worth of cryptocurrency transaction volume was associated with illicit activities last year, up from $7.8 billion in 2020. A total of $3.2 billion worth of cryptocurrency was stolen in 2021, a year-over-year increase of 516%. One example: AscendEx reported that it lost $78 million following an attack on its wallets hosted across three separate chains—Ethereum, Binance Smart Chain and Polygon.

While hacks and breaches certainly happen in traditional finance (TradFi) as well, there’s a need to highlight the cryptocurrency space given that the industry is now at a critical inflection point in both adoption and regulation. For regulators trying to determine the extent and application of any legal frameworks, cryptocurrency related crime is likely to be a significant consideration.  

DeFi: But Doesn’t Blockchain Provide Security?

I often hear the refrain that not only does blockchain provide enough cybersecurity protection, but also that everything cryptocurrency-related must be allied to blockchain in some way, even security. Yes, it’s true: Blockchains, and the ledger of transactions they produce, are incredibly difficult to break. But they are not immune to risk. For example, front-running attacks can occur when criminals launch an attack in the time gap between transactions that are created and recorded on the blockchain.

There is also a much broader risk with cryptocurrency in that cybercriminals often target the endpoints that connect to the blockchain. For example, cybersecurity firm Intezer discovered an elaborate and sophisticated campaign designed to steal cryptocurrency users’ private keys to their digital wallets, which they dubbed Operation ElectroRAT.

When boiling it down, blockchain falls on the side of being a detective rather than a preventative technology. It provides a certain level of assurance, but it only really acts as an immutable ledger for you to ‘check’ what has already happened on the chain. It also doesn’t operate in a vacuum. The hacks dominating the news are usually breaches of places where blockchain systems interface with the real world, such as smart contracts and hot wallets.

It also seems as though new threats are emerging daily. For example, while individual Layer 1 and Layer 2 communities are all working on and improving their own protocols and smart contracts, cross-chain connectivity has led to an exploitation scenario where unforeseen gaps are being created by interactions between different protocols’ smart contracts when they were mostly originally designed to be used within one protocol. A good example is the recent Wormhole exploit that ‘mutually assumed security’ was adopted in the smart contract bridge, which is the industry practice adopted today. Just to paraphrase NATO’s Article 5: An attack on one protocol is potentially an attack on all protocols as far as cross-chain connectivity is concerned.

Building on TradFi’s foundations

Those in DeFi often think that to usher in a ‘new world’, a fresh paradigm of security tools is necessary and that security also must be linked to blockchain in some way. Combined with the determination to get products to market as quickly as possible, this mindset often leads to overlooking security in favor of the ‘it will fix itself eventually’ mentality.

 If cryptocurrency is to reach its full potential—that is, if we are to build a secure, credible and sustainable alternative financial system—its security infrastructure clearly must improve. And this doesn’t mean we need to reinvent the security wheel. There are tried-and-tested technologies that are used in the ‘old world’ which could be borrowed and applied without compromising the ambition of ushering in a fairer, more democratized ecosystem.

Take identity and access management (IAM) as an example. Just as it is when you log in to your banking app, identity is the key to the front door in cryptocurrency, but many are still clearly getting it wrong. In the world of TradFi, years of pentesting and security development have meant there are now robust IAM protocols and procedures in place. For example, banking providers often use multifactor biometrics (MFB) to authenticate users, where multiple biometric factors like voice and face are combined with asking users to say or do something.

Overall, any comprehensive cryptocurrency security strategy must include the use of traditional security controls. Yes, blockchain provides a certain level of protection, but arguably the greatest risk is when these systems unite with the real world, where the ‘traditional’ tactics of criminals are being used at scale. There are decades worth of testing and development that have taken place to shore up the TradFi world and protect against these common threats—the DeFi community would find it useful to draw upon it.

What do I call this initiative which bridges the TradFi and DeFi gap? I call it HyFi (Hybridized Finance).

Avatar photo

Andersen Cheng

A computer auditor by training, Andersen is something of a polymath having been head of head of credit risk at JP Morgan, Head of LabMorgan (FinTech incubator) and also Head of the Carlyle Group’s European private equity operations. More recently, Andersen ran TRL which was the only provider of hardware cryptography to GCHQ and Downing Street – TRL was subsequently sold to L3 the US Defence Group. 10 years ago Andersen established Post-Quantum, a start-up working to develop encryption capable of withstanding a quantum attack, and the firm is a frontrunner in NISTs global competition to identify an open source cryptographic standard to replace RSA and Elliptic Curve for public-key cryptography. Most recently, using many of Post-Quantum’s R&D innovations, Andersen founded Nomidio, a SaaS based biometric authentication and verification business that works with the likes of Hitachi Capital to deliver ‘practical self-sovereign identity’. Andersen has a great wealth of experience and firm views on the role of encryption in the preservation of privacy and protection of sensitive information.

andersen-cheng has 2 posts and counting.See all posts by andersen-cheng